Consul Agent

    Agents run in either client or server mode. Client nodes are lightweight processes that make up the majority of the cluster. They interface with the server nodes for most operations and maintain very little state of their own. Clients run on every node where services are running.

    In addition to the core agent operations, server nodes participate in the consensus quorum. The quorum is based on the Raft protocol, which provides strong consistency and availability in the case of failure. Server nodes should run on dedicated instances because they are more resource intensive than client nodes.

    Every agent in the Consul cluster goes through a lifecycle. Understanding the lifecycle is useful for building a mental model of an agent’s interactions with a cluster and how the cluster treats a node. The following process describes the agent lifecycle within the context of an existing cluster:

    1. An agent is started either manually or through an automated or programmatic process. Newly-started agents are unaware of other nodes in the cluster.
    2. An agent joins a cluster, which enables the agent to discover agent peers. Agents join clusters on startup when the command is issued or according the auto-join configuration.
    3. Existing servers will begin replicating to the new node if the agent is a server.

    In the event of a network failure, some nodes may be unable to reach other nodes. Unreachable nodes will be marked as failed.

    Distinguishing between a network failure and an agent crash is impossible. As a result, agent crashes are handled in the same manner is network failures.

    Once a node is marked as failed, this information is updated in the service catalog.

    Note: Updating the catalog is only possible if the servers can still . Once the network recovers or a crashed agent restarts, the cluster will repair itself and unmark a node as failed. The health check in the catalog will also be updated to reflect the current state.

    Exiting Nodes

    When a node leaves a cluster, it communicates its intent and the cluster marks the node as having left. In contrast to changes related to failures, all of the services provided by a node are immediately deregistered. If a server agent leaves, replication to the exiting server will stop.

    To prevent an accumulation of dead nodes (nodes in either failed or left states), Consul will automatically remove dead nodes out of the catalog. This process is called reaping. This is currently done on a configurable interval of 72 hours (changing the reap interval is not recommended due to its consequences during outage situations). Reaping is similar to leaving, causing all associated services to be deregistered.

    You should run one Consul agent per server or host. Instances of Consul can run in separate VMs or as separate containers. At least one server agent per Consul deployment is required, but three to five server agents are recommended. Refer to the following sections for information about host, port, memory, and other requirements:

    The contains additional information, including licensing configuration, environment variables, and other details.

    Start a Consul agent with the command and agent subcommand using the following syntax:

    Consul ships with a -dev flag that configures the agent to run in server mode and several additional settings that enable you to quickly get started with Consul. The -dev flag is provided for learning purposes only. We strongly advise against using it for production environments.

    Getting Started Tutorials: You can test a local agent by following the Getting Started tutorials.

    You can also point to a directory containing several configuration files with the -config-dir flag. This enables you to logically group configuration settings into separate files. See for additional information.

    The following example starts an agent in dev mode and stores agent state data in the tmp/consul directory:

    1. consul agent -data-dir=tmp/consul -dev

    Agents are highly configurable, which enables you to deploy Consul to any infrastructure. Many of the default options for the agent command are suitable for becoming familiar with a local instance of Consul. In practice, however, several additional configuration options must be specified for Consul to function as expected. Refer to Agent Configuration topic for a complete list of configuration options.

    Consul prints several important messages on startup. The following example shows output from the command:

    • Node name: This is a unique name for the agent. By default, this is the hostname of the machine, but you may customize it using the -node flag.

    • Datacenter: This is the datacenter in which the agent is configured to run. For single-DC configurations, the agent will default to dc1, but you can configure which datacenter the agent reports to with the flag. Consul has first-class support for multiple datacenters, but configuring each node to report its datacenter improves agent efficiency.

    • Server: This indicates whether the agent is running in server or client mode. Running an agent in server mode requires additional overhead. This is because they participate in the consensus quorum, store cluster state, and handle queries. A server may also be in “bootstrap” mode, which enables the server to elect itselft as the Raft leader. Multiple servers cannot be in bootstrap mode because it would put the cluster in an inconsistent state.

    • Client Addr: This is the address used for client interfaces to the agent. This includes the ports for the HTTP and DNS interfaces. By default, this binds only to localhost. If you change this address or port, you’ll have to specify a -http-addr whenever you run commands such as to indicate how to reach the agent. Other applications can also use the HTTP address and port to control Consul.

    • Cluster Addr: This is the address and set of ports used for communication between Consul agents in a cluster. Not all Consul agents in a cluster have to use the same port, but this address MUST be reachable by all other nodes.

    When running under systemd on Linux, Consul notifies systemd by sending READY=1 to the $NOTIFY_SOCKET when a LAN join has completed. For this either the join or retry_join option has to be set and the service definition file has to have Type=notify set.

    You can specify many options to configure how Consul operates when issuing the consul agent command. You can also create one or more configuration files and provide them to Consul at startup using either the -config-file or option. Configuration files must be written in either JSON or HCL format.

    Consul Terminology: Configuration files are sometimes called “service definition” files when they are used to configure client agents. This is because clients are most commonly used to register services in the Consul catalog.

    The following example starts a Consul agent that takes configuration settings from a file called server.json located in the current working directory:

    1. consul agent -config-file=server.json

    The configuration options necessary to successfully use Consul depend on several factors, including the type of agent you are configuring (client or server), the type of environment you are deploying to (e.g., on-premise, multi-cloud, etc.), and the security options you want to implement (ACLs, gRPC encryption). The following examples are intended to help you understand some of the combinations you can implement to configure Consul.

    Common Configuration Settings

    The following example configuration is for a server agent named “consul-server“. The server is bootstrapped and the Consul GUI is enabled. The reason this server agent is configured for a service mesh is that the connect configuration is enabled. Connect is Consul’s service mesh component that provides service-to-service connection authorization and encryption using mutual Transport Layer Security (TLS). Applications can use sidecar proxies in a service mesh configuration to establish TLS connections for inbound and outbound connections without being aware of Connect at all. See for details.

    Overview - 图2

    Server Node with Encryption Enabled

    The following example shows a server node configured with encryption enabled. Refer to the chapter for additional information about how to configure security options for Consul.

    Overview - 图4

    1. node_name = "consul-server"
    2. server    = true
    3. ui_config {
    4.   enabled = true
    5. data_dir = "consul/data"
    6. addresses {
    7.   http = "0.0.0.0"
    8. }
    9. retry_join = [
    10.   "consul-server2",
    11.   "consul-server3"
    12. ]
    13. encrypt                = "aPuGh+5UDskRAbkLaXRzFoSOcSM+5vAK+NEYOWHJH7w="
    14. verify_incoming        = true
    15. verify_outgoing        = true
    16. verify_server_hostname = true
    17. ca_file                = "/consul/config/certs/consul-agent-ca.pem"
    18. cert_file              = "/consul/config/certs/dc1-server-consul-0.pem"

    Using Consul as a central service registry is a common use case. The following example configuration includes common settings to register a service with a Consul agent and enable health checks (see Checks to learn more about health checks):

    Overview - 图6

    An agent can be stopped in two ways: gracefully or forcefully. Servers and Clients both behave differently depending on the leave that is performed. There are two potential states a process can be in after a system signal is sent: left and failed.

    To gracefully halt an agent, send the process an interrupt signal (usually Ctrl-C from a terminal, or running kill -INT consul_pid ). For more information on different signals sent by the kill command, see

    When a Client is gracefully exited, the agent first notifies the cluster it intends to leave the cluster. This way, other cluster members notify the cluster that the node has left.

    When a Server is gracefully exited, the server will not be marked as left. This is to minimally impact the consensus quorum. Instead, the Server will be marked as failed. To remove a server from the cluster, the force-leave command is used. Using force-leave will put the server instance in a left state so long as the Server agent is not alive.

    Alternatively, you can forcibly stop an agent by sending it a kill -KILL consul_pid signal. This will stop any agent immediately. The rest of the cluster will eventually (usually within seconds) detect that the node has died and notify the cluster that the node has failed.

    The and leave_on_terminate configuration options allow you to adjust this behavior.