mattfinlayson / ansible-consul Goto Github PK

Currently Ansible Galaxy lists two packages for this role: savagegus.consul and savagegus.ansible-consul, both referring to this repo. savagegus.consul is the one many people use (3768 downloads), but it hasn't had any updates since 1.3, and savagegus.ansible-consul has more recent versions (1.8 as of time of writing), but only a dozen or so downloads.

Is this intentional? It looks like accidental republish under a different name.

in the sample playbook
consul_is_ui: "true" should be consul_is_ui: true
or the conditionals throughout should change to compare against "true". it seems mixed between conditionals checking for matching strings or booleans

Thanks for making this btw, great stuff!

have to restart dnsmasq and pause immediately after configuring. Otherwise the next step (installing tornado) will fail because pypi.python.org doesn't resolve.

diff --git a/roles/ansible-consul/tasks/dnsmasq.yml b/roles/ansible-consul/tasks/dnsmasq.yml
index 4686aa1..c960105 100644
--- a/roles/ansible-consul/tasks/dnsmasq.yml
+++ b/roles/ansible-consul/tasks/dnsmasq.yml
@@ -12,5 +12,11 @@
   copy: >
     content='server=/{{ consul_domain }}/127.0.0.1#8600'
     dest=/etc/dnsmasq.d/10-consul
-  notify:
-    - restart dnsmasq
+  register: dnsmasq_configured
+
+- service: name=dnsmasq state=restarted
+  when: dnsmasq_configured|changed
+
+- pause: seconds=1
+  when dnsmasq_configured|changed
+

If consul_verify_server_hostname isn't specified as a string "false" it gets set to the default of true.

Hello.

Do you have plans to add tasks for installing consul template utility?

Thank you for great Ansible role.

So I recently upgraded to 0.6.0 and along with that I used a newer version of this role. There was a lot to grok, but everything seemed to work for my Consul server so I moved onto upgrading one of my clients. Things seemed to work on the Consul side after the upgrade until I realized that my docker containers could not resolve hosts using Consul DNS. After some troubleshooting, I could only get them to be able to use the DNS if -p 8600 was specified along with dig. That's weird... so I started to take a look at what had changed from the older role version I was using. After a LOT of testing, I finally found the culprit:

https://github.com/savagegus/ansible-consul/blob/master/tasks/dnsmasq.yml#L31-L44

Why was this added? @trumant

Doesn't this mean that anything outside of the local host (such as Docker containers) cannot go through dnsmasq for DNS lookups?

Does this playbook sets up the consul cluster?

If the consul config file changes, it should notify a handler to restart consul.

Our hostnames are kinda long. We follow this standard, with one addition for vendor, so we get hostnames that end up being something like i-WWXXYYZZ.bastion.us-west-2.aws.int.example.com. Because the hostname is so long, when nginx tries to start up I get an error like:

Restarting nginx: nginx: [emerg] could not build the server_names_hash, 
you should increase either server_names_hash_max_size: 256 
or server_names_hash_bucket_size: 64.

(More info at Server Fault)
The fix for this is pretty simple, just add something like server_names_hash_max_size: 256 to the http section of the nginx.conf. I would just add this functionality to ansible-consul, but wanted to consult (hah! puns!) first as it might be a little out of scope for this project

In commit 5bcfe7a, the "reload consul config" handler has a spelling error. "Commmand" should be "command".

https://github.com/savagegus/ansible-consul/blob/master/templates/consul.json.j2#L58-L60

I believe you'll need to set http to the client address in order for this to work?

The flags -bind and -client will be overridden with auto generated content from the init script (consul.conf.j2). So you are not able to provide them via configuration.

looks like something is wrong with the logic here: https://github.com/jivesoftware/ansible-consul/blob/master/templates/consul.json.j2#L6

consul_servers: ['10.0.0.9', '10.0.1.6', '10.0.0.5'] results in this in the conf:

"start_join": ["10.0.0.9", "10.0.1.6", ],

which results in the error.

For access to the consul executable by users and the UI content by the nginx user, the consul directory should be world readable. Currently, /opt/consul is only accessible by user consul. Maybe the default has changed in Ansible.

The task Download the Go tarball fails when it is not run as root and wants to write to /usr/src, with e.g. vagrant the provisioner is not run as root by default.

A few questions arise from that:

• Why are you installing golang source?
• Is it possible to just install the hashicorp consul binary with this role?
• Is it possible to control this behaviour with a variable (did not see anything about go source in docs)

Thanks for your attention!

ansible-galaxy install savagegus.consul

• downloading role 'consul', owned by savagegus
• downloading role from https://github.com/jivesoftware/ansible-consul/archive/1.3.tar.gz
• error: failed to download the file.
• savagegus.consul was NOT installed successfully.
• you can use --ignore-errors to skip failed roles.

The role tarball doesnt exist.

The SELinux task for consul-ui does not correctly detect when SELinux is enabled:

TASK [savagegus.consul : allow nginx to connect to consul (selinux)] *************
fatal: [...]: FAILED! => {"changed": false, "failed": true, "msg": "SELinux is disabled on this host."}

Hi,

tasks/install.yaml doesn't check for the existence of the consul binary and will skip unpacking the archive if the archive is already present.

For example: if /tmp/0.5.2_linux_amd64.zip is present and /opt/consul/bin/consul is not present, the "when: consul_was_downloaded|changed" in "copy and unpack" will not trigger the task.

Deleting consul_home to start anew will leave the archive in place. consul_home will be repopulated with everything except the consul binary.

TASK [savagegus.consul : install deps (RHEL)] **********************************
failed: [consul1] => (item=[u'unzip', u'jq']) => {"changed": false, "failed": true, "item": ["unzip", "jq"], "msg": "No Package matching 'jq' found available, installed or updated", "rc": 0, "results": []}

It's not in yum, maybe consider pip install jq instead?

After you install dnsmasq, unless you configure the listen-address= in /etc/dnsmasq.conf then you will have a big DNS vulnerability on your server (test it with http://openresolver.com/). Please consider adding a step to limit listen-address=127.0.0.1.

I do not want to check for updates, the disable_update_check parameter (https://www.consul.io/docs/agent/options.html#disable_update_check) should be configurable.

Upstart is not only available in Debian, it should also work with ansible_os_family = 'RedHat'.
I can remove that check in the playbook. Sounds ok?

The last line of tasks/main.yml runs tasks/service.yml, starts consul if not started:

- service: >
  name=consul
  state=running

The next step is handlers/main.yml, which restarts consul:

- name: restart consul
  action: service name=consul state=restarted enabled=yes

(Note the older "action: service" line. The newer "server: name=foo" is used a few tasks later.)

[edit, again: There's something I don't understand about leadership election. I get no election on restart.]

They're almost the same, but not quite. My three server "datacenter" (Debian, systemd, with bootstrap_expect: 3) loses leadership on the restart and can't seem to regain it. A debug task shows Leadership is gained; that runs before the handler

I removed the service.yml include and things seem to work as expected. I haven't figured out why the line is there. Maybe there's some difference with Ansible 2?

Getting two errors:

"unsupported parameter for module: become_user"
"unsupported parameter for module: become"

For the add CONSUL_RPC_ADDR to .bashrc task in install.yml. Removing them fixed the issue. Should I open a PR?

In default/main.yml we have:

consul_ui_dir: "{{ consul_home }}/dist"

At the same time, in tasks/install-ui.yml:

- name: copy and unpack ui
  unarchive: >
    src={{ consul_download_folder }}/{{ consul_ui_archive }}
    dest={{ consul_home }}
    copy=no
  when: consul_ui_was_downloaded|changed

Which puts UI files a level higher than needed.
Changing to dest={{ consul_ui_dir }} resolves the issue.

This role is working wonderfully under ansible-1.9.1, thanks.

Just a heads up, though. It breaks with ansible-2.0.0 devel:

TASK [savagegus.consul : savagegus.consul : consul config file] *****************
fatal: [i-a001010a]: FAILED! => {"msg": "UndefinedError: 'ansible_fqdn' is undefined", "failed": true, "changed": false}
fatal: [i-a101010b]: FAILED! => {"msg": "UndefinedError: 'ansible_fqdn' is undefined", "failed": true, "changed": false}
fatal: [i-be010114]: FAILED! => {"msg": "UndefinedError: 'ansible_fqdn' is undefined", "failed": true, "changed": false}

The hosts in question were created by the ec2 module, and their hostgroup was created with the add_host module.

Apparently [1] [2], Ansible doesn't support running multiple handlers with the same name. Since franklinkim.nginx (for Debian) is loaded before geerlingguy.nginx (for RedHat), the reload nginx handler for Debian wins, and the reload is skipped:

RUNNING HANDLER [franklinkim.nginx : reload nginx] *****************************
skipping: [...] => {"changed": false, "skip_reason": "Conditional check failed", "skipped": true}

The result is getting the "Welcome to nginx!" page instead of the Consul UI. Running sudo nginx -s reload on the servers fixes the issue, as expected.

I'm not sure how to fix this without modifying the nginx modules.

is there a reason why there is https://github.com/jivesoftware/ansible-consul/blob/master/templates/consul.json.j2#L36 as well as https://github.com/jivesoftware/ansible-consul/blob/master/templates/consul.json.j2#L42?

First, thanks for all of this. I'm new to Consul and this project helped me a lot.

When I set consul_client_address, I found that Dnsmasq no longer works. The problem is that 127.0.0.1 is hard-coded in dnsmasq.yml.

I fixed it by changing the line to this:
content='server=/{{ consul_domain }}/{{ consul_client_address }}#{{ consul_port_dns }}'

The various client addresses can be individually configured using the config file (https://www.consul.io/docs/agent/options.html) and the addresses object. I'm sure you know this. I don't know if you want to be able to set all the addresses individually in this project.

Thanks again for all of your work. This has been a huge help.

The nginx_user gets set improperly on RHEL and bootstrap provisioning fails unless nginx_user is set explicitly for this role in the play.

The problem exists here:

  - { role: franklinkim.nginx, when: consul_install_nginx == true and ansible_os_family == "Debian" }
  - { role: geerlingguy.nginx, when: consul_install_nginx == true and ansible_os_family == "RedHat" }
  - { role: joshualund.golang, when: consul_install_consul_cli == true }

The problem appears to be that franklinkim's nginx sets nginx_user in its default/main.yml:

🌀  grep nginx_user defaults/main.yml
nginx_user: www-data

Which remains loaded for the successive role (geerlingguy.nginx). The next nginx role finds this variable set and won't override it with the platform default, even if that was not explicitly set by the user, but the previously attempted role.

Not sure if there is a safer way to "probe" role loading without cluttering the main namespace. I'm eager to learn if there is.

Hi,
I noticed that the ansible-galaxy (https://galaxy.ansible.com/detail#/role/1453) is not updated with the latest changes.
Can you please update it?

Thanks
Shay.

I see that there is a task that appends the executable onto $PATH, but if I run sudu su and then try and run consul I get consul: command not found.

Might be a simple question, but is there a way to make the executable available to sudo without changing the consul user?

Thanks!

On many machines I'd like to have the client there but don't want to run an agent. I just want to query a remote agent.

When I'm trying to create consul cluster on Soft Layer, it works fine 'cause private network binds to eth0.

But, for example, at Diagital Ocean private network binds to eth1 interface.

So, I see something like 10.12.0.9 in address when using consul members.

Mb change bind_addr declaration in consul.json.j2 to:
"bind_addr": {% for host in consul_servers %}{% if host in ansible_all_ipv4_addresses %}"{{host}}"{% endif %}{% endfor %},?

The role variable exists and is used in the consul.conf.j2 template, but is not documented in the README. The property doesn't have a default value, so I'm not sure about where is the best place to add it.

Perhaps I am missing something, but it seams that an option for setting recursors is missing, is this becuase dnsmasq is preffered?

Looks like we need:

acl_datacenter
acl_default_policy
acl_down_policy
acl_master_token
acl_token
acl_ttl
addresses { 
  dns: 
  http:
  rpc:
}
ca_file
verify_incoming
verify_outgoing
cert_file
check_update_interval
disable_anonymous_signature
disable_remote_exec
disable_update_check
dns_config {
  allow_stale
  max_stale
  node_ttl
  service_ttl
}
domain
enable_debug
enable_syslog
key_file
leave_on_teminate
log_level
ports { 
  dns - The DNS server, -1 to disable. Default 8600.
  http - The HTTP api, -1 to disable. Default 8500.
  rpc - The RPC endpoint. Default 8400.
  serf_lan - The Serf LAN port. Default 8301.
  serf_wan - The Serf WAN port. Default 8302.
  server - Server RPC address
}
protocol
recursor
skip_leave_on_interrupt
statsd_addr
statsite_addr
syslog_facility

With the "-ui-dir /path/to/ui" option the consul ui is available at http://localhost:8500/ui by default; however, ansible-consul has a curious dependency on an Ubuntu specific nginx role to enable the ui. It seems out of place. Can we have a simple ui option?

Hi,
Provisioning failed with error:
TASK [savagegus.consul : add CONSUL_RPC_ADDR to .bashrc] ***********************
fatal: [localhost]: FAILED! => {"changed": false, "failed": true, "msg": "unsupported parameter for module: become_user"}

to resolved the failure:
I removed the following lines:
become=yes
become_user={{ consul_user }}
from tasks/install.yml -->name: add CONSUL_RPC_ADDR to .bashrc

and rerun
.bashrc file created
ansible finished successfully

please advise
Riki

Ansible galaxy have old version of this role (without systemd templates). Please, add new repository tag 1.2 and galaxy role.

Thank you.

Hi,
I tried to run consul provision using ansible 2 , the provision failed in several steps
Do you plan to support ansible 2 ?
Thanks
Riki

Attempting to use Upstart with RHEL/CentOS 6 (after applying PR #160 to allow it) fails:

$ sudo start consul
consul start/running, process 19872
$ sudo status consul
consul stop/waiting

Adding some debugging to the Upstart script

exec &> /tmp/consul-upstart.log
set -x

reveals the cause:

$ cat /tmp/consul-upstart.log
+ sudo setcap CAP_NET_BIND_SERVICE=+eip /opt/consul/bin/consul
sudo: sorry, you must have a tty to run sudo

The fix is to use su instead of sudo, as explained here.

The latest version on galaxy is from 2014.

https://galaxy.ansible.com/list#/roles/1453

Hi,

Can this playbook be used for configuring consul across multiple datacenters? How can we make sure nodes in two datacenter's (DC1 and DC2) form a cluster? Thanks.

Thanks,
Govind

I am having problems with geerlingguy.nginx for RHEL. It looks like it was updated a few days ago. I believe has something to do with the configuration validation for NGINX. Am I the only one experiencing this?

The creation of the consul user always fails on hosts with it already existing because it is running the consul process

msg: usermod: user consul is currently used by process xxxx

Maybe we should register 'create consul group' and check if changed for 'create consul user'?

I am using this playbook for consul server and it works like magic - love that !!.

I am also using this playbook for consul client. It still installs nginx. Is there an option to override that?

Can the ansible script check for that version and not download if consul_ui is true?