集群部署
节点IP | 节点名称 |
---|---|
192.168.1.181 | consul-01 |
192.168.1.182 | consul-02 |
192.168.1.183 | consul-03 |
节点一配置
# Create the directory layout used by this node: data/, conf/, bin/ and logs/.
mkdir -p /data/consul/data /data/consul/conf /data/consul/bin /data/consul/logs
# Download the consul release archive and unpack the binary into /data/consul/bin/.
# Create the agent configuration for this node (file contents follow below).
vim /data/consul/conf/consul-01.json
{
"datacenter": "dc1",
"primary_datacenter": "dc1",
"bootstrap_expect": 3,
"start_join":[
"192.168.1.181",
"192.168.1.182",
"192.168.1.183"
],
"retry_join":[
"192.168.1.181",
"192.168.1.182",
"192.168.1.183"
],
"advertise_addr": "192.168.1.181",
"bind_addr": "192.168.1.181",
"client_addr": "0.0.0.0",
"server": true,
"ui": true,
"connect":{
"enabled": true
},
"node_name": "consul-01",
"data_dir": "/data/consul/data/",
"enable_script_checks": false,
"enable_local_script_checks": false,
"log_file": "/data/consul/logs/",
"log_level": "info",
"log_rotate_bytes": 100000000,
"log_rotate_duration": "24h",
"encrypt": "Nliwp 3S19aCAY8Sq7G5NJUqVkBwqNyG13v1BExCMd4=", # 由 consul keygen 生成,三个节点必须使用同一个值(示例值中的空格疑为排版错误,真实密钥是不含空格的 base64 字符串;另外 JSON 不支持注释,写入文件时请去掉这些 # 说明)
"acl": {
"enabled": true,
"default_policy": "deny", # 默认allow,如果需要自定义权限,将其设置为deny
"enable_token_persistence": true, # 开启token持久化,持久化到磁盘上
"enable_key_list_policy":true # 允许KV的递归操作
}
}
# Create the systemd unit for the consul agent (unit contents follow below).
unit_file=/usr/lib/systemd/system/consul.service
vim "$unit_file"
[Unit]
Description="HashiCorp Consul - A service mesh solution"
Documentation=https://www.consul.io/
Requires=network-online.target
After=network-online.target
[Service]
Type=notify
User=root
ExecStart=/data/consul/bin/consul agent -config-dir=/data/consul/conf/
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGTERM
Restart=on-failure
LimitNOFILE=10240
LimitNPROC=10240
[Install]
WantedBy=multi-user.target
# Pick up the new unit, enable it at boot, then start the agent now.
systemctl daemon-reload
for action in enable start; do
  systemctl "$action" consul
done
节点二配置
# Create the directory layout used by this node: data/, conf/, bin/ and logs/.
mkdir -p /data/consul/data /data/consul/conf /data/consul/bin /data/consul/logs
# Download the consul release archive and unpack the binary into /data/consul/bin/.
# Create the agent configuration for this node (file contents follow below).
vim /data/consul/conf/consul-02.json
{
"datacenter": "dc1",
"primary_datacenter": "dc1",
"bootstrap_expect": 3,
"start_join":[
"192.168.1.181",
"192.168.1.182",
"192.168.1.183"
],
"retry_join":[
"192.168.1.181",
"192.168.1.182",
"192.168.1.183"
],
"advertise_addr": "192.168.1.182",
"bind_addr": "192.168.1.182",
"client_addr": "0.0.0.0",
"server": true,
"ui": true,
"connect":{
"enabled": true
},
"node_name": "consul-02",
"data_dir": "/data/consul/data/",
"enable_script_checks": false,
"enable_local_script_checks": false,
"log_file": "/data/consul/logs/",
"log_level": "info",
"log_rotate_bytes": 100000000,
"log_rotate_duration": "24h",
"encrypt": "Nliwp 3S19aCAY8Sq7G5NJUqVkBwqNyG13v1BExCMd4=",
"acl": {
"enabled": true,
"default_policy": "deny",
"enable_token_persistence": true,
"enable_key_list_policy":true
}
}
# Create the systemd unit for the consul agent (unit contents follow below).
unit_file=/usr/lib/systemd/system/consul.service
vim "$unit_file"
[Unit]
Description="HashiCorp Consul - A service mesh solution"
Documentation=https://www.consul.io/
Requires=network-online.target
After=network-online.target
[Service]
Type=notify
User=root
ExecStart=/data/consul/bin/consul agent -config-dir=/data/consul/conf/
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGTERM
Restart=on-failure
LimitNOFILE=10240
LimitNPROC=10240
[Install]
WantedBy=multi-user.target
# Pick up the new unit, enable it at boot, then start the agent now.
systemctl daemon-reload
for action in enable start; do
  systemctl "$action" consul
done
节点三配置
# Create the directory layout used by this node: data/, conf/, bin/ and logs/.
mkdir -p /data/consul/data /data/consul/conf /data/consul/bin /data/consul/logs
# Download the consul release archive and unpack the binary into /data/consul/bin/.
# Create the agent configuration for this node (file contents follow below).
vim /data/consul/conf/consul-03.json
{
"datacenter": "dc1",
"primary_datacenter": "dc1",
"bootstrap_expect": 3,
"start_join":[
"192.168.1.181",
"192.168.1.182",
"192.168.1.183"
],
"retry_join":[
"192.168.1.181",
"192.168.1.182",
"192.168.1.183"
],
"advertise_addr": "192.168.1.183",
"bind_addr": "192.168.1.183",
"client_addr": "0.0.0.0",
"server": true,
"ui": true,
"connect":{
"enabled": true
},
"node_name": "consul-03",
"data_dir": "/data/consul/data/",
"enable_script_checks": false,
"enable_local_script_checks": false,
"log_file": "/data/consul/logs/",
"log_level": "info",
"log_rotate_bytes": 100000000,
"log_rotate_duration": "24h",
"encrypt": "Nliwp 3S19aCAY8Sq7G5NJUqVkBwqNyG13v1BExCMd4=",
"acl": {
"enabled": true,
"default_policy": "deny",
"enable_token_persistence": true,
"enable_key_list_policy":true
}
}
# Create the systemd unit for the consul agent (unit contents follow below).
unit_file=/usr/lib/systemd/system/consul.service
vim "$unit_file"
[Unit]
Description="HashiCorp Consul - A service mesh solution"
Documentation=https://www.consul.io/
Requires=network-online.target
After=network-online.target
[Service]
Type=notify
User=root
ExecStart=/data/consul/bin/consul agent -config-dir=/data/consul/conf/
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGTERM
Restart=on-failure
LimitNOFILE=10240
LimitNPROC=10240
[Install]
WantedBy=multi-user.target
# Pick up the new unit, enable it at boot, then start the agent now.
systemctl daemon-reload
for action in enable start; do
  systemctl "$action" consul
done
启用 ACL 访问控制
# 重新启动 consul 后,在任意一个节点上初始化 ACL 系统(需要集群已经选出 leader,否则命令会失败)
[root@i-lra7lmuy ~]# consul acl bootstrap
AccessorID: 9bf939ae-cb49-655a-0cc5-adbf6d29b239
SecretID: 98633362-4795-75e0-2c4b-849a7195e3c9
Description: Bootstrap Token (Global Management)
Local: false
Create Time: 2022-04-03 12:34:28.883028023 0800 CST
Policies:
00000000-0000-0000-0000-000000000001 - global-management
该命令只能成功执行一次;生成的 SecretID 拥有最高权限,请妥善离线保管,不要写入版本库、日志或聊天记录中
# 修改三个节点的配置文件,启用 ACL 并配置 token。注意:这里把 global-management token 同时用作 agent token,意味着每个 agent 进程都持有最高权限;更稳妥的做法是为 agent 单独创建只授予 node 写权限的 token,管理 token 仅在需要时使用
...
"acl": {
"enabled": true,
"default_policy": "deny",
"enable_token_persistence": true,
"enable_key_list_policy":true,
"tokens": {
"master": "98633362-4795-75e0-2c4b-849a7195e3c9",
"agent": "98633362-4795-75e0-2c4b-849a7195e3c9"
}
}
配置规则
浏览器访问http://ip:8500,输入上面生成的SecretID
默认 Policy 为 global-management,持有该策略的 SecretID 拥有最高权限,相当于超级管理员;日常操作应另建权限受限的 token,而不是直接使用它
AccessorID:访问 ID,全局唯一,对应一个 token
Scope:作用范围
Roles & Policies:拥有的角色或策略,AccessorID 通过关联不同的角色和策略来控制访问权限
# 服务策略
service_prefix "" {
policy = "write" # 表示所有服务可写
}
# node策略
node_prefix "" {
policy = "write"
}
# kv 策略
key_prefix "" {
policy = "list" # 所有kv可执行递归list操作
}
key_prefix "" {
policy = "write" # 所有kv可执行写操作(write 已经包含 list 权限)
}
key_prefix "config/" {
policy = "read" # 以config/开头的key可执行读操作
}