Consul and Version Control / Backups
1,660 views
Skip to first unread message
Wesley Staples
Dec 16, 2015, 8:51:30 AM12/16/15
to Consul
I have a couple of scenarios running through my head about getting consul data under version control. What happens when:
1.) An authorized user changes a value consul, lets say the name of a database. Consul-Template will recognize the change on two or three different servers update a template and restart apache. So far everything is working like it should. The next day I notice failing health checks on that server. After troubleshooting I realize the database name is wrong. How could I tell what the value was before? What is the correct way to audit what happened?
2.) One day I find the consul kv has no data in it. Even the vault path is gone. How do I "restore from backup"?
I suppose these same questions apply to vault as well.
1.) An authorized user changes a value consul, lets say the name of a database. Consul-Template will recognize the change on two or three different servers update a template and restart apache. So far everything is working like it should. The next day I notice failing health checks on that server. After troubleshooting I realize the database name is wrong. How could I tell what the value was before? What is the correct way to audit what happened?
2.) One day I find the consul kv has no data in it. Even the vault path is gone. How do I "restore from backup"?
I suppose these same questions apply to vault as well.
Darron Froese
Dec 16, 2015, 11:28:34 AM12/16/15
to Consul
Wesley,
We found that the best way to do this was to not allow people to make changes to the KV directly.
We have a specific 'consul-config' Git repo that people make changes to - those changes are fed into the KV store using git2consul:
That way we have an audit trail of all of the changes and who made it - which makes those sorts of problems you describe pretty easy to handle.
As far as Vault goes, I'm not sure if this would be applicable to Vault given its encrypted nature - but for Consul alone that's how we do it.
--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
GitHub Issues: https://github.com/hashicorp/consul/issues
IRC: #consul on Freenode
---
You received this message because you are subscribed to the Google Groups "Consul" group.
To unsubscribe from this group and stop receiving emails from it, send an email to consul-tool...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/consul-tool/614990e1-2e61-443a-8713-1c407bbc9bbc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
James Phillips
Dec 19, 2015, 1:38:21 AM12/19/15
to consu...@googlegroups.com
Hi Wesley,
Darron's answer is probably the best for your use case #1.
For #2 there's some ongoing discussion on https://github.com/hashicorp/consul/issues/1254 that's relevant to this. There a number of open source tools as well, such as https://github.com/leprechau/consul-backinator.
Hope that helps!
-- James
To view this discussion on the web visit https://groups.google.com/d/msgid/consul-tool/CAEsqDyfNpmKmjnvLVjWsqPp_Gm%2BdsZWap2kNhnKkYX_ZbQ2jSg%40mail.gmail.com.
Darron Froese
Dec 19, 2015, 9:41:16 PM12/19/15
to consu...@googlegroups.com
I had no idea the backinator existed.
Thanks James - very useful.
To view this discussion on the web visit https://groups.google.com/d/msgid/consul-tool/CAGoWc06O9UzTSm5dr3j2ZhOSbTsuicAW44Wbk9eMNjHqbffgPw%40mail.gmail.com.
Reply all
Reply to author
Forward
0 new messages