HA mode with consul backend, autodetect address for Cluster address and Redirect address set invalid


Sergey Bondarev

Dec 8, 2016, 2:42:37 PM
to Vault

I have a working Consul with 3 nodes, with Consul addresses (10.0.0.203, .204, .205), in a Docker container.

I am trying 3 Vault containers with this config:

```
backend "consul" {
  address = "consul:8500"
  path = "vault"
}

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 1
}
```

After start, `docker logs vault` shows me:

```
             Backend: consul (HA available)
                 Cgo: disabled
     Cluster Address: https://10.0.0.204:8201
          Listener 1: tcp (addr: "172.19.0.9:8200", tls: "disabled")
           Log Level: info
               Mlock: supported: true, enabled: true
    Redirect Address: http://10.0.0.204:8200
             Version: Vault v0.6.3
         Version Sha: 27aff4397f6fe6cf741fbc967adf863347c0beaf+CHANGES
```

The address 10.0.0.204 is the address of Consul, not the Vault Docker container's address!

I tried setting all the addresses statically in the config:
server.hcl

```
/vault/config # cat server.hcl
backend "consul" {
  address = "consul:8500"
  redirect_addr = "http://172.18.0.10:8200"
  path = "vault/"
}

listener "tcp" {
  address = "172.18.0.10:8200"
  cluster_address = "172.18.0.10:8201"
  tls_disable = 1
}
```

docker logs look good:
```
==> Vault server configuration:

             Backend: consul (HA available)
                 Cgo: disabled
     Cluster Address: https://172.18.0.10:8201
          Listener 1: tcp (addr: "172.18.0.10:8200", cluster address: "172.18.0.10:8201", tls: "disabled")
           Log Level: info
               Mlock: supported: true, enabled: true
    Redirect Address: http://172.18.0.10:8200
             Version: Vault v0.6.3
         Version Sha: 27aff4397f6fe6cf741fbc967adf863347c0beaf+CHANGES
```

But netstat shows that Vault listens only on port 8200 and does not listen on port 8201.
Why?

```
netstat -ntpl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 172.18.0.10:8200        0.0.0.0:*               LISTEN      6/vault
```

Jeff Mitchell

Dec 9, 2016, 10:02:20 AM
to vault...@googlegroups.com
Is that node active? Only active nodes listen for requests on the cluster port.

Best,
Jeff
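
An added example, not part of the original thread and not Vault's own code: a Python check over the outputs quoted above that flags advertised addresses whose host differs from the listener's, and applies the reply's rule about the cluster port. The function names are hypothetical, the sample inputs are lines copied from the thread, and `is_active` is assumed to be supplied by the caller (for example from `vault status`).

```python
import re
from urllib.parse import urlsplit

# Constructed sample inputs: lines copied from the outputs quoted in this thread.
BANNER_AUTODETECT = """\
     Cluster Address: https://10.0.0.204:8201
          Listener 1: tcp (addr: "172.19.0.9:8200", tls: "disabled")
    Redirect Address: http://10.0.0.204:8200
"""
BANNER_STATIC = """\
     Cluster Address: https://172.18.0.10:8201
          Listener 1: tcp (addr: "172.18.0.10:8200", cluster address: "172.18.0.10:8201", tls: "disabled")
    Redirect Address: http://172.18.0.10:8200
"""
NETSTAT = "tcp   0   0 172.18.0.10:8200   0.0.0.0:*   LISTEN   6/vault\n"

def parse_banner(text):
    """Extract the advertised URLs and the bound listener host from the banner."""
    cluster = re.search(r"Cluster Address:\s*(\S+)", text).group(1)
    redirect = re.search(r"Redirect Address:\s*(\S+)", text).group(1)
    listen = re.search(r'Listener \d+: tcp \(addr: "([^"]+)"', text).group(1)
    return {"cluster": urlsplit(cluster), "redirect": urlsplit(redirect),
            "listen_host": listen.rsplit(":", 1)[0]}

def address_findings(banner):
    """List advertised addresses whose host differs from the listener's host."""
    b = parse_banner(banner)
    return [f"{name} address advertises {b[name].hostname}, listener is on {b['listen_host']}"
            for name in ("cluster", "redirect")
            if b["listen_host"] not in ("0.0.0.0", b[name].hostname)]

def vault_listen_ports(netstat_text):
    """Ports a vault process has in LISTEN state, from `netstat -ntpl` rows."""
    ports = set()
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) >= 7 and cols[5] == "LISTEN" and cols[6].endswith("/vault"):
            ports.add(int(cols[3].rsplit(":", 1)[1]))
    return ports

def cluster_port_verdict(banner, netstat_text, is_active):
    """Apply the rule from the reply: only the active node listens on the cluster port."""
    port = parse_banner(banner)["cluster"].port
    if port in vault_listen_ports(netstat_text):
        return "listening"
    return "problem-on-active-node" if is_active else "expected-on-standby"

if __name__ == "__main__":
    print(address_findings(BANNER_AUTODETECT))
    print(cluster_port_verdict(BANNER_STATIC, NETSTAT, is_active=False))
```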