Consul Casual Talks #1 http://connpass.com/event/35836/
ฏͳConsul clusterӡ༻Consul Casual Talks #1@fujiwara
View Slide
౻ݪ ढ़Ұ@fujiwaragithub.com/fujiwarasfujiwara.hatenablog.comٕज़෦
Game & Community
AgendaConsulͷ׆༻ࣄྫฏʹӡ༻͢ΔͨΊͷϙΠϯτ
Consulͷ׆༻ࣄྫ1. Internal DNS (node, service)2. maintͰϝϯςφϯε3. StretcherʹΑΔσϓϩΠɺChef࣮ߦ4. consul-templateʹΑΔnginxͷઃఆߋ৽5. 1͔͠ಈ͔ͨ͘͠ͳ͍daemonͷഉଞىಈ
Internal DNS
Internal DNS (node, service)node໊ (ྫ kayac-web-i-1234567...)service໊(ྫ)• log-aggregator : Fluentdͷूαʔό• log-analyzer : Norikra• internal-proxy : ֎ʹग़ͯߦͨ͘ΊͷSquid• internal-mta : ֎ʹग़ͯߦͨ͘ΊͷPostfix
Internal DNS (node, service)dnsmasqΛશͰىಈ.consul υϝΠϯͷ໊લղܾconsul agent127.0.0.1:53 Λdnsmasq͕Listen͢Δ# dnsmasq.confserver=/consul/127.0.0.1#8600bind-interfaceslisten-address=127.0.0.1
Internal DNS (node, service)resolv.conf Ͱ (node|service).consul ΛݕࡧυϝΠϯʹࢦఆ→ node໊ɺservice໊͚ͩͰଓͰ͖Δ# /etc/resolv.confsearch node.consul service.consulnameserver 127.0.0.1 # dnsmasqnameserver 172.16.0.2 # VPC resolvernameserver 172.16.0.254 # Unbound on EC2
bash-completionͰsshͷϗετ໊ิ~/.bash_profile_known_hosts_real(){local members=$(consul members -status=alive | awk '!/Node/{printf("%s ", $1)}')COMPREPLY=( $( \compgen -W "$members" \${COMP_WORDS[COMP_CWORD]} \) )return 0}ੜ͖͍ͯΔϗετͷΈิީิʹͳΔhttp://qiita.com/sfujiwara/items/f4fa907ead53ed104e1a
FluentdͷूαʔόૹΔઃఆConsulͰఏڙ͢ΔDNS໊ϥϯυϩϏϯͰૹ৴type forwardexpire_dns_cache 15dns_round_robin trueheartbeat_type tcphost log-aggregator.service.consulૹ৴ઌͷྻڍෆཁɺࣗಈΓ͠
maintͰϝϯςφϯε
consul maintconsul maint -enable [-reason "..."]͋ΔnodeΛϝϯςφϯεϞʔυʹ͢Δ→ serviceͷ໊લղܾ͔Β֎ΕΔ→ nodeͷ໊લղܾͰ͖Δ (sshͱ͔)
consul maint༻ྫFluentdूαʔόΛϝϯςφϯε͍ͨ͠߹ʹmaint→ DNS͔Β֎ΕΔͷͰૹ৴͕ࢭ·Δ(expire_dns_cache ͷઃఆ͕ඞཁ)NorikraͷΠϯελϯεΛऔΓସ͍͑ͨͱ͖ʹ• ৽͍͠ϗετΛ maint -enable ͰηοτΞοϓ• چͰ maint -enable, ৽Ͱ maint -disable• DNSͰೖΕସΘΔͷͰૹ৴ઌ͕ΓସΘΔ
PackerͰ AMI ࡞࣌ʹ maint1. consul cluster ʹ join2. maint -enable (ߏஙதʹΈࠐ·Εͳ͍Α͏ʹ)3. ChefͰߏங4. maintঢ়ଶͷ·· AMI ࡞5. AMI͔Βىಈͨ͠Πϯελϯεmaintͷ··6. ىಈޙͷॾʑ͕ऴΘͬͨΒ maint -disable → αʔϏεΠϯ
maintͳΒىಈ͠ͳ͍daemontools ͷ run script#!/bin/bashmaint=$(consul maint)if [[ $maint != "" ]]; thenecho "$maint"sleep 10exit 1fiexec ...ϝϯς࣌ʹىಈͯ͠ཉ͘͠ͳ͍daemonΛ੍ޚ(maint -enableʹͳͬͯstopͨ͠Γ͠ͳ͍)
StretcherʹΑΔσϓϩΠ
StretcherʹΑΔσϓϩΠgithub.com/fujiwara/stretcherConsul / Serf ͱ࿈ܞͯ͠ಈ͘σϓϩΠπʔϧ
StretcherͰChef࣮ߦChef-Server → Stretcher + Chef-Solo• Chef-Serverr͕ SPOF / ϘτϧωοΫʹͳΒͳ͍• શʹಉ͡tar, eventΛˠద༻͢ΔjsonΛ֤ϊʔυͰܾఆ# /etc/sysconfig/hostname-prefixHOSTNAME_PREFIX="xxx-app"→ nodes/xxx-app.json Λద༻
ChefͷroleݕࡧΛserviceఆٛͰ/etc/consul.d/role.json{"service": {"name": "role","tags": [ "batch-server", "db-client", ... ]}}Serviceͱͯ͠ఆٛͯ͠ݕࡧՄೳʹhttp://localhost:8500/v1/catalog/service/role?tag=db-client
http://localhost:8500/v1/catalog/service/role?tag=internal-proxy[{"Node": "xxx-i-10bf0fe2","Address": "10.0.0.123","ServiceID": "role","ServiceName": "role",...},{"Node": "xxx-i-3c1b72b3","Address": "10.0.1.234","ServiceID": "role","ServiceName": "role",...}]
DaemontoolsཧԼͷdaemonserviceఆٛ{"service": {"name": "daemontools","tags": [ "app", stretcher", "gunfish", ... ]}}
͋ΔdaemontoolsཧϓϩηεΛ࠶ىಈ͍ͨ͠curl http://localhost:8500/v1/catalog/service/daemontools?tag=gunfish | jq -r ".[].Node"xxx-admin-i-0391d6162be552655xxx-app-i-01a7ff42f4796be4fxxx-app-i-05bd652734828b522xxx-batch-i-0095ac858fe87d8e5Regexp::TrieͰ࠷దͳਖ਼نදݱʹͯ͠ consul execconsul exec -node '(?:xxx\-(?:a(?:dmin|pp)|batch))'"svc -h /service/gunfish"
consul-templateʹΑΔnginxͷઃఆߋ৽
consul-templatehttps://github.com/hashicorp/consul-template• Consul KVͷɺServiceͷղܾ݁ՌͳͲΛτϦΨʹ• ςϯϓϨʔτߋ৽ɺҙscript kick͕Ͱ͖Δ
nginxͷઃఆߋ৽# config.hcltemplate {source = "/etc/nginx/spam.ip.conf.ctmpl"destination = "/etc/nginx/spam.ip.conf"command = "service nginx reload"perms = 0644backup = true}# spam.ip.conf.ctmpl{{key "spam_ips"}}localhost:8500/v1/kv/spam_ips ʹPUT͢Δ͚ͩͰઃఆߋ৽
1͔͠ಈ͔ͨ͘͠ͳ͍daemonͷഉଞىಈ
1͔͠ಈ͔ͨ͘͠ͳ͍daemonͷഉଞىಈWebSocketड৴Ͱಈ͘Slack bot→ 2Ҏ্Ͱಈ͘ͱ͢ΔͰՄ༻ੑΛ͍࣋ͨͤͨ…
1͔͠ಈ͔ͨ͘͠ͳ͍daemonͷഉଞىಈconsul lock Λ͏ϩοΫΛऔಘͰ͖ͨΒࢦఆͨ͠ίϚϯυ͕࣮ߦ͞ΕΔwrapperconsul lock -n 1 nuko "/path/to/run-nuko.sh"Consul leader͕ೖΕସΘΔͱϩοΫ͕ղ์͞ΕΔͷͰҙ
ฏʹӡ༻͢ΔͨΊͷϙΠϯτ
ฏʹӡ༻͢ΔͨΊͷϙΠϯτRaftΛ(େ·͔ʹͰ͍͍ͷͰ)͓ͬͯ͘http://thesecretlivesofdata.com/raft/ࢄڥͰͷ߹ҙܗΞϧΰϦζϜ• Ϧʔμʔબग़ʹʮաʯͷ߹ҙ͕ඞཁ• 2 = 1མͪΔͱա(=2)͕औΕͳ͍• 3 = 1མͪͯա(=2)͕औΕΔ• 4 = 2མͪΔͱա(=3)͕औΕͳ͍
Deployment Tableຊ൪Ͱ࠷3, 3 or 5͕ਪconsul.io/docs/internals/consensus.html
ServerʹඞཁͳϦιʔε• CPU: 2CPUͰे• Memory: 20MBʙ• Disk: 2MBʙMemory, DiskKVͷར༻ঢ়گ࣍ୈKV dump JSON 10MB, data_dir/raft 120MB→ consul agent RSS 250MB
Serverʹઐ༻ϗετ͕ඞཁʁconsul agentࣗମͦΕ΄ͲϦιʔεΛ༻͠ͳ͍Disk IO͕ߴෛՙͳ߹ʹRaftͷHeartbeat͕ࣦഊ͍͢͠• Timeout 500ms• Heartbeatʹࣦഊ͢ΔͱLeaderબग़͕ߦΘΕΔ• ௨ৗ2,3ඵͰબग़ྃ͢Δ• Consul server tmpfs Λอଘઌʹͯ͠Disk IOͷӨڹճආ
ߴՄ༻ੑͷͨΊʹServerʹΑΓಉ࣌ʹোΛىͯ͜͠ͳ͍node͕มΘΔ• 3 node → 1• 5 node → 23 nodeߏ࣌ɺ2མͪͯΓ1ʹͳͬͯ͠·͏ͱLeader͕બग़Ͱ͖ͳ͍࣌ؒΓ͢ϝϯςφϯε࣌ʹҰ࣌తʹServer nodeΛ૿͢ख
ߴՄ༻ੑͷͨΊʹServer nodeͷfailoverࣗಈ! Ϣʔβৗʹlocalhostͷagent͚ͩΛΈ͍ͯΕΑ͍
nodeো࣌ͷӨڹ! LeaderͰͳ͍ → " ଞnodeʹӨڹͳ͠! Leader → " Leader࠶બग़σϑΥϧτͰͯ͢ͷಡΈॻ͖ΛLeader͕ॲཧ (ڧҰ؏ੑ)Leader͕ܾ·Δ·ͰΞΫηεෆೳ (DNS, HTTP)
Stale mode (DNS)Leader࠶બग़௨ৗ2ʙ3ඵͰྃͦͷؒDNSͰNode, Service໊ղܾΛ͍ͨ͠ʁ→ Stale mode : Leaderະબग़ͰԠՄೳ"dns_config":{"allow_stale": true, // default false"max_stale": "10s" // default 5s}݁Ռݹ͍Մೳੑ͕͋Δ(݁Ռ߹ੑ)
DNS TTLdefaultTTL 0 → cache͞Εͳ͍node, serviceผʹTTLΛઃఆՄೳDNS cache(ͨͱ͑dnsmasq)Λલஈʹஔͯ͠cacheͰ͖Δ"dns_config":{"node_ttl": "60s","service_ttl": {"*": "15s"}}
Stale mode (HTTP API)HTTP APIͰstale modeʹ͢Δ߹Ҿ stale$ curl "http://127.0.0.1:8500/v1/kv/web/key1?stale"staleҾͳ͠ͰLeaderબग़தʹΞΫηε→ 500 Internal Server Error
ӡ༻தͷUpgradeconsul.io/docs/upgrading.htmlconsul.io/docs/upgrade-specific.htmlόʔδϣϯผʹҙ͕͋ΔͷͰυΩϡϝϯτΛॱ൪ʹAgentΛೖΕସ͑Δ͜ͱͰRolling upgradeՄೳ(Leader nodeೖΕସ͑Ͱ࠶બग़ى͖Δ)
҆ఆੑv0.2͔࣌Β2Ҏ্ӡ༻Agentϓϩηε͕མͪͨ͜ͱ1ճ͚ͩ(0.4.1࣌)EBS(gp2)ͷΫϨδοτރׇ → IO waitେྔ→ panic: Timeout starting MDB transactionΦϖϛεͰServerΛམͱ͗͢͠Δͱճ෮ෆೳ
KVͷόοΫΞοϓ͋Δ֊ͷԼͷΛ࠶ؼతʹऔΓ͍ͨ߹ recurse$ curl -s "http://127.0.0.1:8500/v1/kv/?recurse"[{"CreateIndex":112,"ModifyIndex":115,"LockIndex":0,"Key":"key1","Flags":123,"Value":"dGVzdA=="},{"CreateIndex":122,"ModifyIndex":122,"LockIndex":0,"Key":"key2","Flags":0,"Value":"dGVzdDI="},{"CreateIndex":124,"ModifyIndex":124,"LockIndex":0,"Key":"test/1","Flags":0,"Value":"dGVzdDM="}]Key, Flags, ValueΛPUT͠ͳ͓͠ͰϨετΞͰ͖Δ
࣮ࡍʹLeader͕ೖΕସΘͬͨͱ͖ͷϩά2016/07/30 10:07:28 [WARN] raft: Heartbeat timeout reached, starting election2016/07/30 10:07:28 [INFO] raft: Node at 10.0.2.132:8300 [Candidate] entering Candidate state2016/07/30 10:07:30 [WARN] raft: Election timeout reached, restarting election2016/07/30 10:07:30 [INFO] raft: Node at 10.0.2.132:8300 [Candidate] entering Candidate state2016/07/30 10:07:30 [INFO] raft: Election won. Tally: 32016/07/30 10:07:30 [INFO] raft: Node at 10.0.2.132:8300 [Leader] entering Leader state2016/07/30 10:07:30 [INFO] consul: cluster leadership acquired2016/07/30 10:07:30 [INFO] consul: New leader elected: xxx-consul-i-ff26ca5a2ඵఔͰճ෮DNSͷcache / stale mode ͰαʔϏεӨڹͳ͠stale໌ࣔ͠ͳ͍HTTP API500ʹͳΔˠৗ࣌ୟ͖·͘Δͷ…?
࣮ࡍʹ͋ͬͨා͍
consul exec Ͱେྔ݁Ռऔಘconsul exec "cat /var/log/foo.log" | grep ...֤ϗετͷϩάΛconsul execͰऔಘ͠Α͏ͱͨ͠→ consul exec KVʹҰ୴อଘ͢ΔͷͰϝϞϦ/DBංେԽserverΛ1ͣͭ࠶ىಈͯ͠ճ෮
ΦϖϛεͰΫϥελ่յupgrade͔ͨͬͨ͠3ߏͷserverͷ1Λམͱͯ͠ɺ৽͍͠όΠφϦͰىಈͨ͠(ͭΓͩͬͨ)ͪΌΜͱىಈ͍ͯ͠ͳ͍ͷʹ2ͷαʔόΛམͱͨ͠→ ่յ
่յͨ͠ΒͲ͏͢Ε1. མͪண͘2. serverΛશ෦ࢭΊΔ3. σʔλ(data_dir)શ෦ফ͢4. serverΛ -bootstrap-expect N Ͱىಈ• start_join ·ͨ खಈͰ join5. (ඞཁͳΒ) KVΛόοΫΞοϓ͔Β͢
fujiwara3
sadonosake
picardparis
rigolon
yellowshippo
pistatium
claudioed
daikimori
weaverryan
unclejoe
line_developers
hamadakoji
senkin13
rmw
revolveconf
gr2m
kneath
maggiecrowley
productmarketing
afnizarnur
schacon
andyhume
scottboms
pedronauck
keathley