Closed winmasta closed 6 years ago
From a quick look it seems like you might be missing the "agent" stanza for the tokens used by your agent. I recommend following the ACL Guide closely. We're definitely aware of the generally challenging UX here, and are working on more holistic improvements. However, issues on GitHub for Consul are intended to be related to bugs or feature requests, so we recommend using our other community resources instead of asking here.
If you feel this is a bug, please open a new issue with the appropriate information.
consul version for both Client and Server
Client: [1.0.2]
Server: [1.0.2]
consul info for both Client and Server
To obtain this info I was forced to disable both ACLs because of permission denied.
Client:
Server:
Operating system and Environment details
Server (docker inspect):
Client (docker inspect):
Description of the Issue (and unexpected/desired result)
Service registration blocked by ACL but it shouldn't.
Reproduction steps
2. ACL agent token created:
curl -X PUT -H "X-Consul-Token: 2dac2892-cd4b-339e-9616-8e69cf38c37b" -d '{"Name": "Agent Token","Type": "client","Rules": "node \"\" { policy = \"write\" } service \"\" { policy = \"write\" } key \"\" { policy = \"write\" } "}' http://5.6.7.8:8500/v1/acl/create
Introduced ACL agent token on consul server:
curl -X PUT -H "X-Consul-Token: 2dac2892-cd4b-339e-9616-8e69cf38c37b" -d '{"Token": "5df79abf-87ab-2341-36ae-cf2a6f60cbdf"}' http://5.6.7.8:8500/v1/agent/token/acl_agent_token
Introduced ACL token on consul client:
curl -X PUT -H "X-Consul-Token: 2dac2892-cd4b-339e-9616-8e69cf38c37b" -d '{"Token": "5df79abf-87ab-2341-36ae-cf2a6f60cbdf"}' http://127.0.0.1:8500/v1/agent/token/acl_agent_token
Consul server docker container restarted.
Consul client docker container restarted.
Log Fragments or Link to gist
Client:
2017/12/30 10:41:17 [INFO] serf: EventMemberJoin: laptop 1.2.3.4
2017/12/30 10:41:17 [INFO] agent: Started DNS server 127.0.0.1:8600 (udp)
2017/12/30 10:41:17 [INFO] agent: Started DNS server 127.0.0.1:8600 (tcp)
2017/12/30 10:41:17 [INFO] agent: Started HTTP server on 127.0.0.1:8500 (tcp)
2017/12/30 10:41:17 [INFO] agent: started state syncer
2017/12/30 10:41:17 [INFO] agent: Retry join LAN is supported for: aliyun aws azure digitalocean gce os scaleway softlayer
2017/12/30 10:41:17 [INFO] agent: Joining LAN cluster...
2017/12/30 10:41:17 [INFO] agent: (LAN) joining: [5.6.7.8]
2017/12/30 10:41:17 [WARN] manager: No servers available
2017/12/30 10:41:17 [ERR] agent: failed to sync remote state: No known Consul servers
2017/12/30 10:41:17 [INFO] serf: EventMemberJoin: consul-test 5.6.7.8
2017/12/30 10:41:17 [WARN] memberlist: Refuting a suspect message (from: laptop)
2017/12/30 10:41:17 [INFO] consul: adding server consul-test (Addr: tcp/5.6.7.8:8300) (DC: test)
2017/12/30 10:41:17 [INFO] agent: (LAN) joined: 1 Err:
2017/12/30 10:41:17 [INFO] agent: Join LAN completed. Synced with 1 initial agents
2017/12/30 10:41:19 [ERR] consul: "Catalog.Register" RPC failed to server 5.6.7.8:8300: rpc error making call: Permission denied
2017/12/30 10:41:19 [WARN] agent: Service "mgmt-test" registration blocked by ACLs
2017/12/30 10:41:20 [INFO] agent: Synced node info
2017/12/30 10:41:30 [WARN] memberlist: Refuting a suspect message (from: consul-test)
2017/12/30 10:41:41 [WARN] memberlist: Refuting a suspect message (from: consul-test)
2017/12/30 10:42:03 [WARN] memberlist: Refuting a suspect message (from: consul-test)
2017/12/30 10:42:14 [WARN] memberlist: Refuting a suspect message (from: consul-test)
2017/12/30 10:42:36 [WARN] memberlist: Refuting a suspect message (from: consul-test)
Server:
2017/12/30 10:44:48 [INFO] raft: Initial configuration (index=1): [{Suffrage:Voter ID:dc81987f-8d79-60f7-7aba-548fdbaba794 Address:5.6.7.8:8300}]
2017/12/30 10:44:48 [INFO] serf: EventMemberJoin: consul-test.test 5.6.7.8
2017/12/30 10:44:48 [INFO] raft: Node at 5.6.7.8:8300 [Follower] entering Follower state (Leader: "")
2017/12/30 10:44:48 [WARN] serf: Failed to re-join any previously known node
2017/12/30 10:44:48 [INFO] serf: EventMemberJoin: consul-test 5.6.7.8
2017/12/30 10:44:48 [INFO] agent: Started DNS server 5.6.7.8:8600 (udp)
2017/12/30 10:44:48 [INFO] serf: Attempting re-join to previously known node: laptop: 1.2.3.4:8301
2017/12/30 10:44:48 [INFO] consul: Adding LAN server consul-test (Addr: tcp/5.6.7.8:8300) (DC: test)
2017/12/30 10:44:48 [INFO] consul: Handled member-join event for server "consul-test.test" in area "wan"
2017/12/30 10:44:48 [INFO] agent: Started DNS server 5.6.7.8:8600 (tcp)
2017/12/30 10:44:48 [INFO] agent: Started HTTP server on 5.6.7.8:8500 (tcp)
2017/12/30 10:44:48 [INFO] agent: started state syncer
2017/12/30 10:44:54 [WARN] raft: Heartbeat timeout from "" reached, starting election
2017/12/30 10:44:54 [INFO] raft: Node at 5.6.7.8:8300 [Candidate] entering Candidate state in term 5
2017/12/30 10:44:54 [INFO] raft: Election won. Tally: 1
2017/12/30 10:44:54 [INFO] raft: Node at 5.6.7.8:8300 [Leader] entering Leader state
2017/12/30 10:44:54 [INFO] consul: cluster leadership acquired
2017/12/30 10:44:54 [INFO] consul: New leader elected: consul-test
2017/12/30 10:44:54 [INFO] consul: member 'laptop' reaped, deregistering
2017/12/30 10:44:54 [INFO] agent: Synced node info
2017/12/30 10:44:58 [WARN] serf: Failed to re-join any previously known node
2017/12/30 10:45:18 [INFO] serf: EventMemberJoin: hlaptop 1.2.3.4
2017/12/30 10:45:18 [INFO] consul: member '-laptop' joined, marking health alive
2017/12/30 10:45:30 [INFO] memberlist: Suspect laptop has failed, no acks received
2017/12/30 10:45:34 [INFO] memberlist: Marking -laptop as failed, suspect timeout reached (0 peer confirmations)
2017/12/30 10:45:34 [INFO] serf: EventMemberFailed: laptop 1.2.3.4
2017/12/30 10:45:34 [INFO] consul: member 'laptop' failed, marking health critical
2017/12/30 10:45:34 [INFO] serf: EventMemberJoin: laptop 1.2.3.4
2017/12/30 10:45:34 [INFO] consul: member 'laptop' joined, marking health alive
2017/12/30 10:45:37 [ERR] memberlist: Push/Pull with laptop failed: dial tcp 1.2.3.4:8301: i/o timeout
2017/12/30 10:45:41 [INFO] memberlist: Suspect laptop has failed, no acks received
2017/12/30 10:45:52 [INFO] memberlist: Suspect laptop has failed, no acks received
2017/12/30 10:46:02 [INFO] memberlist: Suspect laptop has failed, no acks received
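Added example, not part of the original thread and not Consul project code: a small audit of the `/v1/acl/create` payload from the reproduction steps. It lists the stanzas the token actually carries, reports the "agent" stanza that the reply at the top of this thread says is missing, and flags empty-prefix write grants. The names `parse_rules` and `audit` are hypothetical, and the regex is an assumption that covers only the one-line stanza form used in the post, not full HCL.

```python
import json
import re

# Request body copied from the reproduction steps above.
PAYLOAD = r'''{"Name": "Agent Token","Type": "client","Rules": "node \"\" { policy = \"write\" } service \"\" { policy = \"write\" } key \"\" { policy = \"write\" } "}'''

# One stanza in the form used in the post: <resource> "<prefix>" { policy = "<level>" }
STANZA = re.compile(r'(\w+)\s+"([^"]*)"\s*\{\s*policy\s*=\s*"(\w+)"\s*\}')


def parse_rules(rules):
    """Return a list of (resource, prefix, policy) tuples found in a rules string."""
    return [m.groups() for m in STANZA.finditer(rules)]


def audit(payload_json, required=("agent",)):
    """Report required stanzas that are absent and catch-all write grants.

    `required` defaults to the stanza named in the reply at the top of the
    thread; pass a different tuple to check for other resources.
    """
    rules = json.loads(payload_json)["Rules"]
    stanzas = parse_rules(rules)
    present = {resource for resource, _, _ in stanzas}
    return {
        "stanzas": stanzas,
        "missing": [r for r in required if r not in present],
        # An empty prefix matches every name, so "write" here applies to
        # every node, service or key in the datacenter.
        "catch_all_write": [resource for resource, prefix, policy in stanzas
                            if prefix == "" and policy == "write"],
    }


if __name__ == "__main__":
    report = audit(PAYLOAD)
    for resource, prefix, policy in report["stanzas"]:
        print(f'{resource} "{prefix}" -> {policy}')
    print("missing stanzas:", report["missing"])
    print("catch-all write grants:", report["catch_all_write"])
```

Running the audit before a token is distributed to agents makes both the gap and the breadth of the grant visible without having to restart containers and read the sync logs.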