Support receiving socket file descriptors from systemd

Open anonymouse64 opened this issue 6 years ago • 6 comments

Feature Description

Currently, consul supports notifying systemd via NOTIFY_SOCKET when consul is ready, which allows other systemd services attempting to connect to consul to have consul as a dependency, but this doesn't help the case where there are services that don't declare consul as a systemd dependency (or are not systemd units at all) that are attempting to connect to consul while it is starting up. Systemd has a solution to this, by specifying ListenStream in the service unit file. This informs systemd to start listening on the specified socket file descriptors before starting the service (and not reading/writing anything on the file descriptors), and then the service can get the file descriptor for the socket using sd_listen_fds (there can be multiple socket file descriptors that systemd opens for the service). Consul should implement support for listening on its ports using this if it's available. Then users deploying Consul with systemd could write a systemd service unit file specifying, for example, ListenStream=8500 to have systemd start listening on port 8500 on behalf of consul before consul is completely ready.

Use Case(s)

During startup, after the consul process has started executing but before it has opened and listened on its sockets, there is a race condition where other services will attempt to connect and the connection will fail. This is especially problematic during reboot/restart scenarios where there can be many services starting simultaneously attempting to connect to consul. Implementing support for receiving socket file descriptors from systemd solves this, as usually in system startup scenarios systemd will start listening on all service listen streams very early in the boot cycle.

anonymouse64 Apr 07 '19 12:04

For reference, coreos has a golang package which does this: https://godoc.org/github.com/coreos/go-systemd/activation

anonymouse64 Apr 07 '19 12:04
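
The socket hand-off described in the feature request above, as an added example that is not Consul's code and not the coreos package: it reads the LISTEN_PID/LISTEN_FDS variables behind sd_listen_fds using only the Go standard library and falls back to binding the port itself. The function names and the 127.0.0.1:8500 fallback address are assumptions made for illustration, and only the first passed socket is used.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"strconv"
	"syscall"
)

// inheritedFDCount reports how many sockets systemd passed to process pid.
func inheritedFDCount(getenv func(string) string, pid int) (int, error) {
	p, err := strconv.Atoi(getenv("LISTEN_PID"))
	if err != nil || p != pid {
		return 0, nil // unset, or inherited variables meant for another process
	}
	n, err := strconv.Atoi(getenv("LISTEN_FDS"))
	if err != nil || n < 0 {
		return 0, fmt.Errorf("invalid LISTEN_FDS %q", getenv("LISTEN_FDS"))
	}
	return n, nil
}

// listenerFor wraps the first passed socket, or binds addr when none was passed.
func listenerFor(addr string) (net.Listener, bool, error) {
	n, err := inheritedFDCount(os.Getenv, os.Getpid())
	for _, k := range []string{"LISTEN_PID", "LISTEN_FDS", "LISTEN_FDNAMES"} {
		os.Unsetenv(k) // children must not mistake these for their own
	}
	if err != nil {
		return nil, false, err
	}
	if n == 0 {
		l, err := net.Listen("tcp", addr)
		return l, false, err
	}
	syscall.CloseOnExec(3) // fd 3 is SD_LISTEN_FDS_START; keep it out of exec'd children
	f := os.NewFile(3, "systemd-socket")
	defer f.Close() // net.FileListener works on its own duplicate
	l, err := net.FileListener(f)
	return l, true, err
}

func main() {
	l, activated, err := listenerFor("127.0.0.1:8500")
	if err != nil {
		panic(err)
	}
	fmt.Printf("listening on %s (socket-activated: %v)\n", l.Addr(), activated)
}
```

Because systemd performs the bind and passes the open socket, the process never needs the privilege to bind the port itself.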

Wanted to note there is some precedent for supporting similar systemd events (not sure that is the right noun), see https://github.com/hashicorp/consul/pull/3164.

pearkes Apr 11 '19 02:04

Any update on this? Would a PR using the coreos package be accepted here?

anonymouse64 Jul 16 '19 01:07

Slight bump, please also note that this allows operators to bind to low ports without adding capabilities to the consul binary, such as binding to port 53.

In the meantime, systemd exposes systemd-socket-proxyd for binaries not supporting socket activation.

adongy Jul 24 '20 14:07

https://systemd.io/FILE_DESCRIPTOR_STORE/

majek Feb 15 '24 12:02

Any updates?

fsdrw08 Jun 10 '24 10:06