Incorrect description of -bind default

[stevendanna]

The documentation for the -bind default says:

-bind - The address that should be bound to for internal cluster communications. This is an IP address that should be reachable by all other nodes in the cluster. By default, this is "0.0.0.0", meaning Consul will use the first available private IP address. Consul uses both TCP and UDP and the same port for both. If you have any firewalls, be sure to allow both protocols.

When reading this I found the following surprising:

By default, this is "0.0.0.0", meaning Consul will use the first available private IP address.

Since 0.0.0.0 typically means "listen on all addresses" (i.e INADDR_ANY). A quick lsof on a consul process confirms that consul is listening on all interfaces:

consul  12907 vagrant    3u  IPv6 100650      0t0     TCP *:8300 (LISTEN)
consul  12907 vagrant    4u  0000    0,9        0    6476 anon_inode
consul  12907 vagrant    5ur  REG  252,0   262272  660236 /home/vagrant/consul-data/tmp/state229940523/lock.mdb
consul  12907 vagrant    6u   REG  252,0   106496  660237 /home/vagrant/consul-data/tmp/state229940523/data.mdb
consul  12907 vagrant    7u   REG  252,0   106496  660237 /home/vagrant/consul-data/tmp/state229940523/data.mdb
consul  12907 vagrant    8uW  REG  252,0  1048576  660239 /home/vagrant/consul-data/raft/raft.db
consul  12907 vagrant    9u   REG  252,0       45  660243 /home/vagrant/consul-data/serf/local.snapshot
consul  12907 vagrant   10u  IPv6 100651      0t0     TCP *:8301 (LISTEN)
consul  12907 vagrant   11u  IPv6 100652      0t0     UDP *:8301
consul  12907 vagrant   12u   REG  252,0       34  660244 /home/vagrant/consul-data/serf/remote.snapshot
consul  12907 vagrant   13u  IPv6 100653      0t0     TCP *:8302 (LISTEN)
consul  12907 vagrant   14u  IPv6 100654      0t0     UDP *:8302

I'm guessing "Consul will use the first available private IP address" refers to the IP address that is advertised to other nodes in the cluster rather than what actually gets bound to.

[bhourigan]

I ran into this issue just a few days ago, it binds to 127.0.0.1 by default and when I use 0.0.0.0 it still binds to just 127.0.0.1. I had to explicitly specify the IP address of eth0 as the bind_address.

[aidanhs]

@bhourigan do you mean it was advertising 127.0.0.1, or that it was actually just binding to 127.0.0.1 when you specified 0.0.0.0?

[bhourigan]

@aidanhs It was binding to 127.0.0.1. I didn't get to see what address it wanted to advertise.

[slackpad]

Looking at the code and doing a quick local test it looks like it'll advertise the private IP but bind to all interfaces - I'll take a deeper look at this one.

[stevendanna]

Looking at the code and doing a quick local test it looks like it'll advertise the private IP but bind to all interfaces - I'll take a deeper look at this one.

To be clear, I think this behavior is fine and the documentation could just be a bit clearer. Maybe something like "By default, this is "0.0.0.0", meaning Consul will bind to all available IP address but only advertise the first available private IP address. To change the address that is advertised use --adverise option."

[slackpad]

I think the intent was not to bind to 0.0.0.0 by default, and the docs lead people to believe this isn't happening, so I think we'll change the behavior to be in line with the docs.

[aidanhs]

Is "private IP address" a widely understood term? I'm not clear on the logic involved in choosing an IP address based on those words.

[slackpad]

The docs should probably be made more specific and reference RFC 1918 and RFC 6598 which specify the IP ranges that Consul looks for. We can also mention that this isn't a security mechanism, just a default behavior that tries to avoid binding to external interfaces.

[slackpad]

This will get cleaned up when we move to https://github.com/hashicorp/go-sockaddr and update the documentation around that.

[hanshasselberg]

This issue is fixed in the docs now:

-bind - The address that should be bound to for internal cluster communications. This is an IP address that should be reachable by all other nodes in the cluster. By default, this is "0.0.0.0", meaning Consul will bind to all addresses on the local machine and will advertise the private IPv4 address to the rest of the cluster.