Check - Agent HTTP API
Refer to Define Health Checks for information about Consul health check capabilities.
The /agent/check
endpoints interact with health checks
managed by the local agent in Consul.
These should not be confused with checks in the catalog.
List Checks
This endpoint returns all checks that are registered with the local agent. These checks were either provided through configuration files or added dynamically using the HTTP API.
It is important to note that the checks known by the agent may be different from those reported by the catalog. This is usually due to changes being made while there is no leader elected. The agent performs active anti-entropy, so in most situations everything will be in sync within a few seconds.
The HTTP response includes the X-Consul-Results-Filtered-By-ACLs: true
header
if the response array excludes results due to ACL policy configuration.
Refer to the HTTP API documentation for more information.
Method | Path | Produces |
---|---|---|
GET | /agent/checks | application/json |
The table below shows this endpoint's support for blocking queries, consistency modes, agent caching, and required ACLs.
Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
---|---|---|---|
NO | none | none | node:read,service:read |
Query Parameters
filter
(string: "")
- Specifies the expression used to filter the queries results prior to returning the data.ns
(string: "")
Enterprise - Return only the checks in the specified namespace. You can also specify the namespace through other methods.
Sample Request
$ curl \ http://127.0.0.1:8500/v1/agent/checks
Sample Response
{ "service:redis": { "Node": "foobar", "CheckID": "service:redis", "Name": "Service 'redis' check", "Status": "passing", "Notes": "", "Output": "", "ServiceID": "redis", "ServiceName": "redis", "ServiceTags": ["primary"], "Interval": "10s", "Timeout": "1s" "Type": "tcp", "ExposedPort": 0, "Definition": {}, "Namespace": "default", "CreateIndex": 0, "ModifyIndex": 0 }}
Filtering
The filter will be executed against each health check value in the results map with the following selectors and filter operations being supported:
Selector | Supported Operations |
---|---|
CheckID | Equal, Not Equal, In, Not In, Matches, Not Matches |
Name | Equal, Not Equal, In, Not In, Matches, Not Matches |
Node | Equal, Not Equal, In, Not In, Matches, Not Matches |
Notes | Equal, Not Equal, In, Not In, Matches, Not Matches |
Output | Equal, Not Equal, In, Not In, Matches, Not Matches |
ServiceID | Equal, Not Equal, In, Not In, Matches, Not Matches |
ServiceName | Equal, Not Equal, In, Not In, Matches, Not Matches |
ServiceTags | In, Not In, Is Empty, Is Not Empty |
Status | Equal, Not Equal, In, Not In, Matches, Not Matches |
Register Check
This endpoint adds a new check to the local agent. Checks may be of script, HTTP, TCP, UDP, or TTL type. The agent is responsible for managing the status of the check and keeping the Catalog in sync.
Method | Path | Produces |
---|---|---|
PUT | /agent/check/register | application/json |
The table below shows this endpoint's support for blocking queries, consistency modes, agent caching, and required ACLs.
Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
---|---|---|---|
NO | none | none | node:write,service:write |
Query Parameters
ns
(string: "")
Enterprise - Specifies the namespace of the check you register. You can also specify the namespace through other methods.
JSON Request Body Schema
Name
(string: <required>)
- Specifies the name of the check.ID
(string: "")
- Specifies a unique ID for this check on the node. This defaults to the"Name"
parameter, but it may be necessary to provide an ID for uniqueness. This value will return in the response as"CheckId"
.Namespace
(string: "")
Enterprise - Specifies the namespace of the check you register. This field takes precedence over thens
query parameter, one of several other methods to specify the namespace.Interval
(string: "")
- Specifies the frequency at which to run this check. This is required for HTTP, TCP, and UDP checks.Notes
(string: "")
- Specifies arbitrary information for humans. This is not used by Consul internally.DeregisterCriticalServiceAfter
(string: "")
- Specifies that checks associated with a service should deregister after this time. This is specified as a time duration with suffix like "10m". If a check is in the critical state for more than this configured value, then its associated service (and all of its associated checks) will automatically be deregistered. The minimum timeout is 1 minute, and the process that reaps critical services runs every 30 seconds, so it may take slightly longer than the configured timeout to trigger the deregistration. This should generally be configured with a timeout that's much, much longer than any expected recoverable outage for the given service.Args
(array<string>)
- Specifies command arguments to run to update the status of the check. Prior to Consul 1.0, checks used a singleScript
field to define the command to run, and would always run in a shell. In Consul 1.0, theArgs
array was added so that checks can be run without a shell. TheScript
field is deprecated, and you should include the shell in theArgs
to run under a shell, eg."args": ["sh", "-c", "..."]
.Note: Consul 1.0 shipped with an issue where
Args
was erroneously namedScriptArgs
in this API. Please useScriptArgs
with Consul 1.0 (that will continue to be accepted in future versions of Consul), andArgs
in Consul 1.0.1 and later.AliasNode
(string: "")
- Specifies the ID of the node for an alias check. If no service is specified, the check will alias the health of the node. If a service is specified, the check will alias the specified service on this particular node.AliasService
(string: "")
- Specifies the ID of a service for an alias check. If the service is not registered with the same agent,AliasNode
must also be specified. Note this is the service ID and not the service name (though they are very often the same).DockerContainerID
(string: "")
- Specifies that the check is a Docker check, and Consul will evaluate the script everyInterval
in the given container using the specifiedShell
. Note thatShell
is currently only supported for Docker checks.GRPC
(string: "")
- Specifies agRPC
check's endpoint that supports the standard gRPC health checking protocol. The state of the check will be updated at the givenInterval
by probing the configured endpoint. Add the service identifier after thegRPC
check's endpoint in the following format to check for a specific service instead of the whole gRPC server/:service_identifier
.GRPCUseTLS
(bool: false)
- Specifies whether to use TLS for thisgRPC
health check. If TLS is enabled, then by default, a valid TLS certificate is expected. Certificate verification can be turned off by settingTLSSkipVerify
totrue
.H2PING
(string "")
- Specifies an address that uses http2 to run a ping check on. At the specifiedInterval
, a connection is made to the address, and a ping is sent. If the ping is successful, the check will be classified aspassing
, otherwise it will be marked ascritical
. TLS is used by default. To disable TLS and use h2c, setH2PingUseTLS
tofalse
. If TLS is enabled, a valid SSL certificate is required by default, but verification can be removed withTLSSkipVerify
.H2PingUseTLS
(bool: true)
- Specifies if TLS should be used for H2PING check. If TLS is enabled, a valid SSL certificate is required by default, but verification can be removed withTLSSkipVerify
.HTTP
(string: "")
- Specifies anHTTP
check to perform aGET
request against the value ofHTTP
(expected to be a URL) everyInterval
. If the response is any2xx
code, the check ispassing
. If the response is429 Too Many Requests
, the check iswarning
. Otherwise, the check iscritical
. HTTP checks also support SSL. By default, a valid SSL certificate is expected. Certificate verification can be controlled using theTLSSkipVerify
.Method
(string: "")
- Specifies a different HTTP method to be used for anHTTP
check. When no value is specified,GET
is used.Body
(string: "")
- Specifies a body that should be sent withHTTP
checks.DisableRedirects
(bool: false)
- Specifies whether to disable following HTTP redirects when performing an HTTP check.Header
(map[string][]string: {})
- Specifies a set of headers that should be set forHTTP
checks. Each header can have multiple values.Timeout
(duration: 10s)
- Specifies a timeout for outgoing connections in the case of a Script, HTTP, TCP, UDP, or gRPC check. Can be specified in the form of "10s" or "5m" (i.e., 10 seconds or 5 minutes, respectively).OutputMaxSize
(positive int: 4096)
- Allow to put a maximum size of text for the given check. This value must be greater than 0, by default, the value is 4k. The value can be further limited for all checks of a given agent using thecheck_output_max_size
flag in the agent.TLSServerName
(string: "")
- Specifies an optional string used to set the SNI host when connecting via TLS. For anHTTP
check, this value is set automatically if the URL uses a hostname (not an IP address).TLSSkipVerify
(bool: false)
- Specifies if the certificate for an HTTPS check should not be verified.TCP
(string: "")
- Specifies aTCP
to connect against the value ofTCP
(expected to be an IP or hostname plus port combination) everyInterval
. If the connection attempt is successful, the check ispassing
. If the connection attempt is unsuccessful, the check iscritical
. In the case of a hostname that resolves to both IPv4 and IPv6 addresses, an attempt will be made to both addresses, and the first successful connection attempt will result in a successful check.TCPUseTLS
(bool: false)
- Specifies whether to use TLS for thisTCP
health check. If TLS is enabled, then by default, a valid TLS certificate is expected. Certificate verification can be turned off by settingTLSSkipVerify
totrue
.UDP
(string: "")
- Specifies aUDP
IP address/hostname and port. The check sends datagrams to the value specified at the interval specified in theInterval
configuration. If the datagram is sent successfully or a timeout is returned, the check is set to thepassing
state. The check is logged ascritical
if the datagram is sent unsuccessfully.OSService
(string: "")
- Specifies the identifier of an OS-level service to check. You can specify eitherWindows Services
on Windows orSystemD
services on Unix.TTL
(duration: 10s)
- Specifies this is a TTL check, and the TTL endpoint must be used periodically to update the state of the check. If the check is not set to passing within the specified duration, then the check will be set to the failed state.ServiceID
(string: "")
- Specifies the ID of a service to associate the registered check with an existing service provided by the agent.Status
(string: "")
- Specifies the initial status of the health check.SuccessBeforePassing
(int: 0)
- Specifies the number of consecutive successful results required before check status transitions to passing. Available for HTTP, TCP, gRPC, Docker & Monitor checks. Added in Consul 1.7.0.FailuresBeforeWarning
(int: 0)
- Specifies the number of consecutive unsuccessful results required before check status transitions to warning. Defaults to the same value asFailuresBeforeCritical
. Values higher thanFailuresBeforeCritical
are invalid. Available for HTTP, TCP, gRPC, Docker & Monitor checks. Added in Consul 1.11.0.FailuresBeforeCritical
(int: 0)
- Specifies the number of consecutive unsuccessful results required before check status transitions to critical. Available for HTTP, TCP, gRPC, Docker & Monitor checks. Added in Consul 1.7.0.
Sample Payload
{ "ID": "mem", "Name": "Memory utilization", "Namespace": "default", "Notes": "Ensure we don't oversubscribe memory", "DeregisterCriticalServiceAfter": "90m", "Args": ["/usr/local/bin/check_mem.py"], "DockerContainerID": "f972c95ebf0e", "Shell": "/bin/bash", "HTTP": "https://example.com", "Method": "POST", "Header": { "Content-Type": ["application/json"] }, "Body": "{\"check\":\"mem\"}", "DisableRedirects": true, "TCP": "example.com:22", "Interval": "10s", "Timeout": "5s", "TLSSkipVerify": true}
Sample Request
$ curl \ --request PUT \ --data @payload.json \ http://127.0.0.1:8500/v1/agent/check/register
Deregister Check
This endpoint remove a check from the local agent. The agent will take care of deregistering the check from the catalog. If the check with the provided ID does not exist, no action is taken.
Method | Path | Produces |
---|---|---|
PUT | /agent/check/deregister/:check_id | application/json |
The table below shows this endpoint's support for blocking queries, consistency modes, agent caching, and required ACLs.
Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
---|---|---|---|
NO | none | none | node:write,service:write |
Path Parameters
check_id
(string: "")
- Specifies the unique ID of the check to deregister.
Query Parameters
ns
(string: "")
Enterprise - Specifies the namespace of the check you deregister. You can also specify the namespace through other methods.
Sample Request
$ curl \ --request PUT \ http://127.0.0.1:8500/v1/agent/check/deregister/my-check-id
TTL Check Pass
This endpoint is used with a TTL type check to set the status of the check to
passing
and to reset the TTL clock.
Method | Path | Produces |
---|---|---|
PUT | /agent/check/pass/:check_id | application/json |
The table below shows this endpoint's support for blocking queries, consistency modes, agent caching, and required ACLs.
Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
---|---|---|---|
NO | none | none | node:write,service:write |
Path Parameters
check_id
(string: "")
- Specifies the unique ID of the check to use.
Query Parameters
note
(string: "")
- Specifies a human-readable message. This will be passed through to the check'sOutput
field.ns
(string: "")
Enterprise - Specifies the namespace of the check you update. You can also specify the namespace through other methods.
Sample Request
$ curl \ --request PUT \ http://127.0.0.1:8500/v1/agent/check/pass/my-check-id
TTL Check Warn
This endpoint is used with a TTL type check to set the status of the check to
warning
and to reset the TTL clock.
Method | Path | Produces |
---|---|---|
PUT | /agent/check/warn/:check_id | application/json |
The table below shows this endpoint's support for blocking queries, consistency modes, agent caching, and required ACLs.
Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
---|---|---|---|
NO | none | none | node:write,service:write |
Path Parameters
check_id
(string: "")
- Specifies the unique ID of the check to use.
Query Parameters
note
(string: "")
- Specifies a human-readable message. This will be passed through to the check'sOutput
field.ns
(string: "")
Enterprise - Specifies the namespace of the check you update. You can also specify the namespace through other methods.
Sample Request
$ curl \ http://127.0.0.1:8500/v1/agent/check/warn/my-check-id
TTL Check Fail
This endpoint is used with a TTL type check to set the status of the check to
critical
and to reset the TTL clock.
If you want to manually mark a service as unhealthy, use maintenance mode instead of defining a TTL health check and using this endpoint.
Method | Path | Produces |
---|---|---|
PUT | /agent/check/fail/:check_id | application/json |
The table below shows this endpoint's support for blocking queries, consistency modes, agent caching, and required ACLs.
Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
---|---|---|---|
NO | none | none | node:write,service:write |
Path Parameters
check_id
(string: "")
- Specifies the unique ID of the check to use.
Query Parameters
note
(string: "")
- Specifies a human-readable message. This will be passed through to the check'sOutput
field.ns
(string: "")
Enterprise - Specifies the namespace of the check you update. You can also specify the namespace through other methods.
Sample Request
$ curl \ http://127.0.0.1:8500/v1/agent/check/fail/my-check-id
TTL Check Update
This endpoint is used with a TTL type check to set the status of the check and to reset the TTL clock.
If you want to manually mark a service as unhealthy, use maintenance mode instead of defining a TTL health check and using this endpoint.
Method | Path | Produces |
---|---|---|
PUT | /agent/check/update/:check_id | application/json |
The table below shows this endpoint's support for blocking queries, consistency modes, agent caching, and required ACLs.
Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
---|---|---|---|
NO | none | none | node:write,service:write |
Path Parameters
check_id
(string: "")
- Specifies the unique ID of the check to use.
Query Parameters
ns
(string: "")
Enterprise - Specifies the namespace of the check you update. You can also specify the namespace through other methods.
JSON Request Body Schema
Status
(string: "")
- Specifies the status of the check. Valid values are"passing"
,"warning"
, and"critical"
.Output
(string: "")
- Specifies a human-readable message. This will be passed through to the check'sOutput
field.
Sample Payload
{ "Status": "passing", "Output": "curl reported a failure:\n\n..."}
Sample Request
$ curl \ --request PUT \ --data @payload.json \ http://127.0.0.1:8500/v1/agent/check/update/my-check-id
Methods to Specify Namespace Enterprise
Local agent health check endpoints support several methods for specifying the namespace of the check resources with the following order of precedence:
Namespace
field of the JSON request body - only applies to the register endpointns
query parameterX-Consul-Namespace
request header- Namespace is inherited from the namespace of the request's ACL token (if any)
- The
default
namespace