Loki Error Guide: 'error getting ring ... connection refused' — Fix the KV Store Backend
Fix Loki 'error getting ring ... connect: connection refused': repair the Consul/etcd KV backend, open the port, or switch to memberlist.
- #loki
- #logging
- #troubleshooting
- #errors
Fixing errors like this? Get 500 free DevOps AI prompts
500 copy-paste AI prompts for the stack you actually run — one PDF, free.
Overview
When Loki’s hash ring is backed by an external KV store (Consul or etcd), every ring read goes to that backend. If the backend is unreachable, Loki logs:
level=error msg="error getting ring" err="Get \"http://consul:8500/v1/kv/collectors/ring\": dial tcp 10.0.0.9:8500: connect: connection refused"
The connection refused means the TCP dial to the KV backend reached a host but nothing was listening on the port — Consul on 8500 (or etcd on 2379) is down, the wrong address is configured, or a network policy blocks the port. Because Loki cannot read ring membership from the KV store, distributors, ingesters, queriers, and rulers all lose their view of the ring and the read/write path fails. The fix is to make the configured KV backend healthy and reachable — or to drop the external dependency by moving the ring to memberlist.
Symptoms
- Component logs repeat
error getting ringwithconnection refusedtoconsul:8500or an etcd endpoint on2379. - The failure is cluster-wide and started when Consul/etcd was restarted, moved, or lost.
/ringfails to render or shows stale membership.common.ring.kvstore.storeisconsuloretcd, notmemberlist.- Curling the KV backend directly from a Loki pod also fails to connect.
Common Root Causes
- Consul or etcd is down — the backend process crashed or was never deployed, so nothing listens on 8500/2379.
- Wrong KV address in
common.ring.kvstore—kvstore.consul.hostorkvstore.etcd.endpointspoints at a name/IP that is not the live backend. - NetworkPolicy blocking the KV port — 8500 (Consul) or 2379 (etcd) is dropped between Loki and the backend.
- TLS or ACL misconfiguration — the backend requires TLS or a valid ACL token that Loki is not sending, so connections are refused or rejected.
store: consulwith no cluster deployed — the config assumes an external KV backend that was never provisioned.
How to diagnose
-
Curl the KV backend from a Loki pod — reproduce the exact dial the error shows:
kubectl exec -it deploy/loki-distributor -- \ curl -s http://consul:8500/v1/status/leader # etcd variant: curl -s http://etcd:2379/health -
Check the KV backend’s own health — confirm the process is up and serving:
kubectl get pods -l app=consul kubectl logs -l app=consul --tail=50 | grep -i 'error\|leader' -
Verify the configured address matches the running backend:
common: ring: kvstore: store: consul consul: host: consul:8500 # must match the live Consul service -
Test the port from a Loki pod — isolate a network-policy block from a dead backend:
kubectl exec -it deploy/loki-distributor -- nc -vz consul 8500 -
Check for TLS/ACL requirements — a backend expecting TLS or a token refuses plain requests:
kubectl get networkpolicy -o yaml | grep -A6 '8500\|2379' # confirm whether Consul ACLs are enabled and a token is required
Fixes
Restore the KV backend and confirm the configured address so Loki can read the ring again. Verify Consul/etcd is healthy and that the host in config resolves to it:
common:
ring:
kvstore:
store: consul
consul:
host: consul:8500
http_client_timeout: 20s
consistent_reads: true
Open the KV port between Loki and the backend so the dial is not refused by a NetworkPolicy:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: loki-to-consul
spec:
podSelector:
matchLabels: { app: consul }
ingress:
- from:
- podSelector: { matchLabels: { app: loki } }
ports:
- { protocol: TCP, port: 8500 }
Supply the correct ACL token (and TLS) the backend requires so connections are accepted rather than refused. Point Loki at the token file and CA:
common:
ring:
kvstore:
store: consul
consul:
host: consul:8500
acl_token: ${CONSUL_HTTP_TOKEN}
For etcd, set the endpoints correctly so Loki dials the live cluster members on 2379:
common:
ring:
kvstore:
store: etcd
etcd:
endpoints:
- etcd-0:2379
- etcd-1:2379
dial_timeout: 10s
Switch the ring to memberlist to remove the external dependency entirely if you do not need Consul/etcd. Gossip-based membership has no separate backend to fail:
common:
ring:
kvstore:
store: memberlist
memberlist:
join_members:
- loki-memberlist:7946
bind_port: 7946
What to watch out for
connection refusedmeans the port reached a host but nothing was listening — that is a dead backend or wrong address, not a DNS failure (which would sayno such host).- An external KV store is a hard dependency for the whole ring; if you keep Consul/etcd, run it highly available or Loki inherits its downtime.
- A NetworkPolicy block and a dead backend look identical from the log line; use
nc -vzplus a direct backend health check to tell them apart. - If the backend enforces ACLs or TLS, a missing token or CA can present as refused/rejected connections even when the process is healthy.
- Switching
storeto memberlist changes where ring state lives; migrate deliberately and confirm all components use the same store, or they will not share a ring.
Related
- Loki Error Guide: ‘empty ring’ — the ring failure that surfaces when the KV backend cannot be read.
- Loki Error Guide: ‘too many unhealthy instances in the ring’ — quorum loss when KV-backed membership goes stale.
- Loki Error Guide: ‘failed to flush chunks’ — a downstream write-path failure when ingesters lose their ring view.
Get 500 Battle-Tested DevOps AI Prompts — Free
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.