zookeeper-user mailing list archives

From Powell Molleti <pmoll...@vmware.com>
Subject Re: Zookeeper over SSH tunnels
Date Mon, 14 Dec 2015 22:01:58 GMT
Hi Anand,

Some of the known issues are connect timeout when node is unavailable
(packets being dropped) rather than node available but sending RST.

Leader election connection establishment is serialized, hence that adds to
this issue, and I think that is the common understanding; look here:
https://issues.apache.org/jira/browse/ZOOKEEPER-2081. Let me know if it
makes sense.

Also, would you still prefer to use SSH tunnels if Zookeeper supported SSL
natively between itself?
Hope this helps.

Thanks
Powell. 

On 12/14/15, 8:42 AM, "Anand Parthasarathy" <anpartha@avinetworks.com>
wrote:

>Just re-posting the same question that I posted last week to see if I can
>get any responses.
>
>Hi,
>
>Just wondering if anyone has run zookeeper ensemble over SSH tunnels. We
>are moving to a model where we are securing all communication between our
>cluster to be over SSH tunnel including the zookeeper ports (client,
>election and leader sync ports). With this, I notice that the convergence
>when one of the nodes is shut down takes a much longer time than when we
>run without the SSH tunnels. One of the issues I notice in this
>configuration is as follows:
>- Typically, if zookeeper is brought down on one of the nodes, the
>connections to the zookeeper ports are RST with "Connection Refused". With
>the SSH tunnel, because SSH is acting as a TCP proxy, the connection is
>created and then torn down quite immediately. With this behavior, it
>somehow gets into a state where it has to go thru a longer timeout before
>it converges.
>
>Have any of you seen this behavior before? Is there any tuning that we can
>do to improve this behavior?
>
>Thanks,
>Anand.
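
The three failure signals discussed in this thread (RST "Connection Refused", dropped packets, and a forwarder that accepts and then closes), as an added example that is not part of either message and is not ZooKeeper or SSH code. `probe`, `fake_tunnel` and `demo` are hypothetical names, and `fake_tunnel` is a constructed loopback stand-in for an SSH local forward, used so the sketch runs offline.

```python
import socket
import threading

def probe(host, port, timeout=1.0):
    """Classify a TCP port as 'refused', 'timeout', 'accepted-then-closed' or 'open'."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"                  # RST in reply to the SYN: caller fails fast
    except socket.timeout:
        return "timeout"                  # packets dropped: caller waits out the connect timeout
    with s:
        try:
            data = s.recv(1)              # wait for data, EOF, or the timeout
        except socket.timeout:
            return "open"                 # still connected after `timeout` seconds
        except ConnectionResetError:
            return "accepted-then-closed"
        return "open" if data else "accepted-then-closed"

def fake_tunnel(backend_port):
    """Constructed stand-in for an SSH local forward: always accepts, then dials the backend."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(5)
    held = []                             # keeps forwarded connections open
    def serve():
        while True:
            client, _ = lsock.accept()
            try:
                upstream = socket.create_connection(("127.0.0.1", backend_port), timeout=1)
                held.append((client, upstream))
            except OSError:
                client.close()            # backend down: the accepted connection is dropped
    threading.Thread(target=serve, daemon=True).start()
    return lsock.getsockname()[1]

def demo():
    down = socket.socket()
    down.bind(("127.0.0.1", 0))           # bound but not listening: connects are refused
    dead = down.getsockname()[1]
    live = socket.socket()
    live.bind(("127.0.0.1", 0))
    live.listen(5)                        # constructed stand-in for a running server
    return {"direct, server down": probe("127.0.0.1", dead),
            "tunnel, server down": probe("127.0.0.1", fake_tunnel(dead)),
            "tunnel, server up": probe("127.0.0.1", fake_tunnel(live.getsockname()[1]), 0.5)}

if __name__ == "__main__":
    print(demo())
```

A health check that only tests whether `connect()` succeeds reports a tunnelled port as up in both tunnel cases; the read after connect is what separates them.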

