This is an automated email from the ASF dual-hosted git repository.
symat pushed a commit to branch branch-3.6
in repository https://gitbox.apache.org/repos/asf/zookeeper.git
The following commit(s) were added to refs/heads/branch-3.6 by this push:
new 6cf8b02 ZOOKEEPER-3818: client SSL support for zkServer.sh status command
6cf8b02 is described below
commit 6cf8b02120731922b64a35ca997786314a3584ec
Author: Mate Szalay-Beko <symat@apache.org>
AuthorDate: Tue May 12 09:53:40 2020 +0000
ZOOKEEPER-3818: client SSL support for zkServer.sh status command
When the ZooKeeper cluster is started in client SSL-only mode (omitting the clientPort
from the zoo.cfg), then the current `zkServer.sh status` command fails to connect to
the server.
**This patch contains:**
- a fix for the zkServer.sh to fall back to SSL connection if no unsecure port is defined
- documenting the necessary system properties one needs to define in this case
- some formatting fixes in the `zookeeperTools.md` file to get proper code blocks generated
**Hints for testing:**
you can generate SSL certificate files e.g. by:
```
mkdir -p /tmp/ssl
mkdir -p /tmp/zkdata
cp ./zookeeper-client/zookeeper-client-c/ssl/gencerts.sh /tmp/ssl/
cd /tmp/ssl/
./gencerts.sh localhost
```
then you can change your zoo.cfg:
```
tickTime=3000
initLimit=10
syncLimit=5
dataDir=/tmp/zkdata
secureClientPort=22281
# clientPort=2181
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.keyStore.location=/tmp/ssl/server.jks
ssl.keyStore.password=password
ssl.trustStore.location=/tmp/ssl/servertrust.jks
ssl.trustStore.password=password
```
then start ZooKeeper: `./bin/zkServer.sh start-foreground`
then you can run `zkServer.sh status` like:
```
CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
-Dzookeeper.ssl.trustStore.location=/tmp/ssl/clienttrust.jks -Dzookeeper.ssl.trustStore.password=password
-Dzookeeper.ssl.keyStore.location=/tmp/ssl/client.jks -Dzookeeper.ssl.keyStore.password=password
-Dzookeeper.client.secure=true " ./bin/zkServer.sh status
```
Author: Mate Szalay-Beko <symat@apache.org>
Reviewers: Aishwarya Soni <aishwarya.vsoni@gmail.com>, Norbert Kalmar <nkalmar@apache.org>
Closes #1348 from symat/ZOOKEEPER-3818
(cherry picked from commit 236e3d9183606512f0e03a1f828ad0d392eb6091)
Signed-off-by: Mate Szalay-Beko <symat@apache.org>
---
bin/zkServer.sh | 83 +++++++++++++---------
.../src/main/resources/markdown/zookeeperAdmin.md | 8 ++-
.../src/main/resources/markdown/zookeeperTools.md | 8 +++
3 files changed, 64 insertions(+), 35 deletions(-)
diff --git a/bin/zkServer.sh b/bin/zkServer.sh
index ec3db14..f3a8ba0 100755
--- a/bin/zkServer.sh
+++ b/bin/zkServer.sh
@@ -229,51 +229,70 @@ restart)
;;
status)
# -q is necessary on some versions of linux where nc returns too quickly, and no stat
result is output
+ isSSL="false"
clientPortAddress=`$GREP "^[[:space:]]*clientPortAddress[^[:alpha:]]" "$ZOOCFG" | sed
-e 's/.*=//'`
if ! [ $clientPortAddress ]
then
- clientPortAddress="localhost"
+ clientPortAddress="localhost"
fi
clientPort=`$GREP "^[[:space:]]*clientPort[^[:alpha:]]" "$ZOOCFG" | sed -e 's/.*=//'`
if ! [[ "$clientPort" =~ ^[0-9]+$ ]]
then
- dataDir=`$GREP "^[[:space:]]*dataDir" "$ZOOCFG" | sed -e 's/.*=//'`
- myid=`cat "$dataDir/myid"`
- if ! [[ "$myid" =~ ^[0-9]+$ ]] ; then
- echo "clientPort not found and myid could not be determined. Terminating."
- exit 1
- fi
- clientPortAndAddress=`$GREP "^[[:space:]]*server.$myid=.*;.*" "$ZOOCFG" | sed -e 's/.*=//'
| sed -e 's/.*;//'`
- if [ ! "$clientPortAndAddress" ] ; then
- echo "Client port not found in static config file. Looking in dynamic config file."
- dynamicConfigFile=`$GREP "^[[:space:]]*dynamicConfigFile" "$ZOOCFG" | sed -e 's/.*=//'`
- clientPortAndAddress=`$GREP "^[[:space:]]*server.$myid=.*;.*" "$dynamicConfigFile"
| sed -e 's/.*=//' | sed -e 's/.*;//'`
- fi
- if [ ! "$clientPortAndAddress" ] ; then
- echo "Client port not found. Terminating."
- exit 1
- fi
- if [[ "$clientPortAndAddress" =~ ^.*:[0-9]+ ]] ; then
- clientPortAddress=`echo "$clientPortAndAddress" | sed -e 's/:.*//'`
- fi
- clientPort=`echo "$clientPortAndAddress" | sed -e 's/.*://'`
- if [ ! "$clientPort" ] ; then
- echo "Client port not found. Terminating."
- exit 1
- fi
+ dataDir=`$GREP "^[[:space:]]*dataDir" "$ZOOCFG" | sed -e 's/.*=//'`
+ myid=`cat "$dataDir/myid" 2> /dev/null`
+ if ! [[ "$myid" =~ ^[0-9]+$ ]] ; then
+ echo "myid could not be determined, will not able to locate clientPort in the server
configs."
+ else
+ clientPortAndAddress=`$GREP "^[[:space:]]*server.$myid=.*;.*" "$ZOOCFG" | sed -e
's/.*=//' | sed -e 's/.*;//'`
+ if [ ! "$clientPortAndAddress" ] ; then
+ echo "Client port not found in static config file. Looking in dynamic config file."
+ dynamicConfigFile=`$GREP "^[[:space:]]*dynamicConfigFile" "$ZOOCFG" | sed -e 's/.*=//'`
+ clientPortAndAddress=`$GREP "^[[:space:]]*server.$myid=.*;.*" "$dynamicConfigFile"
| sed -e 's/.*=//' | sed -e 's/.*;//'`
+ fi
+ if [ ! "$clientPortAndAddress" ] ; then
+ echo "Client port not found in the server configs"
+ else
+ if [[ "$clientPortAndAddress" =~ ^.*:[0-9]+ ]] ; then
+ clientPortAddress=`echo "$clientPortAndAddress" | sed -e 's/:.*//'`
+ fi
+ clientPort=`echo "$clientPortAndAddress" | sed -e 's/.*://'`
+ fi
+ fi
fi
- echo "Client port found: $clientPort. Client address: $clientPortAddress."
+ if [ ! "$clientPort" ] ; then
+ echo "Client port not found. Looking for secureClientPort in the static config."
+ secureClientPort=`$GREP "^[[:space:]]*secureClientPort[^[:alpha:]]" "$ZOOCFG" | sed
-e 's/.*=//'`
+ if [ "$secureClientPort" ] ; then
+ isSSL="true"
+ clientPort=$secureClientPort
+ else
+ echo "Unable to find either secure or unsecure client port in any configs. Terminating."
+ exit 1
+ fi
+ fi
+ echo "Client port found: $clientPort. Client address: $clientPortAddress. Client SSL:
$isSSL."
STAT=`"$JAVA" "-Dzookeeper.log.dir=${ZOO_LOG_DIR}" "-Dzookeeper.root.logger=${ZOO_LOG4J_PROP}"
"-Dzookeeper.log.file=${ZOO_LOG_FILE}" \
- -cp "$CLASSPATH" $JVMFLAGS org.apache.zookeeper.client.FourLetterWordMain \
- $clientPortAddress $clientPort srvr 2> /dev/null \
+ -cp "$CLASSPATH" $CLIENT_JVMFLAGS $JVMFLAGS org.apache.zookeeper.client.FourLetterWordMain
\
+ $clientPortAddress $clientPort srvr $isSSL 2> /dev/null \
| $GREP Mode`
if [ "x$STAT" = "x" ]
then
- echo "Error contacting service. It is probably not running."
- exit 1
+ if [ "$isSSL" = "true" ] ; then
+ echo " "
+ echo "Note: We used secureClientPort ($secureClientPort) to establish connection,
but we failed. The 'status'"
+ echo " command establishes a client connection to the server to execute diagnostic
commands. Please make sure you"
+ echo " provided all the Client SSL connection related parameters in the CLIENT_JVMFLAGS
environment variable! E.g.:"
+ echo " CLIENT_JVMFLAGS=\"-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty"
+ echo " -Dzookeeper.ssl.trustStore.location=/tmp/clienttrust.jks -Dzookeeper.ssl.trustStore.password=password"
+ echo " -Dzookeeper.ssl.keyStore.location=/tmp/client.jks -Dzookeeper.ssl.keyStore.password=password"
+ echo " -Dzookeeper.client.secure=true\" ./zkServer.sh status"
+ echo " "
+ fi
+ echo "Error contacting service. It is probably not running."
+ exit 1
else
- echo $STAT
- exit 0
+ echo $STAT
+ exit 0
fi
;;
*)
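Review bot: the new fallback test `if [ ! "$clientPort" ]` only checks for an empty value, while the test above it uses `^[0-9]+$`. If zoo.cfg carries a `clientPort` line whose value is not purely numeric and the myid lookup finds nothing, `clientPort` keeps that value, the `secureClientPort` fallback is skipped, and the bad value is handed to FourLetterWordMain. Reusing the numeric test in the fallback condition, and applying it to `secureClientPort` before `clientPort=$secureClientPort`, would close both gaps. Separately, the java call still ends in `2> /dev/null`, so when `isSSL` is "true" a truststore or handshake error is discarded and the user sees only the generic hint followed by "It is probably not running"; keeping stderr in the SSL case would make a misconfigured client distinguishable from a stopped server.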
diff --git a/zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md b/zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md
index 1c6e130..bc16647 100644
--- a/zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md
+++ b/zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md
@@ -480,9 +480,11 @@ these options.
### Monitoring
-The ZooKeeper service can be monitored in one of two
-primary ways; 1) the command port through the use of [4 letter words](#sc_zkCommands) and
2) [JMX](zookeeperJMX.html). See the appropriate section for
-your environment/requirements.
+The ZooKeeper service can be monitored in one of three primary ways:
+
+* the command port through the use of [4 letter words](#sc_zkCommands)
+* with [JMX](zookeeperJMX.html)
+* using the [`zkServer.sh status` command](zookeeperTools.html#zkServer)
<a name="sc_logging"></a>
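Review bot: the third bullet presents `zkServer.sh status` as a monitoring path separate from the first, but the zkServer.sh change in this same commit shows it running FourLetterWordMain with `srvr` against the client port, so it depends on the same four-letter-word interface. A short clause saying that, plus a mention that SSL-only servers need `CLIENT_JVMFLAGS` as described in the linked Tools section, would keep readers from treating it as an independent channel.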
diff --git a/zookeeper-docs/src/main/resources/markdown/zookeeperTools.md b/zookeeper-docs/src/main/resources/markdown/zookeeperTools.md
index 8d74006..2b2a76c 100644
--- a/zookeeper-docs/src/main/resources/markdown/zookeeperTools.md
+++ b/zookeeper-docs/src/main/resources/markdown/zookeeperTools.md
@@ -68,6 +68,14 @@ Apache ZooKeeper, version 3.6.0-SNAPSHOT 06/11/2019 05:39 GMT
```
+The `status` command establishes a client connection to the server to execute diagnostic
commands.
+When the ZooKeeper cluster is started in client SSL only mode (by omitting the clientPort
+from the zoo.cfg), then additional SSL related configuration has to be provided before using
+the `./zkServer.sh status` command to find out if the ZooKeeper server is running. An example:
+
+ CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
-Dzookeeper.ssl.trustStore.location=/tmp/clienttrust.jks -Dzookeeper.ssl.trustStore.password=password
-Dzookeeper.ssl.keyStore.location=/tmp/client.jks -Dzookeeper.ssl.keyStore.password=password
-Dzookeeper.client.secure=true" ./zkServer.sh status
+
+
<a name="zkCli"></a>
### zkCli.sh
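Review bot: the documented example passes the keystore and truststore passwords as `-D` arguments, and zkServer.sh expands `$CLIENT_JVMFLAGS` onto the java command line, where they are visible in the process list while `status` runs. The added paragraph should state that the `/tmp/...jks` paths and `password` are placeholders and mention this exposure, so the example is not copied as-is onto a shared host. The paths here (`/tmp/clienttrust.jks`) also differ from the ones in the commit message's testing hints (`/tmp/ssl/clienttrust.jks`); using one set in both places would avoid confusion.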