zookeeper-user mailing list archives

From ashish soni <aishwarya.ash...@gmail.com>
Subject Re: Side effects of setting quorumListenOnAllIPs to true
Date Tue, 16 Jun 2020 10:24:33 GMT
Hi,

Mate, suppose we do set quorumListenOnAllIPs to true. Will ZooKeeper
still connect and form a quorum with only the static or dynamic server
connection strings, or can it connect and form a quorum with any IP address
outside the server connection strings, as it is allowed to bind on the
0.0.0.0 interface?

Ram, I think you don't need to add this if you have a static IP config or
are using 3.6+. If you feel it is a security issue for the organization, try ZK
3.6.1 without setting that config.

Regards,
Aishwarya Soni

On Tue, Jun 16, 2020 at 1:03 AM Szalay-Bekő Máté <szalay.beko.mate@gmail.com>
wrote:

> Hi Ram,
>
> > all I want to know is by enabling this property there are no side effects
> > or security risks.
>
> well, this is something for you (or for your security team) to evaluate.
> E.g. if your hosts have multiple network interfaces with both "private" and
> "public" networks attached, then I can consider setting
> quorumListenOnAllIPs=true to be a security risk. Of course you can block
> the public access with proper firewall rules.
>
> But usually ZooKeeper is deployed in some secure / core infrastructure,
> well protected from DOS / other attacks, in which
> case quorumListenOnAllIPs=true is not a real security risk.
>
> This is something we (the ZooKeeper community) will not be able to tell, as
> this depends on your network topology and your security protocols. We can
> only help in explaining what this config is doing.
>
> Kind regards,
> Mate
>
> On Mon, Jun 15, 2020 at 7:12 PM rammohan ganapavarapu <
> rammohanganap@gmail.com> wrote:
>
> > Mate,
> >
> > Thanks for explaining, all I want to know is by enabling this property
> > there are no side effects or security risks.
> >
> > Ram
> >
> > On Sun, Jun 14, 2020 at 11:48 PM Szalay-Bekő Máté <
> > szalay.beko.mate@gmail.com> wrote:
> >
> > > Hi Ram,
> > >
> > > I am not sure I understand your question. The config quorumListenOnAllIPs
> > > is there to specify if the ports ZooKeeper uses for server-to-server
> > > communication should bind on the specified address/IP
> > > (quorumListenOnAllIPs=false) or on 0.0.0.0 (quorumListenOnAllIPs=true).
> > >
> > > An example: You configure your server list using either static or dynamic
> > > configuration like:
> > > server.1=a.foo.com:2888:3888
> > > server.2=b.foo.com:2888:3888
> > > ...
> > >
> > > In this case when server.2 starts, it reads the config then initiates a
> > > connection (for the ZK internal leader election protocol) to server.1 by
> > > connecting to a.foo.com:3888 and sending its own address (b.foo.com:3888),
> > > enabling server.1 to connect back. However, if server.2 is behind a
> > > proxy / using kubernetes / whatever, then it is possible that you can reach
> > > server.2 as b.foo.com but the ZK process on server.2 cannot actually bind
> > > on b.foo.com:3888. In this case the easiest solution is to bind on
> > > 0.0.0.0:3888. However, you cannot set 0.0.0.0:3888 in the config file of
> > > server.2, since in this case server.2 would send 0.0.0.0:3888 in the
> > > initial message to server.1 and server.1 would try to connect back to
> > > server.2 using 0.0.0.0:3888, which is a bad idea. So in this case it comes
> > > in handy to set quorumListenOnAllIPs=true, which will cause ZooKeeper to
> > > bind on 0.0.0.0:3888 and still send a 'valid' address in the initial
> > > message, an address where other servers can reach it.
> > >
> > > I hope the explanation made it more (and not less) clear :p
> > >
> > > Kind regards,
> > > Mate
> > >
> > >
> > > On Fri, Jun 12, 2020 at 7:42 PM rammohan ganapavarapu <
> > > rammohanganap@gmail.com> wrote:
> > >
> > > > Hi,
> > > >
> > > > I am trying to see what the pros and cons are of setting
> > > > quorumListenOnAllIPs to true. Running a zookeeper cluster in mtls or local
> > > > proxy environments is not working by keeping the default value (false). So
> > > > can someone please explain?
> > > >
> > > > Anyway, zookeeper will form a quorum with the server list from the zoo.conf
> > > > static file, right? So by enabling this property, can any server or IP out
> > > > of the zoo.conf join the quorum?
> > > >
> > > > Ram
> > > >
> > >
> >
>
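To make the bind-versus-advertise distinction from Mate's explanation concrete, here is an added Python model (not ZooKeeper's own code; the server-line parsing and the wildcard check are a simplification written for this thread) that reads a zoo.cfg server list, works out what the local server binds and what it tells its peers under each setting, and flags the mistake of writing 0.0.0.0 into the server line. The hostnames and the `SAMPLE_CFG` fragment are constructed from the thread.

```python
import re
from dataclasses import dataclass, field

# Matches "server.N=host:quorumPort:electionPort[:role][;clientPort]" (3.4 and 3.5+ forms).
# Simplification: bracketed IPv6 hosts are not handled.
SERVER_RE = re.compile(
    r"^server\.(\d+)\s*=\s*([^:;]+):(\d+):(\d+)(?::(participant|observer))?(?:;.*)?$")

# Constructed zoo.cfg fragment using the hostnames from the thread.
SAMPLE_CFG = """\
tickTime=2000
server.1=a.foo.com:2888:3888
server.2=b.foo.com:2888:3888
server.3=c.foo.com:2888:3888:participant;2181
"""

@dataclass
class QuorumPlan:
    sid: int
    bind_addr: str      # address the 2888/3888 listeners are bound on
    advertised: str     # address sent to peers so they can connect back
    election_port: int
    warnings: list = field(default_factory=list)

def parse_servers(cfg_text):
    """Return {sid: (host, quorum_port, election_port, role)} from zoo.cfg text."""
    servers = {}
    for line in cfg_text.splitlines():
        m = SERVER_RE.match(line.strip())
        if m:
            sid, host, qport, eport, role = m.groups()
            servers[int(sid)] = (host, int(qport), int(eport), role or "participant")
    return servers

def plan_for(cfg_text, my_sid, listen_on_all_ips=False):
    """Decide what server my_sid binds and what it advertises to its peers."""
    servers = parse_servers(cfg_text)
    host, _qport, eport, _role = servers[my_sid]
    plan = QuorumPlan(my_sid, "0.0.0.0" if listen_on_all_ips else host, host, eport)
    # The configured address is also what peers are told to connect back to,
    # so a wildcard there breaks connect-back even though the bind itself works.
    if host in ("0.0.0.0", "::"):
        plan.warnings.append(
            f"server.{my_sid} advertises {host}:{eport}; peers cannot connect back")
    return plan

def connect_back_target(cfg_text, remote_sid, listen_on_all_ips=False):
    """What a peer will dial after receiving remote_sid's initial message."""
    p = plan_for(cfg_text, remote_sid, listen_on_all_ips)
    return f"{p.advertised}:{p.election_port}"
```

With `listen_on_all_ips=True` the bind address becomes 0.0.0.0 while the advertised address stays the configured hostname, which is the decoupling the setting provides; whether that wider bind is acceptable on a multi-homed host is the firewall and topology question Mate raises.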
