On 09/08/2016 03:51 PM, Srinivas Naga Kotaru (skotaru) wrote:
> The scenario where I saw this happening was running a Consul with
> default settings. Because multiple different clusters were
> started using default settings the access details were the same.
> The way Consul finds other nodes is via Gossip which is done over
> UDP.

But (according to its documentation) it doesn't use multicast or anything like that to find other nodes; you tell the new server the address of an existing node in the cluster, and it gets the info about the other nodes from there. So if they were all initially configured to talk to the same initial server, which was either outside the OpenShift cluster or else in a global namespace, then they would all be able to talk to it and register themselves with it, and they would all learn each other's IP addresses in that way, but they wouldn't actually be able to communicate with each other (other than indirectly via the one server that they could all reach).

Anyway, if your original question is "can applications using UDP bypass multi-tenant isolation", then the answer is "no, they can't".

> By changing the settings for Consul this was resolved.

Changing how?

> This is
> also how I detected that other instances were running from a
> previous deploy. Consul nodes were popping up that I had previously
> deleted by deleting either the Pod or RC and yet the container in
> the Pod for the Consul agent was still running.

If there are bugs that make containers stay alive after they've been deleted then maybe those bugs make them able to talk to pods they shouldn't be able to talk to too. But I don't know of any such bugs.

-- Dan
