Hi Mate, suppose we do set quorumListenOnAllIPs to true. Will ZooKeeper still connect and form a quorum only with the static or dynamic server connection strings, or can it connect and form a quorum with any IP address outside the server connection strings, since it is allowed to bind to the 0.0.0.0 interface?
Ram,

I think you don't need to add this if you have a static IP config or are using 3.6+. If you feel it is a security issue for the organization, try ZK 3.6.1 without setting that config.

Regards,
Aishwarya Soni

On Tue, Jun 16, 2020 at 1:03 AM Szalay-Bekő Máté <[email protected]> wrote:

> Hi Ram,
>
> > all I want to know is by enabling this property there are no side effects or security risks.
>
> Well, this is something for you (or for your security team) to evaluate. E.g. if your hosts have multiple network interfaces with both "private" and "public" networks attached, then I can consider setting quorumListenOnAllIPs=true to be a security risk. Of course you can block the public access with proper firewall rules.
>
> But usually ZooKeeper is deployed in some secure / core infrastructure, well protected from DOS / other attacks, in which case quorumListenOnAllIPs=true is not a real security risk.
>
> This is something we (the ZooKeeper community) will not be able to tell, as this depends on your network topology and your security protocols. We can only help in explaining what this config is doing.
>
> Kind regards,
> Mate
>
> On Mon, Jun 15, 2020 at 7:12 PM rammohan ganapavarapu <[email protected]> wrote:
>
> > Mate,
> >
> > Thanks for explaining. All I want to know is whether, by enabling this property, there are no side effects or security risks.
> >
> > Ram
> >
> > On Sun, Jun 14, 2020 at 11:48 PM Szalay-Bekő Máté <[email protected]> wrote:
> >
> > > Hi Ram,
> > >
> > > I am not sure I understand your question. The config quorumListenOnAllIPs specifies whether the ports ZooKeeper uses for server-to-server communication should bind on the specified address/IP (quorumListenOnAllIPs=false) or on 0.0.0.0 (quorumListenOnAllIPs=true).
> > >
> > > An example: you configure your server list using either static or dynamic configuration like:
> > > server.1=a.foo.com:2888:3888
> > > server.2=b.foo.com:2888:3888
> > > ...
> > >
> > > In this case, when server.2 starts, it reads the config and then initiates a connection (for the ZK internal leader election protocol) to server.1 by connecting to a.foo.com:3888 and sending its own address (b.foo.com:3888), enabling server.1 to connect back. However, if server.2 is behind a proxy / using Kubernetes / whatever, then it is possible that you can reach server.2 as b.foo.com but the ZK process on server.2 cannot actually bind on b.foo.com:3888. In this case the easiest solution is to bind on 0.0.0.0:3888. However, you cannot set 0.0.0.0:3888 in the config file of server.2, since in this case server.2 would send 0.0.0.0:3888 in the initial message to server.1, and server.1 would try to connect back to server.2 using 0.0.0.0:3888, which is a bad idea. So in this case it comes in handy to set quorumListenOnAllIPs=true, which will cause ZooKeeper to bind on 0.0.0.0:3888 and still send a 'valid' address in the initial message, an address where other servers can reach it.
> > >
> > > I hope the explanation made it more (and not less) clear :p
> > >
> > > Kind regards,
> > > Mate
> > >
> > > On Fri, Jun 12, 2020 at 7:42 PM rammohan ganapavarapu <[email protected]> wrote:
> > >
> > > > Hi,
> > > >
> > > > I am trying to see what the pros and cons are of setting quorumListenOnAllIPs to true. Running a ZooKeeper cluster in mTLS or local proxy environments is not working when keeping the default value (false). So can someone please explain?
> > > >
> > > > Anyway, ZooKeeper will form a quorum with the server list from the zoo.conf static file, right? So by enabling this property, can any server or IP outside of the zoo.conf join the quorum?
> > > >
> > > > Ram
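To make the bind-versus-advertise distinction Mate describes concrete, here is an added Python model of the behaviour (it is not ZooKeeper's code and was not posted by anyone in this thread). It parses a constructed server list in the syntax quoted above and shows what each setting binds and advertises; the `local_addresses` set and the two error cases are assumptions that stand in for the proxy / Kubernetes scenario.

```python
"""Model of ZooKeeper's quorumListenOnAllIPs: the address a server BINDS its
election port to versus the address it ADVERTISES to peers (not ZK code)."""
import re

# Constructed zoo.cfg fragment in the thread's syntax: server.N=host:peerPort:electionPort
SAMPLE_CFG = """
server.1=a.foo.com:2888:3888
server.2=b.foo.com:2888:3888
server.3=c.foo.com:2888:3888
quorumListenOnAllIPs=true
"""
SERVER_RE = re.compile(r"^server\.(\d+)=([^:]+):(\d+):(\d+)")


def parse_zoo_cfg(text):
    """Return ({sid: (host, peer_port, election_port)}, listen_on_all_ips)."""
    servers, listen_all = {}, False
    for line in text.splitlines():
        line = line.strip()
        m = SERVER_RE.match(line)
        if m:
            sid, host, peer, election = m.groups()
            servers[int(sid)] = (host, int(peer), int(election))
        elif line.startswith("quorumListenOnAllIPs="):
            listen_all = line.split("=", 1)[1].strip().lower() == "true"
    return servers, listen_all


def quorum_election_socket(servers, listen_all, my_sid, local_addresses):
    """Return (bind_address, advertised_address) for this server's election port.

    local_addresses is a constructed set standing in for the interfaces the
    ZK process can actually bind to.
    """
    host, _peer_port, election_port = servers[my_sid]
    if host in ("0.0.0.0", "::"):
        # The configured host is what peers are told, so a wildcard here would
        # be advertised and nobody could connect back: the 'bad idea' above.
        raise ValueError(f"server.{my_sid}: wildcard host; set quorumListenOnAllIPs=true instead")
    bind_host = "0.0.0.0" if listen_all else host
    if bind_host != "0.0.0.0" and bind_host not in local_addresses:
        # Proxy / Kubernetes case: reachable as b.foo.com, but that name is not
        # a local address, so the default setting (false) cannot bind.
        raise OSError(f"cannot bind {bind_host}:{election_port}; only reachable via proxy")
    # With true: bound on every interface, yet the advertised address stays the
    # configured host, so peers can still connect back.
    return (bind_host, election_port), (host, election_port)
```

Note that the setting changes only where the socket listens; the server list decides which peers are configured, and an operator who enables it still has to restrict reachability of port 3888 at the network layer, as Mate points out.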
