Unable to connect to zookeeper from other software #1337
Comments
This is intentional. We do not want third-party applications to use the Zookeeper because it could have a negative impact on Kafka cluster availability and because Zookeeper is quite hard to secure. If you really need a workaround, you can use this deployment which can proxy Zookeeper (it expects your Kafka cluster to be named |
Thank you, just what I needed. I will keep your warnings in mind about destabilizing zookeeper, and only use it for readonly/debugging purposes. |
Unfortunately, I think there are still some problems with my zookeeper install. The zoo-entrance also gets timeouts: |
Right. Where are you running it? Kubernetes or OpenShift? Which version? I think when I wrote it, it was on an environment where I had disabled NetworkPolicies. If your network has NetworkPolicies enabled, we will need to add it. |
FYI: This should be the YAML:

```yaml
apiVersion: extensions/v1beta1
kind: NetworkPolicy
metadata:
  labels:
    app: zoo-entrance
  name: zoo-entrance
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: zoo-entrance
    ports:
    - port: 2181
      protocol: TCP
  podSelector:
    matchLabels:
      strimzi.io/name: my-cluster-zookeeper
  policyTypes:
  - Ingress
```
|
Running on kubernetes, cloud (OVH cloud provider). I am also investigating something on their side at the moment, it may be their config which is at fault. I will try to see if this is a problem with network policies |
Network policy works fine. I didn't think of looking at that. Thank you |
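Why the proxy timed out until the policy above was applied, as an added example (not code from Strimzi or zoo-entrance): a simplified model of NetworkPolicy ingress evaluation, in which every policy selecting a pod acts as an additive allow-list. `OPERATOR_POLICY` and its `example-broker` label are constructed assumptions, and only same-namespace `podSelector` peers with `matchLabels` are modelled.

```python
# Added example: simplified model of NetworkPolicy ingress evaluation.
# Assumes one namespace, matchLabels-only selectors and podSelector peers only.

def selects(selector, labels):
    """An empty selector matches every pod; otherwise every matchLabels pair must match."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def ingress_allowed(policies, dst_labels, src_labels, port, protocol="TCP"):
    """True if the src pod may open protocol/port on the dst pod under the given policies."""
    applicable = [p["spec"] for p in policies
                  if "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                  and selects(p["spec"].get("podSelector", {}), dst_labels)]
    if not applicable:
        return True  # no policy selects the pod: ingress is unrestricted
    for spec in applicable:  # policies are additive: any matching rule allows
        for rule in spec.get("ingress", []):
            peers, ports = rule.get("from"), rule.get("ports")
            peer_ok = not peers or any(
                "podSelector" in peer and selects(peer["podSelector"], src_labels)
                for peer in peers)
            port_ok = not ports or any(
                p.get("port") == port and p.get("protocol", "TCP") == protocol
                for p in ports)
            if peer_ok and port_ok:
                return True
    return False  # selected but unmatched: traffic is typically dropped, so clients time out

ZK_POD = {"strimzi.io/name": "my-cluster-zookeeper"}
PROXY_POD = {"app": "zoo-entrance"}
PORT_RULE = [{"port": 2181, "protocol": "TCP"}]

# Constructed stand-in (assumption) for a pre-existing policy that admits only brokers.
OPERATOR_POLICY = {"spec": {
    "podSelector": {"matchLabels": ZK_POD}, "policyTypes": ["Ingress"],
    "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "example-broker"}}}],
                 "ports": PORT_RULE}]}}

# The zoo-entrance policy posted in the thread, as a Python dict.
ZOO_ENTRANCE_POLICY = {"spec": {
    "podSelector": {"matchLabels": ZK_POD}, "policyTypes": ["Ingress"],
    "ingress": [{"from": [{"podSelector": {"matchLabels": PROXY_POD}}],
                 "ports": PORT_RULE}]}}

if __name__ == "__main__":
    before = ingress_allowed([OPERATOR_POLICY], ZK_POD, PROXY_POD, 2181)
    after = ingress_allowed([OPERATOR_POLICY, ZOO_ENTRANCE_POLICY], ZK_POD, PROXY_POD, 2181)
    print(f"proxy -> zookeeper:2181 before={before} after={after}")
```

Adding the second policy admits only pods labelled `app: zoo-entrance` on port 2181; any other client pod, or any other port, stays blocked.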
Yesterday I also met this problem. I am with you about security, but in my case it would be better to use the Strimzi zookeeper for external resources (HDFS components). But the suggested solution of deploying a proxy service does not fit my situation. I tried to change the config of tls-sidecar and use So thank you for the open source code, I made some changes to the sidecar containers to make it a simple proxy without TLS. Example: Replace
I don't start stunnel and leave the run script to throw nginx logs. And as a result, I change the images for the tls-sidecar containers in the operator deployment config:
Also, anyone can get my images, mentioned in the box above, and use/check them, or create their own custom ones. For a simple solution: just replace the used images in your file https://github.com/strimzi/strimzi-kafka-operator/blob/master/install/cluster-operator/050-Deployment-strimzi-cluster-operator.yaml as in the last box. |
For the sake of implementation, could @scholzj provide a Dockerfile for |
FYI: The Zoo entrance now lives in https://github.com/scholzj/zoo-entrance (including the Docker file) |
@scholzj works perfectly ☝️ |
I need this feature too. Running two ZooKeeper instances for one project usually just doesn't make sense. |
@rtsisyk You can use the tool from the repo above. We do not plan to implement this in Strimzi. Also, be careful since Zookeeper will soon be removed from Kafka as Kafka moves to replace it with its own RAFT protocol implementation. |
Yeah, I'm trying this workaround. Anyway, adding an extra layer to unwrap SSL doesn't look like a reasonable solution for me.
Good point. But this work is not finished yet and currently we have to deal with both Kafka and ZooKeeper. Any good implementations of ZooKeeper operators you can suggest? What about adding an option to use an external ZooKeeper for Strimzi? I'm trying to run ClickHouse, which needs both ZooKeeper and ClickHouse. Adding an extra ZooKeeper instance in this case doesn't make sense. |
As I said, I do not think we plan either of that anymore. Sorry. One of the reasons we never opened the Zookeeper was that we never really had an intention to support it beyond Kafka. I do not have any experience with any other Zookeeper operators I'm afraid. |
I am trying to use the zoo-entrance deployment for connecting to zookeeper but end up getting the errors below
Because of the above error I am not able to bring up the user operator successfully, errors in the user operator
Can someone help me understand what I might be doing wrong here? |
Please make sure you use the latest version of the Zoo entrance. Also, keep in mind that it is not part of Strimzi, so any issues should be raised in the Zoo entrance repo and not in Strimzi. |
I am trying to install kafka-manager but it asks for a zookeeper host (ZK_HOST). Giving it the zookeeper service at port 2181 ends up generating a timeout on the socket, probably because it is hitting the TlsSideCar instead, and is probably not configured to have access.
Same goes for trifecta, kafka-topics-ui, kafka-rest etc, basically everything that requires a ZK_HOST to start connecting to the cluster.
I was wondering if there was anything I could do to resolve this, to make them able to connect to zookeeper. I definitely tried to create a new service pointing to 21811 (the port that zookeeper container listens to) trying to bypass the TlsSideCar entirely but same, the connection times out.
Do you have any ideas of what else I could try?
Here are my logs from kafka-manager, but they are pretty much self explanatory:
[info] o.a.z.ClientCnxn - Opening socket connection to server kafka-zookeeper-direct.kafka.svc.cluster.local/10.3.197.87:2181. Will not attempt to authenticate using SASL (unknown error)
[warn] o.a.z.ClientCnxn - Client session timed out, have not heard from server in 60059ms for sessionid 0x0
[info] o.a.z.ClientCnxn - Client session timed out, have not heard from server in 60059ms for sessionid 0x0, closing socket connection and attempting reconnect
[info] o.a.z.ClientCnxn - Opening socket connection to server kafka-zookeeper-direct.kafka.svc.cluster.local/10.3.197.87:2181. Will not attempt to authenticate using SASL (unknown error)
[warn] o.a.c.ConnectionState - Connection attempt unsuccessful after 120324 (greater than max timeout of 60000). Resetting connection and trying again with a new connection.