istio: zookeeper stops working after injecting istio-proxy
Bug description
- Installed zookeeper via helm chart via instructions here: https://github.com/helm/charts/tree/master/incubator/zookeeper
All worked fine and validated each of the 3 pods within the stateful set is good and the quorum is established.
- Annotate the namespace with istio auto injection and kill each of the 3 zookeeper pod. Watch the pod restarted with istio-proxy however, none of the pod become running for long, always restarting:
$ k get services
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 172.21.0.1 <none> 443/TCP 167d
zookeeper ClusterIP 172.21.229.8 <none> 2181/TCP 4h42m
zookeeper-headless ClusterIP None <none> 2181/TCP,3888/TCP,2888/TCP 4h42m
(⎈ |linistio10/7caab3af9f514f028081a8180c107b69:default)
~/Downloads/istio-1.4.0 ⌚ 20:31:55
$ k get pods
NAME READY STATUS RESTARTS AGE
zookeeper-0 1/2 Running 62 3h32m
zookeeper-1 1/2 CrashLoopBackOff 61 3h31m
zookeeper-2 2/2 Running 62 3h30m
(⎈ |linistio10/7caab3af9f514f028081a8180c107b69:default)
~/Downloads/istio-1.4.0 ⌚ 20:38:48
$ k get statefulset
NAME READY AGE
zookeeper 1/3 4h49m
Chatted with @hzxuzhonghu briefly via #networking channel on slack - would like to open an issue to track this.
Expected behavior zookeeper continues to work, at least in permissive mode.
Steps to reproduce the bug see above
Version (include the output of istioctl version --remote and kubectl version and helm version if you used Helm)
$ istioctl version
client version: 1.4.0
control plane version: 1.4.0
data plane version: 1.3.2 (3 proxies), 1.4.0 (4 proxies)
How was Istio installed? istioctl manifest apply
Environment where bug was observed (cloud vendor, OS, etc) IBM Cloud K8s 1.14 cluster
About this issue
- Original URL
- State: closed
- Created 5 years ago
- Reactions: 5
- Comments: 30 (25 by maintainers)
Commits related to this issue
- Make zk listen to 0.0.0.0 for ports 2888/3888 as said here (https://github.com/istio/istio/issues/19280#issuecomment-560542530), zookeeper doesn't listen on 0.0.0.0 per default and then is not "servi... — committed to sylvainOL/zookeeper-operator by sylvainOL 5 years ago
- Make zk listen to 0.0.0.0 for ports 2888/3888 as said in https://github.com/istio/istio/issues/19280#issuecomment-560542530, zookeeper doesn't listen on 0.0.0.0 per default and then is not "service m... — committed to sylvainOL/zookeeper-operator by sylvainOL 5 years ago
works pretty well after i remove the annotation! @banix @snible thank you much for the suggestion of using quorumListenOnAllIPs.
Here is what I did.
echo “quorumListenOnAllIPs=true” >> $ZK_CONFIG_FILE
remove all istio related annotations for exclude ports in the zookeeper yaml
redeploy zookeeper yaml file. make sure all pods are deployed new and check init container to ensure the ports 2888/3888 aren’t there.
all zookeeper pods should be up running. exec into any of the zookerpods.
Found a workaround for this… zookeeper has 3 ports: 2181/TCP,3888/TCP,2888/TCP
2181 is for client connnections, and 3888/2888 are both used internally for leader election and followers. I went ahead and excluded 3888/2888 for inbound ports, e.g.
and redeployed the statefulset. After that, all my zookeeper pods are coming up fine and the quorum are established.
yes, you should not set
quorumListenOnAllIPsin istio 1.10.quorumListenOnAllIPsis an experimental flag from zookeeper and not recommended for production anyway.This looks like the issues we have with apps that do not listen on local host. This can be changed with updating one or more configuration parameters for a given app. Looking at zookeeper docs (https://zookeeper.apache.org/doc/r3.3.5/zookeeperAdmin.html#sc_configuration) I see:
looking into it.
The root cause is that zookeeper listens on pod ip only
Ref: https://istio.io/faq/applications/#cassandra
This is really a bad UX, @rshriram @howardjohn @lambdai any idea how can we solve this?