VPN Zookeeper client connection

VPN Zookeeper client connection

Vincenzo D'Amore
Hi all,

I'm unable to upload a file into a zookeeper instance running behind a VPN.

As far as I understood, after the first connection to client port 2181,
there is a second connection from client to server to a random port which
is dynamically assigned by zookeeper server.

INFO  [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxnFactory@197] - Accepted socket connection from /10.0.2.2:53159
INFO [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@868] - Client attempting to establish new session at /10.0.2.2:53159
INFO  [SyncThread:0:ZooKeeperServer@617] - Established session 0x14dd817fa700010 with negotiated timeout 20000 for client /10.0.2.2:53159
WARN  [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxn@357] - caught end of stream exception
EndOfStreamException: Unable to read additional data from client sessionid 0x14dd817fa700010, likely client has closed socket
    at org.apache.zookeeper.server.NIOServerCnxn.doIO(NIOServerCnxn.java:228)
    at org.apache.zookeeper.server.NIOServerCnxnFactory.run(NIOServerCnxnFactory.java:208)
    at java.lang.Thread.run(Thread.java:745)

53159 port is unreachable from outside, because it is random and cannot be
mapped to VPN access rules.

Is there a way to work around this problem?
May I define a static port or a port range for the second connection?



--
Vincenzo D'Amore
email: [hidden email]
skype: free.dev
mobile: +39 349 8513251
Re: VPN Zookeeper client connection

Chris Nauroth
Hello Vincenzo,

The 53159 port in this log doesn't represent a different, second
connection.  (There is no second TCP handshake initiated by sending a new
SYN packet.)  Instead, 53159 is the ephemeral port that the client
selected for its end of the socket connection.

Ephemeral ports are assigned by the OS, so the ZooKeeper software doesn't
have direct control over which port will be chosen.  Different OSes use a
different range by default, and the range can be reconfigured to something
else in the OS.  The IANA suggests 49152-65535, and this is what modern
versions of FreeBSD and Windows use by default.  Linux typically uses
32768-61000 by default.

Is it possible that your VPN setup is blocking outbound traffic on
ephemeral ports?  If so, then that could explain what you're seeing.  I'd
also expect it would break other client/server software.

If you absolutely must bind the client to a specific port number and open
a firewall rule for just that port, then you might be able to achieve that
by writing a custom class that subclasses
org.apache.zookeeper.ClientCnxnSocket and then starting the process with
argument -Dzookeeper.clientCnxnSocket=<your fully qualified class name>.
For more details, see the code here:

https://github.com/apache/zookeeper/blob/release-3.4.6/src/java/main/org/apache/zookeeper/ZooKeeper.java#L1772-1787


I haven't tried it myself, but this might give you a way to bind to a
specific local port.

--Chris Nauroth




On 6/9/15, 5:30 AM, "Vincenzo D'Amore" <[hidden email]> wrote:

>Hi all,
>
>I'm unable to upload a file into a zookeeper instance running behind a
>VPN.
>
>As far as I understood, after the first connection to client port 2181,
>there is a second connection from client to server to a random port which
>is dynamically assigned by zookeeper server.
>
>INFO  [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxnFactory@197] - Accepted socket connection from /10.0.2.2:53159
>INFO [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@868] - Client attempting to establish new session at /10.0.2.2:53159
>INFO  [SyncThread:0:ZooKeeperServer@617] - Established session 0x14dd817fa700010 with negotiated timeout 20000 for client /10.0.2.2:53159
>WARN  [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxn@357] - caught end of stream exception
>EndOfStreamException: Unable to read additional data from client sessionid 0x14dd817fa700010, likely client has closed socket
>    at org.apache.zookeeper.server.NIOServerCnxn.doIO(NIOServerCnxn.java:228)
>    at org.apache.zookeeper.server.NIOServerCnxnFactory.run(NIOServerCnxnFactory.java:208)
>    at java.lang.Thread.run(Thread.java:745)
>
>53159 port is unreachable from outside, because it is random and cannot be
>mapped to VPN access rules.
>
>Is there a way to work around this problem?
>May I define a static port or a port range for the second connection?
>
>
>
>--
>Vincenzo D'Amore
>email: [hidden email]
>skype: free.dev
>mobile: +39 349 8513251
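
Added example (not part of the original thread, and not ZooKeeper code): the sketch below reads the client endpoint out of the "Accepted socket connection" log line from the first post, checks it against the two default ranges named in the reply, and then uses plain Python sockets on loopback as a stand-in for the ZooKeeper client and server to show that the port the server logs is simply the source port of the one and only TCP connection. The function names and the loopback listener are assumptions made for this illustration.

```python
import re
import socket

# Default ephemeral ranges as quoted in the reply above.
IANA_RANGE = (49152, 65535)
LINUX_DEFAULT_RANGE = (32768, 61000)

# Log line copied from the original post.
LOG_LINE = (
    "INFO  [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxnFactory@197] "
    "- Accepted socket connection from /10.0.2.2:53159"
)

def client_endpoint(log_line):
    """Return (ip, port) of the client named in an 'Accepted socket connection' line."""
    m = re.search(r"Accepted socket connection from /(\d+(?:\.\d+){3}):(\d+)", log_line)
    if m is None:
        raise ValueError("not an 'Accepted socket connection' line")
    return m.group(1), int(m.group(2))

def in_range(port, port_range):
    return port_range[0] <= port <= port_range[1]

def observe_source_port(local_port=0):
    """Open ONE TCP connection to a loopback listener and return
    (source port the client reports, peer port the server would log).
    local_port=0 lets the OS choose an ephemeral port; a non-zero value
    binds the client side to that port before connecting."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))  # stand-in for the server's port 2181
        srv.listen(1)
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as cli:
            cli.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            cli.bind(("127.0.0.1", local_port))
            cli.connect(srv.getsockname())
            conn, peer = srv.accept()
            conn.close()
            return cli.getsockname()[1], peer[1]

if __name__ == "__main__":
    ip, port = client_endpoint(LOG_LINE)
    print(ip, port, "IANA:", in_range(port, IANA_RANGE),
          "Linux default:", in_range(port, LINUX_DEFAULT_RANGE))
    print("client port / port seen by server:", observe_source_port())
```

For firewall rules this means the client side needs outbound access from its ephemeral range to server port 2181, with return traffic for the established connection allowed; no inbound rule for the ephemeral port is involved.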

Re: VPN Zookeeper client connection

Vincenzo D'Amore
Thanks Chris for your explanation, yes there was a setup blocking outbound
traffic.

On Tue, Jun 9, 2015 at 7:08 PM, Chris Nauroth <[hidden email]>
wrote:

> Hello Vincenzo,
>
> The 53159 port in this log doesn't represent a different, second
> connection.  (There is no second TCP handshake initiated by sending a new
> SYN packet.)  Instead, 53159 is the ephemeral port that the client
> selected for its end of the socket connection.
>
> Ephemeral ports are assigned by the OS, so the ZooKeeper software doesn't
> have direct control over which port will be chosen.  Different OSes use a
> different range by default, and the range can be reconfigured to something
> else in the OS.  The IANA suggests 49152-65535, and this is what modern
> versions of FreeBSD and Windows use by default.  Linux typically uses
> 32768-61000 by default.
>
> Is it possible that your VPN setup is blocking outbound traffic on
> ephemeral ports?  If so, then that could explain what you're seeing.  I'd
> also expect it would break other client/server software.
>
> If you absolutely must bind the client to a specific port number and open
> a firewall rule for just that port, then you might be able to achieve that
> by writing a custom class that subclasses
> org.apache.zookeeper.ClientCnxnSocket and then starting the process with
> argument -Dzookeeper.clientCnxnSocket=<your fully qualified class name>.
> For more details, see the code here:
>
> https://github.com/apache/zookeeper/blob/release-3.4.6/src/java/main/org/apache/zookeeper/ZooKeeper.java#L1772-1787
>
>
> I haven't tried it myself, but this might give you a way to bind to a
> specific local port.
>
> --Chris Nauroth


--
Vincenzo D'Amore
email: [hidden email]
skype: free.dev
mobile: +39 349 8513251
Re: VPN Zookeeper client connection

Vanecek_84
This post has NOT been accepted by the mailing list yet.
In reply to this post by Vincenzo D'Amore
Using VPN can be very beneficial especially when you are accessing public WIFI networks. I use a free service for my android phone but have just bought the HMA vpn for kodi. They allow multiple connections so I can use it on my phone as well. Such a great value for money.