Posted to user@zookeeper.apache.org by Jan Høydahl <ja...@cominvent.com> on 2019/07/28 11:27:03 UTC

Default for secureClientPort and adminServer

Hi

The default reserved port number for Zookeeper is 2181. So when installing ZK using package managers that's typically what you'll get.
Now with Netty and SSL you want clients to connect to secureClientPort. In the Confluence page examples are given with port 2281. But is there some best practice or recommendation on which port to use? Specifically:

- Is 2281 a recommended default?
- Or is it better to use 2181 for secureClientPort and disable old clientPort?

Likewise the new AdminServer defaults to 8080 (same as plain Jetty). Would it not be beneficial to have a well known port, say 2191 that clients/apps could use as default, and assume that if you apt-get install zookeeper or run it via docker, that would be the port AdminServer listens to?

I'm asking because I believe in well-defined conventions. I'm a Solr committer and we need to document to users how to configure Zookeeper with SSL, and choose defaults in our clients talking to Zookeeper, including AdminServer. Ideally I hope the ZK project actively recommends ports for clientPort, secureClientPort and AdminServer in the 21xx range and let that trickle down to downstream package managers and installer makers. Seeing 8080 in a firewall setup tells you nothing, but seeing 2191 would immediately ring a bell.

--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com


Re: Default for secureClientPort and adminServer

Posted by Enrico Olivelli <eo...@gmail.com>.
On Sun, 28 Jul 2019, 19:44 Jan Høydahl <ja...@cominvent.com> wrote:

> Thanks,
>
> Port unification sounds great.
>
> > client that works both with and without SSL, the same for the client and
> > the same for the admin server.
>
>
> Are you saying that you'll serve the AdminServer on a sub path of the main
> clientPort, so we'll only need to connect to one port and use the same SSL
> cert? Or will AdminServer still require its own port?
>

AdminServer will have its own port.

We are also introducing a new pluggable metrics publishing system, with
support, for instance, for Prometheus.io, and it will require a different
port as well.

Enrico


> --
> Jan Høydahl, search solution architect
> Cominvent AS - www.cominvent.com
>
> > On 28 Jul 2019, at 13:53, Enrico Olivelli <eo...@gmail.com> wrote:
> >
> > Jan
> >
> > On Sun, 28 Jul 2019, 13:27 Jan Høydahl <ja...@cominvent.com> wrote:
> >
> >> Hi
> >>
> >> The default reserved port number for Zookeeper is 2181. So when installing
> >> ZK using package managers that's typically what you'll get.
> >> Now with Netty and SSL you want clients to connect to secureClientPort. In
> >> the Confluence page examples are given with port 2281. But is there some
> >> best practice or recommendation on which port to use? Specifically:
> >>
> >> - Is 2281 a recommended default?
> >> - Or is it better to use 2181 for secureClientPort and disable old
> >> clientPort?
> >>
> >
> > I am not sure if there is a right answer to this question.
> > But on 3.6.0 we will have 'port unification' that is that we have only one
> > client that works both with and without SSL, the same for the client and
> > the same for the admin server.
> >
> > Enrico
> >
> >
> >> Likewise the new AdminServer defaults to 8080 (same as plain Jetty). Would
> >> it not be beneficial to have a well known port, say 2191 that clients/apps
> >> could use as default, and assume that if you apt-get install zookeeper or
> >> run it via docker, that would be the port AdminServer listens to?
> >>
> >> I'm asking because I believe in well-defined conventions. I'm a Solr
> >> committer and we need to document to users how to configure Zookeeper with
> >> SSL, and choose defaults in our clients talking to Zookeeper, including
> >> AdminServer. Ideally I hope the ZK project actively recommends ports for
> >> clientPort, secureClientPort and AdminServer in the 21xx range and let that
> >> trickle down to downstream package managers and installer makers. Seeing
> >> 8080 in a firewall setup tells you nothing, but seeing 2191 would
> >> immediately ring a bell.
> >>
> >> --
> >> Jan Høydahl, search solution architect
> >> Cominvent AS - www.cominvent.com
> >>
> >>
>
>

Re: Default for secureClientPort and adminServer

Posted by Jan Høydahl <ja...@cominvent.com>.
Thanks,

Port unification sounds great. 

> client that works both with and without SSL, the same for the client and the same for the admin server.


Are you saying that you'll serve the AdminServer on a sub path of the main clientPort, so we'll only need to connect to one port and use the same SSL cert? Or will AdminServer still require its own port?

--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com

> On 28 Jul 2019, at 13:53, Enrico Olivelli <eo...@gmail.com> wrote:
> 
> Jan
> 
> On Sun, 28 Jul 2019, 13:27 Jan Høydahl <ja...@cominvent.com> wrote:
> 
>> Hi
>> 
>> The default reserved port number for Zookeeper is 2181. So when installing
>> ZK using package managers that's typically what you'll get.
>> Now with Netty and SSL you want clients to connect to secureClientPort. In
>> the Confluence page examples are given with port 2281. But is there some
>> best practice or recommendation on which port to use? Specifically:
>> 
>> - Is 2281 a recommended default?
>> - Or is it better to use 2181 for secureClientPort and disable old
>> clientPort?
>> 
> 
> I am not sure if there is a right answer to this question.
> But on 3.6.0 we will have 'port unification' that is that we have only one
> client that works both with and without SSL, the same for the client and
> the same for the admin server.
> 
> Enrico
> 
> 
>> Likewise the new AdminServer defaults to 8080 (same as plain Jetty). Would
>> it not be beneficial to have a well known port, say 2191 that clients/apps
>> could use as default, and assume that if you apt-get install zookeeper or
>> run it via docker, that would be the port AdminServer listens to?
>> 
>> I'm asking because I believe in well-defined conventions. I'm a Solr
>> committer and we need to document to users how to configure Zookeeper with
>> SSL, and choose defaults in our clients talking to Zookeeper, including
>> AdminServer. Ideally I hope the ZK project actively recommends ports for
>> clientPort, secureClientPort and AdminServer in the 21xx range and let that
>> trickle down to downstream package managers and installer makers. Seeing
>> 8080 in a firewall setup tells you nothing, but seeing 2191 would
>> immediately ring a bell.
>> 
>> --
>> Jan Høydahl, search solution architect
>> Cominvent AS - www.cominvent.com
>> 
>> 


Re: Default for secureClientPort and adminServer

Posted by Enrico Olivelli <eo...@gmail.com>.
Jan

On Sun, 28 Jul 2019, 13:27 Jan Høydahl <ja...@cominvent.com> wrote:

> Hi
>
> The default reserved port number for Zookeeper is 2181. So when installing
> ZK using package managers that's typically what you'll get.
> Now with Netty and SSL you want clients to connect to secureClientPort. In
> the Confluence page examples are given with port 2281. But is there some
> best practice or recommendation on which port to use? Specifically:
>
> - Is 2281 a recommended default?
> - Or is it better to use 2181 for secureClientPort and disable old
> clientPort?
>

I am not sure if there is a right answer to this question.
But on 3.6.0 we will have 'port unification' that is that we have only one
client that works both with and without SSL, the same for the client and
the same for the admin server.

Enrico


> Likewise the new AdminServer defaults to 8080 (same as plain Jetty). Would
> it not be beneficial to have a well known port, say 2191 that clients/apps
> could use as default, and assume that if you apt-get install zookeeper or
> run it via docker, that would be the port AdminServer listens to?
>
> I'm asking because I believe in well-defined conventions. I'm a Solr
> committer and we need to document to users how to configure Zookeeper with
> SSL, and choose defaults in our clients talking to Zookeeper, including
> AdminServer. Ideally I hope the ZK project actively recommends ports for
> clientPort, secureClientPort and AdminServer in the 21xx range and let that
> trickle down to downstream package managers and installer makers. Seeing
> 8080 in a firewall setup tells you nothing, but seeing 2191 would
> immediately ring a bell.
>
> --
> Jan Høydahl, search solution architect
> Cominvent AS - www.cominvent.com
>
>