Hi!

So, I am in the process of enabling SSL on our instance of Zuul and a little surprised to see that no version of Zookeeper in Debian/Ubuntu repos actually supports SSL. The installation docs for Zuul don't seem to reference how to install zookeeper, except installing the version that doesn't support SSL.

How are others doing this? Does anyone know of an existing PPA to pull zookeeper from?

Paul
On Thu, Jun 10, 2021 at 23:55 Paul Belanger wrote:
We are packaging the upstream binary release with this RPM spec file: https://softwarefactory-project.io/cgit/rpms/zookeeper/tree/zookeeper.spec

And there is also a zuul-jobs role to install the service: https://zuul-ci.org/docs/zuul-jobs/system-roles.html#role-ensure-zookeeper

Regards,
-Tristan
Hi Paul,

Sorry that it took some time. Your question caught me in understanding that we never finished proper automation of that part (quite some manual messing was always required).

Base __was__ https://github.com/opentelekomcloud-infra/ansible-role-zookeeper which has nothing to do with SSL, but already deployed the cluster as podman/systemd.

- https://github.com/opentelekomcloud-infra/system-config/pull/186 - A PR into our system-config repo with the setup. There are still some activities to at least create any reasonable tests for that. (SSL certs are generated by the x509 role with a custom CA.)

A bit of a challenge is that if your SSL certs are not using IP addresses (at least as alt_name) you are forced to have DNS (forward and reverse) functioning properly, otherwise the cluster doesn’t really build up.

An additional thing is that the cli works only as “zkCli.sh -server MY_IP:2281”. For not yet identified reasons it simply doesn’t want to work with localhost. The same problem is there for “zkServer.sh”, except that we have not found a way to make it work at all. There is likely a small bug somewhere, but after 1 day of fighting with it I simply do not see it.

Hope this helps.

Regards,
Artem
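The certificate/DNS dependency described in the message above can be modelled offline. This is an added example, not code from the thread or from ZooKeeper; the check order (IP alt name first, then reverse-resolved and forward-confirmed host name) is an assumption, and the host names, addresses and DNS tables are constructed.

```python
import ipaddress

def peer_cert_acceptable(peer_ip, san, reverse_dns, forward_dns):
    """Decide whether a quorum peer connecting from peer_ip matches its cert.

    san         -- subjectAltName tuples, same shape as ssl.getpeercert()
    reverse_dns -- constructed PTR table: ip string -> host name
    forward_dns -- constructed A/AAAA table: host name -> list of ip strings
    Returns (ok, reason).
    """
    ip = ipaddress.ip_address(peer_ip)
    ip_sans = {ipaddress.ip_address(v) for kind, v in san if kind == "IP Address"}
    if ip in ip_sans:
        return True, "ip-san"  # IP alt name present: no DNS needed at all
    name = reverse_dns.get(peer_ip)
    if name is None:
        return False, "no-reverse-dns"
    # Forward-confirm the PTR answer so a spoofed reverse record is rejected.
    forward = {ipaddress.ip_address(a) for a in forward_dns.get(name, [])}
    if ip not in forward:
        return False, "forward-mismatch"
    dns_sans = {v.lower().rstrip(".") for kind, v in san if kind == "DNS"}
    if name.lower().rstrip(".") in dns_sans:
        return True, "dns-san"
    return False, "name-not-in-san"

# Constructed sample data (documentation address range, made-up host names).
CERT_WITH_IP = (("DNS", "zk1.example.test"), ("IP Address", "192.0.2.11"))
CERT_DNS_ONLY = (("DNS", "zk2.example.test"),)
CERT_ZK3 = (("DNS", "zk3.example.test"),)
PTR = {"192.0.2.12": "zk2.example.test", "192.0.2.13": "zk3.example.test"}
A = {"zk2.example.test": ["192.0.2.12"], "zk3.example.test": ["192.0.2.99"]}

def demo():
    return [
        peer_cert_acceptable("192.0.2.11", CERT_WITH_IP, {}, {}),    # DNS absent, still fine
        peer_cert_acceptable("192.0.2.12", CERT_DNS_ONLY, PTR, A),   # healthy DNS
        peer_cert_acceptable("192.0.2.12", CERT_DNS_ONLY, {}, A),    # PTR record missing
        peer_cert_acceptable("192.0.2.13", CERT_ZK3, PTR, A),        # A record points elsewhere
    ]

if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```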
On 2021-06-10 23:55:34 -0400 (-0400), Paul Belanger wrote:
I agree, it looks like they're just pulling whatever Debian has, which at present is 3.4[*] (minimum versions for SSL seem to be 3.5.1/3.6.0[**]).
Unfortunately the guides I'm turning up for installing newer ZK all seem to recommend deploying from the upstream release tarball (after prerequisites from relevant distro packages).

[*] https://packages.debian.org/zookeeper
[**] https://issues.apache.org/jira/browse/ZOOKEEPER-2125

--
Jeremy Stanley
On Fri, Jun 11, 2021, at 7:24 AM, Jeremy Stanley wrote:
Before switching to the docker containers I did this for a long time as part of my zuul unittesting setup. It works well; it even includes init scripts you can use. The biggest downside is you are on the hook for figuring out updates manually.
participants (5)
- Artem Goncharov
- Clark Boylan
- Jeremy Stanley
- Paul Belanger
- Tristan Cacqueray