Configuring the ZooKeeper Connection
Scenarios
ZooKeeper provides the server-side maxClientCnxns parameter, which limits the number of connections from each client IP address. However, during a denial-of-service (DoS) attack, many clients can create countless unnecessary connections and consume all ZooKeeper resources. As a result, other clients fail to create legitimate connections, or the server may even break down.
To limit the maximum number of connections to a single ZooKeeper server, a new configuration is introduced on all ZooKeeper servers. Each server checks the total number of active connections before accepting a new connection request.
Configuration Description
Go to the All Configurations page of ZooKeeper by referring to Modifying Cluster Service Configuration Parameters. Enter a parameter name in the search box. Configure maxClientCnxns and maxCnxns to limit the maximum number of connections on each host and the total number of connections on the ZooKeeper server.
Parameter | Description | Default Value |
---|---|---|
maxClientCnxns | Limits the number of client connections to a ZooKeeper server in the ZooKeeper cluster. Clients are distinguished by IP address. The configuration is the same as that in the open source version. | 2000 |
maxCnxns | Specifies the maximum number of client connections allowed by a single ZooKeeper server. Clients are not differentiated by IP address. | 20000 |
Note
The ZooKeeper connection control function is based on IP addresses, not on specific users. If all connections of an IP address are occupied by a few services, other mandatory services from the same IP address may fail to connect to ZooKeeper. Therefore, ensure that only trusted applications are allowed to connect to ZooKeeper and that the maximum number of connections is configured accordingly.
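The following added example (not part of the original documentation) shows one way to monitor how close a ZooKeeper server is to both limits, including the case in the note where one IP address uses up its per-IP quota while the server total is still low. It assumes connection lines in the format printed by `ss -Htn` on the ZooKeeper host and the default client port 2181; the function names, the 80% warning ratio and the sample data are constructed for illustration, and counting established TCP connections only approximates the server's own connection count.

```python
from collections import Counter

ZK_PORT = 2181  # assumption: default ZooKeeper client port


def peer_ip(endpoint):
    """Return the IP part of an endpoint such as 10.0.0.21:51234 or [::1]:51234."""
    host, _, _port = endpoint.rpartition(":")
    return host.strip("[]")


def connection_usage(ss_lines, max_client_cnxns, max_cnxns, port=ZK_PORT, warn_ratio=0.8):
    """Compare established client connections with the per-IP and per-server limits."""
    per_ip = Counter()
    for line in ss_lines:
        fields = line.split()
        # Expected columns: State Recv-Q Send-Q Local:Port Peer:Port
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue
        local, peer = fields[3], fields[4]
        if local.rpartition(":")[2] != str(port):
            continue  # not a connection to the ZooKeeper client port
        per_ip[peer_ip(peer)] += 1
    total = sum(per_ip.values())
    alerts = []
    for ip, count in sorted(per_ip.items()):
        if count >= warn_ratio * max_client_cnxns:
            alerts.append(f"{ip}: {count}/{max_client_cnxns} (maxClientCnxns)")
    if total >= warn_ratio * max_cnxns:
        alerts.append(f"server: {total}/{max_cnxns} (maxCnxns)")
    return total, per_ip, alerts


# Constructed sample input: four services on 10.0.0.21 share one per-IP quota.
SAMPLE = (
    ["ESTAB 0 0 10.0.0.5:2181 10.0.0.21:%d" % (50000 + i) for i in range(4)]
    + ["ESTAB 0 0 10.0.0.5:2181 10.0.0.22:51000",
       "ESTAB 0 0 [::ffff:10.0.0.5]:2181 [::ffff:10.0.0.23]:51001",
       "TIME-WAIT 0 0 10.0.0.5:2181 10.0.0.21:49999",  # not established, ignored
       "ESTAB 0 0 10.0.0.5:22 10.0.0.99:40000"]        # other port, ignored
)

if __name__ == "__main__":
    # Limits are scaled down to fit the sample; the defaults are 2000 and 20000.
    total, per_ip, alerts = connection_usage(SAMPLE, max_client_cnxns=5, max_cnxns=50)
    print(total, dict(per_ip))
    print("\n".join(alerts) or "within limits")
```

With the real limits, pass the configured maxClientCnxns and maxCnxns values and feed the function the current connection list from the server host.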