Learn about the known issues in ZooKeeper, the impact or changes to the functionality,
and the workaround.
- OPSAPS-61188: ZooKeeper start fails with custom user as contents inside /var/lib/zookeeper have "zookeeper" as owner instead of the custom user
- In Cloudera Manager, the Process Username for ZooKeeper can be changed from the default zookeeper value to any custom value. This configuration change in Cloudera Manager automatically changes the owner of the /var/lib/zookeeper folder but keeps zookeeper as the owner of any folders or files inside /var/lib/zookeeper, such as myid and version-2. As a result, ZooKeeper fails to start because it needs to read the snapshots and txnlogs from the /var/lib/zookeeper/version-2 folder when starting.
- Ensure that you changed the Process Username to a username that exists on the OS.
- Manually change the owner.
  - Log in to the node.
  - Recursively change the owner of /var/lib/zookeeper using the chown -R command.
- zookeeper-client does not use ZooKeeper TLS/SSL automatically
- The command-line tool zookeeper-client is installed on all Cloudera nodes and can be used to start the default Java command-line ZooKeeper client. However, even when ZooKeeper TLS/SSL is enabled, the zookeeper-client command connects to localhost:2181 without using TLS/SSL.
- Manually configure the 2182 port when zookeeper-client connects to a ZooKeeper cluster. The following is an example of connecting to a specific three-node ZooKeeper cluster using TLS/SSL:
CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.ssl.keyStore.location=<path to your configured keystore> -Dzookeeper.ssl.keyStore.password=<the password you configured for the keystore> -Dzookeeper.ssl.trustStore.location=<path to your configured truststore> -Dzookeeper.ssl.trustStore.password=<the password you configured for the truststore> -Dzookeeper.client.secure=true" zookeeper-client -server <your.zookeeper.server-1>:2182,<your.zookeeper.server-2>:2182,<your.zookeeper.server-3>:2182
- TLS v1.3 Support for CDP in ZooKeeper
- ZooKeeper does not support TLS v1.3.
- To configure TLS v1.3, add the following properties in the Server Advanced Configuration Snippet (Safety Valve) for zoo.cfg file.
ssl.protocol=TLSv1.3
ssl.enabledProtocols=TLSv1.3,TLSv1.2
ssl.ciphersuites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256
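
A check to run on the TLS properties before pasting them into the Safety Valve, as an added example (not Cloudera's or ZooKeeper's code): it flags a cipher-suite value that was wrapped or truncated in copy-paste, and an enabled protocol that has no matching suite in the list. The function name, the suite-name pattern and the sample inputs are assumptions of this example.

```python
import re

# TLS 1.3 suite names, as they appear in the page's ssl.ciphersuites value.
TLS13 = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
         "TLS_CHACHA20_POLY1305_SHA256"}
# Assumed shape of a complete TLS 1.2 name like those on the page:
# TLS_<key exchange>_WITH_<cipher>_SHA256|SHA384.
TLS12 = re.compile(r"^TLS_[A-Z0-9_]+_WITH_[A-Z0-9_]+_SHA(256|384)$")

def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def check_snippet(text):
    """Return a list of problems found in a zoo.cfg TLS snippet."""
    problems, props = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:  # typical result of a long value wrapped onto a new line
            problems.append(f"line {n}: not key=value: {line[:40]}")
            continue
        props[key.strip()] = value.strip()
    protocols = _csv(props.get("ssl.enabledProtocols", ""))
    default = props.get("ssl.protocol")
    if default and protocols and default not in protocols:
        problems.append(f"ssl.protocol={default} is not in ssl.enabledProtocols")
    suites = _csv(props.get("ssl.ciphersuites", ""))
    for s in suites:
        if s not in TLS13 and not TLS12.match(s):
            problems.append(f"ssl.ciphersuites: truncated or unrecognised name: {s}")
    # An explicit suite list must still contain a suite for each enabled protocol.
    if suites and "TLSv1.3" in protocols and not any(s in TLS13 for s in suites):
        problems.append("TLSv1.3 is enabled but no TLS 1.3 suite is listed")
    if suites and "TLSv1.2" in protocols and not any(TLS12.match(s) for s in suites):
        problems.append("TLSv1.2 is enabled but no TLS 1.2 suite is listed")
    return problems

# Constructed sample: the page's properties with a shortened suite list.
GOOD = ("ssl.protocol=TLSv1.3\n"
        "ssl.enabledProtocols=TLSv1.3,TLSv1.2\n"
        "ssl.ciphersuites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_AES_256_GCM_SHA384\n")
# Constructed sample: the same value broken mid-name by a line wrap.
WRAPPED = GOOD.replace("TLS_ECDHE_RSA", "TLS_E\nCDHE_RSA")

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("WRAPPED", WRAPPED)):
        print(name, check_snippet(text) or "ok")
```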