Troubleshooting: ZooKeeper still uses NIOServerCnxnFactory after NettyServerCnxnFactory is configured
ZooKeeper SSL configuration problem: troubleshooting why NIOServerCnxnFactory is not replaced by NettyServerCnxnFactory
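Symptoms
A ZooKeeper node is deployed with the confluentinc/cp-zookeeper:7.4.1 image. ZOO_CFG_EXTRA sets serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory and the SSL-related settings are enabled, but the log shows that ZooKeeper still uses NIOServerCnxnFactory and throws an "SSL isn't supported in NIOServerCnxn" exception.
Relevant logs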
```
[2025-09-01 08:36:27,729] INFO Using org.apache.zookeeper.server.NIOServerCnxnFactory as server connection factory (org.apache.zookeeper.server.ServerCnxnFactory)
[2025-09-01 08:36:27,731] INFO Configuring NIO connection handler with 10s sessionless connection timeout, 1 selector thread(s), 8 worker threads, and 64 kB direct buffers. (org.apache.zookeeper.server.NIOServerCnxnFactory)
[2025-09-01 08:36:27,732] INFO binding to port 0.0.0.0/0.0.0.0:2181 (org.apache.zookeeper.server.NIOServerCnxnFactory)
[2025-09-01 08:36:27,774] INFO Using org.apache.zookeeper.server.NIOServerCnxnFactory as server connection factory (org.apache.zookeeper.server.ServerCnxnFactory)
java.lang.UnsupportedOperationException: SSL isn't supported in NIOServerCnxn
    at org.apache.zookeeper.server.NIOServerCnxnFactory.configure(NIOServerCnxnFactory.java:635)
```
Container configuration
```yaml
zookeeper-3:
  image: confluentinc/cp-zookeeper:7.4.1
  hostname: zookeeper-3
  container_name: zookeeper-3
  volumes:
    - ./zookeeper-3_data:/var/lib/zookeeper/data
    - ./zookeeper-3_log:/var/lib/zookeeper/log
    - ./security/keystore/zookeeper-3.keystore.jks:/security/zookeeper-3.keystore.jks
    - ./security/truststore/zookeeper-3.truststore.jks:/security/zookeeper-3.truststore.jks
  environment:
    ZOOKEEPER_CLIENT_PORT: 2181
    ZOOKEEPER_SECURE_CLIENT_PORT: 2281
    ZOOKEEPER_TICK_TIME: 2000
    ZOO_MY_ID: 3
    ZOO_SERVERS: 'server.1=zookeeper-1:2888:3888;2181 server.2=zookeeper-2:2888:3888;2181 server.3=zookeeper-3:2888:3888;2181'
    ZOO_CFG_EXTRA: "sslQuorum=true portUnification=true serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory ssl.quorum.hostnameVerification=false ssl.quorum.keyStore.location=/security/zookeeper-3.keystore.jks ssl.quorum.keyStore.password=password ssl.quorum.trustStore.location=/security/zookeeper-3.truststore.jks ssl.quorum.trustStore.password=password secureClientPort=2281 ssl.hostnameVerification=false ssl.keyStore.location=/security/zookeeper-3.keystore.jks ssl.keyStore.password=password ssl.trustStore.location=/security/zookeeper-3.truststore.jks ssl.trustStore.password=password"
```
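Root cause
The core problem is the precedence logic in the startup script of the Confluent cp-zookeeper image:
- When the environment variables ZOOKEEPER_CLIENT_PORT and ZOOKEEPER_SECURE_CLIENT_PORT are set, the image's startup script automatically generates the corresponding configuration entries and forces the plain client port (2181) to be bound with NIOServerCnxnFactory
- The serverCnxnFactory set in ZOO_CFG_EXTRA is then overridden by the configuration the startup script generates, so ZooKeeper keeps using NIOServerCnxnFactory, which does not support SSL, and the exception is thrown
- The configuration defines secureClientPort twice, once in ZOO_CFG_EXTRA and once through the environment variable, which makes the configuration conflict worse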
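Solution
- Remove the conflicting environment variables: delete ZOOKEEPER_CLIENT_PORT and ZOOKEEPER_SECURE_CLIENT_PORT, and move clientPort=2181 and secureClientPort=2281 entirely into ZOO_CFG_EXTRA
- Adjust the configuration order: make sure serverCnxnFactory appears near the front of ZOO_CFG_EXTRA so that later entries do not override it
- Clean up duplicate configuration: delete the repeated secureClientPort entry in ZOO_CFG_EXTRA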
Example of the container environment configuration after the change:
```yaml
environment:
  ZOOKEEPER_TICK_TIME: 2000
  ZOO_MY_ID: 3
  ZOO_SERVERS: 'server.1=zookeeper-1:2888:3888;2181 server.2=zookeeper-2:2888:3888;2181 server.3=zookeeper-3:2888:3888;2181'
  ZOO_CFG_EXTRA: "clientPort=2181 secureClientPort=2281 sslQuorum=true portUnification=true serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory ssl.quorum.hostnameVerification=false ssl.quorum.keyStore.location=/security/zookeeper-3.keystore.jks ssl.quorum.keyStore.password=password ssl.quorum.trustStore.location=/security/zookeeper-3.truststore.jks ssl.quorum.trustStore.password=password ssl.hostnameVerification=false ssl.keyStore.location=/security/zookeeper-3.keystore.jks ssl.keyStore.password=password ssl.trustStore.location=/security/zookeeper-3.truststore.jks ssl.trustStore.password=password"
```
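- Restart the container and verify: after the restart, check the log and confirm that the output now reads Using org.apache.zookeeper.server.NettyServerCnxnFactory as server connection factory, with no SSL-related exceptions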
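A check for the conflicts listed under the root cause and for the log verification in the last step, as an added example (not code from the original post, Confluent or ZooKeeper); the function names and the reduced sample inputs are constructed for illustration. It goes one step beyond the page by also flagging the hostnameVerification=false entries, which turn off TLS hostname verification.

```python
import re

NETTY = "org.apache.zookeeper.server.NettyServerCnxnFactory"
# Environment variable -> zoo.cfg key it duplicates, per the page's diagnosis.
PORT_VARS = {"ZOOKEEPER_CLIENT_PORT": "clientPort",
             "ZOOKEEPER_SECURE_CLIENT_PORT": "secureClientPort"}

def lint_env(env):
    """Return findings for a compose `environment:` map passed as a dict."""
    pairs = [item.split("=", 1) for item in env.get("ZOO_CFG_EXTRA", "").split()
             if "=" in item]
    keys = [k for k, _ in pairs]
    findings = [f"{var} set: remove it and set {key} only in ZOO_CFG_EXTRA"
                for var, key in PORT_VARS.items() if var in env]
    findings += [f"{k} repeated in ZOO_CFG_EXTRA"
                 for k in sorted(set(keys)) if keys.count(k) > 1]
    if "secureClientPort" in keys and ["serverCnxnFactory", NETTY] not in pairs:
        findings.append("secureClientPort without NettyServerCnxnFactory")
    findings += [f"{k}=false turns off TLS hostname verification"
                 for k, v in pairs if k.endswith("hostnameVerification") and v == "false"]
    return findings

def factories_in_log(log_text):
    """Connection factory classes ZooKeeper reports choosing, in log order."""
    return re.findall(r"Using (\S+) as server connection factory", log_text)

def startup_ok(log_text):
    """True only if every factory chosen is Netty and the NIO SSL error is absent."""
    chosen = factories_in_log(log_text)
    return (bool(chosen) and all(c == NETTY for c in chosen)
            and "SSL isn't supported in NIOServerCnxn" not in log_text)

# Constructed samples, reduced from the failing configuration and log on this page.
BROKEN_ENV = {
    "ZOOKEEPER_CLIENT_PORT": "2181",
    "ZOOKEEPER_SECURE_CLIENT_PORT": "2281",
    "ZOO_CFG_EXTRA": "sslQuorum=true portUnification=true serverCnxnFactory=" + NETTY
                     + " ssl.quorum.hostnameVerification=false secureClientPort=2281"
                     + " ssl.hostnameVerification=false",
}
BROKEN_LOG = (
    "[2025-09-01 08:36:27,729] INFO Using org.apache.zookeeper.server.NIOServerCnxnFactory"
    " as server connection factory (org.apache.zookeeper.server.ServerCnxnFactory)\n"
    "java.lang.UnsupportedOperationException: SSL isn't supported in NIOServerCnxn\n"
)

if __name__ == "__main__":
    print("\n".join(lint_env(BROKEN_ENV)))
    print("startup ok:", startup_ok(BROKEN_LOG))
```

Feed `startup_ok` the text captured from the container's log after the restart; it returns False if any factory line still names NIOServerCnxnFactory.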
The question in this content comes from Stack Exchange; it was asked by Sandman.




