Re: Clarification

On 09/08/2016 03:51 PM, Srinivas Naga Kotaru (skotaru) wrote:
> The scenario where I saw this happening was running a Consul with
> default settings. Because multiple different clusters were
> started using default settings the access details were the same.
> The way Consul finds other nodes is via Gossip which is done over
> UDP.

But (according to its documentation) it doesn't use multicast or
anything like that to find other nodes; you tell the new server the
address of an existing node in the cluster, and it gets the info about
the other nodes from there. So if they were all initially configured to
talk to the same initial server, which was either outside the OpenShift
cluster or else in a global namespace, then they would all be able to
talk to it and register themselves with it, and they would all learn
each other's IP addresses in that way, but they wouldn't actually be able
to communicate with each other (other than indirectly via the one server
that they could all reach).

Anyway, if your original question is "can applications using UDP bypass
multi-tenant isolation", then the answer is "no, they can't".

> By changing the settings for Consul this was resolved.

Changing how?

> This is
> also how I detected that other instances were running from a
> previous deploy. Consul nodes were popping up that I had previous
> deleted by deleting either the Pod or RC and yet the container in
> the Pod for the Consul agent was still running.

If there are bugs that make containers stay alive after they've been
deleted then maybe those bugs make them able to talk to pods they
shouldn't be able to talk to too. But I don't know of any such bugs.

-- Dan
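As an added check that is not part of this thread, the script below compares the membership list Consul's gossip has learned with the pod IPs a project actually owns, so agents that outlived a deleted Pod/RC or joined from another deployment via the same seed stand out. The `consul members` sample, its column layout and the pod IPs are constructed for illustration.

```python
from typing import Dict, List, NamedTuple


class Member(NamedTuple):
    node: str
    ip: str
    status: str


# Constructed sample in the layout of `consul members` output (columns assumed).
SAMPLE_MEMBERS = """\
Node        Address          Status  Type    Build  Protocol  DC
consul-0    10.1.2.10:8301   alive   server  0.6.4  2         dc1
consul-1    10.1.2.11:8301   alive   client  0.6.4  2         dc1
consul-old  10.1.2.7:8301    alive   client  0.6.4  2         dc1
consul-gone 10.1.5.3:8301    failed  client  0.6.4  2         dc1
"""

# Constructed: IPs of the pods this project currently owns (e.g. from `oc get pods -o wide`).
EXPECTED_POD_IPS = {"10.1.2.10", "10.1.2.11"}


def parse_members(text: str) -> List[Member]:
    """Parse the table into (node, ip, status); the port is stripped from Address."""
    members = []
    for line in text.splitlines()[1:]:  # first line is the header row
        fields = line.split()
        if len(fields) < 3:
            continue
        node, addr, status = fields[:3]
        members.append(Member(node, addr.rsplit(":", 1)[0], status))
    return members


def classify_members(text: str, expected_ips) -> Dict[str, str]:
    """Map each node to 'expected' or 'unexpected-<status>'.

    An alive member whose IP is not one of our current pods is the case worth
    investigating: a container that outlived its deleted Pod/RC, or an agent
    from a different deployment that registered with the same seed server.
    """
    verdict = {}
    for m in parse_members(text):
        verdict[m.node] = "expected" if m.ip in expected_ips else f"unexpected-{m.status}"
    return verdict


if __name__ == "__main__":
    for node, v in classify_members(SAMPLE_MEMBERS, EXPECTED_POD_IPS).items():
        print(f"{node:12} {v}")
```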