ClickHouse / ClickHouse

ClickHouse® is a real-time analytics DBMS
https://clickhouse.com
Apache License 2.0

Port being set to 9000 even though <tcp_port> is disabled and <tcp_port_secure> is 9440 #70349

Open hardy-pham opened 2 weeks ago

hardy-pham commented 2 weeks ago

Describe the unexpected behaviour

I'm currently working to enable SSL on my ClickHouse cluster. In doing so, I've followed these configurations: https://clickhouse.com/docs/en/guides/sre/configuring-ssl

The only difference here is that I am using cluster discovery as opposed to specifying my shard configurations.

In my server-config.xml, I have the following block that specifies which ports to use:

    <https_port>8443</https_port>
    <tcp_port_secure>9440</tcp_port_secure>
    <interserver_https_port>9010</interserver_https_port>

    <allow_experimental_cluster_discovery>1</allow_experimental_cluster_discovery>
    <remote_servers>
        <test_cluster>
            <discovery>
                <path>/clickhouse/discovery/test_cluster</path>
                <shard>__shardnum__</shard>
                <secret>__cluster_discovery_secret__</secret>
            </discovery>
        </test_cluster>
    </remote_servers>

Even with these configurations, there are logs that indicate that the ClickHouse nodes are trying to communicate with one another over port 9000 as opposed to 9440. Is there a setting that I am missing? When I run the following query in the clickhouse client, it shows that my nodes are on port 9000 as well.

    select * from system.clusters

What's unusual is that when I perform a telnet to port 9440, I'm able to connect successfully between the servers.

    telnet <ip> 9440

Expected behavior

I expect the servers to attempt to communicate with one another over port 9440 as opposed to port 9000.

hardy-pham commented 2 weeks ago

Can someone confirm that this is because Cluster Discovery doesn't support SSL?

https://github.com/ClickHouse/ClickHouse/blob/af1a0f12aa49a5b5188c5868db52570ba78a1c54/src/Interpreters/ClusterDiscovery.cpp#L150

hardy-pham commented 2 weeks ago

Took a look at the source code and it seems to look for a flag inside the tag, so I added it in and now I'm receiving this warning:

    2024.10.04 01:39:43.151375 [ 22547 ] {} ClusterDiscovery: Node ':9000' in cluster 'test_cluster' has different 'secure' value, skipping it

But all other nodes have the same secure flag... Anyone have any idea what I'm missing here?
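Added example, not part of the original issue thread and not ClickHouse project code: a small check that compares the native ports declared in a server config against the node ports reported in `ClusterDiscovery` log lines, so a TLS-only deployment can spot nodes advertised on an unexpected port. The function names are hypothetical, the config is a trimmed copy of the block quoted above wrapped in an assumed `<clickhouse>` root, and the log pattern is inferred only from the single warning line quoted above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: port settings quoted in the issue, wrapped in a root element.
SAMPLE_CONFIG = """<clickhouse>
    <https_port>8443</https_port>
    <tcp_port_secure>9440</tcp_port_secure>
    <interserver_https_port>9010</interserver_https_port>
    <remote_servers>
        <test_cluster>
            <discovery>
                <path>/clickhouse/discovery/test_cluster</path>
            </discovery>
        </test_cluster>
    </remote_servers>
</clickhouse>"""

# The warning line quoted in the issue.
SAMPLE_LOG = ("2024.10.04 01:39:43.151375 [ 22547 ] {} ClusterDiscovery: Node ':9000' "
              "in cluster 'test_cluster' has different 'secure' value, skipping it")

# Pattern inferred from that one line: Node '<host>:<port>' in cluster '<name>'.
NODE_RE = re.compile(r"ClusterDiscovery: Node '([^']*):(\d+)' in cluster '([^']+)'")


def declared_native_ports(config_xml):
    """Return the plaintext and secure native ports declared in the config (None if absent)."""
    root = ET.fromstring(config_xml)

    def port(tag):
        text = (root.findtext(tag) or "").strip()
        return int(text) if text.isdigit() else None

    return {"plain": port("tcp_port"), "secure": port("tcp_port_secure")}


def audit_discovery_log(config_xml, log_lines):
    """List discovered nodes whose advertised port differs from tcp_port_secure."""
    ports = declared_native_ports(config_xml)
    findings = []
    for line in log_lines:
        m = NODE_RE.search(line)
        if not m or ports["secure"] is None:
            continue
        host, port, cluster = m.group(1), int(m.group(2)), m.group(3)
        if port != ports["secure"]:
            findings.append({"cluster": cluster, "host": host or "<empty>",
                             "port": port, "expected": ports["secure"],
                             "plain_port_declared": ports["plain"] is not None})
    return findings
```

Run against the quoted config and warning, it reports one node in `test_cluster` advertised on port 9000 with an empty host, although the config declares no `<tcp_port>`.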