Issue
A security monitoring system flagged execution of the nc (netcat) utility inside a ZooKeeper container in a Fusion Kubernetes deployment. The alert raised concerns about whether this behavior is expected or malicious.
Diagnosis
The nc command is executed inside the ZooKeeper container as part of Fusion’s standard readiness and cluster bootstrap logic. This behavior is common in Fusion 5.x and does not indicate an intrusion or misconfiguration.
Environment
Fusion 5.5.0 and above
Kubernetes-based deployments (e.g., OpenShift, GKE, EKS, AKS)
Cause
Fusion includes internal health checks and startup logic that rely on the nc utility to confirm the readiness of ZooKeeper nodes before allowing them to join the cluster or receive traffic. These checks are built into the container image and executed by lightweight scripts.
Resolution
Fusion uses nc (netcat) in the following ways during ZooKeeper container lifecycle:
Readiness probe
Each ZooKeeper pod mounts a ConfigMap that includes readiness check scripts. These scripts run the following command:
echo ruok | nc 127.0.0.1 2181
This is a ZooKeeper-specific "Are you ok?" probe that confirms the server is responding before declaring the pod ready. Kubernetes only routes traffic to a ZooKeeper node after this check passes.
Cluster bootstrap wait
Fusion also uses nc -z to confirm that peer ZooKeeper nodes are reachable on port 2888 before the current pod can join the quorum. This check is performed in an initContainer at startup.
nc -z <peer-ip> 2888
This ensures that the ZooKeeper ensemble forms correctly, avoiding split-brain scenarios or availability disruptions.
Security implications
Although netcat is a powerful networking tool and often flagged in scans due to its potential misuse, its use here is benign and isolated:
Always run as the zookeeper user
Executes predefined, read-only probes
No data transmission outside the pod or cluster
No listening mode or persistent processes involved
These executions are zero-byte, ephemeral, and critical to Fusion’s ability to maintain a highly available ZooKeeper ensemble.
If needed, monitoring rules can be tuned to allow nc execution specifically within the zookeeper container and only for the expected process paths.
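The tuning described above, as an added example that is not part of the original article or of Fusion itself: a small allowlist classifier over process events that marks only the two documented nc patterns (the ruok probe to local 2181 and nc -z against a peer on 2888, run as the zookeeper user inside the zookeeper container) as expected and sends everything else to review. The event shape, the container name "zookeeper" and the sample events are assumptions.

```python
import ipaddress
import shlex

# Added example, not Fusion's own code. Assumed event shape: container, user, cmdline.
# The container name "zookeeper" is an assumption about the chart; adjust to your deployment.
ALLOWED_CONTAINER = "zookeeper"
ALLOWED_USER = "zookeeper"
RUOK_ARGS = ["127.0.0.1", "2181"]   # readiness probe; the "echo ruok" is a separate process
PEER_PORT = "2888"                  # bootstrap wait: nc -z <peer-ip> 2888

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def classify_nc_event(event):
    """Return (verdict, reason): 'expected' for the two documented probes, else 'review'."""
    argv = shlex.split(event.get("cmdline", ""))
    if not argv or argv[0].rsplit("/", 1)[-1] not in ("nc", "netcat"):
        return ("ignore", "not an nc invocation")
    if event.get("container") != ALLOWED_CONTAINER:
        return ("review", "nc outside the zookeeper container")
    if event.get("user") != ALLOWED_USER:
        return ("review", "nc not running as the zookeeper user")
    args = argv[1:]
    if args == RUOK_ARGS:
        return ("expected", "readiness probe (ruok to local 2181)")
    if len(args) == 3 and args[0] == "-z" and _is_ip(args[1]) and args[2] == PEER_PORT:
        return ("expected", "bootstrap peer reachability check")
    # Anything else (listening mode, extra flags, other ports) falls outside the allowlist
    return ("review", "nc arguments outside the expected probes")

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"container": "zookeeper", "user": "zookeeper", "cmdline": "nc 127.0.0.1 2181"},
    {"container": "zookeeper", "user": "zookeeper", "cmdline": "/usr/bin/nc -z 10.0.3.17 2888"},
    {"container": "zookeeper", "user": "zookeeper", "cmdline": "nc -l 3000"},
    {"container": "api-gateway", "user": "root", "cmdline": "nc 127.0.0.1 2181"},
]

def triage(events):
    return [classify_nc_event(e) for e in events]

if __name__ == "__main__":
    for ev, (verdict, reason) in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"{verdict:9} {reason:42} {ev['cmdline']}")
```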
Summary
The presence of nc in ZooKeeper containers is expected behavior in Fusion and is necessary to ensure high availability and safe cluster operations. These health checks are executed automatically and securely as part of Fusion’s standard orchestration and should not be considered a security threat.