Failed to deploy the security cluster
1. Enable SSL communication: add the SSL-related configurations to config.properties.template.
One question:
This file is local. How do I upload it to Yarn?
2. I simply used the command, and the error was reported.
Issue reproduced.
Also need to update advanced configuration under documents.
This has been addressed in the wiki: https://gitee.com/openlookeng/openlookeng-on-yarn/wikis
I didn't find any information about security clusters on the wiki
I investigated this and was able to start an SSL cluster in my development environment, but the steps were a bit awkward.
Here is how I set up the keystore.jks file: upload it to HDFS (hdfs dfs -put <the file> <the destination in HDFS>), and manually download it from HDFS on the destination machine (hdfs dfs -get <file location in HDFS> <destination on the machine>). In my example, I put the keystore file at /tmp/keystore.jks on my machine.
Here is the config.properties.template that I used on coordinator nodes:
coordinator=true
node-scheduler.include-coordinator=false
http-server.http.port=_OLK_PROPERTIES_TEMPLATE_HTTP_SERVER_PORT
query.max-memory=10GB
query.max-total-memory=10GB
query.max-memory-per-node=2GB
query.max-total-memory-per-node=2GB
discovery-server.enabled=true
discovery.uri=https://_OLK_PROPERTIES_TEMPLATE_CN_DISCOVERY_IP:_OLK_PROPERTIES_TEMPLATE_HTTP_SERVER_PORT
hetu.multiple-coordinator.enabled=_OLK_PROPERTIES_TEMPLATE_HA_ENABLED
hetu.embedded-state-store.enabled=_OLK_PROPERTIES_TEMPLATE_HA_ENABLED
hetu.queryeditor-ui.allow-insecure-over-http=true
http-server.http.enabled=false
node.internal-address-source=FQDN
http-server.https.enabled=true
http-server.https.port=_OLK_PROPERTIES_TEMPLATE_HTTP_SERVER_PORT
http-server.https.keystore.path=/tmp/keystore.jks
http-server.https.keystore.key=keystorepassword
internal-communication.https.required=true
internal-communication.https.keystore.path=/tmp/keystore.jks
internal-communication.https.keystore.key=keystorepassword
Here is the config.properties.template that I used on worker nodes:
coordinator=false
node-scheduler.include-coordinator=false
http-server.http.port=_OLK_PROPERTIES_TEMPLATE_HTTP_SERVER_PORT
query.max-memory=10GB
query.max-total-memory=10GB
query.max-memory-per-node=2GB
query.max-total-memory-per-node=2GB
discovery.uri=https://_OLK_PROPERTIES_TEMPLATE_CN_DISCOVERY_IP:_OLK_PROPERTIES_TEMPLATE_HTTP_SERVER_PORT
hetu.multiple-coordinator.enabled=_OLK_PROPERTIES_TEMPLATE_HA_ENABLED
http-server.http.enabled=false
node.internal-address-source=FQDN
http-server.https.enabled=true
http-server.https.port=_OLK_PROPERTIES_TEMPLATE_HTTP_SERVER_PORT
http-server.https.keystore.path=/tmp/keystore.jks
http-server.https.keystore.key=keystorepassword
internal-communication.https.required=true
internal-communication.https.keystore.path=/tmp/keystore.jks
internal-communication.https.keystore.key=keystorepassword
Could you try the steps from the above comment and see if that successfully starts the SSL cluster in your environment?
I think there's something wrong with it.
The startup is successful, but it hadn't returned for a long time, so I manually stopped it.
Then I set http-server.http.enabled=true at the same time: no worker.
We think this is related to an untrusted SSL certificate. (Are there also errors when starting a cluster with SSL manually without yarn?)
Please ensure that the certificate used by olk is trusted by Java.
“Java Truststore File for TLS” from this page might be related? https://openlookeng.io/docs/docs/security/tls.html
This issue is not specific to olk-on-yarn. We need to update our OLK docs for the CLI to trust the server side certificate. Lower the priority, and remove the on-yarn label.
The -Djavax.net.ssl.trustStore=client_truststore.jks Java option needs to be passed when calling the hetu-cli:
Here are the steps I used to generate the keystore, truststore, and certificate:
I generate the keystore, truststore, and certificate from your steps
Here is the config.properties.template that I used on coordinator nodes:
coordinator=true
node-scheduler.include-coordinator=false
http-server.http.port=_OLK_PROPERTIES_TEMPLATE_HTTP_SERVER_PORT
query.max-memory=10GB
query.max-total-memory=10GB
query.max-memory-per-node=2GB
query.max-total-memory-per-node=2GB
discovery-server.enabled=true
discovery.uri=_OLK_PROPERTIES_TEMPLATE_DISCOVERY_URI
hetu.multiple-coordinator.enabled=_OLK_PROPERTIES_TEMPLATE_HA_ENABLED
hetu.embedded-state-store.enabled=_OLK_PROPERTIES_TEMPLATE_HA_ENABLED
hetu.queryeditor-ui.allow-insecure-over-http=true
node.internal-address=51-38-77-19.huawei.com
discovery.uri=https://51-38-77-19.huawei.com:9090
#node.internal-address-source=FQDN
http-server.http.enabled=false
http-server.https.enabled=true
http-server.https.port=9090
#http-server.https.port=_OLK_PROPERTIES_TEMPLATE_HTTP_SERVER_PORT
http-server.https.keystore.path=/opt/keystore.jks
http-server.https.keystore.key=Huawei@123
internal-communication.https.required=true
internal-communication.https.keystore.path=/opt/keystore.jks
internal-communication.https.keystore.key=Huawei@123
Here is the config.properties.template that I used on worker nodes:
coordinator=false
node-scheduler.include-coordinator=false
http-server.http.port=_OLK_PROPERTIES_TEMPLATE_HTTP_SERVER_PORT
query.max-memory=10GB
query.max-total-memory=10GB
query.max-memory-per-node=2GB
query.max-total-memory-per-node=2GB
discovery.uri=_OLK_PROPERTIES_TEMPLATE_DISCOVERY_URI
hetu.multiple-coordinator.enabled=_OLK_PROPERTIES_TEMPLATE_HA_ENABLED
node.internal-address=51-38-77-19.huawei.com
discovery.uri=https://51-38-77-19.huawei.com:9090
#node.internal-address-source=FQDN
http-server.http.enabled=false
http-server.https.enabled=true
http-server.https.port=9090
#http-server.https.port=_OLK_PROPERTIES_TEMPLATE_HTTP_SERVER_PORT
http-server.https.keystore.path=/opt/keystore.jks
http-server.https.keystore.key=Huawei@123
internal-communication.https.required=true
internal-communication.https.keystore.path=/opt/keystore.jks
internal-communication.https.keystore.key=Huawei@123
python3 olk_on_yarn.py start -ha true -cn 2 -w 2 --use-nginx true --nginx-port 8070
If I set 'http-server.http.enabled=true', I can access the WebUI, but there is no worker.
When creating the keystore file, the section for "What is your first and last name?" needs to be the same as the machine's fully qualified domain name or unqualified hostname. (I'm not entirely sure which one it's supposed to be, for my environment they're the same. I recommend trying both?)
Also please refer to the olk-on-yarn documentation for SSL: https://gitee.com/openlookeng/openlookeng-on-yarn/wikis/openLooKeng%20Examples#ssl
Here are the keystore, truststore, and certificate:
keytool -v -list -keystore keystore.jks
keytool -v -list -keystore olk_trust.jks
There is no http_uri like 'https://51-38-76-121.huawei.com:xxx' on either the cn or the worker.
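The thread turns on three things that are easy to get wrong by hand: the posted coordinator template sets discovery.uri twice (with Java Properties the last value wins), the HTTPS port and host in discovery.uri must agree with http-server.https.port and node.internal-address, and the certificate's CN must match the node's address so that workers trust the coordinator. The following script is an added example, not part of the openLooKeng project or of anyone's post in this thread: it parses a config.properties text and a `keytool -v -list` listing and reports those inconsistencies before the cluster is deployed. The sample template and keytool output embedded below are constructed from values already visible in the thread; the finding codes and function names are my own.

```python
"""Added example: pre-deployment lint for openLooKeng TLS settings.

Not project code. Checks a config.properties text (and optionally the
output of `keytool -v -list -keystore keystore.jks`) for the mistakes
discussed in the thread: duplicate keys, unexpanded template
placeholders, discovery.uri not matching the HTTPS listener, and a
certificate CN that differs from node.internal-address.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: a condensed copy of the coordinator template posted
# above, including its duplicated discovery.uri line.
COORDINATOR_TEMPLATE = """\
coordinator=true
discovery-server.enabled=true
discovery.uri=_OLK_PROPERTIES_TEMPLATE_DISCOVERY_URI
node.internal-address=51-38-77-19.huawei.com
discovery.uri=https://51-38-77-19.huawei.com:9090
http-server.http.enabled=false
http-server.https.enabled=true
http-server.https.port=9090
http-server.https.keystore.path=/opt/keystore.jks
http-server.https.keystore.key=Huawei@123
internal-communication.https.required=true
internal-communication.https.keystore.path=/opt/keystore.jks
internal-communication.https.keystore.key=Huawei@123
"""

# Constructed sample of the lines from `keytool -v -list` that matter here.
KEYTOOL_OUTPUT = """\
Alias name: olk
Entry type: PrivateKeyEntry
Owner: CN=51-38-77-19.huawei.com, OU=olk, O=example, C=CN
Issuer: CN=51-38-77-19.huawei.com, OU=olk, O=example, C=CN
"""


def parse_properties(text):
    """Parse key=value lines. Returns (props, duplicated_keys).

    Mirrors java.util.Properties: comments start with '#', and when a key
    appears more than once the last value wins.
    """
    props, duplicates = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key in props and key not in duplicates:
            duplicates.append(key)
        props[key] = value
    return props, duplicates


def certificate_cn(keytool_listing):
    """Extract the subject CN from the 'Owner:' line of a keytool listing."""
    m = re.search(r"^Owner:\s*CN=([^,]+)", keytool_listing, re.MULTILINE)
    return m.group(1).strip() if m else None


def check_tls_config(text, keytool_listing=None):
    """Return a list of (code, message) findings; an empty list means clean."""
    props, duplicates = parse_properties(text)
    findings = []
    for key in duplicates:
        findings.append(("duplicate-key", f"{key} is set more than once; '{props[key]}' wins"))
    for key, value in props.items():
        if "_OLK_PROPERTIES_TEMPLATE_" in value:
            findings.append(("template-placeholder", f"{key} still holds an unexpanded placeholder"))

    https_required = props.get("internal-communication.https.required") == "true"
    https_enabled = props.get("http-server.https.enabled") == "true"
    if https_required and not https_enabled:
        findings.append(("https-not-enabled", "internal TLS is required but the HTTPS listener is off"))
    if https_required and props.get("http-server.http.enabled") == "true":
        findings.append(("http-enabled", "plaintext HTTP listener is on alongside TLS-required internal communication"))

    uri = urlsplit(props.get("discovery.uri", ""))
    internal_address = props.get("node.internal-address")
    if https_required and uri.scheme != "https":
        findings.append(("discovery-scheme", f"discovery.uri must use https, got '{uri.scheme or 'none'}'"))
    if internal_address and uri.hostname and uri.hostname != internal_address.lower():
        findings.append(("discovery-host", f"discovery.uri host '{uri.hostname}' != node.internal-address '{internal_address}'"))
    https_port = props.get("http-server.https.port")
    if https_enabled and https_port and uri.port is not None and str(uri.port) != https_port:
        findings.append(("discovery-port", f"discovery.uri port {uri.port} != http-server.https.port {https_port}"))
    for prefix in ("http-server.https", "internal-communication.https"):
        if https_required and not props.get(f"{prefix}.keystore.path"):
            findings.append(("keystore-missing", f"{prefix}.keystore.path is not set"))

    # The CN check from the thread: the cert subject must name the node.
    if keytool_listing is not None and internal_address:
        cn = certificate_cn(keytool_listing)
        if cn is None or cn.lower() != internal_address.lower():
            findings.append(("cert-cn-mismatch", f"certificate CN '{cn}' != node.internal-address '{internal_address}'"))
    return findings


if __name__ == "__main__":
    for code, message in check_tls_config(COORDINATOR_TEMPLATE, KEYTOOL_OUTPUT):
        print(f"[{code}] {message}")
```

Run against the posted template, the only finding is the duplicated discovery.uri; the variant the reporter tried (http-server.http.enabled=true) adds a finding for the exposed plaintext listener, and a keystore whose CN does not equal node.internal-address is reported as the trust problem the maintainers pointed at. To use it on a real cluster, read config.properties from disk and pipe `keytool -v -list -keystore keystore.jks` into the second argument.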