Local KDC enabled, Secure Cluster by default.

Author: smithzc

v6/compute.tf

@@ -5,6 +5,7 @@ resource "oci_core_instance" "Utility" {
   hostname_label      = "CDH-Utility-1"
   shape               = "${var.master_instance_shape}"
   subnet_id           = "${oci_core_subnet.public.*.id[var.availability_domain - 1]}"
+  fault_domain	      = "FAULT-DOMAIN-3"
 
   source_details {
     source_type             = "image"
@@ -30,6 +31,7 @@ resource "oci_core_instance" "Master" {
   hostname_label      = "CDH-Master-${format("%01d", count.index+1)}"
   shape               = "${var.master_instance_shape}"
   subnet_id           = "${oci_core_subnet.private.*.id[var.availability_domain - 1]}"
+  fault_domain	      = "FAULT-DOMAIN-${(count.index%3)+1}"
 
   source_details {
     source_type             = "image"
@@ -79,6 +81,7 @@ resource "oci_core_instance" "Worker" {
   hostname_label      = "CDH-Worker-${format("%01d", count.index+1)}"
   shape               = "${var.worker_instance_shape}"
   subnet_id           = "${oci_core_subnet.private.*.id[var.availability_domain - 1]}"
+  fault_domain        = "FAULT-DOMAIN-${(count.index%3)+1}"
 
   source_details {
     source_type             = "image"

v6/outputs.tf

@@ -4,4 +4,4 @@ output "0 - INFO - Block Volume Size (HDFS)" { value = "${var.data_blocksize_in_
 output "1 - Bastion SSH Login" { value = "ssh -i ${var.ssh_keypath} opc@${data.oci_core_vnic.bastion_vnic.public_ip_address}" }
 output "2 - Cloudera Manager URL" { value = "http://${data.oci_core_vnic.utility_node_vnic.public_ip_address}:7180/cmf/" }
 output "3 - Cloudera Manager Recent Commands" { value = "http://${data.oci_core_vnic.utility_node_vnic.public_ip_address}:7180/cmf/commands/commands" }
-output "4 - DEPLOYMENT COMMAND" { value = "python scripts/deploy_on_oci.py -m ${data.oci_core_vnic.utility_node_vnic.public_ip_address} -d ${ceil(((var.hdfs_usable_in_gbs*3)/var.data_blocksize_in_gbs)/var.worker_node_count)} -w ${var.worker_instance_shape}" }
+output "4 - DEPLOYMENT COMMAND" { value = "python scripts/deploy_on_oci.py -B -m ${data.oci_core_vnic.utility_node_vnic.public_ip_address} -d ${ceil(((var.hdfs_usable_in_gbs*3)/var.data_blocksize_in_gbs)/var.worker_node_count)} -w ${var.worker_instance_shape}" }

v6/scripts/boot.sh

@@ -13,14 +13,68 @@ log "->TUNING START"
 # HOST TUNINGS
 # 
 
+# Disable SELinux
+sed -i.bak 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
+setenforce 0
+
 ## Modify resolv.conf to ensure DNS lookups work
 rm -f /etc/resolv.conf
 echo "search public1.cdhvcn.oraclevcn.com public2.cdhvcn.oraclevcn.com public3.cdhvcn.oraclevcn.com private1.cdhvcn.oraclevcn.com private2.cdhvcn.oraclevcn.com private3.cdhvcn.oraclevcn.com bastion1.cdhvcn.oraclevcn.com bastion2.cdhvcn.oraclevcn.com bastion3.cdhvcn.oraclevcn.com" > /etc/resolv.conf
 echo "nameserver 169.254.169.254" >> /etc/resolv.conf
 
-## Install Java
-yum install java-1.8.0-openjdk.x86_64 -y
+EXECNAME="JAVA - KERBEROS"
+log "->INSTALL"
+## Install Java & Kerberos client
+yum install java-1.8.0-openjdk.x86_64 krb5-workstation -y
+
+EXECNAME="KERBEROS"
+log "->krb5.conf"
+## Configure krb5.conf
+kdc_server='cdh-utility-1'
+kdc_fqdn=`host $kdc_server | gawk '{print $1}'`
+realm="hadoop.com"
+REALM="HADOOP.COM"
+log "-> CONFIG"
+rm -f /etc/krb5.conf
+cat > /etc/krb5.conf << EOF
+# Configuration snippets may be placed in this directory as well
+includedir /etc/krb5.conf.d/
 
+[libdefaults]
+ default_realm = ${REALM}
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ rdns = false
+ ticket_lifetime = 24h
+ renew_lifetime = 7d  
+ forwardable = true
+ udp_preference_limit = 1000000
+ default_tkt_enctypes = rc4-hmac 
+ default_tgs_enctypes = rc4-hmac
+ permitted_enctypes = rc4-hmac
+
+[realms]
+    ${REALM} = {
+        kdc = ${kdc_fqdn}:88
+        admin_server = ${kdc_fqdn}:749
+        default_domain = ${realm}
+    }
+
+[domain_realm]
+    .${realm} = ${REALM}
+     ${realm} = ${REALM}
+
+[kdc]
+    profile = /var/kerberos/krb5kdc/kdc.conf
+
+[logging]
+    kdc = FILE:/var/log/krb5kdc.log
+    admin_server = FILE:/var/log/kadmin.log
+    default = FILE:/var/log/krb5lib.log
+EOF
+
+EXECNAME="TUNING"
+log "->OS"
 ## Disable Transparent Huge Pages
 echo never | tee -a /sys/kernel/mm/transparent_hugepage/enabled
 echo "echo never | tee -a /sys/kernel/mm/transparent_hugepage/enabled" | tee -a /etc/rc.local
@@ -44,6 +98,7 @@ echo net.ipv4.tcp_low_latency=1 >> /etc/sysctl.conf
 ## Tune File System options
 sed -i "s/defaults        1 1/defaults,noatime        0 0/" /etc/fstab
 
+log "->SSH"
 ## Enable root login via SSH key
 cp /root/.ssh/authorized_keys /root/.ssh/authorized_keys.bak
 cp /home/opc/.ssh/authorized_keys /root/.ssh/authorized_keys
@@ -55,27 +110,30 @@ hbase -       nofile  32768
 hbase -       nproc   2048" >> /etc/security/limits.conf
 ulimit -n 262144
 
+log "->FirewallD"
 systemctl stop firewalld
 systemctl disable firewalld
 
 ## Post Tuning Execution Below
-
+EXECNAME="MYSQL Connector"
 ## MySQL Connector Install
+log "->INSTALL"
 wget https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-java-5.1.46.tar.gz
 tar zxvf mysql-connector-java-5.1.46.tar.gz
 mkdir -p /usr/share/java/
 cd mysql-connector-java-5.1.46
 cp mysql-connector-java-5.1.46-bin.jar /usr/share/java/mysql-connector-java.jar
 
+EXECNAME="SLEEP"
+log "->START"
+sleep 300
+# Sleep for 5 minutes to allow block volume attachments time to finish
+log "->DONE"
+
 #
 # DISK SETUP
 #
 
-EXECNAME="SLEEP"
-## SLEEP HERE - GIVE TIME FOR BLOCK VOLUMES TO ATTACH
-log "->SLEEP"
-sleep 180 
-
 vol_match() {
 case $i in
 	1) disk="oraclevdb";;
@@ -225,57 +283,5 @@ for i in `seq 1 ${#iqn[@]}`; do
 	done;
 done;
 fi
-# Kerberos Workstation Setup
-EXECNAME="KERBEROS"
-log "-> INSTALL"
-yum install krb5-workstation
-
-KERBEROS_PASSWORD="SOMEPASSWORD"
-OPC_USER_PASSWORD="somepassword"
-kdc_server="cdh-utility-1"
-kdc_fqdn=`host $kdc_server | gawk '{print $1}'`
-realm="hadoop.com"
-REALM="HADOOP.COM"
-log "-> CONFIG"
-rm -f /etc/krb5.conf
-cat > /etc/krb5.conf << EOF
-# Configuration snippets may be placed in this directory as well
-includedir /etc/krb5.conf.d/
-
-[libdefaults]
- default_realm = ${REALM}
- dns_lookup_realm = false
- dns_lookup_kdc = false
- rdns = false
- ticket_lifetime = 24h
- renew_lifetime = 7d  
- forwardable = true
- udp_preference_limit = 1000000
- default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
- default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
- permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
-
-[realms]
-    ${REALM} = {
-        kdc = ${kdc_fqdn}:88
-        admin_server = ${kdc_fqdn}:749
-        default_domain = ${realm}
-    }
-
-[domain_realm]
-    .${realm} = ${REALM}
-     ${realm} = ${REALM}
-
-[kdc]
-    profile = /var/kerberos/krb5kdc/kdc.conf
-
-[logging]
-    kdc = FILE:/var/log/krb5kdc.log
-    admin_server = FILE:/var/log/kadmin.log
-    default = FILE:/var/log/krb5lib.log
-EOF
-log "-> Principal & ticket"
-echo -e "${KERBEROS_PASSWORD}\naddprinc -randkey host/client.${REALM}\nktadd host/kdc.${REALM}" | kadmin -p root/admin
-
 EXECNAME="END"
 log "->DONE"

v6/scripts/cm_boot_mysql.sh

@@ -10,6 +10,10 @@ log() {
 EXECNAME="TUNING"
 
 log "-> START"
+# Disable SELinux
+sed -i.bak 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
+setenforce 0
+
 ## Modify resolv.conf to ensure DNS lookups work
 rm -f /etc/resolv.conf
 echo "search public1.cdhvcn.oraclevcn.com public2.cdhvcn.oraclevcn.com public3.cdhvcn.oraclevcn.com private1.cdhvcn.oraclevcn.com private2.cdhvcn.oraclevcn.com private3.cdhvcn.oraclevcn.com bastion1.cdhvcn.oraclevcn.com bastion2.cdhvcn.oraclevcn.com bastion3.cdhvcn.oraclevcn.com" > /etc/resolv.conf
@@ -56,9 +60,9 @@ cp /home/opc/.ssh/authorized_keys /root/.ssh/authorized_keys
 EXECNAME="KERBEROS"
 log "-> INSTALL"
 
-yum -y install krb5-server krb5-libs
+yum -y install krb5-server krb5-libs krb5-workstation
 KERBEROS_PASSWORD="SOMEPASSWORD"
-OPC_USER_PASSWORD="somepassword"
+SCM_USER_PASSWORD="somepassword"
 kdc_server=$(hostname)
 kdc_fqdn=`host $kdc_server | gawk '{print $1}'`
 realm="hadoop.com"
@@ -78,9 +82,9 @@ includedir /etc/krb5.conf.d/
  renew_lifetime = 7d  
  forwardable = true
  udp_preference_limit = 1000000
- default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
- default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
- permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
+ default_tkt_enctypes = rc4-hmac 
+ default_tgs_enctypes = rc4-hmac
+ permitted_enctypes = rc4-hmac
 
 [realms]
     ${REALM} = {
@@ -121,19 +125,20 @@ default_realm = ${REALM}
         max_life = 10h 0m 0s
         max_renewable_life = 7d 0h 0m 0s
         master_key_type = des3-hmac-sha1
-        supported_enctypes = arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
+        supported_enctypes = rc4-hmac:normal 
         default_principal_flags = +preauth
     }
 EOF
 
 rm -f /var/kerberos/krb5kdc/kadm5.acl
 cat > /var/kerberos/krb5kdc/kadm5.acl << EOF
 */admin@${REALM}    *
+cloudera-scm@${REALM}	*
 EOF
 
 kdb5_util create -r ${REALM} -s -P ${KERBEROS_PASSWORD}
 
-echo -e "addprinc root/admin\n${KERBEROS_PASSWORD}\n${KERBEROS_PASSWORD}\naddprinc opc\n${OPC_USER_PASSWORD}\n${OPC_USER_PASSWORD}\nktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin\nktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw\nexit\n" | kadmin.local -r ${REALM}
+echo -e "addprinc root/admin\n${KERBEROS_PASSWORD}\n${KERBEROS_PASSWORD}\naddprinc cloudera-scm\n${SCM_USER_PASSWORD}\n${SCM_USER_PASSWORD}\nktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin\nktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw\nexit\n" | kadmin.local -r ${REALM}
 log "-> START"
 systemctl start krb5kdc.service
 systemctl start kadmin.service
@@ -147,7 +152,11 @@ rpm --import https://archive.cloudera.com/cdh6/6.1.0/redhat7/yum//RPM-GPG-KEY-cl
 wget http://archive.cloudera.com/cm6/6.1.0/redhat7/yum/cloudera-manager.repo -O /etc/yum.repos.d/cloudera-manager.repo
 yum install oracle-j2sdk* cloudera-manager-server java-1.8.0-openjdk.x86_64 python-pip -y
 pip install psycopg2==2.7.5 --ignore-installed
-yum install cloudera-manager-daemons -y
+yum install oracle-j2sdk1.8.x86_64 cloudera-manager-daemons cloudera-manager-agent -y
+cm_host=`host cdh-utility-1 | gawk '{print $1}'`
+cp /etc/cloudera-scm-agent/config.ini /etc/cloudera-scm-agent/config.ini.orig
+sed -e "s/\(server_host=\).*/\1${cm_host}/" -i /etc/cloudera-scm-agent/config.ini
+systemctl start cloudera-scm-agent
 
 create_random_password()
 {

v6/scripts/cm_boot_postgres.sh

@@ -10,6 +10,10 @@ log() {
 EXECNAME="TUNING"
 
 log "->START"
+# Disable SELinux
+sed -i.bak 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
+setenforce 0
+
 ## Modify resolv.conf to ensure DNS lookups work
 rm -f /etc/resolv.conf
 echo "search public1.cdhvcn.oraclevcn.com public2.cdhvcn.oraclevcn.com public3.cdhvcn.oraclevcn.com private1.cdhvcn.oraclevcn.com private2.cdhvcn.oraclevcn.com private3.cdhvcn.oraclevcn.com bastion1.cdhvcn.oraclevcn.com bastion2.cdhvcn.oraclevcn.com bastion3.cdhvcn.oraclevcn.com" > /etc/resolv.conf