Configure one or more new ECS nodes with the ECS service principal
When you add one or more new nodes to an ECS configuration, the ECS service principal and corresponding keytab must be deployed to the new nodes.
You must have the following items before you can complete this procedure:
- The list of ECS node IP addresses.
- The IP address of the KDC.
- The DNS resolution where you run this script should be the same as the DNS resolution for the Hadoop host, otherwise the vipr/_HOST@REALM will not work.
- Log in to Node 1 and check that the tools have previously been installed and the playbooks are available.
The example used previously was:
/home/admin/ansible/viprfs-client-<ECS version>-<version>/playbooks
- Edit the inventory.txt file in the playbooks/samples directory to add the ECS nodes.
The default entries are shown in the following extract.
[data_nodes]
192.168.2.[100:200]
[kdc]
192.168.2.10
- Start the utility container on ECS Node 1 and make the Ansible playbooks available to the container.
- Load the utility container image.
Example:
sudo docker load -i /opt/emc/caspian/checker/docker/images/utilities.txz
- Get the identity of the docker image.
Example:
admin@provo-lilac:~> sudo docker images
The output will give you the image identity:
REPOSITORY   TAG                   IMAGE ID       CREATED       VIRTUAL SIZE
utilities    1.5.0.0-403.cb6738e   186bd8577a7a   2 weeks ago   738.5 MB
- Start and enter the utilities image.
Example:
sudo docker run -v /opt/emc/caspian/fabric/agent/services/object/main/log:/opt/storageos/logs \
  -v /home/admin/ansible/viprfs-client-3.0.0.0.85325.a05145b/playbooks:/ansible \
  --name=ecs-tools -i -t --privileged --net=host 186bd8577a7a /bin/bash
In the example, the location to which the Ansible playbooks were unzipped, /home/admin/ansible/viprfs-client-3.0.0.0.85325.a05145b/playbooks, is mapped to the /ansible directory in the utility container.
- Change to the working directory in the container.
- Run the Ansible playbook to generate keytabs.
ansible-playbook -v -k -i inventory.txt generate-vipr-keytabs.yml
- Run the Ansible playbook to configure the data nodes with the ECS service principal.
Make sure the /ansible/samples/keytab directory exists and the krb5.conf file is in the working directory, /ansible/samples.
ansible-playbook -v -k -i inventory.txt setup-vipr-kerberos.yml
Verify that the correct ECS service principal, one per data node, has been created (from the KDC):
# kadmin.local -q "list_principals" | grep vipr
vipr/nile3-vm42.centera.lab.emc.com@MA.EMC.COM
vipr/nile3-vm43.centera.lab.emc.com@MA.EMC.COM
Verify that the correct keytab is generated and stored in /data/hdfs/krb5.keytab on all ECS data nodes. You can use the strings command on the keytab to extract the human-readable text, and verify that it contains the correct principal. For example:
dataservice-10-247-199-69:~ # strings /data/hdfs/krb5.keytab
MA.EMC.COM
vipr
nile3-vm42.centera.lab.emc.com
In this case the principal is vipr/nile3-vm42.centera.lab.emc.com.