CDP Deployment for Single KDC

This document provides a step by step process to deploy single Pulse instance for Cloudera clusters with single KDC.

Prerequisites

Keep the following information handy:

1. CM URL (https://<Alias/FQDN of the CM URL>:<CM Port>)
2. CM Username
3. CM Password
4. Spark History HDFS path & Spark3 History HDFS path
5. Kafka Version
6. Hbase Version
7. Hive Version
8. Hive Metastore DB Connection URL
9. hive metastore Database Name
10. hive metastore DB Username
11. hive metastore DB Password
12. Oozie DB Name
13. Oozie DB URL
14. Oozie DB Username
15. Oozie DB Password
16. Kerberos Keytab
17. krb5.conf file
18. Principal
19. Kerberos Username
20. cacerts/jssecacerts
21. YARN Scheduler Type
22. Kafka Interbroker protocol

Uninstallation

1. For uninstalling agents, you must follow the Cloudera Parcel Agent Uninstall doc.
2. You must also remove the Pulse JARS and the configuration for Hive and Tez.
3. Acceldata will then perform the following command for backup and uninstalling the existing Pulse.

a. Create a backup directory.

xxxxxxxxxx

mkdir -p /data01/backup

b. For backup, we can copy the whole config and work dir.

xxxxxxxxxx

cp -R $AcceloHome/config /data01/backup/

cp -R $AcceloHome/work /data01/backup/

c. Uninstall the existing Pulse setup by running the following command:

xxxxxxxxxx

accelo uninstall local

OUTPUT

[root@nifihost1:data01 (ad-default)]$ accelo uninstall local

✗ You're about to uninstall the local AccelData setup. This will also DELETE all persistent data from the current node. However, NONE of the remote no

✔ You're about to uninstall the local AccelData setup. This will also DELETE all persistent data from the current node. However, NONE of the remote no

✔ You're about to uninstall the local AccelData setup. This will also DELETE all persistent data from the current node. However, NONE of the remote no

You're about to uninstall the local AccelData setup. This will also DELETE all persistent data from the current node. However, NONE of the remote nodes will be affected. Please confirm your action [y/n]: : y

WARN: Gauntlet is running in dry run mode. Disable this to delete indices from elastic and purge data from mongo DB

Uninstalling the AccelData components from local machine ...

d. Logout from the terminal session.

Download the Binaries and Docker Images and Load Them

1. Download the jars, hystaller, accelo binaries, and docker images from the download links provided by Acceldata.
2. Move the docker images and jars in the following directory:

xxxxxxxxxx

mkdir -p /data01/images

3. Copy the binaries and tar files in to the /data01/images folder.

xxxxxxxxxx

cp </path/to/binaries/tar> /data01/images

4. Change the directory.

xxxxxxxxxx

cd /data01/images

5. Extract the single tar file.

xxxxxxxxxx

tar xvf <name_of_tar_file>.tar

OUTPUT

6. Load the Docker images by running the following command:

7. Check if all the images are loaded into the server.

Config Cluster

1. Validate the all the hosts file.
2. Create the acceldata dir by running the following command:

3. Copy the Spark hosts and Zookeeper hosts file in acceldata directory, by running the following command:

4. Place the accelo binary in the /data01/acceldata directory.

5. Rename the accelo.linux binary to accelo.

6. Change the directory.

7. Run the following command to do accelo init :

8. Enter the appropriate answers when prompted.
9. Source the ad.sh file.

10. Run the init command to provide the Pulse version.

OUTPUT

Provide the correct Pulse version, in this case it will be 3.3.3.

11. Now run accelo info command to get the initial info.

OUTPUT

12. Run the config cluster command to configure the cluster in Pulse.

13. Provide appropriate answers when prompted.

Copy the License

Place the license file provided by Acceldata in the work directory.

Deploy Core

Deploy the Pulse core components by running the following command:

OUTPUT

Configure SSL For Connectors and Streaming

If you have TLS/SSL enforced for any of the Hadoop components in the target cluster, you have to bind-mount the Java truststore files inside the containers for the following Pulse services.

1. ad-connectors
2. ad-sparkstats
3. ad-streaming
4. ad-kafka-connector
5. ad-kafka-0-10-2-connector
6. ad-fsanalyticsv2-connector

Only these services will establish connections to the corresponding Hadoop components of the cluster via the HTTPS URI.

Ensure that the permissions of these files are set to 0655 . i.e, read-able for all the users.

AD-CONNECTORS & AD-SPARKSTATS

1. Generate the ad-core-connectors configuration file if not present:

2. Edit the file in path <$AcceloHome>/config/docker/addons/ad-core-connectors.yml and add the following lines under the volumes section of both ad-connectors and ad-sparkstats service blocks.

3. If you only have the jssecacert file available and not the cacerts file, you can mount the jssecacerts file as the cacerts file inside the container, as demonstrated below:

AD-STREAMING

1. Generate the ad-core configuration file if not present:

2. Edit the file in path <$AcceloHome>/config/docker/ad-core.yml and add the following lines under the volumes section of ad-streaming service block.

3. If you only have the jssecacert file available and not the cacerts file, you can mount the jssecacerts file as the cacerts file inside the container, as demonstrated below:

AD-FSANALYTICSV2-CONNECTOR

1. Generate the ad-fsanalyticsv2-connector configuration file if not present:

2. Edit the file in path <$AcceloHome>/config/docker/addons/ad-fsanalyticsv2-connector.yml and add the following lines under the volumes section of ad-fsanalyticsv2-connector.

3. If you only have the jssecacert file available and not the cacerts file, you can mount the jssecacerts file as the cacerts file inside the container, as demonstrated below:

AD-KAFKA-CONNECTOR

1. Generate the ad-core-connectors configuration file if not present:

2. Edit the file in path <$AcceloHome>/config/docker/addons/ad-kafka-connector.yml and add the following lines under the volumes section of ad-kafka-connector.

3. If you only have the jssecacert file available and not the cacerts file, you can mount the jssecacerts file as the cacerts file inside the container, as demonstrated below:

AD-KAFKA-0-10-2-CONNECTOR

1. Generate the ad-core-connectors configuration file if not present:

2. Edit the file in path <$AcceloHome>/config/docker/addons/ad-kafka-0-10-2-connector.yml and add the following lines under the volumes section of ad-kafka-0-10-2-connector.

3. If you only have the jssecacert file available and not the cacerts file, you can mount the jssecacerts file as the cacerts file inside the container, as demonstrated below:

Deploy Addons

Run the following command to deploy the Pulse addons, and then select the components that are needed for Spark standalone:

OUTPUT

Configure Alerts Notifications

1. For setting the active cluster, run the following command:

2. Configure the alerts notifications.

OUTPUT

3. Set the cluster2 as the active cluster.

4. Configure the alerts for the second cluster.

5. Set the cluster3 as the active cluster.

6. Configure the alerts for the third cluster.

7. Restart the alerts notifications.

OUTPUT

Database Push Configuration

Run the following command to push config to db:

Configure Gauntlet

Updating the Gauntlet Crontab Duration

1. Check if the ad-core.yml file is present or not by running the following command:

2. If the above file is not present, then generate it by running the following command:

3. Edit the ad-core.yml file.

a. Open the file.

b. Update the CRON_TAB_DURATION env variable in the ad-gauntlet section.

This makes gauntlet run every two days at midnight.

c. The updated file will look something like this:

d. Save the file.

4. Restart gauntlet service by running the following command:

Updating the Gauntlet Dry Run Mode

1. Check if the ad-core.yml file is present or not by running the following command:

2. If the above file is not present, then generate it by running the following command:

3. Edit the ad-core.yml file.

a. Open the file.

b. Update the DRY_RUN_ENABLE env variable in the ad-gauntlet section.

This will make the gauntlet delete the older elastic indices and MongoDB data.

c. The updated file will look something like this:

d. Save the file.

4. Restart gauntlet service by running the following command:

Configuring Gauntlet for Multi Node and Multi Cluster Deployment

1. Run the following command to generate the gauntlet config files:

2. Change the dir to config/gauntlet/ .

3. Check if all the files are present or not for all the clusters or not.

4. Modify the gauntlet_elastic_<clustername>.yml file.

5. Edit the elastic address in the file for multi node setup.

6. Modify the elastic address for both clusters.
7. Push the config to database.

8. Restart the gauntlet service.

Updating MongoDB Cleanup and Compaction Frequency in Hours

By default, when dry run is disabled MongoDB cleanup and compaction will run once a day. To configure the frequency, follow the steps listed below:

1. Run the following command:

2. Answer the prompts. If you’re unsure about how many days you wish to retain, then proceed with the default values.

3. When the following prompt comes up, specify the hours of the day during which you would like MongoDB clean up and compaction to run. The value must be a CSV of hours as per the 24 hour time notation.

4. Run the following command. When gauntlet runs the next time, MongoDB clean up and compaction will run at the specified hours, once per hour.

Enabling (TLS) HTTPS for Pulse Web UI Configuration Using ad-proxy

Deployment and Configuration

1. Copy the cert.crt, cert.key and ca.crt (optional) files to $AcceloHome/config/proxy/certs location.
2. Check if ad-core.yml file is present or not.

3. If ad-core.yml file is not present, then generate the ad-core.yml file.

OUTPUT

4. Modify the ad-core.yml file.

a. Open the ad-core.yml file.

b. Remove the ports: field in the ad-graphql section of ad-core.yml .

c. The resulting ad-graphql section will look like this:

d. Save the file.

5. Restart the ad-graphql container.

6. Check if the port is not exposed to host.

OUTPUT

7. Check if there any errors in ad-graphql container.

8. Deploy the ad-proxy addons, run the following command and select Proxy from the list and press enter.

9. Now you can access the Pulse UI using https://<pulse-server-hostname> By default the port used is 443.

Configuration

If you want to change the SSL port to another port, follow the steps below:

1. Check if ad-proxy.yml file is present or not.

2. Generate the ad-proxy.yml file if its not present.

OUTPUT

3. Modify the ad-core.yml file.

a. Open the ad-proxy.yml file.

b. Change the host port in the ports list to the desired port.

The final file will look like this if the host port is 6003 :

c. Save the file.

4. Restart the ad-proxy container.

5. Check if there are any errors.

6. Now you can access the Pulse UI using https://<pulse-server-hostname>:6003 .

Set Up LDAP for Pulse UI

1. Check if the ldap.conf is present or not.

2. Run the configure command to generate the default ldap.conf if not already present.

OUTPUT

3. Edit the file in path $AcceloHome/config/ldap/ldap.conf .

5. Configure file for below properties:

   • LDAP FQDN : FQDN where LDAP server is running

     • host = [FQDN]

   • If port 389 is being used then

     • insecureNoSSL = true

   • SSL root CA Certificate

     • rootCA = [CERTIFICATE_FILE_PATH]

   • bindDN : to be used for ldap search need to be member of admin group

   • bindPW : password for entering in database, can be removed later once ldapgets enabled

   • baseDN used for user search

     • Eg: (cn=users, cn=accounts, dc=accedata, dc=io)

   • Filter used for the user search

     • Eg: (objectClass=person)

   • baseDN used for group search

     • Eg: (cn= groups, cn=accounts, dc=acceldata, dc=io)

   • Group Search: Object class used for group search

     • Eg: (objectClass= posixgroup)

Here is the command to check if user has search entry access and group access in LDAP directory:

If the file is already generated it will ask for the LDAP credentials to validate the connectivity and configurations which are mentioned in the below steps.

6. Run the configure command.

7. It will ask for the LDAP user credentials.

8. If things went correctly, it will show the below confirmation message:

9. Press ‘y' and press 'Enter’.

OUTPUT

10. Push the LDAP config.

11. Run the deploy add-ons command.

12. Select the LDAP from the list shown and click Enter.

OUTPUT

13. Run the restart command.

14. Open Pulse Web UI and create default roles.
15. Create an ops role with the necessary access permissions. Any users who log in via LDAP will automatically be assigned to this role.