[ 
https://issues.apache.org/jira/browse/HADOOP-15456?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16475005#comment-16475005
 ] 

Ajay Kumar edited comment on HADOOP-15456 at 5/14/18 11:19 PM:
---------------------------------------------------------------

[~elek] thanks for reviewing this. My initial thought in having a separate image 
for ozone security was to remove any dependency on the hadoop-runner image. It will 
allow us to modify the ozone image more freely if required, but I am open to merging 
this with the hadoop-runner branch for the time being and forking it later if required.
{quote}As I see the only non compatible change between the existing 
apache/hadoop-runner and your base image is that you removed the 'USER hadoop'. 
Is there any reason for that?
{quote}
Datanode needs to be started with root user. Since it is for testing purposes 
only, I think it's OK to run with the default user without doing sudo.

{quote}There is some commented-out code in the starter.sh (e.g. keystore 
download). If we don't need the wire encryption yet, we can simply remove 
those lines. Also there are other disabled lines (sleep, volume permission 
fix). I am just wondering if they are intentional.{quote}
Will remove it. 
{quote}You have a loop to wait for the KDC server. I really like it as it makes 
it safer to start the kerberized containers. Just two notes: The loop should 
be executed IMHO only if KERBEROS SERVER is set. + You can add the 'KDC' word 
to the printout in the else case to make it easier to understand that we are 
waiting for the KDC...
{quote}
done
{quote}If it will be a shared runner image for both hadoop/hdds/hdfs/yarn, the 
readme should be adjusted a little.
{quote}
I think it's better to have separate images for hadoop and hdds, but if we choose 
to have one I can update the readme.


was (Author: ajayydv):
[~elek] thanks for reviewing this. My initial thought in having a separate image 
for ozone security was to remove any dependency on the hadoop-runner image. It will 
allow us to modify the ozone image more freely if required, but I am open to merging 
this with the hadoop-runner branch for the time being and forking it later if required.

{quote}As I see the only non compatible change between the existing 
apache/hadoop-runner and your base image is that you removed the 'USER hadoop'. 
Is there any reason for that?{quote}
{quote}Datanode needs to be started with root user. Since it is for testing 
purposes only, I think it's OK to run with the default user without doing sudo.
There is some commented-out code in the starter.sh (e.g. keystore download). 
If we don't need the wire encryption yet, we can simply remove those 
lines. Also there are other disabled lines (sleep, volume permission fix). I am 
just wondering if they are intentional.{quote}
Will remove them. 
{quote}You have a loop to wait for the KDC server. I really like it as it makes 
it safer to start the kerberized containers. Just two notes: The loop should 
be executed IMHO only if KERBEROS SERVER is set. + You can add the 'KDC' word 
to the printout in the else case to make it easier to understand that we are 
waiting for the KDC...{quote}
done
{quote}If it will be a shared runner image for both hadoop/hdds/hdfs/yarn, the 
readme should be adjusted a little.{quote}
I think it's better to have separate images for hadoop and hdds, but if we choose 
to have one I can update the readme.

> create base image for running secure ozone cluster
> --------------------------------------------------
>
>                 Key: HADOOP-15456
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15456
>             Project: Hadoop Common
>          Issue Type: Sub-task
>            Reporter: Ajay Kumar
>            Assignee: Ajay Kumar
>            Priority: Major
>         Attachments: HADOOP-15456-docker-hadoop-runner.001.patch, 
> secure-ozone.tar
>
>
> Create docker image to run secure ozone cluster.


