[ https://issues.apache.org/jira/browse/HADOOP-9888?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13745177#comment-13745177 ]
Chris Nauroth commented on HADOOP-9888: --------------------------------------- So far, we've only seen the DNS timeout happen in Windows VMs running in Azure with Oracle JDK 7. As a workaround, we created a file named krb5.ini in \Windows with the following contents: {code} [libdefaults] default_realm = FOO.COM dns_lookup_realm = false dns_lookup_kdc = false {code} I propose that if security is not enabled, we skip getting the default realm and just fall back to a default. We'll need to verify that {{KerberosName#defaultRealm}} is only used in code paths where security is enabled. One tricky aspect is that {{KerberosName}} can be referenced from {{UserGroupInformation#isSecurityEnabled}}, so the static initialization block might run before initialization of {{UserGroupInformation}} has completed. We might need to start with something similar to the HADOOP-6913 patch for 0.22 to break this circular initialization. > KerberosName static initialization gets default realm, which is unneeded in > non-secure deployment. > -------------------------------------------------------------------------------------------------- > > Key: HADOOP-9888 > URL: https://issues.apache.org/jira/browse/HADOOP-9888 > Project: Hadoop Common > Issue Type: Bug > Components: security > Affects Versions: 3.0.0, 2.1.1-beta > Reporter: Chris Nauroth > > {{KerberosName}} has a static initialization block that looks up the default > realm. Running with Oracle JDK7, this code path triggers a DNS query. In > some environments, we've seen this DNS query block and time out after 30 > seconds. This is part of static initialization, and the class is referenced > from {{UserGroupInformation#initialize}}, so every daemon and every shell > command experiences this delay. This occurs even for non-secure deployments, > which don't need the default realm. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira