[ https://issues.apache.org/jira/browse/HDDS-1019?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16778138#comment-16778138 ]

Elek, Marton commented on HDDS-1019:
------------------------------------

ozonesecure cluster is not working for me with the new base image:

{code}
scm_1           | org.apache.hadoop.security.KerberosAuthException: failure to login: for principal: scm/[email protected] from keytab /etc/security/keytabs/scm.keytab javax.security.auth.login.LoginException: Message stream modified (41)
scm_1           |       at org.apache.hadoop.security.UserGroupInformation.doSubjectLogin(UserGroupInformation.java:1847)
scm_1           |       at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1215)
scm_1           |       at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1008)
scm_1           |       at org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:315)
scm_1           |       at org.apache.hadoop.hdds.scm.server.StorageContainerManager.loginAsSCMUser(StorageContainerManager.java:500)
scm_1           |       at org.apache.hadoop.hdds.scm.server.StorageContainerManager.<init>(StorageContainerManager.java:258)
scm_1           |       at org.apache.hadoop.hdds.scm.server.StorageContainerManager.<init>(StorageContainerManager.java:216)
scm_1           |       at org.apache.hadoop.hdds.scm.server.StorageContainerManager.createSCM(StorageContainerManager.java:688)
scm_1           |       at org.apache.hadoop.hdds.scm.server.StorageContainerManager.main(StorageContainerManager.java:600)
scm_1           | Caused by: javax.security.auth.login.LoginException: Message stream modified (41)
scm_1           |       at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:781)
scm_1           |       at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:592)
scm_1           |       at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:726)
scm_1           |       at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665)
scm_1           |       at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663)
scm_1           |       at java.base/java.security.AccessController.doPrivileged(Native Method)
scm_1           |       at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663)
scm_1           |       at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574)
scm_1           |       at org.apache.hadoop.security.UserGroupInformation$HadoopLoginContext.login(UserGroupInformation.java:1926)
scm_1           |       at org.apache.hadoop.security.UserGroupInformation.doSubjectLogin(UserGroupInformation.java:1837)
scm_1           |       ... 8 more
scm_1           | Caused by: KrbException: Message stream modified (41)
scm_1           |       at java.security.jgss/sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:83)
scm_1           |       at java.security.jgss/sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:158)
scm_1           |       at java.security.jgss/sun.security.krb5.KrbAsRep.decryptUsingKeyTab(KrbAsRep.java:121)
scm_1           |       at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:295)
scm_1           |       at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:371)
scm_1           |       at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:753)
scm_1           |       ... 17 more
{code}

I am fine with committing the trunk patch here (because it's not working anyway),
but I would suggest deleting the ozonesecure/docker-image/runner directory
during this commit. If you agree, I will commit it to the trunk.

> Use apache/hadoop-runner image to test ozone secure cluster
> -----------------------------------------------------------
>
>                 Key: HDDS-1019
>                 URL: https://issues.apache.org/jira/browse/HDDS-1019
>             Project: Hadoop Distributed Data Store
>          Issue Type: Bug
>            Reporter: Elek, Marton
>            Assignee: Xiaoyu Yao
>            Priority: Critical
>         Attachments: HDDS-1019-docker-hadoop-runner.01.patch, 
> HDDS-1019-docker-hadoop-runner.02.patch, 
> HDDS-1019-docker-hadoop-runner.03.patch, HDDS-1019-trunk.01.patch, 
> HDDS-1019-trunk.02.patch
>
>
> As of now the secure ozone cluster uses a custom image which is not based on 
> the apache/hadoop-runner image. There are multiple problems with that:
>  1. multiple script files which are maintained in the docker-hadoop-runner 
> branch are copied and duplicated in 
> hadoop-ozone/dist/src/main/compose/ozonesecure/docker-image/runner/scripts
>  2. The user of the image is root. It creates 
> core-site.xml/hdfs-site.xml/ozone-site.xml with the root user, which prevents 
> running all the default smoke tests
>  3. Building the base image with each build takes more time
> I propose to check what is missing from the apache/hadoop-ozone base image, 
> add it and use that one. 
> I marked it critical because of 2): it breaks the run of the acceptance test 
> suite.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
