HDDS-10. Add kdc docker image for secure ozone cluster. Contributed by Ajay 
Kumar.


Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/9200bc1f
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/9200bc1f
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/9200bc1f

Branch: refs/heads/HDDS-4
Commit: 9200bc1fc98288cb30a8f8f7ca34bbabe4aeddee
Parents: 67d4b03
Author: Xiaoyu Yao <x...@apache.org>
Authored: Thu Oct 4 13:20:09 2018 -0700
Committer: Xiaoyu Yao <x...@apache.org>
Committed: Wed Oct 17 14:04:04 2018 -0700

----------------------------------------------------------------------
 .../dist/src/main/compose/ozonesecure/README.md | 22 +++++
 .../compose/ozonesecure/docker-compose.yaml     | 94 ++++++++++++--------
 .../docker-image/docker-krb5/Dockerfile-krb5    | 33 +++++++
 .../docker-image/docker-krb5/README.md          | 34 +++++++
 .../docker-image/docker-krb5/kadm5.acl          |  1 +
 .../docker-image/docker-krb5/krb5.conf          | 40 +++++++++
 .../docker-image/docker-krb5/launcher.sh        | 25 ++++++
 7 files changed, 210 insertions(+), 39 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hadoop/blob/9200bc1f/hadoop-ozone/dist/src/main/compose/ozonesecure/README.md
----------------------------------------------------------------------
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure/README.md 
b/hadoop-ozone/dist/src/main/compose/ozonesecure/README.md
new file mode 100644
index 0000000..0ce9a0a
--- /dev/null
+++ b/hadoop-ozone/dist/src/main/compose/ozonesecure/README.md
@@ -0,0 +1,22 @@
+<!---
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License. See accompanying LICENSE file.
+-->
+# Experimental UNSECURE krb5 Kerberos container.
+
+Only for development. Not for production.
+
+#### Dockerfile for KDC:
+* ./docker-image/docker-krb5/Dockerfile-krb5
+
+#### Dockerfile for SCM,OM and DataNode:
+* ./docker-image/runner/Dockerfile
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/hadoop/blob/9200bc1f/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-compose.yaml
----------------------------------------------------------------------
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-compose.yaml 
b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-compose.yaml
index 42ab05e..fab5ba9 100644
--- a/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-compose.yaml
+++ b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-compose.yaml
@@ -16,42 +16,58 @@
 
 version: "3"
 services:
-   kdc:
-      image: ahadoop/kdc:v1
-      hostname: kdc
-      volumes:
-          - $SRC_VOLUME:/opt/hadoop
-   datanode:
-      image: ahadoop/runner:latest
-      volumes:
-        - $SRC_VOLUME:/opt/hadoop
-      hostname: datanode
-      ports:
-        - 9864
-      command: ["/opt/hadoop/bin/ozone","datanode"]
-      env_file:
-        - ./docker-config
-   ozoneManager:
-      image: ahadoop/runner:latest
-      hostname: om
-      volumes:
-         - $SRC_VOLUME:/opt/hadoop
-      ports:
-         - 9874:9874
-      environment:
-         ENSURE_OM_INITIALIZED: /data/metadata/ozoneManager/current/VERSION
-      env_file:
-          - ./docker-config
-      command: ["/opt/hadoop/bin/ozone","om"]
-   scm:
-      image: ahadoop/runner:latest
-      hostname: scm
-      volumes:
-         - $SRC_VOLUME:/opt/hadoop
-      ports:
-         - 9876:9876
-      env_file:
-          - ./docker-config
-      environment:
-          ENSURE_SCM_INITIALIZED: /data/metadata/scm/current/VERSION
-      command: ["/opt/hadoop/bin/ozone","scm"]
+  kdc:
+    build:
+      context: docker-image/docker-krb5
+      dockerfile: Dockerfile-krb5
+      args:
+        buildno: 1
+    hostname: kdc
+    volumes:
+    - $SRC_VOLUME:/opt/hadoop
+  datanode:
+    build:
+      context: docker-image/runner
+      dockerfile: Dockerfile
+      args:
+        buildno: 1
+    volumes:
+    - $SRC_VOLUME:/opt/hadoop
+    hostname: datanode
+    ports:
+    - 9864
+    command: ["/opt/hadoop/bin/ozone","datanode"]
+    env_file:
+    - docker-config
+  om:
+    build:
+      context: docker-image/runner
+      dockerfile: Dockerfile
+      args:
+        buildno: 1
+    hostname: om
+    volumes:
+    - $SRC_VOLUME:/opt/hadoop
+    ports:
+    - 9874:9874
+    environment:
+      ENSURE_OM_INITIALIZED: /data/metadata/om/current/VERSION
+    env_file:
+    - docker-config
+    command: ["/opt/hadoop/bin/ozone","om"]
+  scm:
+    build:
+      context: docker-image/runner
+      dockerfile: Dockerfile
+      args:
+        buildno: 1
+    hostname: scm
+    volumes:
+    - $SRC_VOLUME:/opt/hadoop
+    ports:
+    - 9876:9876
+    env_file:
+    - docker-config
+    environment:
+      ENSURE_SCM_INITIALIZED: /data/metadata/scm/current/VERSION
+    command: ["/opt/hadoop/bin/ozone","scm"]
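Review bot: The `om` and `scm` services publish `9874:9874` and `9876:9876` without a host address, so Compose binds them on every host interface, while the README added in this commit describes the setup as unsecure and development-only. Binding to loopback keeps the cluster off the network: `- "127.0.0.1:9874:9874"` and `- "127.0.0.1:9876:9876"` (quoted, which also avoids YAML implicit typing of port pairs). The `kdc` service also mounts `$SRC_VOLUME` read-write; if the KDC only reads from it, `- $SRC_VOLUME:/opt/hadoop:ro` would narrow what that container can change, though whether it writes there is not visible in this hunk. `buildno: 1` is passed to the krb5 build, but Dockerfile-krb5 in this commit declares no `ARG buildno`, so the argument appears unused.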

http://git-wip-us.apache.org/repos/asf/hadoop/blob/9200bc1f/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-image/docker-krb5/Dockerfile-krb5
----------------------------------------------------------------------
diff --git 
a/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-image/docker-krb5/Dockerfile-krb5
 
b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-image/docker-krb5/Dockerfile-krb5
new file mode 100644
index 0000000..b5b931d
--- /dev/null
+++ 
b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-image/docker-krb5/Dockerfile-krb5
@@ -0,0 +1,33 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License lsfor the specific language governing permissions and
+# limitations under the License.
+
+
+FROM frolvlad/alpine-oraclejdk8:slim
+RUN apk add --update bash ca-certificates openssl krb5-server krb5 && rm -rf 
/var/cache/apk/* && update-ca-certificates
+RUN wget -O /usr/local/bin/dumb-init 
https://github.com/Yelp/dumb-init/releases/download/v1.2.0/dumb-init_1.2.0_amd64
+RUN chmod +x /usr/local/bin/dumb-init
+RUN wget -O /root/issuer https://github.com/ajayydv/docker/raw/kdc/issuer
+RUN chmod +x /root/issuer
+WORKDIR /opt
+ADD krb5.conf /etc/
+ADD kadm5.acl /var/lib/krb5kdc/kadm5.acl
+RUN kdb5_util create -s -P Welcome1
+RUN kadmin.local -q "addprinc -randkey admin/ad...@example.com"
+RUN kadmin.local -q "ktadd -k /tmp/admin.keytab admin/ad...@example.com"
+ADD launcher.sh .
+RUN mkdir -p /data
+ENTRYPOINT ["/usr/local/bin/dumb-init", "--", "/opt/launcher.sh"]
+
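Review bot: Both `wget` steps install executables without checking their integrity, and `/root/issuer` comes from a branch URL (`raw/kdc/issuer`) in a personal repository, so its content can change between builds and it is then started as root by launcher.sh. Pin each download to an immutable ref and verify it in the same `RUN`, e.g. `echo "<EXPECTED_SHA256>  /usr/local/bin/dumb-init" | sha256sum -c -` (placeholder digest), and do the same for `issuer`. `kdb5_util create -s -P Welcome1` bakes the master password and stash file into an image layer, and `/tmp/admin.keytab` is left in the image as well; a comment such as `# dev-only: fixed master password, never publish this image` would make that explicit. The admin principal is created with `-randkey`, which looks inconsistent with the README's `Password: Welcome1` for `kinit admin/admin`, so it is worth confirming which is intended.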

http://git-wip-us.apache.org/repos/asf/hadoop/blob/9200bc1f/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-image/docker-krb5/README.md
----------------------------------------------------------------------
diff --git 
a/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-image/docker-krb5/README.md
 
b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-image/docker-krb5/README.md
new file mode 100644
index 0000000..b864a5f
--- /dev/null
+++ 
b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-image/docker-krb5/README.md
@@ -0,0 +1,34 @@
+<!---
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License. See accompanying LICENSE file.
+-->
+
+# Experimental UNSECURE krb5 Kerberos container.
+
+Only for development. Not for production.
+
+The docker image contains a rest service which provides keystore and keytab 
files without any authentication!
+
+Master password: Welcome1
+
+Principal: admin/ad...@example.com Password: Welcome1
+
+Test:
+
+```
+docker run --net=host krb5
+
+docker run --net=host -it --entrypoint=bash krb5
+kinit admin/admin 
+#pwd: Welcome1
+klist
+```

http://git-wip-us.apache.org/repos/asf/hadoop/blob/9200bc1f/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-image/docker-krb5/kadm5.acl
----------------------------------------------------------------------
diff --git 
a/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-image/docker-krb5/kadm5.acl
 
b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-image/docker-krb5/kadm5.acl
new file mode 100644
index 0000000..8fe9f69
--- /dev/null
+++ 
b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-image/docker-krb5/kadm5.acl
@@ -0,0 +1 @@
+*/ad...@example.com x
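Review bot: The single entry grants `x`, i.e. every kadmin privilege, to any principal with the admin instance and with no target restriction, and the file carries no comment saying this is deliberate. Since launcher.sh starts `kadmind`, any such principal that can reach it can manage the whole realm. For this development image that may be acceptable; a first line such as `# dev-only: all */admin principals get full kadmin privileges` would document it.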

http://git-wip-us.apache.org/repos/asf/hadoop/blob/9200bc1f/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-image/docker-krb5/krb5.conf
----------------------------------------------------------------------
diff --git 
a/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-image/docker-krb5/krb5.conf
 
b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-image/docker-krb5/krb5.conf
new file mode 100644
index 0000000..34eabe1
--- /dev/null
+++ 
b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-image/docker-krb5/krb5.conf
@@ -0,0 +1,40 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+[logging]
+default = FILE:/var/log/krb5libs.log
+kdc = FILE:/var/log/krb5kdc.log
+admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+ dns_canonicalize_hostname = false
+ dns_lookup_realm = false
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+ forwardable = true
+ rdns = false
+ default_realm = EXAMPLE.COM
+
+[realms]
+ EXAMPLE.COM = {
+  kdc = localhost
+  admin_server = localhost
+ }
+
+[domain_realm]
+ .example.com = EXAMPLE.COM
+ example.com = EXAMPLE.COM
+

http://git-wip-us.apache.org/repos/asf/hadoop/blob/9200bc1f/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-image/docker-krb5/launcher.sh
----------------------------------------------------------------------
diff --git 
a/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-image/docker-krb5/launcher.sh
 
b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-image/docker-krb5/launcher.sh
new file mode 100644
index 0000000..0824f7b
--- /dev/null
+++ 
b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-image/docker-krb5/launcher.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+/root/issuer &
+krb5kdc -n &
+sleep 4
+kadmind -nofork &
+sleep 2
+tail -f /var/log/krb5kdc.log &
+tail -f /var/log/kadmind.log
+
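Review bot: launcher.sh is added with mode 100644, and Dockerfile-krb5 in this commit copies it with `ADD launcher.sh .` and uses `/opt/launcher.sh` as the ENTRYPOINT without a `chmod`, so the container is likely to fail at start with a permission error unless the mode is changed elsewhere. Either commit the file as 100755 or add `RUN chmod +x /opt/launcher.sh` after the `ADD`. Separately, `set -e` does not cover the backgrounded `/root/issuer`, `krb5kdc -n` and `kadmind -nofork`: if one of them exits, the script keeps running in `tail -f` and the container stays up without a working KDC. A comment above `/root/issuer &` noting that it serves keytabs without authentication (as the README states) would help readers of the script.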

