diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure/README.md b/hadoop-ozone/dist/src/main/compose/ozonesecure/README.md
new file mode 100644
index 00000000000..0ce9a0a8926
--- /dev/null
+++ b/hadoop-ozone/dist/src/main/compose/ozonesecure/README.md
@@ -0,0 +1,22 @@
+
+# Experimental UNSECURE krb5 Kerberos container.
+
+Only for development. Not for production.
+
+#### Dockerfile for KDC:
+* ./docker-image/docker-krb5/Dockerfile-krb5
+
+#### Dockerfile for SCM,OM and DataNode:
+* ./docker-image/runner/Dockerfile
\ No newline at end of file
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-compose.yaml b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-compose.yaml
index 42ab05ee3de..fab5ba939ac 100644
--- a/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-compose.yaml
+++ b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-compose.yaml
@@ -16,42 +16,58 @@
 version: "3"
 services:
- kdc:
- image: ahadoop/kdc:v1
- hostname: kdc
- volumes:
- - $SRC_VOLUME:/opt/hadoop
- datanode:
- image: ahadoop/runner:latest
- volumes:
- - $SRC_VOLUME:/opt/hadoop
- hostname: datanode
- ports:
- - 9864
- command: ["/opt/hadoop/bin/ozone","datanode"]
- env_file:
- - ./docker-config
- ozoneManager:
- image: ahadoop/runner:latest
- hostname: om
- volumes:
- - $SRC_VOLUME:/opt/hadoop
- ports:
- - 9874:9874
- environment:
- ENSURE_OM_INITIALIZED: /data/metadata/ozoneManager/current/VERSION
- env_file:
- - ./docker-config
- command: ["/opt/hadoop/bin/ozone","om"]
- scm:
- image: ahadoop/runner:latest
- hostname: scm
- volumes:
- - $SRC_VOLUME:/opt/hadoop
- ports:
- - 9876:9876
- env_file:
- - ./docker-config
- environment:
- ENSURE_SCM_INITIALIZED: /data/metadata/scm/current/VERSION
- command: ["/opt/hadoop/bin/ozone","scm"]
+ kdc:
+ build:
+ context: docker-image/docker-krb5
+ dockerfile: Dockerfile-krb5
+ args:
+ buildno: 1
+ hostname: kdc
+ volumes:
+ - $SRC_VOLUME:/opt/hadoop
+ datanode:
+ build:
+ context: docker-image/runner
+ dockerfile: Dockerfile
+ args:
+ buildno: 1
+ volumes:
+ - $SRC_VOLUME:/opt/hadoop
+ hostname: datanode
+ ports:
+ - 9864
+ command: ["/opt/hadoop/bin/ozone","datanode"]
+ env_file:
+ - docker-config
+ om:
+ build:
+ context: docker-image/runner
+ dockerfile: Dockerfile
+ args:
+ buildno: 1
+ hostname: om
+ volumes:
+ - $SRC_VOLUME:/opt/hadoop
+ ports:
+ - 9874:9874
+ environment:
+ ENSURE_OM_INITIALIZED: /data/metadata/om/current/VERSION
+ env_file:
+ - docker-config
+ command: ["/opt/hadoop/bin/ozone","om"]
+ scm:
+ build:
+ context: docker-image/runner
+ dockerfile: Dockerfile
+ args:
+ buildno: 1
+ hostname: scm
+ volumes:
+ - $SRC_VOLUME:/opt/hadoop
+ ports:
+ - 9876:9876
+ env_file:
+ - docker-config
+ environment:
+ ENSURE_SCM_INITIALIZED: /data/metadata/scm/current/VERSION
+ command: ["/opt/hadoop/bin/ozone","scm"]
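Review bot: The `args: buildno: 1` passed to the `kdc` service is never declared as an `ARG` in the `Dockerfile-krb5` that this commit adds, so it is not consumed by that build — it neither reaches the image nor invalidates the build cache, and the builder will warn about an unconsumed build-arg; whether `docker-image/runner/Dockerfile` declares it is not visible here. The identical `build:` stanza is then repeated verbatim for `datanode`, `om` and `scm`, which is the kind of duplication that drifts when one copy is edited; a top-level extension field with a YAML anchor keeps the three in sync (extension fields require `version: "3.4"` or later, while this file declares `version: "3"`). If `buildno` is meant as a manual cache-buster, a comment saying so next to the `x-runner-build` block would save the next reader from looking for its consumer.

```yaml
x-runner-build: &runner-build
  context: docker-image/runner
  dockerfile: Dockerfile
  args:
    buildno: 1   # bump to force a rebuild of the runner image

services:
  # … unchanged: kdc …
  datanode:
    build: *runner-build
    # … unchanged: volumes, hostname, ports, command, env_file …
  om:
    build: *runner-build
    # … unchanged: hostname, volumes, ports, environment, env_file, command …
  scm:
    build: *runner-build
    # … unchanged: hostname, volumes, ports, env_file, environment, command …
```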
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-image/docker-krb5/Dockerfile-krb5 b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-image/docker-krb5/Dockerfile-krb5
new file mode 100644
index 00000000000..b5b931d8fe0
--- /dev/null
+++ b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-image/docker-krb5/Dockerfile-krb5
@@ -0,0 +1,33 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License lsfor the specific language governing permissions and
+# limitations under the License.
+
+
+FROM frolvlad/alpine-oraclejdk8:slim
+RUN apk add --update bash ca-certificates openssl krb5-server krb5 && rm -rf /var/cache/apk/* && update-ca-certificates
+RUN wget -O /usr/local/bin/dumb-init https://github.com/Yelp/dumb-init/releases/download/v1.2.0/dumb-init_1.2.0_amd64
+RUN chmod +x /usr/local/bin/dumb-init
+RUN wget -O /root/issuer https://github.com/ajayydv/docker/raw/kdc/issuer
+RUN chmod +x /root/issuer
+WORKDIR /opt
+ADD krb5.conf /etc/
+ADD kadm5.acl /var/lib/krb5kdc/kadm5.acl
+RUN kdb5_util create -s -P Welcome1
+RUN kadmin.local -q "addprinc -randkey admin/admin@EXAMPLE.COM"
+RUN kadmin.local -q "ktadd -k /tmp/admin.keytab admin/admin@EXAMPLE.COM"
+ADD launcher.sh .
+RUN mkdir -p /data
+ENTRYPOINT ["/usr/local/bin/dumb-init", "--", "/opt/launcher.sh"]
+
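Review bot: The two `wget` lines download executables (`/usr/local/bin/dumb-init`, which becomes the image's PID 1 via the `ENTRYPOINT`, and `/root/issuer`, which `launcher.sh` starts first) with no integrity check, and the issuer URL points at a branch (`raw/kdc/issuer`) of a personal GitHub repository, so the binary the KDC container boots can change between builds without any change to this file. Pin the issuer to a commit hash instead of a branch name, and verify a SHA-256 for both downloads in the same `RUN` layer that makes them executable — busybox `sha256sum -c` is available on the Alpine base, so no extra package is needed. Separately, `ADD krb5.conf /etc/`, `ADD kadm5.acl …` and `ADD launcher.sh .` are plain local copies and should be `COPY`, and `apk add --update … && rm -rf /var/cache/apk/*` is what `apk add --no-cache` does in one step. The `FROM frolvlad/alpine-oraclejdk8:slim` tag is also unpinned, which the README's "experimental, not for production" framing covers, but a digest pin would make the image reproducible.

```dockerfile
FROM frolvlad/alpine-oraclejdk8:slim
# … unchanged: apk add …
RUN wget -O /usr/local/bin/dumb-init https://github.com/Yelp/dumb-init/releases/download/v1.2.0/dumb-init_1.2.0_amd64 \
    && echo "<SHA256_OF_DUMB_INIT_1.2.0_AMD64>  /usr/local/bin/dumb-init" | sha256sum -c - \
    && chmod +x /usr/local/bin/dumb-init
# Pin to a commit, not the moving "kdc" branch, and check the hash recorded at review time.
RUN wget -O /root/issuer https://github.com/ajayydv/docker/raw/<PINNED_COMMIT_SHA>/issuer \
    && echo "<SHA256_OF_ISSUER>  /root/issuer" | sha256sum -c - \
    && chmod +x /root/issuer
# … unchanged: WORKDIR, krb5.conf/kadm5.acl copies, kdb5_util/kadmin.local, launcher.sh, ENTRYPOINT …
```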
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-image/docker-krb5/README.md b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-image/docker-krb5/README.md
new file mode 100644
index 00000000000..b864a5fa5d9
--- /dev/null
+++ b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-image/docker-krb5/README.md
@@ -0,0 +1,34 @@
+
+
+# Experimental UNSECURE krb5 Kerberos container.
+
+Only for development. Not for production.
+
+The docker image contains a rest service which provides keystore and keytab files without any authentication!
+
+Master password: Welcome1
+
+Principal: admin/admin@EXAMPLE.COM Password: Welcome1
+
+Test:
+
+```
+docker run --net=host krb5
+
+docker run --net=host -it --entrypoint=bash krb5
+kinit admin/admin
+#pwd: Welcome1
+klist
+```
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-image/docker-krb5/kadm5.acl b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-image/docker-krb5/kadm5.acl
new file mode 100644
index 00000000000..8fe9f69ece4
--- /dev/null
+++ b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-image/docker-krb5/kadm5.acl
@@ -0,0 +1 @@
+*/admin@EXAMPLE.COM x
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-image/docker-krb5/krb5.conf b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-image/docker-krb5/krb5.conf
new file mode 100644
index 00000000000..34eabe14850
--- /dev/null
+++ b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-image/docker-krb5/krb5.conf
@@ -0,0 +1,40 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+[logging]
+default = FILE:/var/log/krb5libs.log
+kdc = FILE:/var/log/krb5kdc.log
+admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+ dns_canonicalize_hostname = false
+ dns_lookup_realm = false
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+ forwardable = true
+ rdns = false
+ default_realm = EXAMPLE.COM
+
+[realms]
+ EXAMPLE.COM = {
+ kdc = localhost
+ admin_server = localhost
+ }
+
+[domain_realm]
+ .example.com = EXAMPLE.COM
+ example.com = EXAMPLE.COM
+
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-image/docker-krb5/launcher.sh b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-image/docker-krb5/launcher.sh
new file mode 100644
index 00000000000..0824f7b7ae6
--- /dev/null
+++ b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-image/docker-krb5/launcher.sh
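Review bot: `kdc = localhost` and `admin_server = localhost` in the `[realms]` block are only correct inside the KDC container itself; `Dockerfile-krb5` in this commit installs this file to `/etc/` in that image only, while the other compose services reach the KDC by the service hostname `kdc`, so this file must not be reused as the client-side krb5.conf for `om`, `scm` or `datanode` — presumably their configuration comes from `docker-config` or the runner image, neither of which is visible here. A one-line comment above `[realms]`, such as `# KDC-local settings: clients must set kdc/admin_server to the compose hostname "kdc"`, would stop the file being copied into the runner image by mistake. The `[logging]` keys are also the only ones written without the leading indent the other sections use; aligning them is cosmetic but makes the file read consistently.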
@@ -0,0 +1,25 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+/root/issuer &
+krb5kdc -n &
+sleep 4
+kadmind -nofork &
+sleep 2
+tail -f /var/log/krb5kdc.log &
+tail -f /var/log/kadmind.log
+
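Review bot: The container's lifetime is tied to the final `tail -f /var/log/kadmind.log`, not to the daemons: `set -e` does not apply to the `&`-backgrounded `/root/issuer`, `krb5kdc -n` and `kadmind -nofork`, so if any of them exits the log tail keeps the container "up" and compose never reports the dead KDC. Backgrounding the last tail as well and ending the script with `wait -n` (bash ≥ 4.3, which the `apk add bash` in `Dockerfile-krb5` provides) makes the script — and with it PID 1 under dumb-init — exit as soon as the first child does, i.e. change the last line to `tail -f /var/log/kadmind.log &` followed by `wait -n`. The `sleep 4` / `sleep 2` delays are also just a guess at start-up time rather than a readiness check; a short comment saying they exist only so the log files are present before `tail -f` runs would at least record the intent.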