HDDS-10. Add kdc docker image for secure ozone cluster. Contributed by Ajay Kumar.

This commit is contained in:
Xiaoyu Yao 2018-10-04 13:20:09 -07:00
parent d4511889fd
commit 0aab74026e
7 changed files with 210 additions and 39 deletions


@ -0,0 +1,22 @@
<!---
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License. See accompanying LICENSE file.
-->
# Experimental UNSECURE krb5 Kerberos container.
Only for development. Not for production.
#### Dockerfile for KDC:
* ./docker-image/docker-krb5/Dockerfile-krb5
#### Dockerfile for SCM,OM and DataNode:
* ./docker-image/runner/Dockerfile


@ -16,42 +16,58 @@
version: "3" version: "3"
services: services:
kdc: kdc:
image: ahadoop/kdc:v1 build:
hostname: kdc context: docker-image/docker-krb5
volumes: dockerfile: Dockerfile-krb5
- $SRC_VOLUME:/opt/hadoop args:
datanode: buildno: 1
image: ahadoop/runner:latest hostname: kdc
volumes: volumes:
- $SRC_VOLUME:/opt/hadoop - $SRC_VOLUME:/opt/hadoop
hostname: datanode datanode:
ports: build:
- 9864 context: docker-image/runner
command: ["/opt/hadoop/bin/ozone","datanode"] dockerfile: Dockerfile
env_file: args:
- ./docker-config buildno: 1
ozoneManager: volumes:
image: ahadoop/runner:latest - $SRC_VOLUME:/opt/hadoop
hostname: om hostname: datanode
volumes: ports:
- $SRC_VOLUME:/opt/hadoop - 9864
ports: command: ["/opt/hadoop/bin/ozone","datanode"]
- 9874:9874 env_file:
environment: - docker-config
ENSURE_OM_INITIALIZED: /data/metadata/ozoneManager/current/VERSION om:
env_file: build:
- ./docker-config context: docker-image/runner
command: ["/opt/hadoop/bin/ozone","om"] dockerfile: Dockerfile
scm: args:
image: ahadoop/runner:latest buildno: 1
hostname: scm hostname: om
volumes: volumes:
- $SRC_VOLUME:/opt/hadoop - $SRC_VOLUME:/opt/hadoop
ports: ports:
- 9876:9876 - 9874:9874
env_file: environment:
- ./docker-config ENSURE_OM_INITIALIZED: /data/metadata/om/current/VERSION
environment: env_file:
ENSURE_SCM_INITIALIZED: /data/metadata/scm/current/VERSION - docker-config
command: ["/opt/hadoop/bin/ozone","scm"] command: ["/opt/hadoop/bin/ozone","om"]
scm:
build:
context: docker-image/runner
dockerfile: Dockerfile
args:
buildno: 1
hostname: scm
volumes:
- $SRC_VOLUME:/opt/hadoop
ports:
- 9876:9876
env_file:
- docker-config
environment:
ENSURE_SCM_INITIALIZED: /data/metadata/scm/current/VERSION
command: ["/opt/hadoop/bin/ozone","scm"]
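Review bot: The kdc service keeps the `$SRC_VOLUME:/opt/hadoop` mount even though nothing in Dockerfile-krb5 or launcher.sh reads from /opt/hadoop, so the whole Ozone build tree is made available inside the KDC container for no purpose; removing the `volumes:` entry from the kdc service keeps the KDC self-contained. The `buildno: 1` build arg is passed to all four services, but Dockerfile-krb5 declares no `ARG buildno`, so for kdc it is silently ignored (the runner Dockerfile is outside this change, so I cannot tell whether it consumes it). If the arg is meant as a cache-buster, a comment saying so, `# buildno: bump to force a rebuild of the image`, would make the intent clear to the next reader.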


@ -0,0 +1,33 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License lsfor the specific language governing permissions and
# limitations under the License.
FROM frolvlad/alpine-oraclejdk8:slim
RUN apk add --update bash ca-certificates openssl krb5-server krb5 && rm -rf /var/cache/apk/* && update-ca-certificates
RUN wget -O /usr/local/bin/dumb-init https://github.com/Yelp/dumb-init/releases/download/v1.2.0/dumb-init_1.2.0_amd64
RUN chmod +x /usr/local/bin/dumb-init
RUN wget -O /root/issuer https://github.com/ajayydv/docker/raw/kdc/issuer
RUN chmod +x /root/issuer
WORKDIR /opt
ADD krb5.conf /etc/
ADD kadm5.acl /var/lib/krb5kdc/kadm5.acl
RUN kdb5_util create -s -P Welcome1
RUN kadmin.local -q "addprinc -randkey admin/admin@EXAMPLE.COM"
RUN kadmin.local -q "ktadd -k /tmp/admin.keytab admin/admin@EXAMPLE.COM"
ADD launcher.sh .
RUN mkdir -p /data
ENTRYPOINT ["/usr/local/bin/dumb-init", "--", "/opt/launcher.sh"]
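Review bot: The two `wget` lines fetch executables over the network with no integrity check and the image then runs them as root; the `issuer` binary in particular is pulled from a personal repository at a mutable branch ref (`raw/kdc/issuer`), so the image content changes whenever that branch moves and whoever can alter the branch alters what serves keytabs in this KDC. Pin each download to an immutable ref and verify it in the same `RUN`, e.g. `RUN wget -O /usr/local/bin/dumb-init https://github.com/Yelp/dumb-init/releases/download/v1.2.0/dumb-init_1.2.0_amd64 && echo "<SHA256_OF_DUMB_INIT_1.2.0_AMD64>  /usr/local/bin/dumb-init" | sha256sum -c -`, and likewise for issuer with a commit SHA in place of `kdc` in the URL and its expected digest. The base image `frolvlad/alpine-oraclejdk8:slim` is also an unpinned third-party tag; adding a digest (`@sha256:…`) would make the build reproducible. The three local files (`krb5.conf`, `kadm5.acl`, `launcher.sh`) need only `COPY`, which hadolint prefers over `ADD` for plain files, and the license header has a typo (`lsfor` → `for`).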


@ -0,0 +1,34 @@
<!---
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License. See accompanying LICENSE file.
-->
# Experimental UNSECURE krb5 Kerberos container.
Only for development. Not for production.
The docker image contains a rest service which provides keystore and keytab files without any authentication!
Master password: Welcome1
Principal: admin/admin@EXAMPLE.COM Password: Welcome1
Test:
```
docker run --net=host krb5
docker run --net=host -it --entrypoint=bash krb5
kinit admin/admin
#pwd: Welcome1
klist
```


@ -0,0 +1 @@
*/admin@EXAMPLE.COM x


@ -0,0 +1,40 @@
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_canonicalize_hostname = false
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = localhost
admin_server = localhost
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM


@ -0,0 +1,25 @@
#!/bin/bash
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -e
/root/issuer &
krb5kdc -n &
sleep 4
kadmind -nofork &
sleep 2
tail -f /var/log/krb5kdc.log &
tail -f /var/log/kadmind.log
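Review bot: `set -e` gives no protection in this script because every daemon is started with `&` and the foreground process is `tail -f`, so if `krb5kdc` or `kadmind` exits the container keeps running and looks healthy while the KDC is gone. To have the container stop when any child dies, merge the two tails into one background job, `tail -f /var/log/krb5kdc.log /var/log/kadmind.log &`, and end the script with `wait -n` (bash ≥ 4.3) followed by `exit 1`; dumb-init as ENTRYPOINT then takes the container down with it. The fixed `sleep 4` and `sleep 2` are only guesses at readiness; if kadmind depends on the KDC being up, polling for it would be more robust, though I cannot tell from this file what it actually waits for. A one-line header comment, `# Starts the issuer REST service, the KDC and kadmind, and streams their logs to stdout`, would also help, since the script is the image's entrypoint.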