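8.1 Lab content and environment overview
Migrate Cloudera Manager to a new CM node in a Kerberos-enabled environment. The lab covers:
- Migrating the Cloudera Manager node
- Migrating the MySQL metadata database
- Migrating the Kerberos MIT KDC
The main steps are:
1. Prepare the new Cloudera Manager node
2. Migrate the MariaDB database
3. Migrate the Kerberos MIT KDC
4. Migrate the data from the original CM node to the new node
5. Verify the cluster services after the migration
The Cloudera Manager node migration assumes the following:
- The CDH environment is already set up and running normally
- The old Cloudera Manager node hosts the Cloudera Manager Server (cloudera-scm-server) service and the Cloudera Management Service roles (Alert Publisher/Event Server/Host Monitor/Reports Manager/Service Monitor)
- MIT Kerberos is already configured for the cluster and working normally
- The cluster's Hadoop services HBase/Hive/HDFS/Hue/Kafka/Oozie/Spark/Spark2/Yarn/Zookeeper are running normally
Test environment:
- Operating system: Redhat7.2
- CM version: CM5.11.1
- CDH version: CDH5.11.1
- The cluster is deployed as ec2-user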
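8.2 Preparing the new CM node
8.2.1 Prerequisites for the new CM host
- The operating system version matches the cluster's operating system version (Redhat7.2)
- The firewall is disabled
- Clock synchronization is configured to match the time-sync service the cluster currently uses
- swap is set to 10
- Transparent huge pages are disabled
- SELinux is disabled
- /etc/hosts is configured, or a DNS service is used
- The CM and OS yum repositories are configured
- The symlink for the MySQL driver is created
8.2.2 New host information
Host IP address: xxx.xx.xx.xx
Hostname: ip-xxx-xx-xx-xx.ap-southeast-1.compute.internal
- Host operating system version
- Firewall
- Clock synchronization
- swap information
- Transparent huge pages
- SELinux information
- host information
- CM and OS yum repositories
- Symlink to the MySQL driver package created under /usr/share/java
8.2.3 Installing the CM services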
[ec2-user@ip-172-31-18-97 log]$ sudo yum -y install cloudera-manager-server cloudera-manager-agent
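After Cloudera Manager is installed, do not start the services yet.
Note:
- The CM version on the new node must match the original CM version.
- Do not install any other CDH components on the node.
8.2.4 Installing the MariaDB database
The original CM node runs a MariaDB database, so MariaDB is also installed on the new CM node to receive the migrated data.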
[ec2-user@ip-172-31-18-97 log]$ sudo yum -y install mariadb-server mariadb-devel
[ec2-user@ip-172-31-18-97 log]$ sudo systemctl enable mariadb
[ec2-user@ip-172-31-18-97 log]$ sudo systemctl start mariadb
[ec2-user@ip-172-31-18-97 log]$ sudo /usr/bin/mysql_secure_installation
8.3 MariaDB database migration
8.3.1 Backing up the original MariaDB data
[root@ip-172-31-25-3 ec2-user]# mysqldump -u root -p -A >oldmysql.dump
8.3.2 Importing the backup into the new database
[root@ip-172-31-18-97 ec2-user]# mysql -u root -p < oldmysql.dump
### Note: after the data has been imported successfully, run this command in the mysql client: FLUSH PRIVILEGES;
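8.4 Migrating the Kerberos MIT KDC
8.4.1 Backing up the original Kerberos database
Log in to the primary KDC server and use the kdb5_util command to back up the Kerberos database, then back up the configuration files.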
[ec2-user@ip-172-31-25-3 ~]$ sudo kdb5_util dump -verbose kerberosdb.dumpfile
HTTP/ip-172-31-18-97.ap-southeast-1.compute.internal@CLOUDERA.COM
HTTP/ip-172-31-19-209.ap-southeast-1.compute.internal@CLOUDERA.COM
….
zookeeper/ip-172-31-28-67.ap-southeast-1.compute.internal@CLOUDERA.COM
[ec2-user@ip-172-31-25-3 ~]$
/etc/krb5.conf
/var/kerberos/krb5kdc/kdc.conf
/var/kerberos/krb5kdc/kadm5.acl
8.4.2 Restoring the backup into the new database
yum -y install krb5-server krb5-libs krb5-auth-dialog krb5-workstation
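Copy the data backed up in 4.1 (section 8.4.1 above) to the new node and restore it into the Kerberos database with the following steps.
Edit the krb5.conf file and use it to overwrite krb5.conf under /etc: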
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = CLOUDERA.COM
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
# default_realm = EXAMPLE.COM
#default_ccache_name = KEYRING:persistent:%{uid}
[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
CLOUDERA.COM = {
kdc = ip-172-31-18-97.ap-southeast-1.compute.internal
admin_server = ip-172-31-18-97.ap-southeast-1.compute.internal
}
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
.ip-172-31-18-97.ap-southeast-1.compute.internal = CLOUDERA.COM
ip-172-31-18-97.ap-southeast-1.compute.internal = CLOUDERA.COM
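Change the parts highlighted in red above to the current host's IP or hostname.
Copy the kdc.conf and kadm5.acl files into the /var/kerberos/krb5kdc directory, overwriting the existing files: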
[ec2-user@ip-172-31-18-97 kerberos_bak]$ sudo scp kadm5.acl kdc.conf /var/kerberos/krb5kdc/
Restore the Kerberos database. Perform the following steps while the krb5kdc and kadmin services are stopped:
[ec2-user@ip-172-31-18-97 kerberos_bak]$ sudo kdb5_util create -r CLOUDERA.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'CLOUDERA.COM',
master key name 'K/M@CLOUDERA.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
[ec2-user@ip-172-31-18-97 kerberos_bak]$
[ec2-user@ip-172-31-18-97 kerberos_bak]$ sudo kdb5_util load kerberosdb.dumpfile
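### Note: the Kerberos database must be created first and the data imported afterwards; otherwise the krb5kdc and kadmin services will not start properly.
[ec2-user@ip-172-31-18-97 kerberos_bak]$ sudo systemctl restart krb5kdc
[ec2-user@ip-172-31-18-97 kerberos_bak]$ sudo systemctl restart kadmin
Verify that Kerberos works, testing with the imported user_r principal: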
[ec2-user@ip-172-31-18-97 ~]$ kdestroy
[ec2-user@ip-172-31-18-97 ~]$ kinit user_r
Password for user_r@CLOUDERA.COM:
[ec2-user@ip-172-31-18-97 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user_r@CLOUDERA.COM
Valid starting Expires Service principal
08/09/2017 10:10:44 08/10/2017 10:10:44 krbtgt/CLOUDERA.COM@CLOUDERA.COM
renew until 08/16/2017 10:10:44
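
An added example, not part of the original article: the dump taken in 8.4.1 holds key data for every principal in the realm, so it is worth sealing the backup on the old KDC and checking it on the new node before running kdb5_util load. The function names and the MANIFEST.sha256 file name are assumptions made here; the directory argument is the backup directory (kerberos_bak in the prompts above).

```bash
#!/bin/bash
# Added example. Assumes the four backup files from 8.4.1 sit in one directory.
# seal_backup, check_backup and MANIFEST.sha256 are names chosen for this sketch.

KDC_FILES="kerberosdb.dumpfile krb5.conf kdc.conf kadm5.acl"

# Old KDC: restrict the files to their owner, then record their SHA-256 hashes.
seal_backup() {
    ( cd "$1" || exit 1
      for f in $KDC_FILES; do
          [ -f "$f" ] || { echo "missing: $f" >&2; exit 1; }
      done
      chmod 600 $KDC_FILES
      sha256sum $KDC_FILES > MANIFEST.sha256
      chmod 600 MANIFEST.sha256 )
}

# New KDC: succeed only if every file is present, private and unchanged.
check_backup() {
    ( cd "$1" || exit 1
      [ -f MANIFEST.sha256 ] || { echo "no manifest" >&2; exit 1; }
      for f in $KDC_FILES; do
          [ -f "$f" ] || { echo "missing: $f" >&2; exit 1; }
          case "$(ls -ld "$f")" in
              ????------*) ;;   # no permission bits for group or others
              *) echo "group/other can access: $f" >&2; exit 1 ;;
          esac
      done
      # Exit status is non-zero if any hash differs from the manifest.
      sha256sum -c MANIFEST.sha256 >/dev/null )
}
```

Because the manifest travels with the files, it catches corruption and accidental changes only; compare the manifest's own hash over a separate channel to detect deliberate modification.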
8.4.3 Updating the cluster's krb5.conf configuration