A CDH cluster with Kerberos enabled (managed through FreeIPA) and no host firewall running.

Company operations policy required the firewall to be switched on.
Because the cluster uses a large number of ports, some of them allocated dynamically, the firewall policy was written so that each node opens a specified port range to the other nodes. Nodes run different services, so the range opened to the other nodes differs from node to node and has to be tested and adjusted by hand.

While the firewall policy was being applied, the ZooKeeper service failed to start with the following error:

2021-01-05 13:14:46,382 INFO org.apache.zookeeper.server.ZooKeeperServer: maxSessionTimeout set to 60000
2021-01-05 13:16:16,588 ERROR org.apache.zookeeper.server.ZooKeeperServerMain: Unexpected exception, exiting abnormally
java.io.IOException: Could not configure server because SASL configuration did not allow the  ZooKeeper server to authenticate itself properly: javax.security.auth.login.LoginException: Receive timed out
	at org.apache.zookeeper.server.ServerCnxnFactory.configureSaslLogin(ServerCnxnFactory.java:211)
	at org.apache.zookeeper.server.NIOServerCnxnFactory.configure(NIOServerCnxnFactory.java:82)
	at org.apache.zookeeper.server.ZooKeeperServerMain.runFromConfig(ZooKeeperServerMain.java:119)
	at org.apache.zookeeper.server.ZooKeeperServerMain.initializeAndRun(ZooKeeperServerMain.java:93)
	at org.apache.zookeeper.server.ZooKeeperServerMain.main(ZooKeeperServerMain.java:55)
	at org.apache.zookeeper.server.quorum.QuorumPeerMain.initializeAndRun(QuorumPeerMain.java:123)
	at org.apache.zookeeper.server.quorum.QuorumPeerMain.main(QuorumPeerMain.java:81)
2021-01-05 13:16:22,385 INFO org.apache.zookeeper.server.quorum.QuorumPeerConfig: Reading configuration from: /var/run/cloudera-scm-agent/process/2397-zookeeper-server/zoo.cfg
2021-01-05 13:16:22,414 ERROR org.apache.zookeeper.server.quorum.QuorumPeerConfig: Invalid configuration, only one server specified (ignoring)
2021-01-05 13:16:22,418 INFO org.apache.zookeeper.server.DatadirCleanupManager: autopurge.snapRetainCount set to 5

This looked like a failure to reach the FreeIPA server. I first assumed it was a port problem, but widening the firewall range to 0:65535 did not help.
After some research the cause turned out to be that Kerberos clients use UDP by default (the KDC listens on port 88 over both UDP and TCP), while the firewall policy only opened a TCP port range. Dropped UDP packets produce no ICMP reject, so the client waits for an answer that never comes, which matches the "Receive timed out" in the LoginException above rather than a connection-refused error.
There are two ways to fix it:
1. Stop Kerberos from using UDP.
2. Also open UDP port 88 (the KDC port) to the FreeIPA server in the firewall policy.

I went with the first option and disabled UDP for Kerberos by editing /etc/krb5.conf as follows (udp_preference_limit is the request size, in bytes, above which the client prefers TCP; the default is 1465, and a value of 1 makes every request go over TCP):

[libdefaults]
udp_preference_limit = 1

Distribute the krb5.conf file to all nodes and restart the FreeIPA service. Note that krb5.conf is read by the Kerberos client library, and a JVM such as ZooKeeper's reads it at startup, so the ZooKeeper processes (and any other Kerberos client services) must also be restarted to pick up the change. Nothing changes on the KDC side: it already listens on TCP 88, which the firewall policy allowed.
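To make the two options concrete, here is an added example that is not part of the original post: a small Python checker that parses a krb5.conf, works out the effective udp_preference_limit, and lists which host/port/protocol combinations a firewall must allow towards each KDC. The realm name, the hostnames and both sample config files are constructed for the example, and the parser only covers the [libdefaults] and [realms] syntax used here.

```python
"""Work out what a krb5.conf implies for firewall rules between Kerberos
clients and the KDC.  Added example; the sample configs are constructed."""
import re

# Default udp_preference_limit (bytes) in MIT krb5 and in the JDK's Kerberos client.
DEFAULT_UDP_PREF_LIMIT = 1465
KDC_DEFAULT_PORT = 88


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value}}.

    Plain keys map to strings.  Brace blocks such as  REALM = { kdc = ... }
    map to {subkey: [values]} because a realm may list several kdc lines.
    Minimal parser: no includes, no nesting deeper than one brace level.
    """
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = sections.setdefault(header.group(1), {})
            block = None
            continue
        if section is None:
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if block is not None:
            if line == "}":
                block = None
            else:
                block.setdefault(key, []).append(value)
        elif value == "{":
            block = section.setdefault(key, {})
        else:
            section[key] = value
    return sections


def udp_preference_limit(conf):
    """Effective udp_preference_limit.  Non-positive values are not portable
    (the JDK client falls back to its default for them), so they are treated
    as the default here; 1 is the value that reliably forces TCP."""
    raw = conf.get("libdefaults", {}).get("udp_preference_limit")
    limit = int(raw) if raw is not None else -1
    return limit if limit > 0 else DEFAULT_UDP_PREF_LIMIT


def kdc_endpoints(conf, realm):
    """[(host, port)] for every kdc = line of the realm; port defaults to 88."""
    endpoints = []
    for entry in conf.get("realms", {}).get(realm, {}).get("kdc", []):
        host, sep, port = entry.rpartition(":")
        if not sep:                       # no explicit port
            host, port = entry, ""
        endpoints.append((host, int(port) if port else KDC_DEFAULT_PORT))
    return endpoints


def required_firewall_rules(conf, realm):
    """(host, port, protocol) tuples the firewall must allow towards each KDC.

    Every real KDC request is far larger than 1 byte, so a limit of 1 sends
    all of them over TCP.  With a larger limit the client tries UDP first and
    only retries over TCP when the KDC answers KRB_ERR_RESPONSE_TOO_BIG, so
    both protocols have to be open on port 88."""
    protos = ("tcp",) if udp_preference_limit(conf) <= 1 else ("udp", "tcp")
    return [(host, port, proto)
            for host, port in kdc_endpoints(conf, realm)
            for proto in protos]


# Constructed sample: a krb5.conf with no udp_preference_limit set.
BEFORE = """
[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_kdc = false

[realms]
  EXAMPLE.COM = {
    kdc = ipa.example.com:88
    admin_server = ipa.example.com:749
  }
"""

# The same file with the fix from the post applied.
AFTER = BEFORE.replace("[libdefaults]", "[libdefaults]\n  udp_preference_limit = 1")


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        conf = parse_krb5_conf(text)
        print(label, udp_preference_limit(conf),
              required_firewall_rules(conf, "EXAMPLE.COM"))
```

Run it against the real /etc/krb5.conf of a cluster node to see whether the policy on the KDC host needs to accept UDP 88, TCP 88, or both from that node; with the "before" file the checker reports both protocols, with the "after" file only TCP, which is exactly the difference that made the original TCP-only port range sufficient.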

References:
https://stackoverflow.com/questions/44214324/java-io-ioexception-login-failure-for-myuserexample-com-from-keytab/44228073
https://steveloughran.gitbooks.io/kerberos_and_hadoop/content/sections/errors.html
