Configuring properties for OBS bucket replication using Ozone replication policies
Before you replicate OBS buckets, you must configure additional properties that assist Ozone replication policies in Cloudera Private Cloud Base Replication Manager to replicate data in OBS buckets.
-
Add the key-value pairs in the following table to the Ozone Client
Advanced Configuration Snippet (Safety Valve) property in the
ozone-site.xml file in the source cluster. Starting
from Cloudera Private Cloud Base 7.1.9 SP1 using Cloudera
Manager 7.11.3 CHF7, add the following key-value pairs to the
ozone_replication_core_site_safety_valve property in
the source cluster:
Property Description fs.s3a.endpoint Enter the same value as in Ozone S3 gateway web UI as the source cluster. hadoop.tmp.dir Enter the temporary directory on the source cluster to buffer file uploads. Ensure that the user running the Ozone replication policy jobs has write access to the Hadoop temporary folder.
fs.s3a.secret.key See Step 3 to get the required value. fs.s3a.access.key See Step 3 to get the required value. fs.s3a.impl Enter org.apache.hadoop.fs.s3a.S3AFileSystem. ozone.om.snapshot.load.native.lib (Available from 7.1.9 CHF3 onwards)
Enter false. Incremental Ozone replication policy run uses snapshot-diff operation. This parameter ensures that the replication policy run is not affected if the snapshot-diff operation goes down during the replication policy run.
-
Add the key-value pairs in the following table to the Ozone Client
Advanced Configuration Snippet (Safety Valve) property in the
ozone-site.xml file in the target cluster. Starting
from Cloudera Private Cloud Base 7.1.9 SP1 using Cloudera
Manager 7.11.3 CHF7, add the following key-value pairs to the
ozone_replication_core_site_safety_valve property in
the target cluster:
Property Description fs.s3a.endpoint Enter the same value as in Ozone S3 gateway web UI as the target cluster. fs.s3a.secret.key See Step 3 to get the required value. fs.s3a.access.key See Step 3 to get the required value. fs.s3a.change.detection.version.required Enter false. fs.s3a.change.detection.mode Enter none. fs.s3a.path.style.access Enter true. fs.s3a.impl Enter org.apache.hadoop.fs.s3a.S3AFileSystem. hadoop.tmp.dir Enter the temporary directory on the target cluster to buffer file uploads. Ensure that the user running the Ozone replication policy jobs has write access to the Hadoop temporary folder.
ozone.om.snapshot.load.native.lib (Available from 7.1.9 CHF3 onwards)
Enter false. Incremental Ozone replication policy run uses snapshot-diff operation. This parameter ensures that the replication policy run is not affected if the snapshot-diff operation goes down during the replication policy run.
-
If Kerberos is enabled on the source and target cluster, run the ozone
s3 getsecret --om-service-id=serviceId command to get the secret
and access key. Otherwise, enter any arbitrary value for the secret and access
key.
You can store the keys in a credstore such as JCEKS for non Auto-TLS clusters. After you store the keys, perform the following steps:
- Configure the credstore file path for the hadoop.security.credential.provider.path property in the ozone-site.xml file. For more information, see Using DistCp with Amazon S3.
- Add the HADOOP_CREDSTORE_PASSWORD parameter to the YARN Service Environment Advanced Configuration Snippet (Safety Valve) property for the YARN service in source Cloudera Manager.
-
The /s3v volumes store S3 buckets. By default, you can
access the buckets in /s3v volumes using S3 interface. To
access other buckets through the S3 interface, you must create a “symbolic
linked” bucket. You can use the ‘symbolic linked’ bucket in Ozone replication
policies.
Configure the required OBS buckets as S3-compatible buckets using the following commands before you use it in Ozone replication policies:
- ozone sh volume create /s3v
- ozone sh volume create /[***VOLUME NAME***]
- ozone sh bucket create --layout=OBJECT_STORE /[***VOLUME NAME***]/[***BUCKET NAME***]
- ozone sh bucket link /[***VOL NAME***]/[***BUCKET NAME***] /s3v/[***SYMBOLIC LINKED BUCKET NAME***]
-
Import the S3G CA certificate from the cluster to the local JDK path using the
following commands:
-
Run the keytool -importkeystore -destkeystore
[***JDK CACERTS_LOCATION***] -srckeystore
[***CM-AUTO-GLOBAL_TRUSTSTORE.JKS
LOCATION***] -srcalias
[***CM_ALIAS_ON_SRC_CM***]
command on all the hosts of the source Cloudera
Manager.
For example, keytool -importkeystore -destkeystore /usr/java/default/lib/security/cacerts -srckeystore /var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks -srcalias cmrootca-0
-
Run the following commands on all the hosts of the target
Cloudera Manager:
-
keytool -importkeystore -destkeystore [***JDK CACERTS LOCATION***] -srckeystore [***CM-AUTO-GLOBAL_TRUSTSTORE.JKS LOCATION***] -srcalias [***CM ALIAS ON SRC CM***]
-
keytool -importkeystore -destkeystore [***JDK_CACERTS_LOCATION***] -srckeystore [***CM-AUTO-GLOBAL_TRUSTSTORE.JKS LOCATION***] -srcalias [***CM_ALIAS_ON_DEST_CM***]
For example,keytool -importkeystore -destkeystore /usr/java/default/lib/security/cacerts -srckeystore /var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks -srcalias cmrootca-0 keytool -importkeystore -destkeystore /usr/java/default/lib/security/cacerts -srckeystore /var/lib/cloudera-scm-agent/agent-cert/cm-auto-global_truststore.jks -srcalias cmrootca-1
-
-
Run the keytool -importkeystore -destkeystore
[***JDK CACERTS_LOCATION***] -srckeystore
[***CM-AUTO-GLOBAL_TRUSTSTORE.JKS
LOCATION***] -srcalias
[***CM_ALIAS_ON_SRC_CM***]
command on all the hosts of the source Cloudera
Manager.