Fixed Issues in Navigator Encrypt
Review the list of Navigator Encrypt issues that are resolved in Cloudera Runtime 7.1.9 SP1.
- KT-7503: Navigator Encrypt, when using KMS, does not do kinit on host reboot
- When working with Ranger KMS, the root user must obtain a Kerberos ticket; otherwise, any Navigator Encrypt request to Ranger KMS fails with an Unauthorized request error. If a ticket does not exist during a host reboot, NavEncrypt is unable to mount any drives. This means that when a host reboots, NavEncrypt needs to obtain a Kerberos ticket.
- KT-7513: Navigator Encrypt needs to generate a Kerberos keytab file when working with Ranger KMS
- There is a new script that builds a Kerberos keytab file if you are using Navigator Encrypt with Ranger KMS. It is called navencrypt-gen-keytab and invokes Cloudera Manager to create the keytab file to be used by Navigator Encrypt. It accepts the URL of Cloudera Manager and credentials that work with Cloudera Manager. The script format is as follows:
navencrypt-gen-keytab <cm-url> <user:pw>
- KT-7519: When removing the kernel module, Navigator Encrypt needs better version checking
- When removing the kernel module from the system, Navigator Encrypt now makes better version checks.
- KT-7528: Log message emitted when drive is mounted with Navigator Encrypt
- When a drive is mounted by Navigator Encrypt (by using navencrypt-prepare), the log message emitted is useless. This is what it looks like:
2024-02-22 17:47:32,342 +0000 level=INFO app=mount-navencrypt action=mount 11
This issue is fixed now.
- KT-7529: Logging issues in Navigator Encrypt
- Previously, the message "Registration was successful" was emitted too soon, before all the operations for a successful registration were completed. Now this message is emitted after all deposits are written to the Key Manager.
Previously, all messages in the navencrypt log included a timestamp with "+0000", which indicates GMT. Now the log entries use a new timestamp format and look like the following:
2024-02-28T11:53:01-0800 level=INFO app=navencrypt action=control Fetching deposit from Key Manager
2024-02-28T11:53:06-0800 level=INFO app=navencrypt action=control Deposit fetched successfully
- KT-7559: Page allocation failures in kernel memory
- A problem has been fixed whereby Navigator Encrypt was causing the kernel to
hang while obtaining kernel memory.
Due to this fix, the command "navencrypt acl --update" has to be run before the 7.1.9.1000 version is started.
- ENGESC-25935: Page allocation failure
- If a customer is running RHEL 8.8 (which is Linux Kernel 4.18), it is possible for the kernel to report a page allocation failure and cause a kernel panic.
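
The timestamp change described under KT-7529 affects any log pipeline that parses navencrypt logs, because hosts upgraded at different times will emit both layouts. The following is an added example, not Cloudera code: a Python parser that accepts both layouts quoted on this page, normalizes them to UTC, and returns unparsed lines separately so format drift shows up instead of silently dropping events. The function names and the `legacy_format` field are assumptions made for this illustration.

```python
import re
from datetime import datetime, timezone

# Timestamp layouts quoted on this page:
#   old: "2024-02-22 17:47:32,342 +0000"   new: "2024-02-28T11:53:01-0800"
FORMATS = (("%Y-%m-%d %H:%M:%S,%f %z", True), ("%Y-%m-%dT%H:%M:%S%z", False))
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}(?:,\d+)? ?[+-]\d{4})\s+"
    r"level=(?P<level>\S+)\s+app=(?P<app>\S+)\s+action=(?P<action>\S+)\s*(?P<msg>.*)$"
)

def parse_line(line):
    """Return a dict with a UTC timestamp, or None if the line does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    for fmt, legacy in FORMATS:
        try:
            ts = datetime.strptime(m["ts"], fmt)
        except ValueError:
            continue  # try the other layout
        return {"utc": ts.astimezone(timezone.utc), "legacy_format": legacy,
                "level": m["level"], "app": m["app"],
                "action": m["action"], "msg": m["msg"]}
    return None

def parse_log(lines):
    """Split lines into parsed events and rejects so parser gaps are visible."""
    events, rejected = [], []
    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)
        if event:
            events.append(event)
        else:
            rejected.append(line)
    return events, rejected

# The first three lines are the samples quoted on this page; the last one is
# constructed for this example to exercise the reject path.
SAMPLE = [
    "2024-02-22 17:47:32,342 +0000 level=INFO app=mount-navencrypt action=mount 11",
    "2024-02-28T11:53:01-0800 level=INFO app=navencrypt action=control Fetching deposit from Key Manager",
    "2024-02-28T11:53:06-0800 level=INFO app=navencrypt action=control Deposit fetched successfully",
    "Feb 28 11:53:07 host1 navencrypt: constructed line in an unknown layout",
]

if __name__ == "__main__":
    events, rejected = parse_log(SAMPLE)
    for e in events:
        print(e["utc"].isoformat(), e["legacy_format"], e["action"], e["msg"])
    print("rejected:", len(rejected))
```
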