Optimizing Performance for HDFS Transparent Encryption
CDP implements the Advanced Encryption Standard New Instructions (AES-NI),
which provide substantial performance improvements. To get these improvements, you need a recent
version of libcrypto.so
on HDFS and MapReduce client hosts -- that is, any host
from which you originate HDFS or MapReduce requests.
Many OS versions have an older version of the library that does not support AES-NI. The instructions that follow tell you what you need to do for each OS version that CDP supports.
OS Installations
- On RHEL
-
$ sudo yum install openssl openssl-devel
- On SUSE (zypper)
-
$ sudo zypper install openssl openssl-devel
- On Ubuntu
-
$ sudo apt-get install libssl-dev
Testing if
encryption optimization works
To verify that a client host is ready to use the AES-NI instruction set
optimization for HDFS encryption at rest, use the following
command:
hadoop checknative
You
should see a response such as the
following:14/12/12 13:48:39 INFO bzip2.Bzip2Factory: Successfully loaded & initialized native-bzip2
library system-native14/12/12 13:48:39 INFO zlib.ZlibFactory: Successfully loaded & initialized native-zlib library
Native library checking:
hadoop: true /usr/lib/hadoop/lib/native/libhadoop.so.1.0.0
zlib: true /lib64/libz.so.1
snappy: true /usr/lib64/libsnappy.so.1
lz4: true revision:99
bzip2: true /lib64/libbz2.so.1
openssl: true /usr/lib64/libcrypto.so
If
you see true
in the openssl
row, Hadoop
has detected the right version of libcrypto.so
and
optimization will work. If you see false
in this row, you
do not have the right version.