Installing Cloudera Data Services on premises using Cloudera Embedded Container Service

Learn about installing Cloudera Data Services on premises with the Cloudera Embedded Container Service.

If you are installing Cloudera Embedded Container Service on RHEL 8 or RHEL 9, perform the following steps
1. Run the following command to check if the nm-cloud-setup.service and nm-cloud-setup.timer services are enabled:
```
systemctl status nm-cloud-setup.service nm-cloud-setup.timer
```
2. If the nm-cloud-setup.service and nm-cloud-setup.timer services are enabled, disable them by running the following command on each host you added:
```
systemctl disable nm-cloud-setup.service nm-cloud-setup.timer
```
  For more information, see Known issues and limitations.
  note
  If the service is active, you have to first stop the service then disable the service.
3. If you disabled the nm-cloud-setup.service and nm-cloud-setup.timer services, reboot the added hosts.
In Cloudera Manager UI, click Data Services in the left menu.

The Add Cloudera on premises Containerized Cluster page appears. Click Continue.

note
Alternatively, in Cloudera Manager, you can also go to Add > Add Cluster at the top right in Cloudera Manager, then select Cloudera on premises as the cluster type.

On the Getting Started page of the installation wizard, select Internet or Air Gapped as the Install Method.

Internet install method (To use a custom repository link provided to you by Cloudera, click Custom Repository) :

If you select the Air Gapped install option, extra steps are displayed. Follow these steps to download and mirror the Cloudera archive URL using a local HTTP server.

Download everything under: https://archive.cloudera.com/p/cdp-pvc-ds/latest

wget -l 0 --recursive --no-parent -e robots=off -nH --cut-dirs=2 --reject="index.html*" -t 10 https://<username>:<password>@archive.cloudera.com/p/cdp-pvc-ds/latest/

To download only the required images, you can follow the below script:

DSPATH=<https://<username>>:<password>@archive.cloudera.com/p/cdp-pvc-ds/latest
IMGPATH=${DSPATH}/images/wget ${DSPATH}/manifest.json
wget ${DSPATH}/cdp-private*.tgz
wget -r -nc --no-parent -A * ${DSPATH}/parcels
wget -r -nc --no-parent -A a*.tar.gz $IMGPATH
wget -r -nc --no-parent -A u*.tar.gz $IMGPATH
wget -r -nc --no-parent -A v*.tar.gz $IMGPATH
wget -r -nc --no-parent -A w*.tar.gz $IMGPATH
wget -r -nc --no-parent -A y*.tar.gz $IMGPATH
wget -r -nc --no-parent -A c*.tar.gz $IMGPATH
wget -r -nc --no-parent -A e*.tar.gz $IMGPATH
wget -r -nc --no-parent -A f*.tar.gz $IMGPATH
wget -r -nc --no-parent -A i*.tar.gz $IMGPATH
wget -r -nc --no-parent -A j*.tar.gz $IMGPATH
wget -r -nc --no-parent -A k*.tar.gz $IMGPATH
wget -r -nc --no-parent -A o*.tar.gz $IMGPATH
wget -r -nc --no-parent -A q*.tar.gz $IMGPATH
wget -r -nc --no-parent -A w*.tar.gz $IMGPATH
wget -r -nc --no-parent -A z*.tar.gz $IMGPATH
wget -r -nc --no-parent -A b*.tar.gz -R boltz2*.tar.gz $IMGPATH
wget -r -nc --no-parent -A d*.tar.gz -R deepseek*.tar.gz $IMGPATH
wget -r -nc --no-parent -A g*.tar.gz -R gpt-oss*.tar.gz $IMGPATH
wget -r -nc --no-parent -A h*.tar.gz -R hugging*.tar.gz $IMGPATH
wget -r -nc --no-parent -A l*.tar.gz -R llama*.tar.gz $IMGPATH
wget -r -nc --no-parent -A m*.tar.gz -R mix*.tar.gz,mis*.tar.gz $IMGPATH
wget -r -nc --no-parent -A n*.tar.gz -R nemo*.tar.gz $IMGPATH
wget -r -nc --no-parent -A p*.tar.gz -R paddle*.tar.gz $IMGPATH
wget -r -nc --no-parent -A r*.tar.gz -R riva-asr*.tar.gz $IMGPATH
wget -r -nc --no-parent -A s*.tar.gz -R starcoder2*.tar.gz $IMGPATH
wget -r -nc --no-parent -A t*.tar.gz -R triton*.tar.gz $IMGPATH
wget -r -nc --no-parent -A *.tar.gz.asc $IMGPATH

Edit the manifest.json file in the downloaded directory. Change "http_url": "..." to

"http_url": "http://your_local_repo/cdp-pvc-ds/latest"
Mirror the downloaded directory to your local http server, e.g. http://your_local_repo/cdp-pvc-ds/latest
Click Custom Repository and add http://your_local_repo/cdp-pvc-ds/latest as a custom repository.
Click the Select Repository drop-down and select http://your_local_repo/cdp-pvc-ds/latest

Click Continue.

On the Cluster Basics page, type a name for the Cloudera on premises cluster that you want to create in the Cluster Name field. From the Base Cluster drop-down list, select the cluster that has the storage and SDX services that you want this new Cloudera Data Services on premises instance to connect with. Click Continue.
On the Specify Hosts page, hosts that have already been added to Cloudera Manager are listed on the Currently Managed Hosts tab. You can select one or more of these hosts to add to the Cloudera Embedded Container Service cluster.

You can also click the New Hosts tab to specify one or more hosts that have not been added to Cloudera Manager. Enter a Fully Qualified Domain Name in the Hostname box, then click Search.

note
Click the pattern link under the Hostname box to display more information about allowed FQDN patterns.

After you have finished specifying the Cloudera Embedded Container Service hosts, click Continue.
On the Select JDK page, select any one from the below options:
1. Manually manage JDK
2. Install a Cloudera-provided version of OpenJDK
3. Install a system-provided version of OpenJDK
On the Enter Login Credentials page, All hosts accept the same password is selected by default. Enter the user name in the SSH Username box, and type in and confirm the password. You can also select the All hosts accept the same private key option and provide the Private Key and passphrase.
The Install Agents page appears and displays a progress indicator as the agent packages are installed.
On the Assign Roles page, you can customize the roles assignment for your new Cloudera on premises Containerized cluster.

important
Cloudera does not recommend altering assignments unless you have specific requirements such as having selected a specific host for a specific role.

Single node Cloudera Embedded Container Service installation is supported, but is only intended to enable CDSW to Cloudera AI migration. If you are installing Cloudera Embedded Container Service on a single node, only the Docker and Cloudera Embedded Container Service Server roles are assigned. The Cloudera Embedded Container Service Agent role is not required for single node installation.

Click the Continue button.

Configure a Docker Repository.

There are several options for configuring a Docker Repository. For more information about these options, see Docker repository access.

The following ports must be opened and allowed no matter which Docker repository option you choose. For more information on the ports, see RKE2 Documentation.

Ports required for / agent (port 5000 is required for ):

Protocol	Port
TCP	7180-7192
TCP	19001
TCP	5000
TCP	9000

Inbound rules for Server nodes (Kubernetes/RKE2):

Protocol	Port
TCP	9345
TCP	6443
UDP	8472
TCP	9099
UDP	51820
UDP	51821
TCP	10250
TCP	2379
TCP	2380
TCP	2381
TCP	30000-32767

Inbound Rules for the Agent (Kubernetes/RKE2):

Protocol	Port
UDP	4789
TCP	179

On the Configure Docker Repository page, select one of these options:

Embedded Docker Repository

If you select the Internet Install Method option on the Getting Started page, images are copied over the internet from the Cloudera repository.
If you select the Air Gapped option, images are copied from a local http mirror you have set up in your environment.
Select Default to deploy all of the default Docker images to the repository, or select Select the Optional Images to choose which images to deploy. If you will be deploying , toggle the switch on to copy the images for .
Custom Docker Repository
Cloudera default Docker RepositoryThis option requires that cluster hosts have access to the internet and you have selected Internet as the install method.
This option requires that you set up a Docker Repository in your environment and that all cluster hosts have connectivity to the repository.

note
If you are installing on a single node, you should select the Use a Custom Docker Repository option. Single node installation is supported, but is only intended to enable CDSW to migration.
You must enter the following options:
- Custom Docker Repository – Enter the URL for your Docker Repository
- Docker Username – Enter the username for the Docker Repository.
- Docker Password – Enter the password for the Docker Repository.
  important
  Do not use the $ character for this Docker Usernamne and Docker Password.
- Docker Certificate – Click the Choose File button to upload a TLS certificate to secure communications with the Docker Repository.
Click the Generate the copy-docker script button to generate and download a script that copies the Docker images from Cloudera, or (for air-gapped installation) from a local http mirror in your network.
Run the script from a machine that is running Docker locally and has access to the Docker images using the following commands:
```
docker login [***URL for Docker Repository***] -u [***username of user with write access***]

bash copy-docker.txt
```
The copying operation may take 4 - 5 hours.

On the Configure Data Services page, you can modify configuration settings such as the data storage directory, number of replicas, and so on. If there are multiple disks mounted on each host with different characteristics (HDD and SSD), then Local Path Storage Directory must point to the path belonging to the optimal storage. Ensure that you have reviewed your changes. If you want to specify a custom certificate, place the certificate and the private key in a specific location on the Cloudera Manager server host and specify the paths in the input boxes labelled as Ingress Controller TLS/SSL Server Certificate/Private Key File below. This certificate will be copied to the Cloudera Control Plane during the installation process.

note

The Ingress Controller TLS/SSL Server Certificate File (PEM Format) configuration value must only contain -----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----, inclusive, for the server certificates. The value cannot include any preamble text and must not include a private key.

The Ingress Controller TLS/SSL Server Private Key File (PEM Format) configuration value must only contain the unencrypted key, and only the header through the footer, with no preamble text.

Both of these files must be readable by the cloudera-scm account.

For information on the required entries that must be present in DNS and TLS certificates when not using wildcards, see No Wildcard DNS/TLS Setup.

Click the Continue button.

note
In an Air Gapped installation, ensure to use the IP range from 10.42.0.0/16 to 10.43.0.0/16 to allow communication across all Cloudera Embedded Container Service nodes and Cloudera Manager node.
On the Configure Databases page, click Continue.
On the Install Parcels page, the selected parcel is downloaded to the Cloudera Manager server host, distributed, unpacked, and activated on the Cloudera Embedded Container Service cluster hosts. Click Continue.

If the hosts do not meet the prerequisites, the Check Prerequisites page displays the applicable issues. Correct the issues, then click Run Again. After all of the issues have been resolved, click Continue.

The following prerequisites are checked:


Host Prerequisite Inspection	Validation
`StorageInspection`	Checks for a minimum of 300 GiB space in the `/var/lib` and `docker` data directories respectively. Checks if the `/var/lib/longhorn` directory or its parent directories are symlinked. If they are, this inspection will fail.
`CPUInspection`	Checks to ensure that the hosts have 16 virtual cores.
`PortsInspection`	Checks for the availability of ports 443 and 80.
EcsHostDnsInspection	Checks to make sure there are less than 3 nameserver entries in the `/etc/resolv.conf` file, and checks the connections to the Cloudera Manager cluster and the Cloudera Data Platform console. It also checks to see if `vault.localhost.localdomain`’s ping can be resolved. If not, it is likely that the host `/etc/nsswitch.conf` file is misconfigured. If this inspection fails, perform the following steps: Check the `/etc/resolv.conf` and `/etc/nsswitch.conf` files and ensure that the `/etc/resolv.conf` fiel does not contain three or more nameservers, and that the `/etc/nsswitch.conf` file contains the `myhostname` field under the `hosts` field. Check to see if the connections were resolved correctly. If connection to the Cloudera Data Platform console fails, check to see if your DNS wildcard is configured properly.
`VersionInspection`	Checks that Java is installed and consistent among all Cloudera Embedded Container Service hosts.
`IPTablesInspection`	Checks that if the `iptables` command exists, rules are cleared. If the `iptables` command does not exist, iptables gets installed during FirstRun so this inspection passes. If iptables are installed and the rules are not cleared, this inspection will fail. For information on installing iptables, see Install iptables on the new Cloudera Embedded Container Service master nodes.
`EcsCleanUpHostInspection`	Checks to ensure that the `/var/lib/rancher` and `docker` data directories do not contain any files.

The EcsSystemConfigInspection check is part of the Host Prerequisites Inspections, section of install and upgrade. This check must be fixed and cannot be bypassed to continue the installation or upgrade.

To fix this issue temporarily, you can perform the following steps:

Login to the affected host.
Enter the following command:
```
sysctl fs.inotify.max_user_instances=256
```

For fixing this issue permanently, perform the following steps:

Login to each affected host.
Verify that the current configuration is 128 by executing the following command:
```
cat /proc/sys/fs/inotify/max_user_instances
```
Edit the vi /etc/sysctl.conf file.
Add the following contents to the end of the file and save:
```
fs.inotify.max_user_instances=256
```
Reload the configuration by using the following command:
```
sudo sysctl -p
```
Verify if the configuration is updated, by using the following command that is exptected to return 256:
```
cat /proc/sys/fs/inotify/max_user_instances
```

On the Inspect Cluster page, click Inspect Cluster and Inspect Network Performance to inspect your hosts and network performance . If the Inspect tool displays any issues, you can fix those issues and click Run Again to rerun the inspections. After all of the issues have been resolved, click Continue.

note

These inspections are comprehensive host and network tests that you can optionally run. To skip these tests, select the I understand the risks of not running the inspections or the detected issues, let me continue with cluster setup checkbox.
The installation progress is displayed on the Install Data Services page. When the installation is complete, click the Continue button.

note
After the installation is complete, Cert Manager is installed by default from Cloudera Data Services on premises1.5.5 release.

note
“Enable Cert Manager” toggle is enabled by default. When this is enabled, during installation it will install cert manager on the cluster. If unchecked, cert manager will not be installed.
For setting up Cert Manager using Venafi TPP, see Setting up Cert Manager using Venafi TPP.
When the installation is complete, the Summary page appears. Click Launch Cloudera on premises. You can also click Finish and then access the Data Services cluster from Cloudera Manager.
When the installation is complete, you can access your Cloudera Data Services on premises instance from Cloudera Manager. Click Data Services, then click Open Cloudera on premises for the applicable Data Services cluster.

If the installation fails, and you see the following error message in the stderr output during the Install Longhorn UI step, retry the installation by clicking the Resume button:

++ openssl passwd -stdin -apr1 + echo 'cm-longhorn:$apr1$gp2nrbtq$1KYPGI0QNlFJ2lo5sV62l0' + kubectl -n longhorn-system create secret generic basic-auth --from-file=auth + rm -f auth + kubectl -n longhorn-system apply -f /opt/cloudera/cm-agent/service/ecs/longhorn-ingress.yaml Error from server (InternalError): error when creating "/opt/cloudera/cm-agent/service/ecs/longhorn-ingress.yaml": 
Internal error occurred: failed calling webhook "validate.nginx.ingress.kubernetes.io": Post "https://rke2-ingress-nginx-controller-admission.kube-system.svc:443/networking/v1/ingresses?timeout=10s": x509: certificate signed by unknown authority

In Cloudera Data Services on premises deployments using RKE2, container life cycle events, such as container mounts, start, or stop, are logged to the /var/log/messages file through systemd.

Since, Cloudera Data Services on premises installation is not OS-integrated, no systemd, rsyslogd, or logrotate configurations are delivered. As a result, these verbose messages are flooding /var/log/messages, risking disk pressure on /var, which may lead to stability or availability issues.

To avoid the flooding of container events in /var/log/messages file:

Product packaging for Cloudera Data Services on premises (especially for Cloudera Embedded Container Service on RKE2) must include:
- The sample rsyslog.d configuration or journald filters to redirect container lifecycle logs to a separate file. For example, to /var/log/rancher-container-events.log.
- Safety valve-based injection method, if feasible, or post-install script guidance for such OS-level logging configurations.
Alternatively, consider filtering or rate-limiting verbose lifecycle logs at the container runtime layer if possible.

If you specified a custom certificate, select the Cloudera Embedded Container Service cluster in Cloudera Manager, then select Actions > Update Ingress Controller. This command copies the cert.pem and key.pem files from the Cloudera Manager server host to the Cloudera Embedded Container Service Management Console host.
Click Open Cloudera on premises to launch your Cloudera Data Services on premises instance.
Log in using the default username and password admin.
On the Welcome to Cloudera on premises page, click Reset Admin Password to change the Local Administrator Account password.
Set up external authentication using the URL of the LDAP server and a CA certificate of your secure LDAP. Set up external authentication using the URL of the SAML and uplolad SAML Identity Provider Metadata file. Follow the instructions on the Welcome to Cloudera on premises page to complete this step.
Click Test Connection to ensure that you are able to connect to the configured LDAP server.
Create your first Virtual Warehouse in the Cloudera Data Warehouse Data Service
Provision an Cloudera AI Workbench in the Cloudera AI Data Service
Add a Cloudera Data Engineering service in the Cloudera Data Engineering Data Service