Procedure to Downgrade from CDP 7.1.9
Perform the below procedure to downgrade your cluster from 7.1.9 to 7.1.8 or 7.1.7 SP2.
Downgrade restores the software to the prior release version but data remains intact. Service interruptions are still expected, but the use of Rolling Restart minimizes it. After HDFS and/or Ozone is finalized, it is not possible to Downgrade or Rollback.
- Ranger RMS
- Ranger KMS
- YARN Queue Manager
- Schema Registry
This procedure is applicable only if you are downgrading from CDP 7.1.9 to CDP 7.1.8.
- Stop the Ozone Recon Web UI. Within Cloudera Manager UI, navigate to the .
- Navigate to Configuration within the Ozone service and collect the value of ozone.recon.db.dir (default value is /var/lib/hadoop-ozone/recon/data).
- SSH to the Ozone Recon Web UI host and move the ozone.recon.db.dir parent directory to a backup location: mv /var/lib/hadoop-ozone/recon /var/lib/hadoop-ozone/recon-backup-CDP.
Stop the HBase Master(s). Execute knit as the hbase user if kerberos is enabled.
- Stop Omid within Cloudera Manager UI
- Navigate to the HBase service > Instances within Cloudera Manager UI and note the hostname of the HBase Master instance(s). Login to the host(s) and execute the following: hbase master stop --shutDownCluster
- Stop the remaining HBase components. Navigate to the HBase service within
The following must be performed when downgrading to 7.1.7 SP2 from 7.1.9. You will need to kinit as the hbase user if kerberos is enabled.
- Contact support for the appropriate hbck2 jar
- Execute a dry run of the shortenTableinfo command and validate the appropriate files have been identified hbase --config /etc/hbase/conf hbck -j hbase-hbck2-X.Y.Z.jar shortenTableinfo
- Run the shortenTableinfo -fix command to fix the file format hbase --config /etc/hbase/conf hbck -j hbase-hbck2-X.Y.Z.jar shortenTableinfo -fix
- Cruise Control
The following steps are applicable only if you downgrade from 7.1.9 to 7.1.7 SP2 and not from 7.1.9 to 7.1.8. You can skip this section if the Cruise Control Goal configurations were set to the default values before performing the upgrade. However, if the Cruise Control Goal configuration values were changed before performing the upgrade, then you must proceed with this section.
In Cruise Control, you must rename com.linkedin.kafka.cruisecontrol.analyzer.goals.RackAwareDistributionGoal to com.linkedin.kafka.cruisecontrol.analyzer.goals.RackAwareGoal in Cloudera Manager > Clusters > Cruise Control > Configurations tab in every occurrences as described below during downgrade process.
In Cruise Control, from 7.1.8 and higher, com.linkedin.kafka.cruisecontrol.analyzer.goals.RackAwareGoal is renamed to com.linkedin.kafka.cruisecontrol.analyzer.goals.RackAwareDistributionGoal.
Perform the below steps:
- Check the following goal sets if RackAwareDistributionGoal is present
(Cloudera Manager > Clusters >
Cruise Control > Configurations tab):
- Create a note for yourself about where RackAwareDistributionGoal were present
- Remove RackAwareDistributionGoal from all of the goal lists
- Perform the runtime downgrade process
- Check the following goal sets if RackAwareDistributionGoal is present (Cloudera Manager > Clusters > Cruise Control > Configurations tab):
Downgrading the Runtime parcel
- Navigate to Parcels within Cloudera Manager.
- Locate the CDP Private Cloud Base 7.1.7 SP2/7.1.8 parcel and click Upgrade.
- Follow the wizard and address any issues from the various inspectors.
The upgrade activates the parcel and restarts services.
Restart Services with Stale Configuration
- Navigate to Clusters and find the cluster being downgraded.
- Inspect the list of services for the stale configuration indicator (yellow power button), if found, click on the indicator.
- Follow the wizard to restart services with stale configuration.
Restore CDH Databases
- Ranger KMS
- Stream Messaging Manager
- Schema Registry
- Hue (only if you are downgrading to 7.1.7 SP2)
The steps for backing up and restoring databases differ depending on the database vendor and version you select for your cluster and are beyond the scope of this document.
- MariaDB 10.2, 10.3, 10.4 and 10.5:https://mariadb.com/kb/en/backup-and-restore-overview/
- MySQL 5.7:https://dev.mysql.com/doc/refman/5.7/en/backup-and-recovery.html
- MySQL 8:https://dev.mysql.com/doc/refman/8.0/en/backup-and-recovery.html
- PostgreSQL 10:https://www.postgresql.org/docs/10/backup.html
- PostgreSQL 11:https://www.postgresql.org/docs/11/backup.html
- PostgreSQL 12:https://www.postgresql.org/docs/12/backup.html
- PostgreSQL 13:https://www.postgresql.org/docs/13/backup.html
- PostgreSQL 14:https://www.postgresql.org/docs/14/backup.html
- Oracle 19c:https://docs.oracle.com/en/database/oracle/oracle-database/19/index.html
Rollback Cloudera Navigator Encryption Components
Rollback Key Trustee Server
To roll back Key Trustee Server, replace the currently used parcel (for example, the parcel for version 7.1.9) with the parcel for the version to which you wish to roll back (for example, version 7.1.8). See Parcels for detailed instructions on using parcels.
- Open the Cloudera Manager Admin Console and go to the Key Trustee Server service. If you see that Key Trustee Server has stale configurations, click the yellow or blue button and follow the prompts.
- Make sure that the Keytrustee Server database roles are stopped. Then rename the
folder containing Keytrustee Postgres database data (both on master and slave hosts):
mv /var/lib/keytrustee/db /var/lib/keytrustee/db-14_2
- Open the Cloudera Manager Admin Console and go to the Key Trustee Server service.
- Select the Instances tab.
- Select the Active Database role type.
- Click .
- Click Set Up the Key Trustee Server Database to confirm.
Cloudera Manager sets up the Key Trustee Server database.
- Start the PostgreSQL server:
sudo ktadmin db --start --pg-rootdir /var/lib/keytrustee/db --background
- On the master KTS node: running as user
keytrustee,restore the keytrustee database on active hosts by running the following commands:
If the zip file is encrypted, you are prompted for the password to decrypt the file.
sudo -su keytrustee export PATH=$PATH:/opt/cloudera/parcels/KEYTRUSTEE_SERVER/PG_DB/opt/postgres/12.1/bin/ export LD_LIBRARY_PATH=/opt/cloudera/parcels/KEYTRUSTEE_SERVER/PG_DB/opt/postgres/12.1/lib/ unzip -p keytrustee-db.zip | psql -p 11381 -d keytrustee
- Restore the Key Trustee Server configuration directory, on Active
If the zip file is encrypted, you are prompted for the password to decrypt the file.
su - keytrustee cd /var/lib/keytrustee unzip keytrustee-conf.zip
- Stop the PostgreSQL server : Change the login user to root and run the
sudo ktadmin db --stop --pg-rootdir /var/lib/keytrustee/db
- Remove the backup files (keytrustee-db.zip and keytrustee-conf.zip) from the Key Trustee
su - keytrustee cd /var/lib/keytrustee rm keytrustee-conf.zip rm keytrustee-db.zip
- Start the Active Database role in Cloudera Manager by clicking .
- Click Start to confirm.
- Select the Active Database.
- Click .
- Start the Passive Database instance: select the Passive Database, click .
- In the Cloudera Manager Admin Console, start the active KTS instance.
- In the Cloudera Manager Admin Console, start the passive KTS instance.
Start the Key Management Server
Restart the Key Management Server. Open the Cloudera Manager Admin Console, go to the KMS service page, and select.
Rollback Key HSM
- Install the version of Navigator Key HSM to which you wish to roll
backInstall the Navigator Key HSM package using
sudo yum downgrade keytrustee-keyhsm
Cloudera Navigator Key HSM is installed to the
/usr/share/keytrustee-server-keyhsmdirectory by default.
- Rename Previously-Created Configuration Files
For Key HSM major version rollbacks, previously-created configuration files do not authenticate with the HSM and Key Trustee Server, so you must recreate these files by re-executing the
trustcommands. First, navigate to the Key HSM installation directory and rename the
cd /usr/share/keytrustee-server-keyhsm/ mv application.properties application.properties.bak mv keystore keystore.bak mv truststore truststore.bak
- Initialize Key HSMRun the
service keyhsm setupcommand in conjunction with the name of the target HSM distribution:
sudo service keyhsm setup [keysecure|thales|luna]
For more details, see Initializing Navigator Key HSM.
- Establish Trust Between Key HSM and the Key Trustee ServerThe Key HSM service must explicitly trust the Key Trustee Server certificate (presented during TLS handshake). To establish this trust, run the following command:
sudo keyhsm trust /path/to/key_trustee_server/cert
For more details, see Establish Trust from Key HSM to Key Trustee Server.
- Start the Key HSM ServiceStart the Key HSM service:
sudo service keyhsm start
- Establish Trust Between Key Trustee Server and Key HSM
Establish trust between the Key Trustee Server and the Key HSM by specifying the path to the private key and certificate:
sudo ktadmin keyhsm --server https://keyhsm01.example.com:9090 \ --client-certfile /etc/pki/cloudera/certs/mycert.crt \ --client-keyfile /etc/pki/cloudera/certs/mykey.key --trustFor a password-protected Key Trustee Server private key, add the
--passphraseargument to the command (enter the password when prompted):
sudo ktadmin keyhsm --passphrase \ --server https://keyhsm01.example.com:9090 \ --client-certfile /etc/pki/cloudera/certs/mycert.crt \ --client-keyfile /etc/pki/cloudera/certs/mykey.key --trust
For additional details, see Integrate Key HSM and Key Trustee Server.
- Remove Configuration Files From Previous InstallationAfter completing the rollback, remove the saved configuration files from the previous installation:
cd /usr/share/keytrustee-server-keyhsm/ rm application.properties.bak rm keystore.bak rm truststore.bak
Rollback Navigator Encrypt
- If you have configured and are using an RSA master key file with OAEP padding, then
you must revert this setting to its original
navencrypt key --change
- Stop the Navigator Encrypt mount
sudo /etc/init.d/navencrypt-mount stop
- Confirm that the mount-stop command
sudo /etc/init.d/navencrypt-mount status
- If rolling back to a release lower than NavEncrypt 6.2:
- a. Print the existing ACL rules and save that output to a
sudo navencrypt acl --print+ vim acls.txt
- b. Delete all existing ACLs, for example, if there are a total of 7 ACL rules
sudo navencrypt acl --del --line=1,2,3,4,5,6,7
- a. Print the existing ACL rules and save that output to a file:
- To fully downgrade Navigator Encrypt, manually downgrade all of the associated
Navigator Encrypt packages (in the order listed):
- (Only required for operating systems other than SLES) navencrypt-kernel-module
- (Only required for the SLES operating system) cloudera-navencryptfs-kmp-<kernel_flavor>
- If rolling back to a release less than NavEncrypt 6.2
- Reapply the ACL
sudo navencrypt acl --add --file=acls.txt
- Reapply the ACL rules:
- Recompute process
sudo navencrypt acl --update
- Restart the Navigator Encrypt mount
sudo /etc/init.d/navencrypt-mount start
Due to on-disk format changes, Solr collections need to be restored from backup. Rollback of HDFS and ZooKeeper are NOT necessary when restoring individual collections.
For more information, see Restoring a Collection documentation.
- Rollback Atlas Solr Collections
- Atlas has several collections in Solr that must be restored from the pre-upgrade backup - vertex_index, edge_index, and fulltext_index. These collections may already have been restored using the Rollback Solr documentation. If the collections are not yet restored, you must restore collections now using the Rollback Solr documentation.
- Rollback Atlas HBase Tables
- From a client host, start the hbase shell hbase shell
- Within the hbase shell, list the snapshots, that must contain the pre-upgrade snapshots list_snapshots
- Within the hbase shell, disable the atlas_janus table, restore the snapshot, and enable the table disable 'atlas_janus' restore_snapshot '<name of atlas_janus snapshot from list_snapshots>' disable 'atlas_janus'
- Within the hbase shell, disable the ATLAS_ENTITY_AUDIT_EVENTS table, restore the snapshot, and enable the table disable 'ATLAS_ENTITY_AUDIT_EVENTS' restore_snapshot '<name of ATLAS_ENTITY_AUDIT_EVENTS snapshot from list_snapshots>' disable 'ATLAS_ENTITY_AUDIT_EVENTS'
- Restart Atlas.
Rollback YARN Queue Manager
You can rollback YARN Queue Manager using the pre-upgrade backup of config-service.mv.db and config-service.trace.db.
- Navigate to the YARN Queue Manager service in Cloudera Manager and record the configuration value for config_service_db_loc (or queuemanager_user_home_dir if blank) and the host where the YARN Queue Manager Store is running.
- Stop the YARN Queue Manager service.
- SSH to the YARN Queue Manager Store host and copy the pre-upgrade config-service.mv.db and config-service.trace.db to the config_service_db_loc obtained in the previous step.
- Start the YARN Queue Manager service.
Deploy the Client Configuration
- On the Cloudera Manager Home page, click the Actions menu and select Deploy Client Configuration.
- Click Deploy Client Configuration.
Post downgrade steps
- Streams Replication Manager (SRM)
- Reset the state of the internal Kafka Streams application. Run the following command on
the hosts of the SRM Service
kafka-streams-application-reset \ --bootstrap-servers [***SRM SERVICE HOST***] \ --config-file [***PROPERTIES FILE***] \ --application-id srm-service_v2
Replace [***PROPERTIES FILE***] with the location of a configuration file that contains all necessary security properties that are required to establish a connection with the Kafka service. This option is only required if your Kafka service is secured.
- Cruise Control
- Insert the removed goal back to the relevant goal sets, but with the renamed goal name RackAwareGoal (Not RackAwareDistributionGoal)
- Restart Cruise Control
- Finalize the HDFS Upgrade
- This step should be performed only after all validation is completed. For more information, see Finalize the HDFS upgrade documentation.
- Following the downgrade to 7.1.7 SP2, Knox may be found in an unhealthy state. In this case, perform a Rolling Restart of the Knox service using the Cloudera Manager UI.