Single User Mode Requirements
In a conventional Cloudera Manager deployment, the Cloudera Manager Agent, which manages Hadoop processes on each host, runs as the root user. However, some environments restrict access to the root account.
Cloudera Manager 5.3 and higher provides single user mode, which satisfies the requirements of such environments. In single user mode, the Cloudera Manager Agent and all the processes run by services managed by Cloudera Manager are started as a single configured user and group. Single user mode prioritizes isolation between Hadoop and the rest of the system over isolation between Hadoop processes running on the system.
Within a Cloudera Manager deployment, single user mode is global and applies to all clusters managed by that instance of Cloudera Manager.
By default, the single user is cloudera-scm and the configuration steps described in the following sections assume that user. However, other users are supported. If you choose another user, replace cloudera-scm in the following steps with the selected user, and perform the additional steps in Using a Non-default Single User.
The following sections describe limitations of single user mode and the required configuration steps for the supported installation scenarios at specific points during the installation process.
- Limitations
- Using a Non-default Single User
- Configuration Steps Before Starting Cloudera Manager Agents in Installation Paths B and C
- Configuration Steps Before Running the Installation Wizard
- Configuration Steps Before Starting the Installation Wizard in Installation Paths B and C
- Configuration Steps While Running the Installation Wizard
- Configuration for Secure Clusters
Limitations
- Switching between conventional and single user mode is not supported.
- Single user mode is supported for clusters running CDH 5.2 and higher.
- NFS Gateway is not supported in single user mode.
- Cloudera Navigator data encryption components are not supported in single user mode.
Using a Non-default Single User
When configuring single user mode for a user other than the default (cloudera-scm), perform the following configuration steps:
- Make the following directories writable by the single user:
- /var/log/cloudera-scm-agent/
- /var/lib/cloudera-scm-agent/
- Cloudera Manager stores parcels under /opt/cloudera, which by default is owned by cloudera-scm. Do one of the following:
- Change /opt/cloudera to be writable by the single user.
- Change the parcel directory location to be writable by the single user:
- Go to .
- Set the Local Parcel Repository Path property.
- Click Save Changes.
- For a single user username, create the process limits configuration file at /etc/security/limits.d/username.conf with the following settings:
username soft nofile 32768
username soft nproc 65536
username hard nofile 1048576
username hard nproc unlimited
username hard memlock unlimited
username soft memlock unlimited
Configuration Steps Before Starting Cloudera Manager Agents in Installation Paths B and C
- If you manually install Agent packages, before starting the Agents, configure them to run as cloudera-scm by editing the file /etc/default/cloudera-scm-agent and uncommenting the line:
USER="cloudera-scm"
- Configure the parcels directory. Do one of the following:
- On each host, in the Agent configuration file /etc/cloudera-scm-agent/config.ini, set the parcel_dir property:
# Parcel directory. Unpacked parcels will be stored in this directory.
# Downloaded parcels will be stored in <parcel_dir>/../parcel-cache
# parcel_dir=/opt/cloudera/parcels
-
- Click Hosts in the top navigation bar.
- Click the Configuration tab.
- Select .
- Configure the value of the Parcel Directory property. The setting of the parcel_dir property in the Cloudera Manager Agent configuration file overrides this setting.
- Click Save Changes to commit the changes.
- Restart the Cloudera Manager Agent on all hosts.
Configuration Steps Before Running the Installation Wizard
- Give the single user passwordless sudo access. You must create the user if it doesn’t exist. One common way of achieving this is to add the user to the configured sudoers group by running the command:
usermod -a -G sudo cloudera-scm
or adding a new sudo configuration for the cloudera-scm group by running the command visudo and then adding the following line:
%cloudera-scm ALL=(ALL) NOPASSWD: ALL
- Sudo must be configured so that /usr/sbin is in the path when running sudo. One way to achieve this is by adding the following configuration to sudoers:
- Edit the /etc/sudoers file using the visudo command
- Add this line to the configuration file:
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
- Set up per user limits for su prior to setting up the Agent.
- Edit /etc/pam.d/su.
- Uncomment:
session required pam_limits.so
- Roles that run on Tomcat require some directories to exist in non-configurable paths. The following directories must be created and be writable by cloudera-scm:
- HDFS (HttpFS role) - /var/lib/hadoop-httpfs
- Oozie Server - /var/lib/oozie
- Sqoop 2 Server - /var/lib/sqoop2
- Solr Server - /var/lib/solr
- Cloudera recommends that you create a prefix directory (for example, /cm) owned by cloudera-scm under which all other service directories will be placed. In single user mode, the Cloudera Manager Agent creates directories under the prefix directory with the correct ownership. If hosts have additional volumes that will be used for data directories, Cloudera recommends creating a directory on each volume (for example, /data0/cm and /data1/cm) that is writable by cloudera-scm.
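The host settings from the steps above and from Using a Non-default Single User (the limits.d entries, pam_limits in /etc/pam.d/su, secure_path, and the writable role directories) can be verified before the Agent is started. The script below is an added example, not Cloudera's code; the function names and the sample files built in demo are constructed for illustration.

```sh
#!/bin/sh
# Added example: preflight checks for the host settings described above.
# Each check takes the file to inspect, so it runs on the real file or a copy.

check_limits() {        # $1 = limits.d file, $2 = single user name
    for want in "soft nofile 32768" "soft nproc 65536" "hard nofile 1048576" \
        "hard nproc unlimited" "hard memlock unlimited" "soft memlock unlimited"
    do  # every one of the six entries must be present for this user
        awk -v u="$2" -v w="$want" '$1 == u && ($2 " " $3 " " $4) == w { ok = 1 }
            END { exit !ok }' "$1" || { echo "missing: $2 $want"; return 1; }
    done
}

check_pam_limits() {    # $1 = pam su file; the line must be uncommented
    grep -Eq '^[[:space:]]*session[[:space:]]+required[[:space:]]+pam_limits\.so' "$1"
}

check_secure_path() {   # $1 = sudoers file; secure_path must list /usr/sbin
    awk '/^[ \t]*Defaults[ \t]+secure_path[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); gsub(/"/, "")
            n = split($0, p, ":")
            for (i = 1; i <= n; i++) if (p[i] == "/usr/sbin") ok = 1
        }
        END { exit !ok }' "$1"
}

check_writable() {      # $@ = directories; run as the single user
    rc=0
    for d in "$@"; do
        [ -d "$d" ] && [ -w "$d" ] || { echo "not writable: $d"; rc=1; }
    done
    return $rc
}

report() { if "$@"; then echo "PASS $1"; else echo "FAIL $1"; fi; }

demo() {  # constructed sample files: memlock entries missing, pam line commented
    t=$(mktemp -d)
    printf '%s\n' 'cloudera-scm soft nofile 32768' 'cloudera-scm soft nproc 65536' \
        'cloudera-scm hard nofile 1048576' 'cloudera-scm hard nproc unlimited' > "$t/limits"
    echo '# session required pam_limits.so' > "$t/su"
    echo 'Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin' > "$t/sudoers"
    report check_limits "$t/limits" cloudera-scm
    report check_pam_limits "$t/su"
    report check_secure_path "$t/sudoers"
    report check_writable "$t" "$t/var/lib/oozie"
    rm -rf "$t"
}
demo
```

On a real host, call the same functions as the single user with /etc/security/limits.d/cloudera-scm.conf, /etc/pam.d/su, a readable copy of the sudoers file, and the four /var/lib role directories listed above.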
Configuration Steps Before Starting the Installation Wizard in Installation Paths B and C
Perform the following steps for the indicated scenarios:
- Path C - Do one of the following:
- Create and change the ownership of /var/lib/cloudera-scm-server to the single user.
- Set the Cloudera Manager Server local storage directory to one owned by the single user:
- Go to .
- Set the Cloudera Manager Server Local Data Storage Directory property to a directory owned by the single user.
- Click Save Changes to commit the changes.
- Path B and C when using already managed hosts - Configure single user mode:
- Go to .
- Check the Single User Mode checkbox.
- Click Save Changes to commit the changes.
Configuration Steps While Running the Installation Wizard
When configuring the first cluster in Cloudera Manager using the Installation wizard you’ll have the option to set up the cluster in single user mode. This configures the Agents to run as cloudera-scm.
During the review configuration step you confirm that all the configured paths are writable by cloudera-scm. The directories themselves don’t have to exist as long as the parent directory is writable by cloudera-scm.
- Paths under /var - These are log, run, and data directories for the different services.
- Per volume data directories - These are data directory configurations that list a directory per volume. Such configurations are used by HDFS, MapReduce, YARN and Impala.
Configuration for Secure Clusters
- When configuring Kerberos, also refer to Enabling Kerberos Authentication for Single User Mode or Non-Default Users.
- Configure HDFS with TLS/SSL encryption.
- Do not configure the DataNode Transceiver port and HTTP Web UI port to use privileged ports.
- Configure DataNode data transfer protection.