performing a non-root ambari install (with hortonworks admin 1 course)
These instructions have been tested on Rev 1.2 of the HDP Operations: Hadoop Administration I course.
These steps are captured to support a client who wants to do the Installing HDP lab from Hortonworks' Admin I course, but use a non-root user for the install. The current version of this course is based on HDP 2.3.0 and you can visit http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.1.0/bk_Installing_HDP_AMB/content/_set_up_password-less_ssh.html to see that the simple & novel instructions for this are as follows.
It is possible to use a non-root SSH account, if that account can execute sudo without entering a password.
The good news is that this lab (especially in the order it is now; at the END of the course) is only installing to node1, which makes this much easier. Basically, you just need to do some of the steps I previously published in "setting up hdp 2.1 with non-standard users for hadoop services" (why not use a non-standard user for ambari, too?). Specifically, the following steps need to happen just after the Resetting the Lab Environment section and just before the Installing Ambari Server section.
From the ubuntu host, log into node1 and create the user for the install.
    root@ubuntu:~# ssh node1
    Last login: Fri Sep 18 22:48:18 2015 from 172.17.42.1
    [root@node1 ~]# useradd -m -s /bin/bash ryoambari
    [root@node1 ~]# groupadd ryoambari
    groupadd: group 'ryoambari' already exists
This creates a user w/ID of 500, but we need to increase that.
    [root@node1 ~]# id -u ryoambari
    500
    [root@node1 ~]# usermod -u 1500 ryoambari
    [root@node1 ~]# groupmod -g 1500 ryoambari
    [root@node1 ~]# id -u ryoambari
    1500
Now we need to make sure this new user can run password-less sudo commands.
    [root@node1 ~]# cp /etc/sudoers ./sudoers.original
    [root@node1 ~]# visudo
Now that you are editing this file, go to the end and add the following line then save the file. If using vi, you can just hit ESC twice, then type a colon and finally type wq to write & quit.
ALL ALL=(ALL) NOPASSWD: ALL
You can verify this is all that was changed by running a diff command whose results should look something like the following.
    [root@node1 ~]# diff sudoers.original /etc/sudoers
    118a119,120
    >
    > ALL ALL=(ALL) NOPASSWD: ALL
Now, verify it worked by seeing if this new user can edit the /etc/passwd file (be sure to hit ESC twice, then type a colon and finally type q! to quit w/o saving!!).
    [root@node1 ~]# su - ryoambari
    [ryoambari@node1 ~]$ sudo vi /etc/passwd
NOTE: This is clearly a hack and not at all what one would do in a production environment to give this service account elevated privileges, but this brute-force approach lets us then perform the install with a non-root user.
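To make the scope of that hack concrete, here is an added example (not part of the original post or of Ambari) that flags sudoers rules granting passwordless sudo to anyone other than the install account. The function names and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Sample sudoers text is constructed.

# find_broad_nopasswd FILE ACCOUNT
# Prints each active rule that carries NOPASSWD but whose user field is not
# ACCOUNT (the catch-all "ALL", a %group, another user). Returns 0 when at
# least one such rule exists, 1 when the file is clean.
find_broad_nopasswd() {
    awk -v acct="$2" '
        /^[ \t]*#/ { next }                 # skip comments and #include lines
        NF == 0    { next }                 # skip blank lines
        /NOPASSWD/ && $1 != acct { print FILENAME ":" FNR ": " $0; hit = 1 }
        END { exit(hit ? 0 : 1) }
    ' "$1"
}

# scoped_rule ACCOUNT
# Emits the same grant limited to one account, for /etc/sudoers.d/ACCOUNT.
scoped_rule() {
    printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$1"
}

# write_samples DIR
# Writes two constructed files: the tail of /etc/sudoers as edited in this
# post, and a variant where only the install account gets the grant.
write_samples() {
    printf '%s\n' 'root ALL=(ALL) ALL' '' 'ALL ALL=(ALL) NOPASSWD: ALL' > "$1/sudoers.lab"
    { printf '%s\n' 'root ALL=(ALL) ALL'; scoped_rule ryoambari; } > "$1/sudoers.scoped"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
if find_broad_nopasswd "$demo_dir/sudoers.lab" ryoambari; then
    echo "lab sudoers: passwordless sudo is open to more than ryoambari"
fi
if ! find_broad_nopasswd "$demo_dir/sudoers.scoped" ryoambari; then
    echo "scoped sudoers: only ryoambari has passwordless sudo"
fi
rm -rf "$demo_dir"
# On a real host, validate a drop-in before installing it: visudo -cf FILE
```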
You will also need to be able to perform SSH connections to all the hosts (yes, we're only doing node1, but let's stick to the script) and this can be set up by running the following commands.
    [ryoambari@node1 ~]$ sudo yum install openssh-clients
    ...
    Complete!
    [ryoambari@node1 ~]$ ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/ryoambari/.ssh/id_rsa):
    Created directory '/home/ryoambari/.ssh'.
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/ryoambari/.ssh/id_rsa.
    Your public key has been saved in /home/ryoambari/.ssh/id_rsa.pub.
    The key fingerprint is:
    a8:60:cf:43:29:50:57:e9:0f:71:78:73:ae:b1:bc:11 ryoambari@node1
    The key's randomart image is:
    +--[ RSA 2048]----+
    | . ...o |
    | . . + + . |
    |. . + + |
    | . .o.E . |
    | + o .+S= |
    | . * . * |
    | = o |
    | . . |
    | |
    +-----------------+
    [ryoambari@node1 ~]$ cd .ssh
    [ryoambari@node1 .ssh]$ pwd
    /home/ryoambari/.ssh
    [ryoambari@node1 .ssh]$ ls -l
    total 8
    -rw------- 1 ryoambari ryoambari 1671 Apr 18 19:45 id_rsa
    -rw-r--r-- 1 ryoambari ryoambari 397 Apr 18 19:45 id_rsa.pub
    [ryoambari@node1 .ssh]$ cat id_rsa.pub >> authorized_keys
    [ryoambari@node1 .ssh]$ ls -l
    total 12
    -rw-rw-r-- 1 ryoambari ryoambari 397 Apr 18 19:46 authorized_keys
    -rw------- 1 ryoambari ryoambari 1671 Apr 18 19:45 id_rsa
    -rw-r--r-- 1 ryoambari ryoambari 397 Apr 18 19:45 id_rsa.pub
    [ryoambari@node1 .ssh]$ chmod 600 authorized_keys
    [ryoambari@node1 .ssh]$ ls -l
    total 12
    -rw------- 1 ryoambari ryoambari 397 Apr 18 19:46 authorized_keys
    -rw------- 1 ryoambari ryoambari 1671 Apr 18 19:45 id_rsa
    -rw-r--r-- 1 ryoambari ryoambari 397 Apr 18 19:45 id_rsa.pub
    [ryoambari@node1 .ssh]$ cd ..
    [ryoambari@node1 ~]$ ssh localhost
    The authenticity of host 'localhost (::1)' can't be established.
    RSA key fingerprint is 2e:0c:53:b1:d4:06:7d:ab:bd:79:f9:17:08:f2:8a:4b.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
    [ryoambari@node1 ~]$ cd .ssh
    [ryoambari@node1 .ssh]$ echo 'StrictHostKeyChecking no' >> config
    [ryoambari@node1 .ssh]$ cat config
    StrictHostKeyChecking no
    [ryoambari@node1 .ssh]$ exit
    logout
    Connection to localhost closed.
Yep, that was a mouthful, but it is really sysadmin stuff that would need to be set up ahead of time to allow the ryoambari non-root user to perform SSH operations to the other hosts. The good news is that if customers don't want to do this, Ambari tells them that they can just do a yum install ambari-agent operation on all nodes and configure the .ini file to point back to the ambari server address, but I digress...
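The config line written in the session above sits before any Host block, so it applies to every destination this user connects to. The following added example (not part of the original post) checks an ssh_config-style file for that situation; the function names and the sample configs are assumptions constructed for illustration, and Match blocks are treated as scoped.

```shell
#!/bin/sh
# Added example, not from the original post. Sample config text is constructed.

# global_hostkey_bypass CONFIG
# Prints each "StrictHostKeyChecking no" that applies to every destination:
# set before the first Host/Match line, or under "Host *".
# Returns 0 when one is found, 1 otherwise.
global_hostkey_bypass() {
    awk '
        BEGIN { global = 1 }                 # options before any Host apply to all
        { sub(/[ \t]*=[ \t]*/, " ") }        # accept the "Key=value" spelling
        { key = tolower($1) }
        key == "host"  { global = (NF == 2 && $2 == "*"); next }
        key == "match" { global = 0; next }
        global && key == "stricthostkeychecking" && tolower($2) == "no" {
            print FILENAME ":" FNR ": " $0; hit = 1
        }
        END { exit(hit ? 0 : 1) }
    ' "$1"
}

# write_ssh_samples DIR
# Writes two constructed configs: the one produced by the echo command in
# this post, and one that relaxes checking for the lab host node1 only.
write_ssh_samples() {
    printf '%s\n' 'StrictHostKeyChecking no' > "$1/config.lab"
    printf '%s\n' 'Host node1' '    StrictHostKeyChecking no' \
        'Host *' '    StrictHostKeyChecking yes' > "$1/config.scoped"
}

demo_dir=$(mktemp -d)
write_ssh_samples "$demo_dir"
if global_hostkey_bypass "$demo_dir/config.lab"; then
    echo "lab config: host key checking is off for every destination"
fi
if ! global_hostkey_bypass "$demo_dir/config.scoped"; then
    echo "scoped config: host key checking stays on outside node1"
fi
rm -rf "$demo_dir"
```

Leaving the default in place and accepting each host key once, as the `ssh localhost` step in the session already does for localhost, avoids the option entirely.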
At the beginning of the Installing Ambari Server section, go ahead and do steps 1 - 3 as root (i.e. type exit to ensure you are no longer ryoambari) which won't affect the scenario we are trying to test as these are specific to the course's lab environment and are not normal Ambari install activities.
PRIOR TO STEP 4, switch back to ryoambari and kick off the yum step to download and install the Ambari Server software, but prefix this operation with sudo since you are no longer root.
    [root@node1 scripts]# su - ryoambari
    [ryoambari@node1 ~]$ sudo yum -y install ambari-server
    ...
    Complete!
Once that is complete, you'll need to change back to root to be able to run the JDK copy script (again, this is special to this lab environment) in Step 5.
    [ryoambari@node1 ~]$ pwd
    /home/ryoambari
    [ryoambari@node1 ~]$ exit
    logout
    [root@node1 scripts]# pwd
    /root/scripts
    [root@node1 scripts]# ./copy_jdk.sh
Then switch back to ryoambari for Step 6 and beyond, but realize these commands need to run with sudo prefixed to them as identified below.
    [root@node1 scripts]# su - ryoambari
    [ryoambari@node1 ~]$ sudo ambari-server setup -s
    ...
    Ambari Server 'setup' completed successfully.
    [ryoambari@node1 ~]$ sudo ambari-server start
    ...
    Ambari Server 'start' completed successfully.
This takes us to the Installing HDP section and we need to make a couple of changes in Step 10. The "SSH User Account" textbox's value needs to change from root to ryoambari as shown in the following screenshot. Additionally, you'll need to copy the contents of the /home/ryoambari/.ssh/id_rsa file into the textbox identified below (include the BEGIN and END lines).
At this point, the rest of the lab can be completed as is and you will have validated that you can install HDP with Ambari without needing access to the root user.
NOTE: it is my recommendation that you simply take it as a fact that this can be done and not go through all of these steps to validate a documented and supported process.