Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
229 lines (152 sloc) 7.54 KB
This is intended to get a secure 2.0-era Hadoop installed, from
source, in a purely-local configuration on your computer for
development purposes. It uses a private host-only network to run the
Hadoop network on. This allows you to work with secure Hadoop even when
your computer is not connected to the Internet. It requires that you
install a virtual machine running Linux to provide a DNS server
(named) and a Kerberos Key Distribution Center (KDC). The host computer
provides the virtualization environment, runs a NTP (network time
protocol) server. The latter service allows your VM to sync itself to
the correct (host-determined time and date) when you awaken your
computer from sleep. Finally, the host computer also runs the actual
Hadoop daemons.
For more information on compiling and running Hadoop, please also see:
Quick Start
Below, I use "(host)" and "(guest)" at the top of each step to clarify
which action should be done on your host computer or your guest VM,
1. Set up a VM with Linux with a host-only network. (host)
VMWare, Virtual Box, or another virtualization product should
work. You should set up the VM so that the guest OS has access to two
networks. One will be a bridged network that allows the guest
OS to connect to the Internet so that it can install packages and
updates and access remote git software repositories.
The other is a host-only network on a private range
(e.g. This will be the network that we will run
Hadoop on. All configuration below will be done with reference only
to this latter network.
2. Set up your hadoop-runtime dir (host)
git clone git://
cd hadoop-common
mvn clean package -DskipTests -Pdist
ls hadoop-common/hadoop-dist/target/hadoop-*
There should be a directory whose name begins with hadoop that's returned
by this "ls". Find this suffix and use it below here:
ln -s hadoop-common/hadoop-dist/target/hadoop-$SUFFIX hadoop-runtime
3. Create hadoop-conf directory if you haven't already:
git clone
4. On host computer, make sure ntpd is running (host)
Eugenes-MacBook-Pro:hadoop-conf ekoontz$ ps -ef | grep ntpd
0 81521 1 0 3:05PM ?? 0:01.03 /usr/sbin/ntpd -c /private/etc/ntp-restrict.conf -n -g -p /var/run/ -f /var/db/ntp.drift
The guest VM should be able to connect to the host computer's ntpd so
that the guest can keep its time in sync with the host, which is
important for Kerberos tickets to work correctly. See also step 7
below for ntp configuration on the guest VM.
5. Install krb5kdc, bind and ntpdate (guest)
[root@centos1 ekoontz]# cat /etc/ntp.conf | grep ^server
[root@centos1]# yum -y install krb5-server bind ntpdate
[root@centos1]# chkconfig ntpd off
[root@centos1]# chkconfig ntpdate on
We will use the host computer's ntp daemon to set the guest's date, so
we can shut down ntpd on the guest and start ntpdate (client-only).
You may also prefer to run the ntpd server on the guest, in which case
your configuration may differ.
6. Configure bind on guest VM (guest)
Add the following at the bottom of /etc/named.conf:
zone "local" {
type master;
file "local.db";
zone "" {
type master;
file "local.ptr.db";
Add the following as the file /var/named/local.db:
*note that I use and as the hostnames of the host computer and the guest VM, respectively, on the host-only network; substitute your own values*.
@ SOA LOCALHOST. foobar (1 1h 15m 30d 2h)
eugenes-macbook-pro A
centos A
Add the following as the file /var/named/local.ptr.db:
*175.16.172 should be substituted for your host-only network most-significant bytes, reversed. So if your host-only network was on 1.2.3.x, you'd use below*
@ SOA LOCALHOST. foobar (1 1h 15m 30d 2h)
1 IN PTR eugenes-macbook-pro.local.
3 IN PTR centos.local.
7. On guest VM, make sure ntpdate is set to use IP of Host computer on host-only network (guest)
I recommend that you use *only* this server as the DNS server to simplify diagnostics.
[ekoontz@centos1 ~]$ cat /etc/ntp.conf | grep server
8. Start services on guest VM (guest)
[root@centos1]# chkconfig krb5kdc on
[root@centos1]# chkconfig named on
[root@centos1]# chkconfig ntpdate on
9. On guest VM, make sure bind and krb5kdc are running (guest)
[ekoontz@centos1 ~]$ ps -ef | grep krb5kdc
root 2477 1 0 11:39 ? 00:00:00 /usr/sbin/krb5kdc -P /var/run/
[ekoontz@centos1 ~]$ ps -ef | grep bind
nobody 2815 1 0 11:39 ? 00:00:00 /usr/sbin/dnsmasq --strict-order --bind-interfaces --pid-file=/var/run/libvirt/network/ --conf-file= --except-interface lo --listen-address --dhcp-range, --dhcp-leasefile=/var/lib/libvirt/dnsmasq/default.leases --dhcp-lease-max=253 --dhcp-no-override
10. Test guest-run named from host (host)
Both of the hostnames you added in step 6 should be resolvable:
$ dig @ centos.local +short
$ dig @ eugenes-macbook-pro.local +short
And reverse-resolvable:
$ dig @ -x +short
$ dig @ -x +short
11. Setup
make install start
12. Test
make test
13. Diagnostics
make report
If you do:
make login
and get something like:
kinit: krb5_get_init_creds: time skew (41863) larger than max (300)
, it is likely that your KDC's time is behind the Master's time.
Check using:
make report
and look for MASTER DATE: and DNS_SERVER DATE:. (Note that the report
shows DNS_SERVER, but if you are using this setup, the KDC should be
running on the same machine as the DNS_SERVER).
If the two DATEs are not in sync, the master's time will be the more
accurate since it is running directly on your computer, not on a VM.
To fix the date skew, run:
make sync
Then try "make report" to verify that the MASTER DATE: and DNS_SERVER
DATE: are the same (a second or two difference is ok). Now "make login"
should work also.
If the DNS_SERVER DATE is still out of sync, read below.
Syncing guest clock (guest vm)
[root@centos1]# sudo service ntpdate restart; date
You will need to do this every time your host computer is put to
sleep. Your host computer will sync its time automatically using its
built-in battery-powered clock (and using an external NTP server if
configured to do so and if it's connected to the Internet), but the
guest VM must be synced manually via the above step. (Perhaps there's
a way to have it automatically sync periodically but I am not aware of
If you get an error message from ntpdate such as "no server suitable
for synchronization found", try running with -d for more information:
[root@centos1]# sudo ntpdate -d
Where "" is the host-only IP of your host machine. If your
debugging output shows " Server dropped: strata too
high", then your host OS's ntpd server is probably not synced with its
own external time source. Try restarting ntpd on your host OS:
$ sudo killall ntpd
Wait a few seconds and make sure that ntpd is running on the host OS,
then try again on the guest OS to do:
[root@centos1]# sudo ntpdate -d