-
Notifications
You must be signed in to change notification settings - Fork 4
/
cassandra_config.go
263 lines (247 loc) · 9.89 KB
/
cassandra_config.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
package templates
import "text/template"
// CassandraConfig is the template of a full Cassandra configuration.
var CassandraConfig = template.Must(template.New("").Parse(`cluster_name: ContrailConfigDB
num_tokens: 256
hinted_handoff_enabled: true
max_hint_window_in_ms: 10800000 # 3 hours
hinted_handoff_throttle_in_kb: 1024
max_hints_delivery_threads: 2
hints_directory: /var/lib/cassandra/hints
hints_flush_period_in_ms: 10000
max_hints_file_size_in_mb: 128
batchlog_replay_throttle_in_kb: 1024
authenticator: AllowAllAuthenticator
authorizer: AllowAllAuthorizer
role_manager: CassandraRoleManager
roles_validity_in_ms: 2000
permissions_validity_in_ms: 2000
credentials_validity_in_ms: 2000
partitioner: org.apache.cassandra.dht.Murmur3Partitioner
data_file_directories:
- /var/lib/cassandra/data
commitlog_directory: /var/lib/cassandra/commitlog
disk_failure_policy: stop
commit_failure_policy: stop
key_cache_size_in_mb:
key_cache_save_period: 14400
row_cache_size_in_mb: 0
row_cache_save_period: 0
counter_cache_size_in_mb:
counter_cache_save_period: 7200
saved_caches_directory: /var/lib/cassandra/saved_caches
commitlog_sync: periodic
commitlog_sync_period_in_ms: 10000
commitlog_segment_size_in_mb: 32
seed_provider:
- class_name: org.apache.cassandra.locator.SimpleSeedProvider
parameters:
- seeds: {{ .Seeds }}
concurrent_reads: {{ or .Parameters.ConcurrentReads 32 }}
concurrent_writes: {{ or .Parameters.ConcurrentWrites 32 }}
concurrent_counter_writes: {{ or .Parameters.ConcurrentCounterWrites 32 }}
concurrent_materialized_view_writes: {{ or .Parameters.ConcurrentMaterializedViewWrites 32 }}
concurrent_compactors: {{ or .Parameters.ConcurrentCompactors 1 }}
memtable_flush_writers: {{ or .Parameters.MemtableFlushWriters 2 }}
disk_optimization_strategy: ssd
memtable_allocation_type: {{ or .Parameters.MemtableAllocationType "heap_buffers" }}
index_summary_capacity_in_mb:
index_summary_resize_interval_in_minutes: 60
trickle_fsync: false
trickle_fsync_interval_in_kb: 10240
storage_port: {{ .StoragePort}}
ssl_storage_port: {{ .SslStoragePort }}
listen_address: {{ .ListenAddress }}
broadcast_address: {{ .BroadcastAddress }}
start_native_transport: true
native_transport_port: {{ .CqlPort }}
start_rpc: {{ .StartRPC }}
rpc_address: {{ .RPCAddress }}
rpc_port: {{ .RPCPort }}
broadcast_rpc_address: {{ .RPCBroadcastAddress}}
rpc_keepalive: true
rpc_server_type: sync
thrift_framed_transport_size_in_mb: 15
incremental_backups: false
snapshot_before_compaction: false
auto_snapshot: true
tombstone_warn_threshold: 1000
tombstone_failure_threshold: 100000
column_index_size_in_kb: 64
batch_size_warn_threshold_in_kb: 5
batch_size_fail_threshold_in_kb: 50
compaction_throughput_mb_per_sec: {{ or .Parameters.CompactionThroughputMbPerSec 16 }}
compaction_large_partition_warning_threshold_mb: 100
sstable_preemptive_open_interval_in_mb: 50
read_request_timeout_in_ms: 5000
range_request_timeout_in_ms: 10000
write_request_timeout_in_ms: 2000
counter_write_request_timeout_in_ms: 5000
cas_contention_timeout_in_ms: 1000
truncate_request_timeout_in_ms: 60000
request_timeout_in_ms: 10000
cross_node_timeout: false
endpoint_snitch: SimpleSnitch
dynamic_snitch_update_interval_in_ms: 100
dynamic_snitch_reset_interval_in_ms: 600000
dynamic_snitch_badness_threshold: 0.1
request_scheduler: org.apache.cassandra.scheduler.NoScheduler
# node-to-node encrypion
server_encryption_options:
internode_encryption: all
keystore: /etc/keystore/server-keystore.jks
keystore_password: {{ .KeystorePassword }}
truststore: /etc/keystore/server-truststore.jks
truststore_password: {{ .TruststorePassword }}
require_client_auth: true
store_type: JKS
# client-to-node encrypion
client_encryption_options:
enabled: true
optional: false
keystore: /etc/keystore/server-keystore.jks
keystore_password: {{ .KeystorePassword }}
truststore: /etc/keystore/server-truststore.jks
truststore_password: {{ .TruststorePassword }}
require_client_auth: false
store_type: JKS
internode_compression: all
inter_dc_tcp_nodelay: false
tracetype_query_ttl: 86400
tracetype_repair_ttl: 604800
gc_warn_threshold_in_ms: 1000
enable_user_defined_functions: false
enable_scripted_user_defined_functions: false
windows_timer_interval: 1
transparent_data_encryption_options:
enabled: false
chunk_length_kb: 64
cipher: AES/CBC/PKCS5Padding
key_alias: testing:1
key_provider:
- class_name: org.apache.cassandra.security.JKSKeyProvider
parameters:
- keystore: conf/.keystore
keystore_password: cassandra
store_type: JCEKS
key_password: cassandra
auto_bootstrap: true
`))
// CassandraCqlShrc is a template for cqlsh tool
var CassandraCqlShrc = template.Must(template.New("").Parse(`
[ssl]
certfile = {{ .CAFilePath }}
version = SSLv23
userkey = /etc/certificates/client-key-{{ .ListenAddress }}.pem
usercert = /etc/certificates/client-{{ .ListenAddress }}.crt
`))
// CassandraJmxRemotePassword is a template for jmxrempote.password file
var CassandraJmxRemotePassword = template.Must(template.New("").Parse(`
cassandra cassandra
reaperUser reaperPass
`))
// CassandraJmxRemoteAccess is a template for jmxrempote.access file
var CassandraJmxRemoteAccess = template.Must(template.New("").Parse(`
cassandra readwrite
reaperUser readwrite
`))
// CassandraJmxRemoteAccess is a template for jmxrempote.access file
var CassandraNodetoolSslProperties = template.Must(template.New("").Parse(`
-Dssl.enable=true
-Djavax.net.ssl.keyStore=/etc/keystore/server-keystore.jks
-Djavax.net.ssl.keyStorePassword={{ .KeystorePassword }}
-Djavax.net.ssl.trustStore=/etc/keystore/server-truststore.jks
-Djavax.net.ssl.trustStorePassword={{ .TruststorePassword }}
`))
// ReaperEnvTemplate start script
var ReaperEnvTemplate = template.Must(template.New("").Parse(`
CASSANDRA_SEEDS={{ .CassandraServerList }}
export CASSANDRA_COUNT=$(echo $CASSANDRA_SEEDS | tr ',' ' ' | wc -w)
export CASSANDRA_CONNECT_POINTS=$(echo $CASSANDRA_SEEDS | sed 's/,/", "/g')
export CASSANDRA_REAPER_APP_PORT={{ .ReaperAppPort }}
export CASSANDRA_REAPER_ADM_PORT={{ .ReaperAdmPort }}
export CASSANDRA_REAPER_JMX_AUTH_USERNAME=reaperUser
export CASSANDRA_REAPER_JMX_AUTH_PASSWORD=reaperPass
export CASSANDRA_CLUSTER_NAME=ContrailConfigDB
export CASSANDRA_CQL_PORT={{ .CqlPort }}
export CASSANDRA_SSL_ENABLE=True
export CASSANDRA_SSL_KEYSTORE_PASSWORD={{ .KeystorePassword }}
export CASSANDRA_SSL_TRUSTSTORE_PASSWORD={{ .TruststorePassword }}
export CASSANDRA_LISTEN_ADDRESS=${POD_IP}
export CASSANDRA_JMX_LOCAL_PORT={{ .JmxLocalPort }}
export JKS_DIR="/etc/keystore"
`))
// CassandraCommandTemplate start script
var CassandraCommandTemplate = template.Must(template.New("").Parse(`
function _prepare_keystore() {
local type=$1
rm -f /etc/keystore/${type}-truststore.jks /etc/keystore/${type}-keystore.jks
mkdir -p /etc/keystore
openssl pkcs12 -export -chain -name $type \
-in /etc/certificates/${type}-${POD_IP}.crt \
-inkey /etc/certificates/${type}-key-${POD_IP}.pem \
-CAfile {{ .CAFilePath }} \
-password pass:{{ .TruststorePassword }} \
-out TmpFileKeyStore.$type
openssl pkcs12 -password pass:{{ .TruststorePassword }} -in TmpFileKeyStore.$type -info -chain -nokeys
openssl pkcs12 -info -chain -nokeys -cacerts \
-password pass:{{ .TruststorePassword }} \
-in TmpFileKeyStore.$type 2>/dev/null | sed -n '/-\+BEGIN.*-\+/,/-\+END .*-\+/p' > TmpCA.pem.$type
cat TmpCA.pem.$type
keytool -import -noprompt -alias CARoot \
-keystore /etc/keystore/${type}-truststore.jks \
-keypass {{ .KeystorePassword }} \
-storepass {{ .TruststorePassword }} \
-file TmpCA.pem.$type
keytool -importkeystore -alias $type -noprompt \
-deststoretype PKCS12 \
-deststorepass {{ .KeystorePassword }} \
-destkeypass {{ .KeystorePassword }} \
-destkeystore /etc/keystore/${type}-keystore.jks \
-srcstoretype PKCS12 \
-srcstorepass {{ .TruststorePassword }} \
-srckeystore TmpFileKeyStore.$type
}
# generate server keystore for ssl
_prepare_keystore server
# generate client keystore for ssl
_prepare_keystore client
# for cqlsh cmd tool
ln -sf /etc/contrailconfigmaps/cqlshrc.${POD_IP} /root/.cqlshrc ;
# cassandra docker-entrypoint tries patch the config, and nodemanager uses hardcoded path to
# detect cassandra data path for size checks, this file will contains wrong seeds as entrypoint
# sets it from env variable
rm -f /etc/cassandra/cassandra.yaml ;
cp /etc/contrailconfigmaps/cassandra.${POD_IP}.yaml /etc/cassandra/cassandra.yaml ;
cat /etc/cassandra/cassandra.yaml ;
# reaper configurations
{{ if .ReaperEnabled }}
# for reaper access
ln -sf /etc/contrailconfigmaps/jmxremote.password.${POD_IP} /etc/cassandra/jmxremote.password ;
ln -sf /etc/contrailconfigmaps/jmxremote.access.${POD_IP} /etc/cassandra/jmxremote.access ;
ln -sf /etc/contrailconfigmaps/nodetool-ssl.properties.${POD_IP} ~/.cassandra/nodetool-ssl.properties ;
source /etc/contrailconfigmaps/reaper.${POD_IP}.env
export LOCAL_JMX=no
{{ end }}
# for gracefull shutdown implemented in docker-entrypoint.sh in trap_cassandra_term
export CASSANDRA_JMX_LOCAL_PORT={{ .JmxLocalPort }}
export CASSANDRA_LISTEN_ADDRESS=${POD_IP}
{{ if .ReaperEnabled }}
/run-reaper.sh &
# start service
exec /docker-entrypoint.sh -f -Dcassandra.jmx.local.port={{ .JmxLocalPort }} \
-Dcom.sun.management.jmxremote.access.file=/etc/cassandra/jmxremote.access \
-Dcom.sun.management.jmxremote.ssl=true \
-Dcom.sun.management.jmxremote.ssl.need.client.auth=true \
-Dcassandra.jmx.remote.port={{ .JmxLocalPort }} \
-Dcom.sun.management.jmxremote.rmi.port={{ .JmxLocalPort }} \
-Djavax.net.ssl.keyStore=/etc/keystore/server-keystore.jks \
-Djavax.net.ssl.keyStorePassword={{ .KeystorePassword }} \
-Djavax.net.ssl.trustStore=/etc/keystore/server-truststore.jks \
-Djavax.net.ssl.trustStorePassword={{ .TruststorePassword }} \
-Dcassandra.config=file:///etc/contrailconfigmaps/cassandra.${POD_IP}.yaml
{{ else }}
# start service
exec /docker-entrypoint.sh -f -Dcassandra.jmx.local.port={{ .JmxLocalPort }} -Dcassandra.config=file:///etc/contrailconfigmaps/cassandra.${POD_IP}.yaml
{{ end }}
`))