[DCOS-39050] Added files for Hive Docker image

[susanxhuynh]

This Hive Docker image is intended for use in Spark integration tests.

It's based on https://github.com/tilakpatidar/cdh5_hive_postgres (the one Evan found) with the following changes:

• Removed docker-compose (not supported by Marathon)
• Added Kerberos (see the kerberos/ directory)
  • Kerberized versions of hadoop, hive xml config files
  • krb5.conf
  • Marathon config to run the container
• Hive: changes in hive_pg/scripts/bootstrap.sh for Kerberos
• You can also refer to my fork to see what I added.

Testing

• I've tested by running a Spark Hive job against the kerberized image.
• You can try the unkerberized image with: docker run -it susanxhuynh/cdh5-hive:latest /etc/hive-bootstrap.sh -bash
• To run the kerberized image with a KDC, see the README.

[susanxhuynh]

Tests are passing now. The failures yesterday seem to have been temporary connectivity problems at the sbt mirror site.

[samvantran]

Had a few comments but overall looks good. I'll try testing it myself tomorrow

[samvantran]

The end includes | tar -xz -C /usr/local/ but not in the actual shell command on L11. Typo?

[elezar]

We definitely don't want to extract to /usr/local.

[samvantran]

These all point to the same directory... is it necessary to have all of them?
Also I don't think you use HADOOP_HDFS_HOME nor HADOOP_YARN_HOME in this file.

[susanxhuynh]

I thought they might be used while the container is running, but let me check on that.

[samvantran]

same comment above, a few of these ENV vars are not used in this file including this one

[samvantran]

Clever :)

[samvantran]

Is this supposed to setup hive and then another process ssh's/executes commands inside the container? Just trying to understand how all of these parts intersect.

[susanxhuynh]

This command sets up a few directories and then starts the Hive servers. To create and query Hive tables, we would install Spark on the cluster and run a Spark job ... the job would point to the Hive container's IP address. Alternatively, you could go inside the container and start the Hive "beeline" program, in which you could also perform Hive queries.

[samvantran]

Is this guaranteed to be there?

[samvantran]

Not a big deal but can we delete this if its commented out?

[samvantran]

Needs a newline?

[samvantran]

Are all of these supposed to point to the same dir?

[elezar]

Thanks @susanxhuynh. Great work in showing that this is possible and that we don't need an external Cloudera cluster for testing our Hive interactions. I have made comments while reviewing this, but it could definitely be that I'm missing some context along the way, so please let me know if that is the case.

Some general comments:

• This 3 Docker Image (4 if one counts Kerberos) seems a bit excessive.
• The images enable SSH access as well as an Apache web server.
• The config for Hadoop / Hive is spread through the various layers and external file.
• I don't know if the spark-build repo is the best place for this. As it is, we have problems with our "testing" docker images not being properly versioned, in the Mesosphere or, or under version control.
• The removal of docker-compose has complicated the building of the images and identifying which changes are really required by us -- e.g. Kerberos-related changes.

Ideally, I would like to see:

• The number of Docker images reduced. Another search for "standalone hive" brings up other solutions such as: https://github.com/jqcoffey/hive-standalone, which at first glance has the following points to note:
  ** ADVANTAGE: It uses a single image based off an OS image
  ** ADVANTAGE: It does not install postgres or sshd
  ** DISADVANTAGE: It installs system packages
• The docker image moved to a separate repo so that its lifetime can be managed independently. For the Kafka and HDFS clients, we are looking at moving them to dcos-commons-ci for example.

[elezar]

We definitely don't want to extract to /usr/local.

[elezar]

To tell you the truth, I'm not sure what advantage the download_deps.sh file really give us. We could download the archives as part of the docker build process directly. We have in the past (e.g. with TensorFlow) had issues with certain hadoop archives no longer being present, but this is an issue with this script too.

[elezar]

This seems to be explicitly setting the contents of the /etc/hadoop/hadoop-env.sh file. Why is it not sufficient to rely on the environment variables in this case?

[susanxhuynh]

That is strange and Hadoop seems to work without this step, with the exception of setting JAVA_HOME. I don't know why, but it seems that JAVA_HOME has to be set directly in this file. https://stackoverflow.com/questions/14325594/working-with-hadoop-localhost-error-java-home-is-not-set

[elezar]

Is this just to preserve the contents of the original files?

[susanxhuynh]

I guess, removing ...

[elezar]

Why is it required to fix the native libraries?

[susanxhuynh]

The native libraries are not part of the Cloudera distribution. OTOH, hadoop seems to work okay without the native libraries.

[elezar]

I think the native libraries are only required when using Hadoop from languages such as C/C++.

[elezar]

Similar comments as for the non-kerberized version. Switching to mustache should allow us to to unify the templates a little.

[elezar]

This is pretty old version of ubuntu. Furthermore, all this image seems to do is add the SSD Daemon (which I'm not sure if we need), and set environment variables that are later overwritten.

[elezar]

Here we are setting the path to folders that don't exist yet.

[elezar]

We're not cleaning up the cache.

[elezar]

Is there a reason that we need an Apache webserver too?

[susanxhuynh]

I don't think this is actually used. I will remove it.

[susanxhuynh]

@elezar

• I will reduce the number of images.
• I can remove the apache2 web server but not sshd or postgres.
• Sshd is a prerequisite for Hadoop. See https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/SingleCluster.html#Setup_passphraseless_ssh
• Postgres is needed to run Hive in remote mode, which is necessary to reproduce the Spark bug that I need to repro (https://issues.apache.org/jira/browse/SPARK-24338). The exception occurs in the "ThriftHiveMetastore" Client class, which is only used in Hive remote mode. More information about remote mode: https://www.cloudera.com/documentation/enterprise/latest/topics/cdh_ig_hive_metastore_configure.html#topic_18_4_1__title_508
• I'll move this docker image into a separate repo, but I'll make changes here for now since you and Sam have already left comments here.

[susanxhuynh]

First pass at combining ubuntu + hadoop + hive into a single image (currently under the "single-image" directory). Still a WIP.

[susanxhuynh]

@elezar @samvantran I think I have addressed most of your comments. The highlights are:

• Removed about 2k LOC.
• Based on ubuntu 16.04.
• Combined ubuntu + hadoop + hive into one image. There's a second image that adds kerberos support.
• Removed the apache2 web server, but kept sshd (used by Hadoop) and Postgres (for Hive Metastore "remote" mode).
• Removed unnecessary properties from Hadoop / Hive xml config files and log4j files.
• Removed unused HADOOP_ env vars.
• No mustache, but there's a simple shell script generate_configs.sh that autogenerates the Kerberos config files.

[susanxhuynh]

@samvantran @elezar Gentle ping. See comment above.

[samvantran]

Looks good to me w/ a minor question
Probably want Evan to 👍 this PR since his review was extensive

*also probably want to merge with master to get over the failing CI tests that look similar to the statsd jar errors

[samvantran]

Is this file necessary? It's essentially empty.

[susanxhuynh]

Strictly speaking, it's not necessary, but it serves as a placeholder for the "generate_configs.sh", so that the script can treat all config files (including yarn-site) equally.

[samvantran]

Follow up to my question below, it doesn't look like yarn-site.xml.template has a {{HOSTNAME}} to replace

[susanxhuynh]

I'll admit this one is a little confusing. What happens is this script gets called in both the non-kerberized and kerberized images. And, the kerberized version of yarn-site.xml does have a {{HOSTNAME}} in it, and I wanted to avoid special processing to account for that.

[elezar]

Thanks @susanxhuynh, this is looking great now.

I have made one or two comments, but none of them are blockers on getting this PR in. Depending on what you're priorities are, I would say that we could merge this as is and create a follow-up ticket to get any improvements made.

The one thing that I think should be addressed is the fact that there is no -d option supported in the hadoop-bootstrap.sh script.

[elezar]

We can handle this in a follow-up, but should we consider using the 18.04 LTS image?

[samvantran]

I remember this email thread not long ago asking about DCOS on 18.04 and it seemed like Mesos still had to sort out some issues.

Let's hold off this for now

[elezar]

We could also pull in the java archive that we use in all our applications, but this isn't a blocker.

[elezar]

This is set on https://github.com/mesosphere/spark-build/pull/392/files#diff-0aa25f6cadbb637eae9df102b049a59dR5 as well. Rather just set it in one place.

[samvantran]

👍 deleted the first instance

[elezar]

Should this not be moved to AFTER the postgres install below?

[samvantran]

looks like it was copied from the parent project: https://github.com/tilakpatidar/cdh5_hive_postgres/blob/master/hive_pg/Dockerfile#L31

If I move it, docker build runs fine but I'd have to test it against the hive integration PR to know everything works

[elezar]

Nit &&\ => && \

[samvantran]

fixed

[elezar]

There is no -d flag in the hadoop-bootstrap.sh script above. Is this intentional?

[samvantran]

removed -d

[elezar]

We could use an elif here instead followed by an else block that prints something if the argument is unknown.

[samvantran]

fixed

[elezar]

Is there a better way to check for readiness?

[samvantran]

Not sure. I'm not very familiar enough w/ Hive.

[elezar]

In our other applications, we use a different endpoint here Should we make this configurable too?

[samvantran]

Hm, this is just for testing. Not sure we need to make this configurable.

[elezar]

My concern is that it is different to how we handle KDC in all our other applications. If we need to move forward with this though, I'm not going to block the PR, but we should consider creating a follow-up ticket to unify this.

[samvantran]

included in DCOS-42219

[elezar]

Not a blocker, but if we were to use Python for this, we could combine the XML as a structured document?
(see for example: https://github.com/mesosphere/dcos-commons/blob/master/frameworks/hdfs/tests/test_overlay.py#L65)

Changes addressed. No blockers currently.

[elezar]

The one thing that I think should be addressed is the fact that there is no -d option supported in the hadoop-bootstrap.sh script.

[samvantran]

@elezar, please take another look at this PR. Among other fixes, I removed the -d flag which seemed most important to address.

[samvantran]

👍 deleted the first instance

[samvantran]

fixed

[samvantran]

fixed

[samvantran]

looks like it was copied from the parent project: https://github.com/tilakpatidar/cdh5_hive_postgres/blob/master/hive_pg/Dockerfile#L31

If I move it, docker build runs fine but I'd have to test it against the hive integration PR to know everything works

[samvantran]

removed

[samvantran]

removed -d

[samvantran]

I don't think so. This is a script that gets called from hive-bootstrap.sh so it'll just continue on afterward

[samvantran]

Not sure. I'm not very familiar enough w/ Hive.

[samvantran]

fixed

[samvantran]

Hm, this is just for testing. Not sure we need to make this configurable.

[elezar]

Thanks @samvantran.

This is definitely something that we can iterate on.

Some final thoughts:

• There is a bit of a disconnect with how we handle Kerberos configuration for other services. I know that we're treating this as a one-off, but getting a bit more uniformity could be useful. Definitely out of scope for this Pr though.
• We're depending on @susanxhuynh's private docker repository here. This means that we'll have one more docker image to migrate to the mesosphere repo. We should probably consider doing it now. For what it's worth -- we can use https://jenkins.mesosphere.com/service/jenkins/view/Infinity/job/infinity-tools/job/release-tools/job/build-docker-image/ to build arbitrary docker images.

[elezar]

My concern is that it is different to how we handle KDC in all our other applications. If we need to move forward with this though, I'm not going to block the PR, but we should consider creating a follow-up ticket to unify this.

[elezar]

In other tests we generate these kinds of application definitions on the fly in python -- templating where applicable. Not a blocker, but we could create a follow-up ticket.

[samvantran]

created https://jira.mesosphere.com/browse/DCOS-42219 to address this and other non-blocking-but-should-still-do comments

[elezar]

This is also quite different to how we currently deploy kerberized HDFS. I know there isn't necessary too much overlap, but it would be good to not have to context switch too much when debugging issues with hive / hdfs.

[elezar]

Is server2 a predefined property of some kind?

[samvantran]

yes, its the improved version of hiveserver: https://cwiki.apache.org/confluence/display/Hive/Setting+Up+HiveServer2

[samvantran]

Cleaned up the postgres conf file and added back an envvar I mistakenly deleted. I created ticket https://jira.mesosphere.com/browse/DCOS-42219 to address followups

Also I tried the jenkins job you mentioned but was unsuccessful in publishing a docker image

[samvantran]

cleaned up in fed868e

[samvantran]

yes, its the improved version of hiveserver: https://cwiki.apache.org/confluence/display/Hive/Setting+Up+HiveServer2

[samvantran]

created https://jira.mesosphere.com/browse/DCOS-42219 to address this and other non-blocking-but-should-still-do comments

[samvantran]

included in DCOS-42219