JVM config overrides (#384)

* First working version.

* Update docs and use default JVM props.

* Typo

* Update docs/modules/hdfs/pages/usage-guide/configuration-environment-overrides.adoc

Co-authored-by: Sebastian Bernauer <[email protected]>

---------

Co-authored-by: Sebastian Bernauer <[email protected]>

Author: razvan

CHANGELOG.md

@@ -7,6 +7,7 @@ All notable changes to this project will be documented in this file.
 ### Added
 
 - Default stackableVersion to operator version ([#381]).
+- Configuration overrides for the JVM security properties, such as DNS caching ([#384]).
 
 ### Changed
 
@@ -15,6 +16,7 @@ All notable changes to this project will be documented in this file.
 
 [#378]: https://github.com/stackabletech/hdfs-operator/pull/378
 [#381]: https://github.com/stackabletech/hdfs-operator/pull/381
+[#384]: https://github.com/stackabletech/hdfs-operator/pull/384
 
 ## [23.7.0] - 2023-07-14
 
@@ -85,7 +87,6 @@ All notable changes to this project will be documented in this file.
 [#341]: https://github.com/stackabletech/hdfs-operator/pull/341
 [#342]: https://github.com/stackabletech/hdfs-operator/pull/342
 
-
 ## [23.1.0] - 2023-01-23
 
 ### Added

deploy/config-spec/properties.yaml

@@ -9,6 +9,120 @@ spec:
         comment: "Specified in https://tools.ietf.org/html/rfc3986#appendix-B"
 
 properties:
+  - property:
+      propertyNames:
+        - name: "networkaddress.cache.ttl"
+          kind:
+            type: "file"
+            file: "security.properties"
+      datatype:
+        type: "integer"
+        min: "0"
+      recommendedValues:
+        - fromVersion: "0.0.0"
+          value: "30"
+      roles:
+        - name: "namenode"
+          required: true
+      asOfVersion: "0.0.0"
+      comment: "TTL for successfully resolved domain names."
+      description: "TTL for successfully resolved domain names."
+
+  - property:
+      propertyNames:
+        - name: "networkaddress.cache.ttl"
+          kind:
+            type: "file"
+            file: "security.properties"
+      datatype:
+        type: "integer"
+        min: "0"
+      recommendedValues:
+        - fromVersion: "0.0.0"
+          value: "30"
+      roles:
+        - name: "datanode"
+          required: true
+      asOfVersion: "0.0.0"
+      comment: "TTL for successfully resolved domain names."
+      description: "TTL for successfully resolved domain names."
+
+  - property:
+      propertyNames:
+        - name: "networkaddress.cache.ttl"
+          kind:
+            type: "file"
+            file: "security.properties"
+      datatype:
+        type: "integer"
+        min: "0"
+      recommendedValues:
+        - fromVersion: "0.0.0"
+          value: "30"
+      roles:
+        - name: "journalnode"
+          required: true
+      asOfVersion: "0.0.0"
+      comment: "TTL for successfully resolved domain names."
+      description: "TTL for successfully resolved domain names."
+
+  - property:
+      propertyNames:
+        - name: "networkaddress.cache.negative.ttl"
+          kind:
+            type: "file"
+            file: "security.properties"
+      datatype:
+        type: "integer"
+        min: "0"
+      recommendedValues:
+        - fromVersion: "0.0.0"
+          value: "0"
+      roles:
+        - name: "namenode"
+          required: true
+      asOfVersion: "0.0.0"
+      comment: "TTL for domain names that cannot be resolved."
+      description: "TTL for domain names that cannot be resolved."
+
+  - property:
+      propertyNames:
+        - name: "networkaddress.cache.negative.ttl"
+          kind:
+            type: "file"
+            file: "security.properties"
+      datatype:
+        type: "integer"
+        min: "0"
+      recommendedValues:
+        - fromVersion: "0.0.0"
+          value: "0"
+      roles:
+        - name: "datanode"
+          required: true
+      asOfVersion: "0.0.0"
+      comment: "TTL for domain names that cannot be resolved."
+      description: "TTL for domain names that cannot be resolved."
+
+  - property:
+      propertyNames:
+        - name: "networkaddress.cache.negative.ttl"
+          kind:
+            type: "file"
+            file: "security.properties"
+      datatype:
+        type: "integer"
+        min: "0"
+      recommendedValues:
+        - fromVersion: "0.0.0"
+          value: "0"
+      roles:
+        - name: "journalnode"
+          required: true
+      asOfVersion: "0.0.0"
+      comment: "TTL for domain names that cannot be resolved."
+      description: "TTL for domain names that cannot be resolved."
+
   - property:
       propertyNames:
         - name: "dfs.namenode.name.dir"
@@ -164,4 +278,3 @@ properties:
           required: false
       asOfVersion: "0.0.0"
       description: "The address and port the JournalNode HTTPS server listens on. If the port is 0 then the server will start on a free port."
-

deploy/helm/hdfs-operator/configs/properties.yaml

@@ -9,6 +9,120 @@ spec:
         comment: "Specified in https://tools.ietf.org/html/rfc3986#appendix-B"
 
 properties:
+  - property:
+      propertyNames:
+        - name: "networkaddress.cache.ttl"
+          kind:
+            type: "file"
+            file: "security.properties"
+      datatype:
+        type: "integer"
+        min: "0"
+      recommendedValues:
+        - fromVersion: "0.0.0"
+          value: "30"
+      roles:
+        - name: "namenode"
+          required: true
+      asOfVersion: "0.0.0"
+      comment: "TTL for successfully resolved domain names."
+      description: "TTL for successfully resolved domain names."
+
+  - property:
+      propertyNames:
+        - name: "networkaddress.cache.ttl"
+          kind:
+            type: "file"
+            file: "security.properties"
+      datatype:
+        type: "integer"
+        min: "0"
+      recommendedValues:
+        - fromVersion: "0.0.0"
+          value: "30"
+      roles:
+        - name: "datanode"
+          required: true
+      asOfVersion: "0.0.0"
+      comment: "TTL for successfully resolved domain names."
+      description: "TTL for successfully resolved domain names."
+
+  - property:
+      propertyNames:
+        - name: "networkaddress.cache.ttl"
+          kind:
+            type: "file"
+            file: "security.properties"
+      datatype:
+        type: "integer"
+        min: "0"
+      recommendedValues:
+        - fromVersion: "0.0.0"
+          value: "30"
+      roles:
+        - name: "journalnode"
+          required: true
+      asOfVersion: "0.0.0"
+      comment: "TTL for successfully resolved domain names."
+      description: "TTL for successfully resolved domain names."
+
+  - property:
+      propertyNames:
+        - name: "networkaddress.cache.negative.ttl"
+          kind:
+            type: "file"
+            file: "security.properties"
+      datatype:
+        type: "integer"
+        min: "0"
+      recommendedValues:
+        - fromVersion: "0.0.0"
+          value: "0"
+      roles:
+        - name: "namenode"
+          required: true
+      asOfVersion: "0.0.0"
+      comment: "TTL for domain names that cannot be resolved."
+      description: "TTL for domain names that cannot be resolved."
+
+  - property:
+      propertyNames:
+        - name: "networkaddress.cache.negative.ttl"
+          kind:
+            type: "file"
+            file: "security.properties"
+      datatype:
+        type: "integer"
+        min: "0"
+      recommendedValues:
+        - fromVersion: "0.0.0"
+          value: "0"
+      roles:
+        - name: "datanode"
+          required: true
+      asOfVersion: "0.0.0"
+      comment: "TTL for domain names that cannot be resolved."
+      description: "TTL for domain names that cannot be resolved."
+
+  - property:
+      propertyNames:
+        - name: "networkaddress.cache.negative.ttl"
+          kind:
+            type: "file"
+            file: "security.properties"
+      datatype:
+        type: "integer"
+        min: "0"
+      recommendedValues:
+        - fromVersion: "0.0.0"
+          value: "0"
+      roles:
+        - name: "journalnode"
+          required: true
+      asOfVersion: "0.0.0"
+      comment: "TTL for domain names that cannot be resolved."
+      description: "TTL for domain names that cannot be resolved."
+
   - property:
       propertyNames:
         - name: "dfs.namenode.name.dir"
@@ -164,4 +278,3 @@ properties:
           required: false
       asOfVersion: "0.0.0"
       description: "The address and port the JournalNode HTTPS server listens on. If the port is 0 then the server will start on a free port."
-

docs/modules/hdfs/pages/usage-guide/configuration-environment-overrides.adoc

@@ -7,7 +7,17 @@ IMPORTANT: Overriding certain properties can lead to faulty clusters. In general
 
 == Configuration Properties
 
-For a role or role group, at the same level of `config`, you can specify `configOverrides` for the `hdfs-site.xml` and `core-site.xml`. For example, if you want to set additional properties on the namenode servers, adapt the `nameNodes` section of the cluster resource like so:
+For a role or role group, at the same level of `config`, you can specify `configOverrides` for the following files:
+
+- `hdfs-site.xml`
+- `core-site.xml`
+- `hadoop-policy.xml`
+- `ssl-server.xml`
+- `ssl-client.xml`
+- `security.properties`
+
+
+For example, if you want to set additional properties on the namenode servers, adapt the `nameNodes` section of the cluster resource like so:
 
 [source,yaml]
 ----
@@ -43,6 +53,35 @@ All override property values must be strings. The properties will be formatted a
 
 For a full list of configuration options we refer to the Apache Hdfs documentation for https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-hdfs/hdfs-default.xml[hdfs-site.xml] and https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/core-default.xml[core-site.xml]
 
+=== The security.properties file
+
+The `security.properties` file is used to configure JVM security properties. It is very seldom that users need to tweak any of these, but there is one use-case that stands out, and that users need to be aware of: the JVM DNS cache.
+
+The JVM manages it's own cache of successfully resolved host names as well as a cache of host names that cannot be resolved. Some products of the Stackable platform are very sensible to the contents of these caches and their performance is heavily affected by them. As of version 3.3.4 HDFS performs poorly if the positive cache is disabled. To cache resolved host names, and thus speeding up Hbase queries you can configure the TTL of entries in the positive cache like this:
+
+[source,yaml]
+----
+  namenodes:
+    configOverrides:
+      security.properties:
+        networkaddress.cache.ttl: "30"
+        networkaddress.cache.negative.ttl: "0"
+  datanodes:
+    configOverrides:
+      security.properties:
+        networkaddress.cache.ttl: "30"
+        networkaddress.cache.negative.ttl: "0"
+  journalnodes:
+    configOverrides:
+      security.properties:
+        networkaddress.cache.ttl: "30"
+        networkaddress.cache.negative.ttl: "0"
+----
+
+NOTE: The operator configures DNS caching by default as shown in the example above.
+
+For details on the JVM security see https://docs.oracle.com/en/java/javase/11/security/java-security-overview1.html
+
 
 == Environment Variables
 

rust/crd/src/constants.rs

@@ -16,6 +16,7 @@ pub const HADOOP_POLICY_XML: &str = "hadoop-policy.xml";
 pub const SSL_SERVER_XML: &str = "ssl-server.xml";
 pub const SSL_CLIENT_XML: &str = "ssl-client.xml";
 pub const LOG4J_PROPERTIES: &str = "log4j.properties";
+pub const JVM_SECURITY_PROPERTIES_FILE: &str = "security.properties";
 
 pub const SERVICE_PORT_NAME_RPC: &str = "rpc";
 pub const SERVICE_PORT_NAME_IPC: &str = "ipc";

rust/crd/src/lib.rs

@@ -616,6 +616,7 @@ impl HdfsCluster {
             PropertyNameKind::File(HADOOP_POLICY_XML.to_string()),
             PropertyNameKind::File(SSL_SERVER_XML.to_string()),
             PropertyNameKind::File(SSL_CLIENT_XML.to_string()),
+            PropertyNameKind::File(JVM_SECURITY_PROPERTIES_FILE.to_string()),
             PropertyNameKind::Env,
         ];
 

rust/operator/src/container.rs

@@ -25,9 +25,9 @@ use snafu::{OptionExt, ResultExt, Snafu};
 use stackable_hdfs_crd::{
     constants::{
         DATANODE_ROOT_DATA_DIR_PREFIX, DEFAULT_DATA_NODE_METRICS_PORT,
-        DEFAULT_JOURNAL_NODE_METRICS_PORT, DEFAULT_NAME_NODE_METRICS_PORT, LOG4J_PROPERTIES,
-        NAMENODE_ROOT_DATA_DIR, SERVICE_PORT_NAME_IPC, SERVICE_PORT_NAME_RPC,
-        STACKABLE_ROOT_DATA_DIR,
+        DEFAULT_JOURNAL_NODE_METRICS_PORT, DEFAULT_NAME_NODE_METRICS_PORT,
+        JVM_SECURITY_PROPERTIES_FILE, LOG4J_PROPERTIES, NAMENODE_ROOT_DATA_DIR,
+        SERVICE_PORT_NAME_IPC, SERVICE_PORT_NAME_RPC, STACKABLE_ROOT_DATA_DIR,
     },
     storage::DataNodeStorageConfig,
     DataNodeContainer, HdfsCluster, HdfsPodRef, HdfsRole, MergedConfig, NameNodeContainer,
@@ -975,6 +975,8 @@ impl ContainerConfig {
             ContainerConfig::Hdfs {
                 role, metrics_port, ..
             } => {
+                let cvd = ContainerVolumeDirs::from(role);
+                let config_dir = cvd.final_config();
                 // This currently points at 0.16.1 for historic reasons.
                 // We used to (and actually still do) hardcode the version number of JMX Exporter
                 // Newer Docker Images (anything after 23.7) do upgrade the version however and they do
@@ -985,7 +987,7 @@ impl ContainerConfig {
                 // We can fix this properly by pointing at the versionless JAR in one of our upcoming releases (e.g. 24.x)
                 let mut jvm_args = vec![
                     format!(
-                        "-javaagent:/stackable/jmx/jmx_prometheus_javaagent-0.16.1.jar={metrics_port}:/stackable/jmx/{role}.yaml",
+                        "-Djava.security.properties={config_dir}/{JVM_SECURITY_PROPERTIES_FILE} -javaagent:/stackable/jmx/jmx_prometheus_javaagent-0.16.1.jar={metrics_port}:/stackable/jmx/{role}.yaml",
                     )];
 
                 if hdfs.has_kerberos_enabled() {
@@ -1259,6 +1261,18 @@ impl From<HdfsRole> for ContainerVolumeDirs {
     }
 }
 
+impl From<&HdfsRole> for ContainerVolumeDirs {
+    fn from(role: &HdfsRole) -> Self {
+        ContainerVolumeDirs {
+            final_config_dir: format!("{base}/{role}", base = Self::NODE_BASE_CONFIG_DIR),
+            config_mount: format!("{base}/{role}", base = Self::NODE_BASE_CONFIG_DIR_MOUNT),
+            config_mount_name: ContainerConfig::HDFS_CONFIG_VOLUME_MOUNT_NAME.to_string(),
+            log_mount: format!("{base}/{role}", base = Self::NODE_BASE_LOG_DIR_MOUNT),
+            log_mount_name: ContainerConfig::HDFS_LOG_VOLUME_MOUNT_NAME.to_string(),
+        }
+    }
+}
+
 impl TryFrom<&str> for ContainerVolumeDirs {
     type Error = Error;