About bgooley

bgooley · ‎08-12-2019

@rjotwani-211490215, The error message regarding the supervisor_status file can be ignored. We will fix the code that generates that error sometime in the future. The message that indicates the cause of the formatting failure is: Running in non-interactive mode, and data appears to exist in Storage Directory /dfs/nn. Not formatting. It may be you have some old data in /dfs/nn. If you are sure you do not need what is in /dfs/nn you can copy it to another location or delete it. Just be sure you don't need/want whatever is there.

bgooley · ‎08-05-2019

@BrettM, This makes me think that the code change did not actually take effect since the cipher list I gave you as an example removes DES and 3DES ciphers. This worked in my environment so the ciphers that were available before the change were no longer available afterward. Can you confirm that the agent Nessus is detecting as having vulnerable ciphers has the following code changes in https.py: ctx = SSL.Context('sslv23') ctx.set_options(m2.SSL_OP_NO_TLSv1 | 0x10000000L | m2.SSL_OP_NO_SSLv2 | m2.SSL_OP_NO_SSLv3) ctx.set_cipher_list("HIGH:!DSS:!DH:!ADH:!DES:!3DES:!SHA1:!RC4:!aNULL:!eNULL:!EXPORT:!SSLv2:!SSLv3:!TLSv1") ctx.set_session_id_ctx("cm-agent") I added "!RC4" in there just in case but really "HIGH" should have taken care of that I think. Also, be sure you restarted the agent after the last change to make sure the changes took place.

bgooley · ‎08-05-2019

@BrettM, The openssl cipher list I provided was an example that worked for me, basically. What ciphers did your scan report to be vulnerable? The cipher list can be modified to suit your needs if necessary. I am surprised, though, since I thought the openssl string I provided was able to resolve for me. Knowing exactly which ciphers were flagged by nessus would help us understand perhaps. As for a fix in the product, we need to evaluate the changes, get the approved for release, then run then through testing, so it will be a while yet.

bgooley · ‎08-01-2019

@TCloud, The exception is in the agent and indicates to us that the agent is not able to verify the certificate that was returned by Cloudera Manager during the TLS handshake. In order to know why, we should look at what host the agent tried to contact (server_host in config.ini) and what certificates were listed in the SAN of the server certificate. You can use the following command to see what certificate is returned: openssl s_client -connect $(grep "server_host" /etc/cloudera-scm-agent/config.ini | sed s/server_host=//):7182 </dev/null | openssl x509 -text -noout Then, check to make sure agent's truststore has the proper certificate that trusts the CM cert. To test, you can use: openssl s_client -connect $(grep -v '^#' /etc/cloudera-scm-agent/config.ini | grep "server_host=" | sed s/server_host=//):7182 -CAfile $(grep -v '^#' /etc/cloudera-scm-agent/config.ini | grep "verify_cert_file=" |sed s/verify_cert_file=//) -verify_hostname $(grep -v '^#' /etc/cloudera-scm-agent/config.ini | grep "server_host=" | sed s/server_host=//)</dev/null The above is probably not that elegant, but you should be able to run it as it is. It will grab your hostname and trust store file from the host's config.ini and then connect to your CM host to do a TLS handshake. "-verify_hostname" will tell openssl to also do hostname validation to mimic what the agent does. The result code of the above command should give us a better idea of why the handshake is failing.

bgooley · ‎07-31-2019

@sparkd, While we can't be sure, it is likely that some permissions were changed on the /tmp directory so that the Service Monitor (that executes the HDFS canary health check) could not access the directory. Service Monitor utilizes the "hue" user and principal to access other resources so it is reasonable to assume that /tmp in HDFS did not allow the hue user or group to write to /tmp. Are you having similar trouble? If so, check your service monitor log file for stack traces and errors related to the hdfs canary.

bgooley · ‎07-31-2019

@Dominic_kim, It might be more work, but it would be better to have a cluster where trust can be established. Clients expect that the server they connected to (whether FQDN, short name, or IP) will be included in the Subject Alternative Name extension or in the CN subject. Note that recent releases of CM and CDH do support wildcard certificates so I'm not sure what the problem is in your case... we would need some more specific info. That said, you can turn off validation in some places like Hue, but it is not so easily done in others. Depends on the client. For Hue, I think you can turn off all validation by setting: [desktop] ssl_validate=False If you don't have ssl_cert_ca_verify or other configuration in other sections, then they will look to the global "desktop" section setting. Restart Hue after making the change.

bgooley · ‎07-30-2019

@wert_1311, Cloudera and the agents will communicate to make sure that parcels are distributed and enabled on all hosts that are managed. In this case, it sounds as if your attempts to copy information may have contributed to running out of space. 5GB isn't much space, though, so it could be you will need more space. To allow the agent to correct the situation, you can do the following: (1) Stop the agent service cloudera-scm-agent stop (2) remove the contents of the parcels directory: /opt/cloudera/parcels/* (3) Start the agent: service cloudera-scm-agent start (4) Monitor the agent log to see if it starts downloading the files.

bgooley · ‎07-30-2019

Hi @BrettM , Thank you once again for pointing out a security issue! I ran nmap with ssl-enum-ciphers and saw the same problems. I took a stab and found that M2Crypto does let you set ciphers. I chose a set that limits to good ciphers. As before, you can test the fix I proposed by editing the "https.py" file on each host. On an el7 host, the path will likely be: /opt/cloudera/cm-agent/lib/python2.7/site-packages/cmf/https.py (1) Back up the https.py file so you can revert if there is a problem starting the agent (2) Below the line you edited: ctx.set_options(m2.SSL_OP_NO_TLSv1 | 0x10000000L | m2.SSL_OP_NO_SSLv2 | m2.SSL_OP_NO_SSLv3) add this: ctx.set_cipher_list("HIGH:!DSS:!DH:!ADH:!DES:!3DES:!SHA1:!aNULL:!eNULL:!EXPORT:!SSLv2:!SSLv3:!TLSv1") (3) Save your change Restart the agent with: service cloudera-scm-agent restart (4) Test to see if any vulnerable ciphers are still allowed. As before, if the change helps in your deployment, this would need to be applied on all hosts where the agent runs. Any upgrades of CM that do not include fixes would also require you to edit manually. I have already created another Jira for this with Cloudera Manager engineering.

bgooley · ‎07-24-2019

@vincenth, A public CA can sign certificates that for "private" hosts. Usually, you would generate a CSR (Certificate Signing Request) and then submit that on the CA's website. Different CAs have different licenses, deals, etc.

bgooley · ‎07-24-2019

@Da, CSD files used with CM 5 should be compatible with CM 6. If you hit any problems that you think may be related to CM 6, please do let us know.

Online	Offline
Last Visited	‎04-24-2020 01:13 PM

Member Since	‎04-22-2014 02:47 PM
Last Visited	‎04-24-2020 01:13 PM
Posts	1,218
Kudos received	339

Cloudera Community

Re: ALL hadoop-mapreduce-examples.jar fail cdh6

Re: YARN NodeManagers failed to start with permiss...

Re: Disable admin Login in Cloudera Manager

Re: Kerberos not authenticating from Hadoop Gatewa...

Re: Sqoop connection to Kerberos authenticated RDB...

Re: Failed to format namenode error during while i...

Re: How can we disable TLSv1 cipher for the Cloude...

Re: How can we disable TLSv1 cipher for the Cloude...

Re: SSLError: certificate verify failed

Re: HDFS goes in bad health

Re: How do I not validate a TLS certificate?

Re: Error while activating parcels

Re: How can we disable TLSv1 cipher for the Cloude...

Re: TLS/SSL Self-Certificate or Authority Certific...

Re: Custom CSDs from CM 5.x to 6.x