Open-Source Big Data Cluster Deployment (15): Zookeeper Cluster Deployment

云的事随心讲 2024-03-15 23:59:20

Author: 櫰木

1. Cluster planning

| Host | Version | Role | System user |
|---|---|---|---|
| hd1.dtstack.com | 3.7.1 | follower | zookeeper |
| hd2.dtstack.com | 3.7.1 | leader | zookeeper |
| hd3.dtstack.com | 3.7.1 | follower | zookeeper |

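2. Creating the Zookeeper Kerberos principals

In production, the ZK server and client principals can use different names or the same name. This deployment uses a single principal name of the form zookeeper/HOST@DTSTACK.COM for both the ZK server and the client.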

| Principal name | Keytab file | File location |
|---|---|---|
| zookeeper/hd1.dtstack.com@DTSTACK.COM | /etc/security/keytab/zookeeper.keytab | hd1.dtstack.com host |
| zookeeper/hd2.dtstack.com@DTSTACK.COM | /etc/security/keytab/zookeeper.keytab | hd2.dtstack.com host |
| zookeeper/hd3.dtstack.com@DTSTACK.COM | /etc/security/keytab/zookeeper.keytab | hd3.dtstack.com host |

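On host hd1.dtstack.com, create the Kerberos principals with root privileges, using the zookeeper system user

Run the generation script on every machine; it creates the principal automatically (run it on each node).

bash /root/bigdata/getkeytabs.sh /etc/security/keytab/zookeeper.keytab zookeeper

3. Installing Zookeeper

Modify the configuration files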

[root@hd2.dtstack.com ~]# cd /root/bigdata && tar -xzvf apache-zookeeper-3.7.1-bin.tar.gz -C /opt
[root@hd2.dtstack.com ~]# ln -s /opt/apache-zookeeper-3.7.1-bin/ /opt/zookeeper
[root@hd2.dtstack.com ~]# cd /opt/zookeeper/conf
[root@hd2.dtstack.com conf]# cat >zoo.cfg<<EOF
tickTime=2000
initLimit=10
syncLimit=5
dataDir=/data/zookeeper/data/
dataLogDir=/data/zookeeper/log/
clientPort=2181
maxCnxns=20000
maxClientCnxns=2000
minSessionTimeout=4000
maxSessionTimeout=60000
autopurge.purgeInterval=24
autopurge.snapRetainCount=5
quorum.cnxn.threads.size=20
# ZK cluster server addresses
server.1=hd1:2888:3888
server.2=hd2:2888:3888
server.3=hd3:2888:3888
# ZK Kerberos configuration
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
jaasLoginRenew=3600000
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true
requireClientAuthScheme=sasl
quorum.auth.enableSasl=true
quorum.auth.learner.saslLoginContext=Learner
quorum.auth.server.saslLoginContext=Server
quorum.auth.kerberos.servicePrincipal=zookeeper/hd1.dtstack.com@DTSTACK.COM
4lw.commands.whitelist=mntr,conf,ruok,cons
EOF

Note:

The purpose of the SSL settings in this configuration file (the part marked in red) is to resolve the permission-denied errors that occur during connection tests when Ranger is configured for Hive and other components.

Create the SSL authentication files zookeeper-jaas.conf and java.env

[root@hd2.dtstack.com conf]# cat >zookeeper-jaas.conf<<EOF
Server {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/etc/security/keytab/zookeeper.keytab"
    storeKey=true
    useTicketCache=false
    principal="zookeeper/hd2.dtstack.com@DTSTACK.COM";
};
Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/etc/security/keytab/zookeeper.keytab"
    storeKey=true
    useTicketCache=false
    principal="zookeeper/hd2.dtstack.com@DTSTACK.COM";
};
Learner {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/etc/security/keytab/zookeeper.keytab"
    storeKey=true
    useTicketCache=false
    principal="zookeeper/hd2.dtstack.com@DTSTACK.COM";
};
EOF

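Notes:

principal must be the concrete principal name; it cannot be hadoop/host_name@DTSTACK.COM or hadoop/_HOST@DTSTACK.COM, otherwise an error is reported.

The ZK server and client principals have already been created in Kerberos, so that step is omitted here; the client and server principals are different.

[root@hd2.dtstack.com conf]# cat >java.env<<EOF
export JVMFLAGS="-Djava.security.auth.login.config=/opt/zookeeper/conf/zookeeper-jaas.conf"
export JAVA_HOME="/opt/java"
EOF
[root@hd2.dtstack.com conf]# cat >/data/zookeeper/data/myid<<EOF
2
EOF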

Sync to the other machines

[root@hd2.dtstack.com conf]# cd /opt/
[root@hd2.dtstack.com opt]# scp -r apache-zookeeper-3.7.1-bin root@hd1.dtstack.com:/opt/
[root@hd2.dtstack.com opt]# scp -r apache-zookeeper-3.7.1-bin root@hd3.dtstack.com:/opt/

Adjust the configuration on the other machines

On host hd1.dtstack.com, as root:

[root@hd1.dtstack.com ~]# cat >/data/zookeeper/data/myid<<EOF
1
EOF
[root@hd1.dtstack.com ~]# ln -s /opt/apache-zookeeper-3.7.1-bin/ /opt/zookeeper
[root@hd1.dtstack.com ~]# cd /opt/apache-zookeeper-3.7.1-bin/conf
[root@hd1.dtstack.com conf]# sed -i 's#hd2.dtstack.com#hd1.dtstack.com#g' zookeeper-jaas.conf
[root@hd1.dtstack.com conf]# sed -i 's#hd2.dtstack.com#hd1.dtstack.com#g' zoo.cfg

On host hd3.dtstack.com, as root:

[root@hd3.dtstack.com ~]# cat >/data/zookeeper/data/myid<<EOF
3
EOF
[root@hd3.dtstack.com ~]# ln -s /opt/apache-zookeeper-3.7.1-bin/ /opt/zookeeper
[root@hd3.dtstack.com ~]# cd /opt/apache-zookeeper-3.7.1-bin/conf
[root@hd3.dtstack.com conf]# sed -i 's#hd2.dtstack.com#hd3.dtstack.com#g' zookeeper-jaas.conf
[root@hd3.dtstack.com conf]# sed -i 's#hd2.dtstack.com#hd3.dtstack.com#g' zoo.cfg

4. Starting and stopping the Zookeeper cluster

The ZK cluster start/stop script zk_cluster.sh is as follows:

[root@hd1.dtstack.com apache-zookeeper-3.7.1-bin]# cat >zk_cluster.sh<<'EOF'
#!/bin/bash
case $1 in
"start"){
for i in hd1.dtstack.com hd2.dtstack.com hd3.dtstack.com
do
    echo ---------- zookeeper $i 启动 ------------
    ssh $i "source /etc/profile;/opt/zookeeper/bin/zkServer.sh start"
done
};;
"stop"){
for i in hd1.dtstack.com hd2.dtstack.com hd3.dtstack.com
do
    echo ---------- zookeeper $i 停止 ------------
    ssh $i "source /etc/profile;/opt/zookeeper/bin/zkServer.sh stop"
done
};;
"status"){
for i in hd{1..3}
do
    echo ---------- zookeeper $i 状态 ------------
    ssh $i "source /etc/profile;/opt/zookeeper/bin/zkServer.sh status"
done
};;
esac
EOF

Change the ownership of the whole directory

[root@hd1.dtstack.com apache-zookeeper-3.7.1-bin]# chown -R zookeeper:zookeeper /opt/apache-zookeeper-3.7.1-bin
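The copy-and-sed steps in section 3 can leave a node with hd2's principal or the wrong myid, so a per-node check before the first start is useful. The following is an added example, not part of the original article: check_zk_node and make_sample_node are hypothetical names, and the sample files are constructed in a temporary directory instead of being read from /opt/zookeeper/conf and /data/zookeeper/data.

```bash
#!/bin/bash
# Added example, not from the article. check_zk_node CONF_DIR DATA_DIR FQDN
# prints one line per problem and returns the number of problems found.
check_zk_node() {
    local conf="$1" data="$2" fqdn="$3" bad=0 p kt myid
    local short="${fqdn%%.*}"
    # 1. Every JAAS section (Server, Client, Learner) must use this host's principal.
    for p in $(grep -o 'principal="[^"]*"' "$conf/zookeeper-jaas.conf" | cut -d'"' -f2); do
        case "$p" in
            "zookeeper/$fqdn@"*) ;;
            *) echo "JAAS principal names another host: $p"; bad=$((bad + 1)) ;;
        esac
    done
    # 2. myid must be the N of the server.N line that names this host.
    myid=$(tr -d '[:space:]' < "$data/myid")
    if ! grep -Eq "^server\.$myid=$short(\.[^:]+)?:" "$conf/zoo.cfg"; then
        echo "myid '$myid' has no server.$myid entry for $short"; bad=$((bad + 1))
    fi
    # 3. Each keytab named in the JAAS file must exist with no group/other bits set.
    for kt in $(grep -o 'keyTab="[^"]*"' "$conf/zookeeper-jaas.conf" | cut -d'"' -f2 | sort -u); do
        if [ ! -f "$kt" ]; then
            echo "keytab missing: $kt"; bad=$((bad + 1))
        elif [ "$(ls -ld "$kt" | cut -c5-10)" != "------" ]; then
            echo "keytab accessible beyond its owner: $kt"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Hypothetical helper: builds a constructed sample node under ROOT, laid out like
# the guide's conf and data directories. Arguments: ROOT MYID JAAS_HOST KEYTAB_MODE
make_sample_node() {
    mkdir -p "$1/conf" "$1/data"
    printf 'server.%s:2888:3888\n' 1=hd1 2=hd2 3=hd3 > "$1/conf/zoo.cfg"
    echo "$2" > "$1/data/myid"
    : > "$1/zookeeper.keytab"; chmod "$4" "$1/zookeeper.keytab"
    for s in Server Client Learner; do
        printf '%s {\n  keyTab="%s"\n  principal="zookeeper/%s@DTSTACK.COM";\n};\n' \
            "$s" "$1/zookeeper.keytab" "$3"
    done > "$1/conf/zookeeper-jaas.conf"
}

tmp=$(mktemp -d)
make_sample_node "$tmp/ok" 1 hd1.dtstack.com 600
make_sample_node "$tmp/stale" 2 hd2.dtstack.com 644   # hd2's files copied to hd1, never edited
check_zk_node "$tmp/ok/conf" "$tmp/ok/data" hd1.dtstack.com && echo "ok: no problems"
check_zk_node "$tmp/stale/conf" "$tmp/stale/data" hd1.dtstack.com || echo "stale: $? problem(s)"
rm -rf "$tmp"
```

On a real node the call would be check_zk_node /opt/zookeeper/conf /data/zookeeper/data "$(hostname -f)", assuming hostname -f returns the FQDN used in the principal.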

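Start command:

sh zk_cluster.sh start

Stop command:

sh zk_cluster.sh stop

Status command:

sh zk_cluster.sh status

5. Verifying the Zookeeper cluster

Check the cluster state by running sh zk_cluster.sh status.

Check the port with the command netstat -an|grep 2181.

Check the process with the command jps.

This completes the three-node ZK cluster setup.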
