cloudera / cloudera-scripts-for-log4j

Scripts for addressing log4j zero day security issue
Apache License 2.0

HDP: We added code to run the patch on the active name node only. #25

Open nashvm opened 2 years ago

nashvm commented 2 years ago

We run the patch with ansible on all machines.

Added code in patch_hdfs_tgz.sh, under the kinit line:

```sh
kinit -kt $keytab $principal
# added under the line above: exit early unless this host is the active NameNode
hdfs haadmin -getAllServiceState | grep active | grep "$(hostname)"
active_nn=$?
if [ $active_nn -eq 1 ]; then
    exit 0
fi
```

jtran-cloudera commented 2 years ago

Thanks for the suggestion. We will look into this. Note that there is already code which ensures via a marker file that even when the HDFS phase runs on multiple hosts, only one will modify the HDFS contents.

dins2k2 commented 2 years ago

> Thanks for the suggestion. We will look into this. Note that there is already code which ensures via a marker file that even when the HDFS phase runs on multiple hosts, only one will modify the HDFS contents.

But this command `ps -efww | grep org.apache.hadoop.hdfs.server.namenode.NameNode | grep -v grep` in hdp_log4j_jndi_removal.sh returns true for both the active and standby NNs, so the patch_hdfs_tgz.sh script runs twice, which is duplicated effort and time-consuming.
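The guard discussed in this thread (run the HDFS phase only on the active NameNode, rather than on every host where the `ps` check finds a NameNode process), written out as an added example. This is not code from cloudera-scripts-for-log4j or from either commenter; the function names `is_active_nn` and `should_run_hdfs_phase`, and the sample `hdfs haadmin -getAllServiceState` output (assumed to be one `host:port STATE` line per NameNode), are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of cloudera-scripts-for-log4j.
# Decides whether the HDFS patch phase should run on this host by checking
# whether it is the active NameNode, instead of the ps-based check that
# matches both the active and the standby NameNode.
#
# Assumption (not from the thread): `hdfs haadmin -getAllServiceState`
# prints one "host:port STATE" line per NameNode, as in the sample below.

# is_active_nn HOST HAADMIN_OUTPUT
# Returns 0 if HOST appears on a line whose state is "active", 1 otherwise.
# Comparing the whole host field (before ":") instead of grepping for a
# substring avoids "nn1" matching "nn10".
is_active_nn() {
    host=$1
    out=$2
    printf '%s\n' "$out" | awk -v h="$host" '
        { split($1, f, ":"); if (f[1] == h && $2 == "active") found = 1 }
        END { exit(found ? 0 : 1) }'
}

# should_run_hdfs_phase HOST [HAADMIN_CMD]
# Runs HAADMIN_CMD (default: the real hdfs haadmin call) and returns 0 when
# the HDFS phase should run on HOST. If haadmin itself fails (for example a
# non-HA cluster with a single NameNode), fall through to running, so the
# log4j fix is never silently skipped on a cluster where the check does not apply.
should_run_hdfs_phase() {
    host=$1
    cmd=${2:-"hdfs haadmin -getAllServiceState"}
    if ! out=$($cmd 2>/dev/null); then
        return 0
    fi
    is_active_nn "$host" "$out"
}

# Constructed sample of haadmin output for an HA pair (not captured from a real cluster).
SAMPLE_HAADMIN_OUTPUT='nn1.example.com:8020                               active
nn2.example.com:8020                               standby'

# Intended use in patch_hdfs_tgz.sh, directly after the kinit line:
#   should_run_hdfs_phase "$(hostname -f)" || exit 0
```

The hostname passed in must match the form haadmin prints (fully qualified versus short), so check one real `hdfs haadmin -getAllServiceState` run on the cluster before relying on `hostname -f`.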

jtran-cloudera commented 2 years ago

Ah, this was on HDP? I see that the marker file logic doesn't exist there.

dins2k2 commented 2 years ago

> Ah, this was on HDP? I see that the marker file logic doesn't exist there.

Yes

dins2k2 commented 2 years ago

@jtran-cloudera Any update on fixing this?