1. Plan the cluster
Architecture diagram:
Every connection in the diagram should be secured: both client-to-node and node-to-node traffic is encrypted with TLS in the Puppet manifest below.
Make sure the hostnames and IP addresses of all nodes resolve correctly (the certificates are issued per host name, so resolution must be consistent on every node).
The nodes must be able to reach each other.
Node name  | IP address     | DNS servers
cassnode01 | 172.27.192.111 |
cassnode02 | 172.27.192.112 |
cassnode03 | 172.27.192.113 |
Disk requirements:
One spinning 500GB disk for data; one 100GB SSD for the commit log and the saved caches (the commit log gets its own device so sequential writes are not contended by data reads)
Node name  | Data folder             | Commit log folder            | Cache folder
cassnode01 | /var/lib/cassandra/data | /var/lib/cassandra/commitlog | /var/lib/cassandra/saved_caches
cassnode02 | /var/lib/cassandra/data | /var/lib/cassandra/commitlog | /var/lib/cassandra/saved_caches
cassnode03 | /var/lib/cassandra/data | /var/lib/cassandra/commitlog | /var/lib/cassandra/saved_caches
2. Prepare server certificates
This takes 3 steps:
- Create a keystore and generate a certificate on each node
- Export the public part of the certificate to a separate file and copy that file to all other nodes
- Add every node's certificate to the truststore of every node, so each node can verify the identity of the others
Ref: https://docs.datastax.com/en/datastax_enterprise/4.8/datastax_enterprise/sec/secPrepareCerts.html
3. Use Puppet to provision everything
The configuration data can be supplied through Hiera or a profile class. The node definition below has been tested.
node 'cassnode01' {
  class { 'jdk_oracle': # provision the Oracle JDK instead of OpenJDK
    jce    => 'true',   # the Oracle Java Cryptography Extension (JCE) unlimited-strength policy is needed
    before => Class['cassandra::datastax_repo'],
  }
  class { 'cassandra::datastax_repo': # configure the DataStax repo
    descr   => 'DataStax Repo for DataStax Enterprise',
    # the DataStax download credentials live in the URL: in a real deployment supply this
    # value (and the keystore passwords below) from Hiera rather than as a literal in the manifest
    pkg_url => 'https://robert1.chen_66827:Testing123@rpm.datastax.com/enterprise',
    before  => Class['cassandra'],
  }
  class { 'cassandra':
    cluster_name    => 'MyCassandraCluster', # the cluster name
    endpoint_snitch => 'GossipingPropertyFileSnitch',
    listen_address  => $::ipaddress, # required; the module default is localhost
    rpc_address     => $::ipaddress, # required; the module default is localhost
    seeds           => '172.27.192.68',
    config_path     => '/etc/dse/cassandra',
    # client SSL (client-to-node):
    client_encryption_enabled             => 'true',
    client_encryption_keystore            => '/etc/dse/cassandra/keys/.keystore',
    client_encryption_keystore_password   => 'Testing123',
    client_encryption_truststore          => '/etc/dse/cassandra/keys/.truststore',
    client_encryption_truststore_password => 'Testing123',
    client_encryption_require_client_auth => 'true', # there is a bug for this right now? Checking with DataStax
    # server SSL (node-to-node):
    server_encryption_internode           => 'all',
    server_encryption_keystore            => '/etc/dse/cassandra/keys/.keystore',
    server_encryption_keystore_password   => 'Testing123',
    server_encryption_truststore          => '/etc/dse/cassandra/keys/.truststore',
    server_encryption_require_client_auth => 'true',
    package_ensure  => '4.8.7-1',
    package_name    => 'dse-full',
    service_name    => 'dse',
    service_systemd => true
  } ->
  class { 'cassandra::datastax_agent': # configure the DataStax agent
    service_enable  => 'true',
    stomp_interface => '172.27.192.68'
  }
  # set up OpsCenter and its security settings
  class { '::cassandra::opscenter':
    service_enable         => 'true',
    authentication_enabled => 'true',
    agents_use_ssl         => 'true',
    webserver_ssl_certfile => '/var/lib/opscenter/ssl/opscenter.pem',
    webserver_ssl_keyfile  => '/var/lib/opscenter/ssl/opscenter.key',
    webserver_ssl_port     => '8443'
  }
}
4. Configure cqlsh and DevCenter
For cqlsh, refer to: https://docs.datastax.com/en/cassandra/2.1/cassandra/security/secureCqlshSSL_t.html
For DevCenter:
- Copy the truststore that includes all node certificates to the DevCenter machine, so DevCenter can verify the nodes
- Generate a certificate for the DevCenter machine and import it into the truststore of each node, so Cassandra can recognize the DevCenter machine (needed because client_encryption_require_client_auth is set to 'true' above)
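The keytool sequence behind step 2 (node keystores and truststores) and step 4 (the DevCenter client certificate), as an added example; this is not code from the original post or from DataStax. It assumes the key alias equals the host name, an RSA 2048-bit key with 365-day validity, a placeholder -dname, the key directory the manifest above uses, and that the keystore and truststore passwords come from the environment (KS_PASS, TS_PASS) instead of being typed into a manifest. DRY_RUN=1 prints each keytool command instead of running it.

```shell
#!/bin/sh
# Added example: keytool steps for per-node keystores/truststores and a client cert.
# Assumptions (not from the post): alias = host name, RSA 2048, 365 days, placeholder
# -dname, passwords from KS_PASS/TS_PASS. DRY_RUN=1 echoes the commands (passwords
# included), so only use it on a scratch machine.

KEYDIR="${KEYDIR:-/etc/dse/cassandra/keys}"

# Run a command, or print it verbatim when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Refuse to continue with an empty password rather than fall back to a default.
need_pass() {
    [ -n "$KS_PASS" ] && [ -n "$TS_PASS" ] || {
        echo "KS_PASS and TS_PASS must be set" >&2
        return 1
    }
}

# Step 2a (node) / step 4 (DevCenter): create this host's keystore with a self-signed key pair.
gen_keystore() {
    host="$1"
    need_pass || return 1
    run keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 \
        -alias "$host" -dname "CN=$host, OU=Cassandra, O=Example, C=US" \
        -keystore "$KEYDIR/.keystore" -storepass "$KS_PASS" -keypass "$KS_PASS"
}

# Step 2b: export the public certificate (PEM) so it can be copied to the other hosts.
export_cert() {
    host="$1"
    need_pass || return 1
    run keytool -exportcert -rfc -alias "$host" -keystore "$KEYDIR/.keystore" \
        -storepass "$KS_PASS" -file "$KEYDIR/$host.cer"
}

# Show a received certificate's fingerprints. Compare the SHA-256 value out of band
# before importing: an scp copy of a .cer file is not authenticated by itself.
fingerprint() {
    run keytool -printcert -file "$KEYDIR/$1.cer"
}

# Step 2c (and the node side of step 4): import every listed certificate, the host's
# own included, into the local truststore. -noprompt skips the interactive question.
build_truststore() {
    need_pass || return 1
    for peer in "$@"; do
        run keytool -importcert -noprompt -alias "$peer" -file "$KEYDIR/$peer.cer" \
            -keystore "$KEYDIR/.truststore" -storepass "$TS_PASS"
    done
}

# Whole sequence for one cluster node: gen, export, then trust self plus the peers
# whose .cer files have already been copied into KEYDIR.
provision_node() {
    host="$1"; shift
    gen_keystore "$host" && export_cert "$host" && build_truststore "$host" "$@"
}

# Usage, step 2, on cassnode01 once cassnode02.cer and cassnode03.cer are in KEYDIR:
#   KS_PASS=... TS_PASS=... provision_node cassnode01 cassnode02 cassnode03
# Usage, step 4, on the DevCenter machine:
#   gen_keystore devcenter && export_cert devcenter && build_truststore cassnode01 cassnode02 cassnode03
# then copy devcenter.cer to every node and run: build_truststore devcenter
```

Because the manifest sets both require_client_auth switches to 'true', the DevCenter certificate has to end up in every node's truststore, not just the truststore of the node DevCenter first connects to; the same applies to any other client certificate, including the one cqlsh presents.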
The post Provision Cassandra (datastax enterprise) using puppet appeared first on Robert Chen.