Alluxio Logo

GCP Deployment Guide using Terraform

Slack Docker Pulls

This guide describes the Terraform modules used to deploy Alluxio on AWS GCP as a hybrid cloud compute cluster, connecting to a HDFS cluster in a remote network.

Overview

The hybrid cloud tutorial uses several modules to set up the GCP resources necessary to create two VPCs connected via VPC peering, a HDFS cluster in one of the VPCs, and an Alluxio cluster in the other VPC that mounts the HDFS cluster into its filesystem. To customize the Alluxio cluster to connect to an existing HDFS cluster, it is expected that the users will build their own Terraform configuration, invoking modules used in the tutorial. Several tools are provided within the Alluxio cluster to ensure that the cluster in AWS is able to successfully connect to a remote HDFS cluster.

Prerequisites

Terraform configuration layout

Using the tutorial’s configuration layout as an example, the layout of the hybrid cloud setup consists of the following components:

  • A VPC and subnet, to define the network in which cloud resources will be created within. It is strongly recommended to create a new VPC as opposed to using the default VPC. The vpc_with_internet module creates a VPC, a subnet within the VPC, a firewall to allow all traffic ingress from the created subnet, and another firewall to allow external ssh access.
  • VPC peering connection, to enable the corporate network in which the HDFS and Hive clusters reside to communicate with the cloud VPC in which the Alluxio cluster will reside and vice versa. The vpc_peering module creates the resources needed for the peering connection.
  • The Alluxio Dataproc cluster, consisting of the cluster of instances hosting the Alluxio service. The alluxio_cloud_cluster module encompasses the various resources needed to set up Alluxio in Dataproc. A firewall is added to open the Alluxio and Presto web ports.
  • A GCS bucket to serve as an intermediary for initialization and configuration files to be downloaded to or copied between instances.

The following diagram outlines the basic relationships and resources created by each module:

alluxio_terraform_gcp_modules (click image to enlarge)

Connectivity tools

While developing the terraform configuration, we strongly recommend testing the connectivity with a small Alluxio cluster before launching a full sized cluster. These tools can be found in the Alluxio master web UI Manager tab (http://MASTER_PUBLIC_DNS:19999).

The tools provided are:

This tool serves as a validation step before mounting the target HDFS path to Alluxio. It validates various aspects of the HDFS path with the current Alluxio configurations and identifies issues before the path is mounted to Alluxio.

  • It uses the same mount options as the Alluxio mount command. For example: 
    $ alluxio fs mount --readonly \
  --option alluxio.underfs.version=2.7 \
  --option alluxio.underfs.hdfs.configuration=/etc/hadoop/core-site.xml:/etc/hadoop/hdfs-site.xml \
  <alluxio-path> hdfs://<hdfs-path>
  • Set the readonly flag using the checkbox
  • Specify options as alluxio.underfs.version=2.7 alluxio.underfs.hdfs.configuration=/etc/hadoop/core-site.xml:/etc/hadoop/hdfs-site.xml in order for the validation tool to know what the configuration will look like for the target mount point.

This tool measures and visualizes the read/write IO throughput from the Alluxio cluster to the UFS.

  • The path specifies a UFS path to be used to read/write temporary data. Please make sure the target path is writable by Alluxio.
  • The IO size field specifies how much data each thread should read/write. It defaults to “4G”.
  • The threads field specifies how many threads to use concurrently on each worker. It defaults to 4.
  • The cluster limit field defines how many worker can run the IO throughput benchmark concurrently. It defaults to 1.

This tool checks to see if Alluxio can be connected to the Hive metastore. It identifies problems and provides advice on how to solve them.

  • The Metastore URI field defines the Hive Metastore URI(s) to connect to.
  • The database field defines the database to run tests against.
  • The tables field defines the list of tables to run tests against.
  • The Client Principal field specifies the client-side Kerberos principal to connect to a hive metastore with Kerberos enabled.
  • The Service Principal field specifies the hive metastore service principal. Provide when Kerberos is enabled in the target hive metastore.
  • The Client Keytab field specifies the path of the client keytab which contains the provided Client Principal. Provide when Kerberos is enabled in the target hive metastore.

Alluxio modules

Terraform modules are generally sourced from the public Terraform Registry, but they can also be sourced from a local path. This is the approach used by the GCP hybrid cloud tutorial.

Getting started

Create an empty directory to host your Terraform configuration files; henceforth this path will be referred to as /path/to/terraform/root.

Copy modules in the alluxio directory and scripts in the dataproc directory from the extracted tutorial tarball.

$ wget https://alluxio-public.storage.googleapis.com/enterprise-terraform/stable/gcp_hybrid_apache_simple.tar.gz
$ tar -zxf gcp_hybrid_apache_simple.tar.gz
$ cd gcp_hybrid_apache_simple
$ cp -r alluxio/ /path/to/terraform/root
$ cp -r dataproc/ /path/to/terraform/root

Create a main.tf file and declare an GCP provider. google-beta provider is used instead of google provider because some of the features needed only exist in google-beta. When those features are merged back to google provider in future releases, google provider will be used.

Set its region and zone to the desired GCP region and zone. By default, all resources will be created using this provider in its defined region. In order to create resources in distinct regions, declare another provider and set an alias for both providers.

provider "google-beta" {
  alias       = "google_compute"
  credentials = file("account.json")
  project     = "my-project-id"
  region      = "us-east1"
  zone        = "us-east1-d"
  version     = "~> 3.21"
}
  • project field can be removed if launching in a Cloud Shell
  • credentials field can be removed if launching a Cloud Shell or authenticating with ‘gcloud auth application-default login`.

Similarly, each resource must also declare which provider it is associated with.

resource "google_storage_bucket" "shared_gs_bucket" {
  provider      = google-beta.google_compute
}

Also in the main file, you can declare a module by setting its source to the relative path of the desired module. For example, to create a VPC using the aforementioned provider, add:

module "vpc_compute" {
  source = "./alluxio/vpc_with_internet/gcp"
  providers = {
    google-beta = google-beta.google_compute
  }
}

Below is a template main.tf with 2 GCP providers and a minimal layout of Alluxio modules, denoting the relationship between modules.

provider "google-beta" {
  alias   = "google_compute"
  region  = "us-east1"
  zone    = "us-east1-d"
  version = "~> 3.21"
}

provider "google-beta" {
  alias   = "google_on_prem"
  region  = "us-west1"
  zone    = "us-west1-a"
  version = "~> 3.21"
}

resource "google_storage_bucket" "shared_gs_bucket" {
  provider      = google-beta.google_compute
  name          = "my-bucket-name"
  force_destroy = true
}

// Mocking for the VPC network of on-prem HDFS/Hive cluster
module "vpc_on_prem" {
  source = "./alluxio/vpc_with_internet/gcp"
  providers = {
    google-beta = google-beta.google_on_prem
  }
}

// VPC for the compute cluster
module "vpc_compute" {
  source = "./alluxio/vpc_with_internet/gcp"
  providers = {
    google-beta = google-beta.google_compute
  }
}

resource "google_storage_bucket_object" "compute_alluxio_bootstrap" {
  provider = google-beta.google_compute
  bucket   = google_storage_bucket.shared_gs_bucket.name
  name     = "alluxio-dataproc.sh"
  source = "dataproc/alluxio-dataproc.sh"
}

resource "google_storage_bucket_object" "compute_presto_bootstrap" {
  provider = google-beta.google_compute
  bucket   = google_storage_bucket.shared_gs_bucket.name
  name     = "presto-dataproc.sh"
  source   = "dataproc/presto-dataproc.sh"
}

module "dataproc_compute" {
  source = "./alluxio/alluxio_cloud_cluster/gcp"
  providers = {
    google-beta = google-beta.google_compute
  }

  vpc_self_link    = module.vpc_compute.vpc_self_link
  subnet_self_link = module.vpc_compute.subnet_self_link
  staging_bucket   = google_storage_bucket.shared_gs_bucket.name

  alluxio_bootstrap_gs_uri = "gs://${google_storage_bucket.shared_gs_bucket.name}/${google_storage_bucket_object.compute_alluxio_bootstrap.name}"
  presto_bootstrap_gs_uri  = "gs://${google_storage_bucket.shared_gs_bucket.name}/${google_storage_bucket_object.compute_presto_bootstrap.name}"
  
  // Values from the on-prem HDFS/Hive cluster need to be filled in
  // so that alluxio and presto inside this compute cluster can connect to the on-prem HDFS/Hive cluster
  on_prem_hdfs_address = "${on_prem_hdfs_address}"
  on_prem_hms_address  = "${on_prem_hive_metastore_address}"
}

// Mocking for the network connection between on-prem cluster and compute cluster
module "vpc_peering" {
  source = "./alluxio/vpc_peering/gcp"
  providers = {
    google-beta.on_prem       = google-beta.google_on_prem
    google-beta.cloud_compute = google-beta.google_compute
  }

  use_default_name = var.use_default_name
  custom_name      = var.custom_name

  on_prem_vpc_self_link          = module.vpc_on_prem.vpc_self_link
  on_prem_subnet_self_link       = module.vpc_on_prem.subnet_self_link
  cloud_compute_vpc_self_link    = module.vpc_compute.vpc_self_link
  cloud_compute_subnet_self_link = module.vpc_compute.subnet_self_link
}

A more concrete example can be found in gcp_hybrid_apache_simple/main.tf which creates a Dataproc cluster mocking the HDFS and Hive cluster in high availability mode, a Dataproc cluster running Alluxio and Presto connecting to the remote HDFS and Hive, and a VPC peering connecting the network between two Dataproc clusters.

The following sections describe the various input variables and outputs of each module.

Module common variables

Each module published by Alluxio has the following Terraform variables in common:

  • enabled
    • type: bool
    • default: true
    • description: If set to false, the module will not create any resources, effectively disabling the module. This is useful when a module should only be invoked conditionally.
  • depends_on_variable
    • type: any
    • default: null
    • description: This placeholder variable can be used to define an explicit dependency to another module or resource.
  • use_default_name
    • type: bool
    • default: true
    • description: Each resource has a default readable name. If set to false, a random string will be prefixed to the default name to avoid name collisions when the same Terraform configuration is invoked concurrently. When developing and testing, it is recommended to set this to false, but on a production cluster, this should be set as false.
  • custom_name
    • type: string
    • default: ""
    • description: Each resource created will be prefixed with the provided custom name. This is helpful to identify the resources created by Terraform.

Specific module input variables and outputs

The alluxio_cloud_cluster module creates a Dataproc cluster configured with a bootstrap action to configure and deploy Alluxio.

  • vpc_self_link
    • type: string
    • REQUIRED
    • description: Self link of VPC to create Dataproc cluster in
  • subnet_self_link
    • type: string
    • REQUIRED
    • description: Self link of VPC subnet to create Dataproc cluster in

  • optional_components
    • type: list(string)
    • default: []
    • description: List of optional components to activate on the cluster. Presto optional components will be activated by default if value is left as an empty list.
  • initialization_actions
    • type: list(string)
    • default: []
    • description: List of additional initialization actions to execute after provisioning
  • metadata
    • type: string
    • default: ""
    • description: A map of Compute Engine metadata entries to add to all instances. Metadata contains the key value configuration pairs needed for initialization actions.
  • override_properties
    • type: map(string)
    • default: {}
    • description: A list of override and additional properties (key/value pairs) used to modify various aspects of the common configuration files used when creating a cluster. For a list of valid properties please see Cluster properties
  • dataproc_image_version
    • type: string
    • default: "1.4.27-debian10"
    • description: The image version for Dataproc cluster.
  • staging_bucket
    • type: string
    • default: ""
  • master_config
    • type: 
      object({
instance_count  = number
instance_type   = string
})
    • default: 
      {
instance_count  = 1
instance_type   = "n1-highmem-4"
}
    • description: Master instance(s) configuration details.
  • worker_config
    • type: 
      object({
num_local_ssds  = number
instance_count  = number
instance_type   = string
})
    • default: 
      {
num_local_ssds  = 1
instance_count  = 2
instance_type   = "n1-highmem-4"
}
    • description: Worker instance(s) configuration details

  • alluxio_tarball_url
    • type: string
    • default: "https://downloads.alluxio.io/protected/files/alluxio-enterprise-trial.tar.gz"
    • description: Alluxio tarball download url
  • alluxio_additional_properties
    • type: string
    • default: ""
    • description: A string containing a delimited set of properties which should be added to the alluxio-site.properties file. The delimiter by default is a semicolon ‘;’.
  • alluxio_active_sync_list
    • type: string
    • default: "/"
    • description: A string containing a delimited set of Alluxio paths where UFS metadata will be periodically synced with the Alluxio namespace. The delimiter by default is a semicolon ‘;’.
  • alluxio_ssd_percentage_usage
    • type: number
    • default: 60
    • description: Percentage of the machine attached SSDs to be configured as Alluxio worker storage. O means that machine memory will be configured as Alluxio worker storage.
  • alluxio_bootstrap_gs_uri
    • type: string
    • default: null
    • description: GS uri of the alluxio bootstrap script
  • presto_bootstrap_gs_uri
    • type: string
    • default: null
    • description: GS uri of the presto bootstrap script
  • on_prem_hdfs_address
    • type: string
    • default: ""
    • description: On-prem hdfs address (e.g. hdfs://<on_prem_hdfs_master_hostname>:8020/path/to/mount) for alluxio to connect to.
  • on_prem_hms_address
    • type: string
    • default: ""
    • description: On-prem hive metastore address (e.g. thrift://:9083) for Presto and Spark to connect to
  • on_prem_core_site_uri
    • type: string
    • default: ""
    • description: An gs:// or http(s):// URI to download on_prem core-site.xml file from. If provided, Presto and Alluxio will be configured with the given core-site.xml
  • on_prem_hdfs_site_uri
    • type: string
    • default: ""
    • description: An gs:// or http(s):// URI to download on_prem hdfs-site.xml file from. If provided, Presto and Alluxio will be configured with the given hdfs-site.xml
  • hdfs_version
    • type: string
    • default: "hadoop-2.9"
    • description: Version of the hdfs to connect to. Valid values include cdh-5.11, cdh-5.12, cdh-5.13, cdh-5.14, cdh-5.15, cdh-5.16, cdh-5.6, cdh-5.8, cdh-6.0, cdh-6.1, cdh-6.2, cdh-6.3, hadoop-2.2, hadoop-2.3, hadoop-2.4, hadoop-2.5, hadoop-2.6, hadoop-2.7, hadoop-2.8, hadoop-2.9, hadoop-3.0, hadoop-3.1, hadoop-3.2, hdp-2.0, hdp-2.1, hdp-2.2, hdp-2.3, hdp-2.4, hdp-2.5, hdp-2.6, hdp-3.0, hdp-3.1

  • cluster_master_hostname
    • description: Master hostname of the Dataproc cluster
  • cluster_master_public_ip
    • description: Master public ip of the Dataproc cluster
  • cluster_master_private_hostname
    • description: Master private hostname of the Dataproc cluster
  • dataproc_cluster_name
    • description: Name of the Dataproc cluster

The vpc_peering module creates a peering connection between two VPCs. Each of the declared variables are required.

  • cloud_compute_vpc_self_link
    • type: string
    • REQUIRED
    • description: VPC self link of the cloud compute cluster
  • cloud_compute_subnet_self_link
    • type: string
    • REQUIRED
    • description: Subnet self link of the cloud compute cluster
  • on_prem_vpc_self_link
    • type: string
    • REQUIRED
    • description: Vpc self link of the on-prem cluster
  • on_prem_subnet_self_link
    • type: string
    • REQUIRED
    • description: Subnet self link of the on-prem cluster

The vpc_with_internet module creates a VPC and subnet within the VPC.

  • subnet_cidr
    • type: string
    • default: ""
    • description: Subnet CIDR block to create VPC with. If left empty, a random CIDR block will be used

  • vpc_self_link
    • description: VPC self link
  • subnet_self_link
    • description: Subnet self link

Connecting to an existing HDFS cluster

After the Terraform configuration is ready, launch a small cluster with 1 worker. The Alluxio web UI url should be accessible at http://MASTER_PUBLIC_IP:19999; this is also provided as an output of the alluxio_cloud_cluster module. Access the connectivity tools under the Manager tab.

Firewall Configuration between On-premise and Compute Clusters

With respect to communication between the cloud compute cluster and on-premise cluster, there are 4 considerations for network connectivity:

  1. Compute cluster egress = what traffic is allowed to be sent out of the compute cluster to a destination
  2. Compute cluster ingress = what traffic is allowed to be received into the compute cluster from a destination
  3. On-premise cluster egress = what traffic is allowed to be sent out of the on-premise cluster to a destination
  4. On-premise cluster ingress = what traffic is allowed to be received into the on-premise cluster from a destination For each consideration, one needs to know the ports in which traffic will be traversing through.

The compute cluster settings are defined by configuring the security group(s) associated with the instances. Generally, all egress traffic is open; this implies all ports are available to send information to any destination. Ingress traffic typically should be more restrictive to protect services from being publicly accessible. Specific ports and destinations should be whitelisted to permit the expected traffic from the on-premise cluster.

For the on-premise cluster, its firewall similarly needs to allow the compute cluster to communicate by opening its ports.

HDFS

As of Dec 2020, the default Dataproc version is 1.4-debian10, which uses Hadoop 2.9.2. The below section covers the default setup. You can find more about component versions corresponding to this Dataproc version here.

By default there are two NameNodes coordinated with high availability. The name node will have the below ports on the master nodes:

  • NameNode port: 8020
  • Lifeline RPC port (dfs.namenode.lifeline.rpc-address): 8050
  • Service RPC port (dfs.namenode.servicerpc-address): 8051
  • HTTP port: 9870
  • HTTPS port (default not open, using HTTP): 9871

The data node will have the below ports on the worker nodes:

  • HTTP port: 9864
  • HTTPS port (default not open, using HTTP): 9865
  • DataNode port: 9866
  • IPC port: 9867

If you need access to more ports you will find the related configuration at Apache HDFS hdfs-default.xml.

Note: Dataproc has some specific configurations defined in /etc/hadoop/conf that are different from the Apache default.

Hive Metastore

As of Dec 2020, the default Dataproc version is 1.4-debian10, which uses Hive 2.3.7. The below section covers the default setup. You can find more about component versions corresponding to this Dataproc version here.

The Hive metastore will be using the below port:

  • Metastore: 9083

You can find more detailed documentations about Hive configuration properties here.