Config Doris to Deploy
Cluster planningβ
In the default DorisCluster resource deployment, the FE and BE images may not be the latest versions, and the default replica count for both FE and BE is set to 3. Additionally, Additionally, the default resource configuration for FE is 6 CPUs and 12Gi of memory, while for BE, it is 8 CPUs and 16Gi of memory. This section describes how to modify these default configurations according to your requirements.
Image settingsβ
Doris Operator is decoupled from the Doris version and supports deploying Doris versions 2.0 and above.
FE image configuration
To specify the FE image version, use the following configuration:
spec:
feSpec:
image: ${image}
Replace ${image} with the desired image name, then update the configuration in the target DorisCluster resource. Official FE images are available at FE Image.
BE image configuration
To specify the BE image version, use the following configuration:
spec:
beSpec:
image: ${image}
Replace ${image} with the desired image name, then update the configuration in the target DorisCluster resource. Official BE images are available at BE Image.
Replicas settingsβ
FE Replicas Setting
To modify the default FE replica count of 3 to 5, use the following configuration:
spec:
feSpec:
replicas: 5
Update the configuration in the target DorisCluster resource.
BE Replicas Setting
To modify the default FE replica count of 3 to 5, use the following configuration:
spec:
beSpec:
replicas: 5
Update the configuration to the DorisCluster resource that needs to be deployed.
Computing resource settingsβ
FE computing resource configuration
The default compute resource configuration for FE is 6 CPUs and 12Gi of memory. To modify it to 8CPUs and 16Gi, use the following configuration:
spec:
feSpec:
requests:
cpu: 8
memory: 16Gi
limits:
cpu: 8
memory: 16Gi
Update the configuration in the target DorisCluster resource.
BE computing resource setting
The default compute resource configuration for BE is 8 CPUs and 16Gi of memory. To modify it to 16 CPUs and 32Gi of memory, use the following configuration:
spec:
beSpec:
requests:
cpu: 16
memory: 32Gi
limits:
cpu: 16
memory: 32Gi
Update the configuration in the target DorisCluster resource.
The minimum required resources for FE and BE to start are 4 CPUs and 8Gi of memory. For normal performance testing, it is recommended to configure 8 CPUs and 8Gi of memory.
Custom startup configurationβ
Doris uses ConfigMap to decouple configuration files from services, in Kubernetes. By default, services use the default configurations in the image as startup parameter configurations. To customize the startup parameters, create a specific ConfigMap following the instructions in the FE Configuration Document and the BE Configuration Document. Then deploy the customized ConfigMap to the namespace where the DorisCluster resource is to be deployed.
Custom FE startup configurationβ
Step 1: Create and deploy the FE ConfigMapβ
The following example defines a ConfigMap named fe-conf for use with Doris FE:
apiVersion: v1
kind: ConfigMap
metadata:
name: fe-conf
labels:
app.kubernetes.io/component: fe
data:
fe.conf: |
CUR_DATE=`date +%Y%m%d-%H%M%S`
# the output dir of stderr and stdout
LOG_DIR = ${DORIS_HOME}/log
JAVA_OPTS="-Djavax.security.auth.useSubjectCredsOnly=false -Xss4m -Xmx8192m -XX:+UseMembar -XX:SurvivorRatio=8 -XX:MaxTenuringThreshold=7 -XX:+PrintGCDateStamps -XX:+PrintGCDetails -XX:+UseConcMarkSweepGC -XX:+UseParNewGC -XX:+CMSClassUnloadingEnabled -XX:-CMSParallelRemarkEnabled -XX:CMSInitiatingOccupancyFraction=80 -XX:SoftRefLRUPolicyMSPerMB=0 -Xloggc:$DORIS_HOME/log/fe.gc.log.$CUR_DATE"
# For jdk 9+, this JAVA_OPTS will be used as default JVM options
JAVA_OPTS_FOR_JDK_9="-Djavax.security.auth.useSubjectCredsOnly=false -Xss4m -Xmx8192m -XX:SurvivorRatio=8 -XX:MaxTenuringThreshold=7 -XX:+CMSClassUnloadingEnabled -XX:-CMSParallelRemarkEnabled -XX:CMSInitiatingOccupancyFraction=80 -XX:SoftRefLRUPolicyMSPerMB=0 -Xlog:gc*:$DORIS_HOME/log/fe.gc.log.$CUR_DATE:time"
# INFO, WARN, ERROR, FATAL
sys_log_level = INFO
# NORMAL, BRIEF, ASYNC
sys_log_mode = NORMAL
# Default dirs to put jdbc drivers,default value is ${DORIS_HOME}/jdbc_drivers
# jdbc_drivers_dir = ${DORIS_HOME}/jdbc_drivers
http_port = 8030
rpc_port = 9020
query_port = 9030
edit_log_port = 9010
enable_fqdn_mode = true
When using the ConfigMap to mount FE startup configuration, the key corresponding to the configuration must be fe.conf. Write the ConfigMap to a file and deploy it to the namespace where the DorisCluster resource is deployed, using the following command:
kubectl -n ${namespace} apply -f ${feConfigMapFile}.yaml
Here, ${namespace} refers to the namespace where the DorisCluster is to be deployed, and ${feConfigMapFile} is the name of the ConfigMap file for FE.
Step 2: Update the DorisCluster resourceβ
To use the ConfigMap named fe-conf for mounting the startup configuration, add the following config to the FE spec of the DorisCluster resource:
spec:
feSpec:
configMapInfo:
configMapName: fe-conf
resolveKey: fe.conf
Please ensure that enable_fqdn_mode=true is included in the startup configuration.. If you want to use IP mode and K8s have the ability that the pod IP keep the same after restarted, please refer to the issue #138 to config.
Custom BE startup configurationβ
Step 1: Create and deploy the BE ConfigMapβ
The following example defines a ConfigMap named be-conf for use with Doris BE:
apiVersion: v1
kind: ConfigMap
metadata:
name: be-conf
labels:
app.kubernetes.io/component: be
data:
be.conf: |
CUR_DATE=`date +%Y%m%d-%H%M%S`
PPROF_TMPDIR="$DORIS_HOME/log/"
JAVA_OPTS="-Xmx1024m -DlogPath=$DORIS_HOME/log/jni.log -Xloggc:$DORIS_HOME/log/be.gc.log.$CUR_DATE -Djavax.security.auth.useSubjectCredsOnly=false -Dsun.java.command=DorisBE -XX:-CriticalJNINatives -DJDBC_MIN_POOL=1 -DJDBC_MAX_POOL=100 -DJDBC_MAX_IDLE_TIME=300000 -DJDBC_MAX_WAIT_TIME=5000"
# For jdk 9+, this JAVA_OPTS will be used as default JVM options
JAVA_OPTS_FOR_JDK_9="-Xmx1024m -DlogPath=$DORIS_HOME/log/jni.log -Xlog:gc:$DORIS_HOME/log/be.gc.log.$CUR_DATE -Djavax.security.auth.useSubjectCredsOnly=false -Dsun.java.command=DorisBE -XX:-CriticalJNINatives -DJDBC_MIN_POOL=1 -DJDBC_MAX_POOL=100 -DJDBC_MAX_IDLE_TIME=300000 -DJDBC_MAX_WAIT_TIME=5000"
# since 1.2, the JAVA_HOME need to be set to run BE process.
# JAVA_HOME=/path/to/jdk/
# https://github.com/apache/doris/blob/master/docs/zh-CN/community/developer-guide/debug-tool.md#jemalloc-heap-profile
# https://jemalloc.net/jemalloc.3.html
JEMALLOC_CONF="percpu_arena:percpu,background_thread:true,metadata_thp:auto,muzzy_decay_ms:15000,dirty_decay_ms:15000,oversize_threshold:0,lg_tcache_max:20,prof:false,lg_prof_interval:32,lg_prof_sample:19,prof_gdump:false,prof_accum:false,prof_leak:false,prof_final:false"
JEMALLOC_PROF_PRFIX=""
# INFO, WARNING, ERROR, FATAL
sys_log_level = INFO
# ports for admin, web, heartbeat service
be_port = 9060
webserver_port = 8040
heartbeat_service_port = 9050
brpc_port = 8060
When using the ConfigMap to mount BE startup configuration, the key corresponding to the configuration must be be.conf. Write the ConfigMap to a file and deploy it to the namespace where the DorisCluster resource is deployed using the following command:
kubectl -n ${namespace} apply -f ${beConfigMapFile}.yaml
Here, ${namespace} refers to the namespace where the DorisCluster resource needs to be deployed, and ${beConfigMapFile} is the name of the ConfigMap file for BE.
Step 2: Update the DorisCluster resourceβ
To use the ConfigMap named be-conf for mounting the startup configuration, add the following config to the BE spec of the DorisCluster resource:
spec:
feSpec:
configMapInfo:
configMapName: be-conf
resolveKey: be.conf
Please use the startup configMap to mount files, when you want mount the file into the config directory in container, the config directory is ${DORIS_HOME}/conf.
Mounting multiple ConfigMapsβ
The Doris Operator supports mounting multiple ConfigMaps into different directories within the container, allowing flexible configuration management.
Mounting multiple ConfigMaps for FE
The following example demonstrates how to mount two ConfigMaps test-fe1 and test-fe2 to the directories "/etc/fe/config1/" and "/etc/fe/config2",respectively, within the FE container:
spec:
feSpec:
configMaps:
- configMapName: test-fe1
mountPath: /etc/fe/config1
- configMapName: test-fe2
mountPath: /etc/fe/config2
Mounting multiple ConfigMaps for BE
Similarly, the following example shows how to mount two ConfigMaps test-be1 and test-be2 into the directories "/etc/be/config1" and "/etc/be/config2", respectively, within the BE container:
spec:
beSpec:
configMaps:
- configMapName: test-be1
mountPath: /etc/be/config1
- configMapName: test-be2
mountPath: /etc/be/config2
Persistent storageβ
Kubernetes provides the Persistent Volumes to persist data to physical storage. In Kubernetes, the Doris Operator automatically creates PersistentVolumeClaims associated with appropriate PersistentVolumes, based on the template that defined in the need deployed DorisCluster Resource.
Persistent storage for FEβ
In a Kubernetes-based Doris deployment, it is recommended to persist the following paths for FE:
- Metadata: /opt/apache-doris/fe/doris-meta (default storage configuration for FE metadata).
- Logs: /opt/apache-doris/fe/log (if log persistence is required).
Persistent metadata for FEβ
To persist FE metadata using the default storage configuration, add the following configuration to the DorisCluster resource:
spec:
feSpec:
persistentVolumes:
- mountPath: /opt/apache-doris/fe/doris-meta
name: meta
persistentVolumeClaimSpec:
# when use specific storageclass, the storageClassName should reConfig, example as annotation.
storageClassName: ${your_storageclass}
accessModes:
- ReadWriteOnce
resources:
# notice: if the storage size less 5G, fe will not start normal.
requests:
storage: ${storageSize}
In the above configuration, ${your_storageclass} represents the name of the StorageClass you want to use, and ${storageSize} represents the storage size you want to allocation. The format is quantity expression, such as: 100Gi.
Persistent FE logβ
If your cluster lacks a centralized log collection system, persist the FE log directory by adding the following configuration to the DorisCluster resource:
spec:
feSpec:
persistentVolumes:
- mountPath: /opt/apache-doris/fe/log
name: log
persistentVolumeClaimSpec:
# when use specific storageclass, the storageClassName should reConfig, example as annotation.
storageClassName: ${your_storageclass}
accessModes:
- ReadWriteOnce
resources:
# notice: if the storage size less 5G, fe will not start normal.
requests:
storage: ${storageSize}
In the above configuration, ${your_storageclass} represents the name of the StorageClass you want to use, and ${storageSize} represents the storage size you want to allocation. The format of ${storageSize} follows the quantity expression method of K8s, such as: 100Gi. Please replace them as needed when using.
If you have reconfigured meta_dir or sys_log_dir in the customized configuration file, please reconfigure the mountPath.
Persistent storage for BEβ
For BE nodes in a Doris deployment, it is recommended to persist the following paths:
- Data Storage: /opt/apache-doris/be/storage (default storage for BE data).
- Logs: /opt/apache-doris/be/log (if log persistence is required).
Persistent dataβ
Using default storage configuration
To persist data uses the default storage configuration, update the DorisCluster resource with the following configuration:beSpec:
persistentVolumes:
- mountPath: /opt/apache-doris/be/storage
name: be-storage
persistentVolumeClaimSpec:
storageClassName: ${your_storageclass}
accessModes:
- ReadWriteOnce
resources:
requests:
storage: ${storageSize}In the above configuration, ${your_storageclass} represents the name of the StorageClass you want to use, and ${storageSize} represents the storage size you want to use. The format of ${storageSize} follows the quantity expression method of K8s, such as: 100Gi. Please replace them as needed when using.
Customizing BE storage paths
To leverage multiple disks, you can configure multiple storage directories using storage_root_path. For example, if storage_root_path=/home/disk1/doris.HDD;/home/disk2/doris.SSD, the configuration should include:beSpec:
persistentVolumes:
- mountPath: /home/disk1/doris
name: be-storage1
persistentVolumeClaimSpec:
storageClassName: ${your_storageclass}
accessModes:
- ReadWriteOnce
resources:
requests:
storage: ${storageSize}
- mountPath: /home/disk2/doris
name: be-storage2
persistentVolumeClaimSpec:
storageClassName: ${your_storageclass}
accessModes:
- ReadWriteOnce
resources:
requests:
storage: ${storageSize}In the above configuration, ${your_storageclass} represents the name of the StorageClass you want to use, and ${storageSize} represents the storage size you want to use. The format of ${storageSize} follows the quantity expression method of K8s, such as: 100Gi. Please replace them as needed when using.
Persistent BE logβ
To persist BE logs when using the default configuration, update the DorisCluster resource DorisCluster resource as follows:
beSpec:
persistentVolumes:
- mountPath: /opt/apache-doris/be/log
name: belog
persistentVolumeClaimSpec:
storageClassName: ${your_storageclass}
accessModes:
- ReadWriteOnce
resources:
requests:
storage: ${storageSize}
In the above configuration, ${your_storageclass} represents the name of the StorageClass you want to use, and ${storageSize} represents the storage size you want to use. The format of ${storageSize} follows the quantity expression method of K8s, such as: 100Gi. Please replace them as needed when using.
Access Configurationβ
Kubernetes provides the use of Service as VIP (Virtual IP) and load balancer. There are three external exposure modes for Service: ClusterIP, NodePort, and LoadBalancer.
ClusterIPβ
Doris provides the ClusterIP access mode by default on Kubernetes. The ClusterIP access mode provides an internal IP address within the Kubernetes cluster to expose services through this internal IP. With the ClusterIP mode, services can only be accessed within the cluster.
Step 1: Configure ClusterIPβ
Doris provides the ClusterIP access mode by default on Kubernetes. You can use the ClusterIP access mode without any modification.
Step 2: Obtain the Serviceβ
After deploying the cluster, you can view the services exposed by the Doris Operator using the following command:
kubectl -n doris get svc
The returned result is as follows:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
doriscluster-sample-be-internal ClusterIP None <none> 9050/TCP 9m
doriscluster-sample-be-service ClusterIP 10.1.68.128 <none> 9060/TCP,8040/TCP,9050/TCP,8060/TCP 9m
doriscluster-sample-fe-internal ClusterIP None <none> 9030/TCP 14m
doriscluster-sample-fe-service ClusterIP 10.1.118.16 <none> 8030/TCP,9020/TCP,9030/TCP,9010/TCP 14m
In the above results, there are two types of services for FE and BE, with suffixes of "internal" and "service" respectively:
- The services with the "internal" suffix can only be used for internal communication within Doris, such as heartbeat, data exchange, and other operations, and are not for external use.
- The services with the "service" suffix can be used by users.
Step 3: Access doris from inside the containerβ
You can create a pod containing the mysql client in the current Kubernetes cluster using the following command:
kubectl run mysql-client --image=mysql:5.7 -it --rm --restart=Never --namespace=doris -- /bin/bash
From within the container in the cluster, you can access the Doris cluster using the service name with the "service" suffix that is exposed externally:
mysql -uroot -P9030 -hdoriscluster-sample-fe-service
NodePortβ
To access Doris from outside the Kubernetes cluster, you can use the NodePort service type. There are two ways to allocate a port for the NodePort: dynamic allocation and static allocation.
- Dynamic Allocation: If the port is not explicitly set, Kubernetes will automatically allocate an unused port from the default range (30000-32767) when the pod is created.
- Static Allocation:I f a port is explicitly specified, Kubernetes will allocate that port if it is available, ensuring it remains fixed.
Doris exposes the following ports for external access:
| Port Name | default value | Port Description |
|---|---|---|
| Query Port | 9030 | Used to access the Doris cluster via the MySQL protocol |
| HTTP Port | 8030 | The http server port on FE, used to view FE information |
| Web Server Port | 8040 | The http server port on BE, used to view BE information |
Step 1: Configure NodePortβ
FE NodePort
- Dynamic Allocation:
spec:
feSpec:
service:
type: NodePort - Static Allocation:
spec:
feSpec:
service:
type: NodePort
servicePorts:
- nodePort: 31001
targetPort: 8030
- nodePort: 31002
targetPort: 9030
BE NodePort
- Dynamic Allocation:
spec:
beSpec:
service:
type: NodePort - Static Allocation:
beSpec:
service:
type: NodePort
servicePorts:
- nodePort: 31006
targetPort: 8040
Step 2: Obtain the serviceβ
After deploying the cluster, you can view the services exposed by the Doris Operator using the following command:
kubectl get service
The returned result is as follows:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.152.183.1 <none> 443/TCP 169d
doriscluster-sample-fe-internal ClusterIP None <none> 9030/TCP 2d
doriscluster-sample-fe-service NodePort 10.152.183.58 <none> 8030:31041/TCP,9020:30783/TCP,9030:31545/TCP,9010:31610/TCP 2d
doriscluster-sample-be-internal ClusterIP None <none> 9050/TCP 2d
doriscluster-sample-be-service NodePort 10.152.183.244 <none> 9060:30940/TCP,8040:32713/TCP,9050:30621/TCP,8060:30926/TCP 2d
Step 3: Access service using NodePortβ
To access Doris via NodePort, you need to know the Node IP and the mapped port. You can retrieve the node IPs using:
kubectl get nodes -owide
Example output::
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
r60 Ready control-plane 14d v1.28.2 192.168.88.60 <none> CentOS Stream 8 4.18.0-294.el8.x86_64 containerd://1.6.22
r61 Ready <none> 14d v1.28.2 192.168.88.61 <none> CentOS Stream 8 4.18.0-294.el8.x86_64 containerd://1.6.22
r62 Ready <none> 14d v1.28.2 192.168.88.62 <none> CentOS Stream 8 4.18.0-294.el8.x86_64 containerd://1.6.22
r63 Ready <none> 14d v1.28.2 192.168.88.63 <none> CentOS Stream 8 4.18.0-294.el8.x86_64 containerd://1.6.22
You can then use the IP address of any node (e.g., 192.168.88.61, 192.168.88.62, or 192.168.88.63) along with the mapped port to access Doris. For example, using node 192.168.88.62 and port 31545:
mysql -h 192.168.88.62 -P 31545 -uroot
LoadBalancerβ
LoadBalancer service type provides an additional load balancer, typically offered by cloud service providers. This mode is only available when deploying the Doris cluster on Kubernetes clusters managed by a cloud platform.
Step 1: Configure the LoadBalancer modeβ
FE LoadBalancer
spec:
feSpec:
service:
type: LoadBalancer
BE LoadBalancer
spec:
beSpec:
service:
type: LoadBalancer
Step 2: Obtain the serviceβ
After deploying the cluster, you can view the services exposed by the Doris Operator using the following command:
kubectl get service
The returned result is as follows:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.152.183.1 <none> 443/TCP 169d
doriscluster-sample-fe-internal ClusterIP None <none> 9030/TCP 2d
doriscluster-sample-fe-service LoadBalancer 10.152.183.58 ac4828493dgrftb884g67wg4tb68gyut-1137856348.us-east-1.elb.amazonaws.com 8030:31041/TCP,9020:30783/TCP,9030:31545/TCP,9010:31610/TCP 2d
doriscluster-sample-be-internal ClusterIP None <none> 9050/TCP 2d
doriscluster-sample-be-service LoadBalancer 10.152.183.244 ac4828493dgrftb884g67wg4tb68gyut-1137823345.us-east-1.elb.amazonaws.com 9060:30940/TCP,8040:32713/TCP,9050:30621/TCP,8060:30926/TCP 2d
Step 3: Access service using LoadBalancerβ
To access Doris through the LoadBalancer, use the external IP (provided in the EXTERNAL-IP field) and the corresponding port. For example, using the mysql command:
mysql -h ac4828493dgrftb884g67wg4tb68gyut-1137856348.us-east-1.elb.amazonaws.com -P 31545 -uroot
Configuring the Username and Password for the Management Clusterβ
Managing Doris nodes requires connecting to the live FE nodes via the MySQL protocol using a username and password for administrative operations. Doris implements a permission management mechanism similar to RBAC, where the user must have the Node_priv permission to perform node management. By default, the Doris Operator deploys the cluster with the root user in passwordless mode.
The process of configuring the username and password can be divided into three scenarios:
- initializing the root user password during cluster deployment;
- automatically setting a non-root user with management permissions in the root passwordless deployment;
- setting the root user password after deploying the cluster in root passwordless mode.
To secure access, you must configure a username and password with Node_Priv permission in the DorisCluster resource after adding a password to the root user. There are two ways to set up the username and password for managing the cluster nodes:
- Using environment variables
- Using a Kubernetes Secret
Configuring the Root User Password during Cluster Deploymentβ
To set the root user's password securely, Doris supports encrypting it in fe.conf using a two-stage SHA-1 encryption process. Here's how to set up the password.
Step 1: Generate the root encrypted passwordβ
Use the following methods to encrypt the root password using two-stage SHA-1 encryption:
Java Code:
import org.apache.commons.codec.digest.DigestUtils;
public static void main( String[] args ) {
//the original password
String a = "123456";
String b = DigestUtils.sha1Hex(DigestUtils.sha1(a.getBytes())).toUpperCase();
//output the 2 stage encrypted password.
System.out.println("*"+b);
}Golang Code:
import (
"crypto/sha1"
"encoding/hex"
"fmt"
"strings"
)
func main() {
//original password
plan := "123456"
//the first stage encryption.
h := sha1.New()
h.Write([]byte(plan))
eb := h.Sum(nil)
//the two stage encryption.
h.Reset()
h.Write(eb)
teb := h.Sum(nil)
dst := hex.EncodeToString(teb)
tes := strings.ToUpper(fmt.Sprintf("%s", dst))
//output the 2 stage encrypted password.
fmt.Println("*"+tes)
}Configure the encrypted password into
fe.confaccording to the requirements of the configuration file format. Then, Then, distribute the configuration to the Kubernetes cluster using a ConfigMap, describes in the Cluster Parameter Configuration Section.
Step 2: Configure the DorisCluster resourceβ
After setting the root password in fe.conf, Doris will automatically apply the password to the first FE node when it starts. For other nodes to join the cluster, specify the username and password in the DorisCluster resource so that Doris Operator can perform automatic node management.
Using environment variables
Configure the username root and password into the ".spec.adminUser.name" and ".spec.adminUser.password" fields in the DorisCluster resource. Doris Operator will automatically convert the following configuration into environment variables for the container to use. The auxiliary services inside the container will use the username and password configured by the environment variables to add themselves to the specified cluster. The configuration format is as follows:
spec:
adminUser:
name: root
password: ${password}Here, ${password} is the unencrypted password of root.
Using secret
To securely manage the username and password, you can use a Kubernetes Basic Authentication Secret. Configure the Secret to store the root username and password and reference it in the DorisCluster resource. a. Configure the Required Secret
Configure the required Basic authentication Secret according to the following format:
stringData:
username: root
password: ${password}Here, ${password} is the unencrypted password set for root.
b. Configure the DorisCluster Resource to be Deployed
Configure the DorisCluster to specify the required Secret in the following format:
spec:
authSecret: ${secretName}Here, ${secretName} is the name of the Secret containing the root username and password.
Automatically Creating Non-Root Management Users and Passwords during Deployment (Recommended)β
For enhanced security, it is recommended to create a non-root user for management during the first deployment, rather than using the root user. In this method, the username and password for the non-root user are configured through environment variables or Secrets. The Doris container's auxiliary services will automatically create the user in the database, set the password, and grant the necessary Node_priv permission. After deployment, Doris Operator will use the newly created non-root username and password to manage the cluster nodes.
Using environment variables:
To configure a non-root user, you can set the username and password using environment variables in the DorisCluster resource:
spec:
adminUser:
name: ${DB_ADMIN_USER}
password: ${DB_ADMIN_PASSWD}Here, ${DB_ADMIN_USER} is the newly created username, and ${DB_ADMIN_PASSWD} is the password set for the newly created username.
Using Secret: To securely manage the username and password, you can use a Kubernetes Secret for basic authentication.
a. Configure the required secretstringData:
username: ${DB_ADMIN_USER}
password: ${DB_ADMIN_PASSWD}Here, ${DB_ADMIN_USER} is the newly created username, and ${DB_ADMIN_PASSWD} is the password set for the newly created username.
Deploy the Secret to the Kubernetes cluster by running:kubectl -n ${namespace} apply -f ${secretFileName}.yamlHere, ${namespace} is the namespace where the DorisCluster resource needs to be deployed, and ${secretFileName} is the file name of the Secret to be deployed.
b. Configure the DorisCluster resource
Update the DorisCluster resource according to the following format:
spec:
authSecret: ${secretName}Here, ${secretName} is the name of the deployed Basic authentication Secret.
After deployment, please set the root password. Doris Operator will switch to using the automatically newly created username and password to manage the nodes. Please avoid deleting the automatically created user.
Setting the root user password after cluster deploymentβ
After deploying the Doris cluster and setting the root user's password, it's essential to create a management user with the necessary Node_priv permission to allow Doris Operator to automatically manage the cluster nodes. Using the root user for this purpose is not recommended. Instead, please refer to the User Creation and Permission Assignment Section to create a new user and grant Node_priv permission.
Step 1: Create a user with Node_priv permissionβ
First, connect to the Doris database using the MySQL protocol, then create a new user with the required permissions:
CREATE USER '${DB_ADMIN_USER}' IDENTIFIED BY '${DB_ADMIN_PASSWD}';
- ${DB_ADMIN_USER}: The name of the user you wish to create.
- ${DB_ADMIN_PASSWD}: The password for the newly created user.
Step 2: Grant Node_priv permission to the new userβ
Grant the Node_priv permission to the newly created user:
GRANT NODE_PRIV ON *.*.* TO ${DB_ADMIN_USER};
${DB_ADMIN_USER}: The username you created in the previous step.
For more details on creating users, setting passwords, and granting permissions, refer to the CREATE-USER section.
Step 3: Configure DorisClusterβ
Using environment variables
Directly configure the new userβs name and password in the DorisCluster resource:
spec:
adminUser:
name: ${DB_ADMIN_USER}
password: ${DB_ADMIN_PASSWD}Here, ${DB_ADMIN_USER} is the newly created username, and ${DB_ADIC_PASSWD} is the password set for the newly created user.
Using Secret To securely manage the username and password, you can use Kubernetes Secrets.
a. Create the required secret
Create a Basic Authentication Secret for the new user:stringData:
username: ${DB_ADMIN_USER}
password: ${DB_ADMIN_PASSWD}Here, ${DB_ADMIN_USER} is the newly created username, and ${DB_ADMIN_PASSWD} is the password set for the newly created username.
Deploy the Secret to the Kubernetes cluster with:kubectl -n ${namespace} apply -f ${secretFileName}.yamlHere, ${namespace} is the namespace where the DorisCluster resource needs to be deployed, and ${secretFileName} is the file name of the Secret to be deployed.
b. Update the DorisCluster resource
Once the Secret is deployed, update the DorisCluster resource to specify the Secret:spec:
authSecret: ${secretName}Here, ${secretName} is the name of the deployed Basic authentication Secret.
After setting the root password and configuring the new username and password for managing nodes after deployment, the existing services will be restarted once in a rolling manner.
