How-to: Install Cloudera Navigator Encrypt 3.7.0 on SUSE 11 SP2 and SP3

Original post can be found at: hhttp://blog.cloudera.com/blog/2015/04/how-to-install-cloudera-navigator-encrypt-3-7-0-on-suse-11-sp2-and-sp3/

--------------------------------------------------------------------------------------------------------------

How-to: Install Cloudera Navigator Encrypt 3.7.0 on SUSE 11 SP2 and SP3

• by Alex Gonzalez
• April 30, 2015
• no comments

Installing Cloudera Navigator Encrypt on SUSE is a one-off process, but we have you covered with this how-to.

Cloudera Navigator Encrypt, which is integrated with Cloudera Navigator governance software, provides massively scalable, high-performance encryption for critical Apache Hadoop data. It leverages industry-standard AES-256 encryption and provides a transparent layer between the application and filesystem. Navigator Encrypt also includes process-based access controls, allowing authorized Hadoop processes to access encrypted data, while simultaneously preventing admins or super-users like root from accessing data that they don’t need to see.

Navigator Encrypt is distributed in two different packages: the kernel module, and the binaries (cli commands) and configuration files. Current supported distributions are debian-7-x64, rhel-5-x64, rhel-6-x64, sles-11-x64, ubuntu-12.04-x64, and ubuntu-14.04-x64. As SUSE has a specific way to build and distribute RPMs for any external kernel module, this post explains how to install Navigator Encrypt 3.7.0 specifically on SLES 11 SP2 and SP3.

Understanding KMPs

For nearly all platforms, the traditional way to install Navigator Encrypt and its kernel module is to issue:

1	zypper | apt-get | yum install navencrypt

or any package manager equivalent. In these cases, the Navigator Encrypt kernel module uses dkms to build the kernel module at installation time.

This strategy doesn’t work with SUSE, however, which doesn’t support dkms and which handles external kernel modules in a unique manner. Because the process to build the kernel module manually is tedious, the easiest way to install the kernel module is by distributing it already built.

Fortunately, SUSE provides a build tool (openSUSE Build Service, or OBS) that creates RPM packages containing the pre-built kernel module; this tool is free and can be found at build.opensuse.org. A SUSE package created with this tool is called a kernel module package (KMP). (To learn more about how to build KMPs, see the openSUSE build service user guide.)

For KMP names, SUSE recommends using a naming convention based on the company name and a short package name (example: cloudera-zncryptfs-kmp-default-3.4.2_3.0.13_0.27-15.1.x86_64.rpm). To clarify which packages belong to SP2 and SP3, Cloudera has renamed the KMP by adding “SPx” to the package name, as in:cloudera-zncryptfs-kmp-SP2-default-3.4.2_3.0.13_0.27-15.1.x86_64.rpm.

KMPs are designed to maintain compatibility among all kernel versions for a specific SUSE version (SP2, SP3, etc.). SUSE assures us that if there is a kernel upgrade the kABI symbols will not change; those symbols will have the same symbol version (checksum) for all the kernels supported for a specific SUSE Version (SP2, for example). Thus the same installed kernel module will work after the upgrade without the need to rebuild or upgrade it.

A Navigator Encrypt kernel module only needs to be re-installed when there is an upgrade from SP2 to SP3. The reason for that re-install is that the SP2 cloudera-zncryptfs kernel module is incompatible with SP3—instead, you would need to install the SP3 cloudera-zncryptfs KMP.

Navigator Encrypt for SUSE doesn’t have an implicit dependency on the zncrypt-kernel-module anymore, so it has to be installed independently and based on the kernel where it is going to run. Cloudera packages are named to make it easy to know which version to use; for example, the package cloudera-zncryptfs-kmp-SP2-default-3.4.2_3.0.13_0.27-15.1.x86_64.rpm corresponds to SP2 and cloudera-zncryptfs-kmp-SP3-default-3.4.2_3.0.76_0.11-10.2.x86_64.rpm corresponds to SP3.

SUSE also maintains a list of supported kernels and their versions that you can use to verify compatibility between the KMP version and your installed kernel. Just select the service pack that interests you and then click on the “Kernel:” drop-down list to see all the kernels. (Note: the latest SP3 kernel update used slightly different numbers for i586 vs. x86_64 architectures. The update released for i586 was 3.0.101-0.42.1, and the update released for x86_64 was 3.0.101-0.46.1. This is why you see both in the list. Anyway, for an SP3 kernel x86_x64, you will never see a 3.0.101-0.42.1 version. Navigator Encrypt only supports x86_64.)

Cloudera is a SUSE partner and thus cloudera-zncryptfs is part of the Solid Driver Program, ensuring kernel driver compatibility. To check if the SUSE kernel is tainted, look at the variable:

1 2	#cat /proc/sys/kernel/tainted   0

where 0 means the kernel is not tainted. However, because cloudera-zncryptfs is a supported kernel module, a tainted kernel is tagged with a specific value:

1 2	#cat /proc/sys/kernel/tainted<   2847453646

(To learn more about a tainted kernel here.)

When looking at the kernel module info, you will also see that it has a tag identifying the support as external to SUSE (“supported:  external”).

1 2 3 4 5 6 7 8 9 10 11 12 13

# modinfo zncryptfs.ko filename:    zncryptfs.ko license:     GPL v2 description: zncryptfs (v3.4.2-0) author:      Sergio Pena srcversion:  6C5F956ACF58A518FF5DAC9 depends:        supported:   external vermagic:    3.0.101-0.46-default SMP mod_unload modversions parm:        zncryptfs_stats_enabled:Enable data statistics (int) parm:        zncryptfs_acl_cache_size:Set ACL cache size (int) parm:        zncryptfs_acl_verbose:Display more information on an access denied (int) parm:        zncryptfs_debug:Display debug information (int)

Currently, Navigator Encrypt supports SUSE 11 SP2 and SP3. (SLES 11 SP1 is not supported, nor is SLES 12.) The Cloudera stable repo for SUSE/OpenSUSE can be found at here.

Here is a list of cloudera-zncryptfs KMPs built for SP2:

cloudera-zncryptfs-kmp-SP2-default-3.4.2_3.0.13_0.27-15.1.x86_64.rpm
cloudera-zncryptfs-kmp-SP2-xen-3.4.2_3.0.13_0.27-15.1.x86_64.rpm    
cloudera-zncryptfs-kmp-SP2-ec2-3.4.2_3.0.13_0.27-15.1.x86_64.rpm    

And here is a list of cloudera-zncryptfs KMPs built for SP3:

cloudera-zncryptfs-kmp-SP3-default-3.4.2_3.0.76_0.11-10.2.x86_64.rpm
cloudera-zncryptfs-kmp-SP3-xen-3.4.2_3.0.76_0.11-10.2.x86_64.rpm 
cloudera-zncryptfs-kmp-SP3-ec2-3.4.2_3.0.76_0.11-10.2.x86_64.rpm

What flavor is your kernel? It mostly depends on your hardware. Learn more about kernel flavors here.

Installation Process

Identify the cloudera-zncryptfs KMPs that you will install for SP2 or SP3. You also need to identify the flavor.

Add the cloudera archive as specified in the Navigator Encrypt user guide:

1 2 3 4 5 6 7 8 9 10

# vi /etc/zypp/repos.d/cloudera.repo   [cloudera_stable] name=SLES $releasever - cloudera.com baseurl=https://USER:PASSWORD@archive.gazzang.com/sles/stable/11 enabled=1 gpgcheck=1 gpgkey=http://archive.gazzang.com/gpg_gazzang.asc    # sudo rpm --import http://archive.gazzang.com/gpg_gazzang.asc

In this example, we are installing Navigator Encrypt for SLES 11 SP3. Let’s install its corresponding KMP:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18

#zypper install https://archive.gazzang.com/sles/stable/11/Packages/cloudera-zncryptfs-kmp-SP3-default-3.4.2_3.0.76_0.11-14.13.x86_64.rpm Refreshing service 'nu_novell_com'. Loading repository data... Reading installed packages... Resolving package dependencies...   The following package is going to be upgraded:   cloudera-zncryptfs-kmp-default   The following package is not supported by its vendor:   cloudera-zncryptfs-kmp-SP3-default   1 package to upgrade. Overall download size: 265.0 KiB. No additional space will be used or freed after the operation. Continue? [y/n/? shows all options] (y): Retrieving package cloudera-zncryptfs-kmp-SP3-default-3.4.2_3.0.76_0.11-14.13.x86_64 (1/1), 265.0 KiB (1.5 MiB unpacked) Retrieving package cloudera-zncryptfs-kmp-SP3-default-3.4.2_3.0.76_0.11-14.13.x86_64 (1/1), 265.0 KiB (1.5 MiB unpacked) Installing: cloudera-zncryptfs-kmp-SP3-default-3.4.2_3.0.76_0.11-14.13 [done]

(Note: The previous command-line example is for the build revision number 14.13. That number might change, so please check the stable repo for the newest build.)

zncryptfs.ko is installed at /lib/modules/3.0.76-0.11-default/updates/zncryptfs.ko and it becomes a weak-update of your current kernel module.

Current kernel module in this example is:

1 2	# uname -r 3.0.101-0.46-default

The weak-update has now a symlink to the kernel module installed:

1 2	# ll /lib/modules/3.0.101-0.46-default/weak-updates/updates/zncryptfs.ko lrwxrwxrwx 1 root root 53 Feb 17 09:17 /lib/modules/3.0.101-0.46-default/weak-updates/updates/zncryptfs.ko -> /lib/modules/3.0.76-0.11-default/updates/zncryptfs.ko

This is a good moment to check for the modinfo of our installed kernel module:

1 2 3 4 5 6 7 8 9 10 11 12 13

# modinfo /lib/modules/3.0.101-0.46-default/weak-updates/updates/zncryptfs.ko filename:       /lib/modules/3.0.101-0.46-default/weak-updates/updates/zncryptfs.ko license:        GPL v2 description:    zncryptfs (v3.4.2-0) author:         Sergio Pena srcversion:     6C5F956ACF58A518FF5DAC9 depends: supported:      external vermagic:       3.0.76-0.11-default SMP mod_unload modversions parm:           zncryptfs_stats_enabled:Enable data statistics (int) parm:           zncryptfs_acl_cache_size:Set ACL cache size (int) parm:           zncryptfs_acl_verbose:Display more information on an access denied (int) parm:           zncryptfs_debug:Display debug information (int)

Our module is now ready to work on our installed kernel. Next, we can install the Navigator Encrypt binaries:

1	#zypper install navencrypt -y

You can register Navigator Encrypt against a Key Trustee server:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17

# navencrypt register -s keytrustee.server.net -o ORGANIZATION -a AUTH_CODE Choose MASTER key type: 1) Passphrase (single) 2) Passphrase (dual) 3) RSA private key Select: 1 Type MASTER passphrase: Verify MASTER passphrase:   Registering navencrypt v3.6.0 (r44)...   * Registering keytrustee GPG keys on 'keytrustee.server.net'... * Uploading MASTER key... * Uploading CONTROL content... * Creating control file...   Navencrypt is now registered.

SUSE has a flag that allows external kernel modules to load. Set this flag to 1 as specified in the user guide:

1 2 3 4 5 6 7 8 9 10 11 12

# vi /etc/modprobe.d/unsupported-modules   # # Every kernel module has a flag 'supported'. If this flag is not set loading # this module will taint your kernel. You will not get much help with a kernel # problem if your kernel is marked as tainted. In this case you firstly have # to avoid loading of unsupported modules. # # Setting allow_unsupported_modules 1 enables loading of unsupported modules # by modprobe, setting allow_unsupported_modules 0 disables it. This can # be overridden using the --allow-unsupported-modules command line switch. allow_unsupported_modules 1

If you don’t do that, you won’t be able to prepare any mount point, and a message like the following will appear:

1 2 3

# navencrypt-prepare /mnt/t1 /mnt/t1 The Navigator Encrypt kernel module is marked as unsupported on this kernel. Please set allow_unsupported_modules to 1 in /etc/modprobe.d/unsupported-modules

Then, prepare a first mount point:

1 2 3 4 5 6 7 8 9 10 11 12 13 14

# navencrypt-prepare /mnt/t1 /mnt/t1 Type MASTER passphrase:   Encryption Type:  eCryptfs Cipher:           aes Key Size:         256 Random Interface: OpenSSL Filesystem:       ext3 Options:             Verifying MASTER key against KeyTrustee (wait a moment)   ... OK Generation Encryption Keys with OpenSSL                   ... OK Registering Encryption Keys (wait a moment)               ... OK Mounting /mnt/t1                                          ... OK

Verify that it is actually mounted:

1 2 3 4

# mount … (rw,ecryptfs_sig=b3fc17166dc9f34c,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_enable_filename_crypto=n) suse:~ #

A quick encryption test adding a universal rule can be done:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40

# mkdir encrypted   # vi encrypted/file   # navencrypt-move encrypt  @test encrypted/file /mnt/t1 Type MASTER passphrase:   Size to encrypt: 4 KB Moving from: '/root/encrypted/file' Moving to:   '/mnt/t1/test/root/encrypted/file' 100% [=======================================================>] [       18  B]   Done. # cat encrypted/file cat: encrypted/file: Permission denied   # navencrypt acl --add --rule="ALLOW @* * *" Type MASTER passphrase: 1 rule(s) were added   # cat encrypted/file encrypted content   # navencrypt-move decrypt  encrypted/file Type MASTER passphrase:   Size to decrypt: 12 KB Moving from: '/mnt/t1/test/root/encrypted/file' Moving to:   '/root/encrypted/file' 100% [=======================================================>] [       18  B]   Done.   # /etc/init.d/navencrypt-mount restart Stopping navencrypt directories * Umounting /mnt/t1 ...                                                                                                                                                                          done * Unloading module ...                                                                                                                                                                           done Starting navencrypt directories * Mounting /mnt/t1 ...                                                                                                                                                                           done suse:~ #

Congratulations, you have just installed Navigator Encrypt on SLES 11 SP3!

Alex Gonzalez is a Software Engineer at Cloudera.

P.D. You can have yor own miniature f