
HADOOP-15456. create base image for running secure ozone cluster. Contributed by Ajay Kumar.

Márton Elek 6 年之前
父节点
当前提交
44f08ef7c2
共有 4 个文件被更改,包括 75 次插入5 次删除
  1. 3 2
      Dockerfile
  2. 41 0
      scripts/krb5.conf
  3. 31 3
      scripts/starter.sh
  4. 0 0
      scripts/transformation.py

+ 3 - 2
Dockerfile

@@ -18,11 +18,12 @@ FROM openjdk:8-jdk
 RUN apt-get update && apt-get install -y jq curl python sudo && apt-get clean
 RUN wget -O /usr/local/bin/dumb-init https://github.com/Yelp/dumb-init/releases/download/v1.2.0/dumb-init_1.2.0_amd64
 RUN chmod +x /usr/local/bin/dumb-init
-
+RUN mkdir -p /etc/security/keytabs && chmod -R a+wr /etc/security/keytabs 
 ENV JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64/
 ENV PATH $PATH:/opt/hadoop/bin
 
-
+RUN apt-get install -y jsvc
+ENV JSVC_HOME=/usr/bin
 
 RUN addgroup --gid 1000 hadoop
 RUN adduser --disabled-password --gecos "" --uid 1000 hadoop --gid 100 --home /opt/hadoop

+ 41 - 0
scripts/krb5.conf

@@ -0,0 +1,41 @@
+##
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+##
+
+[logging]
+default = FILE:/var/log/krb5libs.log
+kdc = FILE:/var/log/krb5kdc.log
+admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+ dns_canonicalize_hostname = false
+ dns_lookup_realm = false
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+ forwardable = true
+ rdns = false
+ default_realm = EXAMPLE.COM
+
+[realms]
+ EXAMPLE.COM = {
+  kdc = SERVER
+  admin_server = SERVER
+ }
+
+[domain_realm]
+ .example.com = EXAMPLE.COM
+ example.com = EXAMPLE.COM
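Review bot: The `SERVER` token on the `kdc` and `admin_server` lines is a placeholder that starter.sh rewrites with `sed "s/SERVER/$KERBEROS_SERVER/g"`, but nothing in this file says so, and a reader editing it would take it for a literal host name. Add a comment above the `[realms]` block such as `# SERVER is a placeholder; starter.sh substitutes $KERBEROS_SERVER when installing this file as /etc/krb5.conf`. The realm `EXAMPLE.COM` is hard-coded in the same way (and repeated in starter.sh's log line) but is not substituted, which is worth stating in the same comment. `forwardable = true` makes every ticket forwardable by default; that is a reasonable choice for a test cluster but deserves a one-line comment recording that it is deliberate.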

+ 31 - 3
scripts/starter.sh

@@ -24,12 +24,43 @@ sudo chmod o+rwx /data
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 $DIR/envtoconf.py --destination /opt/hadoop/etc/hadoop
+echo "Setting up environment!"
 
 if [ -n "$SLEEP_SECONDS" ]; then
    echo "Sleeping for $SLEEP_SECONDS seconds"
    sleep $SLEEP_SECONDS
 fi
 
+if [ -n "$KERBEROS_ENABLED" ]; then
+	echo "Setting up kerberos!!"
+	KERBEROS_SERVER=${KERBEROS_SERVER:-krb5}
+	ISSUER_SERVER=${ISSUER_SERVER:-$KERBEROS_SERVER\:8081}
+	echo "KDC ISSUER_SERVER => $ISSUER_SERVER"
+
+	while true
+	do
+	  STATUS=$(curl -s -o /dev/null -w '%{http_code}' http://$ISSUER_SERVER/keytab/test/test)
+	  if [ $STATUS -eq 200 ]; then
+		echo "Got 200, KDC service ready!!"
+		break
+	  else
+		echo "Got $STATUS :( KDC service not ready yet..."
+	  fi
+	  sleep 5
+	done
+
+	export HOST_NAME=`hostname -f`
+	for NAME in ${KERBEROS_KEYTABS}; do
+	   echo "Download $NAME/$HOSTNAME@EXAMPLE.COM keytab file to $CONF_DIR/$NAME.keytab"
+	   wget http://$ISSUER_SERVER/keytab/$HOST_NAME/$NAME -O $CONF_DIR/$NAME.keytab
+	   KERBEROS_ENABLED=true
+	done
+
+	cat $DIR/krb5.conf |  sed "s/SERVER/$KERBEROS_SERVER/g" | sudo tee /etc/krb5.conf
+fi
+
+#To avoid docker volume permission problems
+sudo chmod o+rwx /data
 
 if [ -n "$ENSURE_NAMENODE_DIR" ]; then
    CLUSTERID_OPTS=""
@@ -41,14 +72,12 @@ if [ -n "$ENSURE_NAMENODE_DIR" ]; then
         fi
 fi
 
-
 if [ -n "$ENSURE_STANDBY_NAMENODE_DIR" ]; then
    if [ ! -d "$ENSURE_STANDBY_NAMENODE_DIR" ]; then
       /opt/hadoop/bin/hdfs namenode -bootstrapStandby
     fi
 fi
 
-
 if [ -n "$ENSURE_SCM_INITIALIZED" ]; then
    if [ ! -f "$ENSURE_SCM_INITIALIZED" ]; then
       /opt/hadoop/bin/ozone scm -init
@@ -80,5 +109,4 @@ if [ -n "$ENSURE_KSM_INITIALIZED" ]; then
    fi
 fi
 
-
 $@
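Review bot: The `wget … -O $CONF_DIR/$NAME.keytab` line in the first hunk's keytab loop neither checks wget's exit status nor restricts the file's mode, so a non-200 reply from the issuer can leave an empty keytab behind and a successful download lands with the default umask (typically world-readable) although a keytab is a credential. Make the download fatal and lock the file down: `wget -q "http://$ISSUER_SERVER/keytab/$HOST_NAME/$NAME" -O "$CONF_DIR/$NAME.keytab" || exit 1` followed by `chmod 600 "$CONF_DIR/$NAME.keytab"` (whether `set -e` is active cannot be seen, as the script's head lies outside the hunk). The preceding echo prints `$HOSTNAME` while the request uses `$HOST_NAME`, so the log names a different principal than is actually fetched; use `$HOST_NAME` in both. `KERBEROS_ENABLED=true` inside the loop is a no-op, since the branch is only entered when that variable is already non-empty, and the added `sudo chmod o+rwx /data` appears to repeat a line the hunk header suggests already exists earlier in the file.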

+ 0 - 0
scripts/transformation.py