Deploy with Docker

Docker makes it easy to deploy the Manager and servers that make up an Imply cluster. If you are new to deploying Imply with Docker, see the Imply Manager Quickstart to get started.

Requirements

Imply Manager requires the following software:

• Docker Engine 18.09


Newer versions of Docker and Kubernetes are supported, but may not have been validated.

We strongly recommend deploying Imply Manager on a Linux host to avoid virtualization overhead. Running the manager on an OSX host is suitable for the quickstart but not recommended for actual deployments. Windows hosts are not supported.

Image repository

Imply Manager is provided as a pair of Docker images available on Docker Hub. There is one image for the manager container, which includes the coordination services and manager application, and another image for the agent containers, which become the nodes of one or more Druid clusters. At this time, a deployment will always have a single manager and multiple agents. Support for running multiple managers for high availability will be offered in the near future.

The images are available in the imply/manager and imply/agent Docker Hub repositories.

Configuring the manager container

The recommended way to configure the manager container is to create a configuration file that can be passed to the container using the --env-file Docker run argument. The remainder of this documentation will assume this file is named env.list.

Mandatory properties

The following items are required:

IMPLY_MANAGER_LICENSE_KEY={license_key}

IMPLY_MANAGER_STORE_TYPE=mysql
IMPLY_MANAGER_STORE_HOST={mysql_hostname}
IMPLY_MANAGER_STORE_PORT={mysql_port}
IMPLY_MANAGER_STORE_USER={mysql_user}
IMPLY_MANAGER_STORE_PASSWORD={mysql_password}
IMPLY_MANAGER_STORE_DATABASE=imply_manager

The database name (IMPLY_MANAGER_STORE_DATABASE) should not contain any spaces or dashes.

The Imply Manager application and the Druid clusters require an external MySQL database, version 5.7.21 or later. Ensure that this database will be reachable from the manager container and all agent containers.

You will also require a valid license key, which can be obtained by contacting a representative at Imply.

Optional properties

Druid clusters require:

• an external ZooKeeper ensemble
• an external metadata store (only MySQL is supported)
• a deep storage location (S3, HDFS, Azure, GCS, or local file system is supported; local file system only makes sense if you are mounting a volume backed by a Docker volume driver that manages writing to a resilient distributed storage)

You can provide default values for these external dependencies so that they don't need to be specified at cluster creation time.

To do so, add parameters as shown by the following example to your env.list file. Supply values appropriate for your external systems.

imply_defaults_zkType=external
imply_defaults_zkHosts={zk-host-1}:2181,{zk-host-2}:2181,{zk-host-3}:2181
imply_defaults_zkBasePath=imply

imply_defaults_metadataStorageType=mysql
imply_defaults_metadataStorageHost={mysql_hostname}
imply_defaults_metadataStoragePort={mysql_port}
imply_defaults_metadataStorageUser={mysql_user}
imply_defaults_metadataStoragePassword={mysql_password}

imply_defaults_deepStorageType={'s3' | 'hdfs' | 'azure' | 'google' | 'local'}
imply_defaults_deepStoragePath={storage_path} # e.g., "s3://{bucket}/{prefix}", azure://{container_name}/{prefix}, OR
                                              # gs://{bucket}/{path}, etc
imply_defaults_deepStorageUser={account_name} # i.e., {s3_access_key} OR {azure_account_name}
imply_defaults_deepStoragePassword={account_password} # i.e., {s3_secret_key} OR {azure_password} OR {google_json_key}

Configuring the agent containers

The agent containers only require a single configuration - setting the environment variable IMPLY_MANAGER_HOST to the hostname of the manager container. The agent will register with the manager and will pull any additional configurations that are required.

It is important that IMPLY_MANAGER_HOST be a name that is resolvable and routable from the agent containers. Appropriate values to use here depends on what Docker networking configuration you plan to use. For Linux-host deployments not utilizing a container orchestration system (Kubernetes, Docker Swarm, etc.), running a single container per host and starting the container with the --network host configuration is a common setup. In this case, IMPLY_MANAGER_HOST would be the externally addressable name or address of the host machine running the manager container. Note that --network host is not a supported option on OSX. See the Networking section for suggestions on how to run the container in OSX.

Running the container

Networking

Your Docker run command will vary based on the networking configuration chosen. Note the following important ports:

• Ports which should be externally exposed on the manager container:
  • 9097 (Imply Manager application)
• Ports which should be externally exposed on agent containers that will run as Imply query nodes:
  • 9095 (Pivot application)
  • 8888 (router service, which provides access to the Druid API and the Druid Console)

For proper cluster coordination, the manager and agent containers should be able to talk to each other. In most default networking configurations, containers can talk to each other unrestricted. If you need to allow access on specific ports, the ones used for cluster coordination are:

• Manager: 9998 and 9999 (cluster coordination services)
• Agent/Master: 8081 (coordinator), 8090 (overlord)
• Agent/Data: 8083 (historical), 8091 (middle manager), 8100-8200 (indexing workers)
• Agent/Query: 8082 (broker), 8888 (router)

Host networking (Linux only)

The recommended deployment strategy if you are not using a container orchestration system and you are using a Linux host is to use host networking. In this configuration, the container will use the host's network stack, which will provide the best performance as there is no need for packets to be routed to a container's separate network stack. You would access the Imply Manager on port 9097 of the host system.

Do not run multiple containers using host networking on a single host. You will encounter port conflicts and the agents will fail to properly register with the manager.

User-defined bridge

On a non-Linux host, you are unable to use host networking since the containers do not run natively on the host but run in a virtual machine. The recommended alternative is to use a user-defined bridge network. To create a bridge network, run:

docker network create imply

You will then be able to use this network when running containers by specifying --network imply and will be able to address a container from other containers by its container name.

Volumes

Your Docker run command will also vary depending on if you plan to use Docker volumes or bind mounts. Note that by default, Docker runs containers on the host's primary storage device, which may not have sufficient space, particularly for Imply data nodes. You can either configure Docker to move these containers to a secondary device on the host, or use volumes/binds to mount another location inside the container. By default, Imply writes temporary files, logs, and caches to the /mnt directory, so this is a good path to mount a larger volume. See the Docker volume documentation for more information.

Docker Run

Host network example (Linux only)

As an example, running the manager and agent using host networking, with a bind mount on /mnt, and using a configuration file named env.list would look like this. The commands must be run on different host machines:

docker run --rm --network host --env-file env.list --mount type=bind,source=/mnt,target=/mnt imply/manager

docker run --rm --network host -e "IMPLY_MANAGER_HOST=imply-manager" --mount type=bind,source=/mnt,target=/mnt imply/agent

User-defined network example

As another example, running the manager and agent using a user-defined network named imply with a configuration file named env.list and the IMPLY_MANAGER_HOST property set to match a manager container name of 'imply-manager' would look like this:

docker run --rm --network imply --name imply-manager -p 9097:9097 --env-file env.list imply/manager

docker run --rm --network imply -p 9095 -p 8888 -e "IMPLY_MANAGER_HOST=imply-manager" imply/agent

Once the manager container is running, you can access the Imply Manager application at http://<managerHost>:9097

Security

TLS

See the TLS Docs for information on how to generate certificates and general TLS information.

Docker

By default the manager looks for the certificate files in the following locations:

• Signing certificate: /run/secrets/imply-ca.crt
• Signing key: /run/secrets/imply-ca.key

To enable TLS with Docker the certificates should be passed as volumes to Docker.

To run the manager providing the certificates as volumes the command would look like:

docker run --rm --network host --name imply-manager --env-file env.list -v path/to/ca.crt:/run/secrets/imply-ca.crt -v path/to/ca.key:/run/secrets/imply-ca.key imply/manager

And to provide the certificate to the agent:

docker run --rm --network host -e "IMPLY_MANAGER_HOST=imply-manager" -v path/to/ca.crt:/run/secrets/imply-ca.crt imply/agent

When the containers start you should see TLS: Enabled in the logs.

Docker Swarm

When using Docker Swarm we can use Docker secrets. To create the secret, use the following command:

docker create secret imply-ca.crt path/to/ca.crt
docker create secret imply-ca.key path/to/ca.crt

Then we can create the service and allow it access to the secret as follows:

docker service create --name imply-manager --env-file env.list --secret imply-ca.crt --secret imply-ca.key imply/manager
docker service create --name imply-agent -e "IMPLY_MANAGER_HOST=imply-manager" --secret imply-ca.crt imply/agent

You can verify that TLS was successfully enabled by running:

docker service logs imply-manager

And verify that TLS: Enabled shows in the logs.

Authentication

See the Authentication Docs for information on enabling authentication will affect your cluster.

Docker

By default the manager looks for the authentication token in the following location:

/run/secrets/imply-auth-token

This file should contain one line, the shared secret to use. To create this file you could use the following command:

echo "supersecret" > path/to/auth-token

Creating the authentication token in this way will leave the token in your history and is meant as an example only. Consider creating this file with an editor and ensure the permissions are as restricted as possible to keep it safe.

To enable authentication with Docker the authentication token should be passed as volumes to Docker.

To run the manager providing the authentication token as a volume the command would look like:

docker run --rm --network host --name imply-manager --env-file env.list -v path/to/auth-token:/run/secrets/imply-auth-token imply/manager

And to provide the authentication token to the agent:

docker run --rm --network host -e "IMPLY_MANAGER_HOST=imply-manager" -v path/to/auth-token:/run/secrets/imply-auth-token imply/agent

When the containers start you should see Authentication: Enabled in the logs.

Docker Swarm

When using Docker Swarm we can use Docker secrets. To create the secret you can use the following command:

echo "supersecret" | docker create secret imply-auth-token -

Passing the authentication token in this way to agent will leave the token in your history and is meant as an example only. Please consult the Docker secrets documentation for secure ways to create the secret.

Then we can create the service and allow it access to the secret by us a command like:

docker service create --name imply-manager --env-file env.list --secret imply-auth-token imply/manager
docker service create --name imply-agent -e "IMPLY_MANAGER_HOST=imply-manager" --secret imply-auth-token imply/agent

You can verify that authentication was successfully enabled by running:

docker service logs imply-manager

And verify that Authentication: Enabled shows in the logs.

Adding custom user files

Custom user files can be pushed by the manager to the nodes of the Imply cluster by specifying them in the Setup / Advanced Config section of the manager. These files can be written to the following locations:

• User files (/opt/imply/user)
• Druid's classpath
• as a Hadoop dependency

Additionally, these files can be processed as follows:

• None
• Requires unpacking (extracts using tar -x)
• Is executable (sets chmod +x)

There are two ways to make these files available to the manager:

• Make them available via HTTP(S) and provide the URL
• Make them available to the manager locally and reference them using the manager:/// scheme

To make the files available to the manager locally, they will need to be placed in the /mnt/var/user directory inside the manager container. There are two ways to do this:

• Use a command like docker cp to copy the files from the host machine into the container
• Use a bind mount or volume driver to mount the device containing the custom files at /mnt/var/user. If using a bind mount during docker run, the argument would look similar to:

--mount type=bind,source=/myfiles,target=/mnt/var/user

Once the files are available in that directory, reference them using the manager:/// scheme. As an example:

• File: /mnt/var/user/hdfs-site.xml -> Manager path: manager:///hdfs-site.xml

Manually Creating the Metadata Databases

Imply Manager automatically attempts to create the databases it needs if they do not exist. There is one database for the Manager and one database for each Imply cluster.

If the provided user does not have authorization to create these databases, you should create them manually prior to running the application. Both Druid and the Imply Manager expect a database with a 'utf8mb4' default character set.

An example statement to create the manager database is as follow:

CREATE SCHEMA `imply_manager` DEFAULT CHARACTER SET utf8mb4;