Deployment Guide (preview)

Image repository

Imply Manager is provided as a pair of Docker images available on Docker Hub. There is one image for the manager container which includes the coordination services and manager application, and another image for the agent containers which become the nodes of one or more Druid clusters. At this time, a deployment will always have a single manager and multiple agents. Support for running multiple managers for high availability will be offered in the near future.

The images are available in the imply/onprem-manager and imply/onprem-agent Docker Hub repositories. These are private repositories, and you will need to provide your Docker ID to Imply in order to gain access.

Configuring the manager container

The recommended way to configure the manager container is to create a configuration file that can be passed to the container using the --env-file Docker run argument. The remainder of this documentation will assume this file is named env.list.

Mandatory properties

The following items are required:

IMPLY_MANAGER_LICENSE_KEY={license_key}

IMPLY_MANAGER_STORE_TYPE=mysql
IMPLY_MANAGER_STORE_HOST={mysql_hostname}
IMPLY_MANAGER_STORE_PORT={mysql_port}
IMPLY_MANAGER_STORE_USER={mysql_user}
IMPLY_MANAGER_STORE_PASSWORD={mysql_password}
IMPLY_MANAGER_STORE_DATABASE=imply_manager

Note: The database name (IMPLY_MANAGER_STORE_DATABASE) should not contain any spaces or dashes.

The Imply Manager application and the Druid clusters require an external MySQL database, version 5.7.21 or later. Ensure that this database will be reachable from the manager container and all agent containers.

You will also require a valid license key, which can be obtained by contacting a representative at Imply.

Optional properties

Druid clusters require:

You can provide default values for these external dependencies so that they don't need to be specified at cluster creation time. To do so, provide the following parameters in the env.list file:

imply_defaults_zkType=external
imply_defaults_zkHosts={zk-host-1}:2181,{zk-host-2}:2181,{zk-host-3}:2181
imply_defaults_zkBasePath=imply

imply_defaults_metadataStorageType=mysql
imply_defaults_metadataStorageHost={mysql_hostname}
imply_defaults_metadataStoragePort={mysql_port}
imply_defaults_metadataStorageUser={mysql_user}
imply_defaults_metadataStoragePassword={mysql_password}

imply_defaults_deepStorageType={'s3' / 'hdfs' / 'local'}
imply_defaults_deepStorageBaseLocation=s3://{bucket}/{prefix} # s3
# imply_defaults_deepStorageBaseLocation=hdfs://{namenode_host}:8020/{prefix} # hdfs
# imply_defaults_deepStorageBaseLocation=/mnt/var/druid/storage # local

# Not necessary if providing your credentials elsewhere, e.g. using an EC2 instance role
# imply_defaults_deepStorageS3AccessKey={s3_access_key}
# imply_defaults_deepStorageS3SecretKey={s3_secret_key}

Configuring the agent containers

The agent containers only require a single configuration - setting the environment variable IMPLY_MANAGER_HOST to the hostname of the manager container. The agent will register with the manager and will pull any additional configurations that are required.

It is important that IMPLY_MANAGER_HOST be a name that is resolvable and routable from the agent containers. Appropriate values to use here depends on what Docker networking configuration you plan to use. For Linux-host deployments not utilizing a container orchestration system (Kubernetes, Docker Swarm, etc.), running a single container per host and starting the container with the --network host configuration is a common setup. In this case, IMPLY_MANAGER_HOST would be the externally addressable name or address of the host machine running the manager container. Note that --network host is not a supported option on OSX. See the Networking section for suggestions on how to run the container in OSX.

Running the container

Networking

Your Docker run command will vary based on the networking configuration chosen. Note the following important ports:

For proper cluster coordination, the manager and agent containers should be able to talk to each other. In most default networking configurations, containers can talk to each other unrestricted. If you need to allow access on specific ports, the ones used for cluster coordination are:

Host networking (Linux only)

The recommended deployment strategy if you are not using a container orchestration system and you are using a Linux host is to use host networking. In this configuration, the container will use the host's network stack, which will provide the best performance as there is no need for packets to be routed to a container's separate network stack. You would access the Imply Manager on port 9097 of the host system.

Note: Do not run multiple containers using host networking on a single host. You will encounter port conflicts and the agents will fail to properly register with the manager.

User-defined bridge

On a non-Linux host, you are unable to use host networking since the containers do not run natively on the host but run in a virtual machine. The recommended alternative is to use a user-defined bridge network. To create a bridge network, run:

docker network create imply

You will then be able to use this network when running containers by specifying --network imply and will be able to address a container from other containers by its container name.

Volumes

Your Docker run command will also vary depending on if you plan to use Docker volumes or bind mounts. Note that by default, Docker runs containers on the host's primary storage device, which may not have sufficient space, particularly for Imply data nodes. You can either configure Docker to move these containers to a secondary device on the host, or use volumes/binds to mount another location inside the container. By default, Imply writes temporary files, logs, and caches to the /mnt directory, so this is a good path to mount a larger volume. See the Docker volume documentation for more information.

Docker Run

Host network example (Linux only)

As an example, running the manager and agent using host networking, with a bind mount on /mnt, and using a configuration file named env.list would look like this. The commands must be run on different host machines:

docker run --rm --network host --env-file env.list --mount type=bind,source=/mnt,target=/mnt imply/onprem-manager
docker run --rm --network host -e "IMPLY_MANAGER_HOST=imply-manager" --mount type=bind,source=/mnt,target=/mnt imply/onprem-agent

User-defined network example

As another example, running the manager and agent using a user-defined network named imply with a configuration file named env.list and the IMPLY_MANAGER_HOST property set to match a manager container name of 'imply-manager' would look like this:

docker run --rm --network imply --name imply-manager -p 9097:9097 --env-file env.list imply/onprem-manager
docker run --rm --network imply -p 9095 -p 8888 -e "IMPLY_MANAGER_HOST=imply-manager" imply/onprem-agent

Once the manager container is running, you can access the Imply Manager application at http://<managerHost>:9097

Security

TLS

The manager can be configured to automatically generate certificates for the agents and itself by providing a signing certificate and key. This will allow the secure communication of the manager with the agents, the agents with each other, and users with the system. The key and certificate should be provided to the manager to generate the keys for itself and the agents. The agent will get the certificate only to validate the generated certificates.

Enabling, disabling or updating your certificates will require a restart of any running clusters. You will be notified in the manager that a certificate change has been detected and prompted to restart. You should plan the changes around maintenance windows as it will require an outage.

This ca.crt should be trusted/installed in browsers connecting to the manager or Druid so that they can be validated and the https:// scheme used for all web requests.

Ports

When TLS is enabled Druid will use different ports by default as well as require the https:// schema for all web requests. By default these ports are the default port for the service increased by 200. Note that Pivot and the manager still run on the same port. See the table below for some examples:

Service Default Port TLS Port
Imply Manager 9097 9097
Pivot 9095 9095
Router 8888 9088
Overlord 8090 8290

Review the Druid Configuration reference for more defaults.

Generating a CA certificate and key

To generate a CA certificate and key you can use the following command:

openssl req -x509 -new -nodes -keyout ca.key -out ca.crt -days 365

When executing the command you will be prompted to fill in the information for the certificate. For example:

Country Name (2 letter code) []:US
State or Province Name (full name) []:California
Locality Name (eg, city) []:Burlingame
Organization Name (eg, company) []:Imply Data, Inc
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:Imply Manager CA
Email Address []:

These values are just an example and should be filled in with your own values. Once this is completed a new certificate and key that are valid for 1 year will be generated. If you want a longer or shorter expiry update the -days argument. For more information please consult the OpenSSL Documentation.

Trusting your CA

Mac OS

Double-clicking the ca.crt file will add it to your Keychain as a trusted certificate. For more information you can consult the Keychain Access User Guide.

Windows

To add the certificate on windows we will perform the following steps.

  1. Right-click the ca.crt and select Install Certificate. This will launch the Certificate Import Wizard.
  2. SelectLocal Machine for the Storage Location and select Next.
  3. Browse to Trusted Root Certification Authorities for where to place it.
  4. Click next and review the changes to be made before selecting finish.
  5. Restart your browser.

For managed environments the certificate can be installed as part of a Group Policy.

Docker

By default the manager looks for the certificate files in the following locations:

The signing certificate: /run/secrets/imply-ca.crt

The signing key: /run/secrets/imply-ca.key

To enable TLS with Docker the certificates should be passed as volumes to Docker.

To run the manager providing the certificates as volumes the command would look like:

docker run --rm --network host --name imply-manager --env-file env.list -v path/to/ca.crt:/run/secrets/imply-ca.crt -v path/to/ca.key:/run/secrets/imply-ca.key imply/onprem-manager

And to provide the certificate to the agent:

docker run --rm --network host -e "IMPLY_MANAGER_HOST=imply-manager" -v path/to/ca.crt:/run/secrets/imply-ca.crt imply/onprem-agent

When the containers start you should see TLS: Enabled in the logs.

Docker Swarm

When using Docker Swarm we can use Docker secrets. To create the secret you can use the following command:

docker create secret imply-ca.crt path/to/ca.crt
docker create secret imply-ca.key path/to/ca.crt

Then we can create the service and allow it access to the secret by us a command like:

docker service create --name imply-manager --env-file env.list --secret imply-ca.crt --secret imply-ca.key imply/onprem-manager
docker service create --name imply-agent -e "IMPLY_MANAGER_HOST=imply-manager" --secret imply-ca.crt imply/onprem-agent

You can verify that TLS was successfully enabled by running:

docker service logs imply-manager

And verify that TLS: Enabled shows in the logs.

Kubernetes via Helm

When using Kubernetes we can use Kubernetes secrets. To create the secret containing the certificate and key using the following command:

kubectl create secret tls imply-ca --key path/to/ca.key --cert path/to/ca.crt

Now we will modify the imply/values.yaml to enable TLS. Uncomment the section:

security:
  ...
  # tls:
  #   secretName: imply-ca

Now we can start or update the deployment. For more information on deploying to Helm review the Kubernetes Quickstart.

You can verify that TLS was successfully enabled by running:

kubectl logs -lapp.kubernetes.io/name=imply-manager --tail=10000

And verify that TLS: Enabled shows in the logs.

Authentication

Authentication can be enabled to allow the manager to communicate with the agents in an authenticated manner. It will also enable Druid and Pivot authentication to secure the entire deployment. This should be used in conjunction with TLS as the tokens are sent in plain text.

We will use the token supersecret in the following examples, but a different token should be generated and stored securely.

Druid

When authentication is enabled by providing a token to the manager and agents, it also enables Druid authentication by default. For more information on Druid authentication review https://druid.apache.org/docs/latest/design/auth.html.

When Druid Authentication is enabled you can find the credentials in the manager under the API tab.

Pivot

When authentication is enabled by providing a token to the manager and agents, it also enables Pivot authentication by default. For more information on Pivot user modes review userMode configuration.

Pivot will be configured to use native-users. The default credentials can be found in the userMode configuration link above.

Docker

By default the manager looks for the authentication token in the following location:

/run/secrets/imply-auth-token

This file should contain one line, the shared secret to use. To create this file you could use the following command:

echo "supersecret" > path/to/auth-token

Note: Creating the authentication token in this way will leave the token in your history and is meant as an example only. Consider creating this file with an editor and ensure the permissions are as restricted as possible to keep it safe.

To enable authentication with Docker the authentication token should be passed as volumes to Docker.

To run the manager providing the authentication token as a volume the command would look like:

docker run --rm --network host --name imply-manager --env-file env.list -v path/to/auth-token:/run/secrets/imply-auth-token imply/onprem-manager

And to provide the authentication token to the agent:

docker run --rm --network host -e "IMPLY_MANAGER_HOST=imply-manager" -v path/to/auth-token:/run/secrets/imply-auth-token imply/onprem-agent

When the containers start you should see Authentication: Enabled in the logs.

Docker Swarm

When using Docker Swarm we can use Docker secrets. To create the secret you can use the following command:

echo "supersecret" | docker create secret imply-auth-token -

Passing the authentication token in this way to agent will leave the token in your history and is meant as an example only. Please consult the Docker secrets documentation for secure ways to create the secret.

Then we can create the service and allow it access to the secret by us a command like:

docker service create --name imply-manager --env-file env.list --secret imply-auth-token imply/onprem-manager
docker service create --name imply-agent -e "IMPLY_MANAGER_HOST=imply-manager" --secret imply-auth-token imply/onprem-agent

You can verify that authentication was successfully enabled by running:

docker service logs imply-manager

And verify that Authentication: Enabled shows in the logs.

Kubernetes via Helm

When using Kubernetes we can use Kubernetes secrets. To create the secret containing the authentication token using the following command:

kubectl create secret generic imply-auth-token --from-literal="auth-token=supersecret"

Passing the authentication token in this way to agent will leave the token in your history and is meant as an example only. Please consult the Kubernetes secrets documentation for secure ways to create the secret.

Now we will modify the imply/values.yaml to enable authentication. Uncomment the section:

security:
  ...
  # auth:
  #   secretName: imply-auth-token

Now we can start or update the deployment. For more information on deploying to Helm review the Kubernetes Quickstart.

You can verify that authentication was successfully enabled by running:

kubectl logs -lapp.kubernetes.io/name=imply-manager --tail=10000

And verify that Authentication: Enabled shows in the logs.

Additional topics

Adding custom user files

Custom user files can be pushed by the manager to the nodes of the Imply cluster by specifying them in the Setup / Advanced Config section of the manager. These files can be written to the following locations:

Additionally, these files can be processed as follows:

There are two ways to make these files available to the manager:

To make the files available to the manager locally, they will need to be placed in the /mnt/var/user directory inside the manager container. There are two ways to do this:

--mount type=bind,source=/myfiles,target=/mnt/var/user

Once the files are available in that directory, reference them using the manager:/// scheme. As an example:

Manually Creating the Metadata Databases

Imply Manager will automatically attempt to create the required databases if they do not exist. There is one database for the manager application and one database for each Imply cluster. In the case that the provided user does not have authorization to create these databases, you should create them manually prior to running the application. Both Druid and the Imply Manager expect a database with a 'utf8mb4' default character set. An example statement to create the manager database:

CREATE SCHEMA `imply_manager` DEFAULT CHARACTER SET utf8mb4;
Overview

Tutorial

Deploy

Manage Data

Query Data

Visualize

Configure

Special UI Features

Imply Manager

Misc