Impala Load Balancing with Amazon Elastic Load Balancer

In a previous post, we explained how to configure a proxy server to provide load balancing for the Impala daemon. The proxy software used was HAproxy, a free, open source load balancer. This post will demonstrate how to use Amazon’s Elastic Load Balancer (ELB) to perform Impala load balancing when running in Amazon’s Elastic Compute Cloud (EC2).

Details

Similar to HAproxy, an Elastic Load Balancer is a reverse proxy that will take incoming TCP connections and distribute them amongst a set of EC2 instances. This is done partly for fault tolerance and partly for load distribution. Cloudera’s Using Impala through a Proxy for High Availability details how load balancing applies to part of Impala.

To summarize, the proxy will allow us to configure our Impala clients (Hue, Tableau, etc) with a single hostname and port. This well-known hostname will not have to be changed out if there were to be a failure of one or multiple Impala daemons. It will also distribute the load of running a query’s coordinator processing amongst the Impala daemons.

The steps we will take to set up the Impala load balancer are:

  1. Configure security groups.
  2. Create the ELB.
  3. Configure the ELB.
  4. Add instances to the ELB.
  5. Test the ELB.
  6. Configure Impala.

Requirements

The following examples require that you have the AWS CLI software installed and configured on your system. This can be on your Windows, Mac, or Linux workstation/laptop or on a Linux host running elsewhere. Spinning up an EC2 instance running Amazon Linux might be the fastest way to get the tools.

Of course, you will need an AWS account and IAM privileges to create both the security groups and the ELB.

Implementation

The following code is run in a shell (bash or cmd.exe) on the system with the AWS CLI tools.

First, we will need to name the cluster that is running the Impala service. This will be used to name the ELB and security groups. Then, we will create some variables that will hold the ID numbers of existing AWS infrastructure. Lastly, we use an additional variable named $OPTS for general AWS CLI options we may need.

We will have to look up the VPC ID, the ID of the subnet where we will be deploying the load balancer, and the instance IDs of the Hadoop cluster workers that are running the Impala Daemon. The ELB can reside in the same subnet as the Hadoop cluster or it can be placed in a separate subnet. It is advisable to keep the ELB in the same Availability Zone as the cluster. (You are deploying your Hadoop cluster instances to the same AZ, right?)

CLNAME=Cluster1
VPCID=""
SUBNETID=""
INSTANCES=""
#OPTS="--profile default --region us-west2"

If you have tagged your objects appropriately, you can use aws ec2 describe-* to look them up programmatically. These are examples. Your environment will be different.

# Return the VPCID of the VPC named "Cluster1".
VPCID=$(aws $OPTS ec2 describe-vpcs --output text --query 'Vpcs[*].VpcId' \
  --filter Name=tag:Name,Values="${CLNAME}")

# Return the SUBNETID of the subnet named "Cluster1 Private subnet 0".
SUBNETID=$(aws $OPTS ec2 describe-subnets --output text \
  --query 'Subnets[*].SubnetId' \
  --filter Name=tag:Name,Values="${CLNAME} Private subnet 0")

# Return the instance IDs of instances tagged "env=Cluster1" and "type=worker".
INSTANCES=$(aws $OPTS ec2 describe-instances --output text \
  --query 'Reservations[*].Instances[*].InstanceId' \
  --filters "Name=tag:env,Values=${CLNAME}" Name=tag:type,Values=worker)

Step 1

Second, we will define new security groups. The first group will allow client initiated traffic to reach the ELB. This should be locked down to something smaller than “everything” (0.0.0.0/0) especially if you have your cluster on the big, bad Internet.
The second group will allow the ELB to reach the Impala daemons running on the Hadoop cluster worker nodes.

echo "Allow Impala connections from clients to the load balancer."
FRONTEND=$(aws $OPTS ec2 create-security-group --output text --vpc-id $VPCID \
  --group-name "${CLNAME} Impala FE" --description "Impala Front-End Traffic")
aws $OPTS ec2 authorize-security-group-ingress --group-id $FRONTEND \
  --protocol tcp --port 21000 --cidr 0.0.0.0/0
aws $OPTS ec2 authorize-security-group-ingress --group-id $FRONTEND \
  --protocol tcp --port 21050 --cidr 0.0.0.0/0

echo "Allow Impala connections from the load balancer to the cluster."
BACKEND=$(aws $OPTS ec2 create-security-group --output text --vpc-id $VPCID \
  --group-name "${CLNAME} Impala BE" --description "Impala Back-End Traffic")
aws $OPTS ec2 authorize-security-group-ingress --group-id $BACKEND \
  --protocol tcp --port 21000 --source-group $FRONTEND
aws $OPTS ec2 authorize-security-group-ingress --group-id $BACKEND \
  --protocol tcp --port 21050 --source-group $FRONTEND

Then we will add each EC2 instance to the new $BACKEND security group.

for INSTANCEID in $INSTANCES; do
  GROUPID=$(aws $OPTS ec2 describe-instance-attribute --instance-id $INSTANCEID \
    --attribute groupSet --output text --query 'Groups[*].GroupId')
  aws $OPTS ec2 modify-instance-attribute --instance-id $INSTANCEID \
    --groups $GROUPID $BACKEND
done

Step 2

Next we get to the meat of this post: creating the load balancer. We will create an ELB with the name “elb-impala-Cluster1” and tell it to listen on ports 21000/TCP and 21050/TCP. The ELB will reside on subnet $SUBNETID and be a member of the security group $FRONTEND. This ELB will be internal/private and will not be available on the Internet. You can change this with the --scheme argument.

aws $OPTS elb create-load-balancer \
  --load-balancer-name elb-impala-${CLNAME} \
  --listeners \
  "Protocol=TCP,LoadBalancerPort=21000,InstanceProtocol=TCP,InstancePort=21000" \
  "Protocol=TCP,LoadBalancerPort=21050,InstanceProtocol=TCP,InstancePort=21050" \
  --subnets $SUBNETID \
  --security-groups $FRONTEND \
  --scheme internal

Step 3

After creation, we will modify some of the ELB configuration. This command will modify the Connection Idle Timeout value to 3600 seconds. It will also set up logging to go to a previously created S3 bucket named “Cluster1-logs” where files prefixed with “Cluster1-Impala” will be written every 60 minutes.

aws $OPTS elb modify-load-balancer-attributes \
  --load-balancer-name elb-impala-${CLNAME} \
  --load-balancer-attributes \
  AccessLog={Enabled=true,S3BucketName=${CLNAME}-logs,EmitInterval=60,S3BucketPrefix=${CLNAME}-Impala,ConnectionSettings={IdleTimeout=3600}

Further modifications to the ELB will add a health check for the ELB to determine if individual instances are available. The ELB will connect to port 21000/TCP every 30 seconds to test if the instance application is listening. The individual checks will timeout after 5 seconds with no response. The instance will be considered to have failed after two failed checks. The instance will return to a healthy status after five successful checks.

aws $OPTS elb configure-health-check \
  --load-balancer-name elb-impala-${CLNAME} \
  --health-check \
  Target=TCP:21000/png,Interval=30,Timeout=5,UnhealthyThreshold=2,HealthyThreshold=5

Step 4

Finally, we will attach the Hadoop worker instances to the ELB and load balancing will begin to be available.

aws $OPTS elb register-instances-with-load-balancer \
  --load-balancer-name elb-impala-${CLNAME} \
  --instances $INSTANCES

Lets not forget to look up the all-important DNS name that we will be using to talk to the ELB. We will use this to configure our client applications and for impala-shell.

ELBDNSNAME=$(aws $OPTS elb describe-load-balancers --load-balancer-names \
  elb-impala-${CLNAME} --output text --query 'LoadBalancerDescriptions[*].DNSName')
echo "*** SAVE ME ***"
echo "ELBDNSNAME : ${ELBDNSNAME}"
ELBDNSNAME=${ELBDNSNAME}

Testing

Step 5

We will test our implementation to confirm that it works to our expectation.

for (( i = 0 ; i < 10; i++ )); do
  impala-shell -i ${ELBDNSNAME} -q 'SELECT pid();' 2>&1 | grep Coordinator:
done

You should get output similar to the following which shows that we are connecting to a new coordinator each time:

Query submitted at: 2017-06-23 19:53:00 (Coordinator: http://ip-10-30-1-35.ec2.internal:25000)
Query submitted at: 2017-06-23 19:53:01 (Coordinator: http://ip-10-30-1-4.ec2.internal:25000)
Query submitted at: 2017-06-23 19:53:01 (Coordinator: http://ip-10-30-1-46.ec2.internal:25000)
Query submitted at: 2017-06-23 19:53:01 (Coordinator: http://ip-10-30-1-33.ec2.internal:25000)
Query submitted at: 2017-06-23 19:53:01 (Coordinator: http://ip-10-30-1-10.ec2.internal:25000)
Query submitted at: 2017-06-23 19:53:01 (Coordinator: http://ip-10-30-1-35.ec2.internal:25000)
Query submitted at: 2017-06-23 19:53:02 (Coordinator: http://ip-10-30-1-4.ec2.internal:25000)
Query submitted at: 2017-06-23 19:53:02 (Coordinator: http://ip-10-30-1-46.ec2.internal:25000)
Query submitted at: 2017-06-23 19:53:02 (Coordinator: http://ip-10-30-1-33.ec2.internal:25000)
Query submitted at: 2017-06-23 19:53:02 (Coordinator: http://ip-10-30-1-10.ec2.internal:25000)

Configure Impala

Step 6

Technically, there is nothing you need to configure in Impala. At least not on an insecure (non-Kerberized) cluster. You do need to tell other applications in your Hadoop distribution about the load balancer.

From Cloudera’s Using Impala through a Proxy for High Availability:

On systems managed by Cloudera Manager, on the page Impala > Configuration > Impala Daemon Default Group, specify a value for the Impala Daemons Load Balancer field. Specify the address of the load balancer in host:port format. This setting lets Cloudera Manager route all appropriate Impala-related operations through the proxy server.

Security

Since we at Clairvoyant tend to do a lot of security-enabled Hadoop deployments, it makes sense to describe how to get TLS enabled on the ELB.

Amazon has a service called AWS Certificate Manager. This service lets you provision a CA-signed TLS certificate onto the ELB with very little effort and will automatically update the certificate for you before it expires.

First we will request a certificate. Set the variable $DNAME to the name of the fully qualified domain name that you are using for the certificate. Then we will add tags so that we can provide a simple name.

DNAME=

ARN=$(aws $OPTS acm request-certificate --domain-name $DNAME \
  --subject-alternative-names $ELBDNSNAME --output text)
aws $OPTS acm add-tags-to-certificate --certificate-arn $ARN --tags \
  Name=tag:Name,Values="${CLNAME}"

At this point, the certificate is not yet issued. Emails have been sent to the domain contacts for approval of the request. Once the request is approved, we can continue with assigning the certificate to the ELB. We can list the certificates and watch to see if it has been approved. If there is any output to this command, it means the request has been approved by the domain owner.

aws $OPTS acm list-certificates --certificate-statuses ISSUED --output text \
  | grep $ARN

Lastly, we will modify the ELB from TCP mode to SSL mode and tell it to use the TLS certificate on ports 21000/TCP and 21050/TCP.

aws $OPTS delete-load-balancer-listeners \
  --load-balancer-name elb-impala-${CLNAME} --load-balancer-ports 21000
aws $OPTS elb create-load-balancer-listeners \
  --load-balancer-name elb-impala-${CLNAME} \
  --listeners \
  "Protocol=SSL,LoadBalancerPort=21000,InstanceProtocol=SSL,InstancePort=21000,SSLCertificateId=${ARN}"

aws $OPTS delete-load-balancer-listeners \
  --load-balancer-name elb-impala-${CLNAME} --load-balancer-ports 21050
aws $OPTS elb create-load-balancer-listeners \
  --load-balancer-name elb-impala-${CLNAME} \
  --listeners \
  "Protocol=SSL,LoadBalancerPort=21050,InstanceProtocol=SSL,InstancePort=21050,SSLCertificateId=${ARN}"

You should now have an Amazon-signed TLS certificate protecting your ELB traffic. To confirm, run the following command and look for something like issuer= /C=US/O=Amazon/OU=Server CA 1B/CN=Amazon.

openssl s_client -connect ${ELBDNSNAME}:21000 -nbio /dev/null \
  | openssl x509 -noout -issuer

Thats it. Happy load balancing!

Fixing an AWS EC2 Instance Boot Up Issue

Background

We recently had a problem with one of our AWS EC2 Instances after shutting it down, making some configuration changes and starting it back up. We were unable to SSH onto the machines despite the fact that the machine came up OK (we would keep getting a Connection Refused error). We reviewed the Security Group settings, Network Settings, reverted our configuration changes, made sure we were pointing to the correct IP address and much more, but we still couldn’t SSH onto the machine.

Upon viewing the system logs, we noticed that one of the disk volumes failed to be mounted onto the machine. It was an Instance Store drive that apparently was remounted onto the machine after restarting it under a different device name. This prevented the boot up from completing, which as a result prevented the sshd daemon from being started up to allow us to SSH onto the machine. With us not being able to SSH onto the machine to effect repairs we were left dead in the water. But we eventually figured a way to allow us to view the file system and make the necessary changes to fix the issue, which is described in this blog post.

In our case it was an issue with the /etc/fstab that caused us to have to follow these steps, but there are other cases where these steps can also benefit you. For example, if you mistakingly configured sshd not to start on startup of the machine or if something else failed to run during boot up which prevented the sshd daemon from starting up.

High Level Process

To resolve this, we’re going to basically unmount the bad machines root file system, mount it to a healthy machine so we can explore the file system and fix the issue, and then remount it back to the original instance.

Step by Step Process

Setup

Suppose we have our EC2 instance (call it prod-instance) which has booted up ok, but we’re unable to SSH onto.

Setup

Steps

  1. Loin to the AWS Web Console
  2. Stop the prod-instance instance
  3. Detach the root EBS volume from the prod-instance
    1. Select the prod-instance EC2 instance in the AWS console and view the content in the “Description” tab in the window bellow the instance list
    2. Search for the “Root device” field
    3. Click on the link next to it
      • It should look something like this: /dev/xvda
      • A dialog box will pop up
        Block Device Modal
    4. Take a note of the EBS ID
      • For the bellow the steps bellow, assume the EBS ID is vol-0c7bf2325c6ab485b
    5. Click on the EBS ID link
      • This will take you to a new list with information on that EBS Volume
        Available Volumes
    6. Make sure the EBS Volume vol-0c7bf2325c6ab485b is selected and click Actions -> Detach Volume
      Attached Volume Actions
    7. If you would like to abort this and reattach the volume, Jump to step #15
  4. Create a brand new micro instance that you’re able to SSH into and let it startup. We’ll call it maintenance-instance.
    • Make sure that its in the same Region and Availability Zone of the machine you detached the root volume from. Volumes cannot switch between availability zones.
    • Note: Be sure you can SSH onto the machine before proceeding forward
      ssh -i {pem_file} {username}@{ec2_host_or_ip}
       Prod Instance Stopped
  5. Mount the prod-instance‘s old root EBS volume to the maintenance-instance as an additional drive
    1. Click on the “Volumes” link on the left side of the AWS EC2 Web Console under ELASTIC BLOCK STORE
    2. Search for the EBS Volume you detached (vol-0c7bf2325c6ab485b). It will also be listed as having the State “available” (as opposed to “in-use”).
      Volume available
    3. Select the volume and click Actions -> Attach Volume
      Detached Volume Actions
    4. This will open a modal
      Attach Volume
    5. Search for your the maintenance-instance and click on the entry
      Instance Added to Attach Volume
      • By clicking on the entry it will put in a default value into the Device field. If it doesn’t, you can put in the value /dev/sdf.
    6. Click Attach
    7. Note: You do not need to stop or restart maintenance-instance before or after attaching the instance. 
  6. SSH onto the maintenance-instance
  7. Login as root
    sudo su
  8. Check the disk to ensure that the prod-instance‘s old root EBS volume is available and get the device name
    1. Run the following command to get information about what volumes are currently mounted (which should only be the default root volume at this point)
      df -h
      • This will produce a result like this:
        Filesystem Size Used Avail Use% Mounted on
        devtmpfs 488M 64K 488M 1% /dev
        tmpfs 498M 0 498M 0% /dev/shm
        /dev/xvda1 7.8G 981M 6.7G 13% /
      • What this tells you is that there is one main drive called /dev/xvda1 which is the root volume of the maintenance-instance. Thus we can ignore this device name.
    2. Run the following command to find out what the device name is of the volume we want to effect repairs on
      lsblk
      • This will produce a result like this:
        NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
        xvda 202:0 0 8G 0 disk
        └─xvda1 202:1 0 8G 0 part /
        xvdf 202:80 0 8G 0 disk
        └─xvdf1 202:81 0 8G 0 part
      • What this tells you, is that there are 2 main disks attached, each with one partition. We’ve already found out that the xvda device is the original root volume of the maintenance-instance, so by process of elimination xvdf is the disk we mounted onto the machine and want to effect repairs on.
    3. Get the device name of the volume you mounted onto the machine
      1. In our case, based off the output above, the device name is: /dev/xvdf1 (which is the partition of that disk)
      2. Note: you may have noticed the device name also available in the AWS console under the Description of the machine and under the Block devices section. However, the value provided in the AWS console isn’t always the same as the one you will see when using the fdisk or lsblk command, so therefore you shouldn’t use this value. Use the one provided in the fdisk or lsblk command.
  9. Create the directory that you want to mount the volume to (this can be named and placed wherever you would like)
    mkdir /badvolume
  10. Mount the drives partition to the directory
    mount /dev/xvdf1 /badvolume
  11. Explore the file system and make the necessary change you would like to it
    • Change directory to the newly mounted file system
      cd /badvolume
    • Note: In our case, since we were dealing with a mounting issue, we had to modify the /etc/fstab file to prevent the machine from trying to mount the volume that was failing. Since theprod-instance‘s root volume was mounted onto the /badvolume directory, the fstab file that we need to fix is at /badvolume/etc/fstab.
      • We simply commented out the bad entry and then moved on
    • When you have completed your repairs, move onto the next step
  12. Unmount the drive from the machine
    umount /badvolume
  13. Switch back to the AWS Web Console
  14. Detach the vol-0c7bf2325c6ab485b volume from the maintenance-instance
    1. Click on the “Volumes” link on the left side of the AWS Web Console under ELASTIC BLOCK STORE
    2. Search for the EBS Volume you detached (vol-0c7bf2325c6ab485b). It will also be listed as having the State “in-use”.
    3. Select the volume and click Actions -> Detach Volume
      Attached Volume Actions
  15. Re-Attach the vol-0c7bf2325c6ab485b volume to the prod-instance as the root volume
    1. Click on the “Volumes” link on the left side of the AWS Web Console under ELASTIC BLOCK STORE
    2. Search for the EBS Volume you detached (vol-0c7bf2325c6ab485b). It will also be listed as having the State “available”.
    3. Select the volume and click Actions -> Attach Volume
      Detached Volume Actions
    4. This will open a modal
      Attach Volume
    5. Search for your the prod-instance
    6. Set the Device as the root volume with the value: /dev/xvda
      Instance Added to Attach Volume
    7. Click Attach
  16. Restart the prod-instance
  17. Test SSH’ing onto the prod-instance
  18. If you’re still having issues connecting to the prod-instance then check the system logs of the machine to debug the problem and, if necessary, repeat these steps to fix the issue with the drive.
  19. When you’re all done you can terminate the maintenance-instance