Cluster actions

Anton Vasilev

This article describes the actions available for the ADB ES cluster in the ADCM UI.

Overview

You can find cluster actions on the Clusters page.

The Clusters page
The Clusters page

Refer to ADCM documentation for an overview of the Clusters page and common actions.

The Actions column shows icons for managing the cluster:

  • actions default dark actions default light — opens the drop-down list that offers actions to manage the cluster.

    Open a list of available cluster actions
    Open a list of available cluster actions

  • upgrade default — indicates whether a new version of a bundle is available and allows you to upgrade the cluster.

  • delete default — deletes information about the cluster from ADCM (it does not remove ADB ES or make any changes to hosts that belong to the cluster).

IMPORTANT

When upgrading ADB ES, follow the order:

  1. Upgrade an ADB ES cluster.

  2. Upgrade agents on the ADB side (see the Reinstall service action for ADBC agents and ADBM agents).

A set of cluster actions (available after clicking actions default dark actions default light) depends on the current ADB ES cluster status.

Available actions depending on the ADB ES status
Status Condition Available actions

created

The ADB ES cluster was created via ADCM, but not installed yet

installed

The ADB ES cluster was successfully installed via ADCM

For information on the Precheck and Install actions, see Install a cluster. The actions for an installed cluster are described below.

Check

The Check action verifies that all hosts, components, and services are configured according to the ADB ES cluster requirements (similarly to what the Precheck action does). Additionally, it checks the status of each ADB ES service.

Reconfigure Vault integration

The Reconfigure Vault integration action is used to apply changes to the Vault integration parameters. These parameters are available on the Configuration tab of the cluster page and allow you to store secrets of ADB ES services in HashiCorp Vault.

IMPORTANT

  • Before editing Vault integration parameters, ensure that Vault is installed and configured.

  • Each time you edit and save parameters in the Vault integration section, run the cluster action Reconfigure Vault integration.

  • Currently, Vault can be used to store authentication parameters of ADB Control and ADBM.

Manage SSL

Configures and enables SSL for the entire ADB ES cluster. In the window that opens, select SSL configuration to enable SSL and configure the parameters described below.

IMPORTANT

After you enable or disable SSL in ADB ES, run the Reconfigure and restart action of the ADBC agents and ADBM agents services in the corresponding ADB clusters integrated with the current ADB ES cluster.
Parameter Description

Verify system endpoints' certificates

Enables verification of system endpoint certificates. When using this option with self-signed certificates, make sure that you added the root and intermediate CA certificates to the OS trusted root certificate stores. In order to use the Verify system endpoints' certificates option with your own certificates, for proper verification, add the ADB Control IP address to the CN field of the san.cnf file (SAN) and exclude DNS from the alt_names section (leave only the IP address)

Postgres server certificate path

Path to the PostgreSQL certificate file (in PEM format). Required file permissions: 640, owner and group: postgres:postgres. The field is only available for the internal type of the Database service

Postgres server private key path

Path to the PostgreSQL private key file (in PEM format). Required file permissions: 600, owner and group: postgres:postgres. The field is only available for the internal type of the Database service

clickhouse ca certificate path

Path to the root CA certificate for ClickHouse (in PEM format). Required file permissions: 640, owner and group: clickhouse:clickhouse. The field is only available for the internal type of the Clickhouse service

clickhouse server certificate path

Path to the ClickHouse server certificate file (in PEM format). Required file permissions: 640, owner and group: clickhouse:clickhouse. The field is only available for the internal type of the Clickhouse service

clickhouse server private key path

Path to the ClickHouse server private key file (in PEM format). Required file permissions: 600, owner and group: clickhouse:clickhouse. The field is only available for the internal type of the Clickhouse service

Server truststore path

Path to the truststore for server-side Java components — ADB Control and AD Eureka (for ADBM, see requirements below). Format: PKCS #12. Required owner and group: adcc:adcc

Server truststore password

Password that was set for the server truststore specified in Server truststore path

Server keystore path

Path to the keystore for server-side Java components (ADB Control, AD Eureka). Format: PKCS #12. Required owner and group: adcc:adcc

Server keystore password

Password that was set for the server keystore specified in Server keystore path

Agent truststore path

Path to the truststore for ADBC/ADBM agents (on the ADB hosts). Format: PKCS #12. Required owner and group: gpadmin:gpadmin

Agent truststore password

Password that was set for the agents truststore specified in Agent truststore path

Agents keystore path

Path to the keystore for agents. Format: PKCS #12. Required owner and group: gpadmin:gpadmin

Agents keystore password

Password that was set for the agents keystore specified in Agents keystore path
The Manage SSL window
The Manage SSL window

Certificate requirements

When creating certificates, the requirements are as follows:

  • If ADB Control and AD Eureka are installed on separate hosts, the absolute paths to the keystore and truststore files must be identical on both hosts. You then specify these paths in Server keystore path and Server truststore path.

  • The file owners (listed above) must have read access to every directory in the path to the truststore and keystore files.

  • For ADBM, additional configuration is required.

  • The Manage SSL cluster action doesn’t apply to external databases. If you use them, import their certificates to the truststore specified in Server truststore path.

Configure SSL for ADBM

If you use ADBM, take the following steps to enable SSL for it:

  1. Open the ADBM service configuration.

  2. Expand the Backend parameters → ADBM server app environment key-value section.

  3. Using Add property, add two properties.

    Property name Value Value example

    ADBM_CORE_SSL_KEY_STORE

    Path to a keystore file prefixed by file:. Required owner and group: adbm:adbm

    file:/opt/adbm/ssl/keystore.p12

    ADBM_CORE_SSL_TRUST_STORE

    Path to a truststore file prefixed by file:. Required owner and group: adbm:adbm

    file:/opt/adbm/ssl/truststore.p12

  4. Click Save to save the configuration.

IMPORTANT

Do not run the Reconfigure & Restart action to apply the configuration, just save it. These properties are applied when you run the Manage SSL cluster action.
Configure SSL for ADBM
Configure SSL for ADBM

Check results

If the Manage SSL action completed successfully, the ADB ES components start interacting over SSL. The web servers will require TLS, so to access the web interfaces of the services, use https while entering their addresses:

  • ADB Control: https://<ADB Control UI IP address>:8890

  • AD Eureka: https://<AD Eureka IP address>:8761

  • Clickhouse: https://<Clickhouse IP address>:8443 (when SSL is disabled, the 8123 port is used instead)

You can also check that TLS is used in PostgreSQL. For example, for internal ADPG databases, connect to adcc or adbm:

$ sudo su - postgres
$ psql -p 5433 -d adcc

As a result, the TLS version is shown indicating that encrypted connections are used between the database and clients:

psql (16.3)
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, compression: off)
Type "help" for help.

adcc=#

Reinstall

The Reinstall action reinstalls the ADB ES cluster.

Reinstall statuschecker

The Reinstall statuschecker action reconfigures and restarts the statuschecker for all cluster services. Use this action when migrating a cluster to a new ADCM server.

Start

The Start action starts all services in the ADB ES cluster.

After you select the action, a dialog box opens where you can set the value for the Apply services configs from ADCM option. Enable this option to apply all changes made in the configurations of the services. Otherwise, the services will just start without applying the changes.

The Start window
The Start window

Stop

Stops all services of the ADB ES cluster.

Found a mistake? Seleсt text and press Ctrl+Enter to report it