Nifi-install-config
Published: 2019-06-11


Nifi

install nifi

wget http://mirrors.tuna.tsinghua.edu.cn/apache/nifi/1.3.0/nifi-1.3.0-bin.tar.gz
tar -zvxf nifi-1.3.0-bin.tar.gz

config

At a minimum, we recommend editing the nifi.properties file and entering a password for the nifi.sensitive.props.key

cd nifi-1.3.0/conf
vim nifi.properties

After opening the file, find the nifi.sensitive.props.key option (in vim, search with: /nifi.sensitive.props.key)

# security properties #
nifi.sensitive.props.key=howtoinstall
nifi.sensitive.props.key.protected=
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
nifi.sensitive.props.provider=BC
nifi.sensitive.props.additional.keys=
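A check for the setting edited above, added here as an example (it is not part of the original post or of NiFi). It reads a nifi.properties file and reports an empty, short or publicly known nifi.sensitive.props.key, an MD5-based algorithm, and a world-readable file. The function names, the 24-character minimum and the list of known values are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the sensitive-properties settings in a nifi.properties file.
# MIN_LEN and KNOWN_VALUES are choices made for this example, not NiFi defaults.
MIN_LEN=24
KNOWN_VALUES="howtoinstall password changeit"

# Value of property $2 in file $1 (text after the first '='); empty if unset.
prop_value() {
    awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); v = $0 } END { print v }' "$1"
}

# 32 bytes from the kernel CSPRNG, hex-encoded (64 characters).
gen_key() {
    dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Print findings for file $1; return 1 if any FAIL was reported.
audit_props() {
    rc=0
    key=$(prop_value "$1" nifi.sensitive.props.key)
    alg=$(prop_value "$1" nifi.sensitive.props.algorithm)
    if [ -z "$key" ]; then
        echo "FAIL nifi.sensitive.props.key is empty"; rc=1
    elif [ "${#key}" -lt "$MIN_LEN" ]; then
        echo "FAIL key has ${#key} characters, fewer than $MIN_LEN"; rc=1
    fi
    for v in $KNOWN_VALUES; do
        if [ "$key" = "$v" ]; then echo "FAIL key is a published or default value"; rc=1; fi
    done
    case $alg in
        *MD5*) echo "WARN $alg is MD5-based, so the key's own entropy carries the protection" ;;
    esac
    if [ -n "$(find "$1" -prune -perm -004)" ]; then
        echo "FAIL $1 is world-readable"; rc=1
    fi
    return $rc
}

# Constructed sample: the two relevant lines as they appear in this post.
sample=$(mktemp)
printf '%s\n' 'nifi.sensitive.props.key=howtoinstall' \
    'nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL' > "$sample"
audit_props "$sample" || true
# Replace the key with a random one, restrict the file, and audit again.
new=$(gen_key)
sed "s/^nifi\.sensitive\.props\.key=.*/nifi.sensitive.props.key=$new/" "$sample" > "$sample.new"
mv "$sample.new" "$sample"; chmod 600 "$sample"
audit_props "$sample" || true
rm -f "$sample"
```

Set the key before NiFi is started for the first time: sensitive values already stored in the flow are encrypted under the old key.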

start

From the /bin directory, execute the following commands by typing ./nifi.sh <command>:

  • start: starts NiFi in the background
  • stop: stops NiFi that is running in the background
  • status: provides the current status of NiFi
  • run: runs NiFi in the foreground and waits for a Ctrl-C to initiate shutdown of NiFi
  • install: installs NiFi as a service that can then be controlled via
        service nifi start
        service nifi stop
        service nifi status

Configuration Best Practices

Increase the number of TCP socket ports available

  • This is particularly important if your flow will be setting up and tearing down a large number of sockets in a small period of time.
sudo sysctl -w net.ipv4.ip_local_port_range="10000 65000"

Set how long sockets stay in a TIME_WAIT state when closed

  • You don’t want your sockets to sit and linger too long, given that you want to be able to quickly set up and tear down new sockets. It is a good idea to read more about it, but to adjust it do something like:
sudo sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait="1"

Tell Linux you never want NiFi to swap

  • Swapping is fantastic for some applications. It isn’t good for something like NiFi that always wants to be running. To tell Linux you’d like swapping off you can edit /etc/sysctl.conf to add the following line
vm.swappiness = 0

TLS Generation Toolkit

Standalone
wget http://mirrors.tuna.tsinghua.edu.cn/apache/nifi/1.3.0/nifi-toolkit-1.3.0-bin.tar.gz
tar -zxvf nifi-toolkit-1.3.0-bin.tar.gz

Standalone — generates the certificate authority, keystores, truststores, and nifi.properties files in one command.

Standalone mode is invoked by running ./bin/tls-toolkit.sh standalone -h which prints the usage information along with descriptions of options that can be specified.

cd nifi-toolkit-1.3.0
./bin/tls-toolkit.sh standalone -h

The most common options to specify are:

  • -n,--hostnames The comma-separated list of hostnames that you’d like to generate certificates for. It can be specified multiple times. Range and instance patterns are supported. See below for details.
  • -C,--clientCertDn The DN that you’d like to generate a client certificate for. It can be specified multiple times.
  • -f,--nifiPropertiesFile The base nifi.properties file that the tool will update for each host.
  • -o,--outputDirectory The directory to use for the resulting Certificate Authority files and NiFi configurations. A subdirectory will be made for each host.
  • Hostname Patterns:
    • Create 4 sets of keystore, truststore, nifi.properties for localhost along with a client certificate with the given DN:
      bin/tls-toolkit.sh standalone -n 'localhost(4)' -C 'CN=username,OU=NIFI'
    • Create keystore, truststore, nifi.properties for 10 NiFi hostnames in each of 4 subdomains:
      bin/tls-toolkit.sh standalone -n 'nifi[01-10].subdomain[1-4].domain'
    • Create 2 sets of keystore, truststore, nifi.properties for 10 NiFi hostnames in each of 4 subdomains along with a client certificate with the given DN:
      bin/tls-toolkit.sh standalone -n 'nifi[01-10].subdomain[1-4].domain(2)' -C 'CN=username,OU=NIFI'
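To preview which hostnames a pattern covers before any keys are issued, the following added example (not from the original post or the NiFi toolkit) expands the range and instance patterns described above. It assumes ranges are decimal lo-hi pairs zero-padded to the width of the lower bound; expand_hosts and count_sets are names made up for this example.

```shell
#!/bin/sh
# Added example: preview what a tls-toolkit -n hostname pattern stands for.
# Assumption: [lo-hi] is a decimal range, zero-padded to the width of lo.

# Print "<hostname> <instances>" for every host a -n value stands for.
expand_hosts() {
    printf '%s\n' "$1" | tr ',' '\n' | awk '
    function expand(s,   b, e, d, pre, rng, post, lo, hi, w, i) {
        b = index(s, "[")
        # No complete [..] group left: emit the name with its instance count.
        if (b == 0 || index(substr(s, b), "]") == 0) { print s, n; return }
        e = b + index(substr(s, b), "]") - 1
        pre = substr(s, 1, b - 1); post = substr(s, e + 1)
        rng = substr(s, b + 1, e - b - 1)
        d = index(rng, "-")
        lo = substr(rng, 1, d - 1); hi = substr(rng, d + 1); w = length(lo)
        for (i = lo + 0; i <= hi + 0; i++) expand(pre sprintf("%0" w "d", i) post)
    }
    {
        n = 1
        # A trailing "(N)" is the instance pattern: N sets for each hostname.
        if (match($0, /\([0-9]+\)$/)) {
            n = substr($0, RSTART + 1, RLENGTH - 2) + 0
            $0 = substr($0, 1, RSTART - 1)
        }
        expand($0)
    }'
}

# Total number of keystore/truststore/nifi.properties sets the pattern yields.
count_sets() {
    expand_hosts "$1" | awk '{ t += $2 } END { print t + 0 }'
}

# The three patterns used in this post.
for p in 'localhost(4)' 'nifi[01-10].subdomain[1-4].domain' \
         'nifi[01-10].subdomain[1-4].domain(2)'; do
    printf '%s -> %s sets\n' "$p" "$(count_sets "$p")"
done
```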

Client/Server

Server

The CA server is invoked by running ./bin/tls-toolkit.sh server -h, which prints the usage information along with descriptions of options that can be specified.

  • -f,--configJson The location of the json config (written after first run)

  • -F,--useConfigJson Loads all relevant configuration from the config json (configJson is the only other argument necessary)

  • -t,--token The token used to prevent man in the middle attacks (this should be a long, random value and needs to be known when invoking the client)

  • -D,--dn The DN for the CA

Client

The client can be used to request new Certificates from the CA. The client utility generates a keypair and Certificate Signing Request (CSR) and sends the CSR to the Certificate Authority. The client is invoked by running ./bin/tls-toolkit.sh client -h which prints the usage information along with descriptions of options that can be specified.

  • -f,--configJson The json config file

  • -c,--certificateAuthorityHostname The hostname of the CA

  • -D,--DN The DN for the CSR (and Certificate)

  • -t,--token The token used to prevent man in the middle attacks (this should be a long, random value and needs to be the same one used to start the CA server)

  • -T,--keyStoreType The type of keystore to create (leave default for NiFi nodes, specify PKCS12 to create client cert)

Reposted from: https://www.cnblogs.com/Ethan2lee/p/7546082.html
