the trustAnchors parameter must be non-empty when submitting spark job to k8s

1/8/2019

I am following https://spark.apache.org/docs/2.3.1/running-on-kubernetes.html. I run ./bin/spark-submit --class com.poc.Job --master k8s://10.189.176.130:6443 --deploy-mode cluster --conf spark.kubernetes.container.image=cr.vip.com/me/test:latest --conf spark.kubernetes.driver.pod.name=spark-job-driver --driver-java-options "-Djavax.net.ssl.trustStore=/usr/jdk1.8.0_131/jre/lib/security/cacerts" local:///opt/spark/examples/spark-streaming-1.0-SNAPSHOT-jar-with-dependencies.jar --batch-interval 10 --job-type TEST --consumer-brokers xxx --consumer-topic yyy --group-id zzz --client-id 50e3bf9 --es-index items --es-type json --param spark.cores.max=3 spark.es.nodes=10.23.12.2 spark.es.port=9200 spark.es.index.auto.create=true > log.txt to submit the spark job to k8s cluster.

I got Env variables of the driver pod:

Environment variables:
SPARK_DRIVER_MEMORY: 1g
SPARK_DRIVER_CLASS: com.poc.Job
SPARK_DRIVER_ARGS: --batch-interval 10 --job-type TEST --consumer-brokers xxx --consumer-topic yyy --group-id zzz --client-id 7150e3bf9 --es-index items --es-type json --param spark.cores.max=3 spark.es.nodes=10.23.12.2 spark.es.port=9200 spark.es.index.auto.create=true
SPARK_DRIVER_BIND_ADDRESS: (v1:status.podIP)
SPARK_MOUNTED_CLASSPATH: /opt/spark/examples/spark-streaming-1.0-SNAPSHOT-jar-with-dependencies.jar:/opt/spark/examples/spark-streaming-1.0-SNAPSHOT-jar-with-dependencies.jar
SPARK_JAVA_OPT_0: -Dspark.driver.host=spark-1546966297642-driver-svc.default.svc
SPARK_JAVA_OPT_1: -Dspark.submit.deployMode=cluster
SPARK_JAVA_OPT_2: -Dspark.driver.blockManager.port=7079
...
SPARK_JAVA_OPT_11: -Djavax.net.ssl.trustStore=/usr/jdk1.8.0_131/jre/lib/security/cacerts

I modified the docker file. And there is /usr/jdk1.8.0_131/jre/lib/security/cacerts in the docker image:

bash-4.4# cd /usr/jdk1.8.0_131/jre/lib/security/
bash-4.4# ls -al
total 124
drwxr-xr-x    2 root     root          4096 Jan  8 16:44 .
drwxr-xr-x    3 root     root          4096 Jan  8 16:44 ..
-rw-r--r--    1 root     root        116377 Jan  8 14:25 cacerts

But I got the following error:

Caused by: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1921)
    at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1904)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1420)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1334)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1309)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:259)

Why? Any comments welcomed. Thanks

-- BAE
apache-spark
docker
java
kubernetes
scala

0 Answers