From 622318492586068b189495b5b37841be4bf31951 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Wa=C5=9B?= <jan.was@starburstdata.com>
Date: Fri, 8 Sep 2023 15:15:22 +0200
Subject: [PATCH] Add HDP3 image with KMS

---
 testing/hdp3.1-hive-kerberized-kms/Dockerfile |  38 ++++++
 .../files/etc/hadoop-kms/conf/core-site.xml   |   9 ++
 .../files/etc/hadoop-kms/conf/kms-acls.xml    |  35 +++++
 .../files/etc/hadoop-kms/conf/kms-site.xml    |  29 +++++
 .../files/etc/hadoop-kms/conf/passwordfile    |   1 +
 .../files/etc/hadoop/conf/core-site.xml       |  80 ++++++++++++
 .../files/etc/hadoop/conf/hdfs-site.xml       | 123 ++++++++++++++++++
 .../files/etc/hadoop/conf/taskcontroller.cfg  |   5 +
 .../files/etc/hive/conf/hive-site.xml         | 116 +++++++++++++++++
 .../files/etc/hive/conf/hiveserver2-site.xml  |  16 +++
 .../files/etc/supervisord.d/kms.conf          |   9 ++
 .../files/root/setup_kms.sh                   |  65 +++++++++
 12 files changed, 526 insertions(+)
 create mode 100644 testing/hdp3.1-hive-kerberized-kms/Dockerfile
 create mode 100644 testing/hdp3.1-hive-kerberized-kms/files/etc/hadoop-kms/conf/core-site.xml
 create mode 100644 testing/hdp3.1-hive-kerberized-kms/files/etc/hadoop-kms/conf/kms-acls.xml
 create mode 100644 testing/hdp3.1-hive-kerberized-kms/files/etc/hadoop-kms/conf/kms-site.xml
 create mode 100644 testing/hdp3.1-hive-kerberized-kms/files/etc/hadoop-kms/conf/passwordfile
 create mode 100644 testing/hdp3.1-hive-kerberized-kms/files/etc/hadoop/conf/core-site.xml
 create mode 100644 testing/hdp3.1-hive-kerberized-kms/files/etc/hadoop/conf/hdfs-site.xml
 create mode 100644 testing/hdp3.1-hive-kerberized-kms/files/etc/hadoop/conf/taskcontroller.cfg
 create mode 100644 testing/hdp3.1-hive-kerberized-kms/files/etc/hive/conf/hive-site.xml
 create mode 100644 testing/hdp3.1-hive-kerberized-kms/files/etc/hive/conf/hiveserver2-site.xml
 create mode 100644 testing/hdp3.1-hive-kerberized-kms/files/etc/supervisord.d/kms.conf
 create mode 100755 testing/hdp3.1-hive-kerberized-kms/files/root/setup_kms.sh

diff --git a/testing/hdp3.1-hive-kerberized-kms/Dockerfile b/testing/hdp3.1-hive-kerberized-kms/Dockerfile
new file mode 100644
index 00000000..1b25fd32
--- /dev/null
+++ b/testing/hdp3.1-hive-kerberized-kms/Dockerfile
@@ -0,0 +1,38 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM testing/hdp3.1-hive-kerberized:unlabelled
+ARG ADDPRINC_ARGS="-maxrenewlife \"10 days\" +allow_renewable"
+
+# Install KMS
+ARG HADOOP_VERSION=3.1.4
+ARG HADOOP_BINARY_PATH=https://archive.apache.org/dist/hadoop/common/hadoop-$HADOOP_VERSION/hadoop-$HADOOP_VERSION.tar.gz
+RUN curl -fLsS -o /tmp/hadoop.tar.gz --url $HADOOP_BINARY_PATH && \
+    tar xzf /tmp/hadoop.tar.gz --directory /opt && mv /opt/hadoop-$HADOOP_VERSION /opt/hadoop
+
+# COPY CONFIGURATION
+COPY ./files /
+COPY ./files/etc/hadoop-kms/conf /opt/hadoop/etc/hadoop/
+
+# add users and group for testing purposes
+RUN set -xeu && \
+    for username in alice bob charlie; do \
+        groupadd "${username}_group" && \
+        useradd -g "${username}_group" "${username}" && \
+        /usr/sbin/kadmin.local -q "addprinc ${ADDPRINC_ARGS} -randkey ${username}/hadoop-master@LABS.TERADATA.COM" && \
+        /usr/sbin/kadmin.local -q "xst -norandkey -k /etc/hive/conf/${username}.keytab ${username}/hadoop-master"; \
+    done && \
+    echo OK
+
+RUN /root/setup_kms.sh
+
+CMD supervisord -c /etc/supervisord.conf
diff --git a/testing/hdp3.1-hive-kerberized-kms/files/etc/hadoop-kms/conf/core-site.xml b/testing/hdp3.1-hive-kerberized-kms/files/etc/hadoop-kms/conf/core-site.xml
new file mode 100644
index 00000000..ddf829a1
--- /dev/null
+++ b/testing/hdp3.1-hive-kerberized-kms/files/etc/hadoop-kms/conf/core-site.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0"?>
+<configuration>
+
+    <property>
+        <name>fs.defaultFS</name>
+        <value>hdfs://hadoop-master:9000</value>
+    </property>
+
+</configuration>
diff --git a/testing/hdp3.1-hive-kerberized-kms/files/etc/hadoop-kms/conf/kms-acls.xml b/testing/hdp3.1-hive-kerberized-kms/files/etc/hadoop-kms/conf/kms-acls.xml
new file mode 100644
index 00000000..0a31b900
--- /dev/null
+++ b/testing/hdp3.1-hive-kerberized-kms/files/etc/hadoop-kms/conf/kms-acls.xml
@@ -0,0 +1,35 @@
+<configuration>
+     <!--
+    org.apache.hadoop.crypto.key.kms.server.KeyAuthorizationKeyProvider.KeyOpType from hadoop-kms-2.6.0-cdh5.13.1-classes.jar
+        ALL,
+        READ,
+        MANAGEMENT,
+        GENERATE_EEK,
+        DECRYPT_EEK;
+        -->
+     <property>
+        <name>default.key.acl.ALL</name> <!-- not sure this is valid for default ACL -->
+        <value>*</value>
+    </property>
+
+    <property>
+        <name>default.key.acl.MANAGEMENT</name>
+        <value>*</value>
+    </property>
+
+    <property>
+        <name>default.key.acl.READ</name>
+        <value>*</value>
+    </property>
+
+    <property>
+        <name>default.key.acl.GENERATE_EEK</name>
+        <value>*</value>
+    </property>
+
+    <property>
+        <name>default.key.acl.DECRYPT_EEK</name>
+        <value>*</value>
+    </property>
+
+</configuration>
diff --git a/testing/hdp3.1-hive-kerberized-kms/files/etc/hadoop-kms/conf/kms-site.xml b/testing/hdp3.1-hive-kerberized-kms/files/etc/hadoop-kms/conf/kms-site.xml
new file mode 100644
index 00000000..52ee4b51
--- /dev/null
+++ b/testing/hdp3.1-hive-kerberized-kms/files/etc/hadoop-kms/conf/kms-site.xml
@@ -0,0 +1,29 @@
+<?xml version="1.0"?>
+<configuration>
+
+    <property>
+        <name>hadoop.kms.key.provider.uri</name>
+        <value>jceks://file@/${user.home}/kms.keystore</value>
+    </property>
+
+    <property>
+        <name>hadoop.kms.authentication.type</name>
+        <value>kerberos</value>
+    </property>
+
+    <property>
+        <name>hadoop.kms.authentication.kerberos.keytab</name>
+        <value>/etc/hadoop/conf/HTTP.keytab</value>
+    </property>
+
+    <property>
+        <name>hadoop.kms.authentication.kerberos.principal</name>
+        <value>HTTP/hadoop-master</value>
+    </property>
+
+    <property>
+        <name>hadoop.kms.authentication.kerberos.name.rules</name>
+        <value>DEFAULT</value>
+    </property>
+
+</configuration>
diff --git a/testing/hdp3.1-hive-kerberized-kms/files/etc/hadoop-kms/conf/passwordfile b/testing/hdp3.1-hive-kerberized-kms/files/etc/hadoop-kms/conf/passwordfile
new file mode 100644
index 00000000..7d8381bf
--- /dev/null
+++ b/testing/hdp3.1-hive-kerberized-kms/files/etc/hadoop-kms/conf/passwordfile
@@ -0,0 +1 @@
+abc1234
diff --git a/testing/hdp3.1-hive-kerberized-kms/files/etc/hadoop/conf/core-site.xml b/testing/hdp3.1-hive-kerberized-kms/files/etc/hadoop/conf/core-site.xml
new file mode 100644
index 00000000..f1b1a01b
--- /dev/null
+++ b/testing/hdp3.1-hive-kerberized-kms/files/etc/hadoop/conf/core-site.xml
@@ -0,0 +1,80 @@
+<?xml version="1.0"?>
+<configuration>
+
+    <property>
+        <name>fs.defaultFS</name>
+        <value>hdfs://hadoop-master:9000</value>
+    </property>
+
+    <property>
+        <name>fs.permissions.umask-mode</name>
+        <value>000</value>
+    </property>
+
+    <!-- HTTPFS proxy user setting -->
+    <property>
+        <name>hadoop.proxyuser.httpfs.hosts</name>
+        <value>*</value>
+    </property>
+
+    <property>
+        <name>hadoop.proxyuser.httpfs.groups</name>
+        <value>*</value>
+    </property>
+
+    <!-- Hive impersonation -->
+    <property>
+        <name>hadoop.proxyuser.hive.hosts</name>
+        <value>*</value>
+    </property>
+
+    <property>
+        <name>hadoop.proxyuser.hive.groups</name>
+        <value>*</value>
+    </property>
+
+    <!-- Hdfs impersonation -->
+    <property>
+        <name>hadoop.proxyuser.hdfs.groups</name>
+        <value>*</value>
+    </property>
+
+    <property>
+        <name>hadoop.proxyuser.hdfs.hosts</name>
+        <value>*</value>
+    </property>
+
+    <!-- Trino impersonation -->
+    <property>
+        <name>hadoop.proxyuser.presto-server.groups</name>
+        <value>*</value>
+    </property>
+
+    <property>
+        <name>hadoop.proxyuser.presto-server.hosts</name>
+        <value>*</value>
+    </property>
+
+    <!-- Enable authentication -->
+    <property>
+        <name>hadoop.security.authentication</name>
+        <value>kerberos</value>
+    </property>
+
+    <property>
+        <name>hadoop.security.authorization</name>
+        <value>true</value>
+    </property>
+
+    <!-- KMS -->
+    <property>
+        <name>hadoop.security.key.provider.path</name>
+        <value>kms://http@hadoop-master:9600/kms</value>
+    </property>
+
+    <property>
+        <name>dfs.encryption.key.provider.uri</name>
+        <value>kms://http@hadoop-master:9600/kms</value>
+    </property>
+
+</configuration>
diff --git a/testing/hdp3.1-hive-kerberized-kms/files/etc/hadoop/conf/hdfs-site.xml b/testing/hdp3.1-hive-kerberized-kms/files/etc/hadoop/conf/hdfs-site.xml
new file mode 100644
index 00000000..185d814f
--- /dev/null
+++ b/testing/hdp3.1-hive-kerberized-kms/files/etc/hadoop/conf/hdfs-site.xml
@@ -0,0 +1,123 @@
+<?xml version="1.0"?>
+<!--
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  ~
+  -->
+<configuration>
+
+    <property>
+        <name>dfs.namenode.name.dir</name>
+        <value>/var/lib/hadoop-hdfs/cache/name/</value>
+    </property>
+
+    <property>
+        <name>dfs.datanode.data.dir</name>
+        <value>/var/lib/hadoop-hdfs/cache/data/</value>
+    </property>
+
+    <property>
+        <name>fs.viewfs.mounttable.hadoop-viewfs.link./default</name>
+        <value>hdfs://hadoop-master:9000/user/hive/warehouse</value>
+    </property>
+
+    <!-- General HDFS security config -->
+    <property>
+        <name>dfs.block.access.token.enable</name>
+        <value>true</value>
+    </property>
+
+    <!-- NameNode security config -->
+    <property>
+        <name>dfs.namenode.keytab.file</name>
+        <value>/etc/hadoop/conf/hdfs.keytab</value>
+        <!-- path to the HDFS keytab -->
+    </property>
+
+    <property>
+        <name>dfs.namenode.kerberos.principal</name>
+        <value>hdfs/hadoop-master@LABS.TERADATA.COM</value>
+    </property>
+
+    <property>
+        <name>dfs.namenode.kerberos.internal.spnego.principal</name>
+        <value>HTTP/hadoop-master@LABS.TERADATA.COM</value>
+    </property>
+
+    <!-- Secondary NameNode security config -->
+    <property>
+        <name>dfs.secondary.namenode.keytab.file</name>
+        <value>/etc/hadoop/conf/hdfs.keytab</value>
+        <!-- path to the HDFS keytab -->
+    </property>
+
+    <property>
+        <name>dfs.secondary.namenode.kerberos.principal</name>
+        <value>hdfs/hadoop-master@LABS.TERADATA.COM</value>
+    </property>
+
+    <property>
+        <name>dfs.secondary.namenode.kerberos.internal.spnego.principal</name>
+        <value>HTTP/hadoop-master@LABS.TERADATA.COM</value>
+    </property>
+
+    <!-- DataNode security config -->
+    <property>
+        <name>dfs.datanode.keytab.file</name>
+        <value>/etc/hadoop/conf/hdfs.keytab</value>
+        <!-- path to the HDFS keytab -->
+    </property>
+
+    <property>
+        <name>dfs.datanode.kerberos.principal</name>
+        <value>hdfs/hadoop-master@LABS.TERADATA.COM</value>
+    </property>
+
+    <!-- WebHDFS security config -->
+    <property>
+        <name>dfs.webhdfs.enabled</name>
+        <value>true</value>
+    </property>
+
+    <!-- Web Authentication config -->
+    <property>
+        <name>dfs.web.authentication.kerberos.principal</name>
+        <value>HTTP/hadoop-master@LABS.TERADATA.COM</value>
+    </property>
+
+    <property>
+        <name>dfs.web.authentication.kerberos.keytab</name>
+        <value>/etc/hadoop/conf/HTTP.keytab</value>
+        <!-- path to the HTTP keytab -->
+    </property>
+
+    <property>
+        <name>ignore.secure.ports.for.testing</name>
+        <value>true</value>
+    </property>
+
+    <property>
+        <name>dfs.http.policy</name>
+        <value>HTTP_ONLY</value>
+    </property>
+
+    <property>
+        <name>dfs.namenode.acls.enabled</name>
+        <value>true</value>
+    </property>
+
+    <property>
+        <name>dfs.permissions</name>
+        <value>true</value>
+    </property>
+
+</configuration>
diff --git a/testing/hdp3.1-hive-kerberized-kms/files/etc/hadoop/conf/taskcontroller.cfg b/testing/hdp3.1-hive-kerberized-kms/files/etc/hadoop/conf/taskcontroller.cfg
new file mode 100644
index 00000000..2384a21e
--- /dev/null
+++ b/testing/hdp3.1-hive-kerberized-kms/files/etc/hadoop/conf/taskcontroller.cfg
@@ -0,0 +1,5 @@
+hadoop.log.dir=/var/log/hadoop-mapreduce
+mapreduce.tasktracker.group=mapred
+banned.users=mapred,bin
+min.user.id=0
+allowed.system.users=nobody,hive
diff --git a/testing/hdp3.1-hive-kerberized-kms/files/etc/hive/conf/hive-site.xml b/testing/hdp3.1-hive-kerberized-kms/files/etc/hive/conf/hive-site.xml
new file mode 100644
index 00000000..4e1ab443
--- /dev/null
+++ b/testing/hdp3.1-hive-kerberized-kms/files/etc/hive/conf/hive-site.xml
@@ -0,0 +1,116 @@
+<?xml version="1.0"?>
+<configuration>
+
+    <property>
+        <name>javax.jdo.option.ConnectionURL</name>
+        <value>jdbc:mysql://localhost/metastore</value>
+    </property>
+
+    <property>
+        <name>javax.jdo.option.ConnectionDriverName</name>
+        <value>com.mysql.jdbc.Driver</value>
+    </property>
+
+    <property>
+        <name>javax.jdo.option.ConnectionUserName</name>
+        <value>root</value>
+    </property>
+
+    <property>
+        <name>javax.jdo.option.ConnectionPassword</name>
+        <value>root</value>
+    </property>
+
+    <property>
+        <name>datanucleus.autoCreateSchema</name>
+        <value>false</value>
+    </property>
+
+    <property>
+        <name>datanucleus.fixedDatastore</name>
+        <value>true</value>
+    </property>
+
+    <property>
+        <name>datanucleus.autoStartMechanism</name>
+        <value>SchemaTable</value>
+    </property>
+
+    <property>
+        <name>hive.security.authorization.createtable.owner.grants</name>
+        <value>ALL</value>
+    </property>
+
+    <property>
+        <name>hive.users.in.admin.role</name>
+        <value>hdfs,hive</value>
+    </property>
+
+    <!-- Enable authentication -->
+    <property>
+        <name>hive.server2.authentication</name>
+        <value>KERBEROS</value>
+    </property>
+
+    <property>
+        <name>hive.server2.enable.impersonation</name>
+        <value>false</value>
+    </property>
+
+    <property>
+        <name>hive.server2.authentication.kerberos.principal</name>
+        <value>hive/hadoop-master@LABS.TERADATA.COM</value>
+    </property>
+
+    <property>
+        <name>hive.server2.authentication.kerberos.keytab</name>
+        <value>/etc/hive/conf/hive.keytab</value>
+    </property>
+
+    <property>
+        <name>hive.metastore.sasl.enabled</name>
+        <value>true</value>
+    </property>
+
+    <property>
+        <name>hive.metastore.kerberos.keytab.file</name>
+        <value>/etc/hive/conf/hive.keytab</value>
+    </property>
+
+    <property>
+        <name>hive.metastore.kerberos.principal</name>
+        <value>hive/hadoop-master@LABS.TERADATA.COM</value>
+    </property>
+
+    <property>
+        <!-- https://community.hortonworks.com/content/supportkb/247055/errorjavalangunsupportedoperationexception-storage.html -->
+        <name>metastore.storage.schema.reader.impl</name>
+        <value>org.apache.hadoop.hive.metastore.SerDeStorageSchemaReader</value>
+    </property>
+
+    <property>
+        <name>hive.support.concurrency</name>
+        <value>true</value>
+    </property>
+
+    <property>
+        <name>hive.compactor.initiator.on</name>
+        <value>true</value>
+    </property>
+
+    <property>
+        <name>hive.compactor.worker.threads</name>
+        <value>1</value>
+    </property>
+
+    <property>
+        <name>hive.txn.manager</name>
+        <value>org.apache.hadoop.hive.ql.lockmgr.DbTxnManager</value>
+    </property>
+
+    <property>
+        <name>hive.metastore.disallow.incompatible.col.type.changes</name>
+        <value>false</value>
+    </property>
+
+</configuration>
diff --git a/testing/hdp3.1-hive-kerberized-kms/files/etc/hive/conf/hiveserver2-site.xml b/testing/hdp3.1-hive-kerberized-kms/files/etc/hive/conf/hiveserver2-site.xml
new file mode 100644
index 00000000..520cd41d
--- /dev/null
+++ b/testing/hdp3.1-hive-kerberized-kms/files/etc/hive/conf/hiveserver2-site.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0"?>
+<configuration>
+
+    <!-- Disable embedded Metastore -->
+    <property>
+        <name>hive.metastore.uris</name>
+        <value>thrift://localhost:9083</value>
+    </property>
+
+    <!-- Enable authentication -->
+    <property>
+        <name>hive.security.authenticator.manager</name>
+        <value>org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator</value>
+    </property>
+
+</configuration>
diff --git a/testing/hdp3.1-hive-kerberized-kms/files/etc/supervisord.d/kms.conf b/testing/hdp3.1-hive-kerberized-kms/files/etc/supervisord.d/kms.conf
new file mode 100644
index 00000000..0e94b344
--- /dev/null
+++ b/testing/hdp3.1-hive-kerberized-kms/files/etc/supervisord.d/kms.conf
@@ -0,0 +1,9 @@
+[program:kms]
+environment=HADOOP_KEYSTORE_PASSWORD="abc1234"
+command=/opt/hadoop/sbin/kms.sh run
+autostart=true
+autorestart=true
+redirect_stderr=true
+##### stdout_logfile=/var/log/hadoop-kms/kms.log
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
diff --git a/testing/hdp3.1-hive-kerberized-kms/files/root/setup_kms.sh b/testing/hdp3.1-hive-kerberized-kms/files/root/setup_kms.sh
new file mode 100755
index 00000000..84cd69e6
--- /dev/null
+++ b/testing/hdp3.1-hive-kerberized-kms/files/root/setup_kms.sh
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+set -xeuo pipefail
+
+function retry() {
+  END=$(($(date +%s) + 600))
+
+  while (( $(date +%s) < $END )); do
+    set +e
+    "$@"
+    EXIT_CODE=$?
+    set -e
+
+    if [[ ${EXIT_CODE} == 0 ]]; then
+      break
+    fi
+    sleep 5
+  done
+
+  return ${EXIT_CODE}
+}
+
+supervisord -c /etc/supervisord.conf &
+
+retry kinit -kt /etc/hadoop/conf/hdfs.keytab hdfs/hadoop-master@LABS.TERADATA.COM
+retry hdfs dfsadmin -safemode leave
+
+retry kinit -kt /etc/hive/conf/hive.keytab hive/hadoop-master@LABS.TERADATA.COM
+while ! beeline -n hive -e "SELECT 1"; do
+    echo "Waiting for HiveServer2 ..."
+    sleep 10s
+done
+
+# the default directory must be empty before enabling encryption
+hiveUrl="jdbc:hive2://hadoop-master:10000/default;principal=hive/hadoop-master@LABS.TERADATA.COM"
+beeline -u "$hiveUrl" -e "drop schema information_schema cascade; drop schema sys cascade;"
+hadoop fs -rm -f -r /user/hive/warehouse/.Trash
+
+retry kinit -kt /etc/hadoop/conf/hdfs.keytab hdfs/hadoop-master@LABS.TERADATA.COM
+hadoop key create key1 -size 256
+hdfs crypto -createZone -keyName key1 -path /user/hive/warehouse
+hdfs crypto -listZones
+
+# Create `information_schema` and `sys` schemas in Hive
+retry kinit -kt /etc/hive/conf/hive.keytab hive/hadoop-master@LABS.TERADATA.COM
+/usr/hdp/current/hive-client/bin/schematool -userName hive -metaDbType mysql -dbType hive \
+    -url "$hiveUrl" -driver org.apache.hive.jdbc.HiveDriver \
+    -initSchema
+
+su -s /bin/bash hdfs -c 'kinit -kt /etc/hadoop/conf/hdfs.keytab hdfs/hadoop-master@LABS.TERADATA.COM'
+for username in alice bob charlie; do
+    su -s /bin/bash hdfs -c "/usr/bin/hadoop fs -mkdir /user/$username"
+    su -s /bin/bash hdfs -c "/usr/bin/hadoop fs -chown $username /user/$username"
+done
+
+supervisorctl stop all
+pkill -F /var/run/supervisord.pid
+wait
+
+# Purge Kerberos credential cache of root user
+kdestroy
+
+find /var/log -type f -name \*.log -printf "truncate %p\n" -exec truncate --size 0 {} \; && \
+# Purge /tmp, this includes credential caches of other users
+find /tmp -mindepth 1 -maxdepth 1 -exec rm -rf {} +