Ao
Developer Tools Azure

Apache Ozone on Ubuntu 24.04 on Azure User Guide

| Product: Apache Ozone on Ubuntu 24.04 LTS on Azure

Overview

Apache Ozone is the scalable, distributed object store for Hadoop and cloud-native workloads. It exposes both an S3-compatible API and an HDFS-compatible (ofs) API over a single namespace that scales to billions of objects. The cloudimg image installs Ozone 1.4.1 as a single-VM all-roles cluster: the Ozone Manager (OM), the Storage Container Manager (SCM), one Datanode, the Recon management UI and the S3 Gateway all run on one Azure VM, so a single VM gives you a fully functional Ozone cluster for development, testing, single-tenant object storage and proof-of-concept workloads with no multi-node cluster to stand up. All Ozone services bind to loopback; the Recon management UI is fronted by an nginx reverse proxy on TCP 80 with HTTP Basic auth, and a unique administrator password and per-VM S3 credentials are generated on the first boot of every VM. Backed by 24/7 cloudimg support.

What is included:

  • Apache Ozone 1.4.1 (Apache-2.0) as a single-VM all-roles cluster (OM + SCM + Datanode + Recon + S3 Gateway)
  • OpenJDK 17
  • A dedicated 50 GiB Azure data disk at /var/lib/ozone holding the OM and SCM metadata, the HDDS datanode container data and the Recon database — separate from the OS disk and re-provisioned with every VM
  • All Ozone services bound to 127.0.0.1 (OM 9862/9874, SCM 9860/9863/9876, Datanode 9882, Recon 9888, S3 Gateway 9878)
  • nginx reverse proxy on :80 with HTTP Basic auth in front of the Recon management UI, plus an unauthenticated /health endpoint
  • Per-VM admin password and per-VM S3 access key and secret generated at first boot, in a root-only file
  • ozone-scm, ozone-om, ozone-datanode, ozone-recon, ozone-s3g and nginx as systemd units, enabled and active
  • 24/7 cloudimg support

Prerequisites

An active Azure subscription, an SSH key pair, and a VNet + subnet in the target region. Standard_B4ms (4 vCPU / 16 GiB RAM) is a good starting point — Ozone runs five JVMs and is memory hungry. NSG inbound: allow 22/tcp from your management network and 80/tcp from the users who reach the Recon UI (front port 80 with TLS for public exposure — see Enabling HTTPS).

Step 1 — Deploy from the Azure Marketplace

Sign in to the Azure Portal, choose Create a resource, search the Marketplace for Apache Ozone by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22) and HTTP (80). Review the dedicated 50 GiB data disk on the Disks tab, then Review + create -> Create.

Step 2 — Deploy from the Azure CLI

az vm create \
  --resource-group <your-rg> \
  --name ozone \
  --image <marketplace-image-urn> \
  --size Standard_B4ms \
  --admin-username azureuser \
  --ssh-key-values ~/.ssh/id_ed25519.pub \
  --vnet-name <your-vnet> --subnet <your-subnet> \
  --public-ip-sku Standard

az vm open-port --resource-group <your-rg> --name ozone --port 80 --priority 1010

Step 3 — Connect to your VM

ssh azureuser@<vm-public-ip>

Step 4 — Confirm the services are running

systemctl is-active ozone-scm.service ozone-om.service ozone-datanode.service ozone-recon.service ozone-s3g.service nginx.service

All six services report active.

Apache Ozone and nginx services on Ubuntu 24.04

Step 5 — Confirm the gateway answers

The nginx reverse proxy serves an unauthenticated /health endpoint for liveness checks and fronts the Ozone Recon management UI behind HTTP Basic auth:

curl -s -o /dev/null -w 'health endpoint -> HTTP %{http_code}\n' http://127.0.0.1/health
curl -s -o /dev/null -w 'Recon UI (no auth) -> HTTP %{http_code}\n' http://127.0.0.1/

The /health endpoint returns HTTP 200; the Recon UI returns HTTP 401 until you supply the per-VM credentials.

Ozone version and S3 gateway status

Step 6 — Retrieve your admin password and S3 credentials

The administrator password and the per-VM S3 access key and secret are generated uniquely on the first boot of your VM and written to a root-only file:

sudo grep -E '^OZONE_(ADMIN|S3)_' /root/ozone-credentials.txt

OZONE_ADMIN_USER is admin and OZONE_ADMIN_PASSWORD is the password that protects the Recon management UI. OZONE_S3_ACCESS_KEY and OZONE_S3_SECRET_KEY are the credentials for the loopback S3 gateway.

Per-VM admin password and Recon UI auth round-trip

Step 7 — Open the Recon management UI

The Recon UI sits behind nginx HTTP Basic auth. Read the per-VM password into a shell variable and confirm a wrong password is rejected while the real one returns the UI. Run the password-bearing request with your own password substituted in — for example, to fetch the UI with the credentials from Step 6:

curl -s -o /dev/null -w '%{http_code}\n' -u admin:<OZONE_ADMIN_PASSWORD> http://127.0.0.1/

A wrong password returns HTTP 401; the correct one returns HTTP 200 (the Recon overview page). In a browser, open http://<vm-public-ip>/ and sign in as admin with the password from Step 6.

Ozone Recon overview and datanodes

Step 8 — Create a volume, bucket and key with the ozone shell

Ozone organises objects as volume / bucket / key. The ozone sh command-line creates them and puts and gets keys. Run it as the ozone service user:

echo "hello ozone" | sudo -u ozone tee /tmp/demo.txt
sudo -u ozone /opt/ozone/bin/ozone sh volume create /demovol
sudo -u ozone /opt/ozone/bin/ozone sh bucket create /demovol/demobucket
sudo -u ozone /opt/ozone/bin/ozone sh key put /demovol/demobucket/demokey /tmp/demo.txt
sudo -u ozone /opt/ozone/bin/ozone sh key list /demovol/demobucket
sudo -u ozone /opt/ozone/bin/ozone sh key get /demovol/demobucket/demokey /tmp/demo-out.txt

key list shows demokey and key get writes the object back to /tmp/demo-out.txt, confirming the data plane round-trips end to end.

Ozone Recon pipelines and containers

Step 9 — Use the S3 gateway

Ozone exposes the same namespace over an S3-compatible API on the gateway (loopback 127.0.0.1:9878). From your workstation, open an SSH tunnel to the gateway and point the AWS CLI at it with the per-VM S3 credentials from Step 6:

ssh -L 9878:127.0.0.1:9878 azureuser@<vm-public-ip>

Then, in another terminal on your workstation, with OZONE_S3_ACCESS_KEY and OZONE_S3_SECRET_KEY exported as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY:

aws --endpoint http://localhost:9878 s3 ls

The S3 gateway lists the buckets that back your Ozone volumes, so existing S3 tooling works unchanged against Ozone.

Ozone Recon buckets view

Step 10 — Review datanodes, pipelines and keys in Recon

The Recon UI (Step 7) is the management console for the cluster. The Datanodes view lists the in-VM datanode, its capacity and the containers it holds; the Pipelines view shows the single write pipeline (factor ONE for a single datanode); and the Buckets / keys views list every volume, bucket and object with its size and replication.

Ozone Recon key and object listing

Confirm the Ozone version

/opt/ozone/bin/ozone version 2>/dev/null | head -3

Enabling HTTPS

For production, terminate TLS at nginx with a real domain pointed at the VM's public IP. Install certbot and request a certificate (replace the domain):

sudo apt-get update && sudo apt-get install -y certbot python3-certbot-nginx
sudo certbot --nginx -d your-domain.example.com

Backup and maintenance

All Ozone data — the OM and SCM metadata, the HDDS datanode containers and the Recon database — lives on the dedicated data disk at /var/lib/ozone. Snapshot that disk in Azure to back up your store, and keep the OS patched with sudo apt update && sudo apt upgrade. Ozone restarts cleanly with sudo systemctl restart ozone-scm ozone-om ozone-datanode ozone-recon ozone-s3g nginx. For larger datasets, resize the data disk in the Azure portal and grow the filesystem.

Support

This image is backed by 24/7 cloudimg support. Contact us by email and chat for help with volume and bucket design, the ozone shell, the S3 gateway, replication tuning, scaling, TLS and backups.

All product and company names are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.