Troubleshoot cluster creation failures with Azure HDInsight

The following issues are the most common root causes of cluster creation failures:

  • Permission issues
  • Resource policy restrictions
  • Firewalls
  • Resource locks
  • Unsupported component versions
  • Storage account name restrictions
  • Service outages

Permissions issues

If you are using Azure Data Lake Storage Gen2 and receive the error AmbariClusterCreationFailedErrorCode: "Internal server error occurred while processing the request. Please retry the request or contact support.", open the Azure portal, go to your Storage account, and under Access Control (IAM), ensure that the Storage Blob Data Contributor or the Storage Blob Data Owner role has Assigned access to the User assigned managed identity for the subscription. See Set up permissions for the managed identity on the Data Lake Storage Gen2 for detailed instructions.

If using Azure Storage, ensure that the storage account name is valid during cluster creation.

Resource policy restrictions

Subscription-based Azure policies can deny the creation of public IP addresses. HDInsight cluster creation requires two public IPs.

In general, the following policies can impact cluster creation:

  • Policies preventing creation of IP addresses and load balancers within the subscription.
  • Policies preventing creation of storage accounts.
  • Policies preventing deletion of networking resources (IP addresses/load balancers).

Firewalls

Firewalls on your virtual network or storage account can deny communication with HDInsight management IP addresses.

Allow traffic from the IP addresses in the table below.

Source IP address    Destination    Direction
168.61.49.99         *:443          Inbound
23.99.5.239          *:443          Inbound
168.61.48.131        *:443          Inbound
138.91.141.162       *:443          Inbound

Also add the IP addresses specific to the region where the cluster is created. See HDInsight management IP addresses for a listing of the addresses for each Azure region.

If you are using ExpressRoute or your own custom DNS server, see Plan a virtual network for Azure HDInsight - connecting multiple networks.
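
The following added example (not part of the original article) checks an exported network security group rule set against the four management IPs in the table above, evaluating rules in priority order the way an NSG does. The sample rules are constructed and the field names are assumed to match the JSON printed by `az network nsg rule list -o json`; service tags are not resolved, and region-specific addresses must be added to `MGMT_IPS` separately.

```python
import ipaddress

# The four HDInsight management IPs from the table above.
MGMT_IPS = ["168.61.49.99", "23.99.5.239", "168.61.48.131", "138.91.141.162"]

# Constructed sample rules; field names are assumed to match the JSON
# printed by `az network nsg rule list -o json`.
SAMPLE_RULES = [
    {"name": "allow-hdi-mgmt", "priority": 300, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "destinationPortRange": "443",
     "sourceAddressPrefixes": ["168.61.49.99", "23.99.5.239", "168.61.48.0/24"]},
    {"name": "deny-all-inbound", "priority": 4000, "direction": "Inbound",
     "access": "Deny", "protocol": "*", "destinationPortRange": "*",
     "sourceAddressPrefix": "*"},
]

def _values(rule, single, plural):
    first = rule.get(single)
    return ([first] if first else []) + list(rule.get(plural) or [])

def _src_match(rule, ip):
    for prefix in _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes"):
        try:
            if prefix == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False):
                return True
        except ValueError:
            continue  # service tag (e.g. "Internet"): cannot be resolved offline
    return False

def _port_match(rule, port):
    for rng in _values(rule, "destinationPortRange", "destinationPortRanges"):
        lo, _, hi = rng.partition("-")
        if rng == "*" or int(lo) <= port <= int(hi or lo):
            return True
    return False

def blocked_management_ips(rules, port=443):
    """Map each management IP the rules do not admit to the deciding rule.
    None means no custom rule matched, so the NSG default inbound deny applies."""
    inbound = sorted((r for r in rules if r["direction"] == "Inbound"
                      and r["protocol"].lower() in ("tcp", "*")), key=lambda r: r["priority"])
    blocked = {}
    for ip in MGMT_IPS:
        hit = next((r for r in inbound if _src_match(r, ip) and _port_match(r, port)), None)
        if hit is None or hit["access"] != "Allow":
            blocked[ip] = hit["name"] if hit else None
    return blocked
```

With the constructed sample, `blocked_management_ips(SAMPLE_RULES)` reports that 138.91.141.162 is stopped by `deny-all-inbound`, because the allow rule covers only three of the four addresses.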

Resource locks

Ensure that there are no locks on your virtual network and resource group. Clusters cannot be created or deleted if the resource group is locked.

Unsupported component versions

Ensure that you are using a supported version of Azure HDInsight and any Apache Hadoop components in your solution.

Storage account name restrictions

Storage account names cannot be more than 24 characters and cannot contain special characters. These restrictions also apply to the default container name in the storage account.

Other naming restrictions also apply for cluster creation. See Cluster name restrictions for more information.

Service outages

Check Azure status for any potential outages or service issues.

Next steps