mirror of
https://github.com/bitnami/containers.git
synced 2026-02-10 21:27:26 +08:00
[bitnami/zookeeper] Release 3.9.4-debian-12-r1 (#85823)
Signed-off-by: Bitnami Bot <bitnami.bot@broadcom.com>
This commit is contained in:
Bitnami Bot
@@ -7,7 +7,7 @@ ARG DOWNLOADS_URL="downloads.bitnami.com/files/stacksmith"
|
||||
ARG TARGETARCH
|
||||
|
||||
LABEL org.opencontainers.image.base.name="docker.io/bitnami/minideb:bookworm" \
|
||||
org.opencontainers.image.created="2025-08-29T22:37:50Z" \
|
||||
org.opencontainers.image.created="2025-09-04T09:34:59Z" \
|
||||
org.opencontainers.image.description="Application packaged by Broadcom, Inc." \
|
||||
org.opencontainers.image.documentation="https://github.com/bitnami/containers/tree/main/bitnami/zookeeper/README.md" \
|
||||
org.opencontainers.image.source="https://github.com/bitnami/containers/tree/main/bitnami/zookeeper" \
|
||||
@@ -29,7 +29,7 @@ RUN --mount=type=secret,id=downloads_url,env=SECRET_DOWNLOADS_URL \
|
||||
DOWNLOADS_URL=${SECRET_DOWNLOADS_URL:-${DOWNLOADS_URL}} ; \
|
||||
mkdir -p /tmp/bitnami/pkg/cache/ ; cd /tmp/bitnami/pkg/cache/ || exit 1 ; \
|
||||
COMPONENTS=( \
|
||||
"wait-for-port-1.0.10-0-linux-${OS_ARCH}-debian-12" \
|
||||
"wait-for-port-1.0.10-1-linux-${OS_ARCH}-debian-12" \
|
||||
"jre-11.0.28-12-0-linux-${OS_ARCH}-debian-12" \
|
||||
"zookeeper-3.9.4-0-linux-${OS_ARCH}-debian-12" \
|
||||
) ; \
|
||||
@@ -53,7 +53,7 @@ COPY rootfs /
|
||||
RUN /opt/bitnami/scripts/zookeeper/postunpack.sh
|
||||
ENV APP_VERSION="3.9.4" \
|
||||
BITNAMI_APP_NAME="zookeeper" \
|
||||
IMAGE_REVISION="0"
|
||||
IMAGE_REVISION="1"
|
||||
|
||||
EXPOSE 2181 2888 3888 8080
|
||||
|
||||
|
||||
@@ -71,10 +71,8 @@ zookeeper_validate() {
|
||||
is_boolean_yes "$ZOO_ENABLE_ADMIN_SERVER" && check_conflicting_ports ZOO_PORT_NUMBER ZOO_PROMETHEUS_METRICS_PORT_NUMBER ZOO_ADMIN_SERVER_PORT_NUMBER
|
||||
|
||||
# ZooKeeper client-server authentication validations
|
||||
if is_boolean_yes "$ALLOW_ANONYMOUS_LOGIN"; then
|
||||
warn "You have set the environment variable ALLOW_ANONYMOUS_LOGIN=${ALLOW_ANONYMOUS_LOGIN}. For safety reasons, do not use this flag in a production environment."
|
||||
elif ! is_boolean_yes "$ZOO_ENABLE_AUTH"; then
|
||||
print_validation_error "The ZOO_ENABLE_AUTH environment variable does not configure authentication. Set the environment variable ALLOW_ANONYMOUS_LOGIN=yes to allow unauthenticated users to connect to ZooKeeper."
|
||||
if is_boolean_yes "$ZOO_ENABLE_AUTH" && is_boolean_yes $ZOO_FIPS_MODE; then
|
||||
print_validation_error "The ZOO_ENABLE_AUTH environment variable configures authentication using SASL/Digest-MD5 which is incompatible with FIPS. Set the environment variable ZOO_FIPS_MODE=no to disable FIPS in ZooKeeper."
|
||||
fi
|
||||
|
||||
# ZooKeeper server-server authentication validations
|
||||
@@ -211,6 +209,7 @@ zookeeper_generate_conf() {
|
||||
zookeeper_conf_set "$ZOO_CONF_FILE" autopurge.snapRetainCount "$ZOO_AUTOPURGE_RETAIN_COUNT"
|
||||
zookeeper_conf_set "$ZOO_CONF_FILE" 4lw.commands.whitelist "$ZOO_4LW_COMMANDS_WHITELIST"
|
||||
zookeeper_conf_set "$ZOO_CONF_FILE" maxSessionTimeout "$ZOO_MAX_SESSION_TIMEOUT"
|
||||
zookeeper_export_jvmflags "-Dzookeeper.fips-mode=$(is_boolean_yes "$ZOO_FIPS_MODE" && echo true || echo false)"
|
||||
# Set log level
|
||||
if [ -f "${ZOO_CONF_DIR}/logback.xml" ]; then
|
||||
# Zookeeper 3.8+
|
||||
@@ -253,16 +252,20 @@ zookeeper_generate_conf() {
|
||||
zookeeper_conf_set "$ZOO_CONF_FILE" serverCnxnFactory org.apache.zookeeper.server.NettyServerCnxnFactory
|
||||
[[ -n "$ZOO_TLS_CLIENT_KEYSTORE_PASSWORD" ]] && zookeeper_conf_set "$ZOO_CONF_FILE" ssl.keyStore.password "$ZOO_TLS_CLIENT_KEYSTORE_PASSWORD"
|
||||
zookeeper_conf_set "$ZOO_CONF_FILE" ssl.keyStore.location "$ZOO_TLS_CLIENT_KEYSTORE_FILE"
|
||||
[[ -n "$ZOO_TLS_CLIENT_KEYSTORE_TYPE" ]] && zookeeper_conf_set "$ZOO_CONF_FILE" ssl.keyStore.type "$ZOO_TLS_CLIENT_KEYSTORE_TYPE"
|
||||
[[ -n "$ZOO_TLS_CLIENT_TRUSTSTORE_PASSWORD" ]] && zookeeper_conf_set "$ZOO_CONF_FILE" ssl.trustStore.password "$ZOO_TLS_CLIENT_TRUSTSTORE_PASSWORD"
|
||||
zookeeper_conf_set "$ZOO_CONF_FILE" ssl.trustStore.location "$ZOO_TLS_CLIENT_TRUSTSTORE_FILE"
|
||||
[[ -n "$ZOO_TLS_CLIENT_TRUSTSTORE_TYPE" ]] && zookeeper_conf_set "$ZOO_CONF_FILE" ssl.trustStore.type "$ZOO_TLS_CLIENT_TRUSTSTORE_TYPE"
|
||||
fi
|
||||
if is_boolean_yes "$ZOO_TLS_QUORUM_ENABLE"; then
|
||||
zookeeper_conf_set "$ZOO_CONF_FILE" sslQuorum true
|
||||
zookeeper_conf_set "$ZOO_CONF_FILE" ssl.quorum.clientAuth "$ZOO_TLS_QUORUM_CLIENT_AUTH"
|
||||
zookeeper_conf_set "$ZOO_CONF_FILE" serverCnxnFactory org.apache.zookeeper.server.NettyServerCnxnFactory
|
||||
zookeeper_conf_set "$ZOO_CONF_FILE" ssl.quorum.keyStore.location "$ZOO_TLS_QUORUM_KEYSTORE_FILE"
|
||||
[[ -n "$ZOO_TLS_QUORUM_KEYSTORE_TYPE" ]] && zookeeper_conf_set "$ZOO_CONF_FILE" ssl.quorum.keyStore.type "$ZOO_TLS_QUORUM_KEYSTORE_TYPE"
|
||||
[[ -n "$ZOO_TLS_QUORUM_KEYSTORE_PASSWORD" ]] && zookeeper_conf_set "$ZOO_CONF_FILE" ssl.quorum.keyStore.password "$ZOO_TLS_QUORUM_KEYSTORE_PASSWORD"
|
||||
zookeeper_conf_set "$ZOO_CONF_FILE" ssl.quorum.trustStore.location "$ZOO_TLS_QUORUM_TRUSTSTORE_FILE"
|
||||
[[ -n "$ZOO_TLS_QUORUM_TRUSTSTORE_TYPE" ]] && zookeeper_conf_set "$ZOO_CONF_FILE" ssl.quorum.trustStore.type "$ZOO_TLS_QUORUM_TRUSTSTORE_TYPE"
|
||||
[[ -n "$ZOO_TLS_QUORUM_TRUSTSTORE_PASSWORD" ]] && zookeeper_conf_set "$ZOO_CONF_FILE" ssl.quorum.trustStore.password "$ZOO_TLS_QUORUM_TRUSTSTORE_PASSWORD"
|
||||
fi
|
||||
zookeeper_configure_from_environment_variables
|
||||
|
||||
@@ -48,22 +48,26 @@ zookeeper_env_vars=(
|
||||
ZOO_PRE_ALLOC_SIZE
|
||||
ZOO_SNAPCOUNT
|
||||
ZOO_HC_TIMEOUT
|
||||
ZOO_FIPS_MODE
|
||||
ZOO_TLS_CLIENT_ENABLE
|
||||
ZOO_TLS_PORT_NUMBER
|
||||
ZOO_TLS_CLIENT_KEYSTORE_FILE
|
||||
ZOO_TLS_CLIENT_KEYSTORE_TYPE
|
||||
ZOO_TLS_CLIENT_KEYSTORE_PASSWORD
|
||||
ZOO_TLS_CLIENT_TRUSTSTORE_FILE
|
||||
ZOO_TLS_CLIENT_TRUSTSTORE_TYPE
|
||||
ZOO_TLS_CLIENT_TRUSTSTORE_PASSWORD
|
||||
ZOO_TLS_CLIENT_AUTH
|
||||
ZOO_TLS_QUORUM_ENABLE
|
||||
ZOO_TLS_QUORUM_KEYSTORE_FILE
|
||||
ZOO_TLS_QUORUM_KEYSTORE_TYPE
|
||||
ZOO_TLS_QUORUM_KEYSTORE_PASSWORD
|
||||
ZOO_TLS_QUORUM_TRUSTSTORE_FILE
|
||||
ZOO_TLS_QUORUM_TRUSTSTORE_TYPE
|
||||
ZOO_TLS_QUORUM_TRUSTSTORE_PASSWORD
|
||||
ZOO_TLS_QUORUM_CLIENT_AUTH
|
||||
JVMFLAGS
|
||||
ZOO_HEAP_SIZE
|
||||
ALLOW_ANONYMOUS_LOGIN
|
||||
ZOO_ENABLE_AUTH
|
||||
ZOO_CLIENT_USER
|
||||
ZOO_SERVER_USERS
|
||||
@@ -131,19 +135,24 @@ export ZOO_MAX_SESSION_TIMEOUT="${ZOO_MAX_SESSION_TIMEOUT:-40000}"
|
||||
export ZOO_PRE_ALLOC_SIZE="${ZOO_PRE_ALLOC_SIZE:-65536}"
|
||||
export ZOO_SNAPCOUNT="${ZOO_SNAPCOUNT:-100000}"
|
||||
export ZOO_HC_TIMEOUT="${ZOO_HC_TIMEOUT:-5}"
|
||||
export ZOO_FIPS_MODE="${ZOO_FIPS_MODE:-yes}"
|
||||
|
||||
# ZooKeeper TLS settings
|
||||
export ZOO_TLS_CLIENT_ENABLE="${ZOO_TLS_CLIENT_ENABLE:-false}"
|
||||
export ZOO_TLS_PORT_NUMBER="${ZOO_TLS_PORT_NUMBER:-3181}"
|
||||
export ZOO_TLS_CLIENT_KEYSTORE_FILE="${ZOO_TLS_CLIENT_KEYSTORE_FILE:-}"
|
||||
export ZOO_TLS_CLIENT_KEYSTORE_TYPE="${ZOO_TLS_CLIENT_KEYSTORE_TYPE:-}"
|
||||
export ZOO_TLS_CLIENT_KEYSTORE_PASSWORD="${ZOO_TLS_CLIENT_KEYSTORE_PASSWORD:-}"
|
||||
export ZOO_TLS_CLIENT_TRUSTSTORE_FILE="${ZOO_TLS_CLIENT_TRUSTSTORE_FILE:-}"
|
||||
export ZOO_TLS_CLIENT_TRUSTSTORE_TYPE="${ZOO_TLS_CLIENT_TRUSTSTORE_TYPE:-}"
|
||||
export ZOO_TLS_CLIENT_TRUSTSTORE_PASSWORD="${ZOO_TLS_CLIENT_TRUSTSTORE_PASSWORD:-}"
|
||||
export ZOO_TLS_CLIENT_AUTH="${ZOO_TLS_CLIENT_AUTH:-need}"
|
||||
export ZOO_TLS_QUORUM_ENABLE="${ZOO_TLS_QUORUM_ENABLE:-false}"
|
||||
export ZOO_TLS_QUORUM_KEYSTORE_FILE="${ZOO_TLS_QUORUM_KEYSTORE_FILE:-}"
|
||||
export ZOO_TLS_QUORUM_KEYSTORE_TYPE="${ZOO_TLS_QUORUM_KEYSTORE_TYPE:-}"
|
||||
export ZOO_TLS_QUORUM_KEYSTORE_PASSWORD="${ZOO_TLS_QUORUM_KEYSTORE_PASSWORD:-}"
|
||||
export ZOO_TLS_QUORUM_TRUSTSTORE_FILE="${ZOO_TLS_QUORUM_TRUSTSTORE_FILE:-}"
|
||||
export ZOO_TLS_QUORUM_TRUSTSTORE_TYPE="${ZOO_TLS_QUORUM_TRUSTSTORE_TYPE:-}"
|
||||
export ZOO_TLS_QUORUM_TRUSTSTORE_PASSWORD="${ZOO_TLS_QUORUM_TRUSTSTORE_PASSWORD:-}"
|
||||
export ZOO_TLS_QUORUM_CLIENT_AUTH="${ZOO_TLS_QUORUM_CLIENT_AUTH:-need}"
|
||||
|
||||
@@ -152,7 +161,6 @@ export JVMFLAGS="${JVMFLAGS:-}"
|
||||
export ZOO_HEAP_SIZE="${ZOO_HEAP_SIZE:-1024}"
|
||||
|
||||
# Client-server authentication
|
||||
export ALLOW_ANONYMOUS_LOGIN="${ALLOW_ANONYMOUS_LOGIN:-no}"
|
||||
export ZOO_ENABLE_AUTH="${ZOO_ENABLE_AUTH:-no}"
|
||||
export ZOO_CLIENT_USER="${ZOO_CLIENT_USER:-}"
|
||||
export ZOO_SERVER_USERS="${ZOO_SERVER_USERS:-}"
|
||||
|
||||
@@ -201,22 +201,26 @@ docker-compose up -d
|
||||
| `ZOO_PRE_ALLOC_SIZE` | Block size for transaction log file. | `65536` |
|
||||
| `ZOO_SNAPCOUNT` | The number of transactions recorded in the transaction log before a snapshot can be taken (and the transaction log rolled). | `100000` |
|
||||
| `ZOO_HC_TIMEOUT` | Timeout for the Zookeeper healthcheck script (in seconds). | `5` |
|
||||
| `ZOO_FIPS_MODE` | Enable FIPS compatibility mode in ZooKeeper | `yes` |
|
||||
| `ZOO_TLS_CLIENT_ENABLE` | Enable TLS for client communication. | `false` |
|
||||
| `ZOO_TLS_PORT_NUMBER` | Zookeeper TLS port. | `3181` |
|
||||
| `ZOO_TLS_CLIENT_KEYSTORE_FILE` | KeyStore file. | `nil` |
|
||||
| `ZOO_TLS_CLIENT_KEYSTORE_TYPE` | KeyStore file type. | `nil` |
|
||||
| `ZOO_TLS_CLIENT_KEYSTORE_PASSWORD` | KeyStore file password. | `nil` |
|
||||
| `ZOO_TLS_CLIENT_TRUSTSTORE_FILE` | TrustStore file. | `nil` |
|
||||
| `ZOO_TLS_CLIENT_TRUSTSTORE_TYPE` | TrustStore file type. | `nil` |
|
||||
| `ZOO_TLS_CLIENT_TRUSTSTORE_PASSWORD` | TrustStore file password. | `nil` |
|
||||
| `ZOO_TLS_CLIENT_AUTH` | Specifies options to authenticate TLS connections from clients. Available values are: `none`, `want`, `need`. | `need` |
|
||||
| `ZOO_TLS_QUORUM_ENABLE` | Enable TLS for quorum communication. | `false` |
|
||||
| `ZOO_TLS_QUORUM_KEYSTORE_FILE` | KeyStore file. | `nil` |
|
||||
| `ZOO_TLS_QUORUM_KEYSTORE_TYPE` | KeyStore file type. | `nil` |
|
||||
| `ZOO_TLS_QUORUM_KEYSTORE_PASSWORD` | KeyStore file password. | `nil` |
|
||||
| `ZOO_TLS_QUORUM_TRUSTSTORE_FILE` | TrustStore file. | `nil` |
|
||||
| `ZOO_TLS_QUORUM_TRUSTSTORE_TYPE` | TrustStore file type. | `nil` |
|
||||
| `ZOO_TLS_QUORUM_TRUSTSTORE_PASSWORD` | TrustStore file password. | `nil` |
|
||||
| `ZOO_TLS_QUORUM_CLIENT_AUTH` | Specifies options to authenticate TLS connections from clients. Available values are: `none`, `want`, `need`. | `need` |
|
||||
| `JVMFLAGS` | Default JVMFLAGS for the ZooKeeper process. | `nil` |
|
||||
| `ZOO_HEAP_SIZE` | Size in MB for the Java Heap options (Xmx and XMs). This env var is ignored if Xmx an Xms are configured via `JVMFLAGS`. | `1024` |
|
||||
| `ALLOW_ANONYMOUS_LOGIN` | If set to true, Allow to accept connections from unauthenticated users | `no` |
|
||||
| `ZOO_ENABLE_AUTH` | Enable ZooKeeper auth. It uses SASL/Digest-MD5. | `no` |
|
||||
| `ZOO_CLIENT_USER` | User that will use ZooKeeper clients to auth. | `nil` |
|
||||
| `ZOO_SERVER_USERS` | Comma, semicolon or whitespace separated list of user to be created. | `nil` |
|
||||
@@ -326,12 +330,17 @@ be able to login.
|
||||
> Note: Authentication is enabled using the CLI tool `zkCli.sh`. Therefore, it's necessary to set
|
||||
`ZOO_CLIENT_USER` and `ZOO_CLIENT_PASSWORD` environment variables too.
|
||||
|
||||
As SASL/Digest-MD5 is not compatible with FIPS, it's mandatory to disable "fips-mode" in Apache ZooKeeper.
|
||||
|
||||
> Note: If fips-mode is required in your environment, you should deploy Apache ZooKeeper using a different auth mechanism like TLS.
|
||||
|
||||
```console
|
||||
docker run -it -e ZOO_ENABLE_AUTH=yes \
|
||||
-e ZOO_SERVER_USERS=user1,user2 \
|
||||
-e ZOO_SERVER_PASSWORDS=pass4user1,pass4user2 \
|
||||
-e ZOO_CLIENT_USER=user1 \
|
||||
-e ZOO_CLIENT_PASSWORD=pass4user1 \
|
||||
-e ZOO_FIPS_MODE=no \
|
||||
bitnami/zookeeper
|
||||
```
|
||||
|
||||
@@ -347,9 +356,22 @@ services:
|
||||
- ZOO_SERVER_PASSWORDS=pass4user1,pass4user2
|
||||
- ZOO_CLIENT_USER=user1
|
||||
- ZOO_CLIENT_PASSWORD=pass4user1
|
||||
- ZOO_FIPS_MODE=no
|
||||
...
|
||||
```
|
||||
|
||||
### Start Apache ZooKeeper with TLS
|
||||
|
||||
```console
|
||||
docker run --name zookeeper \
|
||||
-v /path/to/zookeeper.keystore.jks:/bitnami/zookeeper/certs/zookeeper.keystore.jks:ro
|
||||
-v /path/to/zookeeper.truststore.jks:/bitnami/zookeeper/certs/zookeeper.truststore.jks:ro
|
||||
-e ZOO_TLS_CLIENT_ENABLE=yes \
|
||||
-e ZOO_TLS_CLIENT_KEYSTORE_FILE=/bitnami/zookeeper/certs/zookeeper.keystore.jks \
|
||||
-e ZOO_TLS_CLIENT_TRUSTSTORE_FILE=/bitnami/zookeeper/certs/zookeeper.truststore.jks \
|
||||
bitnami/zookeeper:latest
|
||||
```
|
||||
|
||||
### Setting up an Apache ZooKeeper ensemble
|
||||
|
||||
An Apache ZooKeeper (<https://zookeeper.apache.org/doc/r3.1.2/zookeeperAdmin.html>) cluster can easily be setup with the Bitnami Apache ZooKeeper Docker image using the following environment variables:
|
||||
@@ -460,19 +482,6 @@ services:
|
||||
- ZOO_SERVERS=zookeeper1:2888:3888,zookeeper2:2888:3888,0.0.0.0:2888:3888
|
||||
```
|
||||
|
||||
### Start Apache ZooKeeper with TLS
|
||||
|
||||
```console
|
||||
docker run --name zookeeper \
|
||||
-v /path/to/domain.key:/bitnami/zookeeper/certs/domain.key:ro
|
||||
-v /path/to/domain.crs:/bitnami/zookeeper/certs/domain.crs:ro
|
||||
-e ALLOW_EMPTY_PASSWORD=yes \
|
||||
-e ZOO_TLS_CLIENT_ENABLE=yes \
|
||||
-e ZOO_TLS_CLIENT_KEYSTORE_FILE=/bitnami/zookeeper/certs/domain.key\
|
||||
-e ZOO_TLS_CLIENT_TRUSTSTORE_FILE=/bitnami/zookeeper/certs/domain.crs\
|
||||
bitnami/zookeeper:latest
|
||||
```
|
||||
|
||||
## Logging
|
||||
|
||||
The Bitnami Apache ZooKeeper Docker image sends the container logs to the `stdout`. To view the logs:
|
||||
|
||||
Reference in New Issue
Block a user