From 81010b9948e635ff41e861cad0462be44d06295c Mon Sep 17 00:00:00 2001
From: Bitnami Bot
Date: Thu, 4 Sep 2025 11:46:14 +0200
Subject: [PATCH] [bitnami/zookeeper] Release 3.9.4-debian-12-r1 (#85823)
Signed-off-by: Bitnami Bot
---
 bitnami/zookeeper/3.9/debian-12/Dockerfile | 6 +--
 .../opt/bitnami/scripts/libzookeeper.sh | 11 ++++--
 .../opt/bitnami/scripts/zookeeper-env.sh | 12 +++++-
 bitnami/zookeeper/README.md | 37 ++++++++++++-------
 4 files changed, 43 insertions(+), 23 deletions(-)
diff --git a/bitnami/zookeeper/3.9/debian-12/Dockerfile b/bitnami/zookeeper/3.9/debian-12/Dockerfile
index be86aba91205..a447eacbf264 100644
--- a/bitnami/zookeeper/3.9/debian-12/Dockerfile
+++ b/bitnami/zookeeper/3.9/debian-12/Dockerfile
@@ -7,7 +7,7 @@ ARG DOWNLOADS_URL="downloads.bitnami.com/files/stacksmith"
 ARG TARGETARCH
 LABEL org.opencontainers.image.base.name="docker.io/bitnami/minideb:bookworm" \
- org.opencontainers.image.created="2025-08-29T22:37:50Z" \
+ org.opencontainers.image.created="2025-09-04T09:34:59Z" \
 org.opencontainers.image.description="Application packaged by Broadcom, Inc." \
 org.opencontainers.image.documentation="https://github.com/bitnami/containers/tree/main/bitnami/zookeeper/README.md" \
 org.opencontainers.image.source="https://github.com/bitnami/containers/tree/main/bitnami/zookeeper" \
@@ -29,7 +29,7 @@ RUN --mount=type=secret,id=downloads_url,env=SECRET_DOWNLOADS_URL \
 DOWNLOADS_URL=${SECRET_DOWNLOADS_URL:-${DOWNLOADS_URL}} ; \
 mkdir -p /tmp/bitnami/pkg/cache/ ; cd /tmp/bitnami/pkg/cache/ || exit 1 ; \
 COMPONENTS=( \
- "wait-for-port-1.0.10-0-linux-${OS_ARCH}-debian-12" \
+ "wait-for-port-1.0.10-1-linux-${OS_ARCH}-debian-12" \
 "jre-11.0.28-12-0-linux-${OS_ARCH}-debian-12" \
 "zookeeper-3.9.4-0-linux-${OS_ARCH}-debian-12" \
 ) ; \
@@ -53,7 +53,7 @@ COPY rootfs /
 RUN /opt/bitnami/scripts/zookeeper/postunpack.sh
 ENV APP_VERSION="3.9.4" \
 BITNAMI_APP_NAME="zookeeper" \
- IMAGE_REVISION="0"
+ IMAGE_REVISION="1"
 EXPOSE 2181 2888 3888 8080
diff --git a/bitnami/zookeeper/3.9/debian-12/rootfs/opt/bitnami/scripts/libzookeeper.sh b/bitnami/zookeeper/3.9/debian-12/rootfs/opt/bitnami/scripts/libzookeeper.sh
index 51a2f1c347fd..f2caf03a0bab 100644
--- a/bitnami/zookeeper/3.9/debian-12/rootfs/opt/bitnami/scripts/libzookeeper.sh
+++ b/bitnami/zookeeper/3.9/debian-12/rootfs/opt/bitnami/scripts/libzookeeper.sh
@@ -71,10 +71,8 @@ zookeeper_validate() {
 is_boolean_yes "$ZOO_ENABLE_ADMIN_SERVER" && check_conflicting_ports ZOO_PORT_NUMBER ZOO_PROMETHEUS_METRICS_PORT_NUMBER ZOO_ADMIN_SERVER_PORT_NUMBER
 # ZooKeeper client-server authentication validations
- if is_boolean_yes "$ALLOW_ANONYMOUS_LOGIN"; then
- warn "You have set the environment variable ALLOW_ANONYMOUS_LOGIN=${ALLOW_ANONYMOUS_LOGIN}. For safety reasons, do not use this flag in a production environment."
- elif ! is_boolean_yes "$ZOO_ENABLE_AUTH"; then
- print_validation_error "The ZOO_ENABLE_AUTH environment variable does not configure authentication. Set the environment variable ALLOW_ANONYMOUS_LOGIN=yes to allow unauthenticated users to connect to ZooKeeper."
+ if is_boolean_yes "$ZOO_ENABLE_AUTH" && is_boolean_yes $ZOO_FIPS_MODE; then
+ print_validation_error "The ZOO_ENABLE_AUTH environment variable configures authentication using SASL/Digest-MD5 which is incompatible with FIPS. Set the environment variable ZOO_FIPS_MODE=no to disable FIPS in ZooKeeper."
 fi
 # ZooKeeper server-server authentication validations
@@ -211,6 +209,7 @@ zookeeper_generate_conf() {
 zookeeper_conf_set "$ZOO_CONF_FILE" autopurge.snapRetainCount "$ZOO_AUTOPURGE_RETAIN_COUNT"
 zookeeper_conf_set "$ZOO_CONF_FILE" 4lw.commands.whitelist "$ZOO_4LW_COMMANDS_WHITELIST"
 zookeeper_conf_set "$ZOO_CONF_FILE" maxSessionTimeout "$ZOO_MAX_SESSION_TIMEOUT"
+ zookeeper_export_jvmflags "-Dzookeeper.fips-mode=$(is_boolean_yes "$ZOO_FIPS_MODE" && echo true || echo false)"
 # Set log level
 if [ -f "${ZOO_CONF_DIR}/logback.xml" ]; then
 # Zookeeper 3.8+
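Review bot: In the new FIPS/auth check, `is_boolean_yes $ZOO_FIPS_MODE` leaves the expansion unquoted, unlike `"$ZOO_ENABLE_AUTH"` on the same line and `"$ZOO_FIPS_MODE"` in the jvmflags line of the next hunk; an empty value would call the helper with no argument at all, so quote it: `if is_boolean_yes "$ZOO_ENABLE_AUTH" && is_boolean_yes "$ZOO_FIPS_MODE"; then`. Separately, with the ALLOW_ANONYMOUS_LOGIN branch gone there is no longer any log line when ZOO_ENABLE_AUTH is off (its default in zookeeper-env.sh), so an unauthenticated client listener becomes the silent default rather than an explicit, visible choice; keeping a non-fatal `elif ! is_boolean_yes "$ZOO_ENABLE_AUTH"; then warn "ZOO_ENABLE_AUTH is not enabled: clients can connect to ZooKeeper without authentication."` preserves that visibility without reintroducing the removed variable. zookeeper_validate starts before and ends after this hunk.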
@@ -253,16 +252,20 @@ zookeeper_generate_conf() {
 zookeeper_conf_set "$ZOO_CONF_FILE" serverCnxnFactory org.apache.zookeeper.server.NettyServerCnxnFactory
 [[ -n "$ZOO_TLS_CLIENT_KEYSTORE_PASSWORD" ]] && zookeeper_conf_set "$ZOO_CONF_FILE" ssl.keyStore.password "$ZOO_TLS_CLIENT_KEYSTORE_PASSWORD"
 zookeeper_conf_set "$ZOO_CONF_FILE" ssl.keyStore.location "$ZOO_TLS_CLIENT_KEYSTORE_FILE"
+ [[ -n "$ZOO_TLS_CLIENT_KEYSTORE_TYPE" ]] && zookeeper_conf_set "$ZOO_CONF_FILE" ssl.keyStore.type "$ZOO_TLS_CLIENT_KEYSTORE_TYPE"
 [[ -n "$ZOO_TLS_CLIENT_TRUSTSTORE_PASSWORD" ]] && zookeeper_conf_set "$ZOO_CONF_FILE" ssl.trustStore.password "$ZOO_TLS_CLIENT_TRUSTSTORE_PASSWORD"
 zookeeper_conf_set "$ZOO_CONF_FILE" ssl.trustStore.location "$ZOO_TLS_CLIENT_TRUSTSTORE_FILE"
+ [[ -n "$ZOO_TLS_CLIENT_TRUSTSTORE_TYPE" ]] && zookeeper_conf_set "$ZOO_CONF_FILE" ssl.trustStore.type "$ZOO_TLS_CLIENT_TRUSTSTORE_TYPE"
 fi
 if is_boolean_yes "$ZOO_TLS_QUORUM_ENABLE"; then
 zookeeper_conf_set "$ZOO_CONF_FILE" sslQuorum true
 zookeeper_conf_set "$ZOO_CONF_FILE" ssl.quorum.clientAuth "$ZOO_TLS_QUORUM_CLIENT_AUTH"
 zookeeper_conf_set "$ZOO_CONF_FILE" serverCnxnFactory org.apache.zookeeper.server.NettyServerCnxnFactory
 zookeeper_conf_set "$ZOO_CONF_FILE" ssl.quorum.keyStore.location "$ZOO_TLS_QUORUM_KEYSTORE_FILE"
+ [[ -n "$ZOO_TLS_QUORUM_KEYSTORE_TYPE" ]] && zookeeper_conf_set "$ZOO_CONF_FILE" ssl.quorum.keyStore.type "$ZOO_TLS_QUORUM_KEYSTORE_TYPE"
 [[ -n "$ZOO_TLS_QUORUM_KEYSTORE_PASSWORD" ]] && zookeeper_conf_set "$ZOO_CONF_FILE" ssl.quorum.keyStore.password "$ZOO_TLS_QUORUM_KEYSTORE_PASSWORD"
 zookeeper_conf_set "$ZOO_CONF_FILE" ssl.quorum.trustStore.location "$ZOO_TLS_QUORUM_TRUSTSTORE_FILE"
+ [[ -n "$ZOO_TLS_QUORUM_TRUSTSTORE_TYPE" ]] && zookeeper_conf_set "$ZOO_CONF_FILE" ssl.quorum.trustStore.type "$ZOO_TLS_QUORUM_TRUSTSTORE_TYPE"
 [[ -n "$ZOO_TLS_QUORUM_TRUSTSTORE_PASSWORD" ]] && zookeeper_conf_set "$ZOO_CONF_FILE" ssl.quorum.trustStore.password "$ZOO_TLS_QUORUM_TRUSTSTORE_PASSWORD"
 fi
 zookeeper_configure_from_environment_variables
diff --git a/bitnami/zookeeper/3.9/debian-12/rootfs/opt/bitnami/scripts/zookeeper-env.sh b/bitnami/zookeeper/3.9/debian-12/rootfs/opt/bitnami/scripts/zookeeper-env.sh
index 41ee3a073200..d4344ed4e03b 100644
--- a/bitnami/zookeeper/3.9/debian-12/rootfs/opt/bitnami/scripts/zookeeper-env.sh
+++ b/bitnami/zookeeper/3.9/debian-12/rootfs/opt/bitnami/scripts/zookeeper-env.sh
@@ -48,22 +48,26 @@ zookeeper_env_vars=(
 ZOO_PRE_ALLOC_SIZE
 ZOO_SNAPCOUNT
 ZOO_HC_TIMEOUT
+ ZOO_FIPS_MODE
 ZOO_TLS_CLIENT_ENABLE
 ZOO_TLS_PORT_NUMBER
 ZOO_TLS_CLIENT_KEYSTORE_FILE
+ ZOO_TLS_CLIENT_KEYSTORE_TYPE
 ZOO_TLS_CLIENT_KEYSTORE_PASSWORD
 ZOO_TLS_CLIENT_TRUSTSTORE_FILE
+ ZOO_TLS_CLIENT_TRUSTSTORE_TYPE
 ZOO_TLS_CLIENT_TRUSTSTORE_PASSWORD
 ZOO_TLS_CLIENT_AUTH
 ZOO_TLS_QUORUM_ENABLE
 ZOO_TLS_QUORUM_KEYSTORE_FILE
+ ZOO_TLS_QUORUM_KEYSTORE_TYPE
 ZOO_TLS_QUORUM_KEYSTORE_PASSWORD
 ZOO_TLS_QUORUM_TRUSTSTORE_FILE
+ ZOO_TLS_QUORUM_TRUSTSTORE_TYPE
 ZOO_TLS_QUORUM_TRUSTSTORE_PASSWORD
 ZOO_TLS_QUORUM_CLIENT_AUTH
 JVMFLAGS
 ZOO_HEAP_SIZE
- ALLOW_ANONYMOUS_LOGIN
 ZOO_ENABLE_AUTH
 ZOO_CLIENT_USER
 ZOO_SERVER_USERS
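Review bot: The four new `ssl.*.type` lines in the TLS hunk write `ZOO_TLS_*_TYPE` straight into the config file, and nothing in zookeeper_validate (the validation hunk earlier in this patch adds no case for them) checks the values, so a misspelled store type only surfaces as a keystore load failure when the JVM starts instead of a validation error that names the variable. A check in the style of the existing ones, e.g. `[[ -z "$ZOO_TLS_CLIENT_KEYSTORE_TYPE" ]] || check_multi_value ZOO_TLS_CLIENT_KEYSTORE_TYPE "<store types accepted by this ZooKeeper release>"`, repeated for the other three variables, would catch that at validation time. The README rows added for these variables say only "KeyStore file type"; listing the accepted values there too would save operators a round trip to the ZooKeeper admin guide. zookeeper_generate_conf starts before this hunk, and the call to zookeeper_configure_from_environment_variables on its last line is the only tail of it that is visible here.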
@@ -131,19 +135,24 @@ export ZOO_MAX_SESSION_TIMEOUT="${ZOO_MAX_SESSION_TIMEOUT:-40000}"
 export ZOO_PRE_ALLOC_SIZE="${ZOO_PRE_ALLOC_SIZE:-65536}"
 export ZOO_SNAPCOUNT="${ZOO_SNAPCOUNT:-100000}"
 export ZOO_HC_TIMEOUT="${ZOO_HC_TIMEOUT:-5}"
+export ZOO_FIPS_MODE="${ZOO_FIPS_MODE:-yes}"
 # ZooKeeper TLS settings
 export ZOO_TLS_CLIENT_ENABLE="${ZOO_TLS_CLIENT_ENABLE:-false}"
 export ZOO_TLS_PORT_NUMBER="${ZOO_TLS_PORT_NUMBER:-3181}"
 export ZOO_TLS_CLIENT_KEYSTORE_FILE="${ZOO_TLS_CLIENT_KEYSTORE_FILE:-}"
+export ZOO_TLS_CLIENT_KEYSTORE_TYPE="${ZOO_TLS_CLIENT_KEYSTORE_TYPE:-}"
 export ZOO_TLS_CLIENT_KEYSTORE_PASSWORD="${ZOO_TLS_CLIENT_KEYSTORE_PASSWORD:-}"
 export ZOO_TLS_CLIENT_TRUSTSTORE_FILE="${ZOO_TLS_CLIENT_TRUSTSTORE_FILE:-}"
+export ZOO_TLS_CLIENT_TRUSTSTORE_TYPE="${ZOO_TLS_CLIENT_TRUSTSTORE_TYPE:-}"
 export ZOO_TLS_CLIENT_TRUSTSTORE_PASSWORD="${ZOO_TLS_CLIENT_TRUSTSTORE_PASSWORD:-}"
 export ZOO_TLS_CLIENT_AUTH="${ZOO_TLS_CLIENT_AUTH:-need}"
 export ZOO_TLS_QUORUM_ENABLE="${ZOO_TLS_QUORUM_ENABLE:-false}"
 export ZOO_TLS_QUORUM_KEYSTORE_FILE="${ZOO_TLS_QUORUM_KEYSTORE_FILE:-}"
+export ZOO_TLS_QUORUM_KEYSTORE_TYPE="${ZOO_TLS_QUORUM_KEYSTORE_TYPE:-}"
 export ZOO_TLS_QUORUM_KEYSTORE_PASSWORD="${ZOO_TLS_QUORUM_KEYSTORE_PASSWORD:-}"
 export ZOO_TLS_QUORUM_TRUSTSTORE_FILE="${ZOO_TLS_QUORUM_TRUSTSTORE_FILE:-}"
+export ZOO_TLS_QUORUM_TRUSTSTORE_TYPE="${ZOO_TLS_QUORUM_TRUSTSTORE_TYPE:-}"
 export ZOO_TLS_QUORUM_TRUSTSTORE_PASSWORD="${ZOO_TLS_QUORUM_TRUSTSTORE_PASSWORD:-}"
 export ZOO_TLS_QUORUM_CLIENT_AUTH="${ZOO_TLS_QUORUM_CLIENT_AUTH:-need}"
@@ -152,7 +161,6 @@ export JVMFLAGS="${JVMFLAGS:-}"
 export ZOO_HEAP_SIZE="${ZOO_HEAP_SIZE:-1024}"
 # Client-server authentication
-export ALLOW_ANONYMOUS_LOGIN="${ALLOW_ANONYMOUS_LOGIN:-no}"
 export ZOO_ENABLE_AUTH="${ZOO_ENABLE_AUTH:-no}"
 export ZOO_CLIENT_USER="${ZOO_CLIENT_USER:-}"
 export ZOO_SERVER_USERS="${ZOO_SERVER_USERS:-}"
diff --git a/bitnami/zookeeper/README.md b/bitnami/zookeeper/README.md
index ab5dc18f0959..fa137f0c71ae 100644
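Review bot: `export ZOO_FIPS_MODE="${ZOO_FIPS_MODE:-yes}"` in the first hunk turns FIPS mode on for every deployment by default, and the validation added to libzookeeper.sh in this same patch rejects `ZOO_ENABLE_AUTH=yes` while it is on, so any existing deployment using SASL/Digest-MD5 auth stops starting at this image revision until `ZOO_FIPS_MODE=no` is added to its environment. That is a compatibility break carried by a commit titled as a routine release bump, and the README row for the variable says only "Enable FIPS compatibility mode in ZooKeeper". At minimum the README entry should state that the default is `yes`, that it is passed to the JVM as `-Dzookeeper.fips-mode=true` (as the libzookeeper.sh hunk shows), and that it is mutually exclusive with ZOO_ENABLE_AUTH; a changelog or upgrade note pointing at the new validation error would spare operators a failed rollout. If I read the intent correctly, the alternative of defaulting to `no` only when ZOO_ENABLE_AUTH is set would need ZOO_ENABLE_AUTH exported before this line, which the second hunk shows is not the current order in this file.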
--- a/bitnami/zookeeper/README.md
+++ b/bitnami/zookeeper/README.md
@@ -201,22 +201,26 @@ docker-compose up -d
 | `ZOO_PRE_ALLOC_SIZE` | Block size for transaction log file. | `65536` |
 | `ZOO_SNAPCOUNT` | The number of transactions recorded in the transaction log before a snapshot can be taken (and the transaction log rolled). | `100000` |
 | `ZOO_HC_TIMEOUT` | Timeout for the Zookeeper healthcheck script (in seconds). | `5` |
+| `ZOO_FIPS_MODE` | Enable FIPS compatibility mode in ZooKeeper | `yes` |
 | `ZOO_TLS_CLIENT_ENABLE` | Enable TLS for client communication. | `false` |
 | `ZOO_TLS_PORT_NUMBER` | Zookeeper TLS port. | `3181` |
 | `ZOO_TLS_CLIENT_KEYSTORE_FILE` | KeyStore file. | `nil` |
+| `ZOO_TLS_CLIENT_KEYSTORE_TYPE` | KeyStore file type. | `nil` |
 | `ZOO_TLS_CLIENT_KEYSTORE_PASSWORD` | KeyStore file password. | `nil` |
 | `ZOO_TLS_CLIENT_TRUSTSTORE_FILE` | TrustStore file. | `nil` |
+| `ZOO_TLS_CLIENT_TRUSTSTORE_TYPE` | TrustStore file type. | `nil` |
 | `ZOO_TLS_CLIENT_TRUSTSTORE_PASSWORD` | TrustStore file password. | `nil` |
 | `ZOO_TLS_CLIENT_AUTH` | Specifies options to authenticate TLS connections from clients. Available values are: `none`, `want`, `need`. | `need` |
 | `ZOO_TLS_QUORUM_ENABLE` | Enable TLS for quorum communication. | `false` |
 | `ZOO_TLS_QUORUM_KEYSTORE_FILE` | KeyStore file. | `nil` |
+| `ZOO_TLS_QUORUM_KEYSTORE_TYPE` | KeyStore file type. | `nil` |
 | `ZOO_TLS_QUORUM_KEYSTORE_PASSWORD` | KeyStore file password. | `nil` |
 | `ZOO_TLS_QUORUM_TRUSTSTORE_FILE` | TrustStore file. | `nil` |
+| `ZOO_TLS_QUORUM_TRUSTSTORE_TYPE` | TrustStore file type. | `nil` |
 | `ZOO_TLS_QUORUM_TRUSTSTORE_PASSWORD` | TrustStore file password. | `nil` |
 | `ZOO_TLS_QUORUM_CLIENT_AUTH` | Specifies options to authenticate TLS connections from clients. Available values are: `none`, `want`, `need`. | `need` |
 | `JVMFLAGS` | Default JVMFLAGS for the ZooKeeper process. | `nil` |
 | `ZOO_HEAP_SIZE` | Size in MB for the Java Heap options (Xmx and XMs). This env var is ignored if Xmx an Xms are configured via `JVMFLAGS`.
| `1024` |
-| `ALLOW_ANONYMOUS_LOGIN` | If set to true, Allow to accept connections from unauthenticated users | `no` |
 | `ZOO_ENABLE_AUTH` | Enable ZooKeeper auth. It uses SASL/Digest-MD5. | `no` |
 | `ZOO_CLIENT_USER` | User that will use ZooKeeper clients to auth. | `nil` |
 | `ZOO_SERVER_USERS` | Comma, semicolon or whitespace separated list of user to be created. | `nil` |
@@ -326,12 +330,17 @@ be able to login.
 > Note: Authentication is enabled using the CLI tool `zkCli.sh`. Therefore, it's necessary to set `ZOO_CLIENT_USER` and `ZOO_CLIENT_PASSWORD` environment variables too.
+As SASL/Digest-MD5 is not compatible with FIPS, it's mandatory to disable "fips-mode" in Apache ZooKeeper.
+
+> Note: If fips-mode is required in your environment, you should deploy Apache ZooKeeper using a different auth mechanism like TLS.
+
 ```console
 docker run -it -e ZOO_ENABLE_AUTH=yes \
 -e ZOO_SERVER_USERS=user1,user2 \
 -e ZOO_SERVER_PASSWORDS=pass4user1,pass4user2 \
 -e ZOO_CLIENT_USER=user1 \
 -e ZOO_CLIENT_PASSWORD=pass4user1 \
+ -e ZOO_FIPS_MODE=no \
 bitnami/zookeeper
 ```
@@ -347,9 +356,22 @@ services:
 - ZOO_SERVER_PASSWORDS=pass4user1,pass4user2
 - ZOO_CLIENT_USER=user1
 - ZOO_CLIENT_PASSWORD=pass4user1
+ - ZOO_FIPS_MODE=no
 ...
 ```
+### Start Apache ZooKeeper with TLS
+
+```console
+docker run --name zookeeper \
+ -v /path/to/zookeeper.keystore.jks:/bitnami/zookeeper/certs/zookeeper.keystore.jks:ro
+ -v /path/to/zookeeper.truststore.jks:/bitnami/zookeeper/certs/zookeeper.truststore.jks:ro
+ -e ZOO_TLS_CLIENT_ENABLE=yes \
+ -e ZOO_TLS_CLIENT_KEYSTORE_FILE=/bitnami/zookeeper/certs/zookeeper.keystore.jks \
+ -e ZOO_TLS_CLIENT_TRUSTSTORE_FILE=/bitnami/zookeeper/certs/zookeeper.truststore.jks \
+ bitnami/zookeeper:latest
+```
+
 ### Setting up an Apache ZooKeeper ensemble
 An Apache ZooKeeper () cluster can easily be setup with the Bitnami Apache ZooKeeper Docker image using the following environment variables:
@@ -460,19 +482,6 @@ services:
 - ZOO_SERVERS=zookeeper1:2888:3888,zookeeper2:2888:3888,0.0.0.0:2888:3888
 ```
-### Start Apache ZooKeeper with TLS
-
-```console
-docker run --name zookeeper \
- -v /path/to/domain.key:/bitnami/zookeeper/certs/domain.key:ro
- -v /path/to/domain.crs:/bitnami/zookeeper/certs/domain.crs:ro
- -e ALLOW_EMPTY_PASSWORD=yes \
- -e ZOO_TLS_CLIENT_ENABLE=yes \
- -e ZOO_TLS_CLIENT_KEYSTORE_FILE=/bitnami/zookeeper/certs/domain.key\
- -e ZOO_TLS_CLIENT_TRUSTSTORE_FILE=/bitnami/zookeeper/certs/domain.crs\
- bitnami/zookeeper:latest
-```
-
 ## Logging
 The Bitnami Apache ZooKeeper Docker image sends the container logs to the `stdout`. To view the logs: