Docker entrypoint file to launch NiFi in clustered mode with SSL enabled
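#!/bin/bash
#
# Docker entrypoint for Apache NiFi.
#
# When invoked as `<entrypoint> nifi` it rewrites bootstrap.conf, nifi.properties
# and authorizers.xml from NIFI_* environment variables (optionally enabling TLS
# and cluster mode), starts NiFi in the foreground and streams nifi-app.log so
# that `docker logs` shows it. Any other command line is exec'd unchanged.
#
# Depends on helpers sourced from /opt/nifi/scripts/common.sh: prop_replace,
# uncomment and the nifi_bootstrap_file variable (presumably the path of
# bootstrap.conf -- confirm against the image's common.sh).
#
# Security notes:
#   * NIFI_AUTH defaults to "none": plain, unauthenticated HTTP (on port 8443).
#   * With NIFI_AUTH=tls the keystore, key and truststore passwords default to
#     the host name, which is trivially guessable. Set NIFI_KEYSTORE_PASSWORD,
#     NIFI_KEYSTORE_KEY_PASSWORD and NIFI_TRUSTSTORE_PASSWORD explicitly; a
#     warning is written to stderr whenever a default is used.
#   * NIFI_ADMIN_IDENTITY defaults to an example DN. Anyone holding a
#     certificate with that DN issued by a CA in the truststore is a NiFi
#     admin, so always override it.
#   * Password-bearing properties are redacted from the configuration dump
#     written to the container log.

# Escape a value for use as a literal inside a sed 's|...|VALUE|' replacement
# (backslash, '&' and the '|' delimiter are special there).
_escape_sed_replacement() {
  printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'
}

# Escape the characters that are special in XML element text.
_escape_xml_text() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Warn on stderr that a secret named $1 fell back to its host-name default.
_warn_default_secret() {
  printf 'WARNING: %s was not set; defaulting it to the host name, which is easily guessed. Set it explicitly.\n' "$1" >&2
}

if [[ "$1" = 'nifi' ]]; then
  scripts_dir='/opt/nifi/scripts'
  # Fail fast if the helper library is missing: every prop_replace below would
  # otherwise fail individually with "command not found".
  if [[ -f "${scripts_dir}/common.sh" ]]; then
    . "${scripts_dir}/common.sh"
  else
    echo "ERROR: ${scripts_dir}/common.sh not found; prop_replace/uncomment helpers are unavailable." >&2
    exit 1
  fi

  # Override JVM memory settings in bootstrap.conf (java.arg.2/3 are the
  # -Xms/-Xmx entries in the stock file).
  if [[ -n "${NIFI_JVM_HEAP_INIT}" ]]; then
    prop_replace 'java.arg.2' "-Xms${NIFI_JVM_HEAP_INIT}" "${nifi_bootstrap_file}"
  fi
  if [[ -n "${NIFI_JVM_HEAP_MAX}" ]]; then
    prop_replace 'java.arg.3' "-Xmx${NIFI_JVM_HEAP_MAX}" "${nifi_bootstrap_file}"
  fi
  # Enabling the remote debugger opens an unauthenticated JDWP port; never
  # leave this on outside development.
  if [[ -n "${NIFI_JVM_DEBUGGER}" ]]; then
    uncomment "java.arg.debug" "${nifi_bootstrap_file}"
  fi

  : "${HOST=$(hostname)}"   # provided by Marathon; otherwise the container host name
  : "${NIFI_BASE_DIR=/opt/nifi}"
  : "${NIFI_HOME=${NIFI_BASE_DIR}/nifi-current}"
  : "${NIFI_AUTH=none}"

  if [[ "${NIFI_AUTH}" == "tls" ]]; then
    : "${NIFI_WEB_HTTPS_PORT=8443}"
    : "${NIFI_WEB_HTTPS_HOST=${HOST}}"
    : "${NIFI_CERTS_DIR=/etc/certs}"
    : "${NIFI_KEYSTORE_FILE=${HOST}.p12}"
    : "${NIFI_KEYSTORE_TYPE=PKCS12}"
    # Secrets fall back to the host name only when unset (same rule as before),
    # but the fallback is now called out loudly.
    if [[ -z "${NIFI_KEYSTORE_PASSWORD+x}" ]]; then
      _warn_default_secret NIFI_KEYSTORE_PASSWORD
      NIFI_KEYSTORE_PASSWORD="${HOST}"
    fi
    : "${NIFI_KEYSTORE_KEY_PASSWORD=${NIFI_KEYSTORE_PASSWORD}}"
    : "${NIFI_TRUSTSTORE_FILE=nifi-trust.jks}"
    : "${NIFI_TRUSTSTORE_TYPE=JKS}"
    if [[ -z "${NIFI_TRUSTSTORE_PASSWORD+x}" ]]; then
      _warn_default_secret NIFI_TRUSTSTORE_PASSWORD
      NIFI_TRUSTSTORE_PASSWORD="${HOST}"
    fi
    if [[ ! -r "${NIFI_CERTS_DIR}/${NIFI_KEYSTORE_FILE}" ]]; then
      echo "WARNING: keystore ${NIFI_CERTS_DIR}/${NIFI_KEYSTORE_FILE} is not readable; NiFi will not be able to bring up its TLS listeners." >&2
    fi
    if [[ ! -r "${NIFI_CERTS_DIR}/${NIFI_TRUSTSTORE_FILE}" ]]; then
      echo "WARNING: truststore ${NIFI_CERTS_DIR}/${NIFI_TRUSTSTORE_FILE} is not readable; client certificates cannot be verified." >&2
    fi

    # Disable HTTP and enable HTTPS
    prop_replace 'nifi.web.http.port' ''
    prop_replace 'nifi.web.http.host' ''
    prop_replace 'nifi.web.https.port' "${NIFI_WEB_HTTPS_PORT}"
    prop_replace 'nifi.web.https.host' "${NIFI_WEB_HTTPS_HOST}"
    prop_replace 'nifi.security.keystore' "${NIFI_CERTS_DIR}/${NIFI_KEYSTORE_FILE}"
    prop_replace 'nifi.security.keystoreType' "${NIFI_KEYSTORE_TYPE}"
    prop_replace 'nifi.security.keystorePasswd' "${NIFI_KEYSTORE_PASSWORD}"
    prop_replace 'nifi.security.keyPasswd' "${NIFI_KEYSTORE_KEY_PASSWORD}"
    prop_replace 'nifi.security.truststore' "${NIFI_CERTS_DIR}/${NIFI_TRUSTSTORE_FILE}"
    prop_replace 'nifi.security.truststoreType' "${NIFI_TRUSTSTORE_TYPE}"
    prop_replace 'nifi.security.truststorePasswd' "${NIFI_TRUSTSTORE_PASSWORD}"
    # Site-to-site and the cluster protocol must be TLS as well, otherwise
    # flow files and cluster coordination travel in the clear.
    prop_replace 'nifi.remote.input.secure' 'true'
    prop_replace 'nifi.cluster.protocol.is.secure' 'true'

    # Check if the user has specified a nifi.web.proxy.host setting and handle appropriately
    : "${NIFI_WEB_PROXY_HOST=}"
    if [[ -z "${NIFI_WEB_PROXY_HOST}" ]]; then
      echo 'NIFI_WEB_PROXY_HOST was not set but NiFi is configured to run in a secure mode. The NiFi UI may be inaccessible if using port mapping.' >&2
    else
      prop_replace 'nifi.web.proxy.host' "${NIFI_WEB_PROXY_HOST}"
    fi

    # Establish initial user and an associated admin identity. The value is
    # XML-escaped and sed-escaped so a DN containing '&', '<', '|' or '\'
    # cannot corrupt authorizers.xml.
    if [[ -z "${NIFI_ADMIN_IDENTITY+x}" ]]; then
      echo 'WARNING: NIFI_ADMIN_IDENTITY not set; using the example DN "CN=NiFi Admin, O=Acme Corp". Any trusted certificate with that DN gets full admin rights.' >&2
      NIFI_ADMIN_IDENTITY='CN=NiFi Admin, O=Acme Corp'
    fi
    admin_identity_xml="$(_escape_xml_text "${NIFI_ADMIN_IDENTITY}")"
    sed -i -e 's|<property name="Initial Admin Identity"></property>|<property name="Initial Admin Identity">'"$(_escape_sed_replacement "${admin_identity_xml}")"'</property>|' "${NIFI_HOME}/conf/authorizers.xml"

    # Set the node identities. NIFI_NODE_IDENTITIES is a comma-separated list
    # of node host names; each becomes a "Node Identity" and an "Initial User
    # Identity" entry. The organisation parts were hard-coded before and are
    # kept as defaults here: node identities get O=ESP, user identities get
    # O=Acme Corp. NOTE(review): the two differ, so the user created for a node
    # is not the DN the node presents -- confirm this matches your certificates.
    : "${NIFI_NODE_IDENTITIES=${HOST}}"
    : "${NIFI_NODE_IDENTITY_ORG=ESP}"
    : "${NIFI_USER_IDENTITY_ORG=Acme Corp}"
    if [[ -n "${NIFI_NODE_IDENTITIES}" ]]; then
      echo "Processing cluster nodes ${NIFI_NODE_IDENTITIES}"
      # Split on commas; surrounding whitespace is dropped and empty entries skipped.
      IFS=$', \t\n' read -r -a nodes <<< "${NIFI_NODE_IDENTITIES}"
      # Scratch files live in a private temp dir rather than the current
      # directory, and are removed once spliced into authorizers.xml.
      work_dir="$(mktemp -d)" || { echo 'ERROR: mktemp -d failed' >&2; exit 1; }
      nodes_file="${work_dir}/nodes.txt"
      users_file="${work_dir}/users.txt"
      node_org_xml="$(_escape_xml_text "${NIFI_NODE_IDENTITY_ORG}")"
      user_org_xml="$(_escape_xml_text "${NIFI_USER_IDENTITY_ORG}")"
      : > "${nodes_file}"
      # Identities are passed as printf arguments, never as the format string.
      printf '        <property name="Initial User Identity 0">%s</property>\n' "${admin_identity_xml}" > "${users_file}"
      node_count=0
      for node in "${nodes[@]}"; do
        [[ -n "${node}" ]] || continue
        node_count=$((node_count + 1))
        node_xml="$(_escape_xml_text "${node}")"
        printf '        <property name="Node Identity %d">CN=%s, O=%s</property>\n' "${node_count}" "${node_xml}" "${node_org_xml}" >> "${nodes_file}"
        printf '        <property name="Initial User Identity %d">CN=%s, O=%s</property>\n' "${node_count}" "${node_xml}" "${user_org_xml}" >> "${users_file}"
      done
      cat "${nodes_file}"
      # 'r FILE' consumes the rest of its script line, hence the separate -e
      # for the closing 'd}'.
      sed -i -e '/<property name="Node Identity 1"><\/property>/{r '"${nodes_file}" -e 'd}' "${NIFI_HOME}/conf/authorizers.xml"
      sed -i -e '/<property name="Initial User Identity 1"><\/property>/{r '"${users_file}" -e 'd}' "${NIFI_HOME}/conf/authorizers.xml"
      rm -rf -- "${work_dir}"
    fi
  else
    # Plain HTTP with no authentication. Note the port is still 8443 even
    # though nothing on it is encrypted.
    : "${NIFI_WEB_HTTP_PORT=8443}"
    : "${NIFI_WEB_HTTP_HOST=${HOST}}"
    prop_replace 'nifi.web.http.port' "${NIFI_WEB_HTTP_PORT}"
    prop_replace 'nifi.web.http.host' "${NIFI_WEB_HTTP_HOST}"
    prop_replace 'nifi.remote.input.secure' 'false'
  fi

  # Site-to-site listener
  : "${NIFI_REMOTE_INPUT_HOST=${HOST}}"
  : "${NIFI_REMOTE_INPUT_SOCKET_PORT=10000}"
  prop_replace 'nifi.remote.input.host' "${NIFI_REMOTE_INPUT_HOST}"
  prop_replace 'nifi.remote.input.socket.port' "${NIFI_REMOTE_INPUT_SOCKET_PORT}"

  # Cluster / ZooKeeper settings
  : "${NIFI_VARIABLE_REGISTRY_PROPERTIES=}"
  : "${NIFI_CLUSTER_IS_NODE=false}"
  : "${NIFI_CLUSTER_ADDRESS=${HOST}}"
  : "${NIFI_CLUSTER_NODE_PROTOCOL_PORT=}"
  : "${NIFI_CLUSTER_NODE_PROTOCOL_THREADS=10}"
  : "${NIFI_CLUSTER_NODE_PROTOCOL_MAX_THREADS=50}"
  : "${NIFI_ZK_CONNECT_STRING=}"
  : "${NIFI_ZK_ROOT_NODE=/nifi}"
  : "${NIFI_ELECTION_MAX_WAIT=5 mins}"
  : "${NIFI_ELECTION_MAX_CANDIDATES=}"
  : "${NIFI_WEB_PROXY_CONTEXT_PATH=}"
  prop_replace 'nifi.variable.registry.properties' "${NIFI_VARIABLE_REGISTRY_PROPERTIES}"
  prop_replace 'nifi.cluster.is.node' "${NIFI_CLUSTER_IS_NODE}"
  prop_replace 'nifi.cluster.node.address' "${NIFI_CLUSTER_ADDRESS}"
  prop_replace 'nifi.cluster.node.protocol.port' "${NIFI_CLUSTER_NODE_PROTOCOL_PORT}"
  prop_replace 'nifi.cluster.node.protocol.threads' "${NIFI_CLUSTER_NODE_PROTOCOL_THREADS}"
  prop_replace 'nifi.cluster.node.protocol.max.threads' "${NIFI_CLUSTER_NODE_PROTOCOL_MAX_THREADS}"
  prop_replace 'nifi.zookeeper.connect.string' "${NIFI_ZK_CONNECT_STRING}"
  prop_replace 'nifi.zookeeper.root.node' "${NIFI_ZK_ROOT_NODE}"
  prop_replace 'nifi.cluster.flow.election.max.wait.time' "${NIFI_ELECTION_MAX_WAIT}"
  prop_replace 'nifi.cluster.flow.election.max.candidates' "${NIFI_ELECTION_MAX_CANDIDATES}"
  prop_replace 'nifi.web.proxy.context.path' "${NIFI_WEB_PROXY_CONTEXT_PATH}"

  . "${scripts_dir}/update_cluster_state_management.sh"

  # Echo the effective configuration to the container log, with the
  # keystore/key/truststore passwords and the sensitive-props key masked so
  # they do not end up in `docker logs` or a log aggregator.
  sed -E 's/^([^=]*(Passwd|Password|\.props\.key)=).*/\1[REDACTED]/' "${NIFI_HOME}/conf/nifi.properties"
  printf '\n---\n'
  cat "${NIFI_HOME}/conf/authorizers.xml"
  printf '\n---\n'

  # Continuously provide logs so that 'docker logs' can produce them
  tail -F "${NIFI_HOME}/logs/nifi-app.log" &
  "${NIFI_HOME}/bin/nifi.sh" run &
  nifi_pid="$!"

  # On a stop request ask NiFi to shut down cleanly instead of just logging and
  # letting Docker SIGKILL it when the grace period ends. SIGKILL itself cannot
  # be trapped, so it is not listed. `nifi.sh stop` is what later upstream
  # entrypoints call here -- confirm it suits your NiFi version.
  trap 'echo "Received trapped signal, beginning shutdown..."; "${NIFI_HOME}/bin/nifi.sh" stop' TERM HUP INT

  echo "NiFi running with PID ${nifi_pid}."
  nifi_status=0
  wait "${nifi_pid}" || nifi_status=$?
  if (( nifi_status > 128 )); then
    # wait returned because of the trapped signal; wait again so the
    # container does not exit before NiFi has actually stopped.
    wait "${nifi_pid}" || nifi_status=$?
  fi
  # Exit with NiFi's status so the container's exit code is meaningful
  # (previously the script fell through to `exec nifi`).
  exit "${nifi_status}"
fi

exec "$@"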