344d648cab
As it turns out, docker does not pass through the sysctls, so adjust this for known users of unprivileged ports (>32K): - HDFS - kafka Signed-off-by: Azat Khuzhin <a.khuzhin@semrush.com>
# Compose stack for a Kerberos-enabled Kafka setup: one ZooKeeper node, one
# Kafka broker and a Kerberos KDC. All three services mount the same host
# "secrets" directory.
# NOTE(review): the relaxed settings below (PLAINTEXT listeners, Kerberos
# debug tracing, SELinux labelling disabled) look intended for a disposable
# test environment only - confirm before reusing any of this elsewhere.
version: '2.3'

services:
  kafka_kerberized_zookeeper:
    # Pinned by tag, not by digest; a tag can be re-pointed upstream.
    image: confluentinc/cp-zookeeper:5.2.0
    # restart: always
    hostname: kafka_kerberized_zookeeper
    environment:
      ZOOKEEPER_SERVER_ID: 1
      ZOOKEEPER_CLIENT_PORT: 2181
      ZOOKEEPER_SERVERS: "kafka_kerberized_zookeeper:2888:3888"
      # Enables the SASL authentication provider and points the JVM at the
      # JAAS and krb5 configuration from the mounted secrets directory.
      # sun.security.krb5.debug=true turns on the JDK's Kerberos debug
      # tracing, so container logs carry detailed Kerberos exchange output.
      KAFKA_OPTS: "-Djava.security.auth.login.config=/etc/kafka/secrets/zookeeper_jaas.conf -Djava.security.krb5.conf=/etc/kafka/secrets/krb.conf -Dzookeeper.authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider -Dsun.security.krb5.debug=true"
    volumes:
      # Mounted read-write (no ":ro" suffix).
      # NOTE(review): presumably this service only reads the keytabs and
      # configs; if so, ":ro" would be the least-privilege choice - confirm.
      - ${KERBERIZED_KAFKA_DIR}/secrets:/etc/kafka/secrets
      # Bind-mounts the host's /dev/urandom over the container's /dev/random
      # (presumably to avoid blocking on low entropy - confirm).
      - /dev/urandom:/dev/random
    depends_on:
      - kafka_kerberos
    security_opt:
      # Disables SELinux label confinement for this container.
      # NOTE(review): if the only goal is access to the bind mounts on an
      # SELinux host, a ":z"/":Z" volume suffix is the narrower alternative.
      - label:disable

  kerberized_kafka1:
    # Pinned by tag, not by digest; a tag can be re-pointed upstream.
    image: confluentinc/cp-kafka:5.2.0
    # restart: always
    hostname: kerberized_kafka1
    ports:
      # No host IP is given, so the port is published on all host interfaces.
      # The listener bound to this port below (UNSECURED_INSIDE) is mapped to
      # PLAINTEXT, i.e. reachable without authentication or encryption.
      # NOTE(review): it is advertised as "localhost", so a "127.0.0.1:"
      # prefix would probably be enough - confirm how the test clients connect.
      - ${KERBERIZED_KAFKA_EXTERNAL_PORT:-19092}:${KERBERIZED_KAFKA_EXTERNAL_PORT:-19092}
    environment:
      # Three listeners: OUTSIDE (19092), UNSECURED_OUTSIDE (19093) and
      # UNSECURED_INSIDE on the externally published port.
      # NOTE(review): unlike the "ports" entry above, the variable has no
      # default here. Unset, Compose substitutes an empty string and the
      # listener address ends in a bare ":"; set to 19092, it collides with
      # OUTSIDE. The caller therefore has to export a distinct port.
      KAFKA_LISTENERS: OUTSIDE://:19092,UNSECURED_OUTSIDE://:19093,UNSECURED_INSIDE://0.0.0.0:${KERBERIZED_KAFKA_EXTERNAL_PORT}
      KAFKA_ADVERTISED_LISTENERS: OUTSIDE://kerberized_kafka1:19092,UNSECURED_OUTSIDE://kerberized_kafka1:19093,UNSECURED_INSIDE://localhost:${KERBERIZED_KAFKA_EXTERNAL_PORT}
      # KAFKA_LISTENERS: INSIDE://kerberized_kafka1:9092,OUTSIDE://kerberized_kafka1:19092
      # KAFKA_ADVERTISED_LISTENERS: INSIDE://localhost:9092,OUTSIDE://kerberized_kafka1:19092
      KAFKA_ADVERTISED_HOST_NAME: kerberized_kafka1
      # Kerberos (GSSAPI) is the only SASL mechanism enabled.
      KAFKA_SASL_MECHANISM_INTER_BROKER_PROTOCOL: GSSAPI
      KAFKA_SASL_ENABLED_MECHANISMS: GSSAPI
      KAFKA_SASL_KERBEROS_SERVICE_NAME: kafka
      # OUTSIDE is SASL_PLAINTEXT: authenticated, but with no TLS, so traffic
      # is not encrypted. Both UNSECURED_* listeners are PLAINTEXT: neither
      # authenticated nor encrypted. The value ends with a trailing comma.
      KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: OUTSIDE:SASL_PLAINTEXT,UNSECURED_OUTSIDE:PLAINTEXT,UNSECURED_INSIDE:PLAINTEXT,
      # Broker-to-broker traffic uses the Kerberos-authenticated listener.
      KAFKA_INTER_BROKER_LISTENER_NAME: OUTSIDE
      KAFKA_BROKER_ID: 1
      KAFKA_ZOOKEEPER_CONNECT: "kafka_kerberized_zookeeper:2181"
      KAFKA_LOG4J_LOGGERS: "kafka.controller=INFO,kafka.producer.async.DefaultEventHandler=INFO,state.change.logger=INFO"
      KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
      # Broker JAAS and krb5 configuration from the mounted secrets directory;
      # sun.security.krb5.debug=true enables Kerberos debug tracing in the logs.
      KAFKA_OPTS: "-Djava.security.auth.login.config=/etc/kafka/secrets/broker_jaas.conf -Djava.security.krb5.conf=/etc/kafka/secrets/krb.conf -Dsun.security.krb5.debug=true"
    volumes:
      # The ":-" default means an unset KERBERIZED_KAFKA_DIR resolves to the
      # host path "/secrets" without a Compose warning. Mounted read-write.
      - ${KERBERIZED_KAFKA_DIR:-}/secrets:/etc/kafka/secrets
      # Bind-mounts the host's /dev/urandom over the container's /dev/random.
      - /dev/urandom:/dev/random
    depends_on:
      - kafka_kerberized_zookeeper
      - kafka_kerberos
    security_opt:
      # Disables SELinux label confinement for this container.
      - label:disable
    sysctls:
      # Restricts the container's ephemeral (local) port range to 55000-65535
      # (presumably so outgoing connections cannot take a listener port -
      # confirm against the commit that introduced it).
      net.ipv4.ip_local_port_range: '55000 65535'

  kafka_kerberos:
    # Falls back to the mutable "latest" tag when DOCKER_KERBEROS_KDC_TAG is
    # unset, so the KDC image content is not pinned in that case.
    image: clickhouse/kerberos-kdc:${DOCKER_KERBEROS_KDC_TAG:-latest}
    hostname: kafka_kerberos
    volumes:
      # Same host directory that the ZooKeeper and broker containers mount as
      # /etc/kafka/secrets (presumably the KDC writes the keytabs - confirm).
      - ${KERBERIZED_KAFKA_DIR}/secrets:/tmp/keytab
      - ${KERBERIZED_KAFKA_DIR}/../../kerberos_image_config.sh:/config.sh
      # Bind-mounts the host's /dev/urandom over the container's /dev/random.
      - /dev/urandom:/dev/random
    # Container ports only: Compose publishes each on a host port chosen at
    # start-up, on all host interfaces. 88 is the standard Kerberos port and
    # 749 the standard kadmin port.
    # NOTE(review): if only the other services in this file need the KDC,
    # "expose" would avoid publishing it on the host - confirm.
    ports:
      - 88
      - 749