UNCLASSIFIED

Skip to content

GitLab

Commit 1ee75e97 authored by sean.melissari's avatar sean.melissari
Browse files

add labels

parent 8ad4ae7f
Pipeline #104979 passed with stage
in 10 seconds
Hide whitespace changes
Inline Side-by-side
Showing with 36 additions and 145 deletions
Dockerfile
View file @ 1ee75e97
...@@ -6,7 +6,6 @@ FROM apache/nifi:1.12.1 as base ...@@ -6,7 +6,6 @@ FROM apache/nifi:1.12.1 as base
FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
ENV NIFI_VERSION=1.12.1 ENV NIFI_VERSION=1.12.1
ENV NIFI_BASE_DIR=/opt/nifi ENV NIFI_BASE_DIR=/opt/nifi
ENV NIFI_HOME=${NIFI_BASE_DIR}/nifi-current ENV NIFI_HOME=${NIFI_BASE_DIR}/nifi-current
...@@ -24,8 +23,6 @@ COPY xmlstarlet.rpm /xmlstarlet.rpm ...@@ -24,8 +23,6 @@ COPY xmlstarlet.rpm /xmlstarlet.rpm
RUN groupadd -g 1000 nifi && \ RUN groupadd -g 1000 nifi && \
useradd -r -u 1000 -m -g nifi nifi && \ useradd -r -u 1000 -m -g nifi nifi && \
chown nifi:0 ${HOME} && \
chmod g=u ${HOME} && \
dnf update -y && \ dnf update -y && \
dnf install -y libxslt procps-ng && \ dnf install -y libxslt procps-ng && \
rpm -i --nosignature /xmlstarlet.rpm && \ rpm -i --nosignature /xmlstarlet.rpm && \
...@@ -37,10 +34,14 @@ RUN groupadd -g 1000 nifi && \ ...@@ -37,10 +34,14 @@ RUN groupadd -g 1000 nifi && \
COPY --chown=nifi:nifi --from=base ${NIFI_BASE_DIR} ${NIFI_BASE_DIR} COPY --chown=nifi:nifi --from=base ${NIFI_BASE_DIR} ${NIFI_BASE_DIR}
COPY --chown=nifi:nifi nifi.properties ${NIFI_HOME}/conf/nifi.properties COPY --chown=nifi:nifi nifi.properties ${NIFI_HOME}/conf/nifi.properties
COPY scripts/ ${NIFI_BASE_DIR}/scripts/ COPY --chown=nifi:nifi scripts/ ${NIFI_BASE_DIR}/scripts/
RUN chmod +x ${NIFI_BASE_DIR}/scripts/*.sh RUN chmod +x ${NIFI_BASE_DIR}/scripts/*.sh && \
chmod -R go-rwx ${NIFI_BASE_DIR} && \
echo "#!/bin/sh\n" > $NIFI_HOME/bin/nifi-env.sh
USER ${USER}
WORKDIR ${NIFI_HOME}
VOLUME ${NIFI_LOG_DIR} \ VOLUME ${NIFI_LOG_DIR} \
${NIFI_HOME}/conf \ ${NIFI_HOME}/conf \
...@@ -53,9 +54,6 @@ VOLUME ${NIFI_LOG_DIR} \ ...@@ -53,9 +54,6 @@ VOLUME ${NIFI_LOG_DIR} \
# Web HTTP(s) & Socket Site-to-Site Ports # Web HTTP(s) & Socket Site-to-Site Ports
EXPOSE 8080 8443 10000 8000 EXPOSE 8080 8443 10000 8000
USER ${USER}
WORKDIR ${NIFI_HOME}
HEALTHCHECK --start-period=60s \ HEALTHCHECK --start-period=60s \
CMD /opt/nifi/nifi-current/bin/nifi.sh status CMD /opt/nifi/nifi-current/bin/nifi.sh status
......
hardening_manifest.yaml
View file @ 1ee75e97
...@@ -20,20 +20,20 @@ args: ...@@ -20,20 +20,20 @@ args:
labels: labels:
org.opencontainers.image.title: "nifi" org.opencontainers.image.title: "nifi"
## Human-readable description of the software packaged in the image ## Human-readable description of the software packaged in the image
# org.opencontainers.image.description: "FIXME" org.opencontainers.image.description: "NiFi is an easy to use, powerful, and reliable system to process and distribute data."
## License(s) under which contained software is distributed ## License(s) under which contained software is distributed
# org.opencontainers.image.licenses: "FIXME" org.opencontainers.image.licenses: "Apache-2.0"
## URL to find more information on the image ## URL to find more information on the image
# org.opencontainers.image.url: "FIXME" org.opencontainers.image.url: "https://nifi.apache.org"
## Name of the distributing entity, organization or individual ## Name of the distributing entity, organization or individual
# org.opencontainers.image.vendor: "FIXME" org.opencontainers.image.vendor: "Apache"
org.opencontainers.image.version: "1.12.1" org.opencontainers.image.version: "1.12.1"
## Keywords to help with search (ex. "cicd,gitops,golang") ## Keywords to help with search (ex. "cicd,gitops,golang")
# mil.dso.ironbank.image.keywords: "FIXME" mil.dso.ironbank.image.keywords: "dataflow,processing"
## This value can be "opensource" or "commercial" ## This value can be "opensource" or "commercial"
# mil.dso.ironbank.image.type: "FIXME" mil.dso.ironbank.image.type: "opensource"
## Product the image belongs to for grouping multiple images ## Product the image belongs to for grouping multiple images
# mil.dso.ironbank.product.name: "FIXME" mil.dso.ironbank.product.name: "NiFi"
# List of resources to make available to the offline build context # List of resources to make available to the offline build context
resources: resources:
...@@ -51,15 +51,8 @@ resources: ...@@ -51,15 +51,8 @@ resources:
value: af986793a515d500ab2d35f8d2aecd656e764504b789b66d7e1a0b727a124c44 value: af986793a515d500ab2d35f8d2aecd656e764504b789b66d7e1a0b727a124c44
# List of project maintainers # List of project maintainers
# FIXME: Fill in the following details for the current container owner in the whitelist
# FIXME: Include any other vendor information if applicable
maintainers: maintainers:
- email: "melissari_sean@bah.com" - name: "Sean Melissari"
# # The name of the current container owner username: "sean.melissari"
# name: "FIXME" email: "melissari_sean@bah.com"
# # The gitlab username of the current container owner cht_member: true
# username: "FIXME"
# cht_member: true # FIXME: Uncomment if the maintainer is a member of CHT
# - name: "FIXME"
# username: "FIXME"
# email: "FIXME"
nifi.properties
View file @ 1ee75e97
...@@ -61,27 +61,22 @@ nifi.h2.url.append=;LOCK_TIMEOUT=25000;WRITE_DELAY=0;AUTO_SERVER=FALSE ...@@ -61,27 +61,22 @@ nifi.h2.url.append=;LOCK_TIMEOUT=25000;WRITE_DELAY=0;AUTO_SERVER=FALSE
nifi.flowfile.repository.implementation=org.apache.nifi.controller.repository.WriteAheadFlowFileRepository nifi.flowfile.repository.implementation=org.apache.nifi.controller.repository.WriteAheadFlowFileRepository
nifi.flowfile.repository.wal.implementation=org.apache.nifi.wali.SequentialAccessWriteAheadLog nifi.flowfile.repository.wal.implementation=org.apache.nifi.wali.SequentialAccessWriteAheadLog
nifi.flowfile.repository.directory=./flowfile_repository nifi.flowfile.repository.directory=./flowfile_repository
nifi.flowfile.repository.partitions=256 nifi.flowfile.repository.checkpoint.interval=20 secs
nifi.flowfile.repository.checkpoint.interval=2 mins
nifi.flowfile.repository.always.sync=false nifi.flowfile.repository.always.sync=false
nifi.flowfile.repository.encryption.key.provider.implementation= nifi.flowfile.repository.encryption.key.provider.implementation=
nifi.flowfile.repository.encryption.key.provider.location= nifi.flowfile.repository.encryption.key.provider.location=
nifi.flowfile.repository.encryption.key.id= nifi.flowfile.repository.encryption.key.id=
nifi.flowfile.repository.encryption.key= nifi.flowfile.repository.encryption.key=
nifi.flowfile.repository.retain.orphaned.flowfiles=true
nifi.swap.manager.implementation=org.apache.nifi.controller.FileSystemSwapManager nifi.swap.manager.implementation=org.apache.nifi.controller.FileSystemSwapManager
nifi.queue.swap.threshold=20000 nifi.queue.swap.threshold=20000
nifi.swap.in.period=5 sec
nifi.swap.in.threads=1
nifi.swap.out.period=5 sec
nifi.swap.out.threads=4
# Content Repository # Content Repository
nifi.content.repository.implementation=org.apache.nifi.controller.repository.FileSystemRepository nifi.content.repository.implementation=org.apache.nifi.controller.repository.FileSystemRepository
nifi.content.claim.max.appendable.size=1 MB nifi.content.claim.max.appendable.size=1 MB
nifi.content.claim.max.flow.files=100
nifi.content.repository.directory.default=./content_repository nifi.content.repository.directory.default=./content_repository
nifi.content.repository.archive.max.retention.period=12 hours nifi.content.repository.archive.max.retention.period=7 days
nifi.content.repository.archive.max.usage.percentage=50% nifi.content.repository.archive.max.usage.percentage=50%
nifi.content.repository.archive.enabled=true nifi.content.repository.archive.enabled=true
nifi.content.repository.always.sync=false nifi.content.repository.always.sync=false
...@@ -93,7 +88,6 @@ nifi.content.repository.encryption.key= ...@@ -93,7 +88,6 @@ nifi.content.repository.encryption.key=
# Provenance Repository Properties # Provenance Repository Properties
nifi.provenance.repository.implementation=org.apache.nifi.provenance.WriteAheadProvenanceRepository nifi.provenance.repository.implementation=org.apache.nifi.provenance.WriteAheadProvenanceRepository
nifi.provenance.repository.debug.frequency=1_000_000
nifi.provenance.repository.encryption.key.provider.implementation= nifi.provenance.repository.encryption.key.provider.implementation=
nifi.provenance.repository.encryption.key.provider.location= nifi.provenance.repository.encryption.key.provider.location=
nifi.provenance.repository.encryption.key.id= nifi.provenance.repository.encryption.key.id=
...@@ -101,9 +95,9 @@ nifi.provenance.repository.encryption.key= ...@@ -101,9 +95,9 @@ nifi.provenance.repository.encryption.key=
# Persistent Provenance Repository Properties # Persistent Provenance Repository Properties
nifi.provenance.repository.directory.default=./provenance_repository nifi.provenance.repository.directory.default=./provenance_repository
nifi.provenance.repository.max.storage.time=24 hours nifi.provenance.repository.max.storage.time=30 days
nifi.provenance.repository.max.storage.size=1 GB nifi.provenance.repository.max.storage.size=10 GB
nifi.provenance.repository.rollover.time=30 secs nifi.provenance.repository.rollover.time=10 mins
nifi.provenance.repository.rollover.size=100 MB nifi.provenance.repository.rollover.size=100 MB
nifi.provenance.repository.query.threads=2 nifi.provenance.repository.query.threads=2
nifi.provenance.repository.index.threads=2 nifi.provenance.repository.index.threads=2
...@@ -132,16 +126,15 @@ nifi.components.status.repository.buffer.size=1440 ...@@ -132,16 +126,15 @@ nifi.components.status.repository.buffer.size=1440
nifi.components.status.snapshot.frequency=1 min nifi.components.status.snapshot.frequency=1 min
# Site to Site properties # Site to Site properties
nifi.remote.input.host= nifi.remote.input.host=f3a79f73876d
nifi.remote.input.secure=false nifi.remote.input.secure=false
nifi.remote.input.socket.port= nifi.remote.input.socket.port=10000
nifi.remote.input.http.enabled=true nifi.remote.input.http.enabled=true
nifi.remote.input.http.transaction.ttl=30 sec nifi.remote.input.http.transaction.ttl=30 sec
nifi.remote.contents.cache.expiration=30 secs nifi.remote.contents.cache.expiration=30 secs
# web properties # # web properties #
nifi.web.war.directory=./lib nifi.web.http.host=f3a79f73876d
nifi.web.http.host=
nifi.web.http.port=8080 nifi.web.http.port=8080
nifi.web.http.network.interface.default= nifi.web.http.network.interface.default=
nifi.web.https.host= nifi.web.https.host=
...@@ -152,6 +145,9 @@ nifi.web.jetty.threads=200 ...@@ -152,6 +145,9 @@ nifi.web.jetty.threads=200
nifi.web.max.header.size=16 KB nifi.web.max.header.size=16 KB
nifi.web.proxy.context.path=/ib-nifi/ nifi.web.proxy.context.path=/ib-nifi/
nifi.web.proxy.host= nifi.web.proxy.host=
nifi.web.max.content.size=
nifi.web.max.requests.per.second=30000
nifi.web.should.send.server.version=true
# security properties # # security properties #
nifi.sensitive.props.key= nifi.sensitive.props.key=
...@@ -168,6 +164,7 @@ nifi.security.truststore= ...@@ -168,6 +164,7 @@ nifi.security.truststore=
nifi.security.truststoreType= nifi.security.truststoreType=
nifi.security.truststorePasswd= nifi.security.truststorePasswd=
nifi.security.user.authorizer=managed-authorizer nifi.security.user.authorizer=managed-authorizer
nifi.security.allow.anonymous.authentication=false
nifi.security.user.login.identity.provider= nifi.security.user.login.identity.provider=
nifi.security.ocsp.responder.url= nifi.security.ocsp.responder.url=
nifi.security.ocsp.responder.certificate= nifi.security.ocsp.responder.certificate=
...@@ -210,11 +207,12 @@ nifi.security.user.knox.audiences= ...@@ -210,11 +207,12 @@ nifi.security.user.knox.audiences=
# cluster common properties (all nodes must have same values) # # cluster common properties (all nodes must have same values) #
nifi.cluster.protocol.heartbeat.interval=5 sec nifi.cluster.protocol.heartbeat.interval=5 sec
nifi.cluster.protocol.heartbeat.missable.max=8
nifi.cluster.protocol.is.secure=false nifi.cluster.protocol.is.secure=false
# cluster node properties (only configure for cluster nodes) # # cluster node properties (only configure for cluster nodes) #
nifi.cluster.is.node=false nifi.cluster.is.node=false
nifi.cluster.node.address= nifi.cluster.node.address=f3a79f73876d
nifi.cluster.node.protocol.port= nifi.cluster.node.protocol.port=
nifi.cluster.node.protocol.threads=10 nifi.cluster.node.protocol.threads=10
nifi.cluster.node.protocol.max.threads=50 nifi.cluster.node.protocol.max.threads=50
...@@ -229,14 +227,14 @@ nifi.cluster.flow.election.max.candidates= ...@@ -229,14 +227,14 @@ nifi.cluster.flow.election.max.candidates=
# cluster load balancing properties # # cluster load balancing properties #
nifi.cluster.load.balance.host= nifi.cluster.load.balance.host=
nifi.cluster.load.balance.port=6342 nifi.cluster.load.balance.port=6342
nifi.cluster.load.balance.connections.per.node=4 nifi.cluster.load.balance.connections.per.node=1
nifi.cluster.load.balance.max.thread.count=8 nifi.cluster.load.balance.max.thread.count=8
nifi.cluster.load.balance.comms.timeout=30 sec nifi.cluster.load.balance.comms.timeout=30 sec
# zookeeper properties, used for cluster management # # zookeeper properties, used for cluster management #
nifi.zookeeper.connect.string= nifi.zookeeper.connect.string=
nifi.zookeeper.connect.timeout=3 secs nifi.zookeeper.connect.timeout=10 secs
nifi.zookeeper.session.timeout=3 secs nifi.zookeeper.session.timeout=10 secs
nifi.zookeeper.root.node=/nifi nifi.zookeeper.root.node=/nifi
# Zookeeper properties for the authentication scheme used when creating acls on znodes used for cluster management # Zookeeper properties for the authentication scheme used when creating acls on znodes used for cluster management
......
scripts/common.sh 100644 → 100755
View file @ 1ee75e97
File mode changed from 100644 to 100755
scripts/secure.sh 100644 → 100755
View file @ 1ee75e97
File mode changed from 100644 to 100755
scripts/start.sh 100644 → 100755
View file @ 1ee75e97
File mode changed from 100644 to 100755
scripts/toolkit.sh 100644 → 100755
View file @ 1ee75e97
...@@ -15,105 +15,6 @@ ...@@ -15,105 +15,6 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
scripts_dir='/opt/nifi/scripts'
[ -f "${scripts_dir}/common.sh" ] && . "${scripts_dir}/common.sh"
# Override JVM memory settings
if [ ! -z "${NIFI_JVM_HEAP_INIT}" ]; then
prop_replace 'java.arg.2' "-Xms${NIFI_JVM_HEAP_INIT}" ${nifi_bootstrap_file}
fi
if [ ! -z "${NIFI_JVM_HEAP_MAX}" ]; then
prop_replace 'java.arg.3' "-Xmx${NIFI_JVM_HEAP_MAX}" ${nifi_bootstrap_file}
fi
if [ ! -z "${NIFI_JVM_DEBUGGER}" ]; then
uncomment "java.arg.debug" ${nifi_bootstrap_file}
fi
# Establish baseline properties
prop_replace 'nifi.web.http.port' "${NIFI_WEB_HTTP_PORT:-8080}"
prop_replace 'nifi.web.http.host' "${NIFI_WEB_HTTP_HOST:-$HOSTNAME}"
prop_replace 'nifi.remote.input.host' "${NIFI_REMOTE_INPUT_HOST:-$HOSTNAME}"
prop_replace 'nifi.remote.input.socket.port' "${NIFI_REMOTE_INPUT_SOCKET_PORT:-10000}"
prop_replace 'nifi.remote.input.secure' 'false'
# Set nifi-toolkit properties files and baseUrl
"${scripts_dir}/toolkit.sh"
prop_replace 'baseUrl' "http://${NIFI_WEB_HTTP_HOST:-$HOSTNAME}:${NIFI_WEB_HTTP_PORT:-8080}" ${nifi_toolkit_props_file}
prop_replace 'nifi.variable.registry.properties' "${NIFI_VARIABLE_REGISTRY_PROPERTIES:-}"
prop_replace 'nifi.cluster.is.node' "${NIFI_CLUSTER_IS_NODE:-false}"
prop_replace 'nifi.cluster.node.address' "${NIFI_CLUSTER_ADDRESS:-$HOSTNAME}"
prop_replace 'nifi.cluster.node.protocol.port' "${NIFI_CLUSTER_NODE_PROTOCOL_PORT:-}"
prop_replace 'nifi.cluster.node.protocol.threads' "${NIFI_CLUSTER_NODE_PROTOCOL_THREADS:-10}"
prop_replace 'nifi.cluster.node.protocol.max.threads' "${NIFI_CLUSTER_NODE_PROTOCOL_MAX_THREADS:-50}"
prop_replace 'nifi.zookeeper.connect.string' "${NIFI_ZK_CONNECT_STRING:-}"
prop_replace 'nifi.zookeeper.root.node' "${NIFI_ZK_ROOT_NODE:-/nifi}"
prop_replace 'nifi.cluster.flow.election.max.wait.time' "${NIFI_ELECTION_MAX_WAIT:-5 mins}"
prop_replace 'nifi.cluster.flow.election.max.candidates' "${NIFI_ELECTION_MAX_CANDIDATES:-}"
prop_replace 'nifi.web.proxy.context.path' "${NIFI_WEB_PROXY_CONTEXT_PATH:-}"
# Set analytics properties
prop_replace 'nifi.analytics.predict.enabled' "${NIFI_ANALYTICS_PREDICT_ENABLED:-false}"
prop_replace 'nifi.analytics.predict.interval' "${NIFI_ANALYTICS_PREDICT_INTERVAL:-3 mins}"
prop_replace 'nifi.analytics.query.interval' "${NIFI_ANALYTICS_QUERY_INTERVAL:-5 mins}"
prop_replace 'nifi.analytics.connection.model.implementation' "${NIFI_ANALYTICS_MODEL_IMPLEMENTATION:-org.apache.nifi.controller.status.analytics.models.OrdinaryLeastSquares}"
prop_replace 'nifi.analytics.connection.model.score.name' "${NIFI_ANALYTICS_MODEL_SCORE_NAME:-rSquared}"
prop_replace 'nifi.analytics.connection.model.score.threshold' "${NIFI_ANALYTICS_MODEL_SCORE_THRESHOLD:-.90}"
. "${scripts_dir}/update_cluster_state_management.sh"
# Check if we are secured or unsecured
case ${AUTH} in
tls)
echo 'Enabling Two-Way SSL user authentication'
. "${scripts_dir}/secure.sh"
;;
ldap)
echo 'Enabling LDAP user authentication'
# Reference ldap-provider in properties
prop_replace 'nifi.security.user.login.identity.provider' 'ldap-provider'
. "${scripts_dir}/secure.sh"
. "${scripts_dir}/update_login_providers.sh"
;;
*)
if [ ! -z "${NIFI_WEB_PROXY_HOST}" ]; then
echo 'NIFI_WEB_PROXY_HOST was set but NiFi is not configured to run in a secure mode. Will not update nifi.web.proxy.host.'
fi
;;
esac
# Continuously provide logs so that 'docker logs' can produce them
"${NIFI_HOME}/bin/nifi.sh" run &
nifi_pid="$!"
tail -F --pid=${nifi_pid} "${NIFI_HOME}/logs/nifi-app.log" &
trap 'echo Received trapped signal, beginning shutdown...;./bin/nifi.sh stop;exit 0;' TERM HUP INT;
trap ":" EXIT
echo NiFi running with PID ${nifi_pid}.
wait ${nifi_pid}
nifi@ade64fede7e3:/opt/nifi/scripts$ cat toolkit.sh
#!/bin/sh -e
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
cat <<EOT > ${nifi_toolkit_props_file} cat <<EOT > ${nifi_toolkit_props_file}
baseUrl= baseUrl=
keystore= keystore=
...@@ -128,3 +29,4 @@ EOT ...@@ -128,3 +29,4 @@ EOT
cat <<EOT > ${HOME}/.nifi-cli.config cat <<EOT > ${HOME}/.nifi-cli.config
nifi.props=${nifi_toolkit_props_file} nifi.props=${nifi_toolkit_props_file}
EOT
scripts/update_cluster_state_management.sh 100644 → 100755
View file @ 1ee75e97
File mode changed from 100644 to 100755
scripts/update_login_providers.sh 100644 → 100755
View file @ 1ee75e97
File mode changed from 100644 to 100755
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment

UNCLASSIFIED