docker compose zookeeper kafka-错误cnxn.saslServer为空:cnxn对象没有正



我正在尝试使用docker-compose来启动zk/kafka。

docker-compose.yml

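version: '2'
services:
  zookeeper-1:
    image: confluentinc/cp-zookeeper:6.1.4
    environment:
      ZOOKEEPER_SERVER_ID: "1"
      # Plaintext client port. The image requires it and the log shows it bound;
      # it is not published below, but it stays reachable from other containers
      # on the compose network.
      ZOOKEEPER_CLIENT_PORT: "2181"
      ZOOKEEPER_TICK_TIME: "2000"
      ZOOKEEPER_INIT_LIMIT: "10"
      ZOOKEEPER_SYNC_LIMIT: "5"
      ZOOKEEPER_DATADIR_AUTOCREATE: "false"
      ZOOKEEPER_MAX_CLIENT_CNXNS: "60"
      ZOOKEEPER_AUTOPURGE_SNAP_RETAIN_COUNT: "12"
      ZOOKEEPER_AUTOPURGE_PURGE_INTERVAL: "168"
      ZOOKEEPER_ADMIN_ENABLE_SERVER: "false"
      ZOOKEEPER_SERVER_1: "zookeeper-1:12881:13881"
      # SASL: every client session must authenticate with a login from
      # zookeeper_jaas.conf (loaded through KAFKA_OPTS below).
      ZOOKEEPER_AUTH_PROVIDER_1: org.apache.zookeeper.server.auth.SASLAuthenticationProvider
      ZOOKEEPER_REQUIRE_CLIENT_AUTH_SCHEME: sasl
      ZOOKEEPER_JAAS_LOGIN_RENEW: "3600000"
      # TLS client port; the broker's KAFKA_ZOOKEEPER_CONNECT points here.
      ZOOKEEPER_SECURE_CLIENT_PORT: "12181"
      ZOOKEEPER_AUTH_PROVIDER_X509: org.apache.zookeeper.server.auth.X509AuthenticationProvider
      # Netty is the connection factory that supports TLS.
      ZOOKEEPER_SERVER_CNXN_FACTORY: org.apache.zookeeper.server.NettyServerCnxnFactory
      ZOOKEEPER_SSL_PROTOCOL: TLSv1.2
      # Store paths live in the mounted /etc/kafka/secrets; the file names must be
      # exactly what the TLS/SSL generation script writes to /var/ssl.
      ZOOKEEPER_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/truststore.jks
      # Store passwords are committed in clear text here; prefer ${VAR}
      # substitution from the environment or an .env file kept out of VCS.
      ZOOKEEPER_SSL_TRUSTSTORE_PASSWORD: password
      ZOOKEEPER_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/zookeeper.server1.keystore.jks
      ZOOKEEPER_SSL_KEYSTORE_PASSWORD: password
      # "none": no client certificate is requested, so the X509 provider above has
      # nothing to authenticate; client identity rests entirely on SASL.
      ZOOKEEPER_SSL_CLIENT_AUTH: none
      KAFKA_OPTS: "-Djava.security.auth.login.config=/etc/kafka/secrets/zookeeper_jaas.conf"
    ports:
      # Only the TLS port is published to the host.
      - "12181:12181"
    volumes:
      # Read-only: the container only reads keystores and credential files.
      - /var/ssl:/etc/kafka/secrets:ro

  kafka-1:
    # Pinned to the same release as zookeeper-1. ":latest" drifts independently
    # of the ZooKeeper version and makes the setup non-reproducible.
    image: confluentinc/cp-kafka:6.1.4
    depends_on:
      - zookeeper-1
    ports:
      - "29092:9092"
    volumes:
      - /var/ssl:/etc/kafka/secrets:ro
    environment:
      KAFKA_BROKER_ID: "1"
      # kafka-1 resolves only inside the compose network; a client on host port
      # 29092 would need a listener advertised with a host-resolvable name.
      KAFKA_ADVERTISED_LISTENERS: SASL_SSL://kafka-1:9092
      KAFKA_NUM_PARTITIONS: "4"
      # NOTE(review): only one broker is defined in this file; with a replication
      # factor of 2 the internal topics cannot be created until a second broker
      # joins. Use 1 for a single-broker setup, or add the second broker.
      KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: "2"
      KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR: "2"
      KAFKA_TRANSACTION_STATE_LOG_MIN_ISR: "2"
      KAFKA_AUTO_CREATE_TOPICS_ENABLE: "false"
      # Broker -> ZooKeeper over TLS on the secure client port; the Netty client
      # socket is what enables TLS on the ZooKeeper client side.
      KAFKA_ZOOKEEPER_CONNECT: "zookeeper-1:12181"
      KAFKA_ZOOKEEPER_CLIENT_CNXN_SOCKET: org.apache.zookeeper.ClientCnxnSocketNetty
      KAFKA_ZOOKEEPER_SSL_CLIENT_ENABLE: "true"
      KAFKA_ZOOKEEPER_SSL_PROTOCOL: TLSv1.2
      KAFKA_ZOOKEEPER_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/truststore.jks
      KAFKA_ZOOKEEPER_SSL_TRUSTSTORE_PASSWORD: password
      # "false": the broker authenticates to ZooKeeper via SASL but does not set
      # ACLs on the znodes it creates, so they remain open to any ZooKeeper client.
      KAFKA_ZOOKEEPER_SET_ACL: "false"
      # SASL/PLAIN over TLS for clients and between brokers; the logins come from
      # kafka_server_jaas.conf (KAFKA_OPTS below).
      KAFKA_SECURITY_INTER_BROKER_PROTOCOL: SASL_SSL
      KAFKA_SASL_MECHANISM_INTER_BROKER_PROTOCOL: PLAIN
      KAFKA_SASL_ENABLED_MECHANISMS: PLAIN
      # No client certificates are requested; clients are identified by SASL only.
      KAFKA_SSL_CLIENT_AUTH: none
      # File names are relative to /etc/kafka/secrets. The *_CREDENTIALS entries
      # name files in the same directory whose content is the store/key password.
      KAFKA_SSL_KEYSTORE_FILENAME: kafka.server1.keystore.jks
      KAFKA_SSL_KEYSTORE_CREDENTIALS: keystore_credentials
      KAFKA_SSL_KEY_CREDENTIALS: keystore_credentials
      KAFKA_SSL_TRUSTSTORE_FILENAME: truststore.jks
      KAFKA_SSL_TRUSTSTORE_CREDENTIALS: keystore_credentials
      KAFKA_SSL_ENABLED_PROTOCOLS: TLSv1.2
      KAFKA_OPTS: "-Djava.security.auth.login.config=/etc/kafka/secrets/kafka_server_jaas.conf"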

SSL/TLS

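#!/usr/bin/env bash
# Generates a private CA, the shared truststore, and one TLS keystore each for
# ZooKeeper and Kafka under $DIR, which docker-compose.yml mounts into the
# containers as /etc/kafka/secrets. Also writes the keystore_credentials file
# that the cp-kafka image reads the store/key password from.
#
# All files are written into $DIR (the original wrote them into the current
# directory, so only keystore_credentials ended up where the containers look).
set -euo pipefail

export DIR="${DIR:-/var/ssl}"
# One password for every store and key; override it in a real deployment.
export PASSWORD="${PASSWORD:-password}"
export DNS="${DNS:-localhost}"
# Instance number that appears in the output file names
# (zookeeper.server1.keystore.jks, kafka.server1.keystore.jks). It must match
# the *_KEYSTORE_LOCATION / *_KEYSTORE_FILENAME values in docker-compose.yml.
# It was previously never set, which produced "zookeeper.server.keystore.jks".
instance="${instance:-1}"

mkdir -p "$DIR"
cd "$DIR"

# SANs shared by both server certificates; the service names are the DNS
# names the containers see on the compose network.
echo "subjectAltName=DNS:$DNS,DNS:zookeeper-1,DNS:kafka-1" > openssl.cnf

# Self-signed CA (20 years), private key encrypted with $PASSWORD.
openssl req -x509 -new -sha256 -newkey rsa:2048 -keyout CA.key -days 7300 -out CA.crt -subj "/CN=$DNS" -passout "pass:$PASSWORD"
# Truststore contains only the CA; both services verify peers against it.
keytool -keystore truststore.jks -alias CA -importcert -file CA.crt -storepass "$PASSWORD" -noprompt

# gen_keystore NAME: issue a CA-signed server certificate for NAME and build
# NAME.keystore.jks holding the key, the certificate and the CA certificate.
gen_keystore() {
  local name="$1"
  openssl req -new -sha256 -newkey rsa:2048 -keyout "$name.key" -subj "/CN=$DNS" -out "$name.csr" -passout "pass:$PASSWORD"
  openssl x509 -req -extfile openssl.cnf -in "$name.csr" -CA CA.crt -CAkey CA.key -CAcreateserial -out "$name.crt" -days 7300 -sha256 -passin "pass:$PASSWORD"
  openssl pkcs12 -export -in "$name.crt" -inkey "$name.key" -out "$name.p12" -name "$name" -CAfile CA.crt -caname CA -passin "pass:$PASSWORD" -passout "pass:$PASSWORD"
  keytool -importkeystore -deststorepass "$PASSWORD" -destkeypass "$PASSWORD" -destkeystore "$name.keystore.jks" -srckeystore "$name.p12" -srcstoretype pkcs12 -srcstorepass "$PASSWORD" -alias "$name"
  keytool -keystore "$name.keystore.jks" -alias CA -importcert -file CA.crt -storepass "$PASSWORD" -noprompt
}

gen_keystore "zookeeper.server${instance}"
gen_keystore "kafka.server${instance}"

# The cp-kafka image reads the store/key password from this file. Write the
# same $PASSWORD used above (the original hard-coded the literal "password",
# which silently diverges as soon as PASSWORD is changed). No trailing newline.
printf '%s' "$PASSWORD" > keystore_credentials

# The directory now holds private keys and their passwords in clear text;
# restrict its permissions to the user the containers run as.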

kafka_server_jaas.conf

// Broker-side JAAS configuration, loaded through
// KAFKA_OPTS=-Djava.security.auth.login.config=/etc/kafka/secrets/kafka_server_jaas.conf.
// KafkaServer: SASL/PLAIN logins for the SASL_SSL listener and inter-broker traffic.
KafkaServer {
org.apache.kafka.common.security.plain.PlainLoginModule required
// Credentials this broker presents when it connects to other brokers.
username="kafka_broker_admin"
password="password"
// user_<name>="<password>" entries are the logins this broker accepts.
user_kafka_broker_admin="password"
// NOTE(review): this grants a *broker* login to "zookeeper"; it is not what the
// Client section below uses (that login is checked by ZooKeeper, not by Kafka).
// Confirm it is intended, otherwise drop it to keep the accepted logins minimal.
user_zookeeper="password";
};
// Client: credentials the broker uses when it authenticates to ZooKeeper over
// SASL; must match a user_<name> entry in zookeeper_jaas.conf.
Client {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="zookeeper"
password="password";
};

zookeeper_jaas.conf

// ZooKeeper-side JAAS configuration, loaded through KAFKA_OPTS on the
// zookeeper-1 service. Server: logins ZooKeeper accepts from SASL clients,
// as user_<name>="<password>". The broker's Client section logs in as
// "zookeeper", which matches the single entry below.
Server {
org.apache.zookeeper.server.auth.DigestLoginModule required
user_zookeeper="password";
};

命令

docker-compose up -d

错误

zookeeper-1_1 | [2022-01-17 12:30:34,845] INFO 绑定到端口 0.0.0.0/0.0.0.0:2181 (org.apache.zookeeper.server.NettyServerCnxnFactory)
zookeeper-1_1 | [2022-01-17 12:30:34,886] INFO 绑定到端口 2181 (org.apache.zookeeper.server.NettyServerCnxnFactory)
zookeeper_1_1|[2022-01-17 12:30:34893]INFO-zookeeper.snapshotSizeFactor=0.33(org.apache.zookeeper.server.ZKDatabase(
zookeeper-1_1|[2022-01-17 12:30:34894]信息快照:0x0到/var/lib/zookeeper/data/version-2/snapshot。0(org.apache.zookeeper.server.persistence.FileTxnSnapLog(
zookeeper-1_1|[2022-01-17 12:30:34895]信息快照:0x0到/var/lib/zookeeper/data/version-2/快照。0
(org.apache.zookeeper.server.persistence.FileTxnSnapLog(zookeeper-1_1|[2022-01-17 12:30:34901]INFO PrepRequestProcessor(sid:0(已启动,reconfigEnabled=false(org.apache.zookeeper.server.PrepRequestProcessor(
zookeeper-1_1|[2022-01-17 12:30:34903]INFO zookeepeper.client.portUnification=false(org.apache.zookeeper.server.NetyServerCnxnFactory(
zookeeper-1_1|[2022-01-17 12:30:34938]信息使用org.apache.zookeeper.server.NetyServer CnxnFactory作为服务器连接工厂(org.apache.zookeeper.server.ServerCnxnFactorycheckIntervalMs=60000 maxPerMinute=10000(org.apache.zookeeper.server.ContainerManager(
zookeeper-1_1 | [2022-01-17 12:30:38,480] INFO 正在创建新的日志文件:log.1 (org.apache.zookeeper.server.persistence.FileTxnLog)
zookeeper-1_1 | [2022-01-17 12:30:38,493] ERROR cnxn.saslServer为空:cnxn对象未正确初始化其saslServer。(org.apache.zookeeper.server.ZooKeeperServer)

我配置了什么或做错了什么?谢谢

在澄清了您的需求后,我发现有三件事需要解决:

  1. /etc/kafka/secrets/zookeeper.server1.keystore.jks应该是/etc/kafka/secrets/zookeeper.server.keystore.jks,因为TLS/SSL脚本会生成该名称
  2. ZooKeeper密钥库也是如此
  3. 启动时,它请求一个名为keystore_credentials的额外文件。只需在里面写入password(您的jks密码)

我仍然有一个问题,但似乎是你得到的错误:

io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: no cipher suites in common 

这似乎与您的SSL脚本更相关

最新更新