From 0250c686a45ff3e2e166c5fd689848d039d8d962 Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Wed, 15 Jan 2025 17:24:46 +0100 Subject: [PATCH 01/15] always use simpleAuth (temp approach) --- assembly/src/docker/entrypoint.sh | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/assembly/src/docker/entrypoint.sh b/assembly/src/docker/entrypoint.sh index ad6ce1cf715..685ee4c5dc7 100755 --- a/assembly/src/docker/entrypoint.sh +++ b/assembly/src/docker/entrypoint.sh @@ -19,16 +19,18 @@ ################################################################################ # Transport/connection security -if [ -n "${ACTIVEMQ_CONNECTION_USER}" ]; then +#if [ -n "${ACTIVEMQ_CONNECTION_USER}" ]; then if [ -f "${ACTIVEMQ_HOME}/conf/connection.security.enabled" ]; then echo "ActiveMQ Connection Security enabled" else echo "Enabling ActiveMQ Connection Security" - sed -i "s/activemq.username=system/activemq.username=${ACTIVEMQ_CONNECTION_USER}/" ${ACTIVEMQ_HOME}/conf/credentials.properties - sed -i "s/activemq.password=manager/activemq.password=${ACTIVEMQ_CONNECTION_PASSWORD}/" ${ACTIVEMQ_HOME}/conf/credentials.properties + #sed -i "s/activemq.username=system/activemq.username=${ACTIVEMQ_CONNECTION_USER}/" ${ACTIVEMQ_HOME}/conf/credentials.properties + #sed -i "s/activemq.password=manager/activemq.password=${ACTIVEMQ_CONNECTION_PASSWORD}/" ${ACTIVEMQ_HOME}/conf/credentials.properties + sed -i "s/activemq.username=system//" ${ACTIVEMQ_HOME}/conf/credentials.properties + sed -i "s/activemq.password=manager//" ${ACTIVEMQ_HOME}/conf/credentials.properties read -r -d '' REPLACE << END - + @@ -42,7 +44,7 @@ END sed -i "s/<\/broker>/$REPLACE/" ${ACTIVEMQ_HOME}/conf/activemq.xml touch "${ACTIVEMQ_HOME}/conf/connection.security.enabled" fi -fi +#fi # JMX security if [ -n "${ACTIVEMQ_JMX_USER}" ]; then From 87d4489bfb564f5275211b15e0f75c4378a68b24 Mon Sep 17 00:00:00 2001 
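Review bot: The guard is switched off by commenting it out (`#if [ -n "${ACTIVEMQ_CONNECTION_USER}" ]; then` … `#fi`) and the two superseded `sed` lines are kept as comments; since the subject calls this a temporary approach, I would delete those lines rather than leave dead code whose indentation no longer matches any block. In the two new `sed` calls the path is unquoted and the dots in `activemq.username=system` match any character; `sed -i 's/^activemq\.username=system$//' "${ACTIVEMQ_HOME}/conf/credentials.properties"` is tighter, and the same applies to the password line. The script continues outside the hunk.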
From: Alexandre Chapellon Date: Wed, 15 Jan 2025 17:25:26 +0100 Subject: [PATCH 02/15] move simpleAuth params to env vars --- assembly/src/docker/Dockerfile | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/assembly/src/docker/Dockerfile b/assembly/src/docker/Dockerfile index e5092d1a9aa..1dbd6e329e6 100644 --- a/assembly/src/docker/Dockerfile +++ b/assembly/src/docker/Dockerfile @@ -25,8 +25,12 @@ ENV ACTIVEMQ_CONF $ACTIVEMQ_HOME/conf ENV ACTIVEMQ_OPTS_MEMORY -Xms64M -Xmx1G ENV ACTIVEMQ_EXEC exec ENV PATH $PATH:$ACTIVEMQ_HOME/bin +ENV ACTIVEMQ_CONNECTION_ANONYMOUS true +ENV ACTIVEMQ_CONNECTION_USER system +ENV ACTIVEMQ_CONNECTION_PASSWORD manager + # Make the Web console accesible from outside the container -ENV ACTIVEMQ_OPTS $ACTIVEMQ_OPTS_MEMORY -Djava.util.logging.config.file=logging.properties -Djava.security.auth.login.config=$ACTIVEMQ_CONF/login.config -Djetty.host=0.0.0.0 +ENV ACTIVEMQ_OPTS $ACTIVEMQ_OPTS_MEMORY -Djava.util.logging.config.file=logging.properties -Djava.security.auth.login.config=$ACTIVEMQ_CONF/login.config -Djetty.host=0.0.0.0 -Dactivemq.username=$ACTIVEMQ_CONNECTION_USER -Dactivemq.password=$ACTIVEMQ_CONNECTION_PASSWORD -Dactivemq.anonymous.enabled=$ACTIVEMQ_CONNECTION_ANONYMOUS #WORKDIR $ACTIVEMQ_HOME # activemq_dist can point to a directory or a tarball on the local system From 80cf55945c5c01f02b26228644699ff29c36d9e0 Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Wed, 15 Jan 2025 17:38:57 +0100 Subject: [PATCH 03/15] remove anon auth properties as anonymousAccessAllowed do not lookup properties --- assembly/src/docker/Dockerfile | 3 +-- assembly/src/docker/entrypoint.sh | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/assembly/src/docker/Dockerfile b/assembly/src/docker/Dockerfile index 1dbd6e329e6..84912091b08 100644 --- a/assembly/src/docker/Dockerfile +++ b/assembly/src/docker/Dockerfile 
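Review bot: The `$ACTIVEMQ_CONNECTION_USER` and `$ACTIVEMQ_CONNECTION_PASSWORD` references on the new `ENV ACTIVEMQ_OPTS` line are substituted when the image is built, so the stored value carries the literal `-Dactivemq.password=manager` and a password passed at `docker run` never reaches that option. The defaults `system`/`manager` are the values the stock credentials.properties ships with (see the `sed` patterns in PATCH 01/15), and as `ENV` entries and `-D` arguments they are readable through `docker inspect` and in the JVM's process listing. I would drop the `ENV ACTIVEMQ_CONNECTION_PASSWORD manager` default and have entrypoint.sh refuse to start without it, e.g. `: "${ACTIVEMQ_CONNECTION_PASSWORD:?must be set}"`, appending the `-D` flags there. The same default pair returns in the `ENV` hunks of PATCH 04/15 and 05/15.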
@@ -25,12 +25,11 @@ ENV ACTIVEMQ_CONF $ACTIVEMQ_HOME/conf ENV ACTIVEMQ_OPTS_MEMORY -Xms64M -Xmx1G ENV ACTIVEMQ_EXEC exec ENV PATH $PATH:$ACTIVEMQ_HOME/bin -ENV ACTIVEMQ_CONNECTION_ANONYMOUS true ENV ACTIVEMQ_CONNECTION_USER system ENV ACTIVEMQ_CONNECTION_PASSWORD manager # Make the Web console accesible from outside the container -ENV ACTIVEMQ_OPTS $ACTIVEMQ_OPTS_MEMORY -Djava.util.logging.config.file=logging.properties -Djava.security.auth.login.config=$ACTIVEMQ_CONF/login.config -Djetty.host=0.0.0.0 -Dactivemq.username=$ACTIVEMQ_CONNECTION_USER -Dactivemq.password=$ACTIVEMQ_CONNECTION_PASSWORD -Dactivemq.anonymous.enabled=$ACTIVEMQ_CONNECTION_ANONYMOUS +ENV ACTIVEMQ_OPTS $ACTIVEMQ_OPTS_MEMORY -Djava.util.logging.config.file=logging.properties -Djava.security.auth.login.config=$ACTIVEMQ_CONF/login.config -Djetty.host=0.0.0.0 -Dactivemq.username=$ACTIVEMQ_CONNECTION_USER -Dactivemq.password=$ACTIVEMQ_CONNECTION_PASSWORD #WORKDIR $ACTIVEMQ_HOME # activemq_dist can point to a directory or a tarball on the local system diff --git a/assembly/src/docker/entrypoint.sh b/assembly/src/docker/entrypoint.sh index 685ee4c5dc7..2773f63ef8a 100755 --- a/assembly/src/docker/entrypoint.sh +++ b/assembly/src/docker/entrypoint.sh @@ -30,7 +30,7 @@ sed -i "s/activemq.password=manager//" ${ACTIVEMQ_HOME}/conf/credentials.properties read -r -d '' REPLACE << END - + From 723eb16df8acd3ab071521d8bc3b8da472b3a20c Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Thu, 16 Jan 2025 10:27:55 +0100 Subject: [PATCH 04/15] move SimpleAuth plugin config to multistage build --- assembly/src/docker/Dockerfile | 41 ++++++++++++++++++++++--------- assembly/src/docker/entrypoint.sh | 28 --------------------- 2 files changed, 29 insertions(+), 40 deletions(-) diff --git a/assembly/src/docker/Dockerfile b/assembly/src/docker/Dockerfile index 84912091b08..a48cbcac5d3 100644 --- a/assembly/src/docker/Dockerfile +++ b/assembly/src/docker/Dockerfile 
@@ -15,6 +15,30 @@ # See the License for the specific language governing permissions and # limitations under the License. ################################################################################ +FROM debian:bookworm-slim AS amq_tpl +ENV DEBIAN_FRONTEND=noninteractive +# activemq_dist can point to a directory or a tarball on the local system +ARG activemq_dist=NOT_SET +# deploy ActiveMQ distribution +ADD $activemq_dist / +RUN mv /apache-activemq-* /apache-activemq +WORKDIR /apache-activemq +RUN apt-get update && apt-get install xmlstarlet -y +RUN xmlstarlet ed -L \ + -N d='http://www.springframework.org/schema/beans' \ + -N a='http://activemq.apache.org/schema/core' \ + -d '//comment()' \ + -d '/d:beans/d:bean[@class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"]/d:property[@name="locations"]' \ + -s '/d:beans/a:broker' -t elem -n plugins \ + -s '/d:beans/a:broker/plugins' -t elem -n simpleAuthenticationPlugin \ + -s '/d:beans/a:broker/plugins/simpleAuthenticationPlugin' -t elem -n users \ + -a '/d:beans/a:broker/plugins/simpleAuthenticationPlugin' -t attr -name anonymousAccessAllowed -v true \ + -s '/d:beans/a:broker/plugins/simpleAuthenticationPlugin/users' -t elem -n authenticationUser \ + -a '/d:beans/a:broker/plugins/simpleAuthenticationPlugin/users/authenticationUser' -t attr -n username -v '${activemq.username}' \ + -a '/d:beans/a:broker/plugins/simpleAuthenticationPlugin/users/authenticationUser' -t attr -name password -v '${activemq.password}' \ + -a '/d:beans/a:broker/plugins/simpleAuthenticationPlugin/users/authenticationUser' -t attr -name groups -v '${activemq.groups}' \ + conf/activemq.xml +RUN rm conf/credentials.properties && touch conf/credentials.properties FROM eclipse-temurin:17-jre 
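Review bot: Anonymous access is switched on unconditionally by the `-name anonymousAccessAllowed -v true` edit, so a client that presents no credentials is still accepted as the anonymous user whatever `activemq.username` and `activemq.password` are set to. No authorization policy restricting that user is added in this hunk, so unless one exists elsewhere in activemq.xml the configured user and password do not protect the transport connectors. I would write `-v false` on that line, or take the value from a build `ARG` that defaults to `false`. Separately, `apt-get install xmlstarlet -y` would normally carry `--no-install-recommends` and share a layer with a `rm -rf /var/lib/apt/lists/*`.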
@@ -25,23 +49,16 @@ ENV ACTIVEMQ_CONF $ACTIVEMQ_HOME/conf ENV ACTIVEMQ_OPTS_MEMORY -Xms64M -Xmx1G ENV ACTIVEMQ_EXEC exec ENV PATH $PATH:$ACTIVEMQ_HOME/bin -ENV ACTIVEMQ_CONNECTION_USER system -ENV ACTIVEMQ_CONNECTION_PASSWORD manager +ENV ACTIVEMQ_CONNECTION_USER=system +ENV ACTIVEMQ_CONNECTION_GROUPS=users +ENV ACTIVEMQ_CONNECTION_PASSWORD=manager # Make the Web console accesible from outside the container -ENV ACTIVEMQ_OPTS $ACTIVEMQ_OPTS_MEMORY -Djava.util.logging.config.file=logging.properties -Djava.security.auth.login.config=$ACTIVEMQ_CONF/login.config -Djetty.host=0.0.0.0 -Dactivemq.username=$ACTIVEMQ_CONNECTION_USER -Dactivemq.password=$ACTIVEMQ_CONNECTION_PASSWORD +ENV ACTIVEMQ_OPTS='$ACTIVEMQ_OPTS_MEMORY -Djava.util.logging.config.file=logging.properties -Djava.security.auth.login.config=$ACTIVEMQ_CONF/login.config -Djetty.host=0.0.0.0 -Dactivemq.username=$ACTIVEMQ_CONNECTION_USER -Dactivemq.groups=$ACTIVEMQ_CONNECTION_GROUPS -Dactivemq.password=$ACTIVEMQ_CONNECTION_PASSWORD' #WORKDIR $ACTIVEMQ_HOME -# activemq_dist can point to a directory or a tarball on the local system -ARG activemq_dist=NOT_SET - COPY entrypoint.sh /usr/local/bin/entrypoint.sh - -# Install build dependencies and activemq -ADD $activemq_dist $ACTIVEMQ_INSTALL_PATH -RUN set -x && \ - cp -r $ACTIVEMQ_INSTALL_PATH/apache-activemq-* $ACTIVEMQ_HOME && \ - rm -r $ACTIVEMQ_INSTALL_PATH/apache-activemq-* +COPY --from=amq_tpl /apache-activemq $ACTIVEMQ_INSTALL_PATH/apache-activemq EXPOSE 8161 61616 5672 61613 1883 61614 1099 ENTRYPOINT ["/usr/local/bin/entrypoint.sh"] diff --git a/assembly/src/docker/entrypoint.sh b/assembly/src/docker/entrypoint.sh index 2773f63ef8a..efd2cf89d0b 100755 --- a/assembly/src/docker/entrypoint.sh +++ b/assembly/src/docker/entrypoint.sh 
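Review bot: Nothing on the new `ENV ACTIVEMQ_OPTS='…'` line says that the single quotes are deliberate: they stop the Dockerfile from expanding `$ACTIVEMQ_CONNECTION_PASSWORD` and the other variables at build time, so the literal text is stored and has to be expanded by whatever launches the JVM. I would add a comment above it such as `# Single-quoted on purpose: the variables are resolved at container start, not at build time`. If that later expansion goes through a shell (not visible in this hunk), a password containing spaces or shell metacharacters will be split or interpreted, so the accepted character set should be documented or checked in entrypoint.sh. The stage starts outside the hunk.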
@@ -18,34 +18,6 @@ # limitations under the License. ################################################################################ -# Transport/connection security -#if [ -n "${ACTIVEMQ_CONNECTION_USER}" ]; then - if [ -f "${ACTIVEMQ_HOME}/conf/connection.security.enabled" ]; then - echo "ActiveMQ Connection Security enabled" - else - echo "Enabling ActiveMQ Connection Security" - #sed -i "s/activemq.username=system/activemq.username=${ACTIVEMQ_CONNECTION_USER}/" ${ACTIVEMQ_HOME}/conf/credentials.properties - #sed -i "s/activemq.password=manager/activemq.password=${ACTIVEMQ_CONNECTION_PASSWORD}/" ${ACTIVEMQ_HOME}/conf/credentials.properties - sed -i "s/activemq.username=system//" ${ACTIVEMQ_HOME}/conf/credentials.properties - sed -i "s/activemq.password=manager//" ${ACTIVEMQ_HOME}/conf/credentials.properties - read -r -d '' REPLACE << END - - - - - - - - -END - REPLACE=${REPLACE//$\\/$} - REPLACE=${REPLACE//\//\\\/} - REPLACE=$(echo $REPLACE | tr '\n' ' ') - sed -i "s/<\/broker>/$REPLACE/" ${ACTIVEMQ_HOME}/conf/activemq.xml - touch "${ACTIVEMQ_HOME}/conf/connection.security.enabled" - fi -#fi - # JMX security if [ -n "${ACTIVEMQ_JMX_USER}" ]; then if [ -f "${ACTIVEMQ_HOME}/conf/jmx.security.enabled" ]; then From cdc6bd0d7e97fd737319d92382fe0444c0edd578 Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Thu, 16 Jan 2025 18:39:37 +0100 Subject: [PATCH 05/15] toggle jmx context from env var --- assembly/src/docker/Dockerfile | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/assembly/src/docker/Dockerfile b/assembly/src/docker/Dockerfile index a48cbcac5d3..a7d5a0f793c 100644 --- a/assembly/src/docker/Dockerfile +++ b/assembly/src/docker/Dockerfile 
@@ -38,6 +38,11 @@ RUN xmlstarlet ed -L \ -a '/d:beans/a:broker/plugins/simpleAuthenticationPlugin/users/authenticationUser' -t attr -name password -v '${activemq.password}' \ -a '/d:beans/a:broker/plugins/simpleAuthenticationPlugin/users/authenticationUser' -t attr -name groups -v '${activemq.groups}' \ conf/activemq.xml +RUN xmlstarlet ed -L \ + -N d='http://www.springframework.org/schema/beans' \ + -N a='http://activemq.apache.org/schema/core' \ + -u '/d:beans/a:broker/a:managementContext/a:managementContext/@createConnector' -v '${activemq.jmx.enabled}' \ + conf/activemq.xml RUN rm conf/credentials.properties && touch conf/credentials.properties FROM eclipse-temurin:17-jre @@ -52,9 +57,10 @@ ENV PATH $PATH:$ACTIVEMQ_HOME/bin ENV ACTIVEMQ_CONNECTION_USER=system ENV ACTIVEMQ_CONNECTION_GROUPS=users ENV ACTIVEMQ_CONNECTION_PASSWORD=manager +ENV ACTIVEMQ_JMX_ENABLED=false # Make the Web console accesible from outside the container -ENV ACTIVEMQ_OPTS='$ACTIVEMQ_OPTS_MEMORY -Djava.util.logging.config.file=logging.properties -Djava.security.auth.login.config=$ACTIVEMQ_CONF/login.config -Djetty.host=0.0.0.0 -Dactivemq.username=$ACTIVEMQ_CONNECTION_USER -Dactivemq.groups=$ACTIVEMQ_CONNECTION_GROUPS -Dactivemq.password=$ACTIVEMQ_CONNECTION_PASSWORD' +ENV ACTIVEMQ_OPTS='$ACTIVEMQ_OPTS_MEMORY -Djava.util.logging.config.file=logging.properties -Djava.security.auth.login.config=$ACTIVEMQ_CONF/login.config -Djetty.host=0.0.0.0 -Dactivemq.username=$ACTIVEMQ_CONNECTION_USER -Dactivemq.groups=$ACTIVEMQ_CONNECTION_GROUPS -Dactivemq.password=$ACTIVEMQ_CONNECTION_PASSWORD -Dactivemq.jmx.enabled=$ACTIVEMQ_JMX_ENABLED' #WORKDIR $ACTIVEMQ_HOME COPY entrypoint.sh /usr/local/bin/entrypoint.sh From 9a3345dc2fd8cd59f10f24c9e9a7cfb739b1fdd0 Mon Sep 17 00:00:00 2001 
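Review bot: `ENV ACTIVEMQ_JMX_ENABLED=false` carries no comment saying what turning it on exposes: the value feeds `createConnector` through `${activemq.jmx.enabled}`, the README row added in PATCH 15/15 describes the connector as being without authentication, and port 1099 is in the image's `EXPOSE` list. I would put a comment above the line such as `# true creates a JMX connector with no authentication; publish port 1099 only on a trusted network`. The stage this line belongs to starts and ends outside the hunk.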
From: Alexandre Chapellon Date: Thu, 16 Jan 2025 20:48:14 +0100 Subject: [PATCH 06/15] set jmx auth at guild time (to avoid the need to write to container fs) --- assembly/src/docker/Dockerfile | 8 ++++++++ assembly/src/docker/entrypoint.sh | 27 +++++---------------------- 2 files changed, 13 insertions(+), 22 deletions(-) diff --git a/assembly/src/docker/Dockerfile b/assembly/src/docker/Dockerfile index a7d5a0f793c..1e29715f53f 100644 --- a/assembly/src/docker/Dockerfile +++ b/assembly/src/docker/Dockerfile @@ -17,8 +17,11 @@ ################################################################################ FROM debian:bookworm-slim AS amq_tpl ENV DEBIAN_FRONTEND=noninteractive +ARG JMX_USER +ARG JMX_PASSWORD # activemq_dist can point to a directory or a tarball on the local system ARG activemq_dist=NOT_SET + # deploy ActiveMQ distribution ADD $activemq_dist / RUN mv /apache-activemq-* /apache-activemq @@ -43,6 +46,10 @@ RUN xmlstarlet ed -L \ -N a='http://activemq.apache.org/schema/core' \ -u '/d:beans/a:broker/a:managementContext/a:managementContext/@createConnector' -v '${activemq.jmx.enabled}' \ conf/activemq.xml +RUN if [ -n $JMX_USER ]; then \ + sed -i "s/admin/${JMX_USER}/" conf/jmx.access && \ + sed -i "s/admin activemq/${JMX_USER} ${JMX_PASSWORD}/" conf/jmx.password; \ + fi RUN rm conf/credentials.properties && touch conf/credentials.properties FROM eclipse-temurin:17-jre 
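Review bot: `ARG JMX_PASSWORD` bakes a credential into the image: the `sed` in the next hunk writes it to conf/jmx.password, and the `COPY --from=amq_tpl` in the final stage carries that file along, so everyone who can pull the image can read it. If the aim is only to avoid writing to the container filesystem at start, mounting jmx.access and jmx.password read-only at run time achieves that without a build argument. If build-time provisioning has to stay, pass the value with `RUN --mount=type=secret,id=jmx_password` and read it from `/run/secrets/jmx_password`, which keeps it out of the build arguments and logs.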
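Review bot: `[ -n $JMX_USER ]` is true when `JMX_USER` is empty, because the unquoted expansion disappears and `test` sees `-n` as a lone non-empty string; the two `sed` calls then run with empty replacements and strip `admin` from conf/jmx.access. Quote the operand: `RUN if [ -n "$JMX_USER" ]; then \`. The entrypoint.sh hunk of this patch has the same unquoted test (`[ -n $ACTIVEMQ_JMX_USER ]`), which there sets the authentication flags unconditionally. The values also go into the `sed` replacement unescaped, so a `/` or `&` in the password changes the expression.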
@@ -58,6 +65,7 @@ ENV ACTIVEMQ_CONNECTION_USER=system ENV ACTIVEMQ_CONNECTION_GROUPS=users ENV ACTIVEMQ_CONNECTION_PASSWORD=manager ENV ACTIVEMQ_JMX_ENABLED=false +ENV JMX_USER=$JMX_USER # Make the Web console accesible from outside the container ENV ACTIVEMQ_OPTS='$ACTIVEMQ_OPTS_MEMORY -Djava.util.logging.config.file=logging.properties -Djava.security.auth.login.config=$ACTIVEMQ_CONF/login.config -Djetty.host=0.0.0.0 -Dactivemq.username=$ACTIVEMQ_CONNECTION_USER -Dactivemq.groups=$ACTIVEMQ_CONNECTION_GROUPS -Dactivemq.password=$ACTIVEMQ_CONNECTION_PASSWORD -Dactivemq.jmx.enabled=$ACTIVEMQ_JMX_ENABLED' diff --git a/assembly/src/docker/entrypoint.sh b/assembly/src/docker/entrypoint.sh index efd2cf89d0b..3ebaa8e6f2e 100755 --- a/assembly/src/docker/entrypoint.sh +++ b/assembly/src/docker/entrypoint.sh 
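Review bot: `ENV JMX_USER=$JMX_USER` expands to an empty string here, because `ARG JMX_USER` is declared inside the `amq_tpl` stage in the first hunk of this patch and no `ARG JMX_USER` is visible in this stage (its start is outside the hunk). A build argument has to be redeclared in every stage that reads it, so add `ARG JMX_USER` above the `ENV` line. entrypoint.sh in this patch tests `$ACTIVEMQ_JMX_USER`, not `$JMX_USER`, so the variable also has no visible consumer yet.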
@@ -19,29 +19,12 @@ ################################################################################ # JMX security -if [ -n "${ACTIVEMQ_JMX_USER}" ]; then - if [ -f "${ACTIVEMQ_HOME}/conf/jmx.security.enabled" ]; then - echo "JMX Security already enabled" - else - echo "Enabling ActiveMQ JMX security" - read -r -d '' REPLACE << END - - - - -END - REPLACE=${REPLACE//\//\\\/} - REPLACE=${REPLACE//$\\/$} - REPLACE=$(echo $REPLACE | tr '\n' ' ') - sed -i "s/<\/broker>/$REPLACE/" ${ACTIVEMQ_HOME}/conf/activemq.xml - sed -i "s/admin/${ACTIVEMQ_JMX_USER}/" ${ACTIVEMQ_HOME}/conf/jmx.access - sed -i "s/admin/${ACTIVEMQ_JMX_USER}/" ${ACTIVEMQ_HOME}/conf/jmx.password - if [ -n "${ACTIVEMQ_JMX_PASSWORD}" ]; then - sed -i "s/\ activemq/\ ${ACTIVEMQ_JMX_PASSWORD}/" ${ACTIVEMQ_HOME}/conf/jmx.password - fi - touch "${ACTIVEMQ_HOME}/conf/jmx.security.enabled" - fi +if [ -n $ACTIVEMQ_JMX_USER ]; then + ACTIVEMQ_SUNJMX_START="-Dcom.sun.management.jmxremote.authenticate=true" + ACTIVEMQ_SUNJMX_START="$ACTIVEMQ_SUNJMX_START -Dcom.sun.management.jmxremote.password.file=${ACTIVEMQ_HOME}/conf/jmxremote.password" + ACTIVEMQ_SUNJMX_START="$ACTIVEMQ_SUNJMX_START -Dcom.sun.management.jmxremote.access.file=${ACTIVEMQ_HOME}/conf/jmxremote.access" fi +export ACTIVEMQ_SUNJMX_START # WebConsole security if [ -n "${ACTIVEMQ_WEB_USER}" ]; then From e1a5b7982d1be701432b30b533b687929c00bd11 Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Fri, 17 Jan 2025 10:47:49 +0100 Subject: [PATCH 07/15] run as non root user --- assembly/src/docker/Dockerfile | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/assembly/src/docker/Dockerfile b/assembly/src/docker/Dockerfile index 1e29715f53f..da2ab9805bb 100644 --- a/assembly/src/docker/Dockerfile +++ b/assembly/src/docker/Dockerfile 
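Review bot: The new flags point the JVM at `conf/jmxremote.password` and `conf/jmxremote.access`, while the Dockerfile hunk of this patch edits `conf/jmx.password` and `conf/jmx.access`, so the files that were prepared are not the ones being referenced. The names should agree, e.g. `-Dcom.sun.management.jmxremote.password.file=${ACTIVEMQ_HOME}/conf/jmx.password` and the matching `jmx.access` line. The block also drops the `ACTIVEMQ_JMX_PASSWORD` handling that the README still documents, so setting that variable at run time no longer changes any credential. The script continues outside the hunk.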
@@ -15,14 +15,15 @@ # See the License for the specific language governing permissions and # limitations under the License. ################################################################################ -FROM debian:bookworm-slim AS amq_tpl -ENV DEBIAN_FRONTEND=noninteractive ARG JMX_USER ARG JMX_PASSWORD + +FROM debian:bookworm-slim AS amq_tpl +ENV DEBIAN_FRONTEND=noninteractive # activemq_dist can point to a directory or a tarball on the local system ARG activemq_dist=NOT_SET -# deploy ActiveMQ distribution +# Prepare ActiveMQ distribution ADD $activemq_dist / RUN mv /apache-activemq-* /apache-activemq WORKDIR /apache-activemq @@ -50,10 +51,15 @@ RUN if [ -n $JMX_USER ]; then \ sed -i "s/admin/${JMX_USER}/" conf/jmx.access && \ sed -i "s/admin activemq/${JMX_USER} ${JMX_PASSWORD}/" conf/jmx.password; \ fi -RUN rm conf/credentials.properties && touch conf/credentials.properties +RUN rm conf/credentials.properties && touch conf/credentials.properties && \ + mkdir tmp && \ + chmod -R g+w data tmp FROM eclipse-temurin:17-jre +ARG ACTIVEMQ_USERNAME=activemq +ARG ACTIVEMQ_GROUPNAME=activemq + # ActiveMQ environment variables ENV ACTIVEMQ_INSTALL_PATH /opt ENV ACTIVEMQ_HOME $ACTIVEMQ_INSTALL_PATH/apache-activemq 
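Review bot: Moving `ARG JMX_USER` and `ARG JMX_PASSWORD` above the first `FROM` puts them in the global scope, where they are visible only to `FROM` lines; inside `amq_tpl` both `$JMX_USER` and `$JMX_PASSWORD` are now empty unless redeclared. Together with the unquoted `[ -n $JMX_USER ]` test shown as context in the next hunk, the `sed` calls on conf/jmx.access and conf/jmx.password run with empty values. Keep the two `ARG` lines after `FROM debian:bookworm-slim AS amq_tpl`, or repeat `ARG JMX_USER` and `ARG JMX_PASSWORD` inside the stage.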
@@ -71,9 +77,13 @@ ENV JMX_USER=$JMX_USER ENV ACTIVEMQ_OPTS='$ACTIVEMQ_OPTS_MEMORY -Djava.util.logging.config.file=logging.properties -Djava.security.auth.login.config=$ACTIVEMQ_CONF/login.config -Djetty.host=0.0.0.0 -Dactivemq.username=$ACTIVEMQ_CONNECTION_USER -Dactivemq.groups=$ACTIVEMQ_CONNECTION_GROUPS -Dactivemq.password=$ACTIVEMQ_CONNECTION_PASSWORD -Dactivemq.jmx.enabled=$ACTIVEMQ_JMX_ENABLED' #WORKDIR $ACTIVEMQ_HOME +RUN groupadd --system ${ACTIVEMQ_GROUPNAME} && \ + useradd -l --system -g ${ACTIVEMQ_GROUPNAME} -d ${ACTIVEMQ_HOME} -s /bin/false ${ACTIVEMQ_USERNAME} + COPY entrypoint.sh /usr/local/bin/entrypoint.sh -COPY --from=amq_tpl /apache-activemq $ACTIVEMQ_INSTALL_PATH/apache-activemq +COPY --from=amq_tpl --chown=:${ACTIVEMQ_GROUPNAME} /apache-activemq $ACTIVEMQ_INSTALL_PATH/apache-activemq +USER ${ACTIVEMQ_USERNAME} EXPOSE 8161 61616 5672 61613 1883 61614 1099 ENTRYPOINT ["/usr/local/bin/entrypoint.sh"] CMD ["activemq", "console"] From ca6954dd3521ce43e001dee76f433c3c5c3b54d5 Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Fri, 17 Jan 2025 10:51:03 +0100 Subject: [PATCH 08/15] make linter happy --- assembly/src/docker/Dockerfile | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/assembly/src/docker/Dockerfile b/assembly/src/docker/Dockerfile index da2ab9805bb..43b3dea34da 100644 --- a/assembly/src/docker/Dockerfile +++ b/assembly/src/docker/Dockerfile 
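Review bot: `useradd --system` without `--uid` lets the base image pick the UID, and `USER ${ACTIVEMQ_USERNAME}` is a name, so a runtime that enforces non-root by numeric id (Kubernetes `runAsNonRoot`) cannot verify it and the owner of mounted volumes can differ between rebuilds. Pin the ids and use them in `USER`, for example `groupadd --system --gid 10001 ${ACTIVEMQ_GROUPNAME}`, `useradd -l --system --uid 10001 -g ${ACTIVEMQ_GROUPNAME} …` and `USER 10001:10001` (10001 is an illustrative value). The stage starts outside the hunk.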
@@ -61,12 +61,12 @@ ARG ACTIVEMQ_USERNAME=activemq ARG ACTIVEMQ_GROUPNAME=activemq # ActiveMQ environment variables -ENV ACTIVEMQ_INSTALL_PATH /opt -ENV ACTIVEMQ_HOME $ACTIVEMQ_INSTALL_PATH/apache-activemq -ENV ACTIVEMQ_CONF $ACTIVEMQ_HOME/conf -ENV ACTIVEMQ_OPTS_MEMORY -Xms64M -Xmx1G -ENV ACTIVEMQ_EXEC exec -ENV PATH $PATH:$ACTIVEMQ_HOME/bin +ENV ACTIVEMQ_INSTALL_PATH=/opt +ENV ACTIVEMQ_HOME=$ACTIVEMQ_INSTALL_PATH/apache-activemq +ENV ACTIVEMQ_CONF=$ACTIVEMQ_HOME/conf +ENV ACTIVEMQ_OPTS_MEMORY="-Xms64M -Xmx1G" +ENV ACTIVEMQ_EXEC=exec +ENV PATH=$PATH:$ACTIVEMQ_HOME/bin ENV ACTIVEMQ_CONNECTION_USER=system ENV ACTIVEMQ_CONNECTION_GROUPS=users ENV ACTIVEMQ_CONNECTION_PASSWORD=manager From ee2c9b6e8d28f5ee812e489ca06ca5a267a7ca7f Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Fri, 17 Jan 2025 13:40:08 +0100 Subject: [PATCH 09/15] reintroduce runtime jmx auth config --- assembly/src/docker/Dockerfile | 13 +++++++------ assembly/src/docker/entrypoint.sh | 24 +++++++++++++++++++----- 2 files changed, 26 insertions(+), 11 deletions(-) diff --git a/assembly/src/docker/Dockerfile b/assembly/src/docker/Dockerfile index 43b3dea34da..0ca2b14d04f 100644 --- a/assembly/src/docker/Dockerfile +++ b/assembly/src/docker/Dockerfile @@ -15,16 +15,17 @@ # See the License for the specific language governing permissions and # limitations under the License. ################################################################################ +FROM debian:bookworm-slim AS amq_tpl +# activemq_dist can point to a directory or a tarball on the local system +ARG activemq_dist=NOT_SET ARG JMX_USER ARG JMX_PASSWORD -FROM debian:bookworm-slim AS amq_tpl ENV DEBIAN_FRONTEND=noninteractive -# activemq_dist can point to a directory or a tarball on the local system -ARG activemq_dist=NOT_SET # Prepare ActiveMQ distribution ADD $activemq_dist / + RUN mv /apache-activemq-* /apache-activemq WORKDIR /apache-activemq RUN apt-get update && apt-get install xmlstarlet -y 
@@ -47,16 +48,16 @@ RUN xmlstarlet ed -L \ -N a='http://activemq.apache.org/schema/core' \ -u '/d:beans/a:broker/a:managementContext/a:managementContext/@createConnector' -v '${activemq.jmx.enabled}' \ conf/activemq.xml -RUN if [ -n $JMX_USER ]; then \ +RUN if [ -n "$JMX_USER" ]; then \ sed -i "s/admin/${JMX_USER}/" conf/jmx.access && \ sed -i "s/admin activemq/${JMX_USER} ${JMX_PASSWORD}/" conf/jmx.password; \ fi RUN rm conf/credentials.properties && touch conf/credentials.properties && \ mkdir tmp && \ - chmod -R g+w data tmp + chmod -R g+w conf data tmp FROM eclipse-temurin:17-jre - +ARG JMX_USER ARG ACTIVEMQ_USERNAME=activemq ARG ACTIVEMQ_GROUPNAME=activemq diff --git a/assembly/src/docker/entrypoint.sh b/assembly/src/docker/entrypoint.sh index 3ebaa8e6f2e..5d1db5c4c63 100755 --- a/assembly/src/docker/entrypoint.sh +++ b/assembly/src/docker/entrypoint.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/bash -x ################################################################################ # Licensed to the Apache Software Foundation (ASF) under one 
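Review bot: `#!/bin/bash -x` traces every command with its variables expanded, so the `sed` lines further down the script print `ACTIVEMQ_JMX_PASSWORD` and `ACTIVEMQ_WEB_PASSWORD` to the container's stderr, where they end up in `docker logs` and any log collector. Keep the shebang as `#!/bin/bash` and enable tracing only behind an explicit opt-in, e.g. `[ -n "${ENTRYPOINT_DEBUG:-}" ] && set -x` (the variable name is a suggestion). The script body is outside this hunk.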
@@ -19,12 +19,26 @@ ################################################################################ # JMX security -if [ -n $ACTIVEMQ_JMX_USER ]; then +if [ -n "$JMX_USER" -o -n"$ACTIVEMQ_JMX_USER" ]; then ACTIVEMQ_SUNJMX_START="-Dcom.sun.management.jmxremote.authenticate=true" - ACTIVEMQ_SUNJMX_START="$ACTIVEMQ_SUNJMX_START -Dcom.sun.management.jmxremote.password.file=${ACTIVEMQ_HOME}/conf/jmxremote.password" - ACTIVEMQ_SUNJMX_START="$ACTIVEMQ_SUNJMX_START -Dcom.sun.management.jmxremote.access.file=${ACTIVEMQ_HOME}/conf/jmxremote.access" + ACTIVEMQ_SUNJMX_START="$ACTIVEMQ_SUNJMX_START -Dcom.sun.management.jmxremote.password.file=${ACTIVEMQ_HOME}/conf/jmx.password" + ACTIVEMQ_SUNJMX_START="$ACTIVEMQ_SUNJMX_START -Dcom.sun.management.jmxremote.access.file=${ACTIVEMQ_HOME}/conf/jmx.access" + export ACTIVEMQ_SUNJMX_START +fi + +if [ -n "${ACTIVEMQ_JMX_USER}" ]; then + if [ -f "${ACTIVEMQ_HOME}/conf/jmx.security.enabled" ]; then + echo "JMX Security already enabled" + else + echo "Enabling ActiveMQ JMX security" + sed -i "s/admin/${ACTIVEMQ_JMX_USER}/" ${ACTIVEMQ_HOME}/conf/jmx.access + sed -i "s/admin/${ACTIVEMQ_JMX_USER}/" ${ACTIVEMQ_HOME}/conf/jmx.password + if [ -n "${ACTIVEMQ_JMX_PASSWORD}" ]; then + sed -i "s/\ activemq/\ ${ACTIVEMQ_JMX_PASSWORD}/" ${ACTIVEMQ_HOME}/conf/jmx.password + fi + touch "${ACTIVEMQ_HOME}/conf/jmx.security.enabled" + fi fi -export ACTIVEMQ_SUNJMX_START # WebConsole security if [ -n "${ACTIVEMQ_WEB_USER}" ]; then From 3fb641f71dcd173c64a87eb9aeee8dfa90146d71 Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Fri, 17 Jan 2025 14:06:57 +0100 Subject: [PATCH 10/15] allow buiding image that do not write logs to container fs --- assembly/src/docker/Dockerfile | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/assembly/src/docker/Dockerfile b/assembly/src/docker/Dockerfile index 0ca2b14d04f..bf05f60722e 100644 --- a/assembly/src/docker/Dockerfile +++ b/assembly/src/docker/Dockerfile 
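Review bot: The test `[ -n "$JMX_USER" -o -n"$ACTIVEMQ_JMX_USER" ]` is always true: without a space after the second `-n`, an empty `ACTIVEMQ_JMX_USER` leaves the bare word `-n`, which `test` treats as a non-empty string. JMX authentication flags are therefore exported even when neither variable is set. Write it as `if [ -n "$JMX_USER" ] || [ -n "$ACTIVEMQ_JMX_USER" ]; then`, which also avoids the obsolescent `-o`. In the block below, `ACTIVEMQ_JMX_USER` and `ACTIVEMQ_JMX_PASSWORD` go into the `sed` replacement unescaped and the file paths are unquoted, so a `/` or `&` in a value breaks or alters the substitution.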
@@ -20,6 +20,7 @@ FROM debian:bookworm-slim AS amq_tpl ARG activemq_dist=NOT_SET ARG JMX_USER ARG JMX_PASSWORD +ARG LOG_TO_FS=true ENV DEBIAN_FRONTEND=noninteractive @@ -52,6 +53,9 @@ RUN if [ -n "$JMX_USER" ]; then \ sed -i "s/admin/${JMX_USER}/" conf/jmx.access && \ sed -i "s/admin activemq/${JMX_USER} ${JMX_PASSWORD}/" conf/jmx.password; \ fi +RUN if [ "$LOG_TO_FS" = "false" ]; then \ + sed -ri "s/^appender\.(logfile|auditlog).*//g" conf/log4j2.properties; \ + fi RUN rm conf/credentials.properties && touch conf/credentials.properties && \ mkdir tmp && \ chmod -R g+w conf data tmp From 59db1d6af3af14d0d0d6ab517390fb67fea4c0f4 Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Fri, 17 Jan 2025 18:03:26 +0100 Subject: [PATCH 11/15] allow configuring web auth at build time and fix it for AMQ5 --- assembly/src/docker/Dockerfile | 20 ++++++++++++++++++-- assembly/src/docker/entrypoint.sh | 11 +++++++++-- 2 files changed, 27 insertions(+), 4 deletions(-) diff --git a/assembly/src/docker/Dockerfile b/assembly/src/docker/Dockerfile index bf05f60722e..672ed4b3380 100644 --- a/assembly/src/docker/Dockerfile +++ b/assembly/src/docker/Dockerfile @@ -20,6 +20,8 @@ FROM debian:bookworm-slim AS amq_tpl ARG activemq_dist=NOT_SET ARG JMX_USER ARG JMX_PASSWORD +ARG ACTIVEMQ_WEB_DEFAULT_USER=admin +ARG ACTIVEMQ_WEB_DEFAULT_PASSWORD=admin ARG LOG_TO_FS=true ENV DEBIAN_FRONTEND=noninteractive @@ -34,7 +36,6 @@ RUN xmlstarlet ed -L \ -N d='http://www.springframework.org/schema/beans' \ -N a='http://activemq.apache.org/schema/core' \ -d '//comment()' \ - -d '/d:beans/d:bean[@class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"]/d:property[@name="locations"]' \ -s '/d:beans/a:broker' -t elem -n plugins \ -s '/d:beans/a:broker/plugins' -t elem -n simpleAuthenticationPlugin \ -s '/d:beans/a:broker/plugins/simpleAuthenticationPlugin' -t elem -n users \ 
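Review bot: `ARG ACTIVEMQ_WEB_DEFAULT_PASSWORD=admin` keeps `admin`/`admin` as the console login of every image built without overrides, while the console is bound to all interfaces by `-Djetty.host=0.0.0.0`. The later hunks of this patch repeat the pair in the final stage and copy it into `ENV ACTIVEMQ_WEB_DEFAULT_PASSWORD`, which makes the password readable through `docker inspect` and in the environment of every process in the container. I would give the password argument no default, and drop the `ENV` copy by having entrypoint.sh replace the value by user key instead of by old password: `sed -i "s/^${ACTIVEMQ_WEB_USER}=.*/${ACTIVEMQ_WEB_USER}=${ACTIVEMQ_WEB_PASSWORD}/"`. The `amq_tpl` stage continues outside the hunk.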
@@ -49,12 +50,23 @@ RUN xmlstarlet ed -L \ -N a='http://activemq.apache.org/schema/core' \ -u '/d:beans/a:broker/a:managementContext/a:managementContext/@createConnector' -v '${activemq.jmx.enabled}' \ conf/activemq.xml +# Configure default web console authentication for ActiveMQ 5.x and 6.x +RUN if [ -n "$ACTIVEMQ_WEB_DEFAULT_USER" ]; then \ + sed -i "s/admin=/${ACTIVEMQ_WEB_DEFAULT_USER}=/g" conf/users.properties; \ + sed -i "s/=admin/=${ACTIVEMQ_WEB_DEFAULT_USER}/g" conf/groups.properties; \ + fi; \ + if [ -n "$ACTIVEMQ_WEB_DEFAULT_PASSWORD" ]; then \ + sed -i "s/=admin/=${ACTIVEMQ_WEB_DEFAULT_PASSWORD}/g" conf/users.properties; \ + fi; \ + if [ -f conf/jetty-realm.properties ]; then \ + sed -i "s/admin: admin/${ACTIVEMQ_WEB_DEFAULT_USER}: ${ACTIVEMQ_WEB_DEFAULT_PASSWORD}/" conf/jetty-realm.properties; \ + fi RUN if [ -n "$JMX_USER" ]; then \ sed -i "s/admin/${JMX_USER}/" conf/jmx.access && \ sed -i "s/admin activemq/${JMX_USER} ${JMX_PASSWORD}/" conf/jmx.password; \ fi RUN if [ "$LOG_TO_FS" = "false" ]; then \ - sed -ri "s/^appender\.(logfile|auditlog).*//g" conf/log4j2.properties; \ + sed -ri "s/^(rootLogger\.)?appender(Ref)?\.(logfile|auditlog).*//g" conf/log4j2.properties; \ fi RUN rm conf/credentials.properties && touch conf/credentials.properties && \ mkdir tmp && \ @@ -64,6 +76,8 @@ FROM eclipse-temurin:17-jre ARG JMX_USER ARG ACTIVEMQ_USERNAME=activemq ARG ACTIVEMQ_GROUPNAME=activemq +ARG ACTIVEMQ_WEB_DEFAULT_USER=admin +ARG ACTIVEMQ_WEB_DEFAULT_PASSWORD=admin # ActiveMQ environment variables ENV ACTIVEMQ_INSTALL_PATH=/opt 
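Review bot: The three `if` blocks in the new `RUN` are joined with `;`, so a failing `sed` (a missing conf/users.properties, for instance) does not fail the build and the image ships with the stock console credentials unnoticed. Start the step with `set -e`, as in `RUN set -e; if [ -n "$ACTIVEMQ_WEB_DEFAULT_USER" ]; then \`, or chain the blocks with `&&`. The jetty-realm `sed` also runs when either argument is empty, and all values are placed in the `sed` replacement unescaped, so a `/` or `&` in a password changes the expression.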
@@ -77,6 +91,8 @@ ENV ACTIVEMQ_CONNECTION_GROUPS=users ENV ACTIVEMQ_CONNECTION_PASSWORD=manager ENV ACTIVEMQ_JMX_ENABLED=false ENV JMX_USER=$JMX_USER +ENV ACTIVEMQ_WEB_DEFAULT_USER=$ACTIVEMQ_WEB_DEFAULT_USER +ENV ACTIVEMQ_WEB_DEFAULT_PASSWORD=$ACTIVEMQ_WEB_DEFAULT_PASSWORD # Make the Web console accesible from outside the container ENV ACTIVEMQ_OPTS='$ACTIVEMQ_OPTS_MEMORY -Djava.util.logging.config.file=logging.properties -Djava.security.auth.login.config=$ACTIVEMQ_CONF/login.config -Djetty.host=0.0.0.0 -Dactivemq.username=$ACTIVEMQ_CONNECTION_USER -Dactivemq.groups=$ACTIVEMQ_CONNECTION_GROUPS -Dactivemq.password=$ACTIVEMQ_CONNECTION_PASSWORD -Dactivemq.jmx.enabled=$ACTIVEMQ_JMX_ENABLED' diff --git a/assembly/src/docker/entrypoint.sh b/assembly/src/docker/entrypoint.sh index 5d1db5c4c63..c2d218a5caa 100755 --- a/assembly/src/docker/entrypoint.sh +++ b/assembly/src/docker/entrypoint.sh @@ -43,9 +43,16 @@ fi # WebConsole security if [ -n "${ACTIVEMQ_WEB_USER}" ]; then echo "Enabling ActiveMQ WebConsole security" - sed -i s/admin=/${ACTIVEMQ_WEB_USER}=/g ${ACTIVEMQ_HOME}/conf/users.properties + sed -i s/$ACTIVEMQ_WEB_DEFAULT_USER=/${ACTIVEMQ_WEB_USER}=/g ${ACTIVEMQ_HOME}/conf/users.properties if [ -n "${ACTIVEMQ_WEB_PASSWORD}" ]; then - sed -i s/=admin/=${ACTIVEMQ_WEB_PASSWORD}/g ${ACTIVEMQ_HOME}/conf/users.properties + sed -i s/=$ACTIVEMQ_WEB_DEFAULT_PASSWORD/=${ACTIVEMQ_WEB_PASSWORD}/g ${ACTIVEMQ_HOME}/conf/users.properties + fi + # ACTIVEMQ 5.x + if [ -f "${ACTIVEMQ_HOME}/conf/jetty-realm.properties" ]; then + sed -i "s/${ACTIVEMQ_WEB_DEFAULT_USER}: /${ACTIVEMQ_WEB_DEFAULT_USER}: /" ${ACTIVEMQ_HOME}/conf/jetty-realm.properties + if [ -n "${ACTIVEMQ_WEB_PASSWORD}" ]; then + sed -i "s/${ACTIVEMQ_WEB_DEFAULT_USER}: ${ACTIVEMQ_WEB_DEFAULT_PASSWORD}/${ACTIVEMQ_WEB_USER}: ${ACTIVEMQ_WEB_PASSWORD}/" ${ACTIVEMQ_HOME}/conf/jetty-realm.properties + fi fi fi From b7f12b65d9b735a423fc474251b8309f37ece578 Mon Sep 17 00:00:00 2001 
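Review bot: Renaming the console user at run time leaves the account out of its group: the block rewrites conf/users.properties but never conf/groups.properties, which the build-time step in the Dockerfile hunk of this patch does update. The first jetty-realm `sed` replaces `${ACTIVEMQ_WEB_DEFAULT_USER}: ` with itself, so on 5.x the user is renamed only when `ACTIVEMQ_WEB_PASSWORD` is also set. The two `users.properties` calls are unquoted as well, so a value containing a space splits the command. The script continues outside the hunk.

```shell
  sed -i "s/${ACTIVEMQ_WEB_DEFAULT_USER}=/${ACTIVEMQ_WEB_USER}=/g" "${ACTIVEMQ_HOME}/conf/users.properties"
  # keep the group membership pointing at the renamed account
  sed -i "s/=${ACTIVEMQ_WEB_DEFAULT_USER}/=${ACTIVEMQ_WEB_USER}/g" "${ACTIVEMQ_HOME}/conf/groups.properties"
  # … unchanged: password replacement in users.properties …
  # ACTIVEMQ 5.x
  if [ -f "${ACTIVEMQ_HOME}/conf/jetty-realm.properties" ]; then
    sed -i "s/${ACTIVEMQ_WEB_DEFAULT_USER}: /${ACTIVEMQ_WEB_USER}: /" "${ACTIVEMQ_HOME}/conf/jetty-realm.properties"
    if [ -n "${ACTIVEMQ_WEB_PASSWORD}" ]; then
      sed -i "s/${ACTIVEMQ_WEB_USER}: ${ACTIVEMQ_WEB_DEFAULT_PASSWORD}/${ACTIVEMQ_WEB_USER}: ${ACTIVEMQ_WEB_PASSWORD}/" "${ACTIVEMQ_HOME}/conf/jetty-realm.properties"
    fi
  fi
```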
From: Alexandre Chapellon Date: Fri, 17 Jan 2025 18:52:04 +0100 Subject: [PATCH 12/15] remove added JMX auth config as it simply doesn't work --- assembly/src/docker/Dockerfile | 11 +++-------- assembly/src/docker/entrypoint.sh | 7 ------- 2 files changed, 3 insertions(+), 15 deletions(-) diff --git a/assembly/src/docker/Dockerfile b/assembly/src/docker/Dockerfile index 672ed4b3380..ac4f72a0ce7 100644 --- a/assembly/src/docker/Dockerfile +++ b/assembly/src/docker/Dockerfile @@ -18,8 +18,6 @@ FROM debian:bookworm-slim AS amq_tpl # activemq_dist can point to a directory or a tarball on the local system ARG activemq_dist=NOT_SET -ARG JMX_USER -ARG JMX_PASSWORD ARG ACTIVEMQ_WEB_DEFAULT_USER=admin ARG ACTIVEMQ_WEB_DEFAULT_PASSWORD=admin ARG LOG_TO_FS=true @@ -61,10 +59,6 @@ RUN if [ -n "$ACTIVEMQ_WEB_DEFAULT_USER" ]; then \ if [ -f conf/jetty-realm.properties ]; then \ sed -i "s/admin: admin/${ACTIVEMQ_WEB_DEFAULT_USER}: ${ACTIVEMQ_WEB_DEFAULT_PASSWORD}/" conf/jetty-realm.properties; \ fi -RUN if [ -n "$JMX_USER" ]; then \ - sed -i "s/admin/${JMX_USER}/" conf/jmx.access && \ - sed -i "s/admin activemq/${JMX_USER} ${JMX_PASSWORD}/" conf/jmx.password; \ - fi RUN if [ "$LOG_TO_FS" = "false" ]; then \ sed -ri "s/^(rootLogger\.)?appender(Ref)?\.(logfile|auditlog).*//g" conf/log4j2.properties; \ fi @@ -73,7 +67,6 @@ RUN rm conf/credentials.properties && touch conf/credentials.properties && \ chmod -R g+w conf data tmp FROM eclipse-temurin:17-jre -ARG JMX_USER ARG ACTIVEMQ_USERNAME=activemq ARG ACTIVEMQ_GROUPNAME=activemq ARG ACTIVEMQ_WEB_DEFAULT_USER=admin @@ -90,7 +83,6 @@ ENV ACTIVEMQ_CONNECTION_USER=system ENV ACTIVEMQ_CONNECTION_GROUPS=users ENV ACTIVEMQ_CONNECTION_PASSWORD=manager ENV ACTIVEMQ_JMX_ENABLED=false -ENV JMX_USER=$JMX_USER ENV ACTIVEMQ_WEB_DEFAULT_USER=$ACTIVEMQ_WEB_DEFAULT_USER ENV ACTIVEMQ_WEB_DEFAULT_PASSWORD=$ACTIVEMQ_WEB_DEFAULT_PASSWORD 
@@ -104,6 +96,9 @@ RUN groupadd --system ${ACTIVEMQ_GROUPNAME} && \ COPY entrypoint.sh /usr/local/bin/entrypoint.sh COPY --from=amq_tpl --chown=:${ACTIVEMQ_GROUPNAME} /apache-activemq $ACTIVEMQ_INSTALL_PATH/apache-activemq +RUN chmod 600 ${ACTIVEMQ_HOME}/conf/jmx.password && \ + chown ${ACTIVEMQ_USERNAME}:${ACTIVEMQ_GROUPNAME} ${ACTIVEMQ_HOME}/conf/jmx.password + USER ${ACTIVEMQ_USERNAME} EXPOSE 8161 61616 5672 61613 1883 61614 1099 ENTRYPOINT ["/usr/local/bin/entrypoint.sh"] diff --git a/assembly/src/docker/entrypoint.sh b/assembly/src/docker/entrypoint.sh index c2d218a5caa..2c34bdb0a1d 100755 --- a/assembly/src/docker/entrypoint.sh +++ b/assembly/src/docker/entrypoint.sh @@ -19,13 +19,6 @@ ################################################################################ # JMX security -if [ -n "$JMX_USER" -o -n"$ACTIVEMQ_JMX_USER" ]; then - ACTIVEMQ_SUNJMX_START="-Dcom.sun.management.jmxremote.authenticate=true" - ACTIVEMQ_SUNJMX_START="$ACTIVEMQ_SUNJMX_START -Dcom.sun.management.jmxremote.password.file=${ACTIVEMQ_HOME}/conf/jmx.password" - ACTIVEMQ_SUNJMX_START="$ACTIVEMQ_SUNJMX_START -Dcom.sun.management.jmxremote.access.file=${ACTIVEMQ_HOME}/conf/jmx.access" - export ACTIVEMQ_SUNJMX_START -fi - if [ -n "${ACTIVEMQ_JMX_USER}" ]; then if [ -f "${ACTIVEMQ_HOME}/conf/jmx.security.enabled" ]; then echo "JMX Security already enabled" From 5b9efdd46fb23327788b5dc3d8994b6c8a2e3b79 Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Fri, 17 Jan 2025 19:10:48 +0100 Subject: [PATCH 13/15] remove useless LOG_TO_FS --- assembly/src/docker/Dockerfile | 4 ---- 1 file changed, 4 deletions(-) diff --git a/assembly/src/docker/Dockerfile b/assembly/src/docker/Dockerfile index ac4f72a0ce7..f6a7640bf2b 100644 --- a/assembly/src/docker/Dockerfile +++ b/assembly/src/docker/Dockerfile 
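Review bot: The new `chmod 600` / `chown` step on conf/jmx.password has no comment explaining why this one file gets different ownership from the rest of the tree copied with `--chown=:${ACTIVEMQ_GROUPNAME}`. I would add `# The JVM rejects a JMX password file that anyone other than its owner can read` above the `RUN`. The entrypoint.sh hunk of this same patch removes the `-Dcom.sun.management.jmxremote.*` flags, so no visible option points the JVM at this file any more; if that is intended, the comment should say the file is only prepared for users who supply those flags themselves. The stage starts outside the hunk.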
@@ -20,7 +20,6 @@ FROM debian:bookworm-slim AS amq_tpl ARG activemq_dist=NOT_SET ARG ACTIVEMQ_WEB_DEFAULT_USER=admin ARG ACTIVEMQ_WEB_DEFAULT_PASSWORD=admin -ARG LOG_TO_FS=true ENV DEBIAN_FRONTEND=noninteractive @@ -59,9 +58,6 @@ RUN if [ -n "$ACTIVEMQ_WEB_DEFAULT_USER" ]; then \ if [ -f conf/jetty-realm.properties ]; then \ sed -i "s/admin: admin/${ACTIVEMQ_WEB_DEFAULT_USER}: ${ACTIVEMQ_WEB_DEFAULT_PASSWORD}/" conf/jetty-realm.properties; \ fi -RUN if [ "$LOG_TO_FS" = "false" ]; then \ - sed -ri "s/^(rootLogger\.)?appender(Ref)?\.(logfile|auditlog).*//g" conf/log4j2.properties; \ - fi RUN rm conf/credentials.properties && touch conf/credentials.properties && \ mkdir tmp && \ chmod -R g+w conf data tmp From a8cff13e36cac5df783087d7f2bf64e8aed1bcbd Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Fri, 17 Jan 2025 19:11:18 +0100 Subject: [PATCH 14/15] cleanup --- assembly/src/docker/entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assembly/src/docker/entrypoint.sh b/assembly/src/docker/entrypoint.sh index 2c34bdb0a1d..e203e8ff7e1 100755 --- a/assembly/src/docker/entrypoint.sh +++ b/assembly/src/docker/entrypoint.sh @@ -1,4 +1,4 @@ -#!/bin/bash -x +#!/bin/bash -e ################################################################################ # Licensed to the Apache Software Foundation (ASF) under one From ed75e96bc9a2794175b5277d679879f07a2c4ad9 Mon Sep 17 00:00:00 2001 From: Alexandre Chapellon Date: Fri, 17 Jan 2025 19:25:46 +0100 Subject: [PATCH 15/15] update doc --- assembly/src/docker/README.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/assembly/src/docker/README.md b/assembly/src/docker/README.md index ae6edf645f3..c776bdb1fce 100644 --- a/assembly/src/docker/README.md +++ b/assembly/src/docker/README.md 
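Review bot: In the `entrypoint.sh` hunk, `-e` on the shebang line is lost whenever the script is started as `bash entrypoint.sh`; a `set -e` line in the body holds in both cases. Dropping `-x` is a good change in itself, since the entrypoint no longer traces its commands, and any passwords they carry, into the container log. Every command that can legitimately return non-zero now needs a check. If the `read -r -d '' REPLACE << END` heredoc from earlier in this series is still in the script, `read` returns 1 at end of input and the entrypoint will exit there unless it gets `|| true`. The rest of the script lies outside this hunk.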
@@ -158,9 +158,13 @@ Edit the `docker-compose.yml` file to edit port settings. | Environment Variable | Description | |----------------------|-------------| -| `ACTIVEMQ_CONNECTION_USER` | Username to access transport connector on the broker (JMS, ...). If not set, no user and password are required | +| `ACTIVEMQ_CONNECTION_USER` | Username to access transport connector on the broker (JMS, ...). If not set, no user and password are required. | | `ACTIVEMQ_CONNECTION_PASSWORD` | Password to access transport connector on the broker (JMS, ...). It should be used with `ACTIVEMQ_CONNECTION_USER`. | +| `ACTIVEMQ_CONNECTION_GROUPS` | Comma-separated list of groups to which the user belongs. | | `ACTIVEMQ_JMX_USER` | Username to access the JMX MBean server of the broker. If set, ActiveMQ accepts remote JMX connection, else, only local connection are allowed. | -| `ACTIVEMQ_JMX_PASSWORD` | Password to access the JMX MBean server of the broker. It should be used with `ACTIVEMQ_JMX_USER`/ | +| `ACTIVEMQ_JMX_PASSWORD` | Password to access the JMX MBean server of the broker. It should be used with `ACTIVEMQ_JMX_USER`. | +| `ACTIVEMQ_JMX_ENABLED` | Toggle ActiveMQ's JMX connector (without authentication). | +| `ACTIVEMQ_WEB_DEFAULT_USER` | Default username to access the ActiveMQ WebConsole (used at build time). | +| `ACTIVEMQ_WEB_DEFAULT_PASSWORD` | Default password to access the ActiveMQ WebConsole (used at build time). | | `ACTIVEMQ_WEB_USER` | Username to access the ActiveMQ WebConsole. | -| `ACTIVEMQ_WEB_PASSWORD` | Password to access the ActiveMQ WebConsole. | \ No newline at end of file +| `ACTIVEMQ_WEB_PASSWORD` | Password to access the ActiveMQ WebConsole. |