You are viewing documentation for an older version of Confluent Platform. For the latest, click here.

Docker Developer Guide

Image Design Overview

In this section we assume some prior knowledge of Docker and of how to write Dockerfiles. If you’d like to first on best practices for writing Dockerfiles, we recommend reviewing Docker’s best practices guide.

The Bootup Process

Upon startup, the entrypoint /etc/confluent/docker/run runs three executable scripts found in the /etc/confluent/docker. They are run in the following sequence:





The configure script does all the necessary configuration for each image. This includes the following:

  • Creating all configuration files and copying them to their proper location
  • Ensuring that mandatory configuration properties are present
  • Handling service discovery (if required)

Preflight Checks

The ensure scripts makes sure that all the prerequisites for launching the service are in place. This includes:

  • Ensure the configuration files are present and readable.
  • Ensure that you can write/read to the data directory. The directories need to be world writable.
  • Ensuring supporting services are in READY state. For example, ensure that ZK is ready before launching a Kafka broker.
  • Ensure supporting systems are configured properly. For example, make sure all topics required for C3 are created with proper replication, security and partition settings.

Launching the Process

The launch script runs the actual process. The script should ensure that :

  • The process is run with process id 1. Your script should use exec so the program takes over the shell process rather than running as a child process. This is so that your program will receive signals like SIGTERM directly rather than its parent shell process receiving them.
  • Log to stdout

Development Guidelines

We adhered to the following guidelines when developing these Docker bootup scripts:

  1. Make it Executable
  2. Fail Fast
  3. Fail with Good Error Messages
  4. Return 0 if success, 1 if fail


  1. Install Docker. Here we assume you are running on macOS. For instructions on installing Docker on Linux or Windows, please refer to the official Docker Machine documentation.

    brew install docker docker-machine
  2. Create a Docker Machine:

docker-machine create --driver virtualbox --virtualbox-memory 6000 confluent

This command will create a local environment but it is recommended that you create one on AWS. The builds are much faster and more predictable (virtualbox stops when you close the lid of the laptop and sometimes gets into a weird state). When choosing an instance type, m4.large is good choice. It has 2 vCPUs with 8GB RAM and costs around ~$88 monthly.

export INSTANCE_NAME=$USER-docker-machine
docker-machine create \
   --driver amazonec2 \
   --amazonec2-region us-west-2 \
   --amazonec2-instance-type m4.large \
   --amazonec2-root-size 100 \
   --amazonec2-ami ami-16b1a077 \
   --amazonec2-tags Name,$INSTANCE_NAME \
  1. Configure your terminal window to attach it to your new Docker Machine:

    eval $(docker-machine env confluent)

Building the Images

To get started, you can build all the Confluent Platform images as follows:

make build-debian

You can run build tests by running make test-build. Use this when you want to test the builds with a clean slate. This deletes all images and starts from scratch.

Running Tests

You’ll need to first install virtualenv: pip install virtualenv

cd cp-docker-images
make test-zookeeper
make test-kafka

To run a single test, you can do so with Python. In the following example, we run only the ConfigTest found in

venv/bin/py.test tests/ -v


Deleting All Docker Containers: During the development process, you’ll often need to delete and rebuild the Docker images. You can do so by running docker rm -f $(docker ps -a -q).

Make Targets

Delete all images tagged with label=io.confluent.docker.testing=true :


Delete all containers tagged with :


Tag images for the repository in DOCKER_REMOTE_REPOSITORY:


Push images to the private repository:


Push to the Docker hub:


Examples: Extending the Docker Images

You can extend the images to add or customize connectors, add new software, change the configuration management, and set up external service discovery. The following sections provide examples that show how do do this.


  1. Read the section on development to setup the development environment to build Docker images.
  2. Understand how the images are structured by reading the following docs:
    • image-structure describes the structure of the images
    • utility_scripts describes the utility scripts used in the images
  3. If you plan to contribute back to the project, see the contributing guidelines.

Adding Connectors or Software

Confluent provides two images for Kafka Connect:

  • The Kafka Connect Base image contains Kafka Connect and all of its dependencies. When started, it will run the Connect framework in distributed mode.
  • The Kafka Connect image extends the Kafka Connect Base image and includes several of the connectors supported by Confluent: JDBC, Elasticsearch, HDFS, S3, and JMS.

There are currently two ways to add new connectors to these images.

  • Use the cp-kafka-connect or cp-kafka-connect-base image as-is and add the connector JARs via volumes.
  • Build a new Docker image that has the new connectors installed. See the following examples.

Create a Docker Image containing Confluent Hub Connectors

This example shows how to use the Confluent Hub client to create a Docker image that extends from one of Confluent’s Kafka Connect images but which contains a custom set of connectors. This may be useful if you’d like to use a connector that isn’t contained in the cp-kafka-connect image, or if you’d like to keep the custom image lightweight and not include any connectors that you don’t plan to use.

  1. Add connectors from Confluent Hub.

  2. Choose an image to extend.

    Functionally, the cp-kafka-connect and the cp-kafka-connect-base images are identical. The only difference is that the cp-kafka-connect image already contains several of Confluent’s connectors, whereas the cp-kafka-connect-base image comes with none by default. The cp-kafka-connect-base image is shown in this example.

  3. Choose the connectors from Confluent Hub that you’d like to include in your custom image. Note that the remaining steps result in a custom image containing a MongoDB connector, a Microsoft Azure IoT Hub connector, and a Google BigQuery connector.

  4. Write a Dockerfile.

    FROM confluentinc/cp-kafka-connect-base:5.1.4
    RUN   confluent-hub install --no-prompt hpgrahsl/kafka-connect-mongodb:1.1.0 \
       && confluent-hub install --no-prompt microsoft/kafka-connect-iothub:0.6 \
       && confluent-hub install --no-prompt wepay/kafka-connect-bigquery:1.1.0
  5. Build the Dockerfile.

    docker build . -t my-custom-image:1.0.0

    The output from that command should resemble:

    Step 1/2 : FROM confluentinc/cp-kafka-connect-base
    ---> e0d92da57dc3
    Running in a "--no-prompt" mode
    Implicit acceptance of the license below:
    Apache 2.0
    Implicit confirmation of the question: You are about to install 'kafka-connect-bigquery' from WePay, as published on Confluent Hub.
    Downloading component BigQuery Sink Connector 1.1.0, provided by WePay from Confluent Hub and installing into /usr/share/confluent-hub-components
    Adding installation directory to plugin path in the following files:
    Removing intermediate container 48d4506b8a83
     ---> 496befc3d3f7
    Successfully built 496befc3d3f7
    Successfully tagged my-custom-image:1.0.0

    This results in an image named my-custom-image that contains the MongoDB, Azure IoT Hub, and BigQuery connectors, and which is capable of running any/all all of them via the Kafka Connect framework.

If you are using a docker-compose.yml file and the Confluent Hub client to build your Kafka environment, use the following properties to enable a connector.

  image: confluentinc/kafka-connect-datagen:0.2.0
    context: .
    dockerfile: Dockerfile-confluenthub

Create a Docker Image containing Local Connectors

This example shows how to create a Docker image that extends the cp-kafka-connect-base image to contain one or more local connectors. This is useful if you want to use your connectors instead of pulling connectors from Confluent Hub.

  1. Package your local connector in a zip file.

  2. Set up the Dockerfile as shown in the example below.

    FROM confluentinc/cp-kafka-connect-base:5.1.4
    COPY target/components/packages/ /tmp/
    RUN confluent-hub install --no-prompt /tmp/
  3. Build the Dockerfile.

    docker build . -t my-custom-image:1.0.0

Add Additional Software

This example shows how to add new software to an image. For example, you might want to extend the Kafka Connect client to include the MySQL JDBC driver. If this approach is used to add new connectors to an image, the connector JARs must be on the plugin.path or the CLASSPATH for the Connect framework.

  1. Write the Dockerfile.

    FROM confluentinc/cp-kafka-connect
    RUN curl -k -SL "${MYSQL_DRIVER_VERSION}.tar.gz" \
         | tar -xzf - -C /usr/share/java/kafka/ --strip-components=1 mysql-connector-java-5.1.39/mysql-connector-java-${MYSQL_DRIVER_VERSION}-bin.jar
  2. Build the image.

    docker build -t foo/mysql-connect:latest .


This approach can also be used to create images with your own Kafka Connect Plugins.

Change Configuration Management

This example shows how to change the configuration management. To accomplish this, you override the configure script to download the scripts from a URL.

For example, with the ZooKeeper image, you need the following Dockerfile and configure script. This example assumes that each property file is has a URL.


FROM confluentinc/cp-zookeeper

COPY include/etc/confluent/docker/configure /etc/confluent/docker/configure

Example Configure Script:

Location: include/etc/confluent/docker/configure

. /etc/confluent/docker/bash-config

# Ensure that URL locations are available.

# Ensure that the config location is writable.
dub path /etc/kafka/ writable

curl -XGET ZOOKEEPER_SERVER_ID_URL > /var/lib/zookeeper/data/myid

Build the image:

    docker build -t foo/zookeeper:latest .

Enter the command.

docker run \

Log to External Volumes

The images only expose volumes for data and security configuration. But you might want to write to external storage for some use cases. The following example shows how to write the Kafka authorizer logs to a volume for auditing.


FROM confluentinc/cp-kafka

# Make sure the log directory is world-writable
RUN echo "===> Creating authorizer logs dir ..." \
     && mkdir -p /var/log/kafka-auth-logs
     && chmod -R ag+w /var/log/kafka-auth-logs

VOLUME ["/var/lib/${COMPONENT}/data", "/etc/${COMPONENT}/secrets", "/var/log/kafka-auth-logs"]

COPY include/etc/confluent/ /etc/confluent/

Location: include/etc/confluent/

log4j.rootLogger={{ env["KAFKA_LOG4J_ROOT_LOGLEVEL"] | default('INFO') }}, stdout

log4j.appender.stdout.layout.ConversionPattern=[%d] %p %m (%c)%n

log4j.appender.authorizerAppender.layout.ConversionPattern=[%d] %p %m (%c)%n


{% set loggers = {
 'kafka': 'INFO',
 '$': 'WARN',
 'kafka.producer.async.DefaultEventHandler': 'DEBUG',
 'kafka.request.logger': 'WARN',
 'kafka.controller': 'TRACE',
 'kafka.log.LogCleaner': 'INFO',
 'state.change.logger': 'TRACE',
 'kafka.authorizer.logger': 'WARN, authorizerAppender'
 } -%}

{% if env['KAFKA_LOG4J_LOGGERS'] %}
{% set loggers = parse_log4j_loggers(env['KAFKA_LOG4J_LOGGERS'], loggers) %}
{% endif %}

Build the image.

docker build -t foo/kafka-auditable:latest .

Write Garbage Collection Logs to an External Volume

The following example shows how to log heap dumps and GC logs to an external volume. This is useful for debugging the Kafka image.


FROM confluentinc/cp-kafka

# Make sure the jvm log directory is world-writable
RUN echo "===> Creating jvm logs dir ..." \
     && mkdir -p /var/log/jvm-logs
     && chmod -R ag+w /var/log/jvm-logs

VOLUME ["/var/lib/${COMPONENT}/data", "/etc/${COMPONENT}/secrets", "/var/log/jvm-logs"]
  1. Build the image.

    docker build -t foo/kafka-verbose-jvm:latest .
  2. Enter the command.

    docker run \
        -e KAFKA_HEAP_OPTS="-Xmx256M -Xloggc:/var/log/jvm-logs/verbose-gc.log -verbose:gc -XX:+PrintGCDateStamps -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/log/jvm-logs" \

Use External Service Discovery

You can extend the images to support for any service discovery mechanism either by overriding relevant properties or by overriding the configure script as shown in Change Configuration Management.

The Docker images provide Mesos support by overriding relevant properties for Mesos service discovery. See debian/kafka-connect/includes/etc/confluent/docker/mesos-overrides for examples.

Use the Oracle JDK

The images ship with Azul Zulu OpenJDK. Due to licensing restrictions, we cannot bundle Oracle JDK, but we are testing on Zulu OpenJDK and do suggest it as a viable alternative. If you are required to use Oracle’s version, you can follow the steps below to modify the images to include Oracle JDK instead of Zulu OpenJDK.

  1. Change the base image to install Oracle JDK instead of Zulu OpenJDK by updating debian/base/Dockerfile.
FROM debian:jessie


LABEL io.confluent.docker=true

# Python

# Confluent

# Zulu

# Replace the following lines for Zulu OpenJDK...
&& echo "Installing Zulu OpenJDK ${ZULU_OPENJDK_VERSION}" \
&& apt-key adv --keyserver hkp:// --recv-keys 0x219BD9C9 \
&& echo "deb stable  main" >> /etc/apt/sources.list.d/zulu.list \
&& apt-get -qq update \
&& apt-get -y install zulu-${ZULU_OPENJDK_VERSION} \
&& rm -rf /var/lib/apt/lists/* \

# ...with the following lines for Oracle JDK
&& echo "===> Adding webupd8 repository for Oracle JDK..."  \
&& echo "deb trusty main" | tee /etc/apt/sources.list.d/webupd8team-java.list \
&& echo "deb-src trusty main" | tee -a /etc/apt/sources.list.d/webupd8team-java.list \
&& apt-key adv --keyserver --recv-keys EEA14886 \
&& apt-get update \
&& echo "===> Installing Oracle JDK 8 ..."   \
&& echo debconf shared/accepted-oracle-license-v1-1 select true | debconf-set-selections \
&& echo debconf shared/accepted-oracle-license-v1-1 seen true | debconf-set-selections \
&& DEBIAN_FRONTEND=noninteractive  apt-get install -y --force-yes \
                 oracle-java8-installer \
                 oracle-java8-set-default  \
                 ca-certificates \
&& rm -rf /var/cache/oracle-jdk8-installer \
&& apt-get clean && rm -rf /tmp/* /var/lib/apt/lists/* \
  1. Rebuild all the images.
make build-debian

Utility Scripts

Given the dependencies between the various Confluent Platform components (e.g. ZK required for Kafka, Kafka and ZK required for Schema Registry, etc.), it is sometimes necessary to be able to check the status of different services. The following utilities are used during the bootup sequence of the images and in the testing framework.

Docker Utility Belt (dub)

  1. Template
usage: dub template [-h] input output

Generate template from env vars.

positional arguments:
  input       Path to template file.
  output      Path of output file.
  1. ensure
usage: dub ensure [-h] name

Check if env var exists.

positional arguments:
  name        Name of env var.
  1. wait
usage: dub wait [-h] host port timeout

wait for network service to appear.

positional arguments:
  host        Host.
  port        Host.
  timeout     timeout in secs.
  1. path
usage: dub path [-h] path {writable,readable,executable,exists}

Check for path permissions and existence.

positional arguments:
  path                  Full path.
  {writable,readable,executable,exists} One of [writable, readable, executable, exists].
  1. path-wait
usage: dub path-wait [-h] path timeout

Wait for a path to exist.

positional arguments:
  path        Full path.
  timeout     Time in secs to wait for the path to exist.

optional arguments:
  -h, --help  show this help message and exit

Confluent Platform Utility Belt (cub)

  1. zk-ready

Used for checking if ZooKeeper is ready.

usage: cub zk-ready [-h] connect_string timeout retries wait

Check if ZK is ready.

positional arguments:
  connect_string  ZooKeeper connect string.
  timeout         Time in secs to wait for service to be ready.
  retries         No of retries to check if leader election is complete.
  wait            Time in secs between retries
  1. kafka-ready

Used for checking if Kafka is ready.

usage: cub kafka-ready [-h] (-b BOOTSTRAP_BROKER_LIST | -z ZOOKEEPER_CONNECT)
                 [-c CONFIG] [-s SECURITY_PROTOCOL]
                 expected_brokers timeout

Check if Kafka is ready.

positional arguments:
expected_brokers      Minimum number of brokers to wait for
timeout               Time in secs to wait for service to be ready.

optional arguments:
-h, --help            show this help message and exit
                      List of bootstrap brokers.
                      ZooKeeper connect string.
-c CONFIG, --config CONFIG
                      Path to config properties file (required when security
                      is enabled).
                      Security protocol to use when multiple listeners are
  1. sr-ready

Used for checking if Schema Registry is ready. If you have multiple Schema Registry nodes, you may need to check their availability individually.

usage: cub sr-ready [-h] host port timeout

positional arguments:
  host  Hostname for Schema Registry.
  port     Port for Schema Registry.
  timeout   Time in secs to wait for service to be ready.
  1. kr-ready

Used for checking if the REST Proxy is ready. If you have multiple REST Proxy nodes, you may need to check their availability individually.

usage: cub kr-ready [-h] host port timeout

positional arguments:
  host  Hostname for REST Proxy.
  port     Port for REST Proxy.
  timeout         Time in secs to wait for service to be ready.

Client Properties

The following properties may be configured when using the kafka-ready utility described above.


A list of host/port pairs to use for establishing the initial connection to the Kafka cluster. The client will make use of all servers irrespective of which servers are specified here for bootstrapping&mdash;this list only impacts the initial hosts used to discover the full set of servers. This list should be in the form <code>host1:port1,host2:port2,…</code>. Since these servers are just used for the initial connection to discover the full cluster membership (which may change dynamically), this list need not contain the full set of servers (you may want more than one, though, in case a server is down).

  • Type: list
  • Default:
  • Importance: high

The password of the private key in the key store file. This is optional for client.

  • Type: password
  • Importance: high

The location of the key store file. This is optional for client and can be used for two-way authentication for client.

  • Type: string
  • Importance: high

The store password for the key store file.This is optional for client and only needed if ssl.keystore.location is configured.

  • Type: password
  • Importance: high

The location of the trust store file.

  • Type: string
  • Importance: high

The password for the trust store file.

  • Type: password
  • Importance: high

The Kerberos principal name that Kafka runs as. This can be defined either in Kafka’s JAAS config or in Kafka’s config.

  • Type: string
  • Importance: medium

SASL mechanism used for client connections. This may be any mechanism for which a security provider is available. GSSAPI is the default mechanism.

  • Type: string
  • Default: “GSSAPI”
  • Importance: medium

Protocol used to communicate with brokers. Valid values are: PLAINTEXT, SSL, SASL_PLAINTEXT, SASL_SSL.

  • Type: string
  • Default: “PLAINTEXT”
  • Importance: medium

The list of protocols enabled for SSL connections.

  • Type: list
  • Default: [TLSv1.2, TLSv1.1, TLSv1]
  • Importance: medium

The file format of the key store file. This is optional for client.

  • Type: string
  • Default: “JKS”
  • Importance: medium

The SSL protocol used to generate the SSLContext. Default setting is TLS, which is fine for most cases. Allowed values in recent JVMs are TLS, TLSv1.1 and TLSv1.2. SSL, SSLv2 and SSLv3 may be supported in older JVMs, but their usage is discouraged due to known security vulnerabilities.

  • Type: string
  • Default: “TLS”
  • Importance: medium

The name of the security provider used for SSL connections. Default value is the default security provider of the JVM.

  • Type: string
  • Importance: medium

The file format of the trust store file.

  • Type: string
  • Default: “JKS”
  • Importance: medium

Kerberos kinit command path.

  • Type: string
  • Default: “/usr/bin/kinit”
  • Importance: low

Login thread sleep time between refresh attempts.

  • Type: long
  • Default: 60000
  • Importance: low

Percentage of random jitter added to the renewal time.

  • Type: double
  • Default: 0.05
  • Importance: low

Login thread will sleep until the specified window factor of time from last refresh to ticket’s expiry has been reached, at which time it will try to renew the ticket.

  • Type: double
  • Default: 0.8
  • Importance: low

A list of cipher suites. This is a named combination of authentication, encryption, MAC and key exchange algorithm used to negotiate the security settings for a network connection using TLS or SSL network protocol.By default all the available cipher suites are supported.

  • Type: list
  • Importance: low

The endpoint identification algorithm to validate server hostname using server certificate.

  • Type: string
  • Importance: low

The algorithm used by key manager factory for SSL connections. Default value is the key manager factory algorithm configured for the Java Virtual Machine.

  • Type: string
  • Default: “SunX509”
  • Importance: low

The algorithm used by trust manager factory for SSL connections. Default value is the trust manager factory algorithm configured for the Java Virtual Machine.

  • Type: string
  • Default: “PKIX”
  • Importance: low