Confluence ¶

Overview ¶

Confluence Server is where you create, organise and discuss work with your team. Capture the knowledge that's too often lost in email inboxes and shared network drives in Confluence - where it's easy to find, use, and update. Give every team, project, or department its own space to create the things they need, whether it's meeting notes, product requirements, file lists, or project plans, you can get more done in Confluence.

This Docker container makes it easy to get an instance of Confluence up and running.

Learn more about Confluence Server: https://www.atlassian.com/software/confluence

You can find the repository with the Dockerfile at https://bitbucket.org/atlassian-docker/docker-atlassian-confluence-server

DockerHub repository: https://hub.docker.com/r/atlassian/confluence

Use docker version >= 20.10.10

Quick Start ¶

For the directory in the environmental variable CONFLUENCE_HOME that is used to store Confluence data (amongst other things) we recommend mounting a host directory as a data volume:

Additionally, if running Confluence in Data Center mode it is required that a shared filesystem is mounted. The mountpoint (inside the container) can be configured with CONFLUENCE_SHARED_HOME.

Start Atlassian Confluence Server:

docker run -v /data/your-confluence-home:/var/atlassian/application-data/confluence --name="confluence" -d -p 8090:8090 -p 8091:8091 atlassian/confluence

Please ensure your container has the necessary resources allocated to it. We recommend 2GiB of memory allocated to accommodate the application server. See Supported Platforms for further information.

Configuring Confluence ¶

This Docker image is intended to be configured from its environment; the provided information is used to generate the application configuration files from templates. This allows containers to be repeatably created and destroyed on-the-fly, as required in advanced cluster configurations. Most aspects of the deployment can be configured in this manner; the necessary environment variables are documented below. However, if your particular deployment scenario is not covered by these settings, it is possible to override the provided templates with your own; see the section Advanced Configuration below.

Verbose container entrypoint logging ¶

During the startup process of the container, various operations and checks are performed to ensure that the application is configured correctly and ready to run. To help in troubleshooting and to provide transparency into this process, you can enable verbose logging. The VERBOSE_LOGS environment variable enables detailed debug messages to the container's log, offering insights into the actions performed by the entrypoint script.

• VERBOSE_LOGS (default: false)

Set to true to enable detailed debug messages during the container initialization.

Memory / Heap Size ¶

If you need to override Confluence Server's default memory allocation, you can control the minimum heap (Xms) and maximum heap (Xmx) via the below environment variables.

• JVM_MINIMUM_MEMORY (default: 1024m)

The minimum heap size of the JVM

• JVM_MAXIMUM_MEMORY (default: 1024m)

The maximum heap size of the JVM

• JVM_RESERVED_CODE_CACHE_SIZE (default: 256m)

  The reserved code cache size of the JVM

Tomcat and Reverse Proxy Settings ¶

If Confluence is run behind a reverse proxy server (e.g. a load-balancer or nginx server), then you need to specify extra options to make Confluence aware of the setup. They can be controlled via the below environment variables.

• ATL_PROXY_NAME (default: NONE)

The reverse proxy's fully qualified hostname. CATALINA_CONNECTOR_PROXYNAME is also supported for backwards compatability.

• ATL_PROXY_PORT (default: NONE)

The reverse proxy's port number via which Confluence is accessed. CATALINA_CONNECTOR_PROXYPORT is also supported for backwards compatability.

• ATL_TOMCAT_PORT (default: 8090)

The port for Tomcat/Confluence to listen on. Depending on your container deployment method this port may need to be [exposed and published][docker-expose].

• ATL_TOMCAT_SCHEME (default: http)

The protocol via which Confluence is accessed. CATALINA_CONNECTOR_SCHEME is also supported for backwards compatability.

• ATL_TOMCAT_SECURE (default: false)

Set 'true' if ATL_TOMCAT_SCHEME is 'https'. CATALINA_CONNECTOR_SECURE is also supported for backwards compatability.

• ATL_TOMCAT_CONTEXTPATH (default: NONE)

The context path the application is served over. CATALINA_CONTEXT_PATH is also supported for backwards compatability.

• ATL_TOMCAT_ACCESS_LOG (default: false [version < 7.11.0] and true [version >=7.11.0])

Whether to enable Tomcat access logging; set to true to enable. NOTE: These logs are written to the Container internal volume by default (under /opt/atlassian/confluence/logs/); these are rotated but not removed, and will grow indefinitely. If you enable this functionality it is recommended that you map the directory to a volume and perform log ingestion/cleanup with external tools.

• ATL_TOMCAT_REQUESTATTRIBUTESENABLED

Checks for the existence of request attributes (typically set by the RemoteIpValve and similar) that should be used to override the values returned by the request for remote address, remote host, server port and protocol. This property is usually combined with ATL_TOMCAT_TRUSTEDPROXIES and ATL_TOMCAT_INTERNALPROXIES to show IP address of the remote host instead of the load balancer's. If not declared, the default value of false will be used.

• ATL_TOMCAT_TRUSTEDPROXIES

A list of IP addresses separated by a pipe character e.g. 10.0.9.6|10.0.9.32.
Trusted proxies that appear in the remoteIpHeader will be trusted and will appear in the proxiesHeader value. By adding a list of Trusted Proxies, Confluence will remove the load balancers' IP addresses from Confluence's view of the incoming connection. This could be desired in a clustered load balancer architecture where the load balancer address changes depending on which node proxies the connection. If not specified, no trusted proxies will be trusted.

• ATL_TOMCAT_INTERNALPROXIES

A list of IP addresses separated by a pipe character e.g. 10.0.9.6|10.0.9.32.
Trusted proxies that appear in the remoteIpHeader will be trusted and will not appear in the proxiesHeader value. By adding a list of Internal Proxies, Confluence will remove the load balancers' IP addresses from Confluence's view of the incoming connection. This could be desired in a clustered load balancer architecture where the load balancer address changes depending on which node proxies the connection. If not specified, no internal proxies will be trusted.

The following Tomcat/Catalina options are also supported. For more information, see https://tomcat.apache.org/tomcat-7.0-doc/config/index.html.

• ATL_TOMCAT_MGMT_PORT (default: 8000)
• ATL_TOMCAT_MAXTHREADS (default: 48)
• ATL_TOMCAT_MINSPARETHREADS (default: 10)
• ATL_TOMCAT_CONNECTIONTIMEOUT (default: 20000)
• ATL_TOMCAT_ENABLELOOKUPS (default: false)
• ATL_TOMCAT_PROTOCOL (default: org.apache.coyote.http11.Http11NioProtocol)
• ATL_TOMCAT_REDIRECTPORT (default: 8443)
• ATL_TOMCAT_ACCEPTCOUNT (default: 10)
• ATL_TOMCAT_DEBUG (default: 0)
• ATL_TOMCAT_URIENCODING (default: UTF-8)
• ATL_TOMCAT_MAXHTTPHEADERSIZE (default: 8192)

Access Log Settings ¶

You can set the maximum number of days for access logs to be retained before being deleted. The default value of -1 means never delete old files.

• ATL_TOMCAT_ACCESS_LOGS_MAXDAYS (default: -1)

JVM configuration ¶

If you need to pass additional JVM arguments to Confluence such as specifying a custom trust store, you can add them via the below environment variable

• JVM_SUPPORT_RECOMMENDED_ARGS

Additional JVM arguments for Confluence.

For additional settings that can be supplied, see: Recognized System Properties

Confluence-specific settings ¶

• ATL_AUTOLOGIN_COOKIE_AGE (default: 1209600; two weeks, in seconds)

The maximum time a user can remain logged-in with 'Remember Me'.

• CONFLUENCE_HOME

The confluence home directory. This may be on an mounted volume; if so it should be writable by the user confluence. See note below about UID mappings.

• ATL_LUCENE_INDEX_DIR

The directory where Lucene search indexes should be stored. Defaults to index under the Confluence home directory.

• ATL_LICENSE_KEY (from Confluence 7.9 onwards)

The Confluence license string. Providing this will remove the need to supply it through the web startup screen.

• use with caution CONFLUENCE_LOG_STDOUT [true, false] (from Confluence 7.9 onwards)

Prior to Confluence version 7.9.0, the log files are always stored in the logs folder in Confluence home. From version 7.9.0, the logs can be printed directly to the stdout and don't use the file at all. This makes it possible to fetch the log messages via docker logs <CONTAINER_ID>. In this setup we recommend using some log aggregation tooling (e.g. AWS Cloudwatch or ELK stack).

Beware, if enabled, the support ZIP produced by the Troubleshooting and Support plugin doesn't contain the application logs.

Database configuration ¶

It is optionally possible to configure the database from the environment, avoiding the need to do so through the web startup screen.

The following variables are all must all be supplied if using this feature:

• ATL_JDBC_URL

The database URL; this is database-specific. It is allowed to use & in the URL which will be automatically converted to &.

• ATL_JDBC_USER

The database user to connect as.

• ATL_JDBC_PASSWORD

The password for the database user.

• ATL_DB_TYPE

The type of database; valid supported values are:

• mssql
• mysql
• oracle12c (Confluence 7.3.0 or earlier only)
• oracle (Confluence 7.3.1 or later only. Compatible with Oracle 12c and Oracle 19c)
• postgresql

For more information see the Database JDBC Drivers page.

Optional database settings ¶

• ATL_JDBC_SECRET_CLASS

Encryption class for the database password. Depending on the secret class, the value of ATL_JDBC_PASSWORD will differ. Defaults to plaintext.

Starting from 8.6 AWS SecretsManager is supported.

For non-clustered Confluence, manually edit jdbc.password.decrypter.classname and hibernate.connection.password properties as instructed by step 5 of official documentation, then restart container.

For clustered Confluence, set this property while making sure environment variables in cluster configuration are kept intact as well. Example:

docker run -v /data/your-confluence-home:/var/atlassian/application-data/confluence \
--name="confluence" -d -p 8090:8090 -p 8091:8091 \
-e ATL_JDBC_SECRET_CLASS='com.atlassian.secrets.store.aws.AwsSecretsManagerStore' \
-e ATL_JDBC_PASSWORD='{"region": "us-east-1", "secretId": "mysecret", "secretPointer": "/password"}' \
-e ATL_CLUSTER_RELATED_VARIABLES='variable-value' \
atlassian/confluence

The following variables are for the database connection pool, and are optional.

• ATL_DB_POOLMINSIZE (default: 20)
• ATL_DB_POOLMAXSIZE (default: 100)
• ATL_DB_TIMEOUT (default: 30)
• ATL_DB_IDLETESTPERIOD (default: 100)
• ATL_DB_MAXSTATEMENTS (default: 0)
• ATL_DB_VALIDATE (default: false)
• ATL_DB_ACQUIREINCREMENT (default: 1)
• ATL_DB_VALIDATIONQUERY (default: "select 1")
• ATL_DB_PROVIDER_CLASS (default: com.atlassian.confluence.impl.hibernate.DelegatingHikariConnectionProvider)
• ATL_DB_CONNECTION_AUTOCOMMIT (default false)
• ATL_DB_CONNECTION_ISOLATION (default 2)
• ATL_DB_DATASOURCE_HIKARI_REGISTER_MBEANS (default true)

Data Center configuration ¶

This docker image can be run as part of a Data Center cluster. You can specify the following properties to start Confluence as a Data Center node, instead of manually configuring a cluster. See Installing Confluence Data Center for more information.

Cluster configuration ¶

Confluence Data Center allows clustering via various methods. For more information on the setting for each type see this page.

NOTE: The underlying network should be set-up to support the Confluence clustering type you are using. How to do this depends on the container management technology, and is beyond the scope of this documentation.

Common cluster settings ¶

• ATL_CLUSTER_TYPE

The cluster type. Setting this effectively enables clustering. Valid values are aws, multicast, and tcp_ip.

• ATL_CLUSTER_NAME

The cluster name; this should be common across all nodes.

• ATL_PRODUCT_HOME_SHARED

The location of the shared home directory for all Confluence nodes. Note: This must be real shared filesystem that is mounted inside the container. Additionally, see the note about UIDs.

• ATL_CLUSTER_TTL

The time-to-live for cluster packets. Primarily of use in multicast clusters.

• ATL_CLUSTER_INTERFACE

The network interface Confluence will use to communicate between nodes. Auto-detected by default. Override interface if Confluence has selected the wrong one.

AWS cluster settings ¶

The following should be populated from the AWS environment.

• ATL_HAZELCAST_NETWORK_AWS_IAM_ROLE
• ATL_HAZELCAST_NETWORK_AWS_IAM_REGION
• ATL_HAZELCAST_NETWORK_AWS_HOST_HEADER
• ATL_HAZELCAST_NETWORK_AWS_SECURITY_GROUP
• ATL_HAZELCAST_NETWORK_AWS_TAG_KEY
• ATL_HAZELCAST_NETWORK_AWS_TAG_VALUE

TCP cluster settings ¶

• ATL_CLUSTER_PEERS

A comma-separated list of peer IPs.

Multicast cluster settings ¶

• ATL_CLUSTER_ADDRESS

The multicast address the cluster will communicate on.

Container Configuration ¶

• ATL_FORCE_CFG_UPDATE (default: false)

The Docker entrypoint generates application configuration on first start; not all of these files are regenerated on subsequent starts. This is deliberate, to avoid race conditions or overwriting manual changes during restarts and upgrades. However in deployments where configuration is purely specified through the environment (e.g. Kubernetes) this behaviour may be undesirable; this flag forces an update of all generated files.

In Confluence the affected files are: confluence.cfg.xml

See the entrypoint code for the details of how configuration files are generated.

• SET_PERMISSIONS (default: true)

Define whether to set home directory permissions on startup. Set to false to disable this behaviour.

• ATL_UNSET_SENSITIVE_ENV_VARS (default: true)

Define whether to unset environment variables containing keywords 'PASS', 'SECRET' or 'TOKEN'. The unset function is executed in the entrypoint. Set to false if you want to allow passing sensitive environment variables to Confluence container.

• ATL_ALLOWLIST_SENSITIVE_ENV_VARS

Define a comma separated list of environment variables containing keywords 'PASS', 'SECRET' or 'TOKEN' to be ignored by the unset function which is executed in the entrypoint. The function uses ^ regex. For example, if you set ATL_ALLOWLIST_SENSITIVE_ENV_VARS="PATH_TO_SECRET_FILE", all variables starting with PATH_TO_SECRET_FILE will not be unset.

Advanced Configuration ¶

As mentioned at the top of this section, the settings from the environment are used to populate the application configuration on the container startup. However, in some cases you may wish to customise the settings in ways that are not supported by the environment variables above. In this case, it is possible to modify the base templates to add your own configuration. There are three main ways of doing this; modify our repository to your own image, build a new image from the existing one, or provide new templates at startup. We will briefly outline these methods here, but in practice how you do this will depend on your needs.

Building your own image ¶

• Clone the Atlassian repository at https://bitbucket.org/atlassian-docker/docker-atlassian-confluence-server/
• Modify or replace the Jinja templates under config; NOTE: The files must have the .j2 extensions. However you don't have to use template variables if you don't wish.
• Build the new image with e.g: docker build --tag my-confluence-image --build-arg CONFLUENCE_VERSION=6.x.x .
• Optionally push to a registry, and deploy.

Build a new image from the existing one ¶

• Create a new Dockerfile, which starts with the line e.g: FROM atlassian/confluence:latest.
• Use a COPY line to overwrite the provided templates.
• Build, push and deploy the new image as above.

Overwrite the templates at runtime ¶

There are two main ways of doing this:

• If your container is going to be long-lived, you can create it, modify the installed templates under /opt/atlassian/etc/, and then run it.
• Alternatively, you can create a volume containing your alternative templates, and mount it over the provided templates at runtime with --volume my-config:/opt/atlassian/etc/.

Shared directory and user IDs ¶

By default the Confuence application runs as the user confluence, with a UID and GID of 2002. Consequently this UID must have write access to the shared filesystem. If for some reason a different UID must be used, there are a number of options available:

• The Docker image can be rebuilt with a different UID.
• Under Linux, the UID can be remapped using user namespace remapping.

To preserve strict permissions for certain configuration files, this container starts as root to perform bootstrapping before running Confluence under a non-privileged user account. If you wish to start the container as a non-root user, please note that Tomcat configuration, and the bootstrapping of seraph-config.xml (SSO) & confluence-init.properties (overriding $CONFLUENCE_HOME) will be skipped and a warning will be logged. You may still apply custom configuration in this situation by mounting a custom file directly, e.g. by mounting your own server.xml file directly to /opt/atlassian/confluence/conf/server.xml

Database and Clustering bootstrapping will work as expected when starting this container as a non-root user.

Upgrade ¶

To upgrade to a more recent version of Confluence Server you can simply stop the Confluence container and start a new one based on a more recent image:

docker stop confluence
docker rm confluence
docker run ... (see above)

Backup ¶

For evaluating Confluence you can use the built-in database that will store its files in the Confluence Server home directory. In that case it is sufficient to create a backup archive of the directory on the host that is used as a volume (/data/your-confluence-home in the example above).

Confluence's automatic backup is currently supported in the Docker setup. You can also use the Production Backup Strategy approach if you're using an external database.

Read more about data recovery and backups: Site Backup and Restore

Shutdown ¶

Confluence allows a grace period of 20s for active operations to finish before termination. If sending a docker stop this should be taken into account with the --time flag.

Alternatively, the script /shutdown-wait.sh is provided, which will initiate a clean shutdown and wait for the process to complete. This is the recommended method for shutdown in environments which provide for orderly shutdown, e.g. Kubernetes via the preStop hook.

Versioning ¶

The latest tag matches the most recent official release of Atlassian Confluence Server. So atlassian/confluence:latest will use the newest stable version of Confluence Server available.

Alternatively, you can use a specific minor version of Confluence Server by using a version number tag: atlassian/confluence:7.13. This will install the latest 7.13.x version that is available.

We also publish docker images for our EAP releases (not supported for use in production). The tag for EAP releases is the EAP version. For example to get the 7.8.0-beta1 EAP release, use atlassian/confluence:7.8.0-beta1.

For example, atlassian/confluence:7.13-ubuntu-jdk11 will install the latest 7.13.x version with Eclipse Temurin OpenJDK 11.

Supported JDK versions and base images ¶

Atlassian Docker images are generated from the official Eclipse Temurin OpenJDK Docker images.

Starting from 8.5.6 UBI based tags are published as well. Tags are available in 2 formats: <version>-ubi9 and <version>-ubi9-jdk17.

The build pipeline pushes both JDK11 and JDK17 tags for Confluence versions ranging from 7.19 to 8.9. Starting from 9.0 only JDK17 tags are published. UBI based tags are JDK17 only.

The Docker images follow the Atlassian Support end-of-life policy; images for unsupported versions of the products remain available but will no longer receive updates or fixes.

Historically, we have also generated other versions of the images, including JDK8, Alpine, and 'slim' versions of the JDK. These legacy images still exist in Docker Hub, however they should be considered deprecated, and do not receive updates or fixes.

If for some reason you need a different version, see "Building your own image" above.

Migration to UBI ¶

If you have been mounting any files to ${JAVA_HOME} directory in eclipse-temurin based container, JAVA_HOME in UBI JDK17 container is set to /usr/lib/jvm/java-17.

Also, if you have been mounting and running any custom scripts in the container, UBI-based images may lack some tools and utilities that are available out of the box in eclipse-temurin tags. If that's the case, see Building your own image.

Supported architectures ¶

Currently, Confluence container images are built for the linux/amd64 and linux/arm64 target platforms. The Dockerfiles and support tooling have now had all architecture-specific components removed, so if necessary it is possible to build images for any platform supported by OCI-compliant container runtimes.

Building on the target architecture ¶

Note: This method is known to work on Mac M1 and AWS ARM64 machines, but has not been extensively tested.

The simplest method of getting a platform image is to build it on a target machine. The following assumes you have git and Docker installed. You will also need to know which version of Confluence you want to build; substitute CONFLUENCE_VERSION=x.x.x with your required version:

git clone --recurse-submodule https://bitbucket.org/atlassian-docker/docker-atlassian-confluence-server.git
cd docker-atlassian-confluence-server
docker build --tag my-image --build-arg CONFLUENCE_VERSION=x.x.x .

Troubleshooting ¶

These images include built-in scripts to assist in performing common JVM diagnostic tasks.

Thread dumps ¶

/opt/atlassian/support/thread-dumps.sh can be run via docker exec to easily trigger the collection of thread dumps from the containerized application. For example:

docker exec my_container /opt/atlassian/support/thread-dumps.sh

By default, this script will collect 10 thread dumps at 5 second intervals. This can be overridden by passing a custom value for the count and interval, by using -c / --count and -i / --interval respectively. For example, to collect 20 thread dumps at 3 second intervals:

docker exec my_container /opt/atlassian/support/thread-dumps.sh --count 20 --interval 3

Thread dumps will be written to $APP_HOME/thread_dumps/<date>.

Heap dump ¶

/opt/atlassian/support/heap-dump.sh can be run via docker exec to easily trigger the collection of a heap dump from the containerized application. For example:

docker exec my_container /opt/atlassian/support/heap-dump.sh

A heap dump will be written to $APP_HOME/heap.bin. If a file already exists at this location, use -f / --force to overwrite the existing heap dump file.

Manual diagnostics ¶

The jcmd utility is also included in these images and can be used by starting a bash shell in the running container:

docker exec -it my_container /bin/bash

Support ¶

For product support, go to support.atlassian.com.

You can also visit the Atlassian Data Center forum for discussion on running Atlassian Data Center products in containers.

Contribution ¶

See the contributing guideline if you are contributing from outside Atlassian.

Changelog ¶

For a detailed list of changes to the Docker image configuration see the Git commit history.

License ¶

Copyright © 2020 Atlassian Corporation Pty Ltd. Licensed under the Apache License, Version 2.0.