Known issues and limitations
If the hostname is greater than 64 characters, there will be issues with certificates. It is recommended to use a hostname shorter than 64 characters or use SANs for hostnames in the certificates.
The MarkLogic Docker image must be run in privileged mode. If the image is not run in this mode, many calls that use sudo in the startup script will fail because the required permissions are lacking. The image will also be unable to create a user with the required permissions.
The latest released version of CentOS 7 has known security vulnerabilities with respect to glib2 CVE-2016-3191, CVE-2015-8385, CVE-2015-8387, CVE-2015-8390, CVE-2015-8394, CVE-2016-3191, glibc CVE-2019-1010022, pcre CVE-2015-8380, CVE-2015-8387, CVE-2015-8390, CVE-2015-8393, CVE-2015-8394, and SQLite CVE-2019-5827. These libraries are included in the CentOS base image but, to-date, fixes are not available. Even though these libraries may be present in the base image that is used by MarkLogic Server, they are not used by MarkLogic Server itself. Becasue of this, there is no impact or mitigation required.
The latest released version of fluent/fluent-bit:2.2.2 has known security vulnerabilities with respect to libcom-err2 CVE-2022-1304, libgcrypt20 CVE-2021-33560, libgnutls30 CVE-2024-0567, libldap-2.4-2 CVE-2023-2953, libzstd1 CVE-2022-4899, and zlib1g CVE-2023-45853. These libraries are included in the Debian base image, but, to-date, fixes are not available. For libpq5 CVE-2024-0985, a future upgrade of the fluent-bit image will include the fix. Updates and mitigation strategies will be provided as soon as more information is available.
The latest released version of redhat/ubi9:9.3 has known security vulnerabilities with respect to setup tools GHSA-r9hx-vwmv-q579. A future upgrade of the Redhat ubi image should include the fix.
The security context
allowPrivilegeEscalation
is set toTRUE
by default in thevalues.yaml
file and cannot be changed to run the current MarkLogic container. Work is in progress to allow the MarkLogic container to run in "rootless" mode.The Readiness and Startup Probe are not compatible with HA deployment. These probes may fail if there is a Security database failover. As of the 1.0.2 Helm Chart release, the startup and readiness probes are disabled by default.