 

Keycloak server in docker fails to start in standalone mode?

Well, as the title suggests, this is more of an issue record. I was trying to follow the instructions on this README file of Keycloak docker server images, but encountered a few blockers.

After pulling the image, the command below to start a standalone instance failed.

docker run jboss/keycloak

The error stack trace:

-b 0.0.0.0
=========================================================================

  Using PostgreSQL database

=========================================================================

...

04:45:06,084 INFO  [io.smallrye.metrics] (MSC service thread 1-5) Converted [2] config entries and added [4] replacements
04:45:06,096 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 33) WFLYCTL0013: Operation ("add") failed - address: ([
    ("subsystem" => "datasources"),
    ("data-source" => "KeycloakDS")
]) - failure description: "WFLYCTL0113: '' is an invalid value for parameter user-name. Values must have a minimum length of 1 characters"
...
Caused by: java.lang.RuntimeException: Failed to connect to database
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:382)
...
Caused by: javax.naming.NameNotFoundException: datasources/KeycloakDS -- service jboss.naming.context.java.jboss.datasources.KeycloakDS
    at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:106)
...

I was wondering how it uses a PostgreSQL database, and assumed it might spin up its own instance. But the error looks like it has a problem connecting to the database.

Changing to the embedded H2 DB made it work.

docker run -e DB_VENDOR="h2" --name docker-keycloak-h2 jboss/keycloak

The docker-entrypoint.sh file shows that it uses the logic below to determine what DB to use.

if (getent hosts postgres &>/dev/null); then
        export DB_VENDOR="postgres"
...

And further down the flow, this change-database.cli file indicates that it's actually expecting a running PostgreSQL instance to use.

connection-url=jdbc:postgresql://${env.DB_ADDR:postgres}:${env.DB_PORT:5432}/${env.DB_DATABASE:keycloak}${env.JDBC_PARAMS:}

So I began wondering how PostgreSQL was chosen as a default initially. Executing the commands below in a running Keycloak docker container revealed some interesting things.

[root@71961b81189c bin]# getent hosts postgres
69.172.201.153  postgres.mbox.com
[root@71961b81189c bin]# echo $?
0

Not sure what this postgres.mbox.com is, but apparently it's not an expected PostgreSQL server to be resolved by getent. Not sure whether this is a recent Linux issue either. The hosts entry in the Name Service Switch configuration file /etc/nsswitch.conf looks like below inside the container.

hosts:      files dns myhostname

It is the dns data source that resolved postgres to postgres.mbox.com.


This is why the DB vendor determination logic failed, which eventually caused the container to fail to start. The instructions on this README file do not work as of the day this post is published.

Below are the working commands to start a Keycloak server in docker properly with PostgreSQL as the database.

docker network create keycloak-network

docker run -d --name postgres --net keycloak-network -e POSTGRES_DB=keycloak -e POSTGRES_USER=keycloak -e POSTGRES_PASSWORD=password postgres

docker run --name docker-keycloak-postgres --net keycloak-network -e DB_USER=keycloak -e DB_PASSWORD=password jboss/keycloak

Ruifeng Ma asked May 17 '19 05:05
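
The question above traces the failure to `getent hosts postgres` succeeding for a name that DNS expanded to an unrelated public host. The following is an added example, not code from the original post or from the Keycloak image: a stricter auto-detection check that takes one line of `getent hosts` output and treats it as "a database container exists" only when the exact short name comes back with a private address. The function names and the private-address policy are assumptions, as is the constructed Docker-network sample line.

```shell
#!/bin/sh
# Added example (hypothetical helper names): validate a `getent hosts` answer
# before letting it select the database vendor.

# is_private_ipv4 ADDR: succeed for loopback and RFC 1918 addresses only.
is_private_ipv4() {
    case "$1" in
        10.*|127.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# trust_getent_line NAME "LINE": LINE is "address canonical-name [aliases...]".
# Succeed only if the address is private and NAME itself is one of the returned
# names, so a search-domain expansion such as NAME.example.com is rejected.
trust_getent_line() {
    want=$1
    set -f; set -- $2; set +f      # split the line on whitespace, no globbing
    [ $# -ge 2 ] || return 1       # empty or malformed answer
    addr=$1; shift
    is_private_ipv4 "$addr" || return 1
    for n in "$@"; do
        [ "$n" = "$want" ] && return 0
    done
    return 1
}

# pick_db_vendor "LINE": an explicit DB_VENDOR always wins; otherwise choose
# postgres only for a trusted lookup and fall back to the embedded H2.
pick_db_vendor() {
    if [ -n "${DB_VENDOR:-}" ]; then
        echo "$DB_VENDOR"
    elif trust_getent_line postgres "$1"; then
        echo postgres
    else
        echo h2
    fi
}

# First input is the line shown in the post; the second is a constructed
# example of what a container named "postgres" on a Docker network returns.
pick_db_vendor "69.172.201.153  postgres.mbox.com"
pick_db_vendor "172.18.0.2      postgres"
```

In a real entrypoint the argument would be `"$(getent hosts postgres 2>/dev/null)"`; setting `DB_VENDOR` explicitly, as the working commands in the question effectively require, avoids relying on name resolution at all.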



2 Answers

The problem no longer occurs now. I am voting to close the question.

Ruifeng Ma answered Sep 26 '22 11:09


I ran into the same issue. As it turned out, the key to the solution was the missing parameter "DB_USER=keycloak".

The application tried to authenticate against the database using the username ''. This was indicated by the first error message.

WFLYCTL0113: '' is an invalid value for parameter user-name

Possibly the 4.x and 5.0.0 versions set the default user name to "keycloak", which was no longer the case in 6.0.0.

After adding the parameter DB_USER=keycloak to the list of environment variables, Keycloak started up without any problems.

Mike answered Sep 25 '22 11:09