
Keycloak upgrade while running on docker

I'm planning to run my Keycloak instance using Docker (http://blog.keycloak.org/2015/04/running-keycloak-cluster-with-docker.html) with the simplest possible stack:

  1. Docker image for Keycloak itself, latest tag
  2. MySQL image for the Keycloak DB, with a Docker volume attached for persistence

The only question that I can't figure out now is how to upgrade Keycloak to the latest version when they release a new version and the DB schema needs migration. They provide steps for how to do the migration (https://github.com/keycloak/keycloak-documentation/blob/master/server_admin/topics/MigrationFromOlderVersions.adoc) but I cannot figure out what steps should happen when your Keycloak is containerized.

Any advice will be much appreciated.

Alexey asked Dec 23 '17 23:12




1 Answer

DB migration

Keycloak comes with Liquibase for managing DB versions. What you have to do to upgrade your Keycloak should be:

  • Back up your DB content and non-DB content (custom providers, themes, and so on).

  • Run Docker again with a newer Keycloak tag. Then, Liquibase will detect an older version of the DB and perform the necessary steps in order to have it updated. Remember you must provide Keycloak with some user to grant DB altering permissions.

Config file migration

There's no automation for this task. If you haven't altered the configuration files, just run the new image. If you have edited them, you need to prepare them for the new version and run the image.

As I've got Keycloak configured to run behind a reverse proxy, and that needs custom configuration files, I wrote a Dockerfile to have my own Keycloak Docker image, with my own configuration wrapped:

FROM jboss/keycloak-mysql:2.4.0.Final
ADD standalone.xml /opt/jboss/keycloak/standalone/configuration
ADD standalone-ha.xml /opt/jboss/keycloak/standalone/configuration
CMD ["-b", "0.0.0.0"]

Provider, theme... migration

If you have implemented custom providers or other kinds of things, you'll need to check their compatibility with the new version. Otherwise, you might need to rewrite them.


As a rule, using the latest tag is generally a bad idea for production environments, for any image. There is a risk of any developer/sysadmin running the docker pull command and triggering the update process automatically, which I guess is not what you want. Better to stick to fixed version numbers and perform updates yourself, having done the backups first.

See also:

  • Keycloak docker tags
Xtreme Biker answered Oct 06 '22 07:10
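
The upgrade order described in the answer above (back up first, then move to a fixed version tag, never `latest`) can be enforced by a small wrapper. This is an added example, not code from the answer or from the Keycloak project; it assumes the MySQL container was started with `MYSQL_USER`, `MYSQL_PASSWORD` and `MYSQL_DATABASE` in its environment, and the container name and backup path are whatever you pass in. Non-DB content (configuration files, themes, providers) still has to be backed up separately.

```shell
#!/bin/sh
# Added example. Assumptions: the DB container has MYSQL_USER, MYSQL_PASSWORD and
# MYSQL_DATABASE in its environment; container name and backup path are yours.

# Succeed only for an image reference with an explicit non-"latest" tag or a digest.
is_pinned_image() {
  case "$1" in
    *@sha256:*) return 0 ;;            # pinned by digest
  esac
  case "${1##*/}" in                   # drop registry/namespace (may hold host:port)
    *:latest) return 1 ;;
    *:?*)     return 0 ;;              # explicit version tag
    *)        return 1 ;;              # no tag: Docker resolves it to :latest
  esac
}

# Dump the Keycloak schema out of the MySQL container; fail on error or empty dump.
backup_db() {
  docker exec "$1" sh -c \
    'exec mysqldump --single-transaction -u"$MYSQL_USER" -p"$MYSQL_PASSWORD" "$MYSQL_DATABASE"' \
    > "$2" && [ -s "$2" ]
}

# usage: upgrade_keycloak IMAGE DB_CONTAINER BACKUP_FILE
upgrade_keycloak() {
  if ! is_pinned_image "$1"; then
    echo "refusing unpinned image reference: $1" >&2
    return 2
  fi
  if ! backup_db "$2" "$3"; then
    echo "database backup failed, not upgrading" >&2
    return 3
  fi
  docker pull "$1" || return 4
  echo "backup written to $3; recreate the Keycloak container from $1"
}

if [ "$#" -eq 3 ]; then
  upgrade_keycloak "$@"
fi
```

Once the container is recreated from the pinned image, the schema migration itself is done by Liquibase on startup, as the answer describes.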