I'm planning to run my Keycloak instance using Docker (http://blog.keycloak.org/2015/04/running-keycloak-cluster-with-docker.html) with the simplest possible stack.
The only question that I can't figure out now is how to upgrade Keycloak to the latest version when they release a new version and the DB schema needs migration. They provide steps for how to do the migration (https://github.com/keycloak/keycloak-documentation/blob/master/server_admin/topics/MigrationFromOlderVersions.adoc) but I cannot figure out what steps should happen when your Keycloak is containerized.
Any advice will be much appreciated.
In this blog post, we are going to learn how to run Keycloak inside docker, using a dedicated PostgreSQL database also running in a docker container. This setup is mostly designed to be used in a development environment, but it is a good starting point for a production environment using a microservice architecture.
The Keycloak server can be affected by this issue if it is using a H2, MariaDB, MySQL or PostgreSQL database. Before launching the upgrade, check if the server contains duplicated top level groups.
In our setup, we use PostgreSQL as a database for Keycloak to persist data such as users, clients or realms and replace the H2 database provided by default. We run our PostgreSQL instance in a Docker container, using the official PostgreSQL image provided on Docker Hub.
To use a different port, such as port 8180, you can use the following command: docker run --rm --name keycloak -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -p 8180:8180 -it quay.io/keycloak/keycloak:legacy -b 0.0.0.0 -Djboss.http.port=8180
DB migration
Keycloak comes with Liquibase for managing DB versions. What you have to do to upgrade your keycloak should be:
Backup your DB content and non-DB content (custom providers, themes, and so on).
Run docker again with a newer keycloak tag. Then, Liquibase will detect an older version of the DB and perform the necessary steps in order to have it updated. Remember you must provide keycloak with some user to grant DB altering permissions.
Config file migration
There's no automation for this task. If you haven't altered the configuration files, just run the new image. If you have edited them, you need to prepare them for the new version and run the image.
As I've got keycloak configured to run behind a reverse proxy and that needs to have custom configuration files, I wrote a Dockerfile to have my own keycloak docker image, with my own configuration wrapped:
FROM jboss/keycloak-mysql:2.4.0.Final
ADD standalone.xml /opt/jboss/keycloak/standalone/configuration
ADD standalone-ha.xml /opt/jboss/keycloak/standalone/configuration
CMD ["-b", "0.0.0.0"]
Provider, theme... migration
If you have implemented custom providers or other kind of things, you'll need to check their compatibility with the new version. Otherwise, you might need to rewrite them.
As a rule, using latest tag is generally a bad idea for production environments, for any image. There is the risk to have any developer/sysadmin running docker pull command and performing the updating process automatically, which I guess is not what you want. Better stick to fixed version numbers and perform updates yourself, having done the backups first.
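The upgrade order described in the answer above (fixed tag, backup first, then the new image), as an added example that is not part of the original answer. It assumes the database runs in a container of the official mysql image, so that MYSQL_ROOT_PASSWORD is set inside it; the script name, container name, database name and dump path are supplied by the caller and are hypothetical.

```shell
#!/bin/sh
# Added example. Assumptions: the DB runs in an official "mysql" image container
# (so MYSQL_ROOT_PASSWORD is set inside it); container/db names are the caller's.

# is_pinned IMAGE: succeed only for a digest or an explicit tag other than "latest".
# A named tag can still be re-pushed by its publisher; only a digest is immutable.
is_pinned() {
    case $1 in *@sha256:*) return 0 ;; esac
    last=${1##*/}              # drop registry/path so "host:5000/img" is not read as a tag
    case $last in
        *:*) tag=${last##*:} ;;
        *)   return 1 ;;       # no tag: docker would resolve "latest"
    esac
    [ -n "$tag" ] && [ "$tag" != "latest" ]
}

# backup_ok FILE: succeed only if the dump exists and is not empty.
backup_ok() { [ -s "$1" ]; }

# upgrade IMAGE DB_CONTAINER DB_NAME DUMP_FILE
# Returns 2 for usage/unpinned image, 3 for a failed or empty backup, 4 if the pull fails.
upgrade() {
    [ $# -eq 4 ] || { echo "usage: upgrade IMAGE DB_CONTAINER DB_NAME DUMP_FILE" >&2; return 2; }
    image=$1 db_container=$2 db_name=$3 dump=$4
    is_pinned "$image" || { echo "refusing unpinned image: $image" >&2; return 2; }

    # Backup first: Liquibase changes the schema when the new version starts.
    umask 077                  # the dump holds credentials and user data
    docker exec "$db_container" sh -c \
        'exec mysqldump --single-transaction -uroot -p"$MYSQL_ROOT_PASSWORD" "$1"' sh "$db_name" \
        > "$dump" || return 3
    backup_ok "$dump" || { echo "empty backup: $dump" >&2; return 3; }

    # Fetch exactly the requested version; recreating the Keycloak container from it
    # (same DB settings as before) is what triggers the Liquibase migration.
    docker pull "$image" || return 4
    echo "backup at $dump; recreate the Keycloak container from $image"
}

# Run as: sh kc-upgrade.sh upgrade IMAGE DB_CONTAINER DB_NAME DUMP_FILE
if [ "${1:-}" = "upgrade" ]; then shift; upgrade "$@"; fi
```

The script stops before recreating the Keycloak container, so the dump can be checked and copied off the host before the schema is migrated.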