Keycloak Dev Service fails to start on rootless Docker setup #45940

Open
bonneval opened this issue Jan 29, 2025 · 10 comments · May be fixed by #45958
@bonneval

bonneval commented Jan 29, 2025

Describe the bug

Keycloak Dev Service fails to start with rootless Docker with the following error log.

2025-01-29 09:09:18,785 INFO [tc.qua.io/.0.6] (build-23) Creating container for image: quay.io/keycloak/keycloak:25.0.6
2025-01-29 09:09:18,794 INFO [tc.tes.11.0] (build-23) Creating container for image: testcontainers/ryuk:0.11.0
2025-01-29 09:09:18,866 INFO [tc.tes.11.0] (build-23) Container testcontainers/ryuk:0.11.0 is starting: 721e3e87dd739f95f37021e640a42046a74833cc1bf8a3507cc7916814c5163d
2025-01-29 09:09:19,109 INFO [tc.tes.11.0] (build-23) Container testcontainers/ryuk:0.11.0 started in PT0.314788777S
<====2025-01-29 09:09:19,151 INFO [tc.qua.io/.0.6] (build-23) Container quay.io/keycloak/keycloak:25.0.6 is starting: c25e849df4aa9d8c18ab05109bb46990bf18f961a50cad35247e10948dc428f6
<====2025-01-29 09:09:20,007 INFO [io.qua.dev.key.KeycloakDevServicesProcessor] (docker-java-stream--1719331462) Keycloak: Changes detected in configuration. Updating the server image.
<====2025-01-29 09:09:20,023 INFO [io.qua.dev.key.KeycloakDevServicesProcessor] (docker-java-stream--1719331462) Keycloak: Updating the configuration and installing your custom providers, if any. Please wait.
<====2025-01-29 09:09:25,079 INFO [io.qua.dev.key.KeycloakDevServicesProcessor] (docker-java-stream--1719331462) Keycloak: 2025-01-29 08:09:25,078 INFO [io.qua.dep.QuarkusAugmentor] (main) Quarkus augmentation completed in 4490msEXECUTING [10s]
2025-01-29 09:09:25,091 INFO [io.qua.dev.key.KeycloakDevServicesProcessor] (docker-java-stream--1719331462) Keycloak: Server configuration updated and persisted. Run the following command to review the configuration:
2025-01-29 09:09:25,091 INFO [io.qua.dev.key.KeycloakDevServicesProcessor] (docker-java-stream--1719331462) Keycloak:
2025-01-29 09:09:25,091 INFO [io.qua.dev.key.KeycloakDevServicesProcessor] (docker-java-stream--1719331462) Keycloak: kc.sh show-config
2025-01-29 09:09:25,092 INFO [io.qua.dev.key.KeycloakDevServicesProcessor] (docker-java-stream--1719331462) Keycloak:
2025-01-29 09:09:25,093 INFO [io.qua.dev.key.KeycloakDevServicesProcessor] (docker-java-stream--1719331462) Keycloak: Next time you run the server, just run:
2025-01-29 09:09:25,093 INFO [io.qua.dev.key.KeycloakDevServicesProcessor] (docker-java-stream--1719331462) Keycloak:
2025-01-29 09:09:25,093 INFO [io.qua.dev.key.KeycloakDevServicesProcessor] (docker-java-stream--1719331462) Keycloak: kc.sh start --http-enabled=true --hostname-strict=false --spi-user-profile-declarative-user-profile-config-file=/opt/keycloak/upconfig.json --optimized
2025-01-29 09:09:25,093 INFO [io.qua.dev.key.KeycloakDevServicesProcessor] (docker-java-stream--1719331462) Keycloak:
2025-01-29 09:09:26,144 INFO [io.qua.dev.key.KeycloakDevServicesProcessor] (docker-java-stream--1719331462) Keycloak: ERROR: Unexpected error when starting the server in (production) mode
2025-01-29 09:09:26,144 INFO [io.qua.dev.key.KeycloakDevServicesProcessor] (docker-java-stream--1719331462) Keycloak: ERROR: Failed to start quarkus
2025-01-29 09:09:26,144 INFO [io.qua.dev.key.KeycloakDevServicesProcessor] (docker-java-stream--1719331462) Keycloak: ERROR: Failed to reaad default user profile configuration: /opt/keycloak/upconfig.json
2025-01-29 09:09:26,145 INFO [io.qua.dev.key.KeycloakDevServicesProcessor] (docker-java-stream--1719331462) Keycloak: ERROR: /opt/keycloak/upconfig.json (Permission denied)
2025-01-29 09:09:26,145 INFO [io.qua.dev.key.KeycloakDevServicesProcessor] (docker-java-stream--1719331462) Keycloak: For more details run the same command passing the '--verbose' option. Also you can use '--help' to see the details about the usage of the particular command.

It seems like the file permissions of upconfig.json are not correct when the file is copied to the container by KeycloakDevServicesProcessor:

drwxr-xr-x 1 keycloak root 4.0K Jan 29 08:10 .
drwxr-xr-x 1 root root 4.0K Sep 19 17:57 ..
drwxrwxr-x 3 keycloak root 4.0K Sep 19 17:53 bin
drwxrwxr-x 3 keycloak root 4.0K Sep 19 17:57 conf
drwxrwxr-x 2 keycloak root 4.0K Sep 19 17:57 data
drwxrwxr-x 1 keycloak root 4.0K Sep 19 17:53 lib
-rw-rw-r-- 1 keycloak root 12K Sep 19 17:43 LICENSE.txt
drwxrwxr-x 2 keycloak root 4.0K Sep 19 17:57 providers
-rw-rw-r-- 1 keycloak root 492 Sep 19 17:43 README.md
drwxrwxr-x 2 keycloak root 4.0K Sep 19 17:57 themes
-rw-r----- 1 5766578 20003 1.2K Jan 29 08:10 upconfig.json
-rw-rw-r-- 1 keycloak root 26 Sep 19 17:43 version.txt

5766578 is the UID of my local user.
When using docker without rootless setup the Keycloak Devservice starts like expected.

Expected behavior

Keycloak Devservice should start in a rootless docker setup

Actual behavior

Keycloak Devservice does not start in a rootless docker setup

How to Reproduce?

No response

Output of uname -a or ver

Ubuntu 22.04.1

Output of java -version

openjdk 21.0.5

Quarkus version or git rev

3.17.8

Build tool (ie. output of mvnw --version or gradlew --version)

Gradle 8.9

Additional information

No response

@bonneval bonneval added the kind/bug Something isn't working label Jan 29, 2025

quarkus-bot bot commented Jan 29, 2025

/cc @geoand (devservices), @pedroigor (keycloak), @sberyozkin (keycloak), @stuartwdouglas (devservices)

@sberyozkin
Member

As a workaround, you can configure a custom start command like start --http-enabled=true --hostname-strict=false, avoiding copying the upconfig.json file, though this file can be very useful when testing OIDC web-app applications against Keycloak. And there could be other files that may have to be copied to the container.

@cescoffier Do you know how to handle this case, right now I do withClasspathResourceMapping("/dev-service/upconfig.json", "/opt/keycloak/upconfig.json", BindMode.READ_ONLY);

@cescoffier
Member

You may have to change the owner of the file when copying it.

@bonneval
Author

Using following parameters the Keycloak container starts and the import of a realm file is working.
Not the perfect solution, but a good workaround.
Thanks for your help.

quarkus.keycloak.devservices.start-command=start --http-enabled=true --hostname-strict=false
quarkus.keycloak.devservices.realm-path=/home/USERNAME/realm-export.json

@sberyozkin
Member

Thanks @cescoffier @bonneval, so I guess we can use the TestContainers API to run chown ? /opt/keycloak/upconfig.json, but I honestly don't know what ? should be replaced with for it to work in the rootless Docker container...

@bonneval
Author

My guess would be:

chown keycloak:root /opt/keycloak/upconfig.json

Since all other Keycloak related files have this ownership in the container.

I could try this, but I'm not sure how to test this locally.

@sberyozkin
Member

@bonneval Can you please experiment with #45958 when you get a chance ?

@sberyozkin
Member

@bonneval Or, if you can create a simple reproducer to save me some time on setting it up, then I can test it myself.

@bonneval
Author

I tried to reproduce the issue on a different laptop.
The issue was not reproducible there.
Differences to my setup:

  • Ubuntu 24.04
  • User with UID 1000 (default user id)

The file permission in the container for the upconfig.json was:

-rw-rw-r-- 1 keycloak 1000 1.2K Jan 29 08:10 upconfig.json

I see differences in the permission flags and the owning user.
I assume the issue is related to the local Docker environment, so I'm not sure what is required to reproduce the issue.

I will experiment with your code and will come back to you.

@bonneval
Author

withCommand() will modify the startup command and is imho not the right tool to solve the problem.

During my testing I came up with the following code snippet:

// Copies the classpath resource into the container with an explicit read-only mode
// instead of bind-mounting it, so the file is readable by the container's "keycloak"
// user regardless of the host file's uid/gid under rootless Docker.
private void addUpConfigResource() {
    if (Thread.currentThread().getContextClassLoader().getResource("/dev-service/upconfig.json") != null) {
        LOG.debug("Mapping the classpath /dev-service/upconfig.json resource to /opt/keycloak/upconfig.json");
        // 0444: world-readable, not writable; sufficient for Keycloak to load the profile config
        var mountableFile = MountableFile.forClasspathResource("/dev-service/upconfig.json", 0444);
        withCopyFileToContainer(mountableFile, "/opt/keycloak/upconfig.json");
    }
}

What do you think?
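As an added example (not code from this issue, the Quarkus extension or PR #45958), here is a self-contained Testcontainers container class that applies the copy-with-mode approach from the snippet above and adds two checks for confirming, inside the running container, that the file is owned and readable as expected. It assumes Testcontainers on the classpath, the resource path used in the thread, and that the image's default user is keycloak (uid 1000, as in the listings above); the class and method names are made up for the example.

```java
import org.testcontainers.containers.Container;
import org.testcontainers.containers.GenericContainer;
import org.testcontainers.containers.wait.strategy.Wait;
import org.testcontainers.utility.MountableFile;

import java.io.IOException;

/**
 * Keycloak container that copies the user-profile config into the container
 * with an explicit mode instead of bind-mounting it from the host. A bind mount
 * keeps the host file's uid/gid, which under rootless Docker is not the
 * container's "keycloak" user, hence the "Permission denied" in the report.
 */
public class KeycloakProfileContainer extends GenericContainer<KeycloakProfileContainer> {

    static final String UPCONFIG_IN_CONTAINER = "/opt/keycloak/upconfig.json";

    public KeycloakProfileContainer() {
        super("quay.io/keycloak/keycloak:25.0.6"); // image version from the issue log
        // 0444: world-readable, read-only. Ownership is assigned by the daemon on copy,
        // but mode bits alone guarantee the "keycloak" user can read the file.
        withCopyFileToContainer(
                MountableFile.forClasspathResource("/dev-service/upconfig.json", 0444),
                UPCONFIG_IN_CONTAINER);
        // Same start command the dev service uses, pointing Keycloak at the copied file.
        withCommand("start", "--http-enabled=true", "--hostname-strict=false",
                "--spi-user-profile-declarative-user-profile-config-file=" + UPCONFIG_IN_CONTAINER,
                "--optimized");
        withExposedPorts(8080);
        waitingFor(Wait.forLogMessage(".*Listening on:.*", 1));
    }

    /** Returns "owner:group mode" of the copied file as seen from inside the container. */
    public String describeUpconfig() throws IOException, InterruptedException {
        Container.ExecResult r = execInContainer("stat", "-c", "%U:%G %a", UPCONFIG_IN_CONTAINER);
        return r.getStdout().trim(); // e.g. "root:root 444" or "keycloak:root 444"
    }

    /**
     * True when the container's default user (assumed: keycloak, uid 1000) can open the
     * file. This is the condition that failed in the reported rootless setup.
     */
    public boolean upconfigReadableByContainerUser() throws IOException, InterruptedException {
        Container.ExecResult r = execInContainer("sh", "-c",
                "cat " + UPCONFIG_IN_CONTAINER + " > /dev/null");
        return r.getExitCode() == 0;
    }
}
```

Running the same two checks against a container built with withClasspathResourceMapping(..., BindMode.READ_ONLY) on a rootless daemon makes the ownership mismatch visible before Keycloak's startup error does.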
