Keycloak 22.0.5 Docker production deployment SSL certificate error

zynd9foi, posted 5 months ago in Docker

I am trying to deploy Keycloak in production mode; these are the Dockerfile, docker build and docker run commands I used.
Before deploying Keycloak I had already created the docker network and the mysql database.

1. Create the network

docker network create keycloak-network


2. Deploy the kc_mysql db (mysql database)

docker run -v /var/lib/docker/volumes/kc_mysql:/var/lib/mysql -p 3307:3306 --name kc_mysql -d --net keycloak-network -e MYSQL_DATABASE=keycloak -e MYSQL_USER=keycloak -e MYSQL_PASSWORD=xxxx -e MYSQL_ROOT_PASSWORD=yyyy mysql


Then I built the docker image and ran the container.

3. Dockerfile

# Use the builder image to build with the necessary configurations
FROM quay.io/keycloak/keycloak:latest as builder

# Enable health and metrics support
ENV KC_HEALTH_ENABLED=true
ENV KC_METRICS_ENABLED=true
ENV KC_FEATURES=token-exchange

# Configure a database vendor
ENV KC_DB=mysql

WORKDIR /opt/keycloak

# Build the configuration
RUN /opt/keycloak/bin/kc.sh build --cache=ispn

# Final image
FROM quay.io/keycloak/keycloak:latest

# Copy the built artifacts from the builder stage
COPY --from=builder /opt/keycloak/ /opt/keycloak/

ENV KC_DB=mysql
ENV KC_DB_URL=jdbc:mysql://kc_mysql:3306/keycloak
ENV KC_DB_USERNAME=yyyy
ENV KC_DB_PASSWORD=xxxx
ENV KC_HOSTNAME=localhost


# Set the entry point to start Keycloak
ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]

4. Docker build command

docker build . -t mykeycloak

5. Docker run command

docker run -v /var/lib/docker/volumes/keycloak:/opt/keycloak/conf -v /etc/letsencrypt/live/abc.xyz.com:/etc/x509/https -e KC_HTTPS_CERTIFICATE_KEY_FILE=/etc/x509/https/privkey.pem -e KC_HTTPS_CERTIFICATE_FILE=/etc/x509/https/fullchain.pem --name mykeycloak -p 8443:8443 -d --net keycloak-network -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin mykeycloak start --optimized


with the SSL certificate. But when I run the container I get the log below; at the bottom of the log there is an error related to the SSL certificate.

INFO [org.keycloak.common.Profile] (main) Preview features enabled: token-exchange
INFO  [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: Base URL: <unset>, Hostname: localhost, Strict HTTPS: true, Path: <request>, Strict BackChannel: false, Admin URL: <unset>, Admin: <request>, Port: -1, Proxied: false
 WARN  [io.quarkus.agroal.runtime.DataSources] (main) Datasource <default> enables XA but transaction recovery is not enabled. Please enable transaction recovery by setting quarkus.transaction-manager.enable-recovery=true, otherwise data may be lost if the application is terminated abruptly
 WARN  [org.infinispan.PERSISTENCE] (keycloak-cache-init) ISPN000554: jboss-marshalling is deprecated and planned for removal
 INFO  [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000556: Starting user marshaller 'org.infinispan.jboss.marshalling.core.JBossUserMarshaller'
INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000088: Unable to use any JGroups configuration mechanisms provided in properties {}. Using default JGroups configuration!
 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000078: Starting JGroups channel `ISPN`
INFO  [org.jgroups.JChannel] (keycloak-cache-init) local_addr: 73276fc8-8609-4db5-a34a-73d73e92dbb1, name: 768a15960a95-45041
2023-11-14 04:30:29,649 WARN  [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the send buffer of socket MulticastSocket was set to 1MB, but the OS only allocated 212.99KB
 WARN  [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the receive buffer of socket MulticastSocket was set to 20MB, but the OS only allocated 212.99KB
WARN  [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the send buffer of socket MulticastSocket was set to 1MB, but the OS only allocated 212.99KB
WARN  [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the receive buffer of socket MulticastSocket was set to 25MB, but the OS only allocated 212.99KB
INFO  [org.keycloak.broker.provider.AbstractIdentityProviderMapper] (main) Registering class org.keycloak.broker.provider.mappersync.ConfigSyncEventListener
 INFO  [org.jgroups.protocols.pbcast.GMS] (keycloak-cache-init) 768a15960a95-45041: no members discovered after 2004 ms: creating cluster as coordinator
INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000094: Received new cluster view for channel ISPN: [768a15960a95-45041|0] (1) [768a15960a95-45041]
INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000079: Channel `ISPN` local address is `768a15960a95-45041`, physical addresses are `[172.22.0.3:48009]`
 WARN  [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000569: Unable to persist Infinispan internal caches as no global state enabled
INFO  [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (main) Node name: 768a15960a95-45041, Site name: null
INFO  [org.infinispan.CLUSTER] (main) ISPN000080: Disconnecting JGroups channel `ISPN`

ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (production) mode
ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: /etc/x509/https/fullchain.pem
ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) Key material not provided to setup HTTPS. Please configure your keys/certificates or start the server in development mode.
ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) For more details run the same command passing the '--verbose' option. Also you can use '--help' to see the details about the usage of the particular command.


As I saw suggested in many places, I changed the permissions of the certificate location /etc/letsencrypt/live/abc.xyz.com.
The certificates are:

drwxr-xr-x. 2 root user1  93 Nov  9 13:47 .
drwx--x--x. 3 root root      48 Nov  9 13:47 ..
lrwxrwxrwx. 1 root user1  44 Nov  9 13:47 cert.pem -> ../../archive/abc.xyz.com/cert1.pem
lrwxrwxrwx. 1 root user1  45 Nov  9 13:47 chain.pem -> ../../archive/abc.xyz.com/chain1.pem
lrwxrwxrwx. 1 root user1  49 Nov  9 13:47 fullchain.pem -> ../../archive/abc.xyz.lk/fullchain1.pem
lrwxrwxrwx. 1 root user1  47 Nov  9 13:47 privkey.pem -> ../../archive/abc.xyz.com/privkey1.pem
-rw-r--r--. 1 root user1  692 Nov  9 13:47 README


I am user1, but there is another user, user2. I checked the certificate permissions for root, user1 and user2; there was no problem.

sudo -u user1 file ../../archive/abc.xyz.com/fullchain1.pem
../../archive/abc.xyz.com/fullchain1.pem: PEM certificate

sudo -u user2 file ../../archive/abc.xyz.com/fullchain1.pem
../../archive/abc.xyz.com/fullchain1.pem: PEM certificate


But the error is still there. When I checked with docker inspect <image_name>, all my previous docker images had root as the user.
But for this custom keycloak docker image the user is 1000 (which is user2).

"Config": {
            "Hostname": "768a15960a95",
            "Domainname": "",
            "User": "1000",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "ExposedPorts": {
                "8080/tcp": {},
                "8443/tcp": {}
            },

"Mounts": [
            {
                "Type": "bind",
                "Source": "/var/lib/docker/volumes/keycloak",
                "Destination": "/opt/keycloak/conf",
                "Mode": "",
                "RW": true,
                "Propagation": "rslave"
            },
            {
                "Type": "bind",
                "Source": "/etc/letsencrypt/live/abc.xyz.com",
                "Destination": "/etc/x509/https",
                "Mode": "",
                "RW": true,
                "Propagation": "rprivate"
            }
        ],


On the host:

grep 1000 /etc/passwd
>>user2

grep 1001 /etc/passwd
>>user1


I tried the USER keyword in the Dockerfile, both as
USER root and as USER 1001,
but it did not change the user of the image or of the container.
I am user1 (1001), the one who builds and runs the keycloak container, but this is unusual. Can someone explain what is happening here? Although the permissions are set on the certificate files on the host, why does the keycloak container not come up in production mode? How do I run keycloak and avoid the error (main) ERROR: /etc/x509/https/fullchain.pem? Without using certificates the container runs in development mode with start-dev without any problem, but I need a production mode deployment.

qfe3c7zg

After a few days I was able to find the answer to this problem.

  • Vendor: quay.io/keycloak/keycloak
  • Version: Keycloak version 22.0.5

First I moved to docker-compose:

version: '3'

services:
  mykeycloak:
    build:
      context: .
      dockerfile: Dockerfile
    image: my-keycloak:latest
    container_name: mykeycloak
    environment:
      - KC_HTTPS_CERTIFICATE_KEY_FILE=/etc/x509/https/privkey.pem
      - KC_HTTPS_CERTIFICATE_FILE=/etc/x509/https/fullchain.pem
      - KC_DB=mysql
      - KC_DB_URL=jdbc:mysql://kc_mysql:3306/keycloak
      - KC_DB_USERNAME=<kc_username>
      - KC_DB_PASSWORD=<kc_password>
      - KC_HOSTNAME=abc.xyz.com
      - KC_HOSTNAME_PORT=8443
      - KC_HEALTH_ENABLED=true
      - KC_METRICS_ENABLED=true
      - KC_FEATURES=token-exchange
      - KEYCLOAK_ADMIN=<admin>
      - KEYCLOAK_ADMIN_PASSWORD=<admin_password>
    volumes:
      - /var/lib/docker/volumes/keycloak:/opt/keycloak/conf
      - /etc/letsencrypt/live/abc.xyz.com/fullchain.pem:/etc/x509/https/fullchain.pem
      - /etc/letsencrypt/live/abc.xyz.com/privkey.pem:/etc/x509/https/privkey.pem
    ports:
      - "8443:8443"
    networks:
      - keycloak-network
    command: ["start"]

networks:
  keycloak-network:
    external: true

Here I changed the HOSTNAME from localhost to my real domain name abc.xyz.com.
I got the same error as in the question above. The problem seemed to be a permission issue on my host: the Docker user did not have the proper permissions to use fullchain.pem. So I tried the following on my host.
Now, here are the steps that solved the problem:
1. I deployed Keycloak in development mode.

  • For this I had to comment out the following two environment variables in docker-compose:
  - KC_HTTPS_CERTIFICATE_KEY_FILE=/etc/x509/https/privkey.pem
  - KC_HTTPS_CERTIFICATE_FILE=/etc/x509/https/fullchain.pem

  • Then I changed the command from start to start-dev, as follows:
command: ["start-dev"]


2. Then, with the container running, I checked whether it was a permission issue by running cat on the /etc/x509/https/fullchain.pem file, as follows.
docker exec -it <keycloak_container_id> cat /etc/x509/https/fullchain.pem
Response:

cat: /etc/x509/https/fullchain.pem: Permission denied


Now it was clear that the problem is a permission issue.
3. Then I ran the following command, which fixed the permission issue.
chmod -R 644 /etc/letsencrypt/live/abc.xyz.com/fullchain.pem
4. I tried again with the same command as in step (2): docker exec -it <keycloak_container_id> cat /etc/x509/https/fullchain.pem
Response:

-----BEGIN CERTIFICATE-----
MIIGLTCCBRWgAwIBAgIRAMvuT68080185tVdPX+AoIAwDQYJKoZIhvcNAQELBQAw


5. Problem solved!! Now run docker-compose down, uncomment the environment variables commented out above, and change the command from start-dev to start or start --optimized.
6. Now run docker-compose up. Keycloak now runs successfully in production mode.
7. Check the logs with docker logs -f <keycloak_container_id>
INFO [io.quarkus] (main) Keycloak 22.0.5 on JVM (powered by Quarkus 3.2.7.Final) started in 7.837s. Listening on: https://0.0.0.0:8443
INFO [io.quarkus] (main) Profile prod activated.
INFO [io.quarkus] (main) Installed features: [agroal, cdi, hibernate-orm, jdbc-h2, jdbc-mariadb, jdbc-mssql, jdbc-mysql, jdbc-oracle, jdbc-postgresql, keycloak, logging-gelf, micrometer, narayana-jta, reactive-routes, resteasy, resteasy-jackson, smallrye-context-propagation, smallrye-health, vertx]

Done!! Now you can access the Keycloak admin panel at https://abc.xyz.com:8443
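The permission problem the answer found by running cat inside the container can be checked from the host before the container is ever started. The script below is an added example and is not part of the question or the answer. It takes the uid the Keycloak image runs as (1000, from the docker inspect output in the question), resolves the Let's Encrypt live/ symlink into archive/, and then tests every directory on the resolved path for the search (x) bit and the file itself for the read (r) bit, which is exactly what a non-root container process needs. The sandbox directory layout, the placeholder file contents and the open_cert_path function are constructed for the demo; the script needs GNU or BusyBox readlink -f and stat -c.

```shell
#!/bin/sh
# Added example, not from the question or the answer: check from the host,
# before starting the container, whether the uid Keycloak runs as (1000 in
# the question's `docker inspect` output) could read a bind-mounted file.
# live/*.pem are symlinks into archive/, so the link is resolved first and
# every directory on the resolved path needs the search bit, the file the
# read bit. Requires GNU/BusyBox `readlink -f` and `stat -c`.

# perm_ok MODE OWNER_UID OWNER_GID UID GID BIT
# 0 if a process running as UID:GID has BIT (4 = read, 1 = search) on an
# object with octal MODE owned by OWNER_UID:OWNER_GID. Plain mode bits only:
# no ACLs, no supplementary groups, no container capability sets.
perm_ok() {
  p_mode=$1; p_ouid=$2; p_ogid=$3; p_uid=$4; p_gid=$5; p_bit=$6
  [ "$p_uid" -eq 0 ] && return 0      # root: CAP_DAC_READ_SEARCH bypasses read/search
  m=${p_mode#"${p_mode%???}"}         # last three octal digits (drop setuid/sticky digit)
  u=${m%??}; g=${m#?}; g=${g%?}; o=${m#??}
  if [ "$p_uid" -eq "$p_ouid" ]; then d=$u
  elif [ "$p_gid" -eq "$p_ogid" ]; then d=$g
  else d=$o
  fi
  [ $(( d & p_bit )) -ne 0 ]
}

# check_readable PATH UID GID
# Walks the symlink-resolved PATH and reports the first component that blocks
# UID:GID. Returns 0 (readable), 1 (denied) or 2 (cannot resolve or stat).
check_readable() {
  c_path=$1; c_uid=$2; c_gid=$3
  target=$(readlink -f "$c_path") || return 2
  old_ifs=$IFS; IFS=/; set -f; set -- $target; set +f; IFS=$old_ifs
  cur=""
  for comp in "$@"; do
    [ -z "$comp" ] && continue
    cur="$cur/$comp"
    if [ "$cur" = "$target" ]; then bit=4; what=read; else bit=1; what=traverse; fi
    info=$(stat -c '%a %u %g' "$cur") || return 2
    mode=${info%% *}; rest=${info#* }; ouid=${rest%% *}; ogid=${rest#* }
    if ! perm_ok "$mode" "$ouid" "$ogid" "$c_uid" "$c_gid" "$bit"; then
      echo "DENIED: uid $c_uid cannot $what $cur (mode $mode, owner $ouid:$ogid)"
      return 1
    fi
  done
  echo "OK: uid $c_uid can read $c_path -> $target"
}

# make_sandbox: constructed stand-in for /etc/letsencrypt, owned by whoever
# runs this script instead of root: archive/ and live/ closed to other users,
# chain world-readable, key 0600. Prints the sandbox root.
make_sandbox() {
  root=$(mktemp -d /tmp/certcheck.XXXXXX) || return 2
  chmod 755 "$root"
  mkdir -p "$root/archive/abc.xyz.com" "$root/live/abc.xyz.com"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed placeholder, not a certificate' \
    '-----END CERTIFICATE-----' > "$root/archive/abc.xyz.com/fullchain1.pem"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructed placeholder, not a key' \
    '-----END PRIVATE KEY-----' > "$root/archive/abc.xyz.com/privkey1.pem"
  ln -s ../../archive/abc.xyz.com/fullchain1.pem "$root/live/abc.xyz.com/fullchain.pem"
  ln -s ../../archive/abc.xyz.com/privkey1.pem "$root/live/abc.xyz.com/privkey.pem"
  chmod 700 "$root/archive" "$root/live"
  chmod 755 "$root/archive/abc.xyz.com" "$root/live/abc.xyz.com"
  chmod 644 "$root/archive/abc.xyz.com/fullchain1.pem"
  chmod 600 "$root/archive/abc.xyz.com/privkey1.pem"
  echo "$root"
}

# open_cert_path ROOT: the smallest host-side change that lets a foreign uid
# read the chain: directories searchable but not listable (0711), chain 0644.
# The key is left at 0600 on purpose; a world-readable private key is never the fix.
open_cert_path() {
  chmod 711 "$1/archive" "$1/live"
  chmod 644 "$1/archive/abc.xyz.com/fullchain1.pem"
}

demo() {
  cuid=1000; cgid=1000   # uid/gid of the Keycloak image's process (from the question)
  sb=$(make_sandbox) || exit 2
  echo "--- before (run as uid 1000 yourself and 'before' already reads OK)"
  check_readable "$sb/live/abc.xyz.com/fullchain.pem" "$cuid" "$cgid"
  check_readable "$sb/live/abc.xyz.com/privkey.pem" "$cuid" "$cgid"
  open_cert_path "$sb"
  echo "--- after open_cert_path"
  check_readable "$sb/live/abc.xyz.com/fullchain.pem" "$cuid" "$cgid"
  check_readable "$sb/live/abc.xyz.com/privkey.pem" "$cuid" "$cgid"
  rm -rf "$sb"
}

case "${1:-}" in --demo) demo ;; esac
```

Run it with sh certcheck.sh --demo. Point check_readable at the real /etc/letsencrypt/live/abc.xyz.com/*.pem files with uid 1000 to reproduce the answer's diagnosis without starting a container. Note that after open_cert_path the chain is readable but the key still reports DENIED: the public certificate chain can safely be world-readable, but the private key should be made readable by the container's uid (or a dedicated group with mode 0640) rather than by everyone, for example by copying it into a directory owned by that uid from a certbot deploy hook and bind-mounting that copy.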
