[keycloak-user] Keycloak Clustering Issues

Marek Posolda mposolda at redhat.com
Wed Jan 28 09:55:36 EST 2015


If you enable debug logging for 
"org.keycloak.services.DefaultKeycloakSessionFactory" you should see in 
the server log which providers are used. You should see "infinispan" for 
the userSessions, realmCache and userCache providers. Do I understand 
correctly that you're using a load balancer and the Keycloak servers are behind it?

Marek

On 28.1.2015 02:33, Raghu Prabhala wrote:
> Hi Marek - Need some more help from you. I have a cluster of two nodes 
> now and I see the below message on both the nodes after I utilized tcp 
> instead of udp.
>> Received new cluster view: [node1/keycloak|1] (2) [node1/keycloak, 
>> node2/keycloak]
>>
>> While testing the SAML IDP functionality using Spring SAML as service 
>> provider, I noticed that the session information on one node was not 
>> getting replicated on the second one (after successfully logging in 
>> with 1st node, I took it down and the second node redirected me to 
>> login page instead of picking up from where the first one left off)
>>
>> Tried to increase logging for INFINISPAN and JGroups in 
>> standalone.xml but didn't see any change in logs. Any suggestions on 
>> how I can figure out what is happening?
>>
>> Thanks,
>> Raghu
> ------------------------------------------------------------------------
> *From:* Raghu Prabhala <prabhalar at yahoo.com>
> *To:* Marek Posolda <mposolda at redhat.com>
> *Cc:* Keycloak-user <keycloak-user at lists.jboss.org>
> *Sent:* Friday, January 23, 2015 2:19 PM
> *Subject:* Re: [keycloak-user] Keycloak Clustering Issues
>
> Figured out the issue. Udp communication was not allowed. So switched 
> to "tcp". Updated the Jira 979 with the settings for tcp. Please 
> update your documentation so that it can benefit others
>
> Sent from my iPhone
>
>
>
> On Jan 19, 2015, at 11:02 AM, Marek Posolda <mposolda at redhat.com> wrote:
>
> oops, sorry. The server-info page was added recently and it's not in 
> 1.1.Beta2. It would be available in 1.1.0.Final (or alternative is to 
> build keycloak from master).  Anyway, if you enable debug logging for 
> org.keycloak.services.DefaultKeycloakSessionFactory you should see in 
> server.log which providers are used and hence you should see 
> 'infinispan' for realmCache, userCache and userSessions.
>
> We also recently added "Troubleshooting" page to clustering docs, 
> which might help you to figure out what ports are needed 
> https://github.com/keycloak/keycloak/blob/master/docbook/reference/en/en-US/modules/clustering.xml#L222 
> . You can try to temporarily disable firewall and see if it helps with 
> cluster communication. Then you can figure more accurately which ports 
> you need to open.
>
> But generally we rely on infinispan/jgroups for cluster, so more info 
> about cluster config and switch between udp/tcp should be available in 
> their docs.
>
> Marek
>
> On 19.1.2015 13:32, prab rrrr wrote:
>> Hi Marek - Thanks for the below pointers. I believe my setup is good 
>> but probably the udp communication is blocked in my organization as I 
>> do not see the specific log you mentioned. Here are some of the log 
>> messages I see:
>>
>> Starting JGroups channel
>> Received new cluster view ... node 1     (no information about node2)
>>
>> I will look at JGroups documentation to have the communication setup 
>> using tcp on a different port. Hopefully that would address the problem.
>>
>> I tried out the url you provided to verify the setup but it doesn't 
>> work - checked on two different setups. fyi - I am using 1.1Beta2 
>> version.
>>
>> Regards,
>> Raghu
>> ------------------------------------------------------------------------
>> *From:* Marek Posolda <mposolda at redhat.com>
>> *To:* prab rrrr <prabhalar at yahoo.com>; 
>> Keycloak-user <keycloak-user at lists.jboss.org>
>> *Sent:* Monday, January 19, 2015 6:09 AM
>> *Subject:* Re: [keycloak-user] Keycloak Clustering Issues
>>
>> That's quite strange. I've just tested same scenario and works fine 
>> for me. If you do any change on user, the user is invalidated from 
>> cache on node-1 and this change about invalidation should be 
>> propagated to node-2 . As long as you have shared database, node-2 
>> should then retrieve newest data about shared user from database.
>>
>> I would suggest to try this:
>>
>> * Make sure that your infinispan cluster is correctly set. You can 
>> check it by seeing the message similar to this in server.log of both 
>> nodes:
>>
>> node_1 | 10:49:50,344 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-10,shared=udp) ISPN000094: Received new cluster view: [node1/keycloak|1] (2) [node1/keycloak, node2/keycloak]
>>
>> * Make sure that you enable "infinispan" as provider of realmCache 
>> and userCache and configured connectionsInfinispan . When you open 
>> admin console on any node like: 
>> http://node-1:8080/auth/admin/master/console/index.html#/server-info 
>> <http://localhost:8080/auth/admin/master/console/index.html#/server-info>
>>
>> you should see:
>> connectionsInfinispan default
>> realmCache infinispan
>> userCache infinispan
>> userSessions infinispan
>>
>> * If still seeing issues, you can try to enable trace logging for 
>> "org.keycloak.models.cache.infinispan" category.
>>
>> Hope this helps,
>> Marek
>>
>>
>> On 17.1.2015 04:32, prab rrrr wrote:
>>>
>>>
>>> Anyone noticed any issues with Infinispan? I saw a weird issue. 
>>> After setting up a cluster with two nodes, made some changes on 
>>> node-1 (created a user and changed the first name). While the user 
>>> appeared on node-2, the change to the first name didn't make it. 
>>> Restarting the node-2 didn't help either. Wondering if Infinispan is 
>>> preventing all the changes to be picked up from database. If so, 
>>> what settings would ensure that the data is consistent between the 
>>> nodes?
>>>
>>> Thanks,
>>> Raghu
>>>
>>>
>>
>>
>>
>
>
>
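
Added example, not part of the original thread and not Keycloak code: a small Python check that reads the ISPN000094 "Received new cluster view" lines from each node's server.log and the provider listing from the server-info page, and reports which node never saw its peer and which provider is not "infinispan". The log lines, the `mem` provider value and all function names are constructed for illustration; the view-line format is the one quoted in the thread, assumed to sit on a single log line.

```python
import re

# View line format as quoted in the thread (ISPN000094), on a single log line.
VIEW_RE = re.compile(
    r"ISPN000094: Received new cluster view: "
    r"\[[^|\]]+\|(?P<view_id>\d+)\] \((?P<count>\d+)\) \[(?P<members>[^\]]*)\]"
)
REQUIRED_SPIS = ("realmCache", "userCache", "userSessions")

def latest_view(log_text):
    """Return (view_id, members) for the last cluster view in a log, or None."""
    last = None
    for m in VIEW_RE.finditer(log_text):
        members = [x.strip() for x in m.group("members").split(",") if x.strip()]
        if len(members) != int(m.group("count")):
            raise ValueError("member count mismatch: " + m.group(0))
        last = (int(m.group("view_id")), members)
    return last

def check_node(name, log_text, expected):
    """Report whether a node's most recent view contains every expected member."""
    view = latest_view(log_text)
    if view is None:
        return f"{name}: no cluster view logged"
    missing = sorted(set(expected) - set(view[1]))
    if missing:
        return f"{name}: view {view[0]} is missing {', '.join(missing)}"
    return f"{name}: OK, view {view[0]} has {len(view[1])} members"

def non_infinispan_spis(server_info_text):
    """Return required SPIs whose provider in the listing is not 'infinispan'."""
    pairs = (line.split() for line in server_info_text.splitlines())
    seen = {p[0]: p[1] for p in pairs if len(p) == 2}
    return [spi for spi in REQUIRED_SPIS if seen.get(spi) != "infinispan"]

# Constructed sample input (not taken from a real server).
PREFIX = "10:49:50,344 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-10,shared=udp) "
NODE1_LOG = (PREFIX + "ISPN000094: Received new cluster view: [node1/keycloak|0] (1) [node1/keycloak]\n"
             + PREFIX + "ISPN000094: Received new cluster view: [node1/keycloak|1] (2) [node1/keycloak, node2/keycloak]\n")
NODE2_LOG = PREFIX + "ISPN000094: Received new cluster view: [node2/keycloak|0] (1) [node2/keycloak]\n"
SERVER_INFO = "connectionsInfinispan default\nrealmCache infinispan\nuserCache infinispan\nuserSessions mem\n"

if __name__ == "__main__":
    expected = ["node1/keycloak", "node2/keycloak"]
    print(check_node("node1", NODE1_LOG, expected))
    print(check_node("node2", NODE2_LOG, expected))
    print("not clustered:", non_infinispan_spis(SERVER_INFO))
```

A node whose latest view lists only itself has not joined the cluster, which matches the blocked-UDP case described earlier in the thread; a `userSessions` provider other than `infinispan` matches the symptom of being sent back to the login page after failover.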
