[keycloak-user] Fwd: Keycloak 3.2.1 Final not working in cluster

mahendra sonawale mahson1 at gmail.com
Thu Nov 9 06:34:21 EST 2017


Hello Simon,

yes, I did provide the server IP in the public interface as well as in the
private interface.

In another reply I have been asked to check multicast

(You can look for the value in
/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts, it should be 0)

In our production Linux env the value is 1 -- does that really affect it?
And would that be the only cause?

Current configuration is as below (changed the IP to a random one):

        <interfaces>
                <interface name="management">
                        <inet-address value="${jboss.bind.address.management:127.0.0.1}" />
                </interface>
                <interface name="public">
                        <inet-address value="${jboss.bind.address:1.2.3.4}" />
                </interface>
                <interface name="private">
                        <inet-address value="${jboss.bind.address.private:1.2.3.4}" />
                </interface>
        </interfaces>
        <socket-binding-group name="standard-sockets"
                default-interface="public"
                port-offset="${jboss.socket.binding.port-offset:0}">
                <socket-binding name="management-http" interface="private"
                        port="${jboss.management.http.port:9990}" />
                <socket-binding name="management-https" interface="private"
                        port="${jboss.management.https.port:9993}" />
                <socket-binding name="ajp" port="${jboss.ajp.port:8009}" />
                <socket-binding name="http" port="${jboss.http.port:8080}" />
                <socket-binding name="https" port="${jboss.https.port:8443}" />
                <socket-binding name="proxy-https" port="443"/>
                <socket-binding name="jgroups-mping" interface="public"
                        port="0"
                        multicast-address="${jboss.default.multicast.address:230.0.0.4}"
                        multicast-port="45700" />
                <socket-binding name="jgroups-tcp" interface="public"
                        port="7600" />
                <socket-binding name="jgroups-tcp-fd" interface="public"
                        port="57600" />
                <socket-binding name="jgroups-udp" interface="public"
                        port="55200"
                        multicast-address="${jboss.default.multicast.address:230.0.0.4}"
                        multicast-port="45688" />
                <socket-binding name="jgroups-udp-fd" interface="public"
                        port="54200" />
                <socket-binding name="modcluster" port="0"
                        multicast-address="224.0.1.105"
                        multicast-port="23364" />
                <socket-binding name="txn-recovery-environment" port="4712" />
                <socket-binding name="txn-status-manager" port="4713" />
                <outbound-socket-binding name="mail-smtp">
                        <remote-destination host="localhost" port="25" />
                </outbound-socket-binding>
        </socket-binding-group>


On Thu, Nov 9, 2017 at 4:47 PM, Simon Payne <simonpayne58 at gmail.com> wrote:

> did you provide the machine ip address for the public interface when you
> start keycloak?  i start my keycloak using /opt/jboss/keycloak/bin/standalone.sh
> -c standalone-ha.xml -b x.x.x.x
>
> On Thu, Nov 9, 2017 at 10:36 AM, mahendra sonawale <mahson1 at gmail.com>
> wrote:
>
>> Hello Simon,
>>
>> Thank you for the response.
>> yes, we are using proxy - APACHE HTTPD configuration PFB the same.
>> I tried to make the jgroups public (kept the public interface IP as our
>> node server actual IP) but no luck, still the server logs are not
>> showing new cluster node.
>>
>> apache proxy configuration:
>>
>> -------------------------------------
>> LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
>> LoadModule remoteip_module modules/mod_remoteip.so
>>
>> ProxyPreserveHost On
>> LimitRequestFieldSize 163840
>> LimitRequestLine 163840
>>
>> #<VirtualHost _default_:80>
>>  ServerName rapid.gi-de.com:443
>>  ErrorLog /opt<dir>/fiam_error_log
>>  CustomLog /<dir>/fiam_access_log combined
>>  LogLevel warn
>>
>> RequestHeader set X-Forwarded-Proto "https"
>>
>> <Proxy https://abc.ac-bc.com/* >
>>  RewriteEngine on
>>  RewriteCond %{REQUEST_FILENAME} !-f
>>  RewriteCond %{REQUEST_FILENAME} !-d
>>  # not rewrite css, js and images
>>  RewriteCond %{REQUEST_URI} !\.(?:css|js|map|jpe?g|gif|png)$ [NC]
>>  RewriteRule ^(.*)$ /auth [NC,L,QSA]
>> #Options -Indexes FollowSymLinks
>>  AllowOverride None
>>  Order allow,deny
>>  Allow from all
>> </Proxy>
>>
>>
>> ProxyPass /auth http://<server IP>:8080/auth
>> ProxyPassReverse /auth http://<server IP>:8080/auth
>>
>> -------------------------------------------------
>>
>> PFB the logs: (tried to run the changes only on 2nd node)
>>
>> 2017-11-09 11:26:20,169 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-6) ISPN000094: Received new cluster view for channel server: [muc1rapidv2s|0] (1) [muc1rapidv2s]
>> 2017-11-09 11:26:20,174 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-7) ISPN000094: Received new cluster view for channel keycloak: [muc1rapidv2s|0] (1) [muc1rapidv2s]
>> 2017-11-09 11:26:20,174 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-5) ISPN000094: Received new cluster view for channel hibernate: [muc1rapidv2s|0] (1) [muc1rapidv2s]
>> 2017-11-09 11:26:20,174 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000094: Received new cluster view for channel ejb: [muc1rapidv2s|0] (1) [muc1rapidv2s]
>> 2017-11-09 11:26:20,175 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel web: [muc1rapidv2s|0] (1) [muc1rapidv2s]
>> 2017-11-09 11:26:20,177 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-6) ISPN000079: Channel server local address is muc1rapidv2s, physical addresses are  *******
>>
>>
>> Please guide.
>>
>>
>> Thanks,
>> Mahendra Sonawale
>> Ph +91 9130775865
>>
>> On Thu, Nov 9, 2017 at 3:16 PM, Simon Payne <simonpayne58 at gmail.com>
>> wrote:
>>
>>> hi, we have a similar setup which is working with 3.2.1.Final.  we have
>>> since upgraded to 3.3.0.Final.
>>>
>>> I'm assuming that you are private interface because you are using a web
>>> proxy?  however, to achieve what you need i think you may have to make the
>>> jgroups public interface.  we have used tcp ping successfully in this way.
>>>
>>>
>>>
>>>
>>> On Thu, Nov 9, 2017 at 9:27 AM, mahendra sonawale <mahson1 at gmail.com>
>>> wrote:
>>>
>>>> Hi Team,
>>>>
>>>> We are facing a similar problem where Keycloak is not running in cluster
>>>> and giving the same error log as mentioned by Subash in jira.
>>>>
>>>> https://issues.jboss.org/browse/KEYCLOAK-5013
>>>>
>>>> I tried to use the private interface as suggested in the document but
>>>> still no luck.
>>>> Am I missing anything else? CAN YOU please help??  I am using Keycloak -
>>>> Version 3.2.1.Final.
>>>> I have a load balancer configured above 2 Keycloak nodes (nodes are
>>>> running on different VMs)
>>>>
>>>> Start command :
>>>> nohup ./bin/standalone.sh --server-config=standalone-ha.xml -b $HOSTNAME -u 230.0.0.4 &
>>>>
>>>> HA configuration :
>>>> <interface name="private">
>>>>   <inet-address value="${jboss.bind.address.private:(node1 IP address and on second node that IP address)}" />
>>>> </interface>
>>>> </interfaces>
>>>> <socket-binding-group name="standard-sockets"
>>>>     default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
>>>>   <socket-binding name="management-http" interface="private"
>>>>       port="${jboss.management.http.port:9990}" />
>>>>   <socket-binding name="management-https" interface="private"
>>>>       port="${jboss.management.https.port:9993}" />
>>>>   <socket-binding name="ajp" port="${jboss.ajp.port:8009}" />
>>>>   <socket-binding name="http" port="${jboss.http.port:8080}" />
>>>>   <socket-binding name="https" port="${jboss.https.port:8443}" />
>>>>   <socket-binding name="proxy-https" port="443"/>
>>>>   <socket-binding name="jgroups-mping" interface="private"
>>>>       port="0" multicast-address="${jboss.default.multicast.address:230.0.0.4}"
>>>>       multicast-port="45700" />
>>>>   <socket-binding name="jgroups-tcp" interface="private"
>>>>       port="7600" />
>>>>   <socket-binding name="jgroups-tcp-fd" interface="private"
>>>>       port="57600" />
>>>>   <socket-binding name="jgroups-udp" interface="private"
>>>>       port="55200" multicast-address="${jboss.default.multicast.address:230.0.0.4}"
>>>>       multicast-port="45688" />
>>>>   <socket-binding name="jgroups-udp-fd" interface="private"
>>>>       port="54200" />
>>>>   <socket-binding name="modcluster" port="0"
>>>>       multicast-address="224.0.1.105" multicast-port="23364" />
>>>>   <socket-binding name="txn-recovery-environment" port="4712" />
>>>>   <socket-binding name="txn-status-manager" port="4713" />
>>>>   <outbound-socket-binding name="mail-smtp">
>>>>     <remote-destination host="localhost" port="25" />
>>>>   </outbound-socket-binding>
>>>> </socket-binding-group>
>>>> Log :
>>>> 2017-11-09 04:38:22,749 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel hibernate: [keycloak2|0] (1) [keycloak2]
>>>> 2017-11-09 04:38:22,750 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel keycloak: [keycloak2|0] (1) [keycloak2]
>>>> 2017-11-09 04:38:22,749 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000094: Received new cluster view for channel ejb: [keycloak2|0] (1) [keycloak2]
>>>> 2017-11-09 04:38:22,750 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-7) ISPN000094: Received new cluster view for channel server: [keycloak2|0] (1) [keycloak2]
>>>> 2017-11-09 04:38:22,749 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel web: [keycloak2|0] (1) [keycloak2]
>>>> 2017-11-09 04:38:22,761 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000079: Channel keycloak local address is keycloak2, physical addresses are [**.**.**.**]
>>>> 2017-11-09 04:38:22,763 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: Channel web local address is keycloak2, physical addresses are [**.**.**.**]
>>>>
>>>
>>>
>>
>
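
Added example, not part of the original thread or of Keycloak: both log excerpts above show every channel with a view of size (1), meaning each node formed its own single-member cluster. The sketch below parses ISPN000094 lines (including mail-wrapped, '>'-quoted ones) and lists channels whose latest view has fewer members than expected; the function names, the node name keycloak1 and the two-member "web" line are assumptions made for illustration.

```python
import re

# Constructed input: the first two entries copy the ISPN000094 format quoted in
# the thread (one still mail-wrapped and '>'-quoted); the third is a made-up
# two-member view showing what a joined channel would log.
SAMPLE_LOG = """\
>>>> 2017-11-09 04:38:22,749 INFO
>>>> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC
>>>> service
>>>> thread 1-3) ISPN000094: Received new cluster view for channel hibernate:
>>>> [keycloak2|0] (1) [keycloak2]
2017-11-09 04:38:22,750 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel keycloak: [keycloak2|0] (1) [keycloak2]
2017-11-09 04:39:10,101 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-5) ISPN000094: Received new cluster view for channel web: [keycloak1|1] (2) [keycloak1, keycloak2]
"""

VIEW_RE = re.compile(
    r"ISPN000094: Received new cluster view for channel\s+(?P<channel>\S+):\s+"
    r"\[(?P<coord>[^|\]]+)\|(?P<view_id>\d+)\]\s+\(\d+\)\s+\[(?P<members>[^\]]*)\]"
)
RECORD_START = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")

def unwrap(text):
    """Strip mail quote markers and rejoin wrapped lines into one record each."""
    records = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def latest_views(text):
    """Map channel name -> (view id, member list) from the last view logged."""
    views = {}
    for record in unwrap(text):
        m = VIEW_RE.search(record)
        if m:
            members = [n.strip() for n in m["members"].split(",") if n.strip()]
            views[m["channel"]] = (int(m["view_id"]), members)
    return views

def unjoined_channels(text, expected_nodes):
    """Channels whose latest view has fewer members than the cluster should."""
    return sorted(ch for ch, (_, members) in latest_views(text).items()
                  if len(members) < expected_nodes)

if __name__ == "__main__":
    print(unjoined_channels(SAMPLE_LOG, expected_nodes=2))
```

Run against each node's server.log with expected_nodes set to the cluster size; a channel that never leaves this list after both nodes are up indicates discovery traffic is not reaching the peer.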

