Yes, that's needed. JGroups is by default bound to 127.0.0.1 and should in best practice be bound to a private secure network to limit access. See https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/multicast.html for more details.

On 21 September 2016 at 16:35, Muein Muzamil <shmuein+keycloak-dev@gmail.com> wrote:
Hi all,

I am trying to run KeyCloak in cluster mode with docker containers using standalone-ha.xml but for me containers are not joining the same infinispan cluster. 


I tried to follow following blog entry but not sure it is still valid. http://blog.keycloak.org/2015/04/running-keycloak-cluster-with-docker.html


I was trying to follow this to run multiple docker containers in cluster with the latest images. But when I ran second keycloak container, I didn't see this container joining the 1st cluster. I was seeing this in the log for the second container.

[0m[0m12:31:56,385 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel keycloak: [saskeycloak-fbtit|0] (1) [saskeycloak-fbtit] 


To get it working I had to update private interface in standalone-ha.xml to use docker container's IP. 
 
<interface name="private">
    <!--<inet-address value="${jboss.bind.address.private:127.0.0.1}"/>-->
    <inet-address value="172.17.0.3" />
</interface>

Is that really needed or do we have a better way to get it working?

Regards,
Muein

_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev