On Tue, 2018-07-10 at 09:55 -0300, Rafael Weingärtner wrote:
> Hey Dmitry, thanks for the reply.
> The alternative "JDBC_PING" looks promising. However, if I already
> have a transit network that can be used to bind together all keycloak
> replicas, I can "export/bind" the multicast ports of the containers
> on the host, and then everything should work out of the box, right?

Sounds legit, but will require testing of course. I'd recommend that
you use omping [1] to test/troubleshoot multicast issues.

Another option is to set up an L2 tunnel between the nodes (like n2n [2]
or even OpenVPN without encryption and compression), but obviously this
will be harder to maintain.

Good luck!
Dmitry

[1] https://github.com/troglobit/omping
[2] https://www.ntop.org/products/n2n/

On Tue, Jul 10, 2018 at 9:35 AM, Dmitry Telegin <dt(a)acutus.pro> wrote:
> Hi Rafael,
>
> In Keycloak, clustering is implemented via Infinispan [1] (a
> distributed cache), which in turn uses JGroups [2] as a communication
> layer. By default, nodes use IP multicast for discovery (MPING in
> JGroups terminology). So as long as your nodes live in the same private
> network that supports multicast, you should be fine.
>
> If IP multicast is restricted (like e.g. on AWS), one can use alternate
> discovery methods like JDBC_PING (using shared database) or S3_PING
> (obviously, using S3).
>
> See Keycloak documentation on network setup for clustering [3], as well
> as Infinispan and JGroups docs on the same.
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info(a)acutus.pro
>
> [1] http://infinispan.org
> [2] http://www.jgroups.org
> [3] https://www.keycloak.org/docs/latest/server_installation/index.html#_clustering
>
> On Sat, 2018-07-07 at 09:09 -0300, Rafael Weingärtner wrote:
> > Hello Keycloak communities,
> >
> > I am configuring Keycloak for production, and we will need to use it
> > in a clustered fashion. I have read about the two possible deployment
> > scenarios “Standalone clustered mode” and “domain clustered mode”. It
> > seems that the “Standalone clustered mode” is the simpler one. Also, we
> > will be using Docker to deploy Keycloak. Therefore, we will not have
> > the burden of managing configuration files manually. The update
> > (configurations and/or Keycloak versions) should always be a matter of
> > stopping and starting a new version of the Docker container.
> >
> > I have one doubt though. It seems pretty magical that to configure
> > Keycloak in HA mode I only need to use “standalone-ha.xml”. How does
> > the discovery process of nodes happen? I mean, are the replicas
> > communicating with each other directly, or is everything via a shared
> > database? Do I need to expose some specific port from my Keycloak
> > replicas to the network? Or only the standard 443/80 is enough?
> >
> > Thanks in advance for your help ;)
> >
> > --
> > Rafael Weingärtner
>
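
The kind of two-way multicast check that Dmitry suggests running with omping, sketched as an added Python example; it is not omping and not code from this thread. The group address, port, packet format and node names are constructed for illustration; substitute the multicast group and port from your own JGroups configuration.

```python
import socket, struct, time

GROUP, PORT = "239.255.42.99", 45999  # constructed; use your JGroups multicast group/port
MAGIC, REQUEST, REPLY = b"MCPROBE1", 0, 1  # constructed packet marker and message kinds

def encode(kind, seq, node=""):
    return MAGIC + struct.pack("!BI", kind, seq) + node.encode()

def decode(data):  # -> (kind, seq, node), or None for packets that are not ours
    if len(data) < 13 or not data.startswith(MAGIC):
        return None
    kind, seq = struct.unpack("!BI", data[8:13])
    return kind, seq, data[13:].decode(errors="replace")

def open_socket():  # default multicast TTL is 1, so probes stay on the local segment
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("", PORT))
    mreq = socket.inet_aton(GROUP) + socket.inet_aton("0.0.0.0")  # default interface
    s.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    return s

def respond(node):  # run on every replica: answer each request with a multicast reply
    s = open_socket()
    while True:
        msg = decode(s.recvfrom(1500)[0])
        if msg and msg[0] == REQUEST:
            s.sendto(encode(REPLY, msg[1], node), (GROUP, PORT))

def loss_report(sent, replies, expected=()):
    seen = {node: set() for node in expected}  # a silent expected node reports 1.0
    for seq, node in replies:
        seen.setdefault(node, set()).add(seq)  # duplicates count once
    return {n: 1 - len(s & set(range(sent))) / sent for n, s in seen.items()}

def probe(expected, count=5, wait=1.0):  # run on one replica; returns loss per node
    s, replies = open_socket(), []
    s.settimeout(0.2)
    for seq in range(count):
        s.sendto(encode(REQUEST, seq), (GROUP, PORT))
        deadline = time.time() + wait
        while time.time() < deadline:
            try:
                msg = decode(s.recvfrom(1500)[0])
            except socket.timeout:
                continue
            if msg and msg[0] == REPLY:
                replies.append((msg[1], msg[2]))
    return loss_report(count, replies, expected)
```

Start `respond("kc-1")`, `respond("kc-2")` and so on inside each container, then call `probe(["kc-1", "kc-2"])` from one of them; a node reported at 1.0 never got a multicast reply back to the prober, which is the condition under which multicast discovery would not find it.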