[keycloak-user] Expose JGroups ports in Docker keycloak-ha-postgres

Alan Gibson alan.gibson at gmail.com
Tue Nov 8 09:06:41 EST 2016


Hi Staffan,

We've got 3 clustered Keycloak nodes running in Docker with host (not
bridge) networking and managed by Mesos/Marathon. Cluster communications
run over UDP. We start them with the following command.

/opt/jboss/docker-entrypoint.sh \
-Dkeycloak.migration.action={{keycloak_migration_action}} \
-Dkeycloak.migration.provider={{keycloak_migration_provider}} \
-Dkeycloak.migration.file={{keycloak_migration_file}} \
-Dkeycloak.migration.strategy={{keycloak_migration_strategy}} \
-Djboss.jgroups.stack={{keycloak_jgroups_stack}} \
-Djboss.jgroups.udp.port={{keycloak_jgroups_udp_port}} \
-Djboss.jgroups.udp.multicast.port={{keycloak_jgroups_udp_multicast_port}} \
-Djboss.jgroups.udp.fd.port={{keycloak_jgroups_udp_fd_port}} \
-Djboss.management.http.port=$PORT1 -Djboss.http.port=$PORT0 \
-Djboss.bind.address.private=$(hostname -i) -b 0.0.0.0 -bmanagement 0.0.0.0 \
--server-config standalone-ha.xml

keycloak_jgroups_stack: udp
keycloak_jgroups_udp_port: 5520
keycloak_jgroups_udp_multicast_port: 4568
keycloak_jgroups_udp_fd_port: 5420

The magic ingredient is getting the jboss.bind.address.private address
from the shell with $(hostname -i). Note that this is definitely not
foolproof, so YMMV.

Br, Alan
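As an added example (not from Alan's post or from the Keycloak project), a small POSIX sh wrapper around the $(hostname -i) approach above: it drops 0.0.0.0, loopback and IPv6 candidates before building the JGroups -D flags, because JGroups refuses 0.0.0.0 (the BindException quoted below) and a loopback bind would leave the node unreachable by its peers. The function names and the port values (taken from the post) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original thread. `hostname -i` may print
# several addresses (including 127.0.0.1 or 127.0.1.1), so pick the first
# routable IPv4 one instead of trusting the raw output.

# pick_bind_addr CANDIDATES -> prints the first usable IPv4 address,
# returns 1 if none of the candidates is usable.
pick_bind_addr() {
  for a in $1; do
    case "$a" in
      0.0.0.0|127.*|*:*) continue ;;   # unbindable, loopback, IPv6
    esac
    # accept only a dotted quad
    if printf '%s\n' "$a" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
      printf '%s\n' "$a"
      return 0
    fi
  done
  return 1
}

# jgroups_opts CANDIDATES -> prints the -D flags for the udp stack used in
# the post (ports 5520/4568/5420) with the validated private bind address,
# or returns 1 without printing anything if no address is usable.
jgroups_opts() {
  addr=$(pick_bind_addr "$1") || return 1
  printf '%s' "-Djboss.jgroups.stack=udp"
  printf ' %s' "-Djboss.jgroups.udp.port=5520"
  printf ' %s' "-Djboss.jgroups.udp.multicast.port=4568"
  printf ' %s' "-Djboss.jgroups.udp.fd.port=5420"
  printf ' %s\n' "-Djboss.bind.address.private=$addr"
}

# Stand-alone use inside the container, in place of the raw $(hostname -i):
#   OPTS=$(jgroups_opts "$(hostname -i)") || { echo "no usable bind address" >&2; exit 1; }
#   exec /opt/jboss/docker-entrypoint.sh $OPTS -b 0.0.0.0 -bmanagement 0.0.0.0 \
#     --server-config standalone-ha.xml
```

Failing hard when no usable address exists is deliberate: starting the node with an empty or loopback bind address would silently produce the "nodes are unaware of each other" symptom described in the quoted message.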

On Tue, Nov 8, 2016 at 11:59 AM, Staffan <solsson at gmail.com> wrote:

> Hi,
>
> I've tried in different docker environments (compose, kubernetes,
> standalone) to get an HA setup running using
> https://hub.docker.com/r/jboss/keycloak-ha-postgres/.
>
> Keycloak nodes start, but are unaware of each other. I fail to reach the
> JGroups ports from any other container or host system. That is expected, as
> https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.3/topics/clustering/multicast.html
> advises you to configure jboss.bind.address.private.
>
> But when I try -Djboss.bind.address.private=0.0.0.0 there's an error
> during startup:
>
> MSC000001: Failed to start service jboss.jgroups.channel.ee: org.jboss.msc.service.StartException in service jboss.jgroups.channel.ee: java.security.PrivilegedActionException: java.net.BindException: [UDP] /0.0.0.0 is not a valid address on any local network interface
>     at org.wildfly.clustering.jgroups.spi.service.ChannelBuilder.start(ChannelBuilder.java:80)
> Caused by: java.security.PrivilegedActionException: java.net.BindException: [UDP] /0.0.0.0 is not a valid address on any local network interface
>     at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:640)
> Caused by: java.net.BindException: [UDP] /0.0.0.0 is not a valid address on any local network interface
>     at org.jgroups.util.Util.checkIfValidAddress(Util.java:3522)
>
> ... or if I switch to stack="tcp" in the jgroups subsystem:
>
> MSC000001: Failed to start service jboss.jgroups.channel.ee: org.jboss.msc.service.StartException in service jboss.jgroups.channel.ee: java.security.PrivilegedActionException: java.net.BindException: [TCP] /0.0.0.0 is not a valid address on any local network interface
>
> I guess this is a generic Wildfly topic, but I'm curious how the official
> Keycloak docker containers are tested. In a docker environment, what can we
> bind to other than 0.0.0.0 or 127.0.0.1? Is there a way to allow a
> "privileged action"?
>
> regards
> Staffan Olsson