[keycloak-user] Keycloak-mysql Docker -- 2 issues

Jonathan D'Andries jonathandandries at gmail.com
Fri May 12 15:48:21 EDT 2017 

Two issues related to running keycloak-mysql:3.0.0.Final and mysql:5.7.18
in docker-compose, but that will likely have broader impact in certain
circumstances:

Issue #1. JBoss doesn't wait for mysql to be available, and it fails to
create a connection if mysql hasn’t come up yet (no retry). This is
especially problematic if you are trying to use docker-compose since
everything likes to start around the same time:

Error:

19:18:03,553 WARN
[org.jboss.jca.core.connectionmanager.pool.strategy.OnePool]
(ServerService Thread Pool -- 50) IJ000604: Throwable while attempting
to get a new connection: null: javax.resource.ResourceException:
IJ031084: Unable to create connection

Workaround:

   - Need a custom Dockerfile to override the ENTRYPOINT definition to use
   a custom docker-entrypoint-waitforit.sh. And note that because we are
   changing ENTRYPOINT, we also need to redefine CMD.

Gist of the Dockerfile:

FROM jboss/keycloak-mysql:3.0.0.Final
COPY  docker-entrypoint-waitforit.sh wait-for-it.sh /
ENTRYPOINT ["/docker-entrypoint-waitforit.sh”]
CMD ["-b", "0.0.0.0"]

Gist of docker-entrypoint-waitforit.sh:

#!/bin/bash
/wait-for-it.sh mysql:3306 -t 60 -- /opt/jboss/docker-entrypoint.sh $@
exit $?

For wait-for-it.sh, see: https://github.com/vishnubob/wait-for-it or see:
https://github.com/jwilder/dockerize

Docker recommends this approach:
https://docs.docker.com/compose/startup-order/

Issue #2. When running in docker-compose, JBoss cannot connect to mysql
without some extra work. This issue seems to be related to running on the
project-specific default network that is setup by docker-compose.

Note that you don’t have this issue when running independent in docker:

docker run --name mysql -e MYSQL_DATABASE=keycloak -e
MYSQL_USER=keycloak -e MYSQL_PASSWORD=password -e
MYSQL_ROOT_PASSWORD=root_password -d mysql:5.7.18
# wait 30 seconds
docker run --name keycloak-standalone-test --link mysql:mysql -e
KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -e
MYSQL_DATABASE=keycloak -e MYSQL_USERNAME=keycloak -e
MYSQL_PASSWORD=password -p "8080:8080"
jboss/keycloak-mysql:3.0.0.Final

Error when running in docker-compose:

19:24:04,072 ERROR [org.jboss.as.controller.management-operation]
(ServerService Thread Pool -- 27) WFLYCTL0013: Operation ("add")
failed - address: ([
    ("subsystem" => "datasources"),
    ("data-source" => "KeycloakDS")
]) - failure description: "WFLYCTL0211: Cannot resolve expression
'jdbc:mysql://${env.MYSQL_PORT_3306_TCP_ADDR}:${env.MYSQL_PORT_3306_TCP_PORT}/${env.MYSQL_DATABASE:keycloak}'”

Workarounds:

   1.

   Option-1: In docker-compose.yml for the keycloak service, define these
   environment variables:

   - MYSQL_PORT_3306_TCP_ADDR=mysql
   - MYSQL_PORT_3306_TCP_PORT=3306

   2.

   Option-2: run the keycloak and mysql services on the default “bridge”
   network:
   In the keycloak and mysql service definitions:

   network_mode: bridge

   Separately:

   networks:
    default:
      external:
        name: bridge


Bottom line question:

   - Why does JBoss behave differently when trying to connect to mysql on
   the global “bridge” network (works) vs the project-specific default network
   (fails)?


Jonathan

--
Jonathan D'Andries
http://www.linkedin.com/in/jonathandandries/

More information about the keycloak-user mailing list