[keycloak-user] Configuring Keycloak in Standalone Clustered Mode

Dmitry Telegin dt at acutus.pro
Tue Jul 10 09:21:13 EDT 2018


On Tue, 2018-07-10 at 09:55 -0300, Rafael Weingärtner wrote:
> Hey Dmitry, thanks for the reply.
> 
> The alternative "JDBC_PING" looks promising. However, if I already
> have a transit network that can be used to bind together all keycloak
> replicas, I can "export/bind" the multicast ports of the containers
> on the host, and then everything should work out of the box, right?

Sounds legit, but will require testing of course. I'd recommend that
you use omping [1] to test/troubleshoot multicast issues.

Another option is to set up an L2 tunnel between the nodes (like n2n [2]
or even OpenVPN without encryption and compression), but obviously this
will be harder to maintain.

Good luck!
Dmitry

[1] https://github.com/troglobit/omping
[2] https://www.ntop.org/products/n2n/

> 
> On Tue, Jul 10, 2018 at 9:35 AM, Dmitry Telegin <dt at acutus.pro>
> wrote:
> > Hi Rafael,
> > 
> > In Keycloak, clustering is implemented via Infinispan [1] (a
> > distributed cache), which in turn uses JGroups [2] as a communication
> > layer. By default, nodes use IP multicast for discovery (MPING in
> > JGroups terminology). So as long as your nodes live in the same private
> > network that supports multicast, you should be fine.
> >
> > If IP multicast is restricted (like e.g. on AWS), one can use alternate
> > discovery methods like JDBC_PING (using shared database) or S3_PING
> > (obviously, using S3).
> >
> > See Keycloak documentation on network setup for clustering [3], as well
> > as Infinispan and JGroups docs on the same.
> > 
> > Cheers,
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> > 
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info at acutus.pro
> > 
> > [1] http://infinispan.org
> > [2] http://www.jgroups.org
> > [3] https://www.keycloak.org/docs/latest/server_installation/index.html#_clustering
> > 
> > On Sat, 2018-07-07 at 09:09 -0300, Rafael Weingärtner wrote:
> > > Hello Keycloak communities,
> > > 
> > > I am configuring Keycloak for production, and we will need to use it
> > > in a clustered fashion. I have read about the two possible deployment
> > > scenarios “Standalone clustered mode” and “domain clustered mode”. It
> > > seems that the “Standalone clustered mode” is the simpler one. Also, we
> > > will be using Docker to deploy Keycloak. Therefore, we will not have the
> > > burden of managing configuration files manually. The update
> > > (configurations and/or Keycloak versions) should always be a matter of
> > > stopping and starting a new version of the Docker container.
> > >
> > > I have one doubt though. It seems pretty magical that to configure
> > > Keycloak in HA mode I only need to use “standalone-ha.xml”. How does the
> > > discovery process of nodes happen? I mean, are the replicas
> > > communicating with each other directly, or is everything via a shared
> > > database? Do I need to expose some specific port from my Keycloak
> > > replicas to the network? Or only the standard 443/80 is enough?
> > > 
> > > Thanks in advance for your help ;)
> > > 
> > > --
> > > Rafael Weingärtner
> > 
> 
> 
> 

