[keycloak-user] Configuring Keycloak in Standalone Clustered Mode

Tue Jul 10 09:23:16 EDT 2018

Thanks for the feedback!
I will test with both. (i) Exporting the ports of the container and also
with (ii) JDBC_PING. Then, I will provide some feedback here.

Thanks again for the help ;)

On Tue, Jul 10, 2018 at 10:21 AM, Dmitry Telegin <dt at acutus.pro> wrote:

> On Tue, 2018-07-10 at 09:55 -0300, Rafael Weingärtner wrote:
> > Hey Dmitry, thanks for the reply.
> >
> > The alternative "JDBC_PING" looks promising. However, if I already
> > have a transit network that can be used to bind together all keycloak
> > replicas, I can "export/bind" the multicast ports of the containers
> > on the host, and then everything should work out of the box, right?
>
> Sounds legit, but will require testing of course. I'd recommend that
> you use omping [1] to test/troubleshoot multicast issues.
>
> Another option is to set up L2 tunnel between the nodes (like n2n [2]
> or even OpenVPN without encryption and compression), but obviously this
> will be harder to maintain.
>
> Good luck!
> Dmitry
>
> [1] https://github.com/troglobit/omping
> [2] https://www.ntop.org/products/n2n/
>
> >
> > On Tue, Jul 10, 2018 at 9:35 AM, Dmitry Telegin <dt at acutus.pro>
> > wrote:
> > > Hi Rafael,
> > >
> > > In Keycloak, clustering is implemented via Infinispan [1] (a
> > > distributed cache), which in turn uses JGroups [2] as a
> > > communication
> > > layer. By default, nodes use IP multicast for discovery (MPING in
> > > JGroups terminology). So as long as your nodes live in the same
> > > private
> > > network that supports multicast, you should be fine.
> > >
> > > If IP multicast is restricted (like e.g. on AWS), one can use
> > > alternate
> > > discovery methods like JDBC_PING (using shared database) or S3_PING
> > > (obviously, using S3).
> > >
> > > See Keycloak documentation on network setup for clustering [3], as
> > > well
> > > as Infinispan and JGroups docs on the same.
> > >
> > > Cheers,
> > > Dmitry Telegin
> > > CTO, Acutus s.r.o.
> > > Keycloak Consulting and Training
> > >
> > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > +42 (022) 888-30-71
> > > E-mail: info at acutus.pro
> > >
> > > [1] http://infinispan.org
> > > [2] http://www.jgroups.org
> > > [3] https://www.keycloak.org/docs/latest/server_installation/index.
> > > html
> > > #_clustering
> > >
> > > On Sat, 2018-07-07 at 09:09 -0300, Rafael Weingärtner wrote:
> > > > Hello Keycloak communities,
> > > >
> > > > I am configuring Keycloak for production, and we will need to use
> > > it
> > > > in a
> > > > clustered fashion. I have read about the two possible deployment
> > > > scenarios
> > > > “Standalone clustered mode”  and “domain clustered mode”.  It
> > > seems
> > > > that
> > > > the “Standalone clustered mode”  is the simpler one. Also, we
> > > will be
> > > > using
> > > > Docker to deploy Keycloak. Therefore, we will not have the burden
> > > of
> > > > managing configuration files manually. The update (configurations
> > > > and/or
> > > > Keycloak versions) should always be a matter of stopping and
> > > starting
> > > > a new
> > > > version of the Docker container.
> > > >
> > > > I have one doubt though. It seems pretty magical that to
> > > configure
> > > > Keycloak
> > > > in HA mode I only need to use “standalone-ha.xml”. How does the
> > > > discovery
> > > > process of nodes happen? I mean, are the replicates communicating
> > > > with each
> > > > other directly, or is everything via a shared database? Do I need
> > > to
> > > > expose
> > > > some specific port from my Keycloaks replicas to the network? Or
> > > only
> > > > the
> > > > standard 443/80 is enough?
> > > >
> > > > Thanks in advance for your help ;)
> > > >
> > > > --
> > > > Rafael Weingärtner
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
> >
> >
> >
>

-- 
Rafael Weingärtner