When deploying my Keycloak to our Docker swarm, we get the following warning and error in the stack trace:
We are trying to deploy the keycloak SPI into the given volume. This works but keycloak can't write/ read into the volume.
10:13:05,350 INFO [org.jboss.modules] (main) JBoss Modules version 1.10.2.Final
10:13:06,057 INFO [org.jboss.msc] (main) JBoss MSC version 1.4.12.Final
10:13:06,069 INFO [org.jboss.threads] (main) JBoss Threads version 2.4.0.Final
10:13:06,220 INFO [org.jboss.as] (MSC service thread 1-2) WFLYSRV0049: Keycloak 12.0.1 (WildFly Core 13.0.3.Final) starting
10:13:06,392 INFO [org.jboss.vfs] (MSC service thread 1-4) VFS000002: Failed to clean existing content for temp file provider of type temp. Enable DEBUG level log to find what caused this
10:13:07,466 INFO [org.wildfly.security] (ServerService Thread Pool -- 22) ELY00001: WildFly Elytron version 1.13.1.Final
10:13:08,587 INFO [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=http-interface' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
10:13:08,653 WARN [org.jboss.as.server.deployment.scanner] (DeploymentScanner-threads - 1) WFLYDS0039: /opt/jboss/keycloak/standalone/deployments is not writable
10:13:08,675 ERROR [org.jboss.as.server.deployment.scanner] (DeploymentScanner-threads - 1) WFLYDS0042: Boot-time scan failed due to inaccessible deployment directory: /opt/jboss/keycloak/standalone/deployments
10:13:08,690 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 3) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
10:13:08,861 INFO [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0039: Creating http management service using socket-binding (management-http)
The errors WFLYDS0039 and WFLYDS0042 are the issue. We mounted the deployments folder to a docker volume on the server on the path: /srv/keycloak_providers When deploying the SPI I can see that the .JAR file can be found on the server in the path above.
Here is the keycloak docker-compose file:
version: "3.7"
services:
db:
image: mariadb
volumes:
- keycloak_db:/var/lib/mysql
environment:
MYSQL_DATABASE: keycloak
networks:
db:
aliases:
- mariadb
keycloak:
image: jboss/keycloak:12.0.1
environment:
- DB_ADDR=mariadb
- DB_PORT=3306
- DB_DATABASE=keycloak
- DB_VENDOR=mariadb
- PROXY_ADDRESS_FORWARDING=true
networks:
- public
- db
volumes:
- keycloak_themes:/opt/jboss/keycloak/themes
- keycloak_providers:/opt/jboss/keycloak/standalone/deployments/
networks:
db:
driver: overlay
public:
external: true
volumes:
keycloak_db:
driver: local-persist
driver_opts:
mountpoint: /srv/keycloak_db
keycloak_themes:
driver: local-persist
driver_opts:
mountpoint: /srv/keycloak_themes
keycloak_providers:
driver: local-persist
driver_opts:
mountpoint: /srv/keycloak_providers
Keycloak server is run as the jboss user which has the uid/gid set to 1000. Make sure that user id 1000 has read/write permissions to that source folder /srv/keycloak_providers. The easiest solution is chmod -R 777 /srv/keycloak_providers from the host OS CLI. But you may need more safe permission configuration - just keep in mind uid 1000 must have read/write access + eventually also some user(s) from the host OS.
Of course it can be more complicated if Docker daemon/Keycloak container has configured uid remapping - there will be another uid on the scene.