ivangfr / keycloak-clustered

Keycloak-Clustered extends quay.io/keycloak/keycloak official Keycloak Docker image by adding JDBC_PING discovery protocol.

Keycloak clustering issue: No members discovered. #2

Closed prasad-sankey closed 3 years ago

prasad-sankey commented 4 years ago

Hi, currently I'm configuring Keycloak for production. For this I want to run Keycloak in cluster mode using TCPPING.

In this I have 2 AWS EC2 servers on which I'm running Docker containers for Keycloak using the image "ivanfranchin/keycloak-clustered".

I have also added the below environment variables in the Docker configuration according to the information given in this link https://www.keycloak.org/2019/05/keycloak-cluster-setup:

# IP address of this host, please make sure this IP can be accessed by the other Keycloak instances
JGROUPS_DISCOVERY_EXTERNAL_IP=172.31.140.50
# protocol
JGROUPS_DISCOVERY_PROTOCOL=TCPPING
# IP and Port of all host
JGROUPS_DISCOVERY_PROPERTIES=initial_hosts="172.31.140.50[7600],172.31.140.62[7600]"

The problem is the two keycloak containers running on different host servers cannot discover each other. I have also opened up all ports between them for accessing on the AWS. Can you help me on this?

ivangfr commented 4 years ago

Hi @PrasadPingle thanks for sharing the problem. As soon as I have time, I will have a look at it.

ivangfr commented 4 years ago

@PrasadPingle Sorry, but I didn't have time to try to reproduce your issue yet. However, I have just released version 9.0.3 (latest). It contains a fix suggested by @petrtuma in the TCPPING.cli script (see Issue #1). Maybe it helps. Could you please try? Thanks

karkaletsis commented 3 years ago

I have tried also running clustered keycloak but two keycloak instances can't be discovered

ivangfr commented 3 years ago

@karkaletsis, which discovery protocols have you tried, TCPPING or JDBC_PING?

karkaletsis commented 3 years ago

@ivangfr I am trying JDBC_PING. Actually now it seems a bit better as I see logs related to cluster. I had to expose also 7600 port. But it remains the issue that clusters don't appear in the keycloak console under realm-client-cluster.

ivangfr commented 3 years ago

@karkaletsis I've started keycloak-clustered locally using vagrant as explained here.

What do you mean by "clusters don't appear in the keycloak console under realm-client-cluster"? Could you please detail more about it so that I can check it here?

karkaletsis commented 3 years ago

If you go in the admin console to Clients -> Select a client -> Clusters tab (this remains empty)

ivangfr commented 3 years ago

I've found this https://lists.jboss.org/pipermail/keycloak-user/2017-April/010424.html Looks like this Clustering is related to the Client (application) cluster and not Keycloak cluster.

karkaletsis commented 3 years ago

So, we assume that is ok as is? Do you know what can be checked in app except of having duplicate sessions (one from each instance when login by ip:port)?

ivangfr commented 3 years ago

As far as I know, there isn't a GUI feature to check whether a Keycloak clustering is working or not.

What I've been doing (besides verifying if the Keycloak instances are sharing sessions) is checking their logs, like the one below that shows a cluster is formed with 2 instances.

[org.infinispan.CLUSTER] (MSC service thread 1-1) ISPN000078: Starting JGroups channel ejb
[org.infinispan.CLUSTER] (MSC service thread 1-2) ISPN000078: Starting JGroups channel ejb
[org.infinispan.CLUSTER] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [83b288075207|1] (2) [83b288075207, 5289cc17c558]
[org.infinispan.CLUSTER] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [83b288075207|1] (2) [83b288075207, 5289cc17c558]
[org.infinispan.CLUSTER] (MSC service thread 1-2) ISPN000079: Channel ejb local address is 5289cc17c558, physical addresses are [10.0.0.12:7600]
[org.infinispan.CLUSTER] (MSC service thread 1-1) ISPN000079: Channel ejb local address is 5289cc17c558, physical addresses are [10.0.0.12:7600]
[org.infinispan.CLUSTER] (MSC service thread 1-1) ISPN000078: Starting JGroups channel ejb
[org.infinispan.CLUSTER] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [83b288075207|1] (2) [83b288075207, 5289cc17c558]
[org.infinispan.CLUSTER] (MSC service thread 1-2) ISPN000078: Starting JGroups channel ejb
[org.infinispan.CLUSTER] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [83b288075207|1] (2) [83b288075207, 5289cc17c558]
[org.infinispan.CLUSTER] (MSC service thread 1-1) ISPN000079: Channel ejb local address is 5289cc17c558, physical addresses are [10.0.0.12:7600]
[org.infinispan.CLUSTER] (MSC service thread 1-2) ISPN000079: Channel ejb local address is 5289cc17c558, physical addresses are [10.0.0.12:7600]
[org.infinispan.CLUSTER] (MSC service thread 1-1) ISPN000078: Starting JGroups channel ejb
[org.infinispan.CLUSTER] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [83b288075207|1] (2) [83b288075207, 5289cc17c558]
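
Added example (not part of the original thread and not code from the keycloak-clustered project): the log check described in the comment above, automated as a small parser that reads the ISPN000094 cluster view lines and reports any channel whose latest view has fewer members than expected. The function names and the single-node sample line are assumptions made for illustration.

```python
import re

# ISPN000094 layout, as in the log excerpt above:
#   ... channel <name>: [<coordinator>|<view id>] (<member count>) [<m1>, <m2>, ...]
VIEW_RE = re.compile(
    r"ISPN000094: Received new cluster view for channel (?P<channel>\S+): "
    r"\[(?P<coord>[^|\]]+)\|(?P<view_id>\d+)\] \((?P<count>\d+)\) \[(?P<members>[^\]]*)\]"
)

def latest_views(log_text):
    """Return {channel: view}, keeping the highest view id seen per channel."""
    views = {}
    for line in log_text.splitlines():
        m = VIEW_RE.search(line)
        if not m:
            continue
        members = [x.strip() for x in m["members"].split(",") if x.strip()]
        view = {"coordinator": m["coord"], "view_id": int(m["view_id"]),
                "count": int(m["count"]), "members": members}
        prev = views.get(m["channel"])
        if prev is None or view["view_id"] >= prev["view_id"]:
            views[m["channel"]] = view
    return views

def cluster_problems(log_text, expected_nodes):
    """List reasons the log does not show a cluster of expected_nodes members."""
    views = latest_views(log_text)
    if not views:
        return ["no ISPN000094 cluster view line found"]
    problems = []
    for channel, v in sorted(views.items()):
        if len(v["members"]) != v["count"]:
            problems.append(f"{channel}: count {v['count']} != {len(v['members'])} listed")
        if v["count"] < expected_nodes:
            problems.append(f"{channel}: view {v['view_id']} has {v['count']} of "
                            f"{expected_nodes} expected nodes: {v['members']}")
    return problems

# Constructed sample input. FORMED copies two lines from the excerpt above;
# ALONE is a made-up single-member view, as a node that found no peers would log.
FORMED = """\
[org.infinispan.CLUSTER] (MSC service thread 1-2) ISPN000078: Starting JGroups channel ejb
[org.infinispan.CLUSTER] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [83b288075207|1] (2) [83b288075207, 5289cc17c558]
"""
ALONE = ("[org.infinispan.CLUSTER] (MSC service thread 1-1) ISPN000094: Received new "
         "cluster view for channel ejb: [aaaaaaaaaaaa|0] (1) [aaaaaaaaaaaa]\n")

if __name__ == "__main__":
    for name, text in (("formed", FORMED), ("alone", ALONE)):
        print(name, cluster_problems(text, expected_nodes=2) or "OK")
```

Run it against each instance's own log (for example the saved output of `docker logs`); every node should report the same member list.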
karkaletsis commented 3 years ago

ok, great. Thanks!

karkaletsis commented 3 years ago

How do you prepare the JDBC_PING.cli per version in order to make it work?

ivangfr commented 3 years ago

Usually, the JDBC_PING.cli is the same for all versions.