quarkusio / quarkus

Quarkus: Supersonic Subatomic Java.
https://quarkus.io
Apache License 2.0

DevServices for Keycloak fails to start on RHEL with enabled FIPS mode #23268

Closed fedinskiy closed 2 years ago

fedinskiy commented 2 years ago

Describe the bug

Method KeycloakDevServicesProcessor.startKeycloakContainer fails, when running on FIPS-enabled machine.

Expected behavior

DevServices for Keycloak should work on FIPS-enabled machine

Actual behavior

No response

How to Reproduce?

  1. Verify that the machine uses FIPS.
    $ cat /proc/sys/crypto/fips_enabled
    1
  2. Clone Quarkus quickstarts: git@github.com:quarkusio/quarkus-quickstarts.git
  3. Enter the folder cd quarkus-quickstarts/security-keycloak-authorization-quickstart
  4. Run mvn clean verify
  5. We will get an error, when starting container quay.io/keycloak/keycloak:15.0.2:
    2022-01-28 13:42:09,087 ERROR [🐳 .io/.0.2]] (build-54) Log output from the failed container:
    java.lang.RuntimeException: PBKDF2 algorithm not found

Apache Maven 3.8.3 (ff8e977a158738155dc465c6a97ffaf31982d739)
Maven home: /opt/apache-maven-3.8.3
Java version: 11.0.13, vendor: Red Hat, Inc., runtime: /qa/tools/opt/x86_64/openjdk-11.0.13.0.8

Output of uname -a or ver

4.18.0-305.el8.x86_64

Output of java -version

11.0.13, vendor: Red Hat

GraalVM version (if different from Java)

No response

Quarkus version or git rev

2.6.3.Final

Build tool (ie. output of mvnw --version or gradlew --version)

Apache Maven 3.8.3 (ff8e977a158738155dc465c6a97ffaf31982d739)

Additional information

I tried to start different keycloak containers manually, and it looks like docker hub keycloak container works fine:

docker run quay.io/keycloak/keycloak:15.0.2 # fails, but without any mention of PBKDF2
docker run jboss/keycloak:15.0.2 # works

quarkus-bot[bot] commented 2 years ago

/cc @pedroigor, @sberyozkin, @stuartwdouglas

sberyozkin commented 2 years ago

@fedinskiy Thanks for creating this issue. Interesting.

Can you please experiment a bit more with the latest Quarkus 2.7.0.Final release, which uses Keycloak-X 16.1.0 ?

If you'd like you can switch to the WildFly distro with

quarkus.keycloak.devservices.image-name=quay.io/keycloak/keycloak:16.1.0

and similarly you can try the docker hub:

quarkus.keycloak.devservices.image-name=jboss/keycloak:16.1.0 or

quarkus.keycloak.devservices.image-name=jboss/keycloak-x:16.1.0

Please check what works and does not work for you now, it may have to become a Keycloak issue, CC @pedroigor @stianst

fedinskiy commented 2 years ago

  1. Newest Quarkus (mvn clean verify -Dquarkus.platform.version=2.7.0.Final):
    2022-01-28 15:21:07,412 INFO  [🐳 .io/.1.0]] (build-63) Creating container for image: quay.io/keycloak/keycloak-x:16.1.0
    2022-01-28 15:21:07,725 INFO  [🐳 .io/.1.0]] (build-63) Container quay.io/keycloak/keycloak-x:16.1.0 is starting: c3dfbfa6d1bdbb89cc170126550f18ab6346ca9700f3d048f476b344005cdea7
    2022-01-28 15:22:08,499 ERROR [🐳 .io/.1.0]] (build-63) Could not start container: java.lang.IllegalStateException: Container exited with code 1
    <...>
    2022-01-28 15:22:08,535 ERROR [🐳 .io/.1.0]] (build-63) Log output from the failed container:
    2022-01-28 15:21:13,604 INFO  [org.key.qua.run.hos.DefaultHostnameProvider] (main) Hostname settings: FrontEnd: <request>, Strict HTTPS: false, Path: <request>, Strict BackChannel: false, Admin: <request>
    2022-01-28 15:21:15,261 WARN  [org.inf.PERSISTENCE] (keycloak-cache-init) ISPN000554: jboss-marshalling is deprecated and planned for removal
    2022-01-28 15:21:15,463 WARN  [org.inf.CONFIG] (keycloak-cache-init) ISPN000569: Unable to persist Infinispan internal caches as no global state enabled
    2022-01-28 15:21:15,669 INFO  [org.inf.CONTAINER] (keycloak-cache-init) ISPN000556: Starting user marshaller 'org.infinispan.jboss.marshalling.core.JBossUserMarshaller'
    2022-01-28 15:21:16,520 INFO  [org.inf.CONTAINER] (keycloak-cache-init) ISPN000128: Infinispan version: Infinispan 'Triskaidekaphobia' 13.0.0.Final
    2022-01-28 15:21:16,891 INFO  [org.inf.CLUSTER] (keycloak-cache-init) ISPN000078: Starting JGroups channel `ISPN`
    2022-01-28 15:21:17,391 WARN  [org.jgr.pro.UDP] (keycloak-cache-init) JGRP000015: the send buffer of socket MulticastSocket was set to 1.00MB, but the OS only allocated 212.99KB
    2022-01-28 15:21:17,392 WARN  [org.jgr.pro.UDP] (keycloak-cache-init) JGRP000015: the receive buffer of socket MulticastSocket was set to 20.00MB, but the OS only allocated 212.99KB
    2022-01-28 15:21:17,393 WARN  [org.jgr.pro.UDP] (keycloak-cache-init) JGRP000015: the send buffer of socket MulticastSocket was set to 1.00MB, but the OS only allocated 212.99KB
    2022-01-28 15:21:17,393 WARN  [org.jgr.pro.UDP] (keycloak-cache-init) JGRP000015: the receive buffer of socket MulticastSocket was set to 25.00MB, but the OS only allocated 212.99KB
    2022-01-28 15:21:19,501 INFO  [org.jgr.pro.pbc.GMS] (keycloak-cache-init) c3dfbfa6d1bd-15478: no members discovered after 2056 ms: creating cluster as coordinator
    2022-01-28 15:21:19,526 INFO  [org.inf.CLUSTER] (keycloak-cache-init) ISPN000094: Received new cluster view for channel ISPN: [c3dfbfa6d1bd-15478|0] (1) [c3dfbfa6d1bd-15478]
    2022-01-28 15:21:19,599 INFO  [org.inf.CLUSTER] (keycloak-cache-init) ISPN000079: Channel `ISPN` local address is `c3dfbfa6d1bd-15478`, physical addresses are `[172.17.0.3:40247]`
    2022-01-28 15:21:20,033 INFO  [org.key.qua.run.sto.dat.liq.QuarkusJpaUpdaterProvider] (main) Initializing database schema. Using changelog META-INF/jpa-changelog-master.xml
    2022-01-28 15:21:24,326 INFO  [org.key.con.inf.DefaultInfinispanConnectionProviderFactory] (main) Node name: c3dfbfa6d1bd-15478, Site name: null
    2022-01-28 15:21:24,499 INFO  [org.key.services] (main) KC-SERVICES0050: Initializing master realm
    2022-01-28 15:21:26,886 INFO  [org.inf.CLUSTER] (main) ISPN000080: Disconnecting JGroups channel `ISPN`
    2022-01-28 15:21:27,080 ERROR [org.key.qua.run.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server using profile (prod)
    2022-01-28 15:21:27,081 ERROR [org.key.qua.run.cli.ExecutionExceptionHandler] (main) ERROR: Failed to generate keys
    2022-01-28 15:21:27,081 ERROR [org.key.qua.run.cli.ExecutionExceptionHandler] (main) ERROR: org.bouncycastle.util.io.pem.PemGenerationException: unknown object passed - can't encode.
    2022-01-28 15:21:27,081 ERROR [org.key.qua.run.cli.ExecutionExceptionHandler] (main) ERROR: unknown object passed - can't encode.
    2022-01-28 15:21:27,081 ERROR [org.key.qua.run.cli.ExecutionExceptionHandler] (main) For more details run the same command passing the '--verbose' option. Also you can use '--help' to see the details about the usage of the particular command.

fedinskiy commented 2 years ago

WildFly distro (mvn clean verify -Dquarkus.keycloak.devservices.image-name=quay.io/keycloak/keycloak:16.1.):

2022-01-28 15:16:32,639 ERROR [🐳 .io/.1.0]] (build-48) Could not start container: java.lang.IllegalStateException: Container exited with code 1
    at org.testcontainers.containers.GenericContainer.tryStart(GenericContainer.java:497)
    <...>
    at org.jboss.threads.JBossThread.run(JBossThread.java:501)

2022-01-28 15:16:32,681 ERROR [🐳 .io/.1.0]] (build-48) Log output from the failed container:
java.lang.RuntimeException: PBKDF2 algorithm not found

fedinskiy commented 2 years ago

Dockerhub keycloak (mvn clean verify -Dquarkus.keycloak.devservices.image-name=jboss/keycloak:16.1.0):

2022-01-28 15:26:12,542 INFO  [🐳 .1.0]] (build-25) Creating container for image: jboss/keycloak:16.1.0
2022-01-28 15:26:12,849 INFO  [🐳 .1.0]] (build-25) Starting container with ID: 976e471cf632376838987cfbc8f39d5de03a9699c1bd71dfaeb649352ee7c368
2022-01-28 15:26:13,539 INFO  [🐳 .1.0]] (build-25) Container jboss/keycloak:16.1.0 is starting: 976e471cf632376838987cfbc8f39d5de03a9699c1bd71dfaeb649352ee7c368
2022-01-28 15:27:13,694 ERROR [🐳 .1.0]] (build-25) Could not start container: java.lang.IllegalStateException: Container exited with code 1
    at org.testcontainers.containers.GenericContainer.tryStart(GenericContainer.java:497)
<...>
2022-01-28 15:27:13,724 ERROR [🐳 .1.0]] (build-25) Log output from the failed container:
java.lang.RuntimeException: PBKDF2 algorithm not found

fedinskiy commented 2 years ago

Dockerhub keycloak-X (mvn clean verify -Dquarkus.keycloak.devservices.image-name=jboss/keycloak-x:16.1.0):

2022-01-28 15:32:01,542 INFO  [🐳 .1.0]] (build-34) Pulling docker image: jboss/keycloak-x:16.1.0. Please be patient; this may take some time but only needs to be done once.
2022-01-28 15:32:01,796 ERROR [com.git.doc.api.asy.ResultCallbackTemplate] (docker-java-stream--1851918019) Error during callback: com.github.dockerjava.api.exception.NotFoundException: Status 404: {"message":"pull access denied for jboss/keycloak-x, repository does not exist or may require 'docker login': denied: requested access to the resource is denied"}

fedinskiy commented 2 years ago

@sberyozkin I think that's all. Basically, both keycloak images fail due to lack of the PBKDF2 algorithm, keycloak-x on quay can not generate keys, and keycloak-x on docker hub doesn't exist.

sberyozkin commented 2 years ago

@fedinskiy Thanks for these tests. Can you please do one more test? Given that docker run jboss/keycloak:15.0.2 worked for you, can you try

mvn clean verify -Dquarkus.keycloak.devservices.image-name=jboss/keycloak:15.0.2 with Quarkus 2.7.0.Final?

I think this is an issue with the image, but this test should confirm that using testcontainers is not a problem.

fedinskiy commented 2 years ago

Old dockerhub image and new Quarkus (mvn clean verify -Dquarkus.platform.version=2.7.0.Final -Dquarkus.keycloak.devservices.image-name=jboss/keycloak:15.0.2):

2022-01-31 11:21:07,617 INFO  [io.qua.oid.dep.dev.key.KeycloakDevServicesProcessor] (build-31) Using WildFly powered Keycloak distribution
2022-01-31 11:21:07,632 INFO  [🐳 .0.2]] (build-31) Creating container for image: jboss/keycloak:15.0.2
2022-01-31 11:21:07,818 INFO  [🐳 .0.2]] (build-31) Container jboss/keycloak:15.0.2 is starting: 5d80e98631e5a712c70d7224c2819af781175936bd76af0c9a1f6cf0dcf8e8e1
2022-01-31 11:21:32,177 INFO  [🐳 .0.2]] (build-31) Container jboss/keycloak:15.0.2 started in PT24.557465S
2022-01-31 11:21:32,361 INFO  [io.qua.oid.dep.dev.key.KeycloakDevServicesProcessor] (build-31) Dev Services for Keycloak started.

If I am not mistaken, it's the only combination where the container started successfully.

sberyozkin commented 2 years ago

@fedinskiy Thanks very much, it helps to isolate the problem. Let me find where exactly in Keycloak the issue should be created and I'll link to it here once it is done.

sberyozkin commented 2 years ago

@fedinskiy FYI, please watch https://github.com/keycloak/keycloak-containers/issues/354

sberyozkin commented 2 years ago

@fedinskiy Please note the documented workaround from Stian in the https://github.com/keycloak/keycloak/issues/9916 description

sberyozkin commented 2 years ago

Closing it as it is a pure Keycloak issue. The same workaround which was implemented at https://github.com/quarkus-qe/quarkus-test-suite/pull/581/files can be supported for DevServices for Keycloak with quarkus.keycloak.devservices.java-opts=-Dcom.redhat.fips=false
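An added diagnostic (not part of this issue, Quarkus or Keycloak) that performs the same SecretKeyFactory lookup that surfaces as "PBKDF2 algorithm not found" in the container logs above, alongside the host FIPS flag from step 1 of the reproducer and the com.redhat.fips property used in the workaround. The list of PBKDF2 variant names is an assumption about what a password hasher might request, not taken from Keycloak sources.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.crypto.SecretKeyFactory;

/** Reports host/JVM FIPS state and which PBKDF2 variants the JDK can actually resolve. */
public final class Pbkdf2FipsCheck {

    // Assumed variant names a PBKDF2 password hasher may ask for (not from Keycloak code).
    private static final String[] ALGORITHMS = {
        "PBKDF2WithHmacSHA1", "PBKDF2WithHmacSHA256", "PBKDF2WithHmacSHA512"
    };

    /** Same kernel flag the reproducer reads in step 1: "1" means the host enforces FIPS. */
    static boolean hostFipsEnabled() {
        try {
            return "1".equals(Files.readString(Path.of("/proc/sys/crypto/fips_enabled")).trim());
        } catch (Exception e) {
            return false; // file absent: kernel has no FIPS switch at all
        }
    }

    /** Algorithms that resolve to some provider; an empty list is the failing condition. */
    static List<String> availablePbkdf2() {
        List<String> found = new ArrayList<>();
        for (String alg : ALGORITHMS) {
            try {
                Provider p = SecretKeyFactory.getInstance(alg).getProvider();
                found.add(alg + " (" + p.getName() + ")");
            } catch (NoSuchAlgorithmException e) {
                // This NoSuchAlgorithmException is what a FIPS-restricted provider set produces.
            }
        }
        return found;
    }

    public static void main(String[] args) {
        System.out.println("host fips_enabled    : " + hostFipsEnabled());
        System.out.println("-Dcom.redhat.fips    : " + System.getProperty("com.redhat.fips", "<unset>"));
        System.out.println("security providers   : " + Security.getProviders().length);
        List<String> ok = availablePbkdf2();
        System.out.println("PBKDF2 variants found: " + (ok.isEmpty() ? "NONE" : ok));
    }
}
```

Run it with the container's JDK twice, `java Pbkdf2FipsCheck.java` and `java -Dcom.redhat.fips=false Pbkdf2FipsCheck.java`, to see whether the property alone changes the resolvable set before relying on the workaround.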