Closed fedinskiy closed 2 years ago
/cc @pedroigor, @sberyozkin, @stuartwdouglas
@fedinskiy Thanks for creating this issue. Interesting.
Can you please experiment a bit more with the latest Quarkus 2.7.0.Final release, which uses Keycloak-X 16.1.0?
If you'd like you can switch to the WildFly distro with
quarkus.keycloak.devservices.image-name=quay.io/keycloak/keycloak:16.1.0
and similarly you can try the docker hub:
quarkus.keycloak.devservices.image-name=jboss/keycloak:16.1.0
or
quarkus.keycloak.devservices.image-name=jboss/keycloak-x:16.1.0
Please check what works and does not work for you now, it may have to become a Keycloak issue, CC @pedroigor @stianst
mvn clean verify -Dquarkus.platform.version=2.7.0.Final
):
2022-01-28 15:21:07,412 INFO [🐳 .io/.1.0]] (build-63) Creating container for image: quay.io/keycloak/keycloak-x:16.1.0
2022-01-28 15:21:07,725 INFO [🐳 .io/.1.0]] (build-63) Container quay.io/keycloak/keycloak-x:16.1.0 is starting: c3dfbfa6d1bdbb89cc170126550f18ab6346ca9700f3d048f476b344005cdea7
2022-01-28 15:22:08,499 ERROR [🐳 .io/.1.0]] (build-63) Could not start container: java.lang.IllegalStateException: Container exited with code 1
<...>
2022-01-28 15:22:08,535 ERROR [🐳 .io/.1.0]] (build-63) Log output from the failed container:
2022-01-28 15:21:13,604 INFO [org.key.qua.run.hos.DefaultHostnameProvider] (main) Hostname settings: FrontEnd: <request>, Strict HTTPS: false, Path: <request>, Strict BackChannel: false, Admin: <request>
2022-01-28 15:21:15,261 WARN [org.inf.PERSISTENCE] (keycloak-cache-init) ISPN000554: jboss-marshalling is deprecated and planned for removal
2022-01-28 15:21:15,463 WARN [org.inf.CONFIG] (keycloak-cache-init) ISPN000569: Unable to persist Infinispan internal caches as no global state enabled
2022-01-28 15:21:15,669 INFO [org.inf.CONTAINER] (keycloak-cache-init) ISPN000556: Starting user marshaller 'org.infinispan.jboss.marshalling.core.JBossUserMarshaller'
2022-01-28 15:21:16,520 INFO [org.inf.CONTAINER] (keycloak-cache-init) ISPN000128: Infinispan version: Infinispan 'Triskaidekaphobia' 13.0.0.Final
2022-01-28 15:21:16,891 INFO [org.inf.CLUSTER] (keycloak-cache-init) ISPN000078: Starting JGroups channel `ISPN`
2022-01-28 15:21:17,391 WARN [org.jgr.pro.UDP] (keycloak-cache-init) JGRP000015: the send buffer of socket MulticastSocket was set to 1.00MB, but the OS only allocated 212.99KB
2022-01-28 15:21:17,392 WARN [org.jgr.pro.UDP] (keycloak-cache-init) JGRP000015: the receive buffer of socket MulticastSocket was set to 20.00MB, but the OS only allocated 212.99KB
2022-01-28 15:21:17,393 WARN [org.jgr.pro.UDP] (keycloak-cache-init) JGRP000015: the send buffer of socket MulticastSocket was set to 1.00MB, but the OS only allocated 212.99KB
2022-01-28 15:21:17,393 WARN [org.jgr.pro.UDP] (keycloak-cache-init) JGRP000015: the receive buffer of socket MulticastSocket was set to 25.00MB, but the OS only allocated 212.99KB
2022-01-28 15:21:19,501 INFO [org.jgr.pro.pbc.GMS] (keycloak-cache-init) c3dfbfa6d1bd-15478: no members discovered after 2056 ms: creating cluster as coordinator
2022-01-28 15:21:19,526 INFO [org.inf.CLUSTER] (keycloak-cache-init) ISPN000094: Received new cluster view for channel ISPN: [c3dfbfa6d1bd-15478|0] (1) [c3dfbfa6d1bd-15478]
2022-01-28 15:21:19,599 INFO [org.inf.CLUSTER] (keycloak-cache-init) ISPN000079: Channel `ISPN` local address is `c3dfbfa6d1bd-15478`, physical addresses are `[172.17.0.3:40247]`
2022-01-28 15:21:20,033 INFO [org.key.qua.run.sto.dat.liq.QuarkusJpaUpdaterProvider] (main) Initializing database schema. Using changelog META-INF/jpa-changelog-master.xml
2022-01-28 15:21:24,326 INFO [org.key.con.inf.DefaultInfinispanConnectionProviderFactory] (main) Node name: c3dfbfa6d1bd-15478, Site name: null
2022-01-28 15:21:24,499 INFO [org.key.services] (main) KC-SERVICES0050: Initializing master realm
2022-01-28 15:21:26,886 INFO [org.inf.CLUSTER] (main) ISPN000080: Disconnecting JGroups channel `ISPN`
2022-01-28 15:21:27,080 ERROR [org.key.qua.run.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server using profile (prod)
2022-01-28 15:21:27,081 ERROR [org.key.qua.run.cli.ExecutionExceptionHandler] (main) ERROR: Failed to generate keys
2022-01-28 15:21:27,081 ERROR [org.key.qua.run.cli.ExecutionExceptionHandler] (main) ERROR: org.bouncycastle.util.io.pem.PemGenerationException: unknown object passed - can't encode.
2022-01-28 15:21:27,081 ERROR [org.key.qua.run.cli.ExecutionExceptionHandler] (main) ERROR: unknown object passed - can't encode.
2022-01-28 15:21:27,081 ERROR [org.key.qua.run.cli.ExecutionExceptionHandler] (main) For more details run the same command passing the '--verbose' option. Also you can use '--help' to see the details about the usage of the particular command.
WildFly distro (mvn clean verify -Dquarkus.keycloak.devservices.image-name=quay.io/keycloak/keycloak:16.1.):
2022-01-28 15:16:32,639 ERROR [🐳 .io/.1.0]] (build-48) Could not start container: java.lang.IllegalStateException: Container exited with code 1
at org.testcontainers.containers.GenericContainer.tryStart(GenericContainer.java:497)
<...>
at org.jboss.threads.JBossThread.run(JBossThread.java:501)
2022-01-28 15:16:32,681 ERROR [🐳 .io/.1.0]] (build-48) Log output from the failed container:
java.lang.RuntimeException: PBKDF2 algorithm not found
Dockerhub keycloak (mvn clean verify -Dquarkus.keycloak.devservices.image-name=jboss/keycloak:16.1.0):
2022-01-28 15:26:12,542 INFO [🐳 .1.0]] (build-25) Creating container for image: jboss/keycloak:16.1.0
2022-01-28 15:26:12,849 INFO [🐳 .1.0]] (build-25) Starting container with ID: 976e471cf632376838987cfbc8f39d5de03a9699c1bd71dfaeb649352ee7c368
2022-01-28 15:26:13,539 INFO [🐳 .1.0]] (build-25) Container jboss/keycloak:16.1.0 is starting: 976e471cf632376838987cfbc8f39d5de03a9699c1bd71dfaeb649352ee7c368
2022-01-28 15:27:13,694 ERROR [🐳 .1.0]] (build-25) Could not start container: java.lang.IllegalStateException: Container exited with code 1
at org.testcontainers.containers.GenericContainer.tryStart(GenericContainer.java:497)
<...>
2022-01-28 15:27:13,724 ERROR [🐳 .1.0]] (build-25) Log output from the failed container:
java.lang.RuntimeException: PBKDF2 algorithm not found
Dockerhub keycloak-X (mvn clean verify -Dquarkus.keycloak.devservices.image-name=jboss/keycloak-x:16.1.0):
2022-01-28 15:32:01,542 INFO [🐳 .1.0]] (build-34) Pulling docker image: jboss/keycloak-x:16.1.0. Please be patient; this may take some time but only needs to be done once.
2022-01-28 15:32:01,796 ERROR [com.git.doc.api.asy.ResultCallbackTemplate] (docker-java-stream--1851918019) Error during callback: com.github.dockerjava.api.exception.NotFoundException: Status 404: {"message":"pull access denied for jboss/keycloak-x, repository does not exist or may require 'docker login': denied: requested access to the resource is denied"}
@sberyozkin I think, that's all. Basically, both keycloak images fail due to lack of PBKDF2 algorithm, keycloak-x on quay can not generate keys and keycloak-x on docker hub doesn't exist.
@fedinskiy Thanks for these tests.
Can you please do one more test: given that docker run jboss/keycloak:15.0.2 worked for you, can you try
mvn clean verify -Dquarkus.keycloak.devservices.image-name=jboss/keycloak:15.0.2
with Quarkus 2.7.0.Final?
I think this is the issue with the image but this test should confirm that using testcontainers is not a problem.
Old dockerhub image and new Quarkus (mvn clean verify -Dquarkus.platform.version=2.7.0.Final -Dquarkus.keycloak.devservices.image-name=jboss/keycloak:15.0.2):
022-01-31 11:21:07,617 INFO [io.qua.oid.dep.dev.key.KeycloakDevServicesProcessor] (build-31) Using WildFly powered Keycloak distribution
2022-01-31 11:21:07,632 INFO [🐳 .0.2]] (build-31) Creating container for image: jboss/keycloak:15.0.2
2022-01-31 11:21:07,818 INFO [🐳 .0.2]] (build-31) Container jboss/keycloak:15.0.2 is starting: 5d80e98631e5a712c70d7224c2819af781175936bd76af0c9a1f6cf0dcf8e8e1
2022-01-31 11:21:32,177 INFO [🐳 .0.2]] (build-31) Container jboss/keycloak:15.0.2 started in PT24.557465S
2022-01-31 11:21:32,361 INFO [io.qua.oid.dep.dev.key.KeycloakDevServicesProcessor] (build-31) Dev Services for Keycloak started.
If I am not mistaken, it's the only combination where the container started successfully.
@fedinskiy Thanks very much, it helps to isolate. Let me find where exactly in Keycloak the issue should be created and I'll link to it here once it is done
@fedinskiy FYI, please watch https://github.com/keycloak/keycloak-containers/issues/354
@fedinskiy Please note the documented workaround from Stian in the https://github.com/keycloak/keycloak/issues/9916 description
Closing it as it is a pure Keycloak issue; the same workaround which was implemented at https://github.com/quarkus-qe/quarkus-test-suite/pull/581/files can be supported for DevServices for Keycloak
with quarkus.keycloak.devservices.java-opts=-Dcom.redhat.fips=false
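A way to check the diagnosis from this thread on the affected host, added here as an example that is not part of the thread and is not Quarkus or Keycloak code: the probe asks the JVM for PBKDF2 key factories and lists the active security providers, so it can be run once as-is and once with the `-Dcom.redhat.fips=false` option quoted above. The class name `FipsPbkdf2Probe`, the list of algorithm names and the sample password are assumptions made for the example.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.spec.InvalidKeySpecException;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added diagnostic, not Quarkus or Keycloak code. Run twice with the same JDK:
//   java FipsPbkdf2Probe.java
//   java -Dcom.redhat.fips=false FipsPbkdf2Probe.java
public class FipsPbkdf2Probe {

    // Assumption: the container log only says "PBKDF2 algorithm not found"
    // without naming a variant, so the common JCA names are all probed.
    static final String[] ALGORITHMS = {
        "PBKDF2WithHmacSHA1", "PBKDF2WithHmacSHA256", "PBKDF2WithHmacSHA512"
    };

    static String probe(String algorithm) {
        try {
            SecretKeyFactory factory = SecretKeyFactory.getInstance(algorithm);
            // Constructed sample input: derive a key to prove the factory is
            // usable, not merely registered with a provider.
            PBEKeySpec spec = new PBEKeySpec("sample-password".toCharArray(),
                    new byte[16], 1000, 256);
            int bytes = factory.generateSecret(spec).getEncoded().length;
            return "OK via " + factory.getProvider().getName() + " (" + bytes + " bytes)";
        } catch (NoSuchAlgorithmException e) {
            // The condition the failing containers report.
            return "NOT FOUND: " + e.getMessage();
        } catch (InvalidKeySpecException | RuntimeException e) {
            // Covers providers that reject the parameters or return
            // non-extractable keys (getEncoded() == null).
            return "REGISTERED BUT UNUSABLE: " + e;
        }
    }

    public static void main(String[] args) {
        System.out.println("java.version    = " + System.getProperty("java.version"));
        System.out.println("com.redhat.fips = " + System.getProperty("com.redhat.fips", "<unset>"));
        for (Provider p : Security.getProviders()) {
            System.out.println("provider: " + p.getName() + " " + p.getVersionStr());
        }
        for (String algorithm : ALGORITHMS) {
            System.out.println(algorithm + ": " + probe(algorithm));
        }
    }
}
```

A difference in the provider list or in the `NOT FOUND` lines between the two runs shows that the JVM's FIPS alignment, rather than testcontainers or Dev Services, decides whether PBKDF2 is available.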
Describe the bug
Method KeycloakDevServicesProcessor.startKeycloakContainer fails, when running on FIPS-enabled machine.
Expected behavior
DevServices for Keycloak should work on FIPS-enabled machine
Actual behavior
No response
How to Reproduce?
git@github.com:quarkusio/quarkus-quickstarts.git
cd quarkus-quickstarts/security-keycloak-authorization-quickstart
mvn clean verify
quay.io/keycloak/keycloak:15.0.2
:Apache Maven 3.8.3 (ff8e977a158738155dc465c6a97ffaf31982d739) Maven home: /opt/apache-maven-3.8.3 Java version: 11.0.13, vendor: Red Hat, Inc., runtime: /qa/tools/opt/x86_64/openjdk-11.0.13.0.8
Output of uname -a or ver
4.18.0-305.el8.x86_64
Output of java -version
11.0.13, vendor: Red Hat
GraalVM version (if different from Java)
No response
Quarkus version or git rev
2.6.3.Final
Build tool (ie. output of mvnw --version or gradlew --version)
Apache Maven 3.8.3 (ff8e977a158738155dc465c6a97ffaf31982d739)
Additional information
I tried to start different keycloak containers manually, and it looks like docker hub keycloak container works fine: