Keycloak Boot-time scan failed due to inaccessible deployment directory: /opt/jboss/keycloak/standalone/deployments
When deploying my Keycloak to our Docker swarm, we get the following warning and error in the stack trace:
We are trying to deploy a Keycloak SPI into the given volume. This works, but Keycloak cannot write to/read from the volume.
10:13:05,350 INFO [org.jboss.modules] (main) JBoss Modules version 1.10.2.Final
10:13:06,057 INFO [org.jboss.msc] (main) JBoss MSC version 1.4.12.Final
10:13:06,069 INFO [org.jboss.threads] (main) JBoss Threads version 2.4.0.Final
10:13:06,220 INFO [org.jboss.as] (MSC service thread 1-2) WFLYSRV0049: Keycloak 12.0.1 (WildFly Core 13.0.3.Final) starting
10:13:06,392 INFO [org.jboss.vfs] (MSC service thread 1-4) VFS000002: Failed to clean existing content for temp file provider of type temp. Enable DEBUG level log to find what caused this
10:13:07,466 INFO [org.wildfly.security] (ServerService Thread Pool -- 22) ELY00001: WildFly Elytron version 1.13.1.Final
10:13:08,587 INFO [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=http-interface' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
10:13:08,653 WARN [org.jboss.as.server.deployment.scanner] (DeploymentScanner-threads - 1) WFLYDS0039: /opt/jboss/keycloak/standalone/deployments is not writable
10:13:08,675 ERROR [org.jboss.as.server.deployment.scanner] (DeploymentScanner-threads - 1) WFLYDS0042: Boot-time scan failed due to inaccessible deployment directory: /opt/jboss/keycloak/standalone/deployments
10:13:08,690 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 3) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
10:13:08,861 INFO [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0039: Creating http management service using socket-binding (management-http)
Errors WFLYDS0039 and WFLYDS0042 are the problem.
We mount the deployments folder to a Docker volume on the server at the path: /srv/keycloak_providers
When deploying the SPI, I can see that the .JAR file can be found on the server at the above path.
This is the Keycloak docker-compose file:
version: "3.7"
services:
  db:
    image: mariadb
    volumes:
      - keycloak_db:/var/lib/mysql
    environment:
      MYSQL_DATABASE: keycloak
    networks:
      db:
        aliases:
          - mariadb
  keycloak:
    image: jboss/keycloak:12.0.1
    environment:
      - DB_ADDR=mariadb
      - DB_PORT=3306
      - DB_DATABASE=keycloak
      - DB_VENDOR=mariadb
      - PROXY_ADDRESS_FORWARDING=true
    networks:
      - public
      - db
    volumes:
      - keycloak_themes:/opt/jboss/keycloak/themes
      - keycloak_providers:/opt/jboss/keycloak/standalone/deployments/
networks:
  db:
    driver: overlay
  public:
    external: true
volumes:
  keycloak_db:
    driver: local-persist
    driver_opts:
      mountpoint: /srv/keycloak_db
  keycloak_themes:
    driver: local-persist
    driver_opts:
      mountpoint: /srv/keycloak_themes
  keycloak_providers:
    driver: local-persist
    driver_opts:
      mountpoint: /srv/keycloak_providers
The Keycloak server is running as the jboss user, with uid/gid set to 1000. Make sure that user ID 1000 has read/write permissions on that source folder /srv/keycloak_providers. The simplest solution is chmod -R 777 /srv/keycloak_providers from the host OS CLI. But you may want a more secure permission configuration; keep in mind that uid 1000 must have read/write access, plus eventually also some user from the host OS.
Of course, it is more complicated if the Docker daemon/Keycloak container is configured with uid remapping; in that case a different uid will be in play.
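The permission check and the tighter-than-777 fix the answer describes, as an added shell example that is not part of the original question or answer. It assumes a Linux host whose stat supports -c (GNU coreutils or BusyBox), that the container's jboss user is uid 1000 as the answer states, and it uses /srv/keycloak_providers from the question; the group name keycloak in the comments is hypothetical.

```sh
#!/bin/sh
# Added example (not from the question or answer): check whether a host directory is
# usable by the uid the Keycloak container runs as, and apply a least-privilege fix
# instead of chmod -R 777. Assumes Linux `stat -c`; KC_UID=1000 comes from the answer.

KC_UID=1000   # uid/gid of the jboss user inside jboss/keycloak:12.0.1 (per the answer)

# dir_usable_by_uid DIR UID
# Returns 0 when DIR exists and UID can list, create and delete entries in it:
# either UID owns DIR and the owner bits are rwx, or the "other" bits are rwx.
# Group access is deliberately not inferred: the container's uid 1000 is normally
# not a member of any host group, so only owner or world bits count here.
# Returns 2 when DIR does not exist (that is what WFLYDS0042 would hit).
dir_usable_by_uid() {
    dir=$1; uid=$2
    [ -d "$dir" ] || return 2
    set -- $(stat -c '%u %a' "$dir")       # e.g. "1000 2770"
    owner=$1
    perm=$(printf '%s' "$2" | tail -c 3)   # drop the setuid/setgid/sticky digit if present
    u=${perm%??}                           # owner permission digit
    o=${perm#??}                           # other permission digit
    if [ "$owner" = "$uid" ] && [ $((u & 7)) -eq 7 ]; then
        return 0
    fi
    [ $((o & 7)) -eq 7 ]
}

# apply_fix DIR
# Least-privilege alternative to chmod -R 777 (must be run as root on the host):
# hand the tree to uid 1000, let a host-side group read it, keep everyone else out.
# Capital X gives execute (traverse) to directories only, not to plain files.
apply_fix() {
    dir=$1
    chown -R "$KC_UID:$KC_UID" "$dir"
    chmod -R u=rwX,g=rX,o= "$dir"
    # If a host operator must also drop JARs in, share a group instead of opening o+w:
    #   groupadd -g 1000 keycloak || true      # hypothetical group name
    #   chmod -R g+w "$dir"; chmod g+s "$dir"  # new files inherit the group
}

# main [DIR]: report the same condition the scanner logs as WFLYDS0039.
main() {
    dir=${1:-/srv/keycloak_providers}
    if dir_usable_by_uid "$dir" "$KC_UID"; then
        echo "ok: uid $KC_UID can read/write $dir"
    else
        echo "uid $KC_UID cannot read/write $dir; as root run: apply_fix $dir"
        return 1
    fi
}

# Only run the CLI flow when a path (or explicit "") was given on the command line.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

To confirm the fix from the container's point of view rather than the host's, run a throwaway container as the same uid against the same mountpoint (`docker run --rm -u 1000 -v /srv/keycloak_providers:/d alpine sh -c 'touch /d/.probe && rm /d/.probe'`); if the daemon uses user namespace remapping, the uid you need to grant is the remapped one, which is the case the answer's last sentence warns about.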