4

I'm creating a custom Dockerfile with extensions for the official Keycloak Docker image. I want to change the web-context and add some custom providers. Here's my Dockerfile:

```
FROM jboss/keycloak:7.0.0

COPY startup-config.cli /opt/jboss/tools/cli/startup-config.cli

RUN /opt/jboss/keycloak/bin/jboss-cli.sh --connect --controller=localhost:9990 --file="/opt/jboss/tools/cli/startup-config.cli"

ENV KEYCLOAK_USER=admin
ENV KEYCLOAK_PASSWORD=admin
```

and startup-config.cli file:

```
/subsystem=keycloak-server/:write-attribute(name=web-context,value="keycloak/auth")
/subsystem=keycloak-server/:add(name=providers,value="module:module:x.y.z.some-custom-provider")
```

But unfortunately I receive this error:

```
The controller is not available at localhost:9990: java.net.ConnectException: WFLYPRT0053: Could not connect to remote+http://localhost:9990. The connection failed: WFLYPRT0053: Could not connect to remote+http://localhost:9990. The connection failed: Connection refused
The command '/bin/sh -c /opt/jboss/keycloak/bin/jboss-cli.sh --connect --controller=localhost:9990 --file="/opt/jboss/tools/cli/startup-config.cli"' returned a non-zero code: 1
```

Is it a matter of invalid localhost? How should I refer to the management API?

Edit: I also tried with ENTRYPOINT instead of RUN, but the same error occurred during container initialization.

dev123

2 Answers

7

You are trying to have WildFly load your custom config file at build time here. The trouble is that the WildFly server is not running while the Dockerfile is building.

WildFly actually already has you covered regarding automatically loading custom config: there is built-in support for what you want to do. You simply need to put your config file in a "magic location" inside the image.

You need to drop your config file here:

```
/opt/jboss/startup-scripts/
```

So that your Dockerfile looks like this:

```
FROM jboss/keycloak:7.0.0

COPY startup-config.cli /opt/jboss/startup-scripts/startup-config.cli

ENV KEYCLOAK_USER=admin
ENV KEYCLOAK_PASSWORD=admin
```

Excerpt from the keycloak documentation:

Adding custom script using Dockerfile

A custom script can be added by creating your own Dockerfile:

```
FROM keycloak
COPY custom-scripts/ /opt/jboss/startup-scripts/
```

Now you can simply start the image, and the built-in features in Keycloak (a WildFly feature, really) will go look for a config in that specific directory, and then attempt to load it up.

Edit from comment with final solution:

While the original answer solved the issue with being able to pass configuration to the server at all, an issue remained with the content of the script. The following error was received when starting the container:

```
=========================================================================
Executing cli script: /opt/jboss/startup-scripts/startup-config.cli
No connection to the controller.
=========================================================================
```

The issue turned out to be in the startup-config.cli script, where the jboss command embed-server was missing, needed to initiate a connection to the jboss instance. Also missing was the closing stop-embedded-server command. More about configuring jboss in this manner in the docs here: CHAPTER 8. EMBEDDING A SERVER FOR OFFLINE CONFIGURATION

The final script:

```
embed-server --std-out=echo
/subsystem=keycloak-server/theme=defaults/:write-attribute(name=cacheThemes,value=false)
/subsystem=keycloak-server/theme=defaults/:write-attribute(name=cacheTemplates,value=false)
stop-embedded-server
```

Andreas Lorenzen
  • You're right. But after adding the script to the `/opt/jboss/startup-scripts/`, following message is present in logs: `========================================================================= Executing cli script: /opt/jboss/startup-scripts/startup-config.cli No connection to the controller. ========================================================================= ` and the web-context has not changed. – dev123 Nov 19 '19 at 08:38
  • Can you try to make your config script as small as possible? What command do you use to start the docker image? – Andreas Lorenzen Nov 19 '19 at 08:43
  • `docker build -t custom-keycloak .` in Dockerfile directory and `docker run -p 8080:8080 {docker-image-hash}` – dev123 Nov 19 '19 at 09:04
  • hey @dev123. Have you found a solution? I am running into the same problem, while starting `keycloak` image through `docker-compose` and adding scripts using `volumes` – Piotrek Janus Jan 16 '20 at 13:52
  • OK, I figured it out. My solution was to use the `embed-server` command inside the CLI script: ```embed-server --std-out=echo /subsystem=keycloak-server/theme=defaults/:write-attribute(name=cacheThemes,value=false) /subsystem=keycloak-server/theme=defaults/:write-attribute(name=cacheTemplates,value=false) stop-embedded-server``` – Piotrek Janus Jan 16 '20 at 15:03
  • This is a good finding, thanks for sharing the solution. I believe that this may very well also apply for the original question. I will try to find some sovs to back it up. – Andreas Lorenzen Jan 16 '20 at 15:26
  • I added the latest findings to the answer, I hope you can accept it now? – Andreas Lorenzen Mar 26 '20 at 08:48
  • Thanks, this works fine but I still can't get to the admin page. Also both readiness and liveness probes fail. I set web-context to `mycontext/access-management` and the two probes are being configured as http GET to check `/mycontext/access-management`. When I do `curl http://localhost:8080/mycontext/access-management` inside the running container, I see `404` error. Anything I missed? – xbmono Jul 14 '21 at 02:04
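
Added example, not part of the original answer or of Keycloak's own tooling: a pre-build shell check for the two failure modes in this thread (a startup CLI script without the `embed-server` / `stop-embedded-server` wrapper, and a Dockerfile that runs `jboss-cli.sh --connect` during the build). It also flags the `ENV KEYCLOAK_PASSWORD` line, because `ENV` values stay in the image configuration. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a Keycloak image build for the failure modes in this thread.
# Function names and sample file contents are constructed for illustration.

# Print the commands of a CLI script, dropping blank lines and '#' comments.
cli_commands() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | grep -v -e '^$' -e '^#'
}

# Status 0 only if the script starts and stops its own embedded server.
lint_cli() {
    rc=0
    first=$(cli_commands "$1" | head -n 1)
    last=$(cli_commands "$1" | tail -n 1)
    case "$first" in
        embed-server*) ;;
        *) echo "$1: first command is not embed-server (no controller to talk to)"; rc=1 ;;
    esac
    if [ "$last" != "stop-embedded-server" ]; then
        echo "$1: last command is not stop-embedded-server"; rc=1
    fi
    return "$rc"
}

# Status 0 only if the Dockerfile neither connects to a controller at build
# time nor stores the admin password in the image configuration.
lint_dockerfile() {
    rc=0
    if grep -E -q '^[[:space:]]*RUN[[:space:]].*jboss-cli\.sh.*--connect' "$1"; then
        echo "$1: RUN jboss-cli.sh --connect, but no server runs during docker build"; rc=1
    fi
    if grep -E -q '^[[:space:]]*ENV[[:space:]]+KEYCLOAK_PASSWORD[=[:space:]]' "$1"; then
        echo "$1: KEYCLOAK_PASSWORD set with ENV is readable via docker inspect"; rc=1
    fi
    return "$rc"
}

# Constructed sample inputs mirroring the files shown on this page.
demo=$(mktemp -d)
printf '%s\n' '/subsystem=keycloak-server/:write-attribute(name=web-context,value="keycloak/auth")' > "$demo/question.cli"
printf '%s\n' 'embed-server --std-out=echo' \
    '/subsystem=keycloak-server/theme=defaults/:write-attribute(name=cacheThemes,value=false)' \
    'stop-embedded-server' > "$demo/final.cli"
printf '%s\n' 'FROM jboss/keycloak:7.0.0' \
    'COPY startup-config.cli /opt/jboss/startup-scripts/startup-config.cli' \
    'ENV KEYCLOAK_USER=admin' 'ENV KEYCLOAK_PASSWORD=admin' > "$demo/Dockerfile"

lint_cli "$demo/question.cli" || true
lint_cli "$demo/final.cli" && echo "final.cli: ok"
lint_dockerfile "$demo/Dockerfile" || true
```

The password finding goes away when the `ENV KEYCLOAK_PASSWORD` line is dropped from the Dockerfile and the value is supplied at run time, for example with `docker run -e`.
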
1

WildFly management interfaces are not available when building the Docker image. Your only option is to start the CLI in embedded mode, as discussed here: Running CLI commands in WildFly Dockerfile. A more advanced approach consists of using the S2I installation scripts to trigger CLI commands.

Francesco Marchioni