Keycloak SPI Providers and layers not loading when using Docker

Problem description

I'm trying to set up a Docker image with some custom things, such as a logback extension, so I have some CLI scripts, like this one:

/subsystem=logging: remove()
/extension=org.jboss.as.logging: remove()

/extension=com.custom.logback: add()
/subsystem=com.custom.logback: add()

I also have CLI scripts to configure the datasource pool, themes, add some SPIs on the keycloak-server subsystem, etc. I put these scripts in the /opt/jboss/startup-scripts directory. However, when I create the container, things do not work well. The scripts are not loaded as expected and Keycloak starts with errors, not loading providers such as password policies used by the realms.

When I'm using standalone Keycloak, all SPI providers are loaded fine, as in the log below:

2019-07-25 18:27:07.906 WARN  [org.keycloak.services] (ServerService Thread Pool -- 65) KC-SERVICES0047: custom-password-policy (com.custom.login.password.PasswordSecurityPolicyFactory) is implementing the internal SPI password-policy. This SPI is internal and may change without notice
2019-07-25 18:27:07.909 WARN  [org.keycloak.services] (ServerService Thread Pool -- 65) KC-SERVICES0047: custom-event (com.custom.event.KeycloakServerEventListenerProviderFactory) is implementing the internal SPI eventsListener. This SPI is internal and may change without notice
2019-07-25 18:27:08.026 WARN  [org.keycloak.services] (ServerService Thread Pool -- 65) KC-SERVICES0047: custom-mailer (com.custom.mail.MessageSenderProviderFactory) is implementing the internal SPI emailSender. This SPI is internal and may change without notice
2019-07-25 18:27:08.123 WARN  [org.keycloak.services] (ServerService Thread Pool -- 65) KC-SERVICES0047: custom-user-domain-verification (com.custom.login.domain.UserDomainVerificationFactory) is implementing the internal SPI authenticator. This SPI is internal and may change without notice
2019-07-25 18:27:08.123 WARN  [org.keycloak.services] (ServerService Thread Pool -- 65) KC-SERVICES0047: custom-recaptcha-username-password (com.custom.login.domain.RecaptchaAuthenticatorFactory) is implementing the internal SPI authenticator. This SPI is internal and may change without notice

If I use the same package with Docker, using jboss/keycloak:6.0.1 as the image base, the providers do not load. I'm using them as modules, adding them to the $JBOSS_HOME/modules folder and configuring them like the script below:

/subsystem=keycloak-server/: write-attribute(name=providers,value=[classpath:${jboss.home.dir}/providers/*,module:com.custom.custom-keycloak-server])

/subsystem=keycloak-server/theme=defaults/: write-attribute(name=welcomeTheme,value=custom)
/subsystem=keycloak-server/theme=defaults/: write-attribute(name=modules,value=[com.custom.custom-keycloak-server])

/subsystem=keycloak-server/spi=emailSender/: add(default-provider=custom-mailer)

When I execute the script inside the container, everything works fine.

I tried both using a volume to map the jar package with the providers and copying the jar when building a custom image, but neither of these ways works.

I'm using the jboss:keycloak:6.0.1 Docker image and Keycloak 6.0.1 standalone, with layers and modules put in the same directories.

What am I doing wrong? What is the trick to using SPI providers with Docker, or was the image not intended for production or this type of need?

Recommended answer

OK, I've found why this happens.

It comes from opt/jboss/tools/docker-entrypoint.sh:

#################
# Configuration #
#################

# If the server configuration parameter is not present, append the HA profile.
if echo "$@" | egrep -v -- '-c |-c=|--server-config |--server-config='; then
    SYS_PROPS+=" -c=standalone-ha.xml"
fi

It will launch Keycloak as clustered, as I think they considered standalone as not safe for production:

Standalone operating mode is only useful when you want to run one, and only one Keycloak server instance. It is not usable for clustered deployments and all caches are non-distributed and local-only. It is not recommended that you use standalone mode in production as you will have a single point of failure. If your standalone mode server goes down, users will not be able to log in. This mode is really only useful to test drive and play with the features of Keycloak.

To keep the 'standalone mode', override the image to add the property -c standalone.xml as parameters:

CMD ["-b", "0.0.0.0", "-c", "standalone.xml"]
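The entrypoint check quoted in the answer can be reproduced outside the container to see which profile a given CMD ends up booting. This is an added example, not code from the post or from the jboss/keycloak image; the function names effective_config and check_cmd are hypothetical, and the "expected" file is assumed to be the one your CLI scripts modify.

```shell
#!/bin/sh
# Added example: mirrors the config-selection test quoted from docker-entrypoint.sh.

# Print the server config file the server would boot with for the given CMD args.
effective_config() {
    # Same pattern as the entrypoint: with no -c/--server-config flag present,
    # the HA profile is appended.
    if ! echo "$@" | grep -Eq -- '-c |-c=|--server-config |--server-config='; then
        echo "standalone-ha.xml"
        return 0
    fi
    # A flag is present: report the value the caller supplied.
    while [ "$#" -gt 0 ]; do
        case "$1" in
            -c|--server-config) echo "$2"; return 0 ;;
            -c=*|--server-config=*) echo "${1#*=}"; return 0 ;;
        esac
        shift
    done
    echo "unknown"
    return 1
}

# Succeed only when the CMD boots the profile the CLI scripts were applied to.
# $1 = expected config file (assumption: the file your startup scripts changed),
# remaining arguments = the container CMD.
check_cmd() {
    expected="$1"; shift
    actual="$(effective_config "$@")"
    if [ "$actual" = "$expected" ]; then
        echo "OK: server boots with $actual"
    else
        echo "MISMATCH: scripts target $expected, server boots with $actual" >&2
        return 1
    fi
}

# Constructed sample CMDs: the first relies on the image default,
# the second is the override from the answer.
check_cmd standalone.xml -b 0.0.0.0 || true
check_cmd standalone.xml -b 0.0.0.0 -c standalone.xml
```

A mismatch here means providers such as a custom password policy were configured in a file the running server never reads, so the check is worth running in CI before the image is published.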
