Keycloak does not work with Docker read_only: true


Describe the bug

Keycloak crashes and fails to start when running the Docker image with read_only and tmpfs parameters.

...
read_only: true
tmpfs:
- /tmp
...

The following error is thrown:

sed: couldn't open temporary file /opt/jboss/keycloak/bin/seduHoQM0: Read-only file system

Version

16.1.1

Expected behavior

Keycloak runs with read_only and tmpfs parameters.

Actual behavior

Keycloak crashes during startup.

How to Reproduce?

docker-compose.yml

version: '3'

volumes:
  postgres_data:
    driver: local

services:
  postgres:
    image: postgres
    volumes:
      - postgres_data:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: password
  keycloak:
    image: quay.io/keycloak/keycloak:16.1.1
    environment:
      DB_VENDOR: POSTGRES
      DB_ADDR: postgres
      DB_DATABASE: keycloak
      DB_USER: keycloak
      DB_SCHEMA: public
      DB_PASSWORD: password
    # the two settings that trigger the failure: the container's root
    # filesystem is mounted read-only and /tmp is the only writable path
    read_only: true
    tmpfs:
      - /tmp
    ports:
      - "8080:8080"
    depends_on:
      - postgres

Run:

docker-compose up

Anything else?

Is there a way to set the directory where the temporary files are created?

Issue Analytics

  • State: open
  • Created: a year ago
  • Reactions: 4
  • Comments: 7 (2 by maintainers)

Top GitHub Comments

1 reaction
Zipunrar commented, Sep 5, 2022

Just found that issue while searching for a solution to the same problem. This is needed for deployment of Keycloak in Kubernetes for my company, because we have a policy that any deployment must be rootless and read-only (except mounted PVCs). So this is keeping me from using Keycloak at the moment.

0 reactions
arahlf commented, Dec 2, 2022

Running into this as well. I had previously gotten Keycloak to work on read only K8S via a custom Dockerfile, a /tmp dir volume mount, and a handful of symlinks/overrides created in the Dockerfile to trick it into writing to the mounted tmp directory.

I’m in the process of trying to upgrade to 20.0.1 and running into a similar (but different) issue trying to get it to work on a read only FS. I’ve managed to get it working locally for the moment with the --read-only flag via Docker run (will try with K8S next) by overriding one of the jar files. I could get the server to start up, but the first time loading a page it would then fail and I could see various exceptions like this in stdout:

2022-12-02 15:25:28,917 WARN  [org.keycloak.services] (executor-thread-1) KC-SERVICES0075: Failed to get theme request: java.lang.RuntimeException: Temporary directory /opt/keycloak/bin/../data/tmp does not exist and it was not possible to create it.

	at org.keycloak.quarkus.runtime.integration.QuarkusPlatform.getTmpDirectory(QuarkusPlatform.java:167)
	at org.keycloak.encoding.GzipResourceEncodingProviderFactory.initCacheDir(GzipResourceEncodingProviderFactory.java:70)
	at org.keycloak.encoding.GzipResourceEncodingProviderFactory.create(GzipResourceEncodingProviderFactory.java:29)
	at org.keycloak.encoding.GzipResourceEncodingProviderFactory.create(GzipResourceEncodingProviderFactory.java:18)
	at org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:282)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at org.jboss.resteasy.core.ContextParameterInjector$GenericDelegatingProxy.invoke(ContextParameterInjector.java:166)
	at com.sun.proxy.$Proxy50.getProvider(Unknown Source)
	at org.keycloak.encoding.ResourceEncodingHelper.getResourceEncodingProvider(ResourceEncodingHelper.java:14)
	at org.keycloak.services.resources.ThemeResource.getResource(ThemeResource.java:65)

I even tried my symlink override trick on that directory but it didn’t work, seemingly because Java’s isDirectory() method might not work on symlinks: https://github.com/keycloak/keycloak/blob/release/20.0/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/integration/QuarkusPlatform.java#L151-L160

Next, I tried building Keycloak from source and updated that method so that in the presence of a new env variable I added (e.g. KC_TMP_DIR) it would then use that instead, and I have that configured in my container to use the mounted /tmp directory. I then compiled that, grabbed the updated jar, and included that override as part of my Dockerfile. This seems to work, but obviously is a pretty ugly hack 😃

For the moment though it seems to be working now (though I wouldn’t be surprised if I bump into another issue at some point).
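The two failures quoted in this thread (sed unable to create a temporary file under /opt/jboss/keycloak/bin on 16.1.1, and /opt/keycloak/data/tmp not creatable on 20.0.1) are the same problem: the image writes to paths that a read-only root filesystem does not back. A practical way to find every such path before switching on read_only (Docker) or readOnlyRootFilesystem (Kubernetes) is to run the image once writable, let it start and serve a request, and read `docker diff`, which lists each path the container added (A), changed (C) or deleted (D). The script below is an added example, not code from the issue or from the Keycloak project: it turns that listing into the tmpfs mounts that are safe to add and flags the writes a mount cannot fix because they edit a file shipped in the image (the 16.1.1 case). The sample diff output is constructed, the file names inside bin/, data/tmp/ and /tmp are made up, and the 64m size limit is an arbitrary choice; only the directories themselves come from the error messages on this page.

```shell
#!/bin/sh
# Added example (not from the issue or from Keycloak): derive the writable
# mounts a read-only container needs from `docker diff` output.
#
# Probe run (needs a Docker daemon, so this script does not execute it):
#   docker run -d --name kc-probe quay.io/keycloak/keycloak:20.0.1 start-dev
#   ... wait for startup, then request a page so runtime caches get created ...
#   docker diff kc-probe | classify_diff
#   docker run --read-only $(docker diff kc-probe | classify_diff | tmpfs_flags) ...

# classify_diff: stdin = `docker diff` lines ("A /path", "C /path", "D /path"),
# stdout = one finding per line, sorted:
#   tmpfs  <dir>   directory the image did not have: a tmpfs there hides nothing
#   shadow <dir>   new file written straight into a directory that exists in the
#                  image: a mount there is safe only if that directory is empty
#   fix    <path>  file shipped in the image is edited or deleted in place: no
#                  mount fixes this, the image or its entrypoint has to change
classify_diff() {
    awk '
    $0 ~ "^[ACD] /" { st[substr($0, 3)] = $1 }
    END {
        # an entry is a directory if some other entry lies below it
        for (p in st) {
            isdir[p] = 0
            for (q in st) if (index(q, p "/") == 1) { isdir[p] = 1; break }
        }
        for (p in st) {
            d = p; sub("/[^/]*$", "", d); if (d == "") d = "/"
            if (st[p] == "A") {
                if (d in st && st[d] == "A") continue   # already covered by a new parent
                if (isdir[p]) { tm[p] = 1 } else { sh[d] = 1 }
            } else if (st[p] == "D" || !isdir[p]) {
                fx[p] = 1
            }
        }
        for (p in sh) print "shadow " p
        for (p in tm) {
            covered = 0
            for (s in sh) if (index(p, s "/") == 1) covered = 1
            if (!covered) print "tmpfs " p
        }
        for (p in fx) print "fix " p
    }' | LC_ALL=C sort
}

# tmpfs_flags: turn tmpfs/shadow findings into `docker run` options.
# noexec,nosuid keep the scratch space from being used to stage a payload;
# the 64m cap is an arbitrary value chosen for this example.
tmpfs_flags() {
    awk '$1 == "tmpfs" || $1 == "shadow" { printf "--tmpfs %s:rw,noexec,nosuid,size=64m\n", $2 }'
}

# Constructed samples, not real captures.  The file names are made up; the
# directories bin/, data/tmp and /tmp are the ones named in the errors above.
KC16_DIFF='C /opt/jboss/keycloak/bin
C /opt/jboss/keycloak/bin/standalone.conf
C /opt/jboss/keycloak/standalone
A /opt/jboss/keycloak/standalone/log
A /opt/jboss/keycloak/standalone/log/server.log'

KC20_DIFF='C /opt/keycloak
C /opt/keycloak/data
A /opt/keycloak/data/tmp
A /opt/keycloak/data/tmp/kc-gzip-cache
A /opt/keycloak/data/tmp/kc-gzip-cache/login.css.gz
C /tmp
A /tmp/hsperfdata_keycloak
A /tmp/hsperfdata_keycloak/1
A /tmp/vertx-cache-1234.tmp'

echo "## 16.1.1 probe"; printf '%s\n' "$KC16_DIFF" | classify_diff
echo "## 20.0.1 probe"; printf '%s\n' "$KC20_DIFF" | classify_diff
echo "## docker run options for the 20.0.1 probe"
printf '%s\n' "$KC20_DIFF" | classify_diff | tmpfs_flags
```

Everything classified `fix` needs a change to the image (or a writable copy of that one file bind-mounted over it) rather than a mount, which is why the 16.1.1 image cannot be made read-only from the outside. `noexec,nosuid` stop the scratch space from becoming a place to drop and run an executable; drop `noexec` only on a mount where the logs show a library failing to load a native component it extracted into its temp directory. On Kubernetes the same paths become `emptyDir` volumes (with `medium: Memory` for the tmpfs equivalent) alongside `readOnlyRootFilesystem: true`.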
