Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add securityContext.fsGroup. #13798

Merged
merged 2 commits into from
Jul 15, 2019
Merged

Add securityContext.fsGroup. #13798

merged 2 commits into from
Jul 15, 2019

Conversation

monaka
Copy link
Member

@monaka monaka commented Jul 9, 2019
edited
Loading

Signed-off-by: Masaki Muranaka monaka@monami-ya.com

What does this PR do?

Sets securityContext.fsGroup to 1000.
Since recent versions of Keycloak in eclipse/che-keycloak runs under user jboss
(uid/gid == 1000/1000), not the super user.
So Keycloak will be failed to boot up without fsGroup.

What issues does this PR fix or reference?

refs #13625

@monaka
Add securityContext.fsGroup.
9be91bb 
Since recent versions of Keycloak in `eclipse/che-keycloak` runs under user `jboss`
(uid/gid == 1000/1000). So Keycloak will be failed to boot up without `fsGroup`.
@monaka monaka requested a review from l0rd as a code owner July 9, 2019 00:54
@che-bot
Copy link
Contributor

che-bot commented Jul 9, 2019

Can one of the admins verify this patch?

@che-bot
Copy link
Contributor

che-bot commented Jul 9, 2019

Can one of the admins verify this patch?

@musienko-maxim
Copy link
Contributor

Can one of the admins verify this PR?

@monaka monaka added the kind/bug Outline of a bug - must adhere to the bug report template. label Jul 9, 2019
@monaka
Copy link
Member Author

monaka commented Jul 9, 2019

I can't say about deployments by Openshift as its permission strategy may differ from the vanilla K8s.

@mkuznyetsov
Copy link
Contributor

mkuznyetsov commented Jul 9, 2019
edited
Loading

@monaka
I believe that the issue with Keycloak container failure is the users lacking file writing permissions to the /scripts directory (as I described here #13625 (comment))
so setting fsGroup:1000 doesn't seem to fix that, but rather fsGroup:0 does

@skabashnyuk
Copy link
Contributor

skabashnyuk commented Jul 9, 2019
edited
Loading

@l0rd @davidfestal I'm not sure that suggested changes are safe and secure to do. What is your opinion?
From another hand both kind of old https://github.com/helm/charts/blob/master/stable/keycloak/values.yaml#L29-L32
and kind of new helm charts https://github.com/codecentric/helm-charts/blob/master/charts/keycloak/values.yaml#L47-L48 has the same values for securityContext.fsGroup

@monaka
Copy link
Member Author

monaka commented Jul 10, 2019
edited
Loading

@mkuznyetsov I don't think so.
AFAIK, fsGroup will effect both processes and volumes in the container.
All volumes will be fixed their file group permission to 1000 before mounting if securityContext.fsGroup was set to 1000.

On the other hand, setting the value to 0 means applying permission as root.

I'm not sure but there may be better to choice the another approach on Openshift.
And I believe fsGroup > 0 is the better on the vanilla K8s.

@rhopp
Copy link
Contributor

rhopp commented Jul 10, 2019

I've just tried this... I didn't use helm charts, but I used che-operator to deploy che on minikube. To be more specific, I used chectl from this PR to do the deployment: che-incubator/chectl#179

Anyway... keycloak deployment failed with the same reasons described here. Then I tried to edit deployment (using kubectl) - I've added the fsGroup, as @monaka did in this PR, but this didn't do the job for me. I had to also add .spec.template.spec.containers[0].securityContext.runAsUser: 1000. Keycloak was then able to start and deployment continued.

@davidfestal
Copy link
Contributor

In fact after looking back into the Dockerfile, it seems to me that simply adding runAsUser: 1000 in the k8s deployment (either with helm charts of the operator) might be the way to go, since the /scripts folder is created as the jboss (= 1000) user, and only the group is changed later on.

@mkuznyetsov @l0rd wdyt ?

@l0rd
Copy link
Contributor

l0rd commented Jul 10, 2019

If runAsUser fix the problem on vanilla k8s let's do that. On OpenShfit we can't use runAsUser though because the container will be started as arbitrary user.

@monaka
Copy link
Member Author

monaka commented Jul 10, 2019
edited
Loading

@davidfestal AFAIK, runAsUser just set uid of processes. and all volumes will be mounted owner:group 0:0 (default). So it won't fix the issue if I have no misunderstanding.

@l0rd I'm not sure as I'm not Openshift specialist. But I guess this issue isn't occurred on there. Each process will be accessible to volumes with default parameters if all processes in the container have gid 0 by default. So I think we can concentrate to Helm only.

@rhopp Even though I can't suppose why runAsUser is required on your vanilla K8s environment, it will be harmless to set runAsUser to 1000 (and also runAsGroup to 1000).

@l0rd
Copy link
Contributor

l0rd commented Jul 10, 2019

@monaka yes we do not have this problem on OpenShift / Operator but only on Kubernetes / Helm. I was just worried that, to fix the problem on Kubernetes / Helm, we may introduce a regression on OpenShift (c.f. "either with helm charts or the operator" in this comment).

@monaka
Copy link
Member Author

monaka commented Jul 11, 2019
edited
Loading

@l0rd Ah, I see what you want to say.
I checked Dockerfile and how about this fix?

USER root
RUN chown -R jboss /scripts && \
    chgrp -R 0 /scripts && \
    chmod -R g+rwX /scripts

USER jboss

On vanilla K8s, processes in the container can read/write in /scripts by the uid jboss permission.
On Openshift, they can read/write there by the gid 0 permission.

And it may be enough:

- RUN chgrp -R 0 /scripts && \
+ RUN chown -R jboss:0 /scripts && \

@skabashnyuk
Copy link
Contributor

skabashnyuk commented Jul 11, 2019
edited
Loading

Just to sum up ideas.
What if we set in helm chart.

  securityContext:
    runAsUser: 1000
    fsGroup: 1000
    runAsNonRoot: true

and in Dockerfile

USER root
RUN chgrp -R 0 /scripts && \
    chmod -R g+rwX /scripts

USER 1000

replace with

USER root
RUN chown -R jboss /scripts && \
    chgrp -R 0 /scripts && \
    chmod -R g+rwX /scripts

USER jboss

or

USER root
RUN chown -R jboss:0 /scripts && \
    chgrp -R 0 /scripts && \
    chmod -R g+rwX /scripts

USER jboss

@davidfestal
Copy link
Contributor

I was also about to propose the same change in Dockerfile as @skabashnyuk :

USER root
RUN chown -R jboss /scripts && \   // <------ this chown line was added
    chgrp -R 0 /scripts && \
    chmod -R g+rwX /scripts

USER jboss

Then it seems that with this change in Dockerfile, changes in the keycloak helm chart can be reduced to:

securityContext:
    runAsUser: 1000

Isn't it ?

@monaka
Copy link
Member Author

monaka commented Jul 11, 2019

I'll make and re-push with some more patches based on the discussion here.

@mkuznyetsov mkuznyetsov mentioned this pull request Jul 11, 2019
Closed
@monaka
Run as uid:gid == 1000:1000 on K8s environment.
924e6c8 
This patch is based on the discussion at (eclipse#13798).

Signed-off-by: Masaki Muranaka <monaka@monami-ya.com>
@monaka monaka requested a review from benoitf as a code owner July 12, 2019 03:04
@skabashnyuk
Copy link
Contributor

ci-test

@l0rd
Copy link
Contributor

l0rd commented Jul 12, 2019

@davidfestal this PR solves a blocker on multi-user Che that's been opened since a few weeks now. I would not be too picky about fsGroup and runAsGroup being set even if we could avoid it: if the PR solves the problem and doesn't introduce any regression let's merge it!

@davidfestal
Copy link
Contributor

davidfestal commented Jul 12, 2019
edited
Loading

@l0rd OK

@rhopp
Copy link
Contributor

rhopp commented Jul 12, 2019

fyi. I've just tried to rebuild just the keycloak image from this PR (https://quay.io/repository/rhopp/rhopp_keycloak) and then tried to deploy che using chectl server:start -a operator with my keycloak image and it started OK on minikube.

@che-bot
Copy link
Contributor

che-bot commented Jul 12, 2019

Results of automated E2E tests of Eclipse Che Multiuser on OCP:
Build details
Test report
docker image: eclipseche/che-server:13798
https://github.com/orgs/eclipse/teams/eclipse-che-qa please check this report.

@skabashnyuk
Copy link
Contributor

@eclipse/eclipse-che-qa can you take a look at results?
@rhopp @l0rd @davidfestal is it ok for you to merge it?

rhopp
rhopp approved these changes Jul 12, 2019
View reviewed changes
Copy link
Contributor

@rhopp rhopp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure about the helm chart changes (I haven't tried them), but it looks like it shouldn't hurt ;-)

But for the Dockerfile changes I'm big +1 for merging!

davidfestal
davidfestal approved these changes Jul 12, 2019
View reviewed changes
Copy link
Contributor

@davidfestal davidfestal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK with the changes if they don't break the Openshift operator case.

@mkuznyetsov
Copy link
Contributor

mkuznyetsov commented Jul 12, 2019
edited
Loading

Openshift Operator afaik uses different Keycloak image: registry.access.redhat.com/redhat-sso-7/sso72-openshift:1.2-8

@davidfestal
Copy link
Contributor

@mkuznyetsov No. Only CRW use the the distinct RHSSO docker image.

But when used to deploy the community upstream Eclipse Che, the Che operator uses the upstream che-keycloak docker image.

This is why it is important to check compatibility of the che-keycloak image with both K8s and Openshift use-cases.

benoitf
benoitf approved these changes Jul 12, 2019
View reviewed changes
Copy link
Contributor

@benoitf benoitf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested against operatorhub/openshift v4.1

oc describe pod/keycloak-7ccf4f689f-gwxzt Name: keycloak-7ccf4f689f-gwxzt Namespace: che Priority: 0 PriorityClassName: Node: ip-10-0-130-172.ec2.internal/10.0.130.172 Start Time: Fri, 12 Jul 2019 14:16:08 +0200 Labels: app=che component=keycloak pod-template-hash=7ccf4f689f Annotations: k8s.v1.cni.cncf.io/networks-status=[{ "name": "openshift-sdn", "interface": "eth0", "ips": [ "10.130.2.35" ], "default": true, "dns": {} }] kubernetes.io/limit-ranger=LimitRanger plugin set: cpu request for container keycloak; cpu limit for container keycloak openshift.io/scc=restricted Status: Running IP: 10.130.2.35 Controlled By: ReplicaSet/keycloak-7ccf4f689f Containers: keycloak: Container ID: cri-o://b2e18eee5178147061027dbe095288062ab7f936f170ea6206cb59f8adf83e59 Image: quay.io/rhopp/rhopp_keycloak Image ID: quay.io/rhopp/rhopp_keycloak@sha256:1635b635df583519d25b8caf873ca6fceb626fbf8f46b6cf8b77bb10c6755553 Port: 8080/TCP Host Port: 0/TCP Command: /bin/sh Args: -c if [ ! -z "${CHE_SELF__SIGNED__CERT}" ]; then echo "${CHE_SELF__SIGNED__CERT}" > /scripts/che.crt && keytool -importcert -alias ROUTERCRT -keystore /scripts/openshift.jks -file /scripts/che.crt -storepass 5TK7jKJwe3rd -noprompt; fi && if [ ! -z "${OPENSHIFT_SELF__SIGNED__CERT}" ]; then echo "${OPENSHIFT_SELF__SIGNED__CERT}" > /scripts/openshift.crt && keytool -importcert -alias OPENSHIFTAPI -keystore /scripts/openshift.jks -file /scripts/openshift.crt -storepass 5TK7jKJwe3rd -noprompt; fi && keytool -importcert -alias MOUNTEDCRT -keystore /scripts/openshift.jks -file /var/run/secrets/kubernetes.io/serviceaccount/ca.crt -storepass 5TK7jKJwe3rd -noprompt && if [ -f /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt ]; then keytool -importcert -alias MOUNTEDSERVICECRT -keystore /scripts/openshift.jks -file /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt -storepass 5TK7jKJwe3rd -noprompt; fi && keytool -importkeystore -srckeystore $JAVA_HOME/jre/lib/security/cacerts -destkeystore /scripts/openshift.jks -srcstorepass changeit -deststorepass 5TK7jKJwe3rd && echo Installing certificates into Keycloak && echo -e "embed-server --server-config=standalone.xml --std-out=echo /subsystem=keycloak-server/spi=truststore/:add /subsystem=keycloak-server/spi=truststore/provider=file/:add(properties={file => "/scripts/openshift.jks", password => "5TK7jKJwe3rd", disabled => "false" },enabled=true) stop-embedded-server" > /scripts/add_openshift_certificate.cli && /opt/jboss/keycloak/bin/jboss-cli.sh --file=/scripts/add_openshift_certificate.cli && /opt/jboss/docker-entrypoint.sh -b 0.0.0.0 -c standalone.xml State: Running Started: Fri, 12 Jul 2019 14:16:37 +0200 Ready: True Restart Count: 0 Limits: cpu: 500m memory: 2Gi Requests: cpu: 50m memory: 512Mi Readiness: http-get http://:8080/auth/js/keycloak.js delay=25s timeout=5s period=10s #success=1 #failure=10 Environment: PROXY_ADDRESS_FORWARDING: true KEYCLOAK_USER: admin KEYCLOAK_PASSWORD: F0cpcihdaBw8 DB_VENDOR: POSTGRES POSTGRES_PORT_5432_TCP_ADDR: postgres POSTGRES_PORT_5432_TCP_PORT: 5432 POSTGRES_PORT: 5432 POSTGRES_DATABASE: keycloak POSTGRES_USER: keycloak POSTGRES_PASSWORD: 9kqpGthcaYfO CHE_SELF__SIGNED__CERT: Optional: true OPENSHIFT_SELF__SIGNED__CERT: Optional: true Mounts: /var/run/secrets/kubernetes.io/serviceaccount from default-token-jf5k7 (ro) Conditions: Type Status Initialized True Ready True ContainersReady True PodScheduled True Volumes: default-token-jf5k7: Type: Secret (a volume populated by a Secret) SecretName: default-token-jf5k7 Optional: false QoS Class: Burstable Node-Selectors: Tolerations: node.kubernetes.io/memory-pressure:NoSchedule node.kubernetes.io/not-ready:NoExecute for 300s node.kubernetes.io/unreachable:NoExecute for 300s Events: Type Reason Age From Message ---- ------ ---- ---- ------- Normal Scheduled 5m default-scheduler Successfully assigned che/keycloak-7ccf4f689f-gwxzt to ip-10-0-130-172.ec2.internal Normal Pulling 5m kubelet, ip-10-0-130-172.ec2.internal Pulling image "quay.io/rhopp/rhopp_keycloak" Normal Pulled 4m kubelet, ip-10-0-130-172.ec2.internal Successfully pulled image "quay.io/rhopp/rhopp_keycloak" Normal Created 4m kubelet, ip-10-0-130-172.ec2.internal Created container keycloak Normal Started 4m kubelet, ip-10-0-130-172.ec2.internal Started container keycloak Warning Unhealthy 3m (x5 over 4m) kubelet, ip-10-0-130-172.ec2.internal Readiness probe failed: Get http://10.130.2.35:8080/auth/js/keycloak.js: dial tcp 10.130.2.35:8080: connect: connection refused Warning Unhealthy 2m (x5 over 3m) kubelet, ip-10-0-130-172.ec2.internal Readiness probe failed: Get http://10.130.2.35:8080/auth/js/keycloak.js: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
keycloak.log 
Certificate was added to keystore
Certificate was added to keystore
Certificate was added to keystore
Certificate was added to keystore
Importing keystore /usr/lib/jvm/java/jre/lib/security/cacerts to /scripts/openshift.jks...
Entry for alias digicertassuredidrootca successfully imported.
Entry for alias trktrustelektroniksertifikahizmetsalaycsh5 successfully imported.
Entry for alias affirmtrustcommercial successfully imported.
Entry for alias t-telesecglobalrootclass3 successfully imported.
Entry for alias certinomis-rootca successfully imported.
Entry for alias t-telesecglobalrootclass2 successfully imported.
Entry for alias comodoecccertificationauthority successfully imported.
Entry for alias swisssignsilverca-g2 successfully imported.
Entry for alias cadisigrootr2 successfully imported.
Entry for alias securetrustca successfully imported.
Entry for alias accvraiz1 successfully imported.
Entry for alias staatdernederlandenrootca-g3 successfully imported.
Entry for alias staatdernederlandenrootca-g2 successfully imported.
Entry for alias entrustrootcertificationauthority successfully imported.
Entry for alias identrustpublicsectorrootca1 successfully imported.
Entry for alias entrust.netpremium2048secureserverca successfully imported.
Entry for alias secureglobalca successfully imported.
Entry for alias opentrustrootcag3 successfully imported.
Entry for alias netlockarany(classgold)ftanstvny successfully imported.
Entry for alias eecertificationcentrerootca successfully imported.
Entry for alias teliasonerarootcav1 successfully imported.
Entry for alias opentrustrootcag2 successfully imported.
Entry for alias autoridaddecertificacionfirmaprofesionalcifa62634068 successfully imported.
Entry for alias opentrustrootcag1 successfully imported.
Entry for alias acraizfnmt-rcm successfully imported.
Entry for alias gdcatrustauthr5root successfully imported.
Entry for alias izenpe.com successfully imported.
Entry for alias e-tugracertificationauthority successfully imported.
Entry for alias quovadisrootca3 successfully imported.
Entry for alias quovadisrootca2 successfully imported.
Entry for alias entrustrootcertificationauthority-ec1 successfully imported.
Entry for alias oistewisekeyglobalrootgbca successfully imported.
Entry for alias addtrustexternalroot successfully imported.
Entry for alias digicertglobalrootg3 successfully imported.
Entry for alias swisssigngoldca-g2 successfully imported.
Entry for alias comodoaaaservicesroot successfully imported.
Entry for alias digicertglobalrootg2 successfully imported.
Entry for alias oistewisekeyglobalrootgaca successfully imported.
Entry for alias dstrootcax3 successfully imported.
Entry for alias certigna successfully imported.
Entry for alias digicerthighassuranceevrootca successfully imported.
Entry for alias chambersofcommerceroot-2008 successfully imported.
Entry for alias soneraclass2rootca successfully imported.
Entry for alias usertrustrsacertificationauthority successfully imported.
Entry for alias geotrustuniversalca successfully imported.
Entry for alias certsignrootca successfully imported.
Entry for alias amazonrootca4 successfully imported.
Entry for alias amazonrootca3 successfully imported.
Entry for alias amazonrootca2 successfully imported.
Entry for alias verisignuniversalrootcertificationauthority successfully imported.
Entry for alias trustcorrootcertca-2 successfully imported.
Entry for alias amazonrootca1 successfully imported.
Entry for alias trustcorrootcertca-1 successfully imported.
Entry for alias ssl.comrootcertificationauthorityecc successfully imported.
Entry for alias ssl.comrootcertificationauthorityrsa successfully imported.
Entry for alias d-trustrootclass3ca2ev2009 successfully imported.
Entry for alias networksolutionscertificateauthority successfully imported.
Entry for alias affirmtrustnetworking successfully imported.
Entry for alias deutschetelekomrootca2 successfully imported.
Entry for alias globalsigneccrootca-r5 successfully imported.
Entry for alias globalsigneccrootca-r4 successfully imported.
Entry for alias szafirrootca2 successfully imported.
Entry for alias globalsignrootca-r3 successfully imported.
Entry for alias globalsignrootca-r2 successfully imported.
Entry for alias buypassclass3rootca successfully imported.
Entry for alias comodorsacertificationauthority successfully imported.
Entry for alias securitycommunicationrootca2 successfully imported.
Entry for alias starfieldclass2ca successfully imported.
Entry for alias actalisauthenticationrootca successfully imported.
Entry for alias cfcaevroot successfully imported.
Entry for alias digicerttrustedrootg4 successfully imported.
Entry for alias certumtrustednetworkca2 successfully imported.
Entry for alias entrustrootcertificationauthority-g2 successfully imported.
Entry for alias taiwangrca successfully imported.
Entry for alias hellenicacademicandresearchinstitutionseccrootca2015 successfully imported.
Entry for alias twcarootcertificationauthority successfully imported.
Entry for alias certplusrootcag2 successfully imported.
Entry for alias twcaglobalrootca successfully imported.
Entry for alias certplusrootcag1 successfully imported.
Entry for alias geotrustuniversalca2 successfully imported.
Entry for alias thawteprimaryrootca-g3 successfully imported.
Entry for alias thawteprimaryrootca-g2 successfully imported.
Entry for alias baltimorecybertrustroot successfully imported.
Entry for alias buypassclass2rootca successfully imported.
Entry for alias digicertassuredidrootg3 successfully imported.
Entry for alias certumtrustednetworkca successfully imported.
Entry for alias geotrustprimarycertificationauthority-g3 successfully imported.
Entry for alias digicertassuredidrootg2 successfully imported.
Entry for alias geotrustprimarycertificationauthority-g2 successfully imported.
Entry for alias isrgrootx1 successfully imported.
Entry for alias ec-acc successfully imported.
Entry for alias ssl.comevrootcertificationauthorityecc successfully imported.
Entry for alias certplusclass2primaryca successfully imported.
Entry for alias globalchambersignroot-2008 successfully imported.
Entry for alias digicertglobalrootca successfully imported.
Entry for alias d-trustrootclass3ca22009 successfully imported.
Entry for alias starfieldservicesrootcertificateauthority-g2 successfully imported.
Entry for alias thawteprimaryrootca successfully imported.
Entry for alias atostrustedroot2011 successfully imported.
Entry for alias luxtrustglobalroot2 successfully imported.
Entry for alias geotrustglobalca successfully imported.
Entry for alias visaecommerceroot successfully imported.
Entry for alias quovadisrootca successfully imported.
Entry for alias identrustcommercialrootca1 successfully imported.
Entry for alias staatdernederlandenevrootca successfully imported.
Entry for alias tubitakkamusmsslkoksertifikasi-surum1 successfully imported.
Entry for alias trustcoreca-1 successfully imported.
Entry for alias securitycommunicationrootca successfully imported.
Entry for alias comodocertificationauthority successfully imported.
Entry for alias verisignclass3publicprimarycertificationauthority-g5 successfully imported.
Entry for alias xrampglobalcaroot successfully imported.
Entry for alias verisignclass3publicprimarycertificationauthority-g4 successfully imported.
Entry for alias quovadisrootca3g3 successfully imported.
Entry for alias verisignclass3publicprimarycertificationauthority-g3 successfully imported.
Entry for alias securesignrootca11 successfully imported.
Entry for alias affirmtrustpremium successfully imported.
Entry for alias globalsignrootca successfully imported.
Entry for alias quovadisrootca2g3 successfully imported.
Entry for alias geotrustprimarycertificationauthority successfully imported.
Entry for alias affirmtrustpremiumecc successfully imported.
Entry for alias quovadisrootca1g3 successfully imported.
Entry for alias hongkongpostrootca1 successfully imported.
Entry for alias usertrustecccertificationauthority successfully imported.
Entry for alias cybertrustglobalroot successfully imported.
Entry for alias godaddyclass2ca successfully imported.
Entry for alias microsece-szignorootca2009 successfully imported.
Entry for alias hellenicacademicandresearchinstitutionsrootca2015 successfully imported.
Entry for alias hellenicacademicandresearchinstitutionsrootca2011 successfully imported.
Entry for alias godaddyrootcertificateauthority-g2 successfully imported.
Entry for alias trustisfpsrootca successfully imported.
Entry for alias epkirootcertificationauthority successfully imported.
Entry for alias starfieldrootcertificateauthority-g2 successfully imported.
Entry for alias ssl.comevrootcertificationauthorityrsar2 successfully imported.
Import command completed:  133 entries successfully imported, 0 entries failed or cancelled
Installing certificates into Keycloak
12:16:45,905 INFO  [org.jboss.modules] (CLI command executor) JBoss Modules version 1.9.0.Final
12:16:46,214 INFO  [org.jboss.msc] (CLI command executor) JBoss MSC version 1.4.5.Final
12:16:46,408 INFO  [org.jboss.threads] (CLI command executor) JBoss Threads version 2.3.3.Final
12:16:47,002 INFO  [org.jboss.as] (MSC service thread 1-2) WFLYSRV0049: Keycloak 6.0.1 (WildFly Core 8.0.0.Final) starting
12:16:47,404 INFO  [org.jboss.vfs] (MSC service thread 1-2) VFS000002: Failed to clean existing content for temp file provider of type temp. Enable DEBUG level log to find what caused this
12:16:52,195 INFO  [org.wildfly.security] (ServerService Thread Pool -- 19) ELY00001: WildFly Elytron version 1.8.0.Final
12:16:55,802 INFO  [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=http-interface' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
12:16:56,198 INFO  [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
12:16:56,999 INFO  [org.jboss.as.patching] (MSC service thread 1-1) WFLYPAT0050: Keycloak cumulative patch ID is: base, one-off patches include: none
12:16:57,001 WARN  [org.jboss.as.domain.management.security] (MSC service thread 1-1) WFLYDM0111: Keystore /opt/jboss/keycloak/standalone/configuration/application.keystore not found, it will be auto generated on first use with a self signed certificate for host localhost
12:16:57,494 INFO  [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0212: Resuming server
12:16:57,495 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 6.0.1 (WildFly Core 8.0.0.Final) started in 11502ms - Started 64 of 78 services (25 services are lazy, passive or on-demand)
{"outcome" => "success"}
{"outcome" => "success"}
12:16:58,394 INFO  [org.jboss.as] (MSC service thread 1-2) WFLYSRV0050: Keycloak 6.0.1 (WildFly Core 8.0.0.Final) stopped in 194ms
Added 'admin' to '/opt/jboss/keycloak/standalone/configuration/keycloak-add-user.json', restart server to load user
WARNING: POSTGRES_DATABASE variable name is DEPRECATED replace with DB_DATABASE
WARNING: POSTGRES_USER variable name is DEPRECATED replace with DB_USER
WARNING: POSTGRES_PASSWORD variable name is DEPRECATED replace with DB_PASSWORD
WARNING: POSTGRES_PORT variable name is DEPRECATED replace with DB_PORT
=========================================================================

Using PostgreSQL database


=========================================================================


12:17:09,397 INFO  [org.jboss.modules] (CLI command executor) JBoss Modules version 1.9.0.Final

12:17:09,712 INFO  [org.jboss.msc] (CLI command executor) JBoss MSC version 1.4.5.Final

12:17:09,894 INFO  [org.jboss.threads] (CLI command executor) JBoss Threads version 2.3.3.Final

12:17:10,508 INFO  [org.jboss.as] (MSC service thread 1-2) WFLYSRV0049: Keycloak 6.0.1 (WildFly Core 8.0.0.Final) starting

12:17:10,901 INFO  [org.jboss.vfs] (MSC service thread 1-2) VFS000002: Failed to clean existing content for temp file provider of type temp. Enable DEBUG level log to find what caused this

12:17:15,300 INFO  [org.wildfly.security] (ServerService Thread Pool -- 19) ELY00001: WildFly Elytron version 1.8.0.Final

12:17:18,705 INFO  [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=http-interface' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.

12:17:19,202 INFO  [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.

12:17:20,197 INFO  [org.jboss.as.patching] (MSC service thread 1-2) WFLYPAT0050: Keycloak cumulative patch ID is: base, one-off patches include: none

12:17:20,198 WARN  [org.jboss.as.domain.management.security] (MSC service thread 1-2) WFLYDM0111: Keystore /opt/jboss/keycloak/standalone/configuration/application.keystore not found, it will be auto generated on first use with a self signed certificate for host localhost

12:17:20,697 INFO  [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0212: Resuming server

12:17:20,698 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 6.0.1 (WildFly Core 8.0.0.Final) started in 11295ms - Started 64 of 78 services (25 services are lazy, passive or on-demand)

The batch executed successfully

12:17:21,593 INFO  [org.jboss.as] (MSC service thread 1-2) WFLYSRV0050: Keycloak 6.0.1 (WildFly Core 8.0.0.Final) stopped in 189ms

12:17:26,309 INFO  [org.jboss.modules] (CLI command executor) JBoss Modules version 1.9.0.Final

12:17:26,616 INFO  [org.jboss.msc] (CLI command executor) JBoss MSC version 1.4.5.Final

12:17:26,806 INFO  [org.jboss.threads] (CLI command executor) JBoss Threads version 2.3.3.Final

12:17:27,412 INFO  [org.jboss.as] (MSC service thread 1-2) WFLYSRV0049: Keycloak 6.0.1 (WildFly Core 8.0.0.Final) starting

12:17:27,815 INFO  [org.jboss.vfs] (MSC service thread 1-2) VFS000002: Failed to clean existing content for temp file provider of type temp. Enable DEBUG level log to find what caused this

12:17:32,302 INFO  [org.wildfly.security] (ServerService Thread Pool -- 21) ELY00001: WildFly Elytron version 1.8.0.Final

12:17:36,894 INFO  [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=http-interface' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.

12:17:37,308 INFO  [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.

12:17:38,204 INFO  [org.jboss.as.patching] (MSC service thread 1-1) WFLYPAT0050: Keycloak cumulative patch ID is: base, one-off patches include: none

12:17:38,297 WARN  [org.jboss.as.domain.management.security] (MSC service thread 1-2) WFLYDM0111: Keystore /opt/jboss/keycloak/standalone/configuration/application.keystore not found, it will be auto generated on first use with a self signed certificate for host localhost

12:17:38,793 INFO  [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0212: Resuming server

12:17:38,795 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 6.0.1 (WildFly Core 8.0.0.Final) started in 12399ms - Started 64 of 83 services (30 services are lazy, passive or on-demand)

The batch executed successfully

12:17:39,609 INFO  [org.jboss.as] (MSC service thread 1-1) WFLYSRV0050: Keycloak 6.0.1 (WildFly Core 8.0.0.Final) stopped in 100ms


JBoss Bootstrap Environment


JBOSS_HOME: /opt/jboss/keycloak


JAVA: /usr/lib/jvm/java/bin/java


JAVA_OPTS:  -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true


=========================================================================


12:17:41,511 INFO  [org.jboss.modules] (main) JBoss Modules version 1.9.0.Final

12:17:43,208 INFO  [org.jboss.msc] (main) JBoss MSC version 1.4.5.Final

12:17:43,298 INFO  [org.jboss.threads] (main) JBoss Threads version 2.3.3.Final

12:17:43,998 INFO  [org.jboss.as] (MSC service thread 1-2) WFLYSRV0049: Keycloak 6.0.1 (WildFly Core 8.0.0.Final) starting

12:17:44,399 INFO  [org.jboss.vfs] (MSC service thread 1-1) VFS000002: Failed to clean existing content for temp file provider of type temp. Enable DEBUG level log to find what caused this

12:17:48,714 INFO  [org.wildfly.security] (ServerService Thread Pool -- 19) ELY00001: WildFly Elytron version 1.8.0.Final

12:17:52,302 INFO  [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=http-interface' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.

12:17:52,494 INFO  [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 27) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.

12:17:52,898 INFO  [org.jboss.as.repository] (ServerService Thread Pool -- 5) WFLYDR0001: Content added at location /opt/jboss/keycloak/standalone/data/content/43/baa2f4a0b4a5ddd4bce681fd554f4676ad7892/content

12:17:53,205 INFO  [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0039: Creating http management service using socket-binding (management-http)

12:17:53,394 INFO  [org.xnio] (MSC service thread 1-1) XNIO version 3.6.5.Final

12:17:53,400 INFO  [org.xnio.nio] (MSC service thread 1-1) XNIO NIO Implementation Version 3.6.5.Final

12:17:53,700 WARN  [org.jboss.as.txn] (ServerService Thread Pool -- 52) WFLYTX0013: The node-identifier attribute on the /subsystem=transactions is set to the default value. This is a danger for environments running multiple servers. Please make sure the attribute value is unique.

12:17:53,796 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 36) WFLYCLINF0001: Activating Infinispan subsystem.

12:17:53,796 INFO  [org.jboss.as.naming] (ServerService Thread Pool -- 47) WFLYNAM0001: Activating Naming Subsystem

12:17:53,896 INFO  [org.wildfly.extension.microprofile.config.smallrye._private] (ServerService Thread Pool -- 44) WFLYCONF0001: Activating WildFly MicroProfile Config Subsystem

12:17:53,994 INFO  [org.jboss.as.jaxrs] (ServerService Thread Pool -- 38) WFLYRS0016: RESTEasy version 3.6.3.Final

12:17:53,994 INFO  [org.jboss.as.security] (ServerService Thread Pool -- 50) WFLYSEC0002: Activating Security Subsystem

12:17:53,996 INFO  [org.wildfly.extension.io] (ServerService Thread Pool -- 37) WFLYIO001: Worker 'default' has auto-configured to 2 core threads with 16 task threads based on your 1 available processors

12:17:54,096 INFO  [org.wildfly.extension.microprofile.health.smallrye] (ServerService Thread Pool -- 45) WFLYHEALTH0001: Activating Eclipse MicroProfile Health Subsystem

12:17:54,295 INFO  [org.wildfly.extension.microprofile.metrics.smallrye] (ServerService Thread Pool -- 46) WFLYMETRICS0001: Activating Eclipse MicroProfile Metrics Subsystem

12:17:54,794 INFO  [org.jboss.as.mail.extension] (MSC service thread 1-2) WFLYMAIL0002: Unbound mail session [java:jboss/mail/Default]

12:17:54,796 INFO  [org.jboss.as.security] (MSC service thread 1-2) WFLYSEC0001: Current PicketBox version=5.0.3.Final

12:17:54,896 INFO  [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 31) WFLYJCA0004: Deploying JDBC-compliant driver class org.h2.Driver (version 1.4)

12:17:54,995 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0003: Undertow 2.0.19.Final starting

12:17:55,110 INFO  [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 31) WFLYJCA0005: Deploying non-JDBC-compliant driver class org.postgresql.Driver (version 42.2)

12:17:55,198 INFO  [org.jboss.as.connector] (MSC service thread 1-1) WFLYJCA0009: Starting JCA Subsystem (WildFly/IronJacamar 1.4.12.Final)

12:17:56,494 INFO  [org.jboss.remoting] (MSC service thread 1-2) JBoss Remoting version 5.0.8.Final

12:17:56,795 INFO  [org.wildfly.extension.undertow] (ServerService Thread Pool -- 53) WFLYUT0014: Creating file handler for path '/opt/jboss/keycloak/welcome-content' with options [directory-listing: 'false', follow-symlink: 'false', case-sensitive: 'true', safe-symlink-paths: '[]']

12:17:57,195 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0010: Unbound data source [java:jboss/datasources/ExampleDS]

12:17:57,195 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0010: Unbound data source [java:jboss/datasources/KeycloakDS]

12:17:57,292 INFO  [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-2) WFLYJCA0018: Started Driver service with driver-name = h2

12:17:57,293 INFO  [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-2) WFLYJCA0018: Started Driver service with driver-name = postgresql

12:17:57,394 INFO  [io.smallrye.metrics] (MSC service thread 1-1) Converted [2] config entries and added [4] replacements

12:17:57,512 INFO  [io.smallrye.metrics] (MSC service thread 1-1) Converted [3] config entries and added [14] replacements

12:17:57,698 INFO  [org.jboss.as.ejb3] (MSC service thread 1-1) WFLYEJB0481: Strict pool slsb-strict-max-pool is using a max instance size of 16 (per class), which is derived from thread worker pool sizing.

12:17:57,698 INFO  [org.jboss.as.ejb3] (MSC service thread 1-2) WFLYEJB0482: Strict pool mdb-strict-max-pool is using a max instance size of 4 (per class), which is derived from the number of CPUs on this host.

12:17:57,798 INFO  [org.jboss.as.naming] (MSC service thread 1-2) WFLYNAM0003: Starting Naming Service

12:17:58,197 INFO  [org.jboss.as.mail.extension] (MSC service thread 1-1) WFLYMAIL0001: Bound mail session [java:jboss/mail/Default]

12:17:59,098 INFO  [org.jboss.as.patching] (MSC service thread 1-2) WFLYPAT0050: Keycloak cumulative patch ID is: base, one-off patches include: none

12:17:59,108 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0012: Started server default-server.

12:17:59,198 WARN  [org.jboss.as.domain.management.security] (MSC service thread 1-2) WFLYDM0111: Keystore /opt/jboss/keycloak/standalone/configuration/application.keystore not found, it will be auto generated on first use with a self signed certificate for host localhost

12:17:59,206 INFO  [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0027: Starting deployment of "openshift4-extension-6.0.1.jar" (runtime-name: "openshift4-extension-6.0.1.jar")

12:17:59,207 INFO  [org.jboss.as.server.deployment] (MSC service thread 1-1) WFLYSRV0027: Starting deployment of "keycloak-server.war" (runtime-name: "keycloak-server.war")

12:17:59,292 INFO  [org.jboss.as.server.deployment.scanner] (MSC service thread 1-1) WFLYDS0013: Started FileSystemDeploymentService for directory /opt/jboss/keycloak/standalone/deployments

12:17:59,397 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0018: Host default-host starting

12:17:59,602 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0006: Undertow HTTP listener default listening on 0.0.0.0:8080

12:17:59,908 INFO  [org.jboss.as.ejb3] (MSC service thread 1-1) WFLYEJB0493: EJB subsystem suspension complete

12:18:00,397 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0006: Undertow HTTPS listener https listening on 0.0.0.0:8443

12:18:01,201 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0001: Bound data source [java:jboss/datasources/KeycloakDS]

12:18:01,201 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0001: Bound data source [java:jboss/datasources/ExampleDS]

12:18:01,305 WARN  [org.jboss.as.dependency.private] (MSC service thread 1-2) WFLYSRV0018: Deployment "deployment.openshift4-extension-6.0.1.jar" is using a private module ("org.keycloak.keycloak-server-spi-private") which may be changed or removed in future versions without notice.

12:18:01,305 WARN  [org.jboss.as.dependency.private] (MSC service thread 1-2) WFLYSRV0018: Deployment "deployment.openshift4-extension-6.0.1.jar" is using a private module ("org.keycloak.keycloak-services") which may be changed or removed in future versions without notice.

12:18:01,398 INFO  [org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor] (MSC service thread 1-2) Deploying Keycloak provider: openshift4-extension-6.0.1.jar

12:18:01,600 WARN  [org.jboss.as.dependency.private] (MSC service thread 1-1) WFLYSRV0018: Deployment "deployment.keycloak-server.war" is using a private module ("org.kie") which may be changed or removed in future versions without notice.

12:18:03,609 INFO  [org.infinispan.factories.GlobalComponentRegistry] (MSC service thread 1-2) ISPN000128: Infinispan version: Infinispan 'Infinity Minus ONE +2' 9.4.8.Final

12:18:06,194 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 60) WFLYCLINF0002: Started keys cache from keycloak container

12:18:06,294 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 65) WFLYCLINF0002: Started sessions cache from keycloak container

12:18:06,294 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 55) WFLYCLINF0002: Started work cache from keycloak container

12:18:06,295 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 64) WFLYCLINF0002: Started loginFailures cache from keycloak container

12:18:06,295 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 57) WFLYCLINF0002: Started actionTokens cache from keycloak container

12:18:06,295 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 61) WFLYCLINF0002: Started offlineClientSessions cache from keycloak container

12:18:06,295 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 56) WFLYCLINF0002: Started offlineSessions cache from keycloak container

12:18:06,295 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 62) WFLYCLINF0002: Started realms cache from keycloak container

12:18:06,295 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 58) WFLYCLINF0002: Started clientSessions cache from keycloak container

12:18:06,295 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 59) WFLYCLINF0002: Started authenticationSessions cache from keycloak container

12:18:06,295 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 63) WFLYCLINF0002: Started users cache from keycloak container

12:18:06,296 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 66) WFLYCLINF0002: Started authorization cache from keycloak container

12:18:06,894 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 67) WFLYCLINF0002: Started client-mappings cache from ejb container

12:18:06,905 WARN  [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0273: Excluded subsystem weld via jboss-deployment-structure.xml does not exist.

12:18:06,905 WARN  [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0273: Excluded subsystem webservices via jboss-deployment-structure.xml does not exist.

12:18:09,202 INFO  [org.keycloak.services] (ServerService Thread Pool -- 63) KC-SERVICES0001: Loading config from standalone.xml or domain.xml

12:18:11,096 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 63) WFLYCLINF0002: Started realmRevisions cache from keycloak container

12:18:11,100 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 63) WFLYCLINF0002: Started userRevisions cache from keycloak container

12:18:11,107 INFO  [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 63) WFLYCLINF0002: Started authorizationRevisions cache from keycloak container

12:18:11,108 INFO  [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (ServerService Thread Pool -- 63) Node name: keycloak-7ccf4f689f-gwxzt, Site name: null

12:18:24,102 INFO  [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 63) Initializing database schema. Using changelog META-INF/jpa-changelog-master.xml

12:18:27,899 INFO  [org.hibernate.jpa.internal.util.LogHelper] (ServerService Thread Pool -- 63) HHH000204: Processing PersistenceUnitInfo [

name: keycloak-default

...]

12:18:28,112 INFO  [org.hibernate.Version] (ServerService Thread Pool -- 63) HHH000412: Hibernate Core {5.3.9.Final}

12:18:28,114 INFO  [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 63) HHH000206: hibernate.properties not found

12:18:28,716 INFO  [org.hibernate.annotations.common.Version] (ServerService Thread Pool -- 63) HCANN000001: Hibernate Commons Annotations {5.0.5.Final}

12:18:29,494 INFO  [org.hibernate.dialect.Dialect] (ServerService Thread Pool -- 63) HHH000400: Using dialect: org.hibernate.dialect.PostgreSQL95Dialect

12:18:29,906 INFO  [org.hibernate.engine.jdbc.env.internal.LobCreatorBuilderImpl] (ServerService Thread Pool -- 63) HHH000424: Disabling contextual LOB creation as createClob() method threw error : java.lang.reflect.InvocationTargetException

12:18:29,911 INFO  [org.hibernate.type.BasicTypeRegistry] (ServerService Thread Pool -- 63) HHH000270: Type registration [java.util.UUID] overrides previous : org.hibernate.type.UUIDBinaryType@58474ace

12:18:29,916 INFO  [org.hibernate.envers.boot.internal.EnversServiceImpl] (ServerService Thread Pool -- 63) Envers integration enabled? : true

12:18:32,095 INFO  [org.hibernate.orm.beans] (ServerService Thread Pool -- 63) HHH10005002: No explicit CDI BeanManager reference was passed to Hibernate, but CDI is available on the Hibernate ClassLoader.

12:18:32,314 INFO  [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 63) HV000001: Hibernate Validator 6.0.15.Final

12:18:37,895 INFO  [org.hibernate.hql.internal.QueryTranslatorFactoryInitiator] (ServerService Thread Pool -- 63) HHH000397: Using ASTQueryTranslatorFactory

12:18:39,817 INFO  [org.keycloak.services] (ServerService Thread Pool -- 63) KC-SERVICES0050: Initializing master realm

12:18:43,911 INFO  [org.keycloak.services] (ServerService Thread Pool -- 63) KC-SERVICES0006: Importing users from '/opt/jboss/keycloak/standalone/configuration/keycloak-add-user.json'

12:18:45,409 INFO  [org.keycloak.services] (ServerService Thread Pool -- 63) KC-SERVICES0009: Added user 'admin' to realm 'master'

12:18:45,702 INFO  [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 63) RESTEASY002225: Deploying javax.ws.rs.core.Application: class org.keycloak.services.resources.KeycloakApplication

12:18:45,703 INFO  [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 63) RESTEASY002200: Adding class resource org.keycloak.services.resources.JsResource from Application class org.keycloak.services.resources.KeycloakApplication

12:18:45,703 INFO  [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 63) RESTEASY002200: Adding class resource org.keycloak.services.resources.ThemeResource from Application class org.keycloak.services.resources.KeycloakApplication

12:18:45,704 INFO  [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 63) RESTEASY002205: Adding provider class org.keycloak.services.filters.KeycloakTransactionCommitter from Application class org.keycloak.services.resources.KeycloakApplication

12:18:45,704 INFO  [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 63) RESTEASY002205: Adding provider class org.keycloak.services.error.KeycloakErrorHandler from Application class org.keycloak.services.resources.KeycloakApplication

12:18:45,704 INFO  [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 63) RESTEASY002220: Adding singleton resource org.keycloak.services.resources.WelcomeResource from Application class org.keycloak.services.resources.KeycloakApplication

12:18:45,704 INFO  [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 63) RESTEASY002220: Adding singleton resource org.keycloak.services.resources.RobotsResource from Application class org.keycloak.services.resources.KeycloakApplication

12:18:45,704 INFO  [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 63) RESTEASY002220: Adding singleton resource org.keycloak.services.resources.admin.AdminRoot from Application class org.keycloak.services.resources.KeycloakApplication

12:18:45,704 INFO  [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 63) RESTEASY002220: Adding singleton resource org.keycloak.services.resources.RealmsResource from Application class org.keycloak.services.resources.KeycloakApplication

12:18:45,704 INFO  [org.jboss.resteasy.resteasy_jaxrs.i18n] (ServerService Thread Pool -- 63) RESTEASY002210: Adding provider singleton org.keycloak.services.util.ObjectMapperResolver from Application class org.keycloak.services.resources.KeycloakApplication

12:18:46,093 INFO  [org.wildfly.extension.undertow] (ServerService Thread Pool -- 63) WFLYUT0021: Registered web context: '/auth' for server 'default-server'

12:18:46,298 INFO  [org.jboss.as.server] (ServerService Thread Pool -- 32) WFLYSRV0010: Deployed "openshift4-extension-6.0.1.jar" (runtime-name : "openshift4-extension-6.0.1.jar")

12:18:46,299 INFO  [org.jboss.as.server] (ServerService Thread Pool -- 42) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")

12:18:46,603 INFO  [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0212: Resuming server

12:18:46,605 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://127.0.0.1:9990/management

12:18:46,606 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.0.0.1:9990

12:18:46,606 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 6.0.1 (WildFly Core 8.0.0.Final) started in 66495ms - Started 617 of 880 services (563 services are lazy, passive or on-demand)

image

@benoitf
Copy link
Contributor

benoitf commented Jul 12, 2019

ci-build

@rhopp rhopp mentioned this pull request Jul 12, 2019
Closed
@monaka
Copy link
Member Author

monaka commented Jul 12, 2019

I have no permission to access crw-ci-e2e-happy-path-test. Could anyone tell me why it wasn't passed ?

@rhopp
Copy link
Contributor

rhopp commented Jul 15, 2019

@monaka crw-ci-e2ee-happy-path-test is still kinda WIP. We can ignore it for now (and I hope we can find some public space to run that test in the future, so anybody can take a look at results).

@skabashnyuk
Copy link
Contributor

@monaka would you like me to merge this pr or you want to merge it yourself?

@monaka
Copy link
Member Author

monaka commented Jul 15, 2019

@rhopp Thank you for your information. I ignore crw-ci-e2e-happy-path-test in this time.
@skabashnyuk I push the merge button now. Thank you for your support.

@monaka monaka merged commit ccda8e3 into eclipse-che:master Jul 15, 2019
@monaka monaka deleted the pr-add-fsGroup-to-keycloak branch July 15, 2019 08:07
@benoitf
Copy link
Contributor

benoitf commented Jul 16, 2019

there is a failure on helm/k8s on init container wait-for-postgres

Init Containers:
  wait-for-postgres:
    Container ID:  docker://2aa46976f8727946c607aeae0445dd3b32b4a9a1a8da9137d2f4812518361c3f
    Image:         alpine:3.5
    Image ID:      docker-pullable://alpine@sha256:66952b313e51c3bd1987d7c4ddf5dba9bc0fb6e524eed2448fa660246b3e76ec
    Port:          <none>
    Host Port:     <none>
    Command:
      sh
      -c
      apk --no-cache add curl jq ; adresses_length=0; until [ $adresses_length -gt 0 ]; do echo waiting for postgres to be ready...; sleep 2; endpoints=`curl -s --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"     https://kubernetes.default/api/v1/namespaces/$POD_NAMESPACE/endpoints/postgres`; adresses_length=`echo $endpoints | jq -r ".subsets[]?.addresses // [] | length"`; done;
    State:          Running
      Started:      Tue, 16 Jul 2019 16:32:39 +0200
    Ready:          False
    Restart Count:  0
    Environment:
      POD_NAMESPACE:  che (v1:metadata.namespace)
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from che-keycloak-token-7cwz9 (ro)


$ docker run --user "1000:0" --entrypoint sh -it alpine:3.5
/ $ apk --no-cache add curl jq
ERROR: Unable to lock database: Permission denied
ERROR: Failed to open apk database: Permission denied
/ $ id
uid=1000 gid=0(root)

reported through
#13838

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rhopp rhopp rhopp approved these changes

@davidfestal davidfestal davidfestal approved these changes

@l0rd l0rd l0rd approved these changes

@benoitf benoitf benoitf approved these changes

@nickboldt nickboldt Awaiting requested review from nickboldt

@sleshchenko sleshchenko Awaiting requested review from sleshchenko

Assignees
No one assigned
Labels
kind/bug Outline of a bug - must adhere to the bug report template.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
9 participants
@monaka @che-bot @musienko-maxim @mkuznyetsov @skabashnyuk @rhopp @davidfestal @l0rd @benoitf