Saturday, 2024-01-27

fungilooks like there's a master realm and no zuul realm, as best i can tell. our zuul.conf expects an issuer_id of
fungii have a feeling our old data isn't getting mounted correctly into the container00:08
fungialso we'll likely need to change that issuer id to or redirect auth to /00:09
fungibut one problem at a time00:09
fungiwe're mounting in a volume that presents (among other relevant paths) /opt/jboss/keycloak/standalone/data/ but there's also a /opt/keycloak/data/h2/ when i exec a shell in the container and poke around00:12
fungiyeah, looks like keycloak's getting run out of /opt/keycloak/bin inside the container00:14
fungii'm kinda worried that the database filenames aren't quite identical though00:17
fungiin our tree we have and keycloak.trace.db but what the container is creating is and keycloakdb.trace.db (note the extra "db" in the filenames)00:18
Clark[m]I guess keycloak hadnt anticipated people migrating from the old to the new images?00:19
Clark[m]It's weird to me that you would change file paths and mount pointe for the framework change00:19
fungi...maybe? i would have assumed (perhaps incorrectly) that the application would have a default database filename though00:20
Clark[m]I guess part of the issue here is wildfly is jboss and it had/has a bunch of paths specific to it00:21
fungiit's possible if we change our data mount from /opt/jboss/keycloak/standalone/data to /opt/keycloak/data/h2 it will just find the old databases even though the filenames for them differ slightly within those directories00:21
Clark[m]But ya the filename change seems odd00:21
Clark[m]Ya or we rename the files too00:21
fungithat would be... unfortunate00:21
fungii think we probably ought to tar up a local backup of the directories we're mounting in before we go any further though00:22
fungijust so that if we do end up screwing them up somehow we can wipe and restore them easily00:22
fungii'll fiddle with it some more tomorrow. presumably we don't need to worry about rolling this back, but i'm happy to push up a revert if that's preferred. i could also test by copying the production data into the held test node, but i have a feeling that will only get us so far and we still won't be able to end-to-end exercise zuul dashboard logins with it that way00:24
Clark[m] doesn't say anything about the db00:25
Clark[m]It does mention the /auth removal00:25
fungiyet another option would be to wipe the data and start over, configuring the zuul realm from scratch and readding users in it. not a fan of the additional work, but i suppose it would be cleaner00:26
fungimore hassle for everyone though00:26
Clark[m]Ya and maybe if we do that evaluate if an H2 db on disk is portable enough for the future00:28
Clark[m]I suspect if we had a db server running alongside this would've just worked (tm)00:28
fungiwell, i vaguely recall discussing when the initial poc went up that we might revisit the h2 choice in the future00:28
Clark[m]Because db servers handle upgrades and backward compat00:28
fungibut that because h2 was the baked-in default and required no additional configuration, it was simpler for the initial deployment00:29
Clark[m]Ya and it probably would work to adjust the mounts (and rename files if necessary)00:31
fungii'm also getting confused by discussions i'm finding about memory-backed vs file-backed h2 databases for keycloak. maybe the filename difference is denoting a switch in the default for that?00:32
Clark[m]The db has to be persisted to disk but ya maybe it's a different filename if mem is backed to disk?00:33
fungiright, that's what i'm wondering00:33
Clark[m] says dev mem is not persisted to disk and you lose the data on restart00:34
fungithere's also KC_DB=dev-mem vs KC_DB=dev-file, hard to tell if that changed between versions as well00:34
fungiokay, and since dev-file is the default and we're not overriding it, then i guess it's also the default in the old-style images00:35
fungilooks like you can use KC_DB_URL to set the database so maybe the value for that changed00:36
fungilike from jdbc:h2:file:keycloak to jdbc:h2:file:keycloakdb00:37
Clark[m]That would explain it00:37
fungii guess that'll be in a dockerfile somewhere00:50
*** diablo_rojo is now known as Guest61719:34

Generated by 2.17.3 by Marius Gedminas - find it at!