Unable to enable clustering for Keycloak running on AWS EC2

Question

I'm working on installing and running Keycloak 20.0.2 on my own network. I'm hosted on AWS, running on EC2 Linux instances with a direct install (no Kubernetes).

As I have two instances, I need to enable clustering on Keycloak to make sure there are no problems with user sessions between the two nodes.

The problem I'm facing is that neither node seems to recognize the other. I've also looked at the S3 bucket in question, and no records have been written to it.

I successfully installed jgroups-aws-2.0.1.Final.jar into the providers folder. I set up a custom cache-ispn.xml and a custom-jgroups-ec2.xml file.

The cache-ispn.xml file looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<!-- 
  ~ Copyright 2019 Red Hat, Inc. and/or its affiliates
  ~ and other contributors as indicated by the @author tags.
  ~
  ~ Licensed under the Apache License, Version 2.0 (the "License");
  ~ you may not use this file except in compliance with the License.
  ~ You may obtain a copy of the License at
  ~
  ~ http://www.apache.org/licenses/LICENSE-2.0
  ~
  ~ Unless required by applicable law or agreed to in writing, software
  ~ distributed under the License is distributed on an "AS IS" BASIS,
  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  ~ See the License for the specific language governing permissions and
  ~ limitations under the License.
  -->

<infinispan
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:infinispan:config:11.0 http://www.infinispan.org/schemas/infinispan-config-11.0.xsd"
        xmlns="urn:infinispan:config:11.0">

    <!-- custom stack goes into the jgroups element -->
    <jgroups>
        <stack-file name="ec2" path="/home/keycloak/config/custom-jgroups-ec2.xml"/>
    </jgroups>

    <cache-container name="keycloak">
        <transport lock-timeout="60000" stack="ec2"/>
        <local-cache name="realms">
            <encoding>
                <key media-type="application/x-java-object"/>
                <value media-type="application/x-java-object"/>
            </encoding>
            <memory max-count="10000"/>
        </local-cache>
        <!-- other cache definitions -->
    </cache-container>
</infinispan>

The custom-jgroups-ec2.xml file looks like this:

<!--
Based on tcp.xml but with new aws.S3_PING.
-->
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns="urn:org:jgroups"
        xsi:schemaLocation="urn:org:jgroups http://www.jgroups.org/schema/jgroups.xsd">
    <TCP bind_port="7800"
         recv_buf_size="${tcp.recv_buf_size:5M}"
         send_buf_size="${tcp.send_buf_size:5M}"
         max_bundle_size="64K"
         thread_pool.enabled="true"
         thread_pool.min_threads="2"
         thread_pool.max_threads="8"
         thread_pool.keep_alive_time="5000"/>

    <aws.S3_PING region_name="us-east-1"
                 bucket_name="my_test_proj-keycloak"
                 bucket_prefix="production"/>

    <!-- remaining JGroups protocols -->
</config>

Then I ran the following build command:

/home/keycloak/current/bin/kc.sh build --cache=ispn --cache-config-file=/home/keycloak/config/cache-ispn.xml --db=postgres --health-enabled=true --metrics-enabled=true

Finally, I loaded my environment file and custom config file and ran the following command:

env "$(cat /home/keycloak/config/keycloak.service.env)" /home/keycloak/current/bin/kc.sh --config-file=/home/keycloak/config/keycloak.conf start --optimized

The output on both servers looks essentially like this.

English:

I'm working to install and run Keycloak 20.0.2 in my own network. I'm hosted on AWS and running on EC2 Linux instances with a direct install (no Kubernetes).

As I have two instances, I need to enable clustering on Keycloak to ensure there are no issues with user sessions between the two nodes.

The problem I'm facing is that neither node appears to recognize the other node. I've also taken a look into the S3 bucket in question and no records have been written to it.

I was able to install the jgroups-aws-2.0.1.Final.jar to the providers folder. I set up a custom cache-ispn.xml and custom-jgroups-ec2.xml file.

The cache-ispn.xml file looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<!--
  ~ Copyright 2019 Red Hat, Inc. and/or its affiliates
  ~ and other contributors as indicated by the @author tags.
  ~
  ~ Licensed under the Apache License, Version 2.0 (the "License");
  ~ you may not use this file except in compliance with the License.
  ~ You may obtain a copy of the License at
  ~
  ~ http://www.apache.org/licenses/LICENSE-2.0
  ~
  ~ Unless required by applicable law or agreed to in writing, software
  ~ distributed under the License is distributed on an "AS IS" BASIS,
  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  ~ See the License for the specific language governing permissions and
  ~ limitations under the License.
  -->

<infinispan
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:infinispan:config:11.0 http://www.infinispan.org/schemas/infinispan-config-11.0.xsd"
        xmlns="urn:infinispan:config:11.0">

    <!-- custom stack goes into the jgroups element -->
    <jgroups>
        <stack-file name="ec2" path="/home/keycloak/config/custom-jgroups-ec2.xml"/>
    </jgroups>

    <cache-container name="keycloak">
        <transport lock-timeout="60000" stack="ec2"/>
        <local-cache name="realms">
            <encoding>
                <key media-type="application/x-java-object"/>
                <value media-type="application/x-java-object"/>
            </encoding>
            <memory max-count="10000"/>
        </local-cache>
        <local-cache name="users">
            <encoding>
                <key media-type="application/x-java-object"/>
                <value media-type="application/x-java-object"/>
            </encoding>
            <memory max-count="10000"/>
        </local-cache>
        <distributed-cache name="sessions" owners="2">
            <expiration lifespan="-1"/>
        </distributed-cache>
        <distributed-cache name="authenticationSessions" owners="2">
            <expiration lifespan="-1"/>
        </distributed-cache>
        <distributed-cache name="offlineSessions" owners="2">
            <expiration lifespan="-1"/>
        </distributed-cache>
        <distributed-cache name="clientSessions" owners="2">
            <expiration lifespan="-1"/>
        </distributed-cache>
        <distributed-cache name="offlineClientSessions" owners="2">
            <expiration lifespan="-1"/>
        </distributed-cache>
        <distributed-cache name="loginFailures" owners="2">
            <expiration lifespan="-1"/>
        </distributed-cache>
        <local-cache name="authorization">
            <encoding>
                <key media-type="application/x-java-object"/>
                <value media-type="application/x-java-object"/>
            </encoding>
            <memory max-count="10000"/>
        </local-cache>
        <replicated-cache name="work">
            <expiration lifespan="-1"/>
        </replicated-cache>
        <local-cache name="keys">
            <encoding>
                <key media-type="application/x-java-object"/>
                <value media-type="application/x-java-object"/>
            </encoding>
            <expiration max-idle="3600000"/>
            <memory max-count="1000"/>
        </local-cache>
        <distributed-cache name="actionTokens" owners="2">
            <encoding>
                <key media-type="application/x-java-object"/>
                <value media-type="application/x-java-object"/>
            </encoding>
            <expiration max-idle="-1" lifespan="-1" interval="300000"/>
            <memory max-count="-1"/>
        </distributed-cache>
    </cache-container>
</infinispan>

The /home/keycloak/config/custom-jgroups-ec2.xml looks like this:

<!--
Based on tcp.xml but with new aws.S3_PING.
-->
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns="urn:org:jgroups"
        xsi:schemaLocation="urn:org:jgroups http://www.jgroups.org/schema/jgroups.xsd">
    <TCP bind_port="7800"
         recv_buf_size="${tcp.recv_buf_size:5M}"
         send_buf_size="${tcp.send_buf_size:5M}"
         max_bundle_size="64K"
         thread_pool.enabled="true"
         thread_pool.min_threads="2"
         thread_pool.max_threads="8"
         thread_pool.keep_alive_time="5000"/>

    <aws.S3_PING region_name="us-east-1"
                 bucket_name="my_test_proj-keycloak"
                 bucket_prefix="production"/>

    <MERGE3 min_interval="10000"
            max_interval="30000"/>

    <FD_SOCK/>
    <FD_ALL timeout="30000" interval="5000"/>
    <VERIFY_SUSPECT timeout="1500"/>
    <pbcast.NAKACK2 use_mcast_xmit="false"
                    discard_delivered_msgs="true"/>

    <UNICAST3/>

    <pbcast.STABLE stability_delay="1000" desired_avg_gossip="50000"
                   max_bytes="4M"/>
    <pbcast.GMS print_local_addr="true" join_timeout="2000"
                view_bundling="true"/>
    <MFC max_credits="2M"
         min_threshold="0.4"/>
    <FRAG2 frag_size="60K"/>
</config>

Next, I ran the build command:

/home/keycloak/current/bin/kc.sh build --cache=ispn --cache-config-file=/home/keycloak/config/cache-ispn.xml --db=postgres --health-enabled=true --metrics-enabled=true

Finally, I loaded my env files and custom config files and ran the following:

env "$(cat /home/keycloak/config/keycloak.service.env)" /home/keycloak/current/bin/kc.sh --config-file=/home/keycloak/config/keycloak.conf start --optimized

The output on both servers looks effectively like this:

Appending additional Java properties to JAVA_OPTS: -Djgroups.s3.bucket=my_test_proj-keycloak -Djgroups.s3.access_key=**REDACTED_ACCESS_KEY** -Djgroups.s3.secret_access_key=**REDACTED_SECRET_KEY**
2023-01-08 13:36:35,304 INFO  [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: Base URL: <unset>, Hostname: ohmvision.com, Strict HTTPS: true, Path: /auth, Strict BackChannel: false, Admin URL: <unset>, Admin: <request>, Port: 443, Proxied: true
2023-01-08 13:36:39,048 WARN  [io.quarkus.agroal.runtime.DataSources] (main) Datasource <default> enables XA but transaction recovery is not enabled. Please enable transaction recovery by setting quarkus.transaction-manager.enable-recovery=true, otherwise data may be lost if the application is terminated abruptly
2023-01-08 13:36:41,474 WARN  [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000569: Unable to persist Infinispan internal caches as no global state enabled
2023-01-08 13:36:41,500 WARN  [org.infinispan.PERSISTENCE] (keycloak-cache-init) ISPN000554: jboss-marshalling is deprecated and planned for removal
2023-01-08 13:36:41,541 INFO  [org.keycloak.broker.provider.AbstractIdentityProviderMapper] (main) Registering class org.keycloak.broker.provider.mappersync.ConfigSyncEventListener
2023-01-08 13:36:41,604 INFO  [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000556: Starting user marshaller 'org.infinispan.jboss.marshalling.core.JBossUserMarshaller'
2023-01-08 13:36:42,137 INFO  [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000128: Infinispan version: Infinispan 'Triskaidekaphobia' 13.0.10.Final
2023-01-08 13:36:42,392 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000078: Starting JGroups channel `ISPN`
2023-01-08 13:36:42,392 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000088: Unable to use any JGroups configuration mechanisms provided in properties {}. Using default JGroups configuration!
2023-01-08 13:36:42,536 WARN  [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the send buffer of socket MulticastSocket was set to 1.00MB, but the OS only allocated 212.99KB
2023-01-08 13:36:42,539 WARN  [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the receive buffer of socket MulticastSocket was set to 20.00MB, but the OS only allocated 212.99KB
2023-01-08 13:36:42,541 WARN  [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the send buffer of socket MulticastSocket was set to 1.00MB, but the OS only allocated 212.99KB
2023-01-08 13:36:42,543 WARN  [org.jgroups.protocols.UDP] (keycloak-cache-init) JGRP000015: the receive buffer of socket MulticastSocket was set to 25.00MB, but the OS only allocated 212.99KB
2023-01-08 13:36:44,553 INFO  [org.jgroups.protocols.pbcast.GMS] (keycloak-cache-init) web1-11583: no members discovered after 2003 ms: creating cluster as coordinator
2023-01-08 13:36:44,565 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000094: Received new cluster view for channel ISPN: [web1-11583|0] (1) [web1-11583]
2023-01-08 13:36:44,571 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000079: Channel `ISPN` local address is `web1-11583`, physical addresses are `[11.159.1.137:54366]`
2023-01-08 13:36:45,554 INFO  [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (main) Node name: web1-11583, Site name: null
2023-01-08 13:36:47,108 INFO  [io.quarkus] (main) Keycloak 20.0.2 on JVM (powered by Quarkus 2.13.3.Final) started in 15.837s. Listening on: http://0.0.0.0:7000
2023-01-08 13:36:47,108 INFO  [io.quarkus] (main) Profile prod activated. 
2023-01-08 13:36:47,109 INFO  [io.quarkus] (main) Installed features: [agroal, cdi, hibernate-orm, jdbc-h2, jdbc-mariadb, jdbc-mssql, jdbc-mysql, jdbc-oracle, jdbc-postgresql, keycloak, logging-gelf, narayana-jta, reactive-routes, resteasy, resteasy-jackson, smallrye-context-propagation, smallrye-health, smallrye-metrics, vault, vertx]

Answer 1

Score: 0

Keycloak: 20.0.3
To use the default "ec2" Infinispan stack protocol, you should take the following steps:

  1. Put the following files into the ./providers directory
    • jgroups-aws-2.0.1.Final.jar (the stack protocol)
    • aws-java-sdk-core-1.12.410.jar (access to AWS credentials, etc.)
    • aws-java-sdk-s3-1.12.410.jar (access to S3, etc.)
    • joda-time-2.12.2.jar (is used)
  2. Set the JAVA_OPTS_APPEND parameter to -Djgroups.s3.region_name=us-east-1 -Djgroups.s3.bucket_name=<bucket_name>
    • An IAM instance profile role must be applied to the EC2 instance (for AWS credentials), and the S3 bucket must be created
  3. Build Keycloak with the option --cache-stack=ec2 (do not use the --cache-config-file option!)
    • bin/kc.[sh|bat] build --cache-stack=ec2

These steps worked for me. Good luck!

English:

Keycloak: 20.0.3
To implement the default "ec2" Infinispan stacks protocol you should:

  1. Put these files in the ./providers dir
    • jgroups-aws-2.0.1.Final.jar (stacks protocol)
    • aws-java-sdk-core-1.12.410.jar (access to AWS creds, etc.)
    • aws-java-sdk-s3-1.12.410.jar (access to S3, etc.)
    • joda-time-2.12.2.jar (is used)
  2. JAVA_OPTS_APPEND='-Djgroups.s3.region_name=us-east-1 -Djgroups.s3.bucket_name=<bucket_name>'
    • An IAM profile role should be applied to the EC2 instance (for AWS creds) and the S3 bucket created
  3. Build Keycloak with the option --cache-stack=ec2 (no --cache-config-file option!)
    • bin/kc.[sh|bat] build --cache-stack=ec2

It's working for me :) GL & HF!

Logs:

2023-02-21 09:47:28,062 INFO  [org.infinispan.server.core.transport.EPollAvailable] (keycloak-cache-init) ISPN005028: Native Epoll transport not available, using NIO instead: java.lang.ExceptionInInitializerError
2023-02-21 09:47:28,453 WARN  [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000569: Unable to persist Infinispan internal caches as no global state enabled
2023-02-21 09:47:28,472 WARN  [org.infinispan.PERSISTENCE] (keycloak-cache-init) ISPN000554: jboss-marshalling is deprecated and planned for removal
2023-02-21 09:47:28,506 INFO  [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000556: Starting user marshaller 'org.infinispan.jboss.marshalling.core.JBossUserMarshaller'
2023-02-21 09:47:28,987 INFO  [org.keycloak.broker.provider.AbstractIdentityProviderMapper] (main) Registering class org.keycloak.broker.provider.mappersync.ConfigSyncEventListener
2023-02-21 09:47:29,086 INFO  [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000128: Infinispan version: Infinispan 'Triskaidekaphobia' 13.0.10.Final
2023-02-21 09:47:29,270 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000078: Starting JGroups channel `ISPN`
2023-02-21 09:47:29,290 WARN  [org.jgroups.stack.Configurator] (keycloak-cache-init) NATIVE_S3_PING has been deprecated; please upgrade to a newer version of the protocol
2023-02-21 09:47:30,181 INFO  [org.jgroups.aws.s3.NATIVE_S3_PING] (keycloak-cache-init) using Amazon S3 ping in region us-east-1 with bucket 'my-jgroups-s3-bucket-test' and prefix ''
2023-02-21 09:47:30,937 INFO  [org.jgroups.aws.s3.NATIVE_S3_PING] (keycloak-cache-init) found bucket my-jgroups-s3-bucket-test
2023-02-21 09:48:04,101 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000094: Received new cluster view for channel ISPN: [ip-10-68-49-170-40943|3] (2) [ip-10-68-49-170-40943, ip-10-68-49-190-31671]
2023-02-21 09:48:04,111 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000079: Channel `ISPN` local address is `ip-10-68-49-190-31671`, physical addresses are `[10.68.49.190:7800]`

2023-02-21 09:48:07,087 INFO  [io.quarkus] (main) Keycloak 20.0.3 on JVM (powered by Quarkus 2.13.6.Final) started in 78.156s. Listening on: http://0.0.0.0:8080 and https://0.0.0.0:8443
2023-02-21 09:48:07,087 INFO  [io.quarkus] (main) Profile prod activated.
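The two startup logs on this page differ in a handful of lines that tell you whether the S3 stack actually took effect: the question's node prints ISPN000088 (falling back to the default JGroups configuration), org.jgroups.protocols.UDP warnings, a one-member ISPN000094 view and an ephemeral port in ISPN000079, while the answer's node prints a NATIVE_S3_PING "found bucket" line, a two-member view and port 7800. The following Python check is an added example, not code from either post; it keys on exactly those markers, the log excerpts are constructed from the lines quoted above, and the expected port and cluster size are assumptions passed as parameters.

```python
import re

# Markers taken from the Keycloak 20 / Infinispan 13 startup output quoted on this page.
STACK_FALLBACK = "ISPN000088"                # "Unable to use any JGroups configuration ... Using default"
UDP_TRANSPORT = "org.jgroups.protocols.UDP"  # multicast transport => the TCP/S3 stack is not in effect
S3_FOUND = re.compile(r"S3_PING\].*found bucket (\S+)")
VIEW = re.compile(r"ISPN000094:.*\[(?P<coord>[^|\]]+)\|\d+\] \(\d+\) \[(?P<members>[^\]]*)\]")
PHYS = re.compile(r"ISPN000079:.*physical addresses are `\[([^\]]+)\]`")

# Constructed excerpts: a node that fell back to the default stack (as in the question)
# and a node that discovered its peer through S3 (as in the answer). Not the full logs.
ALONE = [
    "ISPN000078: Starting JGroups channel `ISPN`",
    "ISPN000088: Unable to use any JGroups configuration mechanisms provided in properties {}. Using default JGroups configuration!",
    "WARN  [org.jgroups.protocols.UDP] JGRP000015: the send buffer of socket MulticastSocket was set to 1.00MB",
    "ISPN000094: Received new cluster view for channel ISPN: [web1-11583|0] (1) [web1-11583]",
    "ISPN000079: Channel `ISPN` local address is `web1-11583`, physical addresses are `[11.159.1.137:54366]`",
]
JOINED = [
    "INFO  [org.jgroups.aws.s3.NATIVE_S3_PING] found bucket my-jgroups-s3-bucket-test",
    "ISPN000094: Received new cluster view for channel ISPN: [ip-10-68-49-170-40943|3] (2) [ip-10-68-49-170-40943, ip-10-68-49-190-31671]",
    "ISPN000079: Channel `ISPN` local address is `ip-10-68-49-190-31671`, physical addresses are `[10.68.49.190:7800]`",
]


def diagnose_cluster_log(lines, expected_port=7800, expected_size=2):
    """Summarise whether the custom stack took effect and which nodes formed the view."""
    r = {"custom_stack_applied": True, "s3_bucket": None, "coordinator": None,
         "members": [], "physical_address": None, "problems": []}
    for line in lines:
        if STACK_FALLBACK in line or UDP_TRANSPORT in line:
            r["custom_stack_applied"] = False
        if m := S3_FOUND.search(line):
            r["s3_bucket"] = m.group(1)
        if m := VIEW.search(line):
            r["coordinator"] = m.group("coord")
            r["members"] = [x.strip() for x in m.group("members").split(",") if x.strip()]
        if m := PHYS.search(line):
            r["physical_address"] = m.group(1)
    if not r["custom_stack_applied"]:
        r["problems"].append("default UDP multicast stack in use: the custom stack was not applied")
    if r["s3_bucket"] is None:
        r["problems"].append("no S3 discovery activity logged")
    if len(r["members"]) < expected_size:
        r["problems"].append(f"view has {len(r['members'])} member(s), expected {expected_size}")
    if r["physical_address"] and not r["physical_address"].endswith(f":{expected_port}"):
        r["problems"].append(f"transport bound to {r['physical_address']}, not port {expected_port}")
    return r


if __name__ == "__main__":
    for name, log in (("question node", ALONE), ("answer node", JOINED)):
        print(name, diagnose_cluster_log(log)["problems"] or ["cluster looks healthy"])
```

Run it against a real startup log with `diagnose_cluster_log(open(path).read().splitlines())`; an empty problems list means the node used the S3 stack on the configured TCP port and saw the expected number of members.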

huangapple
  • Posted on 9 January 2023, 00:16:03
  • Please keep this link when reposting: https://go.coder-hub.com/75049372.html