由于无法访问部署目录，Keycloak引导时扫描失败: /opt/jboss/keycloak/standalone/deployments

Question

在将Keycloak部署到Docker群时，堆栈跟踪中会出现以下警告和错误：

我们正在尝试将keycloak SPI部署到给定的卷中。这可以工作，但keycloak不能写入/读取卷。

10:13:05,350 INFO  [org.jboss.modules] (main) JBoss Modules version 1.10.2.Final

10:13:06,057 INFO  [org.jboss.msc] (main) JBoss MSC version 1.4.12.Final

10:13:06,069 INFO  [org.jboss.threads] (main) JBoss Threads version 2.4.0.Final

10:13:06,220 INFO  [org.jboss.as] (MSC service thread 1-2) WFLYSRV0049: Keycloak 12.0.1 (WildFly Core 13.0.3.Final) starting

10:13:06,392 INFO  [org.jboss.vfs] (MSC service thread 1-4) VFS000002: Failed to clean existing content for temp file provider of type temp. Enable DEBUG level log to find what caused this

10:13:07,466 INFO  [org.wildfly.security] (ServerService Thread Pool -- 22) ELY00001: WildFly Elytron version 1.13.1.Final

10:13:08,587 INFO  [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=http-interface' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.

10:13:08,653 WARN  [org.jboss.as.server.deployment.scanner] (DeploymentScanner-threads - 1) WFLYDS0039: /opt/jboss/keycloak/standalone/deployments is not writable

10:13:08,675 ERROR [org.jboss.as.server.deployment.scanner] (DeploymentScanner-threads - 1) WFLYDS0042: Boot-time scan failed due to inaccessible deployment directory: /opt/jboss/keycloak/standalone/deployments

10:13:08,690 INFO  [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 3) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.

10:13:08,861 INFO  [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0039: Creating http management service using socket-binding (management-http)

错误WFLYDS0039和WFLYDS0042是问题所在。我们将deployments文件夹挂载到服务器上的docker卷上的路径:/srv/keycloak。在部署SPI时，我可以看到.JAR文件可以在服务器上的上述路径中找到。

下面是keycloak docker-compose文件：

version: "3.7"
services:
  db:
    image: mariadb
    volumes:
      - keycloak_db:/var/lib/mysql
    environment:
      MYSQL_DATABASE: keycloak
    networks:
      db:
        aliases:
          - mariadb

  keycloak:
    image: jboss/keycloak:12.0.1
    environment:
      - DB_ADDR=mariadb
      - DB_PORT=3306
      - DB_DATABASE=keycloak
      - DB_VENDOR=mariadb
      - PROXY_ADDRESS_FORWARDING=true
    networks:
      - public
      - db
    volumes:
      - keycloak_themes:/opt/jboss/keycloak/themes
      - keycloak_providers:/opt/jboss/keycloak/standalone/deployments/
networks:
  db:
    driver: overlay
  public:
    external: true

volumes:
  keycloak_db:
    driver: local-persist
    driver_opts:
      mountpoint: /srv/keycloak_db
  keycloak_themes:
    driver: local-persist
    driver_opts:
      mountpoint: /srv/keycloak_themes
  keycloak_providers:
    driver: local-persist
    driver_opts:
      mountpoint: /srv/keycloak_providers

Answer 1

Keycloak服务器以uid/gid设置为1000的jboss用户身份运行。确保用户id 1000对该源文件夹/srv/keycloak_providers具有读/写权限。最简单的解决方案是从主机OS执行chmod -R 777 /srv/keycloak_providers。但您可能需要更安全的权限配置-只需记住uid 1000必须具有读/写访问权限，并且最终还需要来自主机操作系统的一些用户。

当然，如果Docker守护进程/Keycloak容器配置了uid重新映射，情况可能会更加复杂--场景中会有另一个uid。