Keycloak Docker HTTPS required - docker

I have initialized https://hub.docker.com/r/jboss/keycloak/ on my Digital Ocean Docker Droplet.
$docker run -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD={password with upcase etc.} -p 8080:8080 jboss/keycloak
success
Everything worked well and the server started on the Droplet's IP address on port 8080.
Problems started when I opened the admin console from the UI in the browser. There was a message: "HTTPS required". This was a real issue, and the only solution I have found is to log in to Keycloak from the console and change the HTTPS=required setting from the admin console without the UI.
I then opened a bash shell in my Docker container:
$docker exec -it keycloak bash
success
When I entered my command to log in, in the keycloak/bin folder:
cd keycloak/bin
keycloak/bin $./kcadm.sh config credentials --server http://<droplet IP>:8080/auth --realm master --user admin --password {password with upcase etc.}
the shell freezes and gives a timeout message after some time.
The reason for logging in from bash would be to complete this:
keycloak/bin $ ./kcadm.sh update realms/master -s sslRequired=NONE
which would hopefully solve the original problem of HTTPS required.

Update Feb 2022:
Keycloak 17+ (e.g. quay.io/keycloak/keycloak:17.0.0) doesn't support autogeneration of a self-signed cert. Minimal working HTTPS example for Keycloak 17+:
1.) Generate a self-signed domain cert/key (follow the instructions in your terminal):
openssl req -newkey rsa:2048 -nodes \
-keyout server.key.pem -x509 -days 3650 -out server.crt.pem
2.) Update the permissions of the key:
chmod 755 server.key.pem
3.) Start Keycloak (use volumes for the cert/key):
docker run \
--name keycloak \
-e KEYCLOAK_ADMIN=admin \
-e KEYCLOAK_ADMIN_PASSWORD=password \
-e KC_HTTPS_CERTIFICATE_FILE=/opt/keycloak/conf/server.crt.pem \
-e KC_HTTPS_CERTIFICATE_KEY_FILE=/opt/keycloak/conf/server.key.pem \
-v $PWD/server.crt.pem:/opt/keycloak/conf/server.crt.pem \
-v $PWD/server.key.pem:/opt/keycloak/conf/server.key.pem \
-p 8443:8443 \
quay.io/keycloak/keycloak:17.0.0 \
start-dev
Keycloak will be exposed on port 8443 over HTTPS with this setup. If you also use a proxy (e.g. nginx), you will need to configure the env variable KC_PROXY properly as well (e.g. KC_PROXY=edge). Of course, you can also use a keycloak.conf file instead of env variables.
Old answer for Keycloak up to 16.1.1 and Keycloak legacy 17+:
Publish port 8443 (HTTPS) and use it instead of 8080 (HTTP):
docker run \
--name keycloak \
-e KEYCLOAK_USER=myadmin \
-e KEYCLOAK_PASSWORD=mypassword \
-p 8443:8443 \
jboss/keycloak
Keycloak generates a self-signed cert for HTTPS in this setup. Of course, this is not a production setup.
Update
Use volumes for your own TLS certificate:
-v /<path>/tls.crt:/etc/x509/https/tls.crt \
-v /<path>/tls.key:/etc/x509/https/tls.key \

This was a solution that also granted access to the admin console with no security, when using https://hub.docker.com/r/jboss/keycloak/ as a starting point and DigitalOcean as the service provider:
Start container:
$ docker run {containerName}
Open bash for container:
$ docker exec -it {containerName} bash
Move to:
$ cd keycloak/bin
Create a new admin user with:
$ ./add-user-keycloak.sh --server http://{IP}:8080/admin --realm master --user admin --password newpassword
(not add-user.sh, as suggested in many places)
Restart the droplet in DigitalOcean etc. to activate the admin user created prior to the shutdown. After restarting the droplet, log in with:
$ ./kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user admin
Change the SSL settings on the realm:
$ ./kcadm.sh update realms/master -s sslRequired=NONE
This solution does not create any security but allows you to access the admin console.
After this it is suggested to start working on this:
https://www.keycloak.org/docs/latest/server_installation/index.html#setting-up-https-ssl

The following sequence of commands worked for me.
On the host VM:
docker run --name key -d -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin jboss/keycloak
docker exec -it key bash
Inside the container:
cd keycloak/bin/
./kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user admin
Logging into http://localhost:8080/auth as user admin of realm master
Enter password: admin
./kcadm.sh update realms/master -s sslRequired=NONE

Just in case someone wants to use it on a Docker Swarm, using secrets to store the certificate files and admin credentials:
keycloak:
  image: jboss/keycloak
  container_name: keycloak-server
  hostname: keycloak-server
  ports:
    - target: 8443 # Keycloak HTTPS port
      published: 8443
      mode: host
    - target: 8080 # Keycloak HTTP port
      published: 8080
      mode: host
  networks:
    default:
      aliases:
        - keycloak-server
  deploy:
    replicas: 1
  secrets:
    - keycloak_user_file
    - keycloak_password_file
    - source: server_crt
      target: /etc/x509/https/tls.crt
      uid: '103'
      gid: '103'
      mode: 0440
    - source: server_key
      target: /etc/x509/https/tls.key
      uid: '103'
      gid: '103'
      mode: 0440
  environment:
    - KEYCLOAK_USER_FILE=/run/secrets/keycloak_user_file
    - KEYCLOAK_PASSWORD_FILE=/run/secrets/keycloak_password_file
secrets:
  server_crt:
    file: ./certs/server.crt
  server_key:
    file: ./certs/server.key
  keycloak_user_file:
    file: ./keycloak/adminuser
  keycloak_password_file:
    file: ./keycloak/adminpassword

Update after jboss/keycloak 12.0.0
Use the following command on the server, without logging in to the Docker container via bash:
$ docker exec <container_id> /opt/jboss/keycloak/bin/kcadm.sh update realms/master -s sslRequired=NONE --server http://localhost:8080/auth --realm master --user <admin_username> --password <admin_password>
Logging into http://localhost:8080/auth as user admin of realm master
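Added example, not code from any answer on this page: the same sslRequired change made through Keycloak's admin REST API (which kcadm.sh wraps) from outside the container, used to list realms still at sslRequired=none and, once port 8443 is serving TLS, to put them back to external. It assumes an admin account on the master realm; the base URL ends in /auth for jboss/keycloak and has no /auth for quay.io/keycloak/keycloak 17+.

```python
"""Audit and restore the sslRequired setting of Keycloak realms over the admin
REST API (the same calls kcadm.sh makes). Added example, not code from this page.
Assumes an admin user on the master realm; base is http://host:8080/auth for
jboss/keycloak (legacy) and http://host:8080 for quay.io/keycloak/keycloak 17+."""
import json
import urllib.parse
import urllib.request

SAFE_LEVELS = ("external", "all")  # the non-"none" values Keycloak accepts


def token_form(username, password):
    """Form body for the password grant on the built-in admin-cli client."""
    return urllib.parse.urlencode({
        "grant_type": "password", "client_id": "admin-cli",
        "username": username, "password": password}).encode()


def realms_without_tls(realms):
    """Names of realms whose sslRequired is 'none' (the workaround on this page)."""
    return [r["realm"] for r in realms
            if str(r.get("sslRequired", "external")).lower() == "none"]


def _call(url, data=None, token=None, method="GET"):
    """One HTTP call; PUT sends JSON, POST sends a form; an empty body yields None."""
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json" if method == "PUT"
                   else "application/x-www-form-urlencoded")
    if token:
        req.add_header("Authorization", "Bearer " + token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read()
    return json.loads(body) if body else None


def audit(base, username, password, restore=None):
    """Return realms with sslRequired=none; if restore is 'external' or 'all',
    set that value on each of them (partial RealmRepresentation in the PUT)."""
    base = base.rstrip("/")
    tok = _call(f"{base}/realms/master/protocol/openid-connect/token",
                data=token_form(username, password), method="POST")["access_token"]
    weak = realms_without_tls(_call(f"{base}/admin/realms", token=tok))
    for name in weak if restore in SAFE_LEVELS else []:
        _call(f"{base}/admin/realms/{name}", method="PUT", token=tok,
              data=json.dumps({"sslRequired": restore}).encode())
    return weak


if __name__ == "__main__":
    # Hypothetical local instance: replace host, user and password with yours.
    print(audit("http://localhost:8080/auth", "admin", "admin"))
```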

I finally got it working with HTTPS (Keycloak 14.0.0) in the simplest way, after trying innumerable ways.
Create a docker-compose.yml and DO NOT specify the volumes for the cert and key:
version: '2'
services:
  keycloak:
    image: quay.io/keycloak/keycloak:14.0.0
    command: -c standalone.xml
    environment:
      DB_VENDOR: h2
      KEYCLOAK_USER: admin
      KEYCLOAK_PASSWORD: admin
    ports:
      - 8080:8080
      - 8443:8443
Run your docker-compose.yml with docker-compose up.
Wait over a minute and Keycloak will generate a self-signed certificate automatically! You'll see the logs on the CLI:
WARN [org.jboss.as.domain.management.security] (default I/O-3) WFLYDM0113: Generated self signed certificate at /opt/jboss/keycloak/standalone/configuration/application.keystore. Please note that self signed certificates are not secure, and should only be used for testing purposes. Do not use this self signed certificate in production.
Access your Keycloak server on port 8443.
If you don't see the logs indicating the generation of the self-signed certificate, just try to access your server including 'https://' and ':8443', like 'https://your_ip_or_dns:8443/auth'.

I also experienced bash freezing when trying to config credentials.
Adding the --password argument to the config credentials command resulted in a successful execution:
./kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user admin --password {YOUR_PASSWORD_HERE}
Execute ./kcadm.sh config credentials for examples of secure/alternate ways to pass the argument.

For cases where Docker was used to build Keycloak, this worked for me:
docker exec -it demo-keycloak bash
/opt/jboss/keycloak/bin/kcadm.sh config credentials --server http://localhost:8080/auth --realm realmname --user admin --password admin
/opt/jboss/keycloak/bin/kcadm.sh update realms/realmname -s sslRequired=NONE
Explanation:
The first line gives an interactive bash shell on the Keycloak container.
The second and third lines authenticate you and modify the realm settings using the Keycloak admin CLI. There is no need for a container restart.

If you just want to disable HTTPS, you can with this:
docker exec -it {containerID} bash
cd keycloak/bin
./kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user admin
./kcadm.sh update realms/master -s sslRequired=NONE

Pay attention to the image you use. If you use quay.io/keycloak/keycloak, you must explicitly specify the paths of the cert and key using KC_HTTPS_CERTIFICATE_FILE and KC_HTTPS_CERTIFICATE_KEY_FILE. This is a little different from the jboss one.

Related

run job on server using ssh key

I want to deploy on this server: serverBNP-prod1.
I tried to write the code below. Using this code, where should I add my local SSH key, please?
Thank you
job_deploy_prod:
  stage: deploy
  only:
    - master
    - tags
  when: manual
  environment:
    name: prod
  variables:
    SERVER: serverBNP-prod1
    SSH_OPTS: -p 22 -l udoc -o BatchMode=true -o StrictHostKeyChecking=no
  script:
    - export VERSION=$(fgrep -m 1 -w version pom.xml | sed -re 's/^.*>(.*)<.*$/\1/')
    - ssh $SSH_OPTS -i $HOME/.ssh/id_rsa $SERVER "docker login -u gitlab-ci-token -p $CI_JOB_TOKEN registry.gitlab.com"
    - ssh $SSH_OPTS -i $HOME/.ssh/id_rsa $SERVER "docker rm -f proj"
    - ssh $SSH_OPTS -i $HOME/.ssh/id_rsa $SERVER "docker pull registry.gitlab.com/bnp/proj:$VERSION"
    - ssh $SSH_OPTS -i $HOME/.ssh/id_rsa $SERVER "docker run -d -p 8080:8080 -e 'SPRING_PROFILES_ACTIVE=prod' -v /etc/localtime:/etc/localtime -v /etc/timezone:/etc/timezone --name proj registry.gitlab.com/bnp/proj:$VERSION"
  tags:
    - prod
You can either:
use a Settings / CI-CD / Variable of type File, in which you will put your private key data, or
if you have only a username and password for your server, you can use the sshpass command and provide an SSHPASS environment variable, still in the CI/CD variables section
More details on how to use the GitLab CI/CD environment variables (File type, security, etc.) can be found here:
https://docs.gitlab.com/ce/ci/variables/
You can mask variables, but be aware that, contrary to Jenkins, there is no way to remove the "Reveal value" button when a user has sufficient rights in GitLab to view/edit the settings, so you will have to carefully select your project rights, e.g. by giving other people the Developer role but not the Maintainer one (which allows editing the settings).

redisAI Docker container not setting password

I am running the latest redisai official image from Docker, but I can't seem to set my password.
I have changed redis.conf and uncommented requirepass, followed by my own password.
I then run the image with:
sudo docker run --name test -v /path/to/redis/conf/redis.conf:/usr/local/etc/redis/redis.conf -p 6379:6379 --gpus all -it --rm redisai/redisai:latest-gpu
and when I inspect the configuration:
127.0.0.1:6379> config get requirepass
1) "requirepass"
2) ""
Do I need to set a proper binding?
127.0.0.1:6379> config get bind
1) "bind"
2) ""
127.0.0.1:6379> auth <password>
(error) ERR AUTH <password> called without any password configured for the default user. Are you sure your configuration is correct?
I am also able to access the server from outside localhost.
sudo docker run --name test -v /path/to/redis/conf/redis.conf:/redis.conf -p 6379:6379 --gpus all -it --rm redisai/redisai:latest-gpu redis-server /redis.conf
Turns out I was just missing the last part, redis-server /redis.conf, to start the server with the appropriate configuration file.

Cannot connect to keycloak admin panel

I've followed this tutorial and run keycloak with postgres via Docker. Since port 8080 is already in use by my front-end app, it used 9990 instead.
As the logs say:
13:26:00,602 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://127.0.0.1:9990/management
13:26:00,603 INFO [org.jboss.as] (Controller Boot Thread)
WFLYSRV0051: Admin console listening on http://127.0.0.1:9990
But when I go to these URLs in my browser, nothing happens. I've also tried going to http://127.0.0.1:9990/auth/admin/ and it doesn't work either. When I try to connect, nothing appears in my Keycloak console.
I've followed the tutorial without any additional settings. What's wrong?
First I create a user-defined network:
docker network create keycloak-network
Then I run postgres:
docker run -d --name postgres --net keycloak-network -e POSTGRES_DB=keycloak -e POSTGRES_USER=keycloak -e POSTGRES_PASSWORD=password postgres
And finally Keycloak:
docker run --name keycloak --net keycloak-network jboss/keycloak
You need to publish the ports (8080 for HTTP, 8443 for HTTPS) of the Keycloak container and remap them, because 8080 is already used on your machine. For example:
docker run --rm \
--name keycloak \
--net keycloak-network \
-e KEYCLOAK_USER=myadmin \
-e KEYCLOAK_PASSWORD=mypassword \
-p 9990:8080 \
-p 9991:8443 \
jboss/keycloak
The Keycloak admin UI will be available on:
http://<ip of the host machine>:9990/
https://<ip of the host machine>:9991/ (a self-signed cert will be generated in this case, so you will need to approve the TLS exception in the browser)
In case someone else, like me, starts their way in Docker by installing Keycloak ASAP.
Full path to install Keycloak on Docker and then access the web UI via port 9990 (you can change it in the last command):
docker network create keycloak-network
docker run -d --name postgres --net keycloak-network -e POSTGRES_DB=keycloak -e POSTGRES_USER=keycloak -e POSTGRES_PASSWORD=password postgres
docker run --rm --name keycloak --net keycloak-network -e KEYCLOAK_USER=myadmin -e KEYCLOAK_PASSWORD=mypassword -e DB_USER=keycloak -e DB_PASSWORD=password -p 9990:8080 -p 9991:8443 jboss/keycloak
The difference from the topic starter's and the previous answer is avoiding the error below:
"WFLYCTL0113: '' is an invalid value for parameter user-name"
by providing the DB username and password in the last command.

docker mysql, send sql commands during exec

I am creating a MySQL 5.6 Docker container using a bash script and I would like to change the password.
How can I send SQL commands from bash to Docker?
build:
sudo docker build -t mysql-5.6 -f ./.Dockerfile .
run.sh:
#!/bin/bash
sudo docker run --name=mysql1 -d mysql-5.6
sudo docker exec -i mysql1 mysql -uroot -p"$base_password" \
<<< "SET PASSWORD FOR 'root'@'localhost' = PASSWORD('new_pass');"
You need to bind the MySQL port, as described here. To keep port 3306 you can just expose it on your host the following way:
sudo docker run --name=mysql1 -p 3306:3306 -d mysql-5.6
After that you should be able to use mysql -u USER -p PASSWORD on your local host. This will then allow you to send commands to your Docker container.

login DN and password for osixia/phpLDAPAdmin docker image

I am just getting started with LDAP. I downloaded the osixia OpenLDAP Docker image and phpLDAPadmin:
OpenLDAP
LDAPAdmin
I created the containers this way:
docker run --name ldap -p 389:389 -p 689:689 -e LDAP_DOMAIN=localhost -e LDAP_ORGANISATION=MyOrganisation -e LDAP_ADMIN_PASSWORD=mypw -v D:\docker\LDAP\ldap:/var/lib/ldap -v D:\docker\LDAP\slapd:/etc/ldap/slapd.d -d osixia/openldap
docker run -p 6443:443 --env PHPLDAPADMIN_LDAP_HOSTS=172.17.0.4 --detach osixia/phpldapadmin
It seems to have worked: I can open the admin console and I can connect to LDAP from keycloak.
What I don't understand is how to log into phpLDAPadmin. What are the Login DN and password? The password is mypw in this case, I guess, but the login DN?
The phpLDAPadmin user name must be something like this:
cn=admin,dc=first_part_of_the_domain,dc=second_part_of_the_domain,dc=third__part_of_the_domain
as an example, cn=admin,dc=example,dc=mail,dc=com