Issue deploying keycloak on docker with reverse proxy

So I'm trying to run a Keycloak server on my Plesk server in a Docker container.

The issue is that my Keycloak server dies after a while (or after an action, I'm not sure because nothing gets logged); all I'm getting in the log is

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.wildfly.extension.elytron.SSLDefinitions (jar:file:/opt/jboss/keycloak/modules/system/layers/base/org/wildfly/extension/elytron/main/wildfly-elytron-integration-11.1.1.Final.jar!/) to method com.sun.net.ssl.internal.ssl.Provider.isFIPS()
WARNING: Please consider reporting this to the maintainers of org.wildfly.extension.elytron.SSLDefinitions
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
*** JBossAS process (340) received KILL signal ***

I have the required env setting PROXY_ADDRESS_FORWARDING set to true, and I'm pretty sure I followed the instructions properly on https://github.com/keycloak/keycloak-containers/blob/10.0.2/server/README.md

I have tried with and without TLS settings and it still just dies after about 5 min.

Here is some extra log dump after setting it to extreme verbose logging:

16:51:30,688 TRACE [org.jboss.modules] (ServerService Thread Pool -- 63) Attempting to find all resources META-INF/jpa-changelog-1.2.0.Beta1-db2.xml in Module "org.keycloak.keycloak-model-jpa" version 10.0.2 from local module loader @797cf65c (finder: local module finder @31bcf236 (roots: /opt/jboss/keycloak/modules,/opt/jboss/keycloak/modules/system/layers/keycloak,/opt/jboss/keycloak/modules/system/layers/base))
16:51:30,705 TRACE [org.jboss.modules] (ServerService Thread Pool -- 63) Attempting to find all resources liquibase/parser/core/xml/dbchangelog-3.1.xsd in Module "org.keycloak.keycloak-model-jpa" version 10.0.2 from local module loader @797cf65c (finder: local module finder @31bcf236 (roots: /opt/jboss/keycloak/modules,/opt/jboss/keycloak/modules/system/layers/keycloak,/opt/jboss/keycloak/modules/system/layers/base))
16:51:30,770 TRACE [org.jboss.modules] (ServerService Thread Pool -- 63) Attempting to find all resources META-INF/jpa-changelog-1.2.0.CR1.xml in Module "org.keycloak.keycloak-model-jpa" version 10.0.2 from local module loader @797cf65c (finder: local module finder @31bcf236 (roots: /opt/jboss/keycloak/modules,/opt/jboss/keycloak/modules/system/layers/keycloak,/opt/jboss/keycloak/modules/system/layers/base))
16:51:30,771 TRACE [org.jboss.modules] (ServerService Thread Pool -- 63) Attempting to find all resources liquibase/parser/core/xml/dbchangelog-3.1.xsd in Module "org.keycloak.keycloak-model-jpa" version 10.0.2 from local module loader @797cf65c (finder: local module finder @31bcf236 (roots: /opt/jboss/keycloak/modules,/opt/jboss/keycloak/modules/system/layers/keycloak,/opt/jboss/keycloak/modules/system/layers/base))
16:51:30,882 TRACE [org.jboss.modules] (ServerService Thread Pool -- 63) Attempting to find all resources META-INF/jpa-changelog-1.2.0.CR1-db2.xml in Module "org.keycloak.keycloak-model-jpa" version 10.0.2 from local module loader @797cf65c (finder: local module finder @31bcf236 (roots: /opt/jboss/keycloak/modules,/opt/jboss/keycloak/modules/system/layers/keycloak,/opt/jboss/keycloak/modules/system/layers/base))
16:51:30,904 TRACE [org.jboss.modules] (ServerService Thread Pool -- 63) Attempting to find all resources liquibase/parser/core/xml/dbchangelog-3.1.xsd in Module "org.keycloak.keycloak-model-jpa" version 10.0.2 from local module loader @797cf65c (finder: local module finder @31bcf236 (roots: /opt/jboss/keycloak/modules,/opt/jboss/keycloak/modules/system/layers/keycloak,/opt/jboss/keycloak/modules/system/layers/base))
*** JBossAS process (148) received KILL signal ***

I am running 10.0.1 like this with SSL disabled and it’s working fine. Try downgrading?

Nope, still getting OOM crashes

OOM? Are you actually out of memory then? Have you limited the resources of the container too much?

Yes, my VPS itself is even logging OOM errors.

First I was running the container with no memory limit, which made it crash (despite having 1 GB max), and then I limited it to 512 MB, which seems to keep it alive for longer before it crashes.
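
Added example, not part of any post in this thread: one way to tell whether a "received KILL signal" line like the ones above comes from the container's memory limit, from the host running out of memory, or from neither, by reading a saved container log next to the host kernel log. The function names, verdict words and sample kernel lines are constructed for illustration; the kernel lines follow the usual Linux OOM-killer wording.

```shell
#!/bin/sh
# Added example (not from the thread): decide why the Keycloak JVM stopped.
# $1 = saved container log, $2 = saved host kernel log (dmesg or journal text).
classify_stop() {
    # The WildFly launcher names the signal it saw; take the last such line.
    sig=$(sed -n 's/.*\*\*\* JBossAS process ([0-9]*) received \([A-Z]*\) signal \*\*\*.*/\1/p' "$1" | tail -n 1)
    case $sig in
    KILL)
        # PIDs are not compared: the launcher logs the PID inside the container,
        # the kernel logs the host PID. Match on the process name instead.
        if grep -Eq 'Memory cgroup out of memory: Kill(ed)? process [0-9]+ \(java\)' "$2"; then
            echo container-limit-oom      # the container memory limit was hit
        elif grep -Eq 'Out of memory: Kill(ed)? process [0-9]+ \(java\)' "$2"; then
            echo host-oom                 # the whole machine ran out of memory
        else
            echo sigkill-unexplained      # killed, but no OOM record in this log
        fi ;;
    TERM) echo orderly-stop ;;            # runtime or orchestrator asked it to stop
    *)    echo no-signal-logged ;;
    esac
}

# Constructed sample logs (hypothetical PIDs, timestamps and sizes).
write_samples() {
    cat > "$1/container.log" <<'EOF'
WARNING: All illegal access operations will be denied in a future release
*** JBossAS process (340) received KILL signal ***
EOF
    cat > "$1/kernel-host.log" <<'EOF'
[812345.1] Out of memory: Killed process 20417 (java) total-vm:2871340kB, anon-rss:611204kB
EOF
    cat > "$1/kernel-cgroup.log" <<'EOF'
[812999.7] Memory cgroup out of memory: Killed process 21733 (java) total-vm:2650112kB, anon-rss:520192kB
EOF
    printf '%s\n' '*** JBossAS process (336) received TERM signal ***' > "$1/term.log"
    : > "$1/kernel-empty.log"
}

d=$(mktemp -d)
write_samples "$d"
for k in kernel-host.log kernel-cgroup.log kernel-empty.log; do
    printf '%s -> %s\n' "$k" "$(classify_stop "$d/container.log" "$d/$k")"
done
printf 'term.log -> %s\n' "$(classify_stop "$d/term.log" "$d/kernel-empty.log")"
rm -rf "$d"
```

A "sigkill-unexplained" verdict only means the kernel log that was passed in holds no OOM record for a java process; the log may have rotated or been captured on a different host.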

Where does the 1Gb limit come from? Is that all the VM has? I have not set any limits at all. But my setup is tiny, 1 realm, 10 users, a handful of clients.

Does any Java application work in 1Gb? It’s not much and Java isn’t lean.

Keycloak requires at least 512MB of memory so a VPS with 512MB isn’t enough, you’ll need one with at least 1GB. It’s not really a Java thing in this case but a JBoss thing.
They are working on a Keycloak version that is more lean but meanwhile we need a bit more memory.
I’ve run Keycloak on a 1GB VPS on Digitalocean without problems.

Well, my VPS is 1GB as well but I keep running into those memory issues every 5-30 min. I have set it to reboot on a crash but it's certainly annoying.

1GB with what? Seems you’re using Plesk which on its own already has a big memory requirement.
What DB are you using? I’m using PostgreSQL which is less of a memory hog and a superior DB anyway :stuck_out_tongue:
How much memory is in use when Keycloak is not running?

Currently just running it with H2, planning on putting it on PG, yeah.

I think I'll also upgrade the hardware on my VPS; I'm currently overpaying a bit for an old config.

But yeah, memory does seem short even without KC.

Running keycloak:latest and am getting this error as well:

WARNING: Illegal reflective access by org.wildfly.extension.elytron.SSLDefinitions (jar:file:/opt/jboss/keycloak/modules/system/layers/base/org/wildfly/extension/elytron/main/wildfly-elytron-integration-15.0.1.Final.jar!/) to method com.sun.net.ssl.internal.ssl.Provider.isFIPS()

ECS Fargate container task setup w/ 1024 for memory and 512 for cpu.

The task will continue to provision for a minute or so, then a

*** JBossAS process (336) received TERM signal ***

message is logged. No other errors or warnings are logged.

I’m running HTTPS to the application load balancer, then running over port 80 from the load balancer to the ECS cluster where Keycloak is running.

Any ideas?

I’ve bumped the memory to 2048 and the cpu to 1024. We also forced our task configuration to only run one task for the time being. I’m now able to get to the login screen and login. Not sure if the memory and cpu configuration corrected my original issue with JBoss terming unexpectedly.

I do know that we were getting a ton of redirects during the login process, and going to one task corrected that issue. Now we need to figure out how to configure for multiple tasks running behind a load balancer.