Keycloak wiped all data on Docker

Hi,

Since the last few updates, Keycloak just decided to wipe all the data (realms, users, apps), everything but the master realm with the admin. Since I have Keycloak, I made several updates without issues, and now, it’s every update.

I give you my Docker Compose if I did something wrong, but everything is on persistent storage…

version: "3.9"

services:
  keycloak:
    image: quay.io/keycloak/keycloak:latest
    container_name: keycloak
    restart: unless-stopped
    hostname: keycloak
    command: start --optimized
    dns:
      - 192.168.16.1
    networks:
      - keycloak-network
    environment:
      DB_VENDOR: postgres
      DB_ADDR: keycloak-db
      DB_DATABASE: keycloak
      DB_USER: keycloak
      DB_SCHEMA: public
      DB_PASSWORD: password
      KC_HTTP_ENABLED: "true"
      KC_HTTPS_CERTIFICATE_FILE: /etc/x509/https/cert.pem
      KC_HTTPS_CERTIFICATE_KEY_FILE: /etc/x509/https/key.pem
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: admin
      KC_HOSTNAME_URL: https://auth.domain.com
      KC_HOSTNAME_ADMIN_URL: https://auth.domain.com
      KC_PROXY: passthrough
    ports:
      - "54000:8080"
      - "8443:8443"
    volumes:
      - "/mnt/docker/keycloak/data:/data:rw"
      - "/mnt/docker/keycloak/providers:/opt/jboss/keycloak/providers:rw"
      - "/mnt/docker/keycloak/standalone/configuration:/opt/jboss/keycloak/standalone/configuration:rw"
      - "/mnt/docker/_certs/:/etc/x509/https:ro"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.keycloak.entrypoints=https"
      - "traefik.http.routers.keycloak.rule=Host(`auth.domain.com`)"
      - "traefik.http.routers.keycloak.tls=true"
      - "traefik.http.services.keycloak.loadbalancer.server.port=8080"
      - "traefik.docker.network=keycloak-network"
    depends_on:
      db:
        condition: service_healthy

  db:
    image: postgres:15
    container_name: keycloak-db
    restart: unless-stopped
    networks:
      - keycloak-network
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: keycloak
    volumes:
      - "/mnt/docker/keycloak/db:/var/lib/postgresql/data:rw"
    healthcheck:
      test: ["CMD", "pg_isready", "-U", "keycloak", "-d", "keycloak", "-U", "keycloak"]
      interval: 30s
      timeout: 10s
      retries: 5

networks:
  keycloak-network:
    external: true

I genuinely don’t understand where it messed up…

Maybe DB_ADDR should be db and not keycloak-db.

Check the docker logs of the keycloak container on startup, I’m pretty sure the database connection should fail.
Now, when not having a working database connection, Keycloak in Docker would still work on these versions, but simply with a fallback memory database, losing everything on restart.
That’s useful for tests, but that’s quite annoying in fact; I would also prefer a nice crash to a still-working-but-no-db mode.

Thanks for your reply.

DB_ADDR is definitely keycloak-db as keycloak will try to get the magic DNS of the DB container, which is keycloak-db. db is only used inside the Docker Compose.

You may be right about the connection… I double-checked the password and for some reason, it was different between the DB and Keycloak… I had to change it when I wanted to do a test and forgot to reverse.

However, it doesn’t fix the fact that, even after a restart, my non-master realm isn’t saved… :(

I don’t understand what changed between my old install and now.

I don’t know if it’s normal or not, but with all my tests, I always see lines that question me:

keycloak     | 2024-01-15 21:22:23,891 INFO  [org.keycloak.services] (main) KC-SERVICES0050: Initializing master realm
keycloak     | 2024-01-15 21:22:25,353 INFO  [io.quarkus] (main) Keycloak 23.0.1 on JVM (powered by Quarkus 3.2.9.Final) started in 12.327s. Listening on: http://0.0.0.0:8080 and https://0.0.0.0:8443
keycloak     | 2024-01-15 21:22:25,353 INFO  [io.quarkus] (main) Profile prod activated. 
keycloak     | 2024-01-15 21:22:25,353 INFO  [io.quarkus] (main) Installed features: [agroal, cdi, hibernate-orm, jdbc-h2, jdbc-mariadb, jdbc-mssql, jdbc-mysql, jdbc-oracle, jdbc-postgresql, keycloak, logging-gelf, micrometer, narayana-jta, reactive-routes, resteasy-reactive, resteasy-reactive-jackson, smallrye-context-propagation, smallrye-health, vertx]
keycloak     | 2024-01-15 21:22:25,635 INFO  [org.keycloak.services] (main) KC-SERVICES0009: Added user 'admin' to realm 'master'

It’s like it forgets the existing realms in the database, while there are no such errors related to the database connection this time.

Several things…

Why do you use the DB_... env vars?
They are not correct, please see Configuring the database - Keycloak

How do you build your Keycloak server?
While you are starting it with the `optimized` option, it is assumed that you did a `build` step before with proper build-time properties set. See docs for details.

Why do you use the DB_... env vars?

Because it was the way (likely changed during the 22.X to 23.X).

So, I fixed it thanks to your hints by:

  • Changing the environment variables with the KC_…
  • Removing --optimized

Topic solved.

Configuration changed with migration from Wildfly AS to Quarkus framework as the underlying architecture. Quarkus was introduced with 17 as default distribution, Wildfly was still available as legacy distribution until 20.

Be sure to read the release notes for every (at least) major version!

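A check for the failure this thread arrives at, as an added example that is not code from the thread or from the Keycloak project: it flags the legacy `DB_*` variables with their `KC_DB*` counterparts and looks for the two master-realm messages from the log excerpt. The function names, the sample strings and the reading of those two messages as signs of an empty store are assumptions of this example.

```python
import re

# Legacy WildFly-era variables from the compose file above, mapped to the
# Quarkus-distribution names (the KC_DB* options of "Configuring the database").
LEGACY_TO_KC = {
    "DB_VENDOR": "KC_DB",
    "DB_ADDR": "KC_DB_URL_HOST",
    "DB_DATABASE": "KC_DB_URL_DATABASE",
    "DB_USER": "KC_DB_USERNAME",
    "DB_PASSWORD": "KC_DB_PASSWORD",
    "DB_SCHEMA": "KC_DB_SCHEMA",
}
# Message IDs from the thread's log excerpt; treating them as "empty store"
# markers on a non-first boot is this example's assumption.
FRESH_STORE_IDS = ("KC-SERVICES0050", "KC-SERVICES0009")

def parse_env(block: str) -> dict:
    """Parse 'KEY: value' lines as they appear under `environment:`."""
    pairs = re.findall(r"^[ \t]*([A-Z][A-Z0-9_]*):[ \t]*(.*?)[ \t]*$", block, re.M)
    return {key: value.strip('"') for key, value in pairs}

def audit(env: dict, command: str) -> list:
    """Return findings for a Quarkus-based Keycloak service definition."""
    findings = [f"{old} is ignored; use {new}"
                for old, new in LEGACY_TO_KC.items() if old in env]
    if "KC_DB" not in env:
        findings.append("KC_DB unset: Keycloak uses its built-in default store")
        if "--optimized" in command:
            findings.append("--optimized skips the build step that sets the db vendor")
    return findings

def fresh_store_boot(log: str) -> list:
    """Return the marker IDs present in one boot's log output."""
    return [marker for marker in FRESH_STORE_IDS if marker in log]

# Constructed samples: trimmed copies of the thread's environment and log lines.
SAMPLE_ENV = """
      DB_VENDOR: postgres
      DB_ADDR: keycloak-db
      DB_PASSWORD: password
      KC_HTTP_ENABLED: "true"
"""
SAMPLE_LOG = """\
... INFO [org.keycloak.services] (main) KC-SERVICES0050: Initializing master realm
... INFO [org.keycloak.services] (main) KC-SERVICES0009: Added user 'admin' to realm 'master'
"""

if __name__ == "__main__":
    print(audit(parse_env(SAMPLE_ENV), "start --optimized"), fresh_store_boot(SAMPLE_LOG))
```

Seeing both markers on any boot after the first one means the server started against an empty store, which for an identity provider also means every realm, client and user defined earlier is absent.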