The default kc.sh for keycloak17 (quarkus distribution) assumes that everything below kc.home.dir is writable for the uid of the running server. I’d like to separate code from data, with the code not writable. So when starting the server it should be possible to point to a separate tmpdir, datadir, etc. where data can be written. Is this possible? The wildfly-based installation used to have -Djboss.home.dir, -Djboss.server.base.dir, -Djboss.server.data.dir, -Djboss.server.log.dir, -Djboss.server.temp.dir and -Djboss.server.config.dir that could be used to point to different paths in the filesystem. How can this be achieved using the quarkus-based server?
This might be of interest for you: Keycloak Quarkus volatile installation data · Discussion #10323 · keycloak/keycloak · GitHub
Spot on!
My solution so far is to create a “kc.home.dir” consisting of symlinks to the code / data.
Assume keycloak is installed below /path/to/keycloak; during installation time a “kc.sh build” is done to reconfigure /path/to/keycloak to our needs. At runtime we do something like this:
mkdir -p /some/place/home && cd /some/place/home
ln -sfn /path/to/keycloak/lib
ln -sfn /path/to/keycloak/providers
ln -sfn /path/to/keycloak/themes
ln -sfn /path/to/writable/directory/data
And then start keycloak with kc.home.dir=/some/place/home
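One way to script the symlink layout described in this thread and then check, as the service uid, that only the data directory is writable. This is an added example, not code from the posters or the Keycloak project; the function names and the paths passed in are hypothetical, and the directory list is the one given in the post.

```shell
#!/bin/sh
# Added example: build a symlinked runtime home and verify code/data separation.
# Function names are hypothetical; all paths are supplied by the caller.

CODE_DIRS="lib providers themes"   # read-only entries, as listed in the post

# make_kc_home INSTALL_DIR HOME_DIR DATA_DIR
make_kc_home() {
    install=$1 home=$2 data=$3
    mkdir -p "$home" "$data" || return 1
    for d in $CODE_DIRS; do
        [ -d "$install/$d" ] || { echo "missing $install/$d" >&2; return 1; }
        ln -sfn "$install/$d" "$home/$d" || return 1
    done
    ln -sfn "$data" "$home/data"
}

# check_kc_home HOME_DIR
# Run as the service uid, not root: root passes every -w test.
# Returns 0 only if data is writable and nothing under the code links is.
check_kc_home() {
    home=$1 rc=0
    if [ ! -d "$home/data" ] || [ ! -w "$home/data" ]; then
        echo "data directory is not writable: $home/data" >&2
        rc=1
    fi
    for d in $CODE_DIRS; do
        # -L follows the symlink so the real install tree is inspected
        hits=$(find -L "$home/$d" -exec sh -c '[ -w "$1" ]' sh {} \; -print 2>/dev/null)
        if [ -n "$hits" ]; then
            echo "writable code path(s) reachable via $home/$d:" >&2
            echo "$hits" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: script.sh INSTALL_DIR HOME_DIR DATA_DIR
if [ $# -eq 3 ]; then
    make_kc_home "$1" "$2" "$3" && check_kc_home "$2"
fi
```

A non-zero exit from check_kc_home means the server uid can still modify something under lib, providers or themes, or cannot write to data.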