Startup keycloak as a permanent runing service

Getting advice
1

Hello everybody,

i started with the installation of keycloak as a standalone server based on the zip file with wildfly.

But i have run into problems to start the service keycloak permanently as a service or behind a reverse proxy like apache or nginx

How can I start keycloak permanently without having to start the file manually?

Here I have already tested the following configuration but unfortunately the service keycloak does not start

/etc/systemd/system/keycloak.service

[Unit]
Description=Keycloak
After=network.target

[Service]
Type=idle
User=keycloak
Group=keycloak
ExecStart=KEYCLOAK_HOME/bin/standalone.sh -b 0.0.0.0
TimeoutStartSec=600
TimeoutStopSec=600

[Install]
WantedBy=multi-user.target

And the error message from the service “keycloak.service”:

grafik
grafik861×192 8.94 KB

Maybe someone here can help me

Many thanks for your help

Using Keycloak 12.0.4 (Distribution powered by WildFly) on Cent OS 7

2
1 Like
3

Thanks for your reply @dasniko

I will have a look at the sample files in the ZIP directory “…\keycloak-12.0.4\docs\contrib…” and get back to you otherwise if necessary

4

I’m replying to this because it’s the second hit on google for “keycloak systemd”

I did a lot of research on starting keycloak standalone using systemd, including the reviewing the information keycloak-15.0.1/docs/contrib/scripts. One note about the contrib scripts: they appear to be from the wildfly project and not specific to keycloak.

I Basically used the OP’s service file with a couple of changes:

[Unit]
Description=Keycloak Service
After=network.target

[Service]
User=keycloak
Group=keycloak
ExecStart=/opt/keycloak-15.0.1/bin/standalone.sh
WorkingDirectory=/opt/keycloak-15.0.1

[Install]
WantedBy=multi-user.target

I found the Type=idle and Timeout* fields did not appear to be needed. I think the key attribute is the WorkingDirectory= setting. I read the standalone.sh script and it does quite a few things based on the current directory.

Notes:

  1. I’m unpacking keycloak into /opt
  2. I created the keycloak user and group, and chown’d /opt/keycloak-15.0.1 with this user and group.
  3. I’m not overriding the default of binding to 127.0.0.1 because I’m using nginx to reverse proxy, but that should be a simple change to the ExecStart= setting.

The above script is working for me on CentOS, and both starts and stops keycloak, and I have it enabled and it starts keycloak at boot.

HTH anyone who comes after me.

1 Like
5

My 2p:

  1. The ‘WorkingDirectory’ isn’t required
  2. Keycloak normally exits with code 143, which looks like a problem in the systemctl and journalctl output. Avoid this by adding ‘SuccessExitStatus=0 143’ in the ‘Service’ section
  3. Add ‘–optimized’ to the ExecStart line
  4. The default ‘Restart’ is no, so your service never restarts if it dies. This isn’t great: consider ‘Restart=always’
  5. You’ve set owner ‘keycloak:keycloak’ for the entire /opt/keycloak tree. This sounds like a really bad idea. My setup works fine with only /opt/keycloak/data owned by keycloak:keycloak, with everything else being owned by root:root

My setup: Keycloak 23, Ubuntu 22.04, Apache reverse proxy.