From d90c9685c424f72cce54e6bf076c202263cca712 Mon Sep 17 00:00:00 2001 From: Guido Grazioli Date: Tue, 14 Dec 2021 13:21:03 +0100 Subject: [PATCH 01/10] Debug molecule in gh workflow --- roles/keycloak/tasks/systemd.yml | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/roles/keycloak/tasks/systemd.yml b/roles/keycloak/tasks/systemd.yml index 67fd2e1..c189a70 100644 --- a/roles/keycloak/tasks/systemd.yml +++ b/roles/keycloak/tasks/systemd.yml @@ -38,12 +38,23 @@ daemon_reload: yes when: systemdunit.changed -- name: start keycloak - systemd: - name: keycloak - enabled: yes - state: started - become: yes +- block: + - name: start keycloak + systemd: + name: keycloak + enabled: yes + state: started + become: yes + rescue: + - command: "systemctl status keycloak" + changed_when: False + ignore_errors: True + - command: "journalctl -xe -ukeycloak" + changed_when: False + ignore_errors: True + - command: "tail -n 100 /opt/keycloak/keycloak.log" + changed_when: False + ignore_errors: True - command: "systemctl status keycloak" register: keycloak_service_status From cc211d22e58178576b4b90978c96c11a385b3c84 Mon Sep 17 00:00:00 2001 From: Guido Grazioli Date: Tue, 14 Dec 2021 13:37:19 +0100 Subject: [PATCH 02/10] Workaround 'Protocol family unavailable on a Java+Docker+WildFly' See: https://access.redhat.com/solutions/2801771 --- roles/keycloak/templates/keycloak-service.sh.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/keycloak/templates/keycloak-service.sh.j2 b/roles/keycloak/templates/keycloak-service.sh.j2 index 6e9a4e2..66fece0 100755 --- a/roles/keycloak/templates/keycloak-service.sh.j2 +++ b/roles/keycloak/templates/keycloak-service.sh.j2 
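Review bot: The `rescue:` section added around `start keycloak` has no terminating failure and every task in it sets `ignore_errors: True`, so a failed start is treated as rescued and the play carries on to the following `systemctl status keycloak` task instead of stopping at the real error; close the rescue with a `fail:` task whose `msg` names the failed start. The diagnostic tasks are unnamed and hard-code `/opt/keycloak/keycloak.log` where the role defines `keycloak_service_logfile`, and no `become` is visible on them, so `journalctl -xe -ukeycloak` may show nothing when the connection user is unprivileged. The log tail (and, from PATCH 05 on, `cat /opt/keycloak/keycloak-service.sh`) lands in the CI job output at high verbosity, so confirm neither can contain credentials before this leaves a debug branch. The same points apply to the extended rescue in PATCH 05 and the copy re-added in PATCH 09.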
@@ -81,6 +81,7 @@ startKeycloak() { -Djboss.https.port=${KEYCLOAK_HTTPS_PORT} \ -Djboss.management.http.port=${KEYCLOAK_MANAGEMENT_HTTP_PORT} \ -Djboss.management.https.port=${KEYCLOAK_MANAGEMENT_HTTPS_PORT} \ + {% if ansible_facts.virtualization_type == 'docker' %}-Djava.net.preferIPv4Stack=true \{% endif %} -Djboss.node.name={{ inventory_hostname }} 2>&1 >> "${KEYCLOAK_LOGFILE}" & echo "${!}" > "${KEYCLOAK_PIDFILE}" fi From 5eead6fc027634c31cf18ec50672b87e0a9bdece Mon Sep 17 00:00:00 2001 From: Guido Grazioli Date: Tue, 14 Dec 2021 13:51:01 +0100 Subject: [PATCH 03/10] Fix initd script --- roles/keycloak/templates/keycloak-service.sh.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/keycloak/templates/keycloak-service.sh.j2 b/roles/keycloak/templates/keycloak-service.sh.j2 index 66fece0..9db7d5a 100755 --- a/roles/keycloak/templates/keycloak-service.sh.j2 +++ b/roles/keycloak/templates/keycloak-service.sh.j2 @@ -81,8 +81,8 @@ startKeycloak() { -Djboss.https.port=${KEYCLOAK_HTTPS_PORT} \ -Djboss.management.http.port=${KEYCLOAK_MANAGEMENT_HTTP_PORT} \ -Djboss.management.https.port=${KEYCLOAK_MANAGEMENT_HTTPS_PORT} \ - {% if ansible_facts.virtualization_type == 'docker' %}-Djava.net.preferIPv4Stack=true \{% endif %} - -Djboss.node.name={{ inventory_hostname }} 2>&1 >> "${KEYCLOAK_LOGFILE}" & + -Djboss.node.name={{ inventory_hostname }} {% if ansible_facts.virtualization_type in ['docker','oci'] %}-Djava.net.preferIPv4Stack=true {% endif %}\ + 2>&1 >> "${KEYCLOAK_LOGFILE}" & echo "${!}" > "${KEYCLOAK_PIDFILE}" fi } From 26ef1eb531c0e8c2a7392c2fe68e4ff2f0c2d54b Mon Sep 17 00:00:00 2001 From: Guido Grazioli Date: Tue, 14 Dec 2021 14:25:01 +0100 Subject: [PATCH 04/10] add preferIPv4addresses to java_opts --- molecule/default/molecule.yml | 2 -- roles/keycloak/templates/keycloak-service.sh.j2 | 2 +- 2 files changed, 1 insertion(+), 3 deletions(-) 
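Review bot: The backslash written inside the conditional in PATCH 02, just before `{% endif %}`, is unlikely to act as a line continuation in the rendered script. Ansible's template module enables `trim_blocks` by default, which drops the newline right after a block tag, so the `\` would end up escaping the next line's leading space and pass `standalone.sh` a stray blank argument (inferred; the rendered output is not shown here). Placing the backslash after the tag, `{% if … %}-Djava.net.preferIPv4Stack=true {% endif %}\`, keeps the newline it is meant to escape in both renderings. `startKeycloak` begins and ends outside the hunk.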
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 1b3efda..fdafef5 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -13,8 +13,6 @@ platforms: - "8080/tcp" - "8443/tcp" - "8009/tcp" - published_ports: - - 0.0.0.0:8443:8443/TCP provisioner: name: ansible config_options: diff --git a/roles/keycloak/templates/keycloak-service.sh.j2 b/roles/keycloak/templates/keycloak-service.sh.j2 index 9db7d5a..d5d3457 100755 --- a/roles/keycloak/templates/keycloak-service.sh.j2 +++ b/roles/keycloak/templates/keycloak-service.sh.j2 @@ -81,7 +81,7 @@ startKeycloak() { -Djboss.https.port=${KEYCLOAK_HTTPS_PORT} \ -Djboss.management.http.port=${KEYCLOAK_MANAGEMENT_HTTP_PORT} \ -Djboss.management.https.port=${KEYCLOAK_MANAGEMENT_HTTPS_PORT} \ - -Djboss.node.name={{ inventory_hostname }} {% if ansible_facts.virtualization_type in ['docker','oci'] %}-Djava.net.preferIPv4Stack=true {% endif %}\ + -Djboss.node.name={{ inventory_hostname }} {% if ansible_facts.virtualization_type in ['docker','oci'] %}-Djava.net.preferIPv4Stack=true -Djava.net.preferIPv4Addresses=true {% endif %}\ 2>&1 >> "${KEYCLOAK_LOGFILE}" & echo "${!}" > "${KEYCLOAK_PIDFILE}" fi From b8dad07e5fd7e71ffe4729b8c7a104664871ced4 Mon Sep 17 00:00:00 2001 From: Guido Grazioli Date: Tue, 14 Dec 2021 14:40:40 +0100 Subject: [PATCH 05/10] add more debugging --- roles/keycloak/tasks/systemd.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/roles/keycloak/tasks/systemd.yml b/roles/keycloak/tasks/systemd.yml index c189a70..777f6a6 100644 --- a/roles/keycloak/tasks/systemd.yml +++ b/roles/keycloak/tasks/systemd.yml 
@@ -55,6 +55,13 @@ - command: "tail -n 100 /opt/keycloak/keycloak.log" changed_when: False ignore_errors: True + - debug: + msg: "Virt type: {{ ansible_facts.virtualization_type }} - {{ ansible_facts['virtualization_type'] }}" + changed_when: False + ignore_errors: True + - command: "cat /opt/keycloak/keycloak-service.sh" + changed_when: False + ignore_errors: True - command: "systemctl status keycloak" register: keycloak_service_status From 2c87d1023fa0db1fabef69e303c1978b443da4f3 Mon Sep 17 00:00:00 2001 From: Guido Grazioli Date: Tue, 14 Dec 2021 14:50:54 +0100 Subject: [PATCH 06/10] add virtualization_type containerd to initd template --- roles/keycloak/templates/keycloak-service.sh.j2 | 2 +- roles/keycloak/templates/keycloak.service.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/keycloak/templates/keycloak-service.sh.j2 b/roles/keycloak/templates/keycloak-service.sh.j2 index d5d3457..32aba1c 100755 --- a/roles/keycloak/templates/keycloak-service.sh.j2 +++ b/roles/keycloak/templates/keycloak-service.sh.j2 @@ -81,7 +81,7 @@ startKeycloak() { -Djboss.https.port=${KEYCLOAK_HTTPS_PORT} \ -Djboss.management.http.port=${KEYCLOAK_MANAGEMENT_HTTP_PORT} \ -Djboss.management.https.port=${KEYCLOAK_MANAGEMENT_HTTPS_PORT} \ - -Djboss.node.name={{ inventory_hostname }} {% if ansible_facts.virtualization_type in ['docker','oci'] %}-Djava.net.preferIPv4Stack=true -Djava.net.preferIPv4Addresses=true {% endif %}\ + -Djboss.node.name={{ inventory_hostname }} {% if ansible_facts.virtualization_type in ['docker','containerd'] %}-Djava.net.preferIPv4Stack=true -Djava.net.preferIPv4Addresses=true {% endif %}\ 2>&1 >> "${KEYCLOAK_LOGFILE}" & echo "${!}" > "${KEYCLOAK_PIDFILE}" fi diff --git a/roles/keycloak/templates/keycloak.service.j2 b/roles/keycloak/templates/keycloak.service.j2 index 2824a25..a3aa846 100644 --- a/roles/keycloak/templates/keycloak.service.j2 +++ b/roles/keycloak/templates/keycloak.service.j2 
@@ -11,7 +11,7 @@ Group={{ keycloak_service_group }} PIDFile={{ keycloak_service_pidfile }} ExecStart={{ keycloak_dest }}/keycloak-service.sh start ExecStop={{ keycloak_dest }}/keycloak-service.sh stop -TimeoutStartSec=90 +TimeoutStartSec=60 TimeoutStopSec=60 LimitNOFILE=102642 From 26fe41595d214c278ce92adeb053566dc983b03f Mon Sep 17 00:00:00 2001 From: Guido Grazioli Date: Tue, 14 Dec 2021 15:37:58 +0100 Subject: [PATCH 07/10] Reconfig initd start script --- roles/keycloak/templates/keycloak-service.sh.j2 | 3 +-- roles/keycloak/templates/keycloak.service.j2 | 4 ++-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/roles/keycloak/templates/keycloak-service.sh.j2 b/roles/keycloak/templates/keycloak-service.sh.j2 index 32aba1c..051af77 100755 --- a/roles/keycloak/templates/keycloak-service.sh.j2 +++ b/roles/keycloak/templates/keycloak-service.sh.j2 @@ -75,7 +75,7 @@ startKeycloak() { if [ "$(isKeyCloakRunning)" -eq 1 ]; then statusKeycloak else - ${KEYCLOAK_HOME}/bin/standalone.sh \ + JLAUNCH_JBOSS_IN_BACKGROUND=1 JBOSS_PIDFILE=${KEYCLOAK_PIDFILE} ${KEYCLOAK_HOME}/bin/standalone.sh \ -Djboss.bind.address=${KEYCLOAK_BIND_ADDRESS} \ -Djboss.http.port=${KEYCLOAK_HTTP_PORT} \ -Djboss.https.port=${KEYCLOAK_HTTPS_PORT} \ @@ -83,7 +83,6 @@ startKeycloak() { -Djboss.management.https.port=${KEYCLOAK_MANAGEMENT_HTTPS_PORT} \ -Djboss.node.name={{ inventory_hostname }} {% if ansible_facts.virtualization_type in ['docker','containerd'] %}-Djava.net.preferIPv4Stack=true -Djava.net.preferIPv4Addresses=true {% endif %}\ 2>&1 >> "${KEYCLOAK_LOGFILE}" & - echo "${!}" > "${KEYCLOAK_PIDFILE}" fi } diff --git a/roles/keycloak/templates/keycloak.service.j2 b/roles/keycloak/templates/keycloak.service.j2 index a3aa846..a56acce 100644 --- a/roles/keycloak/templates/keycloak.service.j2 +++ b/roles/keycloak/templates/keycloak.service.j2 
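Review bot: `JLAUNCH_JBOSS_IN_BACKGROUND=1` in the first `keycloak-service.sh.j2` hunk of PATCH 07 looks like a typo for `LAUNCH_JBOSS_IN_BACKGROUND`, the variable WildFly's `standalone.sh` checks before it writes `JBOSS_PIDFILE`. With the misspelt name and the `echo "${!}" > "${KEYCLOAK_PIDFILE}"` line removed in the second hunk, nothing visible here creates the PID file, so a `Type=forking` unit with `PIDFile=` would wait until `TimeoutStartSec` expires. The new assignment should also be quoted, `JBOSS_PIDFILE="${KEYCLOAK_PIDFILE}"`, to match the quoting already used for `KEYCLOAK_LOGFILE`. `startKeycloak` begins outside the hunk.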
@@ -11,8 +11,8 @@ Group={{ keycloak_service_group }} PIDFile={{ keycloak_service_pidfile }} ExecStart={{ keycloak_dest }}/keycloak-service.sh start ExecStop={{ keycloak_dest }}/keycloak-service.sh stop -TimeoutStartSec=60 -TimeoutStopSec=60 +TimeoutStartSec=30 +TimeoutStopSec=30 LimitNOFILE=102642 [Install] From e14220a01b7cde09e030af144d5226ac938884f5 Mon Sep 17 00:00:00 2001 From: Guido Grazioli Date: Tue, 14 Dec 2021 16:01:41 +0100 Subject: [PATCH 08/10] Rewrite initd/systemd scripts interaction --- .github/workflows/ci.yml | 2 +- roles/keycloak/tasks/systemd.yml | 30 ++++--------------- .../keycloak/templates/keycloak-service.sh.j2 | 18 ++++++----- 3 files changed, 17 insertions(+), 33 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 27f622a..9034acc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -38,7 +38,7 @@ jobs: working-directory: ./ansible_collections/middleware_automation/keycloak - name: Run molecule test - run: molecule test --all -- -vvvvv + run: molecule test --all working-directory: ./ansible_collections/middleware_automation/keycloak env: PY_COLORS: '1' diff --git a/roles/keycloak/tasks/systemd.yml b/roles/keycloak/tasks/systemd.yml index 777f6a6..67fd2e1 100644 --- a/roles/keycloak/tasks/systemd.yml +++ b/roles/keycloak/tasks/systemd.yml 
@@ -38,30 +38,12 @@ daemon_reload: yes when: systemdunit.changed -- block: - - name: start keycloak - systemd: - name: keycloak - enabled: yes - state: started - become: yes - rescue: - - command: "systemctl status keycloak" - changed_when: False - ignore_errors: True - - command: "journalctl -xe -ukeycloak" - changed_when: False - ignore_errors: True - - command: "tail -n 100 /opt/keycloak/keycloak.log" - changed_when: False - ignore_errors: True - - debug: - msg: "Virt type: {{ ansible_facts.virtualization_type }} - {{ ansible_facts['virtualization_type'] }}" - changed_when: False - ignore_errors: True - - command: "cat /opt/keycloak/keycloak-service.sh" - changed_when: False - ignore_errors: True +- name: start keycloak + systemd: + name: keycloak + enabled: yes + state: started + become: yes - command: "systemctl status keycloak" register: keycloak_service_status diff --git a/roles/keycloak/templates/keycloak-service.sh.j2 b/roles/keycloak/templates/keycloak-service.sh.j2 index 051af77..60adab2 100755 --- a/roles/keycloak/templates/keycloak-service.sh.j2 +++ b/roles/keycloak/templates/keycloak-service.sh.j2 
@@ -75,14 +75,16 @@ startKeycloak() { if [ "$(isKeyCloakRunning)" -eq 1 ]; then statusKeycloak else - JLAUNCH_JBOSS_IN_BACKGROUND=1 JBOSS_PIDFILE=${KEYCLOAK_PIDFILE} ${KEYCLOAK_HOME}/bin/standalone.sh \ - -Djboss.bind.address=${KEYCLOAK_BIND_ADDRESS} \ - -Djboss.http.port=${KEYCLOAK_HTTP_PORT} \ - -Djboss.https.port=${KEYCLOAK_HTTPS_PORT} \ - -Djboss.management.http.port=${KEYCLOAK_MANAGEMENT_HTTP_PORT} \ - -Djboss.management.https.port=${KEYCLOAK_MANAGEMENT_HTTPS_PORT} \ - -Djboss.node.name={{ inventory_hostname }} {% if ansible_facts.virtualization_type in ['docker','containerd'] %}-Djava.net.preferIPv4Stack=true -Djava.net.preferIPv4Addresses=true {% endif %}\ - 2>&1 >> "${KEYCLOAK_LOGFILE}" & + LAUNCH_JBOSS_IN_BACKGROUND=1 JBOSS_PIDFILE=${KEYCLOAK_PIDFILE} ${KEYCLOAK_HOME}/bin/standalone.sh \ + -Djboss.bind.address=${KEYCLOAK_BIND_ADDRESS} \ + -Djboss.http.port=${KEYCLOAK_HTTP_PORT} \ + -Djboss.https.port=${KEYCLOAK_HTTPS_PORT} \ + -Djboss.management.http.port=${KEYCLOAK_MANAGEMENT_HTTP_PORT} \ + -Djboss.management.https.port=${KEYCLOAK_MANAGEMENT_HTTPS_PORT} \ + -Djboss.node.name={{ inventory_hostname }} \ + {% if ansible_facts.virtualization_type in ['docker','oci','containerd'] %}-Djava.net.preferIPv4Stack=true -Djava.net.preferIPv4Addresses=true {% endif %}\ + 2>&1 >> "${KEYCLOAK_LOGFILE}" & + while [ ! -f ${KEYCLOAK_PIDFILE} ]; do sleep 1; done fi } From 210d3ebf4da01adeed66a1265ddd7a3efdd42105 Mon Sep 17 00:00:00 2001 From: Guido Grazioli Date: Tue, 14 Dec 2021 16:12:26 +0100 Subject: [PATCH 09/10] Move envvars to /etc/defaults --- roles/keycloak/tasks/main.yml | 1 + roles/keycloak/tasks/systemd.yml | 30 +++++++++++++++---- .../keycloak/templates/keycloak-sysconfig.j2 | 2 ++ roles/keycloak/templates/keycloak.service.j2 | 2 +- 4 files changed, 28 insertions(+), 7 deletions(-) diff --git a/roles/keycloak/tasks/main.yml b/roles/keycloak/tasks/main.yml index ce8b8b5..c6bf0b9 100644 --- a/roles/keycloak/tasks/main.yml +++ b/roles/keycloak/tasks/main.yml 
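Review bot: The added wait loop `while [ ! -f ${KEYCLOAK_PIDFILE} ]; do sleep 1; done` has no upper bound, so if the JVM exits before writing the PID file the script spins until something outside stops it; under systemd that is `TimeoutStartSec`, but a manual `keycloak-service.sh start` would hang indefinitely. Bound the wait and quote the path, for example `for i in $(seq 1 30); do [ -f "${KEYCLOAK_PIDFILE}" ] && break; sleep 1; done`, and return non-zero when the file is still missing so the caller sees the failed start. The re-indented `2>&1 >> "${KEYCLOAK_LOGFILE}"` also applies the redirections in an order that leaves stderr on the caller's stdout; `>> "${KEYCLOAK_LOGFILE}" 2>&1` sends startup errors to the log as well.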
@@ -8,6 +8,7 @@ - include_tasks: tasks/install.yml +## FIXME not idempotent (keyclock removes the file when it restarts) - name: create Keycloak admin user command: args: diff --git a/roles/keycloak/tasks/systemd.yml b/roles/keycloak/tasks/systemd.yml index 67fd2e1..8584c2e 100644 --- a/roles/keycloak/tasks/systemd.yml +++ b/roles/keycloak/tasks/systemd.yml @@ -38,12 +38,30 @@ daemon_reload: yes when: systemdunit.changed -- name: start keycloak - systemd: - name: keycloak - enabled: yes - state: started - become: yes +- block: + - name: start keycloak + systemd: + name: keycloak + enabled: yes + state: started + become: yes + rescue: + - command: "systemctl status keycloak" + changed_when: False + ignore_errors: True + - command: "journalctl -xe -ukeycloak" + changed_when: False + ignore_errors: True + - command: "tail -n 100 /opt/keycloak/keycloak.log" + changed_when: False + ignore_errors: True + - debug: + msg: "Virt type: {{ ansible_facts.virtualization_type }}" + changed_when: False + ignore_errors: True + - command: "cat /opt/keycloak/keycloak-service.sh" + changed_when: False + ignore_errors: True - command: "systemctl status keycloak" register: keycloak_service_status diff --git a/roles/keycloak/templates/keycloak-sysconfig.j2 b/roles/keycloak/templates/keycloak-sysconfig.j2 index d0682ac..f2eda03 100644 --- a/roles/keycloak/templates/keycloak-sysconfig.j2 +++ b/roles/keycloak/templates/keycloak-sysconfig.j2 @@ -5,3 +5,5 @@ KEYCLOAK_HTTP_PORT={{ keycloak_http_port }} KEYCLOAK_HTTPS_PORT={{ keycloak_https_port }} KEYCLOAK_MANAGEMENT_HTTP_PORT={{ keycloak_management_http_port }} KEYCLOAK_MANAGEMENT_HTTPS_PORT={{ keycloak_management_https_port }} +JBOSS_PIDFILE='{{ keycloak_service_pidfile }}' +LAUNCH_JBOSS_IN_BACKGROUND=1 \ No newline at end of file diff --git a/roles/keycloak/templates/keycloak.service.j2 b/roles/keycloak/templates/keycloak.service.j2 index a56acce..4c55da6 100644 --- a/roles/keycloak/templates/keycloak.service.j2 
+++ b/roles/keycloak/templates/keycloak.service.j2 @@ -11,7 +11,7 @@ Group={{ keycloak_service_group }} PIDFile={{ keycloak_service_pidfile }} ExecStart={{ keycloak_dest }}/keycloak-service.sh start ExecStop={{ keycloak_dest }}/keycloak-service.sh stop -TimeoutStartSec=30 +TimeoutStartSec=45 TimeoutStopSec=30 LimitNOFILE=102642 From c7940e4f588aac30556c9b17f933d789393de80b Mon Sep 17 00:00:00 2001 From: Guido Grazioli Date: Tue, 14 Dec 2021 16:20:26 +0100 Subject: [PATCH 10/10] Run as root or systemd wont accept the pidfile --- roles/keycloak/defaults/main.yml | 2 +- roles/keycloak/tasks/systemd.yml | 30 ++++---------------- roles/keycloak/templates/keycloak.service.j2 | 5 +--- 3 files changed, 8 insertions(+), 29 deletions(-) diff --git a/roles/keycloak/defaults/main.yml b/roles/keycloak/defaults/main.yml index af9ccdc..b0d574d 100644 --- a/roles/keycloak/defaults/main.yml +++ b/roles/keycloak/defaults/main.yml @@ -20,7 +20,7 @@ keycloak_jboss_home: "{{ keycloak_rhsso_installdir if rhsso_rhn_id is defined el keycloak_config_dir: "{{ keycloak_jboss_home }}/standalone/configuration" keycloak_service_user: keycloak keycloak_service_group: keycloak -keycloak_service_pidfile: "{{ keycloak_dest }}/keycloak.pid" +keycloak_service_pidfile: "/run/keycloak.pid" keycloak_service_logfile: "{{ keycloak_dest }}/keycloak.log" ### Keycloak configuration settings diff --git a/roles/keycloak/tasks/systemd.yml b/roles/keycloak/tasks/systemd.yml index 8584c2e..67fd2e1 100644 --- a/roles/keycloak/tasks/systemd.yml +++ b/roles/keycloak/tasks/systemd.yml 
@@ -38,30 +38,12 @@ daemon_reload: yes when: systemdunit.changed -- block: - - name: start keycloak - systemd: - name: keycloak - enabled: yes - state: started - become: yes - rescue: - - command: "systemctl status keycloak" - changed_when: False - ignore_errors: True - - command: "journalctl -xe -ukeycloak" - changed_when: False - ignore_errors: True - - command: "tail -n 100 /opt/keycloak/keycloak.log" - changed_when: False - ignore_errors: True - - debug: - msg: "Virt type: {{ ansible_facts.virtualization_type }}" - changed_when: False - ignore_errors: True - - command: "cat /opt/keycloak/keycloak-service.sh" - changed_when: False - ignore_errors: True +- name: start keycloak + systemd: + name: keycloak + enabled: yes + state: started + become: yes - command: "systemctl status keycloak" register: keycloak_service_status diff --git a/roles/keycloak/templates/keycloak.service.j2 b/roles/keycloak/templates/keycloak.service.j2 index 4c55da6..5816af0 100644 --- a/roles/keycloak/templates/keycloak.service.j2 +++ b/roles/keycloak/templates/keycloak.service.j2 @@ -5,13 +5,10 @@ After=network.target [Service] Type=forking EnvironmentFile=-/etc/sysconfig/keycloak - -User={{ keycloak_service_user }} -Group={{ keycloak_service_group }} PIDFile={{ keycloak_service_pidfile }} ExecStart={{ keycloak_dest }}/keycloak-service.sh start ExecStop={{ keycloak_dest }}/keycloak-service.sh stop -TimeoutStartSec=45 +TimeoutStartSec=30 TimeoutStopSec=30 LimitNOFILE=102642
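Review bot: Dropping `User={{ keycloak_service_user }}` and `Group={{ keycloak_service_group }}` makes the unit run `keycloak-service.sh` and the Keycloak JVM as root, so any flaw in this network-facing identity service is no longer contained to the `keycloak` account. The PID-file problem can most likely be solved without giving up the unprivileged user: keep both directives, add `RuntimeDirectory=keycloak`, and change the default in the `defaults/main.yml` hunk to `keycloak_service_pidfile: "/run/keycloak/keycloak.pid"`, a directory systemd creates owned by the service user. As written, `/run/keycloak.pid` is writable only by root, which is what forces the privilege change. If root is kept deliberately, document it next to the unit and note that files under `{{ keycloak_dest }}` will now be created as root.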