Problems with Installation of Keycloak in TrueNAS jail

matclou

Dabbler
Joined
Feb 15, 2020
Messages
33
Hi all,

I am facing some problems while installing the keycloak port into a FreeBSD jail. I used a 13.1 jail and TrueNAS 13 U4.

I used the following command to install the port:
Code:
pkg install git
git clone https://git.FreeBSD.org/ports.git /usr/ports
git -C /usr/ports pull
cd /usr/ports/net/keycloak/ && make install clean BATCH=yes


Afterwards I receive some errors while openjdk is built (see the log below this message).

Code:
===>  Building for openjdk11-11.0.18+10.1

gmake[2]: Entering directory '/usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1'

gmake[3]: Entering directory '/usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1'

gmake[3]: Leaving directory '/usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1'

gmake[3]: Entering directory '/usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1'

Building target 'images' in configuration 'bsd-x86_64-normal-server-release'

gmake[4]: Entering directory '/usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1'

gmake[5]: Entering directory '/usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1/make'

gmake[5]: Entering directory '/usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1/make'

gmake[5]: Entering directory '/usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1/make'

gmake[5]: Entering directory '/usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1/make'

Compiling 8 files for BUILD_TOOLS_LANGTOOLS

gmake[5]: Leaving directory '/usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1/make'

gmake[5]: Entering directory '/usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1/make'

gmake[5]: Leaving directory '/usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1/make'

gmake[5]: Leaving directory '/usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1/make'

gmake[5]: Entering directory '/usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1/make'

gmake[5]: Entering directory '/usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1/make'

gmake[5]: Leaving directory '/usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1/make'

gmake[5]: Leaving directory '/usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1/make'

gmake[5]: Entering directory '/usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1/make'

gmake[5]: Leaving directory '/usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1/make'

gmake[5]: Entering directory '/usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1/make'

Warning: No SCM configuration present and no .src-rev

gmake[5]: Leaving directory '/usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1/make'

gmake[5]: Leaving directory '/usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1/make'

gmake[5]: Entering directory '/usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1/make/hotspot'

gmake[5]: Entering directory '/usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1/make'

gmake[5]: Leaving directory '/usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1/make'

Creating hotspot/variant-server/tools/adlc/adlc from 13 file(s)

Compiling 2 files for BUILD_JVMTI_TOOLS

dtrace: dtrace: dtrace: failed to compile script /usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1/build/bsd-x86_64-normal-server-release/hotspot/variant-server/support/dtrace/hotspot_jni.h.d: "/usr/lib/dtrace/ipfw.d", line 1: syntax error near "in_addr_t"

failed to compile script /usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1/build/bsd-x86_64-normal-server-release/hotspot/variant-server/support/dtrace/hs_private.h.d: "/usr/lib/dtrace/ipfw.d", line 1: syntax error near "in_addr_t"

failed to compile script /usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1/build/bsd-x86_64-normal-server-release/hotspot/variant-server/support/dtrace/hotspot.h.d: "/usr/lib/dtrace/ipfw.d", line 1: syntax error near "in_addr_t"

gmake[5]: *** [gensrc/GensrcDtrace.gmk:51: /usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1/build/bsd-x86_64-normal-server-release/hotspot/variant-server/gensrc/dtracefiles/hotspot_jni.h] Error 1

gmake[5]: *** Waiting for unfinished jobs....

gmake[5]: *** [gensrc/GensrcDtrace.gmk:51: /usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1/build/bsd-x86_64-normal-server-release/hotspot/variant-server/gensrc/dtracefiles/hotspot.h] Error 1

gmake[5]: *** [gensrc/GensrcDtrace.gmk:51: /usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1/build/bsd-x86_64-normal-server-release/hotspot/variant-server/gensrc/dtracefiles/hs_private.h] Error 1

gmake[5]: Leaving directory '/usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1/make/hotspot'

gmake[4]: *** [make/Main.gmk:265: hotspot-server-gensrc] Error 2

gmake[4]: *** Waiting for unfinished jobs....

gmake[5]: Leaving directory '/usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1/make'

gmake[4]: Leaving directory '/usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1'


ERROR: Build failed for target 'images' in configuration 'bsd-x86_64-normal-server-release' (exit code 2)

gmake[4]: Entering directory '/usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1'


=== Output from failing command(s) repeated here ===

* For target hotspot_variant-server_gensrc_dtracefiles_hotspot.h:

dtrace: failed to compile script /usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1/build/bsd-x86_64-normal-server-release/hotspot/variant-server/support/dtrace/hotspot.h.d: "/usr/lib/dtrace/ipfw.d", line 1: syntax error near "in_addr_t"

* For target hotspot_variant-server_gensrc_dtracefiles_hotspot_jni.h:

dtrace: failed to compile script /usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1/build/bsd-x86_64-normal-server-release/hotspot/variant-server/support/dtrace/hotspot_jni.h.d: "/usr/lib/dtrace/ipfw.d", line 1: syntax error near "in_addr_t"

* For target hotspot_variant-server_gensrc_dtracefiles_hs_private.h:

dtrace: failed to compile script /usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1/build/bsd-x86_64-normal-server-release/hotspot/variant-server/support/dtrace/hs_private.h.d: "/usr/lib/dtrace/ipfw.d", line 1: syntax error near "in_addr_t"


* All command lines available in /usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1/build/bsd-x86_64-normal-server-release/make-support/failure-logs.

=== End of repeated output ===


No indication of failed target found.

Hint: Try searching the build log for '] Error'.

Hint: See doc/building.html#troubleshooting for assistance.


gmake[4]: Leaving directory '/usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1'

gmake[3]: *** [/usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1/make/Init.gmk:305: main] Error 2

gmake[3]: Leaving directory '/usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1'

gmake[2]: *** [/usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1/make/Init.gmk:186: images] Error 2

gmake[2]: Leaving directory '/usr/ports/java/openjdk11/work/jdk11u-jdk-11.0.18-10-1'

===> Compilation failed unexpectedly.

Try to set MAKE_JOBS_UNSAFE=yes and rebuild before reporting the failure to

the maintainer.

*** Error code 1


Stop.

make[1]: stopped in /usr/ports/java/openjdk11

*** Error code 1


Stop.

make: stopped in /usr/ports/net/keycloak


I also wrote to the maintainer of this port. He wrote to me that it is likely not an issue with the port itself but with the Java build in TrueNAS itself, referring to these two threads:


Would you agree that this is a problem with the java build in TrueNAS? How can I fix this problem? I read this instruction "Try to set MAKE_JOBS_UNSAFE=yes and rebuild" - but I do not know whether that could help given that the maintainer already told me that there should be no mistake in the keycloak build.

Best regards

matclou
 
Joined
Oct 22, 2019
Messages
3,641
Why are you using the Ports Collection instead of the binary packages?

I'd delete the Ports Collection (which takes up about 1 GiB of space) and use the binary package system instead. Easier to update and install.
 

matclou

Dabbler
Joined
Feb 15, 2020
Messages
33
Hi, thanks for that! In fact I just tried this, and there were no error messages! I am fine trying it this way!

But I have to confess that I am a real beginner with regard to FreeBSD - so I really do not have any idea how to proceed after the installation :smile: Or in other words: how can I now start the application? Do you maybe have a link to what has to be done now? You see, I am a bit lost here, trying to find a good way to get some practical experience :-/
 
Joined
Oct 22, 2019
Messages
3,641
Or in other words: how can I now start the application?
You enable the service using sysrc or by manually editing /etc/rc.conf.

Then just start the service or restart the jail.

The rest is a matter of configuring Keycloak, which would be the same for a FreeBSD or Linux environment. (Make sure to bind it to an IP address available to other clients on the network. Otherwise, it will only listen to connections on 127.0.0.1)
 

matclou

Dabbler
Joined
Feb 15, 2020
Messages
33
hi,

okay; but in my case the rc.conf file looks like this:

[attached screenshot of the jail's /etc/rc.conf]


What options should I enable?
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Add keycloak_enable="YES". Then execute service keycloak start.
 

matclou

Dabbler
Joined
Feb 15, 2020
Messages
33
Hi & Thanks! I tried this and in fact the service "keycloak" is now running.

However, I still cannot access a web GUI under the URL of the jail on port 8080.

Maybe some more steps are necessary to actually run keycloak? I found this script: https://gist.github.com/tatsuyaueda/09286695eac2739d762e9df0f3894223

Do I maybe have to execute these steps?

Sorry, these are now very detailed questions - if there is a better place for them (or you have a resource I should use), please let me know ;-)
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
What does the default keycloak configuration file look like? On which IP addresses does the service listen? The keycloak manual is the resource to consult now.
 
Joined
Oct 22, 2019
Messages
3,641
On which IP addresses does the service listen?
It defaults to listen only on 127.0.0.1, and this is intentional by design. The official Keycloak documentation shows you what to configure to add another address or hostname so that you can access it from other clients on the local network.


As I don't use Keycloak, I can't share my own experience. That's why after the service in the jail is up and running, I said this:
The rest is a matter of configuring Keycloak, which would be the same for a FreeBSD or Linux environment. (Make sure to bind it to an IP address available to other clients on the network. Otherwise, it will only listen to connections on 127.0.0.1)
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
This is an authentication server - formerly known as AAA, Authentication, Authorization and Accounting. One would assume anyone deploying such a thing would familiarize themselves with the basic concepts and the product's documentation.
 

matclou

Dabbler
Joined
Feb 15, 2020
Messages
33
Hi!

Thank you for your hint with the IP address - forgot that in my last reply.

I tried two things which both did not work:

First, according to https://www.keycloak.org/server/configuration there is a keycloak.conf file somewhere - the only file I found was in the java directory: "/usr/local/share/java/keycloak/conf/keycloak.conf". There I replaced the marked localhost namings with the local IP address of the jail:

Code:
# Basic settings for running in production. Change accordingly before deploying

# Database

# The database vendor.
db=postgres

# The username of the database user.
db-username=keycloak

# The password of the database user.
#db-password=password

# The full database JDBC URL. If not provided, a default URL is set based on the
db-url=jdbc:postgresql://localhost/keycloak

# Observability

# If the server should expose healthcheck endpoints.
health-enabled=true

# If the server should expose metrics endpoints.
metrics-enabled=true

# HTTP

# The file path to a server certificate or certificate chain in PEM format.
https-certificate-file=${kc.home.dir}conf/server.crt.pem


# The file path to a private key in PEM format.
https-certificate-key-file=${kc.home.dir}conf/server.key.pem

# The proxy address forwarding mode if the server is behind a reverse proxy.
proxy=reencrypt

# Do not attach route to cookies and rely on the session affinity capabilities from reverse proxy
spi-sticky-session-encoder-infinispan-should-attach-route=false

# Hostname for the Keycloak server.
hostname=localhost


... and then I also tried to add the line "hostname=[MY IP ADDRESS]" to the rc.conf file we talked about earlier - which also did not work.

I also found the following page on the binding of IP addresses in keycloak: https://wjw465150.gitbooks.io/keycl...installation/topics/network/bind-address.html However, I did not find script files called "standalone.sh" and I also did not find files like "standalone.xml" or "domain.xml".

I am sure I am lacking basic understanding, but where can I fix these issues?
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
OK, so I installed keycloak in a jail and was as unsuccessful as you were at starting the service the "naive" way.

But, here's the documentation:

That says to start keycloak in development mode (get it up and running as simply as possible) you need to invoke the kc.sh script with the start-dev parameter.

The FreeBSD rc script is /usr/local/etc/rc.d/keycloak. To perform that development mode thing you need to change line 52 of that script so instead of start you have start-dev in there.

At least in my environment keycloak now starts and listens on port 8080 and is reachable at the jail's IP address.

For a production installation you will need to generate SSL certificates and perform additional configuration according to the documentation I linked above. As I get from the configuration file (/usr/local/share/java/keycloak/conf/keycloak.conf) it is probably a good idea to have a database backend for that product, so you might want to familiarize yourself with running PostgreSQL.

All of this is in no way TrueNAS or jail related. Keycloak is a complex software product and you will have to learn how to configure and operate it. No way around that. And I have no experience with keycloak, I just spent 15 minutes to try and help you.

HTH,
Patrick

P.S. When you install the OpenJDK necessary to run keycloak, the package message tells you that you need /proc and /dev/fd mounted to use it. You can do that from your TrueNAS host: iocage set mount_fdescfs=1 <jailname>; iocage set mount_procfs=1 <jailname>; iocage restart <jailname>

P.P.S. If I am not mistaken one of my developer colleagues runs keycloak in our proServer product (a jail, essentially) in production. I asked him about details and expect an answer tomorrow.
 
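The two things Patrick's post tells you to verify after the rc script change, whether Keycloak's port 8080 is bound to an address other hosts can reach and whether the /proc and /dev/fd mounts OpenJDK asks for are present, can be checked from the output of FreeBSD's `sockstat -4l` and `mount`. The script below is an added example and not code from the thread or the keycloak port; the sockstat and mount outputs it runs against are constructed samples that mirror the situation described above (Keycloak listening only on 127.0.0.1, fdescfs not mounted).

```shell
#!/bin/sh
# Added example: post-start checks for Keycloak in a FreeBSD jail.
# Samples below are constructed; on a real jail, pipe the live output of
# `sockstat -4l` into bind_status and of `mount` into missing_mounts instead.

# Constructed sockstat -4l output: Keycloak bound only to loopback.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       912   4  tcp4   *:22                  *:*
keycloak java       1377  21 tcp4   127.0.0.1:8080        *:*'

# Constructed mount table of a jail where only procfs was added.
SAMPLE_MOUNT='tank/iocage/jails/kc/root on / (zfs, local, nfsv4acls)
procfs on /proc (procfs, local)'

# bind_status PORT  (reads sockstat -4l output on stdin)
# Prints "unbound", "loopback", "all" or the bound address; exit status 0
# only when clients outside the jail could reach the port.
bind_status() {
    port=$1
    # Column 5 is PROTO, column 6 is LOCAL ADDRESS ("addr:port");
    # strip the port suffix and keep the address of the first tcp4 match.
    addr=$(awk -v p="$port" '$5 == "tcp4" && sub(":" p "$", "", $6) { print $6; exit }')
    case $addr in
        "")     echo unbound;  return 1 ;;
        127.*)  echo loopback; return 1 ;;   # only reachable from inside the jail
        '*')    echo all;      return 0 ;;   # wildcard bind: every jail address
        *)      echo "$addr";  return 0 ;;
    esac
}

# missing_mounts  (reads mount output on stdin)
# Prints each mount point OpenJDK's package message asks for that is absent.
missing_mounts() {
    present=$(awk '{ print $3 }')          # third column of "fs on /path (opts)"
    for mp in /proc /dev/fd; do
        printf '%s\n' "$present" | grep -Fqx -- "$mp" || echo "$mp"
    done
}

# Demo against the constructed samples.
status=$(printf '%s\n' "$SAMPLE_SOCKSTAT" | bind_status 8080) \
    && reach="reachable from other hosts" || reach="NOT reachable from other hosts"
echo "Keycloak port 8080 bound to: $status ($reach)"
printf '%s\n' "$SAMPLE_MOUNT" | missing_mounts | sed 's/^/missing mount: /'
```

If a mount is reported missing, the `iocage set mount_procfs=1` / `mount_fdescfs=1` commands from the post above are the fix; a "loopback" result means the hostname/bind configuration, not the jail, is what still needs attention.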

matclou

Dabbler
Joined
Feb 15, 2020
Messages
33
Hi Patrick,

very helpful, thank you :smile: It now also runs on my system and I can proceed to understand it better ;-)

All of this is in no way TrueNAS or jail related. Keycloak is a complex software product and you will have to learn how to configure and operate it. No way around that. And I have no experience with keycloak, I just spent 15 minutes to try and help you.
You are absolutely right! At the moment I am just figuring out a way to get used to it - and sometimes, if you do not have any idea and experience, it is really hard to find the "right" solution alone. The goal is however still to figure out as much as possible on my own ;-)

PS: The problem is still that to create the initial admin user, access to http://localhost:8080/ is needed and it is required to "set the environment variables KEYCLOAK_ADMIN and KEYCLOAK_ADMIN_PASSWORD before starting the server" - I am currently trying to figure out how to do this ;-)
 