keycloak/keycloak-containers

Permissions Error on exporting realm from docker container instance via standalone.sh

creisle opened this issue · 1 comment

Describe the bug

I am trying to export a realm to a JSON file from the latest jboss/keycloak Docker container, but I am running into permissions errors. I suspect I am doing something wrong, but I haven't been able to figure it out, and I was hoping you might know or be able to redirect me.

Version

jboss/keycloak:16.1.1

Expected behavior

I expected the export command to produce the JSON file in the bound directory with either an empty array of users or just the admin user.

Actual behavior

I ran into a permissions error (see below):

 INFO  [org.keycloak.services] (ServerService Thread Pool -- 52) KC-SERVICES0034: Export of realm 'PORI' requested.
 INFO  [org.keycloak.exportimport.singlefile.SingleFileExportProvider] (ServerService Thread Pool -- 52) Exporting realm 'PORI' into file /tmp/realm_export_PORI.json
21:37:42,598 FATAL [org.keycloak.services] (ServerService Thread Pool -- 52) Error during startup: java.lang.RuntimeException: Error during export/import: /tmp/realm_export_PORI.json (Permission denied)
	at org.keycloak.keycloak-services@16.1.1//org.keycloak.exportimport.util.ExportImportSessionTask.run(ExportImportSessionTask.java:37)
	at org.keycloak.keycloak-server-spi-private@16.1.1//org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:239)
	at org.keycloak.keycloak-services@16.1.1//org.keycloak.exportimport.singlefile.SingleFileExportProvider.exportRealm(SingleFileExportProvider.java:74)
	at org.keycloak.keycloak-services@16.1.1//org.keycloak.exportimport.ExportImportManager.runExport(ExportImportManager.java:105)
	at org.keycloak.keycloak-services@16.1.1//org.keycloak.services.resources.KeycloakApplication.startup(KeycloakApplication.java:144)
	at org.keycloak.keycloak-wildfly-extensions@16.1.1//org.keycloak.provider.wildfly.WildflyPlatform.onStartup(WildflyPlatform.java:36)
	at org.keycloak.keycloak-services@16.1.1//org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:114)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
	at org.jboss.resteasy.resteasy-core@4.7.4.Final//org.jboss.resteasy.core.ConstructorInjectorImpl.constructOutsideRequest(ConstructorInjectorImpl.java:225)
	at org.jboss.resteasy.resteasy-core@4.7.4.Final//org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:209)
	at org.jboss.resteasy.resteasy-core@4.7.4.Final//org.jboss.resteasy.core.providerfactory.Utils.createProviderInstance(Utils.java:102)
	at org.jboss.resteasy.resteasy-core@4.7.4.Final//org.jboss.resteasy.core.providerfactory.ResteasyProviderFactoryImpl.createProviderInstance(ResteasyProviderFactoryImpl.java:1385)
	at org.jboss.resteasy.resteasy-core@4.7.4.Final//org.jboss.resteasy.core.ResteasyDeploymentImpl.createApplication(ResteasyDeploymentImpl.java:418)
	at org.jboss.resteasy.resteasy-core@4.7.4.Final//org.jboss.resteasy.core.ResteasyDeploymentImpl.initializeObjects(ResteasyDeploymentImpl.java:265)
	at org.jboss.resteasy.resteasy-core@4.7.4.Final//org.jboss.resteasy.core.ResteasyDeploymentImpl.startInternal(ResteasyDeploymentImpl.java:137)
	at org.jboss.resteasy.resteasy-core@4.7.4.Final//org.jboss.resteasy.core.ResteasyDeploymentImpl.start(ResteasyDeploymentImpl.java:121)
	at org.jboss.resteasy.resteasy-core@4.7.4.Final//org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:144)
	at org.jboss.resteasy.resteasy-core@4.7.4.Final//org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:42)
	at io.undertow.servlet@2.2.14.Final//io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
	at org.wildfly.security.elytron-web.undertow-server-servlet@1.10.1.Final//org.wildfly.elytron.web.undertow.server.servlet.RunAsLifecycleInterceptor.doIt(RunAsLifecycleInterceptor.java:70)
	at org.wildfly.security.elytron-web.undertow-server-servlet@1.10.1.Final//org.wildfly.elytron.web.undertow.server.servlet.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:76)
	at io.undertow.servlet@2.2.14.Final//io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
	at io.undertow.servlet@2.2.14.Final//io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:309)
	at io.undertow.servlet@2.2.14.Final//io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:145)
	at io.undertow.servlet@2.2.14.Final//io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:588)
	at io.undertow.servlet@2.2.14.Final//io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:559)
	at io.undertow.servlet@2.2.14.Final//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
	at io.undertow.servlet@2.2.14.Final//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
	at org.wildfly.extension.undertow@26.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)
	at org.wildfly.extension.undertow@26.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)
	at org.wildfly.extension.undertow@26.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)
	at org.wildfly.extension.undertow@26.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)
	at io.undertow.servlet@2.2.14.Final//io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:601)
	at org.wildfly.extension.undertow@26.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:106)
	at org.wildfly.extension.undertow@26.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:87)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at org.jboss.threads@2.4.0.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
	at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
	at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
	at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
	at java.base/java.lang.Thread.run(Thread.java:829)
	at org.jboss.threads@2.4.0.Final//org.jboss.threads.JBossThread.run(JBossThread.java:513)
Caused by: java.io.FileNotFoundException: /tmp/realm_export_PORI.json (Permission denied)
	at java.base/java.io.FileOutputStream.open0(Native Method)
	at java.base/java.io.FileOutputStream.open(FileOutputStream.java:298)
	at java.base/java.io.FileOutputStream.<init>(FileOutputStream.java:237)
	at java.base/java.io.FileOutputStream.<init>(FileOutputStream.java:187)
	at org.keycloak.keycloak-services@16.1.1//org.keycloak.exportimport.singlefile.SingleFileExportProvider.writeToFile(SingleFileExportProvider.java:98)
	at org.keycloak.keycloak-services@16.1.1//org.keycloak.exportimport.singlefile.SingleFileExportProvider.access$000(SingleFileExportProvider.java:41)
	at org.keycloak.keycloak-services@16.1.1//org.keycloak.exportimport.singlefile.SingleFileExportProvider$2.runExportImportTask(SingleFileExportProvider.java:80)
	at org.keycloak.keycloak-services@16.1.1//org.keycloak.exportimport.util.ExportImportSessionTask.run(ExportImportSessionTask.java:35)
	... 45 more

 INFO  [org.jboss.as.server] (Thread-1) WFLYSRV0220: Server shutdown has been requested via an OS signal

How to Reproduce?

I started the container with the following command, importing a previous realm export (does not contain any users). That export file is here: https://github.com/bcgsc/pori/blob/master/demo/kc_realm_export.json

export KEYCLOAK_USER=admin
export KEYCLOAK_PASSWORD=admin
export KEYCLOAK_IMPORT=/realm_data/demo_export.json
CWD=$(pwd)

docker run \
    -e KEYCLOAK_USER=$KEYCLOAK_USER \
    -e KEYCLOAK_PASSWORD=$KEYCLOAK_PASSWORD \
    -e KEYCLOAK_IMPORT=$KEYCLOAK_IMPORT \
    --mount "type=bind,src=$CWD/tmp/container_output,dst=/tmp" \
    -p 8443:8334 \
    -p 8888:8080 \
    --mount "type=bind,src=/path/to/demo/kc_realm_export.json,dst=${KEYCLOAK_IMPORT},readonly" \
    -d \
    jboss/keycloak:16.1.1

Then I ran the export command like so (using the CONTAINER_ID from the newly spun-up jboss/keycloak image in the previous command):

REALM_NAME=PORI
REALM_FILE=/tmp/realm_export_${REALM_NAME}.json

docker exec -it CONTAINER_ID /opt/jboss/keycloak/bin/standalone.sh \
    -Djboss.socket.binding.port-offset=100 \
    -Dkeycloak.migration.action=export \
    -Dkeycloak.migration.provider=singleFile \
    -Dkeycloak.migration.realmName=$REALM_NAME \
    -Dkeycloak.migration.usersExportStrategy=REALM_FILE \
    -Dkeycloak.migration.file=$REALM_FILE

Anything else?

The reason I am trying to do this is so that I can have a realm import that includes some default users. This will be helpful when setting up Keycloak as part of docker-compose on a development stack where you just need some users for testing.

Docker version 18.09.6, build 481bc77156

With Keycloak 20 the WildFly based distribution is no longer supported. For the newer Quarkus distribution of Keycloak, check out the new documentation, or the updated container sources.