[ClusterLabs] Pacemaker managing Keycloak

Ken Gaillot kgaillot at redhat.com
Fri Jan 28 14:25:25 EST 2022

On Fri, 2022-01-28 at 12:15 -0500, Philip Alesio wrote:
> Hi Everyone,
> I'm attempting to create a failover cluster that uses Postgresql and
> Keycloak and am having difficulty getting Keycloak running.  Keycloak
> is using a Postgresql database.  In one case I'm using DRBD to
> replicate the data and in another case I'm using Postgresql.  The
> failure, in both cases, is that Keycloak fails to connect to the
> database.  In both cases Pacemaker is running with the Postgresql
> resource when I add the Keycloak resource. If I "docker run"
> Keyclock, not adding it as a Pacemaker resource, Keycloak starts and
> connects to the database. 
> Below adds Keycloak as a Pacemaker resource:
>                 pcs cluster cib  cluster1.xml
>                 pcs -
> f cluster1.xml resource create p_keycloak ocf:heartbeat:docker image=
> jboss/keycloak name=keycloak run_opts="-d -e KEYCLOAK_USER=admin -
> e KEYCLOAK_PASSWORD=admin -e DB_ADDR=postgres -e DB_VENDOR=postgres -
> e DB_USER=postgres -e DB_PASSWORD=postgres -
> e DB_DATABASE=keycloak_db -e JDBC_PARAMS=useSSL=false -p 8080:8080 -
> e DB_ADDR=postgres -
> e DB_PORT='5432' –network=cluster1dkrnet" op monitor interval=60s
>                 pcs -f
> cluster1.xml resource group add g_receiver p_keycloak
>                 pcs cluster cib-push  cluster1.xml --config
> Below creates a Keycloak container that is not managed by Pacemaker: 
> > docker run --name keycloak -e KEYCLOAK_USER=admin -
> > e KEYCLOAK_PASSWORD=admin -e DB_ADDR=postgres -
> > e DB_VENDOR=postgres -e DB_USER=postgres -e DB_PASSWORD=postgres -
> > e DB_DATABASE=keycloak_db -e JDBC_PARAMS=useSSL=false -
> > p 8080:8080 -e DB_ADDR=postgres -e DB_PORT='5432' 
> > --network=cluster1dkrnet jboss/keycloak
>  Does anyone have experience with Pacemaker with Keyclock and/or if
> there are any thoughts about why Keycloak is not connecting to the
> Postgresql database?
> Thanks in advance.

I'd check for SELinux denials first. A command executed from the
command line is unconstrained, while being executed by a daemon is
subject to SELinux policies.

Other than that, maybe turn on any debugging options and check the
keycloak logs from the container (e.g. using network logging or an
exported host disk).
Ken Gaillot <kgaillot at redhat.com>

More information about the Users mailing list