From 07b1c514bb4432e8dd0ba607c0c1f86f5634df90 Mon Sep 17 00:00:00 2001 From: Massimo Schiavon Date: Tue, 8 Aug 2023 16:52:23 +0200 Subject: [PATCH 1/7] Add User and Group directives in systemd unit file --- roles/keycloak/templates/keycloak.service.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/keycloak/templates/keycloak.service.j2 b/roles/keycloak/templates/keycloak.service.j2 index 5de014b7..8a94c622 100644 --- a/roles/keycloak/templates/keycloak.service.j2 +++ b/roles/keycloak/templates/keycloak.service.j2 @@ -8,6 +8,8 @@ StartLimitBurst={{ keycloak_service_startlimitburst }} [Service] Type=forking +User={{ keycloak_service_user }} +Group={{ keycloak_service_group }} EnvironmentFile=-/etc/sysconfig/keycloak PIDFile={{ keycloak_service_pidfile }} ExecStart={{ keycloak_dest }}/keycloak-service.sh start From 91ec4116993fc6042d8756970184df7c17e20ccd Mon Sep 17 00:00:00 2001 From: Massimo Schiavon Date: Tue, 8 Aug 2023 17:49:43 +0200 Subject: [PATCH 2/7] create pidfile folder if needed --- roles/keycloak/tasks/install.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/roles/keycloak/tasks/install.yml b/roles/keycloak/tasks/install.yml index 581db9f7..13f4ef35 100644 --- a/roles/keycloak/tasks/install.yml +++ b/roles/keycloak/tasks/install.yml @@ -53,6 +53,21 @@ group: "{{ keycloak_service_group }}" mode: 0750 +- name: Check pidfile folder + ansible.builtin.stat: + path: "{{ keycloak_service_pidfile | dirname }}" + register: keycloak_service_pidfile_stat +- name: Create pidfile folder + become: yes + become_user: root + ansible.builtin.file: + dest: "{{ keycloak_service_pidfile | dirname }}" + state: directory + owner: "{{ keycloak_service_user }}" + group: "{{ keycloak_service_group }}" + mode: "0750" + when: not keycloak_service_pidfile_stat.stat.exists + ## check remote archive - name: Set download archive path ansible.builtin.set_fact: From c8ebbe72d2c07dede02c981d3d4497834ce9a95d Mon Sep 17 00:00:00 2001 
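Review bot: Setting `User=`/`Group=` here drops privileges before the pid file can be written, because `PIDFile=` still points at the role default `/run/keycloak.pid` and `/run` itself is root-owned, so `keycloak-service.sh start` running as the service user cannot create it. Rather than pre-creating a directory from Ansible, let systemd own it with `RuntimeDirectory=keycloak` and `RuntimeDirectoryMode=0750`, which also survives reboots since `/run` is tmpfs. Now that the JVM no longer runs as root, the usual hardening directives can go in alongside: `NoNewPrivileges=true`, `PrivateTmp=true`, `ProtectSystem=full`. The [Service] section continues past the hunk, so check those are not already present further down.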
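Review bot: The `stat` guard on `Create pidfile folder` means an existing pid directory with the wrong owner or mode is never corrected, which is exactly the state a host converged before this change can be in; `ansible.builtin.file` with `state: directory` is already idempotent, so drop the `Check pidfile folder` task and the `when:` and let the module enforce owner/group/mode on every run. `become_user: root` is the default for `become` and can be removed as well. Separately, `/run` is normally tmpfs, so a directory created by Ansible vanishes at reboot and the service will fail to write its pid file until the playbook is re-run; a `RuntimeDirectory=keycloak` directive in the unit (or a tmpfiles.d entry) is the durable fix.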
From: Massimo Schiavon Date: Tue, 8 Aug 2023 18:30:46 +0200 Subject: [PATCH 3/7] change default pidfile location Signed-off-by: Massimo Schiavon --- roles/keycloak/README.md | 2 +- roles/keycloak/defaults/main.yml | 2 +- roles/keycloak/meta/argument_specs.yml | 2 +- roles/keycloak_quarkus/defaults/main.yml | 2 +- roles/keycloak_quarkus/meta/argument_specs.yml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/keycloak/README.md b/roles/keycloak/README.md index f25420f6..aae309b9 100644 --- a/roles/keycloak/README.md +++ b/roles/keycloak/README.md @@ -77,7 +77,7 @@ Role Defaults |`keycloak_service_startlimitintervalsec`| systemd StartLimitIntervalSec | `300` | |`keycloak_service_startlimitburst`| systemd StartLimitBurst | `5` | |`keycloak_service_restartsec`| systemd RestartSec | `10s` | -|`keycloak_service_pidfile`| pid file path for service | `/run/keycloak.pid` | +|`keycloak_service_pidfile`| pid file path for service | `/run/keycloak/keycloak.pid` | |`keycloak_features` | List of `name`/`status` pairs of features (also known as profiles on RH-SSO) to `enable` or `disable`, example: `[ { name: 'docker', status: 'enabled' } ]` | `[]` |`keycloak_jvm_package`| RHEL java package runtime | `java-1.8.0-openjdk-headless` | |`keycloak_java_home`| JAVA_HOME of installed JRE, leave empty for using specified keycloak_jvm_package RPM path | `None` | diff --git a/roles/keycloak/defaults/main.yml b/roles/keycloak/defaults/main.yml index a139d923..156af468 100644 --- a/roles/keycloak/defaults/main.yml +++ b/roles/keycloak/defaults/main.yml 
@@ -19,7 +19,7 @@ keycloak_config_override_template: '' keycloak_config_path_to_properties: "{{ keycloak_jboss_home }}/standalone/configuration/profile.properties" keycloak_service_user: keycloak keycloak_service_group: keycloak -keycloak_service_pidfile: "/run/keycloak.pid" +keycloak_service_pidfile: "/run/keycloak/keycloak.pid" keycloak_service_name: keycloak keycloak_service_desc: Keycloak keycloak_service_start_delay: 10 diff --git a/roles/keycloak/meta/argument_specs.yml b/roles/keycloak/meta/argument_specs.yml index 5392cfc9..daba3ba5 100644 --- a/roles/keycloak/meta/argument_specs.yml +++ b/roles/keycloak/meta/argument_specs.yml @@ -86,7 +86,7 @@ argument_specs: type: "str" keycloak_service_pidfile: # line 31 of keycloak/defaults/main.yml - default: "/run/keycloak.pid" + default: "/run/keycloak/keycloak.pid" description: "PID file path for service" type: "str" keycloak_features: diff --git a/roles/keycloak_quarkus/defaults/main.yml b/roles/keycloak_quarkus/defaults/main.yml index 53a9c762..0989868c 100644 --- a/roles/keycloak_quarkus/defaults/main.yml +++ b/roles/keycloak_quarkus/defaults/main.yml @@ -17,7 +17,7 @@ keycloak_quarkus_config_dir: "{{ keycloak_quarkus_home }}/conf" keycloak_quarkus_start_dev: False keycloak_quarkus_service_user: keycloak keycloak_quarkus_service_group: keycloak -keycloak_quarkus_service_pidfile: "/run/keycloak.pid" +keycloak_quarkus_service_pidfile: "/run/keycloak/keycloak.pid" keycloak_quarkus_configure_firewalld: False ### administrator console password diff --git a/roles/keycloak_quarkus/meta/argument_specs.yml b/roles/keycloak_quarkus/meta/argument_specs.yml index 66e8adfe..2986c0ca 100644 --- a/roles/keycloak_quarkus/meta/argument_specs.yml +++ b/roles/keycloak_quarkus/meta/argument_specs.yml 
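Review bot: `keycloak_quarkus_service_pidfile` now defaults to a path under `/run/keycloak/`, but the only directory-creation task added in this series lives in `roles/keycloak/tasks/install.yml`; unless the quarkus role creates that directory elsewhere (not visible here), its service will fail to write the pid file on a fresh host. Either add the equivalent directory task to the quarkus role (or a `RuntimeDirectory=keycloak` directive in its unit), or keep the quarkus default unchanged until it does.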
@@ -61,7 +61,7 @@ argument_specs: type: "str" keycloak_quarkus_service_pidfile: # line 18 of defaults/main.yml - default: "/run/keycloak.pid" + default: "/run/keycloak/keycloak.pid" description: "Pid file path for service" type: "str" keycloak_quarkus_configure_firewalld: From 40c015d3e170fc06f3ec6da1a8cca3f70609a86a Mon Sep 17 00:00:00 2001 From: Massimo Schiavon Date: Tue, 29 Aug 2023 21:41:38 +0200 Subject: [PATCH 4/7] always create pidfile folder add keycloak_service_runas feature flag fix previous installs permissions --- roles/keycloak/meta/argument_specs.yml | 5 +++++ roles/keycloak/tasks/install.yml | 18 +++++++++--------- roles/keycloak/templates/keycloak.service.j2 | 2 ++ 3 files changed, 16 insertions(+), 9 deletions(-) diff --git a/roles/keycloak/meta/argument_specs.yml b/roles/keycloak/meta/argument_specs.yml index daba3ba5..db73f3fa 100644 --- a/roles/keycloak/meta/argument_specs.yml +++ b/roles/keycloak/meta/argument_specs.yml @@ -74,6 +74,11 @@ argument_specs: default: "" description: "Path to custom template for standalone.xml configuration" type: "str" + keycloak_service_runas: + # line 20 of keycloak/defaults/main.yml + default: false + description: "Enable execution of service as `keycloak_service_user`" + type: "bool" keycloak_service_user: # line 29 of keycloak/defaults/main.yml default: "keycloak" diff --git a/roles/keycloak/tasks/install.yml b/roles/keycloak/tasks/install.yml index 13f4ef35..a2467d3f 100644 --- a/roles/keycloak/tasks/install.yml +++ b/roles/keycloak/tasks/install.yml 
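Review bot: The description for `keycloak_service_runas` should state what the flag changes and what it costs, not only that it enables something: with the default `false` the Keycloak JVM keeps running as root, and enabling it on an existing install re-owns the whole `keycloak.home` tree to the service user via the chown task in the same commit. Suggest `description: "Run the systemd service as keycloak_service_user instead of root; when enabled, ownership of keycloak.home is changed to that user on the next run"`.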
@@ -53,20 +53,14 @@ group: "{{ keycloak_service_group }}" mode: 0750 -- name: Check pidfile folder - ansible.builtin.stat: - path: "{{ keycloak_service_pidfile | dirname }}" - register: keycloak_service_pidfile_stat - name: Create pidfile folder become: yes - become_user: root ansible.builtin.file: dest: "{{ keycloak_service_pidfile | dirname }}" state: directory - owner: "{{ keycloak_service_user }}" - group: "{{ keycloak_service_group }}" - mode: "0750" - when: not keycloak_service_pidfile_stat.stat.exists + owner: "{{ keycloak_service_user if keycloak_service_runas else omit }}" + group: "{{ keycloak_service_group if keycloak_service_runas else omit }}" + mode: 0750 ## check remote archive - name: Set download archive path @@ -209,6 +203,12 @@ become: yes changed_when: false +- name: Ensure permissions are correct on existing deploy + ansible.builtin.command: chown -R "{{ keycloak_service_user }}:{{ keycloak_service_group }}" "{{ keycloak.home }}" + when: keycloak_service_runas + become: yes + changed_when: false + # driver and configuration - name: "Install {{ keycloak_jdbc_engine }} driver" ansible.builtin.include_tasks: jdbc_driver.yml diff --git a/roles/keycloak/templates/keycloak.service.j2 b/roles/keycloak/templates/keycloak.service.j2 index 8a94c622..cc4f3240 100644 --- a/roles/keycloak/templates/keycloak.service.j2 +++ b/roles/keycloak/templates/keycloak.service.j2 @@ -8,8 +8,10 @@ StartLimitBurst={{ keycloak_service_startlimitburst }} [Service] Type=forking +{% if keycloak_service_runas %} User={{ keycloak_service_user }} Group={{ keycloak_service_group }} +{% endif -%} EnvironmentFile=-/etc/sysconfig/keycloak PIDFile={{ keycloak_service_pidfile }} ExecStart={{ keycloak_dest }}/keycloak-service.sh start From 276444ce0ecb721250235881cdf20bba823e761d Mon Sep 17 00:00:00 2001 
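Review bot: `chown -R` over the whole `{{ keycloak.home }}` tree gives the runtime account write access to its own jars, modules and launch scripts, so a compromised Keycloak process could persist by editing its installation; a least-privilege layout keeps the install root-owned and hands the service user only the directories WildFly writes to (standalone/data, log, tmp and configuration, plus deployments if the scanner is used — confirm against this role's layout). Running it through `ansible.builtin.command` with `changed_when: false` also hides every ownership change from the play summary and repeats the recursive chown on every converge. A task along the lines below, using `ansible.builtin.file`, is idempotent and reports what it changed:

```yaml
- name: Ensure service user owns WildFly writable directories
  ansible.builtin.file:
    path: "{{ keycloak.home }}/standalone/{{ item }}"
    state: directory
    owner: "{{ keycloak_service_user }}"
    group: "{{ keycloak_service_group }}"
    recurse: true
  loop:
    - configuration
    - data
    - deployments
    - log
    - tmp
  when: keycloak_service_runas
  become: true
```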
From: Massimo Schiavon Date: Tue, 29 Aug 2023 22:02:18 +0200 Subject: [PATCH 5/7] Add default for keycloak_service_runas --- roles/keycloak/defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/keycloak/defaults/main.yml b/roles/keycloak/defaults/main.yml index 156af468..9e098045 100644 --- a/roles/keycloak/defaults/main.yml +++ b/roles/keycloak/defaults/main.yml @@ -17,6 +17,7 @@ keycloak_config_standalone_xml: "keycloak.xml" keycloak_config_path_to_standalone_xml: "{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}" keycloak_config_override_template: '' keycloak_config_path_to_properties: "{{ keycloak_jboss_home }}/standalone/configuration/profile.properties" +keycloak_service_runas: false keycloak_service_user: keycloak keycloak_service_group: keycloak keycloak_service_pidfile: "/run/keycloak/keycloak.pid" From 0199e554b53ba811ac1e91def7f1afe300f982c7 Mon Sep 17 00:00:00 2001 From: Guido Grazioli Date: Wed, 30 Aug 2023 10:16:41 +0200 Subject: [PATCH 6/7] overridexml test uses runas feature --- molecule/overridexml/converge.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/molecule/overridexml/converge.yml b/molecule/overridexml/converge.yml index 3c451da5..e0bed70e 100644 --- a/molecule/overridexml/converge.yml +++ b/molecule/overridexml/converge.yml @@ -6,6 +6,7 @@ keycloak_config_override_template: custom.xml.j2 keycloak_http_port: 8081 keycloak_management_http_port: 19990 + keycloak_service_runas: True roles: - role: keycloak tasks: @@ -51,4 +52,4 @@ sso_offline_install: True when: - assets_server is defined - - assets_server | length > 0 \ No newline at end of file + - assets_server | length > 0 From 7bb9647d0d1602dece70d9386cb9a5a6348f9993 Mon Sep 17 00:00:00 2001 
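Review bot: The new `keycloak_service_runas: false` default keeps the service running as root on every new and existing deployment, and the series never documents it where users look: patch 4 adds the variable to argument_specs.yml but the Role Defaults table in roles/keycloak/README.md is untouched. Add a README row such as ``|`keycloak_service_runas`| Run the service as `keycloak_service_user` instead of root; enabling it re-owns `keycloak.home` to that user | `false` |``. If the root default is deliberate for backward compatibility, a one-line comment above this key saying so would stop the next reader from flipping it without reading the install tasks.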
From: Guido Grazioli Date: Wed, 30 Aug 2023 10:58:37 +0200 Subject: [PATCH 7/7] update systemd unit to use standalone.sh directly --- roles/keycloak/templates/keycloak-sysconfig.j2 | 10 +++++++++- roles/keycloak/templates/keycloak.service.j2 | 5 ++--- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/roles/keycloak/templates/keycloak-sysconfig.j2 b/roles/keycloak/templates/keycloak-sysconfig.j2 index 68474c36..86a96d67 100644 --- a/roles/keycloak/templates/keycloak-sysconfig.j2 +++ b/roles/keycloak/templates/keycloak-sysconfig.j2 @@ -8,4 +8,12 @@ KEYCLOAK_HTTPS_PORT={{ keycloak_https_port }} KEYCLOAK_MANAGEMENT_HTTP_PORT={{ keycloak_management_http_port }} KEYCLOAK_MANAGEMENT_HTTPS_PORT={{ keycloak_management_https_port }} JBOSS_PIDFILE='{{ keycloak_service_pidfile }}' -LAUNCH_JBOSS_IN_BACKGROUND=1 \ No newline at end of file + +WILDFLY_OPTS=-Djboss.bind.address=${KEYCLOAK_BIND_ADDRESS} \ + -Djboss.http.port=${KEYCLOAK_HTTP_PORT} \ + -Djboss.https.port=${KEYCLOAK_HTTPS_PORT} \ + -Djboss.management.http.port=${KEYCLOAK_MANAGEMENT_HTTP_PORT} \ + -Djboss.management.https.port=${KEYCLOAK_MANAGEMENT_HTTPS_PORT} \ + -Djboss.node.name={{ inventory_hostname }} \ + {% if keycloak_prefer_ipv4 %}-Djava.net.preferIPv4Stack=true -Djava.net.preferIPv4Addresses=true {% endif %}\ + {% if keycloak_config_standalone_xml is defined %}--server-config={{ keycloak_config_standalone_xml }}{% endif %} diff --git a/roles/keycloak/templates/keycloak.service.j2 b/roles/keycloak/templates/keycloak.service.j2 index cc4f3240..15a6ddfb 100644 --- a/roles/keycloak/templates/keycloak.service.j2 +++ b/roles/keycloak/templates/keycloak.service.j2 
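Review bot: systemd's `EnvironmentFile=` performs no variable expansion, so `WILDFLY_OPTS` reaches `ExecStart` with the literal text `${KEYCLOAK_BIND_ADDRESS}`, `${KEYCLOAK_HTTP_PORT}` and so on inside each `-D` option; this only works if standalone.sh happens to re-evaluate its arguments through the shell (it appears to, via eval), which is fragile and would silently misconfigure the bind address and ports if that ever changes. Render the values with Jinja at template time instead, e.g. `-Djboss.http.port={{ keycloak_http_port }} -Djboss.https.port={{ keycloak_https_port }}` for each option, which also removes the coupling to the KEYCLOAK_* lines above. `JBOSS_PIDFILE` is kept while `LAUNCH_JBOSS_IN_BACKGROUND` is dropped; with the server now started in the foreground, as far as I can tell standalone.sh no longer writes that pid file, so the variable is dead configuration.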
@@ -7,15 +7,14 @@ StartLimitBurst={{ keycloak_service_startlimitburst }} [Service] -Type=forking {% if keycloak_service_runas %} User={{ keycloak_service_user }} Group={{ keycloak_service_group }} {% endif -%} EnvironmentFile=-/etc/sysconfig/keycloak PIDFile={{ keycloak_service_pidfile }} -ExecStart={{ keycloak_dest }}/keycloak-service.sh start -ExecStop={{ keycloak_dest }}/keycloak-service.sh stop +ExecStart={{ keycloak.home }}/bin/standalone.sh $WILDFLY_OPTS +WorkingDirectory={{ keycloak.home }} TimeoutStartSec=30 TimeoutStopSec=30 LimitNOFILE=102642
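Review bot: With `Type=forking` removed the unit falls back to the default `Type=simple`, so `PIDFile=` no longer determines the main PID and, since standalone.sh now runs in the foreground, nothing appears to write that file anyway; drop `PIDFile=` (and the matching `JBOSS_PIDFILE` in the sysconfig) or, if an early failure signal is wanted, use `Type=exec`. Removing `ExecStop=` is fine for a foreground JVM (systemd SIGTERMs the cgroup), but `TimeoutStopSec=30` may be short for a WildFly shutdown under load — confirm. Because this unit can now run unprivileged, this is the place for `NoNewPrivileges=true`, `PrivateTmp=true`, `ProtectSystem=full` and `RuntimeDirectory=keycloak`, the last of which would replace the Ansible-created pid directory and survive reboots. The [Service] section continues beyond the hunk.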