Run service as keycloak_service_user #106

Merged
merged 7 commits into from
Aug 30, 2023
Merged
3 changes: 2 additions & 1 deletion molecule/overridexml/converge.yml
@@ -6,6 +6,7 @@
keycloak_config_override_template: custom.xml.j2
keycloak_http_port: 8081
keycloak_management_http_port: 19990
keycloak_service_runas: True
roles:
- role: keycloak
tasks:
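Review bot: `keycloak_service_runas: True` uses a capitalised boolean while the role default in roles/keycloak/defaults/main.yml is written `keycloak_service_runas: false`; YAML 1.1 accepts both, but lowercase keeps the scenarios grep-consistent with the defaults. It is good that one molecule scenario exercises the non-root path; if verify.yml does not yet assert the effective user of the running process, that is the assertion worth adding so a regression to running as root is caught.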
@@ -51,4 +52,4 @@
sso_offline_install: True
when:
- assets_server is defined
- assets_server | length > 0
- assets_server | length > 0
2 changes: 1 addition & 1 deletion roles/keycloak/README.md
@@ -77,7 +77,7 @@ Role Defaults
|`keycloak_service_startlimitintervalsec`| systemd StartLimitIntervalSec | `300` |
|`keycloak_service_startlimitburst`| systemd StartLimitBurst | `5` |
|`keycloak_service_restartsec`| systemd RestartSec | `10s` |
|`keycloak_service_pidfile`| pid file path for service | `/run/keycloak.pid` |
|`keycloak_service_pidfile`| pid file path for service | `/run/keycloak/keycloak.pid` |
|`keycloak_features` | List of `name`/`status` pairs of features (also known as profiles on RH-SSO) to `enable` or `disable`, example: `[ { name: 'docker', status: 'enabled' } ]` | `[]`
|`keycloak_jvm_package`| RHEL java package runtime | `java-1.8.0-openjdk-headless` |
|`keycloak_java_home`| JAVA_HOME of installed JRE, leave empty for using specified keycloak_jvm_package RPM path | `None` |
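Review bot: the Role Defaults table updates the pidfile path but does not document the new `keycloak_service_runas` variable, even though its default is added in defaults/main.yml and argument_specs.yml in this same PR. Add a row alongside `keycloak_service_user`, for example |`keycloak_service_runas`| Run the systemd service as `keycloak_service_user`/`keycloak_service_group` instead of root | `False` |, so operators can discover the opt-in without reading the task files.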
@@ -17,9 +17,10 @@ keycloak_config_standalone_xml: "keycloak.xml"
keycloak_config_path_to_standalone_xml: "{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}"
keycloak_config_override_template: ''
keycloak_config_path_to_properties: "{{ keycloak_jboss_home }}/standalone/configuration/profile.properties"
keycloak_service_runas: false
keycloak_service_user: keycloak
keycloak_service_group: keycloak
keycloak_service_pidfile: "/run/keycloak.pid"
keycloak_service_pidfile: "/run/keycloak/keycloak.pid"
keycloak_service_name: keycloak
keycloak_service_desc: Keycloak
keycloak_service_start_delay: 10
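Review bot: defaulting `keycloak_service_runas` to `false` keeps existing installs unchanged, which is the right call for a minor release, but it also means a fresh deployment still runs the Keycloak JVM as root unless the operator knows to flip the flag. Call that out in the changelog and consider making `true` the default in the next major, since the rest of this PR (pidfile directory ownership, chown of the home directory) already assumes the unprivileged user is the intended configuration.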
@@ -74,6 +74,11 @@ argument_specs:
default: ""
description: "Path to custom template for standalone.xml configuration"
type: "str"
keycloak_service_runas:
# line 20 of keycloak/defaults/main.yml
default: false
description: "Enable execution of service as `keycloak_service_user`"
type: "bool"
keycloak_service_user:
# line 29 of keycloak/defaults/main.yml
default: "keycloak"
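Review bot: the `# line N of keycloak/defaults/main.yml` comments are already out of step with this change: `keycloak_service_runas` is annotated as line 20 and `keycloak_service_user` as line 29, yet in the defaults hunk the two keys are adjacent. Either drop these line references (they go stale on every insertion) or renumber them in the same commit that shifts the defaults file.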
Expand All @@ -86,7 +91,7 @@ argument_specs:
type: "str"
keycloak_service_pidfile:
# line 31 of keycloak/defaults/main.yml
default: "/run/keycloak.pid"
default: "/run/keycloak/keycloak.pid"
description: "PID file path for service"
type: "str"
keycloak_features:
@@ -19,7 +19,7 @@
- name: Stop and restart if existing deployment exists and install forced
when: existing_deploy.stat.exists and keycloak_force_install | bool
block:
- name: "Stop the old {{ keycloak.service_name }} service"
[CI annotation, GitHub Actions / ci / linter (3.11, 2.15), on line 22 of roles/keycloak/tasks/install.yml: ignore-errors: Use failed_when and specify error conditions instead of using ignore_errors.]
become: yes
ignore_errors: yes
ansible.builtin.systemd:
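Review bot: the linter annotation on this hunk is worth acting on now rather than later: `ignore_errors: yes` on the stop task swallows every failure, and once the unit can run as `keycloak_service_user` a permission or ownership problem during stop would be hidden until the later start fails with a less obvious error. Register the result and use `failed_when` with a condition that only tolerates the "unit not found / not active" case, so genuine failures still stop the play.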
@@ -53,6 +53,15 @@
group: "{{ keycloak_service_group }}"
mode: 0750

- name: Create pidfile folder
become: yes
ansible.builtin.file:
dest: "{{ keycloak_service_pidfile | dirname }}"
state: directory
owner: "{{ keycloak_service_user if keycloak_service_runas else omit }}"
group: "{{ keycloak_service_group if keycloak_service_runas else omit }}"
mode: 0750

## check remote archive
- name: Set download archive path
ansible.builtin.set_fact:
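Review bot: the "Create pidfile folder" task creates the parent of `/run/keycloak/keycloak.pid` at install time, but on systemd hosts `/run` is a tmpfs, so the directory disappears on reboot and the unit will then fail to write its pidfile until the role is re-run. The idiomatic fix is `RuntimeDirectory=keycloak` (plus `RuntimeDirectoryMode=0750`) in keycloak.service.j2, which makes systemd recreate the directory with the unit's User/Group ownership on every start; this task could then be dropped. Two smaller points: quote the mode (`mode: "0750"`) so it is not parsed as a YAML octal integer, and note that when `keycloak_service_runas` is false the `omit` leaves the directory root-owned, which is correct for a root service but worth a comment.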
@@ -194,6 +203,12 @@
become: yes
changed_when: false

- name: Ensure permissions are correct on existing deploy
ansible.builtin.command: chown -R "{{ keycloak_service_user }}:{{ keycloak_service_group }}" "{{ keycloak.home }}"
when: keycloak_service_runas
become: yes
changed_when: false

# driver and configuration
- name: "Install {{ keycloak_jdbc_engine }} driver"
ansible.builtin.include_tasks: jdbc_driver.yml
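Review bot: `chown -R` over the whole `{{ keycloak.home }}` with `changed_when: false` has two problems. First, it does change state, so reporting it as unchanged hides drift from `--check`/`--diff` runs; `ansible.builtin.file` with `state: directory`, `recurse: true`, `owner` and `group` is idempotent and reports correctly. Second, from a least-privilege standpoint giving the service user ownership of the entire installation lets a compromised Keycloak process rewrite its own binaries, modules and `standalone.xml`; the usual pattern is to keep the code tree root-owned and readable, and chown only the directories the server must write (`standalone/data`, `standalone/log`, `standalone/tmp`, `standalone/configuration` if runtime config changes are needed). At minimum the recursive chown should be limited to those paths.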
@@ -8,4 +8,12 @@ KEYCLOAK_HTTPS_PORT={{ keycloak_https_port }}
KEYCLOAK_MANAGEMENT_HTTP_PORT={{ keycloak_management_http_port }}
KEYCLOAK_MANAGEMENT_HTTPS_PORT={{ keycloak_management_https_port }}
JBOSS_PIDFILE='{{ keycloak_service_pidfile }}'
LAUNCH_JBOSS_IN_BACKGROUND=1

WILDFLY_OPTS=-Djboss.bind.address=${KEYCLOAK_BIND_ADDRESS} \
-Djboss.http.port=${KEYCLOAK_HTTP_PORT} \
-Djboss.https.port=${KEYCLOAK_HTTPS_PORT} \
-Djboss.management.http.port=${KEYCLOAK_MANAGEMENT_HTTP_PORT} \
-Djboss.management.https.port=${KEYCLOAK_MANAGEMENT_HTTPS_PORT} \
-Djboss.node.name={{ inventory_hostname }} \
{% if keycloak_prefer_ipv4 %}-Djava.net.preferIPv4Stack=true -Djava.net.preferIPv4Addresses=true {% endif %}\
{% if keycloak_config_standalone_xml is defined %}--server-config={{ keycloak_config_standalone_xml }}{% endif %}
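Review bot: `WILDFLY_OPTS` embeds `${KEYCLOAK_BIND_ADDRESS}` and the other `${...}` references, but this file is consumed through `EnvironmentFile=` in the unit, and systemd does not perform variable expansion inside environment files; the literal `${KEYCLOAK_HTTP_PORT}` text is what ends up in `$WILDFLY_OPTS` when `ExecStart` is split. It may still work because `standalone.sh` evals its arguments through a shell that sees the same environment, but that is accidental; the safer form is to render the values with Jinja as the `-Djboss.node.name={{ inventory_hostname }}` line already does (for example `-Djboss.http.port={{ keycloak_http_port }}`). Also confirm that removing `LAUNCH_JBOSS_IN_BACKGROUND=1` is intended together with the unit keeping `Type=forking`; see the note on the service template.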
9 changes: 6 additions & 3 deletions roles/keycloak/templates/keycloak.service.j2
@@ -7,11 +7,14 @@ StartLimitBurst={{ keycloak_service_startlimitburst }}


[Service]
Type=forking
{% if keycloak_service_runas %}
User={{ keycloak_service_user }}
Group={{ keycloak_service_group }}
{% endif -%}
EnvironmentFile=-/etc/sysconfig/keycloak
PIDFile={{ keycloak_service_pidfile }}
ExecStart={{ keycloak_dest }}/keycloak-service.sh start
ExecStop={{ keycloak_dest }}/keycloak-service.sh stop
ExecStart={{ keycloak.home }}/bin/standalone.sh $WILDFLY_OPTS
WorkingDirectory={{ keycloak.home }}
TimeoutStartSec=30
TimeoutStopSec=30
LimitNOFILE=102642
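Review bot: `ExecStart` now runs `standalone.sh $WILDFLY_OPTS` directly while `Type=forking` and `PIDFile=` are kept from the wrapper-script era. With `Type=forking` systemd waits for the `ExecStart` process to exit before treating the unit as started; `standalone.sh` stays in the foreground (it either execs java or backgrounds it and waits), so unless it daemonizes the start will hit `TimeoutStartSec=30` and be killed. Verify on a molecule run; if it does not fork, switch to `Type=simple` (or `Type=exec`), drop `PIDFile=`, and let systemd track the main PID itself, which also removes the need for the pidfile directory task. Since the unit can now run unprivileged, this is also the natural place to add `RuntimeDirectory=keycloak`, `NoNewPrivileges=true`, `ProtectSystem=full` and `PrivateTmp=true`; with a non-root `User=` these directives cost nothing and contain the process if it is compromised.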
@@ -17,7 +17,7 @@ keycloak_quarkus_config_dir: "{{ keycloak_quarkus_home }}/conf"
keycloak_quarkus_start_dev: False
keycloak_quarkus_service_user: keycloak
keycloak_quarkus_service_group: keycloak
keycloak_quarkus_service_pidfile: "/run/keycloak.pid"
keycloak_quarkus_service_pidfile: "/run/keycloak/keycloak.pid"
keycloak_quarkus_configure_firewalld: False

### administrator console password
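Review bot: the quarkus role's default pidfile moves to `/run/keycloak/keycloak.pid` as well, but the only task in this PR that creates the `/run/keycloak` directory is the one added to roles/keycloak/tasks/install.yml. Unless the quarkus role already creates that directory (or its unit uses `RuntimeDirectory=keycloak`), the quarkus service will fail to write its pidfile after this change; either add the equivalent task or the systemd directive to the quarkus role in the same PR.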
@@ -61,7 +61,7 @@ argument_specs:
type: "str"
keycloak_quarkus_service_pidfile:
# line 18 of defaults/main.yml
default: "/run/keycloak.pid"
default: "/run/keycloak/keycloak.pid"
description: "Pid file path for service"
type: "str"
keycloak_quarkus_configure_firewalld:
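Review bot: minor wording consistency: this spec describes the variable as "Pid file path for service" while the keycloak role's `keycloak_service_pidfile` uses "PID file path for service"; since both defaults are being touched here, align the two descriptions (and the `# line 18 of defaults/main.yml` comment has the same staleness risk as the comments in the keycloak role's argument_specs).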