Hello,
I try to install Keycloak on a UCS5.0 in Version: 5.0-6 errata713
but I always get the error that the Packega jq can not be found.
The error message looks like this.
This is the message when I want to install the Keycloak app in the web gui:
Can someone help me with this issue?
Posting to confirm an issue with the current keycloak app (update from 22.0.3-ucs1 to 22.0.3-ucs2, UCS version is 5.0-6 errata904.).
The updater complains about the keycloak app not running (but it is) and being unable to start it:
20831 actions.upgrade.readme 23-12-22 13:05:12 [ INFO]: 2. https://help.univention.com/t/21420
20831 actions.upgrade.readme 23-12-22 13:05:12 [ INFO]: 3. https://github.com/keycloak/keycloak/issues/14184
20831 actions.configure 23-12-22 13:05:12 [ DEBUG]: Calling configure
20831 actions.configure.progress 23-12-22 13:05:12 [ DEBUG]: 0
20831 actions.configure 23-12-22 13:05:12 [ INFO]: Configuring keycloak=22.0.3-ucs2
20831 actions.configure.progress 23-12-22 13:05:12 [ DEBUG]: 100
20831 actions.upgrade 23-12-22 13:05:12 [ DEBUG]: Calling prescript (preinst)
20831 actions.upgrade 23-12-22 13:05:12 [ DEBUG]: Calling /var/cache/univention-appcenter/appcenter.software-univent
ion.de/5.0/keycloak_20230927180351.preinst --old-version 22.0.3-ucs1 --version 22.0.3-ucs2 --error-file /tmp/tmpnb0rgi6e --binddn uid=Ad
ministrator,cn=users,dc=e4a,dc=fperh,dc=net --bindpwdfile /tmp/tmpmbh8oroo --locale en
20831 actions.upgrade 23-12-22 13:05:12 [ INFO]: /usr/bin/jq
20831 actions.upgrade 23-12-22 13:05:12 [ INFO]: Installing univention-keycloak apache template
20831 actions.upgrade 23-12-22 13:05:12 [ INFO]: Installing Keycloak data/settings acl
20831 actions.upgrade 23-12-22 13:05:12 [ INFO]: Installing Keycloak apache template info
20831 actions.upgrade 23-12-22 13:05:12 [ INFO]: Installing Keycloak translation template info
20831 actions.upgrade 23-12-22 13:05:12 [ INFO]: Installing Keycloak transaltion template
20831 actions.upgrade 23-12-22 13:05:12 [ INFO]: File: /var/lib/univention-appcenter/apps/keycloak/conf/UCS/login/m
essages/messages_de.properties
20831 actions.upgrade 23-12-22 13:05:13 [ INFO]: File: /var/lib/univention-appcenter/apps/keycloak/conf/UCS/login/m
essages/messages_en.properties
20831 actions.upgrade 23-12-22 13:05:13 [ INFO]: Installing 50-keycloak postgresql 11 template
20831 actions.upgrade 23-12-22 13:05:13 [ INFO]: Installing 50-keycloak postgresql 15 template
20831 actions.upgrade 23-12-22 13:05:13 [ INFO]: Installing 50-keycloak postgresql template info
20831 actions.upgrade 23-12-22 13:05:13 [ INFO]: Installing keycloak ispn configuration template
20831 actions.upgrade 23-12-22 13:05:13 [ DEBUG]: /var/cache/univention-appcenter/appcenter.software-univention.de/5
.0/keycloak_20230927180351.preinst returned with 0
20831 packages 23-12-22 13:05:13 [ DEBUG]: Holding LOCK
20831 actions.start 23-12-22 13:05:13 [ DEBUG]: Calling start
20831 actions.start.progress 23-12-22 13:05:13 [ DEBUG]: 0
20831 docker 23-12-22 13:05:13 [ DEBUG]: Calling in /var/lib/univention-appcenter/apps/keycloak/compose:
20831 docker 23-12-22 13:05:13 [ DEBUG]: Calling docker-compose -p keycloak start
20831 docker 23-12-22 13:05:13 [ WARNING]: Starting keycloak ...
20831 docker 23-12-22 13:05:13 [ WARNING]: ^MStarting keycloak ... failed ^M No containers to start
20831 actions.start.progress 23-12-22 13:05:13 [ DEBUG]: 100
20831 packages 23-12-22 13:05:13 [ DEBUG]: Releasing LOCK
20831 actions.upgrade 23-12-22 13:05:13 [CRITICAL]: Could not start the app container. It needs to be running to be upgraded!
20831 actions.upgrade 23-12-22 13:05:13 [ WARNING]: Aborting...
20831 actions.start 23-12-22 13:05:13 [ DEBUG]: Calling start
20831 actions.start.progress 23-12-22 13:05:13 [ DEBUG]: 0
20831 docker 23-12-22 13:05:13 [ DEBUG]: Calling in /var/lib/univention-appcenter/apps/keycloak/compose:
20831 docker 23-12-22 13:05:13 [ DEBUG]: Calling docker-compose -p keycloak start
20831 docker 23-12-22 13:05:13 [ WARNING]: Starting keycloak ...
20831 docker 23-12-22 13:05:13 [ WARNING]: ^MStarting keycloak ... failed ^M No containers to start
20831 actions.start.progress 23-12-22 13:05:13 [ DEBUG]: 100
20831 utils 23-12-22 13:05:13 [ DEBUG]: send_information: action=upgrade app=keycloak value=None status=429
20831 utils 23-12-22 13:05:13 [ DEBUG]: tracking information: {'action': 'upgrade', 'status': 429, 'uuid': '6e1fc2e6-25b2-4e64-8746-e442dcc5133f', 'role': 'domaincontroller_master', 'app': 'keycloak', 'version': '22.0.3-ucs2', 'system-uuid': '76ca183d-2fb7-429a-a7ea-72ae53829ade'}
20831 actions.upgrade-search 23-12-22 13:05:14 [ DEBUG]: Calling upgrade-search
20831 actions.upgrade-search.progress 23-12-22 13:05:14 [ DEBUG]: 0
20831 actions.upgrade-search 23-12-22 13:05:14 [ DEBUG]: Checking keycloak=22.0.3-ucs2
20831 actions.upgrade-search.progress 23-12-22 13:05:14 [ DEBUG]: 100
20831 actions.upgrade.progress 23-12-22 13:05:14 [ DEBUG]: 100
Keycloak itself is running however, but cannot be started in the UMC. It can be startet manually i.e.
docker compose up
in /var/lib/univention-appcenter/apps/keycloak/compose#
however the updater fails to recognize the running app.
The logs of the keycloak app (-ucs1) don’t show anything unusual:
UCS, using built-in themes
keycloak | 2023-12-22 12:08:10,271 INFO [org.infinispan.CLUSTER] (main) ISPN000080: Disconnecting JGroups channel `ISPN`
keycloak | 2023-12-22 12:08:10,446 INFO [io.quarkus] (main) Keycloak stopped in 0.465s
keycloak | 2023-12-22 12:08:17,757 INFO [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: Base URL: <unset>, Hostname: ucs-sso-ng.e4a.fperh.net, Strict HTTPS: true, Path: <request>, Strict BackChannel: false, Admin URL: <unset>, Admin: <request>, Port: -1, Proxied: true
keycloak | 2023-12-22 12:08:20,340 WARN [org.infinispan.PERSISTENCE] (keycloak-cache-init) ISPN000554: jboss-marshalling is deprecated and planned for removal
keycloak | 2023-12-22 12:08:20,473 INFO [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000556: Starting user marshaller 'org.infinispan.jboss.marshalling.core.JBossUserMarshaller'
keycloak | 2023-12-22 12:08:20,882 INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000078: Starting JGroups channel `ISPN` with stack `jdbc-ping-tcp`
keycloak | 2023-12-22 12:08:20,885 INFO [org.jgroups.JChannel] (keycloak-cache-init) local_addr: ec1976a8-9dad-4873-804a-6e0afc581491, name: 39dbd7c97880-11996
keycloak | 2023-12-22 12:08:20,895 INFO [org.jgroups.protocols.FD_SOCK2] (keycloak-cache-init) server listening on *.57600
keycloak | 2023-12-22 12:08:20,901 WARN [io.quarkus.vertx.http.runtime.VertxHttpRecorder] (main) The X-Forwarded-* and Forwarded headers will be considered when determining the proxy address. This configuration can cause a security issue as clients can forge requests and send a forwarded header that is not overwritten by the proxy. Please consider use one of these headers just to forward the proxy address in requests.
keycloak | 2023-12-22 12:08:20,959 INFO [org.jgroups.protocols.pbcast.GMS] (keycloak-cache-init) 39dbd7c97880-11996: no members discovered after 58 ms: creating cluster as coordinator
keycloak | 2023-12-22 12:08:21,015 INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000094: Received new cluster view for channel ISPN: [39dbd7c97880-11996|0] (1) [39dbd7c97880-11996]
keycloak | 2023-12-22 12:08:21,070 INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000079: Channel `ISPN` local address is `39dbd7c97880-11996`, physical addresses are `[213.239.206.77:7600]`
keycloak | 2023-12-22 12:08:21,081 WARN [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000569: Unable to persist Infinispan internal caches as no global state enabled
keycloak | 2023-12-22 12:08:21,509 INFO [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (main) Node name: 39dbd7c97880-11996, Site name: null
keycloak | 2023-12-22 12:08:21,515 INFO [org.keycloak.broker.provider.AbstractIdentityProviderMapper] (main) Registering class org.keycloak.broker.provider.mappersync.ConfigSyncEventListener
keycloak | 2023-12-22 12:08:22,997 INFO [io.quarkus] (main) Keycloak 22.0.3 on JVM (powered by Quarkus 3.2.5.Final) started in 6.403s. Listening on: http://0.0.0.0:8180
keycloak | 2023-12-22 12:08:22,998 INFO [io.quarkus] (main) Profile prod activated.
keycloak | 2023-12-22 12:08:22,998 INFO [io.quarkus] (main) Installed features: [agroal, cdi, hibernate-orm, jdbc-h2, jdbc-mariadb, jdbc-mssql, jdbc-mysql, jdbc-oracle, jdbc-postgresql, keycloak, logging-gelf, micrometer, narayana-jta, reactive-routes, resteasy, resteasy-jackson, smallrye-context-propagation, smallrye-health, vertx]
keycloak | 2023-12-22 12:08:25,347 ERROR [org.keycloak.theme.DefaultThemeManager] (executor-thread-1) Failed to find ADMIN theme keycloak, using built-in themes
keycloak | 2023-12-22 12:08:27,694 ERROR [org.keycloak.theme.DefaultThemeManager] (executor-thread-1) Failed to find ADMIN theme keycloak, using built-in themes
keycloak | 2023-12-22 12:08:44,743 ERROR [org.keycloak.theme.DefaultThemeManager] (executor-thread-3) Failed to find ADMIN theme keycloak, using built-in themes
keycloak | 2023-12-22 12:08:47,936 WARN [org.keycloak.theme.DefaultThemeManager] (executor-thread-2) Not found parent theme 'keycloak' of theme 'UCS'. Unable to load ACCOUNT theme 'UCS' due to this.
keycloak | 2023-12-22 12:08:47,938 ERROR [org.keycloak.theme.DefaultThemeManager] (executor-thread-2) Failed to find ACCOUNT theme UCS, using built-in themes
keycloak | 2023-12-22 12:08:47,946 WARN [org.keycloak.theme.DefaultThemeManager] (executor-thread-2) Not found parent theme 'keycloak' of theme 'UCS'. Unable to load ADMIN theme 'UCS' due to this.
keycloak | 2023-12-22 12:08:47,947 ERROR [org.keycloak.theme.DefaultThemeManager] (executor-thread-2) Failed to find ADMIN theme UCS, using built-in themes
Hey,
thanks to the both of you for bringing this up! The error was catched beforehand, but unfortunately the app was released without the fix applied. We just corrected that, could you retry the installation?
Regards
Jan-Luca
Hello, after completly uninstall UCS and reinstall the whole system I was able to install the keycloak service. But now I get this error:
Bad Gateway 503
The proxy server received an invalid response from an upstream server.
Apache/2.4.38 (Univention) Server at ucs-sso-ng.h2-invent.intranet Port 443
I just realised that the keyloak service has not joind the domain. So propably this could be the first issue.
When I try to execute the join script the service tries to find the domain of the keycloak but it is not reachable because of an internal testdomain.
How can I fix this issue?
This is hard to debug when several steps have been tried already. What was the initial error you got, it can maybe still be found in /var/log/univention/appcenter.log
What is the exact error message you get now? Please check the /var/univention/join.log for errors.
Which UCS version is in use? univention-app info
@jlk
I gave it another try: At first I tried upgrading in the UMC but this only ended in (appcenter.log):
27091 actions.install 24-01-18 17:48:30 [ DEBUG]: Calling install
27091 actions.install.progress 24-01-18 17:48:30 [ DEBUG]: 0
27091 utils 24-01-18 17:48:30 [ INFO]: Resolving dependencies for keycloak
27091 actions.install 24-01-18 17:48:30 [ INFO]: Going to install Keycloak (22.0.3-ucs2)
27091 actions.install 24-01-18 17:48:30 [ WARNING]: (shall_have_enough_free_disk_space)
27091 actions.install 24-01-18 17:48:30 [ WARNING]: (shall_have_enough_ram)
27091 actions.install 24-01-18 17:48:39 [ INFO]: Showing License agreement for keycloak=2
2.0.3-ucs2
27091 actions.install 24-01-18 17:48:39 [ INFO]: Showing README for keycloak=22.0.3-ucs2
27091 settings 24-01-18 17:48:39 [ INFO]: Falling back to initial value for keyclo
ak/apache2/ssl/certificate
27091 settings 24-01-18 17:48:39 [ INFO]: Falling back to initial value for keyclo
ak/apache2/ssl/key
27091 settings 24-01-18 17:48:39 [ INFO]: Falling back to initial value for keyclo
ak/apache2/ssl/ca
27091 settings 24-01-18 17:48:39 [ INFO]: Falling back to initial value for keyclo
ak/csp/frame-ancestors
27091 settings 24-01-18 17:48:39 [ INFO]: Cannot read ucs/self/registration/check_
email_verification while keycloak=22.0.3-ucs2 is not running
27091 settings 24-01-18 17:48:39 [ INFO]: Cannot read keycloak/password/change/endpoint while keycloak=22.0.3-ucs2 is not running
27091 settings 24-01-18 17:48:39 [ INFO]: Falling back to initial value for keycloak/password/change/endpoint
27091 settings 24-01-18 17:48:39 [ INFO]: Cannot read kc/db/url while keycloak=22.0.3-ucs2 is not running
27091 settings 24-01-18 17:48:39 [ INFO]: Falling back to initial value for kc/db/url
27091 settings 24-01-18 17:48:39 [ INFO]: Cannot read kc/db/username while keycloak=22.0.3-ucs2 is not running
27091 settings 24-01-18 17:48:39 [ INFO]: Falling back to initial value for kc/db/username
27091 settings 24-01-18 17:48:39 [ INFO]: Cannot read kc/db/password while keycloak=22.0.3-ucs2 is not running
27091 settings 24-01-18 17:48:39 [ INFO]: Falling back to initial value for kc/db/password
27091 settings 24-01-18 17:48:39 [ INFO]: Cannot read kc/db/driver while keycloak=22.0.3-ucs2 is not running
27091 settings 24-01-18 17:48:39 [ INFO]: Falling back to initial value for kc/db/driver
27091 settings 24-01-18 17:48:39 [ INFO]: Cannot read kc/db/ping/datatype while keycloak=22.0.3-ucs2 is not running
27091 settings 24-01-18 17:48:39 [ INFO]: Falling back to initial value for kc/db/ping/datatype
27091 actions.configure 24-01-18 17:48:39 [ DEBUG]: Calling configure
27091 actions.configure.progress 24-01-18 17:48:39 [ DEBUG]: 0
27091 actions.configure 24-01-18 17:48:39 [ INFO]: Configuring keycloak=22.0.3-ucs2
27091 settings 24-01-18 17:48:39 [ INFO]: Setting keycloak/server/sso/fqdn to 'ucs-sso-ng.servi.domain.net'
27091 settings 24-01-18 17:48:39 [ INFO]: Setting keycloak/server/sso/path to '/'
27091 settings 24-01-18 17:48:39 [ INFO]: Setting keycloak/server/sso/virtualhost to 'true'
27091 settings 24-01-18 17:48:39 [ INFO]: Setting keycloak/apache/config to 'true'
27091 settings 24-01-18 17:48:39 [ INFO]: Setting keycloak/server/sso/autoregistration to 'true'
27091 settings 24-01-18 17:48:39 [ INFO]: Unsetting keycloak/apache2/ssl/certificate
27091 settings 24-01-18 17:48:39 [ INFO]: Unsetting keycloak/apache2/ssl/key
27091 settings 24-01-18 17:48:39 [ INFO]: Unsetting keycloak/apache2/ssl/ca
27091 settings 24-01-18 17:48:39 [ INFO]: Unsetting keycloak/csp/frame-ancestors
27091 settings 24-01-18 17:48:39 [ INFO]: Setting keycloak/cookies/samesite to 'None'
27091 settings 24-01-18 17:48:39 [ INFO]: Setting keycloak/login/messages/en/accountNotVerifiedMsg to 'Your account is not verified.<br>You must <a id="loginSelfServiceLink" href="https://ucs01.servi.domain.net/univention/selfservice/#/selfservice/verifyaccount" target="_blank">verify your account</a> before you can login.<br/>'
27091 settings 24-01-18 17:48:39 [ INFO]: Setting keycloak/login/messages/de/accountNotVerifiedMsg to 'Konto nicht verifiziert.<br>Sie m\\u00FCssen Ihr <a id="loginSelfServiceLink" href="https://ucs01.servi.domain.net/univention/selfservice/#/selfservice/verifyaccount" target="_blank">Konto verifizieren</a>, bevor Sie sich einloggen k\\u00F6nnen.<br/>'
27091 settings 24-01-18 17:48:39 [ INFO]: Setting keycloak/login/messages/en/accessDeniedMsg to 'Access forbidden.<br>You do not have the needed privileges to access this application. Please contact the administrator that you do not have access to the service {0} if you find this to be incorrect.'
27091 settings 24-01-18 17:48:39 [ INFO]: Setting keycloak/login/messages/de/accessDeniedMsg to 'Zugriff verboten.<br>Bitte wenden Sie sich an den Administrator, dass Sie keinen Zugriff auf den Service {0} haben, wenn Sie feststellen, dass dies nicht korrekt ist.'
27091 settings 24-01-18 17:48:39 [ INFO]: Setting keycloak/log/level to 'INFO'
27091 settings 24-01-18 17:48:39 [ INFO]: Setting kc/db/kind to 'postgres'
27091 settings 24-01-18 17:48:39 [ INFO]: Setting kc/db/xa to 'false'
27091 settings 24-01-18 17:48:39 [ INFO]: Setting keycloak/federation/remote/identifier to 'univentionObjectIdentifier'
27091 settings 24-01-18 17:48:39 [ INFO]: Setting keycloak/federation/source/identifier to 'univentionSourceIAM'
27091 actions.configure 24-01-18 17:48:39 [ WARNING]: Cannot write settings while keycloak=22.0.3-ucs2 is not running
27091 actions.configure.progress 24-01-18 17:48:39 [ DEBUG]: 100
27091 actions.install 24-01-18 17:48:39 [ DEBUG]: Calling prescript (preinst)
27091 actions.install 24-01-18 17:48:39 [ DEBUG]: Calling /var/cache/univention-appcenter/appcenter.software-univention.de/5.0/keycloak_20230927180351.preinst --version 22.0.3-ucs2 --error-file /tmp/tmp4gu3y7qb --binddn uid=Administrator,cn=users,dc=servi,dc=domain,dc=net --bindpwdfile /tmp/tmpm02ht57y --locale de
27091 actions.install 24-01-18 17:48:39 [ INFO]: Installing univention-keycloak apache template
27091 actions.install 24-01-18 17:48:39 [ INFO]: Installing Keycloak data/settings acl
27091 actions.install 24-01-18 17:48:39 [ INFO]: Installing Keycloak apache template info
27091 actions.install 24-01-18 17:48:39 [ INFO]: Installing Keycloak translation template info
27091 actions.install 24-01-18 17:48:39 [ INFO]: Installing Keycloak transaltion template
27091 actions.install 24-01-18 17:48:39 [ INFO]: File: /var/lib/univention-appcenter/apps/keycloak/conf/UCS/login/messages/messages_de.properties
27091 actions.install 24-01-18 17:48:39 [ INFO]: File: /var/lib/univention-appcenter/apps/keycloak/conf/UCS/login/messages/messages_en.properties
27091 actions.install 24-01-18 17:48:39 [ INFO]: Installing 50-keycloak postgresql 11 template
27091 actions.install 24-01-18 17:48:39 [ INFO]: Installing 50-keycloak postgresql 15 template
27091 actions.install 24-01-18 17:48:39 [ INFO]: Installing 50-keycloak postgresql template info
27091 actions.install 24-01-18 17:48:39 [ INFO]: Installing keycloak ispn configuration template
27091 actions.install 24-01-18 17:48:39 [ DEBUG]: /var/cache/univention-appcenter/appcenter.software-univention.de/5.0/keycloak_20230927180351.preinst returned with 0
27091 packages 24-01-18 17:48:39 [ DEBUG]: Holding LOCK
27091 actions.install 24-01-18 17:48:39 [ INFO]: Creating data directories for keycloak...
27091 actions.install.progress 24-01-18 17:48:39 [ DEBUG]: 5
27091 actions.install 24-01-18 17:48:39 [ INFO]: Registering UCR for keycloak
27091 actions.install 24-01-18 17:48:39 [ INFO]: Marking keycloak=22.0.3-ucs2 as installed
27091 actions.install 24-01-18 17:48:39 [ INFO]: Adding localhost to LDAP object
27091 actions.install 24-01-18 17:48:39 [ DEBUG]: Calling /etc/init.d/apache2 reload
27091 actions.install 24-01-18 17:48:40 [ INFO]: Reloading apache2 configuration (via systemctl): apache2.service.
27091 actions.install 24-01-18 17:48:40 [ DEBUG]: /etc/init.d/apache2 returned with 0
27091 actions.install.progress 24-01-18 17:48:40 [ DEBUG]: 10
27091 database 24-01-18 17:48:40 [ DEBUG]: keycloak=22.0.3-ucs2 uses PostgreSQL
27091 packages 24-01-18 17:48:40 [ DEBUG]: Calling /usr/bin/apt-mark manual univention-postgresql
27091 packages 24-01-18 17:48:40 [ INFO]: univention-postgresql wurde bereits auf manuell installiert gesetzt.
27091 database 24-01-18 17:48:40 [ DEBUG]: Calling service postgresql start
27091 database 24-01-18 17:48:41 [ DEBUG]: Password already exists
27091 database 24-01-18 17:48:41 [ INFO]: Checking if database keycloak exists (postgresql implementation)
27091 database 24-01-18 17:48:41 [ INFO]: Database keycloak already exists
27091 database 24-01-18 17:48:41 [ DEBUG]: Database and User already exist
27091 database 24-01-18 17:48:41 [ INFO]: keycloak=22.0.3-ucs2 already has its database
27091 actions.install.progress 24-01-18 17:48:41 [ DEBUG]: 15
27091 actions.install.progress 24-01-18 17:48:41 [ DEBUG]: 25
27091 actions.install 24-01-18 17:48:41 [ INFO]: Already found cn=keycl-06955476,cn=memberserver,cn=computers,dc=servi,dc=domain,dc=net as a host for keycloak. Trying to retrieve machine secret.
27091 actions.install.progress 24-01-18 17:48:41 [ DEBUG]: 30
27091 docker 24-01-18 17:48:41 [ DEBUG]: Getting network for keycloak=22.0.3-ucs2
27091 docker 24-01-18 17:48:41 [ DEBUG]: Found 172.16.1.0/24
27091 actions.install 24-01-18 17:48:41 [ INFO]: Downloading app images
27091 docker 24-01-18 17:48:41 [ DEBUG]: Running in /var/lib/univention-appcenter/apps/keycloak/compose:
27091 docker 24-01-18 17:48:41 [ INFO]: Running command: docker-compose -p keycloak pull
27091 docker 24-01-18 17:48:42 [ INFO]: Pulling keycloak ...
[... pulling ...]
27091 actions.install 24-01-18 17:48:52 [ INFO]: Initializing app image
27091 database 24-01-18 17:48:52 [ DEBUG]: keycloak=22.0.3-ucs2 uses PostgreSQL
27091 docker 24-01-18 17:48:52 [ DEBUG]: Getting network for keycloak=22.0.3-ucs2
27091 docker 24-01-18 17:48:52 [ DEBUG]: Found 172.16.1.0/24
27091 utils 24-01-18 17:48:52 [ DEBUG]: Running in /var/lib/univention-appcenter/apps/keycloak/compose:
27091 utils 24-01-18 17:48:52 [ INFO]: Running command: docker-compose -p keycloak up -d --no-build --no-recreate
27091 utils 24-01-18 17:48:53 [ INFO]: Creating network "keycloak_appcenter_net" with the default driver
27091 utils 24-01-18 17:48:53 [ INFO]: Pool overlaps with other one on this address space
27091 utils 24-01-18 17:48:53 [ ERROR]: Command docker-compose -p keycloak up -d --no-build --no-recreate failed with: Creating network "keycloak_appcenter_net" with the default driver
Pool overlaps with other one on this address space (1)
27091 packages 24-01-18 17:48:53 [ DEBUG]: Releasing LOCK
27091 actions.install 24-01-18 17:48:53 [CRITICAL]: Creating network "keycloak_appcenter_net" with the default driver
Pool overlaps with other one on this address space
27091 actions.install 24-01-18 17:48:53 [ WARNING]: Aborting...
27091 actions.remove 24-01-18 17:48:53 [ DEBUG]: Calling remove
27091 actions.remove.progress 24-01-18 17:48:53 [ DEBUG]: 0
27091 utils 24-01-18 17:48:53 [ INFO]: Resolving dependencies for keycloak
27091 actions.remove 24-01-18 17:48:53 [ INFO]: Going to remove Keycloak (22.0.3-ucs2)
27091 cache 24-01-18 17:48:53 [ DEBUG]: Cache outdated. Need to rebuild
27091 cache 24-01-18 17:48:53 [ DEBUG]: Loaded 271 apps from cache
27091 actions.remove 24-01-18 17:48:53 [ INFO]: Showing README for keycloak=22.0.3-ucs2
27091 actions.configure 24-01-18 17:48:53 [ DEBUG]: Calling configure
27091 actions.configure.progress 24-01-18 17:48:53 [ DEBUG]: 0
27091 actions.configure 24-01-18 17:48:53 [ INFO]: Configuring keycloak=22.0.3-ucs2
27091 actions.configure.progress 24-01-18 17:48:53 [ DEBUG]: 100
27091 actions.remove 24-01-18 17:48:53 [ DEBUG]: Calling prescript (prerm)
27091 actions.remove 24-01-18 17:48:53 [ DEBUG]: /var/cache/univention-appcenter/appcenter.software-univention.de/5.0/keycloak_20230927180351.prerm does not exist
27091 packages 24-01-18 17:48:53 [ DEBUG]: Holding LOCK
27091 actions.remove.progress 24-01-18 17:48:53 [ DEBUG]: 5
27091 actions.remove.progress 24-01-18 17:48:53 [ DEBUG]: 5
27091 actions.configure 24-01-18 17:48:53 [ DEBUG]: Calling configure
27091 actions.configure.progress 24-01-18 17:48:53 [ DEBUG]: 0
27091 actions.configure 24-01-18 17:48:53 [ INFO]: Configuring keycloak=22.0.3-ucs2
27091 actions.configure 24-01-18 17:48:53 [ DEBUG]: Calling /var/cache/univention-appcenter/appcenter.software-univention.de/5.0/keycloak_20230927180351.configure_host remove --version 22.0.3-ucs2 --error-file /tmp/tmpamu0s14q --locale de
27091 actions.configure 24-01-18 17:48:53 [ DEBUG]: /var/cache/univention-appcenter/appcenter.software-univention.de/5.0/keycloak_20230927180351.configure_host returned with 0
27091 actions.configure.progress 24-01-18 17:48:53 [ DEBUG]: 100
27091 actions.stop 24-01-18 17:48:53 [ DEBUG]: Calling stop
27091 actions.stop.progress 24-01-18 17:48:53 [ DEBUG]: 0
27091 docker 24-01-18 17:48:53 [ DEBUG]: Calling in /var/lib/univention-appcenter/apps/keycloak/compose:
27091 docker 24-01-18 17:48:53 [ DEBUG]: Calling docker-compose -p keycloak stop
27091 actions.stop.progress 24-01-18 17:48:54 [ DEBUG]: 100
27091 actions.remove 24-01-18 17:48:54 [ DEBUG]: Calling in /var/lib/univention-appcenter/apps/keycloak/compose:
27091 actions.remove 24-01-18 17:48:54 [ DEBUG]: Calling docker-compose -p keycloak stop
27091 actions.remove 24-01-18 17:48:54 [ DEBUG]: Calling in /var/lib/univention-appcenter/apps/keycloak/compose:
27091 actions.remove 24-01-18 17:48:54 [ DEBUG]: Calling docker-compose -p keycloak stop
27091 actions.remove 24-01-18 17:48:55 [ DEBUG]: Calling in /var/lib/univention-appcenter/apps/keycloak/compose:
27091 actions.remove 24-01-18 17:48:55 [ DEBUG]: Calling docker-compose -p keycloak down --remove-orphans
27091 actions.remove 24-01-18 17:48:55 [ WARNING]: Removing network keycloak_appcenter_net
27091 actions.remove 24-01-18 17:48:55 [ WARNING]: Network keycloak_appcenter_net not found.
27091 actions.remove.progress 24-01-18 17:48:55 [ DEBUG]: 45
27091 actions.remove 24-01-18 17:48:55 [ DEBUG]: Calling /usr/sbin/update-rc.d docker-app-keycloak remove
27091 actions.remove 24-01-18 17:48:55 [ DEBUG]: /usr/sbin/update-rc.d returned with 0
27091 actions.remove 24-01-18 17:48:55 [ INFO]: Removing localhost from LDAP object
27091 actions.remove 24-01-18 17:48:56 [ DEBUG]: Calling /etc/init.d/apache2 reload
27091 actions.remove 24-01-18 17:48:56 [ INFO]: Reloading apache2 configuration (via systemctl): apache2.service.
27091 actions.remove 24-01-18 17:48:56 [ DEBUG]: /etc/init.d/apache2 returned with 0
27091 actions.remove.progress 24-01-18 17:48:56 [ DEBUG]: 55
27091 actions.remove.progress 24-01-18 17:48:56 [ DEBUG]: 60
27091 actions.remove.progress 24-01-18 17:48:56 [ DEBUG]: 70
27091 actions.remove.progress 24-01-18 17:48:56 [ DEBUG]: 80
27091 actions.remove 24-01-18 17:48:56 [ INFO]: Uninstalling /usr/lib/univention-install/50keycloak.inst
27091 actions.remove 24-01-18 17:48:56 [ INFO]: Installing join script /var/cache/univention-appcenter/appcenter.software-univention.de/5.0/keycloak_20230927180351.uinst
27091 actions.remove 24-01-18 17:48:56 [ DEBUG]: Calling /usr/sbin/univention-run-join-scripts
27091 actions.remove 24-01-18 17:48:57 [ INFO]: univention-run-join-scripts: runs all join scripts existing on local computer.
27091 actions.remove 24-01-18 17:48:57 [ INFO]: copyright (c) 2001-2023 Univention GmbH, Germany
27091 actions.remove 24-01-18 17:48:57 [ INFO]:
27091 actions.remove 24-01-18 17:48:57 [ INFO]: Running pre-joinscripts hook(s): done
27091 actions.remove 24-01-18 17:48:57 [ INFO]: Running 01univention-ldap-server-init.in
[snip]
27091 actions.remove 24-01-18 17:50:01 [ DEBUG]: /usr/sbin/univention-run-join-scripts returned with 0
27091 packages 24-01-18 17:50:01 [ DEBUG]: Releasing LOCK
27091 actions.remove 24-01-18 17:50:01 [ INFO]: Potential script hook folder is unused: /var/lib/univention-appcenter/apps/keycloak/local/hooks/post-remove.d
27091 actions.remove 24-01-18 17:50:01 [ INFO]: File: /usr/share/univention-management-console/i18n/de/apps.mo
27091 actions.remove 24-01-18 17:50:01 [ INFO]:
27091 actions.remove 24-01-18 17:50:02 [ INFO]: File: /usr/share/univention-management-console/modules/apps.xml
27091 actions.remove 24-01-18 17:50:02 [ INFO]:
27091 actions.remove 24-01-18 17:50:02 [ INFO]: File: /etc/apt/apt.conf.d/55user_agent
27091 actions.remove 24-01-18 17:50:02 [ INFO]:
27091 actions.upgrade-search 24-01-18 17:50:02 [ DEBUG]: Calling upgrade-search
27091 actions.upgrade-search.progress 24-01-18 17:50:02 [ DEBUG]: 0
27091 actions.upgrade-search 24-01-18 17:50:02 [ DEBUG]: Checking keycloak=22.0.3-ucs2
27091 actions.upgrade-search.progress 24-01-18 17:50:02 [ DEBUG]: 100
27091 actions.remove.progress 24-01-18 17:50:02 [ DEBUG]: 100
27091 utils 24-01-18 17:50:02 [ DEBUG]: send_information: action=install app=keycloak value=Creating network "keycloak_appcenter_net" with the default driver
Pool overlaps with other one on this address space
status=417
27091 utils 24-01-18 17:50:02 [ DEBUG]: tracking information: {'action': 'install', 'status': 417, 'uuid': '6e1fc2e6-25b2-4e64-8746-e442dcc5133f', 'role': 'domaincontroller_master', 'app': 'keycloak', 'version': '22.0.3-ucs2', 'value': 'Creating network "keycloak_appcenter_net" with the default driver\nPool overlaps with other one on this address space\n', 'system-uuid': '76ca183d-2fb7-429a-a7ea-72ae53829ade'}
which didn’t work and now the UMC doesn’t show keycloak as being installed anymore.
I then upgraded manually with univention-app install keycloak=22.0.3-ucs2, output is:
root@ucs01:~# univention-app install keycloak=22.0.3-ucs2
Falling back to initial value for keycloak/apache2/ssl/ca
Falling back to initial value for keycloak/csp/frame-ancestors
Cannot read ucs/self/registration/check_email_verification while keycloak=22.0.3-ucs2 is not running
Cannot read keycloak/password/change/endpoint while keycloak=22.0.3-ucs2 is not running
[snip]
Configuring keycloak=22.0.3-ucs2
Setting keycloak/server/sso/fqdn to 'ucs-sso-ng.servi.domain.net'
Setting keycloak/server/sso/path to '/'
Setting keycloak/server/sso/virtualhost to 'true'
Setting keycloak/apache/config to 'true'
Setting keycloak/server/sso/autoregistration to 'true'
Unsetting keycloak/apache2/ssl/certificate
Unsetting keycloak/apache2/ssl/key
Unsetting keycloak/apache2/ssl/ca
Unsetting keycloak/csp/frame-ancestors
Setting keycloak/cookies/samesite to 'None'
Setting keycloak/login/messages/en/accountNotVerifiedMsg to 'Your account is not verified.<br>You must <a id="loginSelfServiceLink" href="https://ucs01.servi.domain.net/univention/selfservice/#/selfservice/verifyaccount" target="_blank">verify your account</a> before you can login.<br/>'
Setting keycloak/login/messages/de/accountNotVerifiedMsg to 'Konto nicht verifiziert.<br>Sie m\\u00FCssen Ihr <a id="loginSelfServiceLink" href="https://ucs01.servi.domain.net/univention/selfservice/#/selfservice/verifyaccount" target="_blank">Konto verifizieren</a>, bevor Sie sich einloggen k\\u00F6nnen.<br/>'
Setting keycloak/login/messages/en/accessDeniedMsg to 'Access forbidden.<br>You do not have the needed privileges to access this application. Please contact the administrator that you do not have access to the service {0} if you find this to be incorrect.'
Setting keycloak/login/messages/de/accessDeniedMsg to 'Zugriff verboten.<br>Bitte wenden Sie sich an den Administrator, dass Sie keinen Zugriff auf den Service {0} haben, wenn Sie feststellen, dass dies nicht korrekt ist.'
Setting keycloak/log/level to 'INFO'
Setting kc/db/kind to 'postgres'
Setting kc/db/xa to 'false'
Setting keycloak/federation/remote/identifier to 'univentionObjectIdentifier'
Setting keycloak/federation/source/identifier to 'univentionSourceIAM'
Cannot write settings while keycloak=22.0.3-ucs2 is not running
Installing univention-keycloak apache template
Installing Keycloak data/settings acl
I
[snip]
Database keycloak already exists
keycloak=22.0.3-ucs2 already has its database
Already found cn=keycl-06955476,cn=memberserver,cn=computers,servi,dc=domain,dc=net as a host for keycloak. Trying to retrieve machine secret.
Downloading app images
Running command: docker-compose -p keycloak pull
Pulling keycloak ... done
Initializing app image
Running command: docker-compose -p keycloak up -d --no-build --no-recreate
Creating network "keycloak_appcenter_net" with the default driver
Pool overlaps with other one on this address space
Command docker-compose -p keycloak up -d --no-build --no-recreate failed with: Creating network "keycloak_appcenter_net" with the default driver
Pool overlaps with other one on this address space (1)
Creating network "keycloak_appcenter_net" with the default driver
Pool overlaps with other one on this address space
Aborting...
Resolving dependencies for keycloak
Going to remove Keycloak (22.0.3-ucs2)
Showing README for keycloak=22.0.3-ucs2
Configuring keycloak=22.0.3-ucs2
Configuring keycloak=22.0.3-ucs2
Removing network keycloak_appcenter_net
Network keycloak_appcenter_net not found.
Removing localhost from LDAP object
File: /etc/univention/service.info/services/univention-appcenter.cfg
Multifile: /etc/apache2/sites-available/default-ssl.conf
File: /etc/apache2/sites-available/univention-letsencrypt.conf
Multifile: /etc/postgresql/11/main/pg_hba.conf
Multifile: /etc/apache2/sites-available/000-default.conf
Reloading apache2 configuration (via systemctl): apache2.service.
Uninstalling /usr/lib/univention-install/50keycloak.inst
Installing join script /var/cache/univention-appcenter/appcenter.software-univention.de/5.0/keycloak_20230927180351.uinst
univention-run-join-scripts: runs all join scripts existing on local computer.
copyright (c) 2001-2023 Univention GmbH, Germany
Running pre-joinscripts hook(s): done
[snip]
Running 51keycloak-uninstall.uinst done
Running post-joinscripts hook(s): done
Potential script hook folder is unused: /var/lib/univention-appcenter/apps/keycloak/local/hooks/post-remove.d
File: /usr/share/univention-management-console/i18n/de/apps.mo
File: /usr/share/univention-management-console/modules/apps.xml
File: /etc/apt/apt.conf.d/55user_agent
I remember that I had the error with the overlapping pool before, but I’m not sure, what my solution was. Could have been using docker-compose up --force-recreate network.
The old keycloak 22.0.3-ucs1 was still up, so I shut it down and started again with docker-compose upL
Creating network "compose_appcenter_net" with the default driver
Creating keycloak ... done
Attaching to keycloak
keycloak | Changes detected in configuration. Updating the server image.
keycloak | Updating the configuration and installing your custom providers, if any. Please wait.
keycloak | 2024-01-18 16:52:07,032 WARN [org.keycloak.services] (build-20) KC-SERVICES0047: univention-saml-user-attribute-nameid-mapper-base64 [snip]
keycloak | ... 25 more
keycloak | Caused by: org.infinispan.manager.EmbeddedCacheManagerStartupException: ISPN000541: Error while trying to create a channel using the specified configuration '[TCP(bundler.max_size=64000, sock_conn_timeout=300, thread_pool.keep_alive_time=60000, diag.enabled=false, bind_port=7600, thread_naming_pattern=pl, thread_pool.thread_dumps_threshold=10000, send_buf_size=640k, thread_pool.max_threads=200, bundler_type=transfer-queue, external_addr=ucs01.servi.domain.net,
[snip]
keycloak | at org.infinispan.manager.DefaultCacheManager.internalStart(DefaultCacheManager.java:782)
keycloak | at org.infinispan.manager.DefaultCacheManager.start(DefaultCacheManager.java:747)
keycloak | at org.infinispan.manager.DefaultCacheManager.<init>(DefaultCacheManager.java:411)
keycloak | at org.keycloak.quarkus.runtime.storage.legacy.infinispan.CacheManagerFactory.startCacheManager(CacheManagerFactory.java:96)
keycloak | at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
keycloak | at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
keycloak | at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
keycloak | at java.base/java.lang.Thread.run(Thread.java:840)
keycloak | Caused by: org.infinispan.commons.CacheConfigurationException: ISPN000541: Error while trying to create a channel using the specified configuration '[TCP(bundler.max_size=64000, sock_conn_timeout=300, thread_pool.keep_alive_time=60000, diag.enabled=false, bind_port=7600, thread_naming_pattern=pl, thread_pool.thread_dumps_threshold=10000, send_buf_size=640k, thread_pool.max_threads=200, bundler_type=transfer-queue, external_addr=ucs01.servi.domain.net, thread_pool.min_threads=0), RED(),
[snip]
s.JChannel.init(JChannel.java:901)
keycloak | at org.jgroups.JChannel.<init>(JChannel.java:123)
keycloak | at org.infinispan.remoting.transport.jgroups.EmbeddedJGroupsChannelConfigurator.createChannel(EmbeddedJGroupsChannelConfigurator.java:80)
keycloak | at org.infinispan.remoting.transport.jgroups.JGroupsTransport.channelFromConfigurator(JGroupsTransport.java:777)
keycloak | ... 30 more
keycloak |
keycloak | 2024-01-18 16:52:17,665 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (production) mode
keycloak | 2024-01-18 16:52:17,665 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to obtain JDBC connection
keycloak | 2024-01-18 16:52:17,666 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Connection to localhost:5432 refused. Check that the hostname and port are correct and that the postmaster is accepting TCP/IP connections.
keycloak | 2024-01-18 16:52:17,666 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Connection refused
keycloak | 2024-01-18 16:52:17,666 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) For more details run the same command passing the '--verbose' option. Also you can use '--help' to see the details about the usage of the particular command.
keycloak | 2024-01-18 16:52:17,667 ERROR [org.jgroups.protocols.JDBC_PING] (Thread-4) JGRP000115: Could not open connection to database: java.sql.SQLException: The url cannot be null
keycloak | at java.sql/java.sql.DriverManager.getConnection(DriverManager.java:664)
[snip]
keycloak | 2024-01-18 16:52:17,667 ERROR [org.jgroups.protocols.JDBC_PING] (Thread-4) JGRP000215: Failed to delete PingData in database
keycloak ucs2 is running though
I didn’t have time to look into this. esp. the issues with the db and the network.
Just to make sure: You updated the 22.0.3-ucs2 or did you create a ucs3-Package I missed?
[The forum is limiting posts to 32k characters – I had to cut half of the output. Let me know if you need the full output.]
Bump @jlk and @damrose
do you need anything else for debugging?
univention-app info
UCS: 5.0-6 errata904
Installed: letsencrypt=2.0.0-2 4.4/openid-connect-provider=2.2-konnect-0.33.11-2
Upgradable:
Keycloak is still installed, though. But it keeps restarting because it can’t connect to the DB.
I kind of have some doubts about upgrading to UCS 5.2 w/ Keycloak will be a smooth ride.
EDIT: What I did to get a running keycloak again is:
docker network prune
docker rename $MY_OLD_KEYCLOAK_CONTAINER SOME_NEW_NAME
and reinstall keycloak from the appcenter again. (Renaming because I wanted to keep it, just in case I need to investigate further.)