Not able to export via bin/kc.sh

[scubbo]

Before reporting an issue

• I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

dist/quarkus

Describe the bug

Replica of this issue - I'm not able to export realms via kc.sh, on Keycloak 23.0.7 - error reports an inability to bind to a port (full Stack Trace in "Actual Behaviour").

Version

23.0.7

Regression

• The issue is a regression

Expected behavior

Realm information exported to output file

Actual behavior

Logs and stack trace as below:

Appending additional Java properties to JAVA_OPTS: -Djgroups.dns.query=keycloak-headless.keycloak.svc.cluster.local
2024-04-03 01:17:33,579 INFO  [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: Base URL: <unset>, Hostname: <request>, Strict HTTPS: false, Path: <request>, Strict BackChannel: false, Admin URL: <unset>, Admin: <request>, Port: -1, Proxied: true
2024-04-03 01:17:35,397 WARN  [io.quarkus.agroal.runtime.DataSources] (main) Datasource <default> enables XA but transaction recovery is not enabled. Please enable transaction recovery by setting quarkus.transaction-manager.enable-recovery=true, otherwise data may be lost if the application is terminated abruptly
2024-04-03 01:17:36,268 WARN  [org.infinispan.PERSISTENCE] (keycloak-cache-init) ISPN000554: jboss-marshalling is deprecated and planned for removal
2024-04-03 01:17:36,408 INFO  [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000556: Starting user marshaller 'org.infinispan.jboss.marshalling.core.JBossUserMarshaller'
2024-04-03 01:17:36,733 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000078: Starting JGroups channel `ISPN` with stack `kubernetes`
2024-04-03 01:17:36,737 INFO  [org.jgroups.JChannel] (keycloak-cache-init) local_addr: ae35db28-7f7a-424d-956d-84384f44bd85, name: keycloak-0-49417
2024-04-03 01:17:36,743 ERROR [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000660: DefaultCacheManager start failed, stopping any running components: org.infinispan.commons.CacheException: Unable to start JGroups Channel
	at org.infinispan.remoting.transport.jgroups.JGroupsTransport.startJGroupsChannelIfNeeded(JGroupsTransport.java:610)
	at org.infinispan.remoting.transport.jgroups.JGroupsTransport.start(JGroupsTransport.java:481)
	at org.infinispan.remoting.transport.jgroups.CorePackageImpl$2.start(CorePackageImpl.java:63)
	at org.infinispan.remoting.transport.jgroups.CorePackageImpl$2.start(CorePackageImpl.java:49)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.invokeStart(BasicComponentRegistryImpl.java:616)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.doStartWrapper(BasicComponentRegistryImpl.java:607)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.startWrapper(BasicComponentRegistryImpl.java:576)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl$ComponentWrapper.running(BasicComponentRegistryImpl.java:807)
	at org.infinispan.metrics.impl.MetricsCollector.start(MetricsCollector.java:43)
	at org.infinispan.metrics.impl.CorePackageImpl$3.start(CorePackageImpl.java:78)
	at org.infinispan.metrics.impl.CorePackageImpl$3.start(CorePackageImpl.java:70)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.invokeStart(BasicComponentRegistryImpl.java:616)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.doStartWrapper(BasicComponentRegistryImpl.java:607)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.startWrapper(BasicComponentRegistryImpl.java:576)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl$ComponentWrapper.running(BasicComponentRegistryImpl.java:807)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.startDependencies(BasicComponentRegistryImpl.java:634)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.doStartWrapper(BasicComponentRegistryImpl.java:598)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.startWrapper(BasicComponentRegistryImpl.java:576)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl$ComponentWrapper.running(BasicComponentRegistryImpl.java:807)
	at org.infinispan.factories.AbstractComponentRegistry.internalStart(AbstractComponentRegistry.java:379)
	at org.infinispan.factories.AbstractComponentRegistry.start(AbstractComponentRegistry.java:252)
	at org.infinispan.manager.DefaultCacheManager.internalStart(DefaultCacheManager.java:779)
	at org.infinispan.manager.DefaultCacheManager.start(DefaultCacheManager.java:747)
	at org.infinispan.manager.DefaultCacheManager.<init>(DefaultCacheManager.java:411)
	at org.keycloak.quarkus.runtime.storage.legacy.infinispan.CacheManagerFactory.startCacheManager(CacheManagerFactory.java:96)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
	at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: java.net.BindException: No available port to bind to in range [7800 .. 7800]
	at org.jgroups.util.Util.bind(Util.java:4095)
	at org.jgroups.util.Util.createServerSocket(Util.java:4071)
	at org.jgroups.blocks.cs.TcpServer.<init>(TcpServer.java:68)
	at org.jgroups.blocks.cs.TcpServer.<init>(TcpServer.java:43)
	at org.jgroups.protocols.TCP.start(TCP.java:111)
	at org.jgroups.stack.ProtocolStack.startStack(ProtocolStack.java:905)
	at org.jgroups.JChannel.startStack(JChannel.java:921)
	at org.jgroups.JChannel._preConnect(JChannel.java:799)
	at org.jgroups.JChannel.connect(JChannel.java:322)
	at org.jgroups.JChannel.connect(JChannel.java:316)
	at org.infinispan.remoting.transport.jgroups.JGroupsTransport.startJGroupsChannelIfNeeded(JGroupsTransport.java:608)
	... 28 more

2024-04-03 01:17:37,312 INFO  [org.keycloak.broker.provider.AbstractIdentityProviderMapper] (main) Registering class org.keycloak.broker.provider.mappersync.ConfigSyncEventListener
2024-04-03 01:17:37,355 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (import_export) mode
2024-04-03 01:17:37,356 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start caches
2024-04-03 01:17:37,356 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: org.infinispan.manager.EmbeddedCacheManagerStartupException: Unable to start JGroups Channel
2024-04-03 01:17:37,356 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Unable to start JGroups Channel
2024-04-03 01:17:37,356 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Unable to start JGroups Channel
2024-04-03 01:17:37,356 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: No available port to bind to in range [7800 .. 7800]
2024-04-03 01:17:37,356 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) For more details run the same command passing the '--verbose' option. Also you can use '--help' to see the details about the usage of the particular command.

How to Reproduce?

Install Keycloak as an ArgoCD Application via a Helm chart:

project: default
source:
  repoURL: 'https://charts.bitnami.com/bitnami'
  targetRevision: 19.3.4
  helm:
    valuesObject:
      ingress:
        enabled: true
        hostname: <myhostname>
  chart: keycloak
destination:
  server: 'https://kubernetes.default.svc'
  namespace: keycloak
syncPolicy:
  automated:
    prune: true
  syncOptions:
    - CreateNamespace=true

Create a realm via the UI.

Open a shell on the container, and attempt to export:

$ kubectl -n keycloak exec -it statefulset.apps/keycloak bash
Defaulted container "keycloak" out of: keycloak, init-quarkus-directory (init)
keycloak@keycloak-0:/$ /opt/bitnami/keycloak/bin/kc.sh export --file /tmp/realm-export.json --realm <your-realm>

Anything else?

I note from here that "as part of [import/export, Keycloak] spins up the http server, so when that port is blocked (e.g. keycloak runs or another app has a binding) this could cause the error you are observing" - that is, that you can't export from a pod with a running server. That's unexpected! (though, in fairness, documented here)

The workaround mentioned in that discussion (QUARKUS_HTTP_HOST_ENABLED=false ./bin/kc.sh ...) also failed with a similar-looking stack trace:

Appending additional Java properties to JAVA_OPTS: -Djgroups.dns.query=keycloak-headless.keycloak.svc.cluster.local
2024-04-03 01:02:20,935 INFO  [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: Base URL: <unset>, Hostname: <request>, Strict HTTPS: false, Path: <request>, Strict BackChannel: false, Admin URL: <unset>, Admin: <request>, Port: -1, Proxied: true
2024-04-03 01:02:22,812 WARN  [io.quarkus.agroal.runtime.DataSources] (main) Datasource <default> enables XA but transaction recovery is not enabled. Please enable transaction recovery by setting quarkus.transaction-manager.enable-recovery=true, otherwise data may be lost if the application is terminated abruptly
2024-04-03 01:02:23,731 WARN  [org.infinispan.PERSISTENCE] (keycloak-cache-init) ISPN000554: jboss-marshalling is deprecated and planned for removal
2024-04-03 01:02:23,891 INFO  [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000556: Starting user marshaller 'org.infinispan.jboss.marshalling.core.JBossUserMarshaller'
2024-04-03 01:02:24,249 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000078: Starting JGroups channel `ISPN` with stack `kubernetes`
2024-04-03 01:02:24,251 INFO  [org.jgroups.JChannel] (keycloak-cache-init) local_addr: 4b93e0e4-8192-48e3-9884-6c9c4627d29d, name: keycloak-0-39771
2024-04-03 01:02:24,256 ERROR [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000660: DefaultCacheManager start failed, stopping any running components: org.infinispan.commons.CacheException: Unable to start JGroups Channel
	at org.infinispan.remoting.transport.jgroups.JGroupsTransport.startJGroupsChannelIfNeeded(JGroupsTransport.java:610)
	at org.infinispan.remoting.transport.jgroups.JGroupsTransport.start(JGroupsTransport.java:481)
	at org.infinispan.remoting.transport.jgroups.CorePackageImpl$2.start(CorePackageImpl.java:63)
	at org.infinispan.remoting.transport.jgroups.CorePackageImpl$2.start(CorePackageImpl.java:49)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.invokeStart(BasicComponentRegistryImpl.java:616)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.doStartWrapper(BasicComponentRegistryImpl.java:607)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.startWrapper(BasicComponentRegistryImpl.java:576)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl$ComponentWrapper.running(BasicComponentRegistryImpl.java:807)
	at org.infinispan.metrics.impl.MetricsCollector.start(MetricsCollector.java:43)
	at org.infinispan.metrics.impl.CorePackageImpl$3.start(CorePackageImpl.java:78)
	at org.infinispan.metrics.impl.CorePackageImpl$3.start(CorePackageImpl.java:70)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.invokeStart(BasicComponentRegistryImpl.java:616)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.doStartWrapper(BasicComponentRegistryImpl.java:607)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.startWrapper(BasicComponentRegistryImpl.java:576)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl$ComponentWrapper.running(BasicComponentRegistryImpl.java:807)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.startDependencies(BasicComponentRegistryImpl.java:634)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.doStartWrapper(BasicComponentRegistryImpl.java:598)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.startWrapper(BasicComponentRegistryImpl.java:576)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl$ComponentWrapper.running(BasicComponentRegistryImpl.java:807)
	at org.infinispan.factories.AbstractComponentRegistry.internalStart(AbstractComponentRegistry.java:379)
	at org.infinispan.factories.AbstractComponentRegistry.start(AbstractComponentRegistry.java:252)
	at org.infinispan.manager.DefaultCacheManager.internalStart(DefaultCacheManager.java:779)
	at org.infinispan.manager.DefaultCacheManager.start(DefaultCacheManager.java:747)
	at org.infinispan.manager.DefaultCacheManager.<init>(DefaultCacheManager.java:411)
	at org.keycloak.quarkus.runtime.storage.legacy.infinispan.CacheManagerFactory.startCacheManager(CacheManagerFactory.java:96)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
	at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: java.net.BindException: No available port to bind to in range [7800 .. 7800]
	at org.jgroups.util.Util.bind(Util.java:4095)
	at org.jgroups.util.Util.createServerSocket(Util.java:4071)
	at org.jgroups.blocks.cs.TcpServer.<init>(TcpServer.java:68)
	at org.jgroups.blocks.cs.TcpServer.<init>(TcpServer.java:43)
	at org.jgroups.protocols.TCP.start(TCP.java:111)
	at org.jgroups.stack.ProtocolStack.startStack(ProtocolStack.java:905)
	at org.jgroups.JChannel.startStack(JChannel.java:921)
	at org.jgroups.JChannel._preConnect(JChannel.java:799)
	at org.jgroups.JChannel.connect(JChannel.java:322)
	at org.jgroups.JChannel.connect(JChannel.java:316)
	at org.infinispan.remoting.transport.jgroups.JGroupsTransport.startJGroupsChannelIfNeeded(JGroupsTransport.java:608)
	... 28 more

2024-04-03 01:02:24,859 INFO  [org.keycloak.broker.provider.AbstractIdentityProviderMapper] (main) Registering class org.keycloak.broker.provider.mappersync.ConfigSyncEventListener
2024-04-03 01:02:24,899 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (import_export) mode
2024-04-03 01:02:24,900 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start caches
2024-04-03 01:02:24,900 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: org.infinispan.manager.EmbeddedCacheManagerStartupException: Unable to start JGroups Channel
2024-04-03 01:02:24,900 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Unable to start JGroups Channel
2024-04-03 01:02:24,900 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Unable to start JGroups Channel
2024-04-03 01:02:24,900 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: No available port to bind to in range [7800 .. 7800]
2024-04-03 01:02:24,900 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) For more details run the same command passing the '--verbose' option. Also you can use '--help' to see the details about the usage of the particular command.

I also can't see any way of temporarily stopping the server - kill -9 <pid> does not seem to do anything, and ./kc.sh --help does not list a stop command.

It looks like the option introduced here is not in my version of kc.sh - I don't see such an option from ./kc.sh export --help. In case I was misunderstanding that file, I also tried prepending QUARKUS_HTTP_SERVER_ENABLED=false or HTTP_SERVER_ENABLED=false to the kc.sh command (i.e. QUARKUS_HTTP_SERVER_ENABLED=false /opt/bitnami/keycloak/bin/kc.sh ...), to no avail.

./kc.sh --version gives:

Appending additional Java properties to JAVA_OPTS: -Djgroups.dns.query=keycloak-headless.keycloak.svc.cluster.local
Keycloak 23.0.7
JVM: 17.0.10 (BellSoft OpenJDK 64-Bit Server VM 17.0.10+13-LTS)
OS: Linux 6.1.0-10-amd64 amd64

[scubbo]

By spinning up another pod that is similar to the main one (but with command: ["sh", "-c", "--"], args: [ "while true; do sleep 30; done;" ] so that I can shell into it), I was able to run ./kc.sh export without the stack trace - but, when I try to export any realm except master, I get errors (and no output to the file):

2024-04-03 01:47:52,348 INFO  [org.keycloak.services] (main) KC-SERVICES0050: Initializing master realm
2024-04-03 01:47:54,168 INFO  [org.keycloak.services] (main) KC-SERVICES0034: Export of realm '<realm-name>' requested.
2024-04-03 01:47:54,168 INFO  [org.keycloak.exportimport.singlefile.SingleFileExportProvider] (main) Exporting realm '<realm-name>' into file /tmp/realm-export.json
2024-04-03 01:47:54,193 INFO  [org.infinispan.CLUSTER] (main) ISPN000080: Disconnecting JGroups channel `ISPN`
2024-04-03 01:47:54,444 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (import_export) mode
2024-04-03 01:47:54,444 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: realm not found by realm name '<realm-name>'

[keycloak-github-bot]

Thanks for reporting this issue, but as this is reported against an older and unsupported release we are not able to evaluate the issue. Please verify with the nightly buildor the latest release.

If the issue can be reproduced in the nightly build or latest release add a comment with additional information, otherwise this issue will be automatically closed within 14 days.

[scubbo]

Huh, I guess the Helm chart lags a version. Will do - thanks!

[scubbo]

Recreated the application with the following Argo definition:

project: default
source:
  repoURL: 'https://charts.bitnami.com/bitnami'
  targetRevision: 19.3.4
  helm:
    valuesObject:
      image:
        tag: 24.0.2
      ingress:
        enabled: true
        hostname: <myhostname>
  chart: keycloak
destination:
  server: 'https://kubernetes.default.svc'
  namespace: keycloak
syncPolicy:
  automated:
    prune: true
  syncOptions:
    - CreateNamespace=true

And re-verified behaviour:

$ k get pod keycloak-0 -o jsonpath='{.spec.containers[0].image}'
docker.io/bitnami/keycloak:24.0.2%
$ k exec -it keycloak-0 bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
Defaulted container "keycloak" out of: keycloak, init-quarkus-directory (init)
keycloak@keycloak-0:/$ ls /opt/bitnami/keycloak/bin
client	federation-sssd-setup.sh  kc.bat  kc.sh  kcadm.bat  kcadm.sh  kcreg.bat  kcreg.sh
keycloak@keycloak-0:/$ /opt/bitnami/keycloak/bin/kc.sh --version
Appending additional Java properties to JAVA_OPTS: -Djgroups.dns.query=keycloak-headless.keycloak.svc.cluster.local
Keycloak 24.0.2
JVM: 17.0.10 (BellSoft OpenJDK 64-Bit Server VM 17.0.10+13-LTS)
OS: Linux 6.1.0-10-amd64 amd64

# Linebreaks added for readability

keycloak@keycloak-0:/$ /opt/bitnami/keycloak/bin/kc.sh export --file /tmp/realm-export.json --realm new-realm
Appending additional Java properties to JAVA_OPTS: -Djgroups.dns.query=keycloak-headless.keycloak.svc.cluster.local
2024-04-04 01:46:22,515 INFO  [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: Base URL: <unset>, Hostname: <request>, Strict HTTPS: false, Path: <request>, Strict BackChannel: false, Admin URL: <unset>, Admin: <request>, Port: -1, Proxied: true
2024-04-04 01:46:22,864 INFO  [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000556: Starting user marshaller 'org.infinispan.jboss.marshalling.core.JBossUserMarshaller'
2024-04-04 01:46:23,371 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000078: Starting JGroups channel `ISPN` with stack `kubernetes`
2024-04-04 01:46:23,380 INFO  [org.jgroups.JChannel] (keycloak-cache-init) local_addr: d44d7045-d161-4b7c-94ea-63d5200cdb71, name: keycloak-0-5697
2024-04-04 01:46:23,389 ERROR [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000660: DefaultCacheManager start failed, stopping any running components: org.infinispan.commons.CacheException: Unable to start JGroups Channel
	at org.infinispan.remoting.transport.jgroups.JGroupsTransport.startJGroupsChannelIfNeeded(JGroupsTransport.java:604)
	at org.infinispan.remoting.transport.jgroups.JGroupsTransport.start(JGroupsTransport.java:477)
	at org.infinispan.remoting.transport.jgroups.CorePackageImpl$2.start(CorePackageImpl.java:63)
	at org.infinispan.remoting.transport.jgroups.CorePackageImpl$2.start(CorePackageImpl.java:49)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.invokeStart(BasicComponentRegistryImpl.java:616)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.doStartWrapper(BasicComponentRegistryImpl.java:607)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.startWrapper(BasicComponentRegistryImpl.java:576)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl$ComponentWrapper.running(BasicComponentRegistryImpl.java:807)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.startDependencies(BasicComponentRegistryImpl.java:634)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.doStartWrapper(BasicComponentRegistryImpl.java:598)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.startWrapper(BasicComponentRegistryImpl.java:576)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl$ComponentWrapper.running(BasicComponentRegistryImpl.java:807)
	at org.infinispan.factories.GlobalComponentRegistry.preStart(GlobalComponentRegistry.java:284)
	at org.infinispan.factories.AbstractComponentRegistry.start(AbstractComponentRegistry.java:250)
	at org.infinispan.manager.DefaultCacheManager.internalStart(DefaultCacheManager.java:779)
	at org.infinispan.manager.DefaultCacheManager.start(DefaultCacheManager.java:747)
	at org.infinispan.manager.DefaultCacheManager.<init>(DefaultCacheManager.java:411)
	at org.keycloak.quarkus.runtime.storage.legacy.infinispan.CacheManagerFactory.startCacheManager(CacheManagerFactory.java:120)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
	at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: java.net.BindException: No available port to bind to in range [7800 .. 7800]
	at org.jgroups.util.Util.bind(Util.java:4113)
	at org.jgroups.util.Util.createServerSocket(Util.java:4089)
	at org.jgroups.blocks.cs.TcpServer.<init>(TcpServer.java:68)
	at org.jgroups.blocks.cs.TcpServer.<init>(TcpServer.java:43)
	at org.jgroups.protocols.TCP.start(TCP.java:111)
	at org.jgroups.stack.ProtocolStack.startStack(ProtocolStack.java:905)
	at org.jgroups.JChannel.startStack(JChannel.java:922)
	at org.jgroups.JChannel._preConnect(JChannel.java:800)
	at org.jgroups.JChannel.connect(JChannel.java:323)
	at org.jgroups.JChannel.connect(JChannel.java:317)
	at org.infinispan.remoting.transport.jgroups.JGroupsTransport.startJGroupsChannelIfNeeded(JGroupsTransport.java:602)
	... 21 more

2024-04-04 01:46:24,941 WARN  [io.quarkus.agroal.runtime.DataSources] (JPA Startup Thread) Datasource <default> enables XA but transaction recovery is not enabled. Please enable transaction recovery by setting quarkus.transaction-manager.enable-recovery=true, otherwise data may be lost if the application is terminated abruptly
2024-04-04 01:46:25,953 INFO  [org.keycloak.broker.provider.AbstractIdentityProviderMapper] (main) Registering class org.keycloak.broker.provider.mappersync.ConfigSyncEventListener
2024-04-04 01:46:26,000 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (import_export) mode
2024-04-04 01:46:26,000 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start caches
2024-04-04 01:46:26,000 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: org.infinispan.manager.EmbeddedCacheManagerStartupException: Unable to start JGroups Channel
2024-04-04 01:46:26,000 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Unable to start JGroups Channel
2024-04-04 01:46:26,000 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Unable to start JGroups Channel
2024-04-04 01:46:26,000 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: No available port to bind to in range [7800 .. 7800]
2024-04-04 01:46:26,001 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) For more details run the same command passing the '--verbose' option. Also you can use '--help' to see the details about the usage of the particular command.

keycloak@keycloak-0:/$ QUARKUS_HTTP_HOST_ENABLED=false QUARKUS_HTTP_SERVER_ENABLED=false HTTP_SERVER_ENABLED=false /opt/bitnami/keycloak/bin/kc.sh export --file /tmp/realm-export.json --realm new-realm
Appending additional Java properties to JAVA_OPTS: -Djgroups.dns.query=keycloak-headless.keycloak.svc.cluster.local
2024-04-04 01:48:22,782 INFO  [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: Base URL: <unset>, Hostname: <request>, Strict HTTPS: false, Path: <request>, Strict BackChannel: false, Admin URL: <unset>, Admin: <request>, Port: -1, Proxied: true
2024-04-04 01:48:23,160 INFO  [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000556: Starting user marshaller 'org.infinispan.jboss.marshalling.core.JBossUserMarshaller'
2024-04-04 01:48:23,515 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000078: Starting JGroups channel `ISPN` with stack `kubernetes`
2024-04-04 01:48:23,522 INFO  [org.jgroups.JChannel] (keycloak-cache-init) local_addr: 218a3bae-3350-439f-8e74-3f9b8a32ff7b, name: keycloak-0-12838
2024-04-04 01:48:23,532 ERROR [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000660: DefaultCacheManager start failed, stopping any running components: org.infinispan.commons.CacheException: Unable to start JGroups Channel
	at org.infinispan.remoting.transport.jgroups.JGroupsTransport.startJGroupsChannelIfNeeded(JGroupsTransport.java:604)
	at org.infinispan.remoting.transport.jgroups.JGroupsTransport.start(JGroupsTransport.java:477)
	at org.infinispan.remoting.transport.jgroups.CorePackageImpl$2.start(CorePackageImpl.java:63)
	at org.infinispan.remoting.transport.jgroups.CorePackageImpl$2.start(CorePackageImpl.java:49)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.invokeStart(BasicComponentRegistryImpl.java:616)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.doStartWrapper(BasicComponentRegistryImpl.java:607)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.startWrapper(BasicComponentRegistryImpl.java:576)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl$ComponentWrapper.running(BasicComponentRegistryImpl.java:807)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.startDependencies(BasicComponentRegistryImpl.java:634)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.doStartWrapper(BasicComponentRegistryImpl.java:598)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.startWrapper(BasicComponentRegistryImpl.java:576)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl$ComponentWrapper.running(BasicComponentRegistryImpl.java:807)
	at org.infinispan.factories.GlobalComponentRegistry.preStart(GlobalComponentRegistry.java:284)
	at org.infinispan.factories.AbstractComponentRegistry.start(AbstractComponentRegistry.java:250)
	at org.infinispan.manager.DefaultCacheManager.internalStart(DefaultCacheManager.java:779)
	at org.infinispan.manager.DefaultCacheManager.start(DefaultCacheManager.java:747)
	at org.infinispan.manager.DefaultCacheManager.<init>(DefaultCacheManager.java:411)
	at org.keycloak.quarkus.runtime.storage.legacy.infinispan.CacheManagerFactory.startCacheManager(CacheManagerFactory.java:120)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
	at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: java.net.BindException: No available port to bind to in range [7800 .. 7800]
	at org.jgroups.util.Util.bind(Util.java:4113)
	at org.jgroups.util.Util.createServerSocket(Util.java:4089)
	at org.jgroups.blocks.cs.TcpServer.<init>(TcpServer.java:68)
	at org.jgroups.blocks.cs.TcpServer.<init>(TcpServer.java:43)
	at org.jgroups.protocols.TCP.start(TCP.java:111)
	at org.jgroups.stack.ProtocolStack.startStack(ProtocolStack.java:905)
	at org.jgroups.JChannel.startStack(JChannel.java:922)
	at org.jgroups.JChannel._preConnect(JChannel.java:800)
	at org.jgroups.JChannel.connect(JChannel.java:323)
	at org.jgroups.JChannel.connect(JChannel.java:317)
	at org.infinispan.remoting.transport.jgroups.JGroupsTransport.startJGroupsChannelIfNeeded(JGroupsTransport.java:602)
	... 21 more

2024-04-04 01:48:25,113 WARN  [io.quarkus.agroal.runtime.DataSources] (JPA Startup Thread) Datasource <default> enables XA but transaction recovery is not enabled. Please enable transaction recovery by setting quarkus.transaction-manager.enable-recovery=true, otherwise data may be lost if the application is terminated abruptly
2024-04-04 01:48:26,290 INFO  [org.keycloak.broker.provider.AbstractIdentityProviderMapper] (main) Registering class org.keycloak.broker.provider.mappersync.ConfigSyncEventListener
2024-04-04 01:48:26,343 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (import_export) mode
2024-04-04 01:48:26,343 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start caches
2024-04-04 01:48:26,344 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: org.infinispan.manager.EmbeddedCacheManagerStartupException: Unable to start JGroups Channel
2024-04-04 01:48:26,344 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Unable to start JGroups Channel
2024-04-04 01:48:26,344 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Unable to start JGroups Channel
2024-04-04 01:48:26,344 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: No available port to bind to in range [7800 .. 7800]
2024-04-04 01:48:26,344 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) For more details run the same command passing the '--verbose' option. Also you can use '--help' to see the details about the usage of the particular command.

[shawkins]

I also can't see any way of temporarily stopping the server - kill -9 does not seem to do anything, and ./kc.sh --help does not list a stop command.

That is correct, there is no stop command in the kc scripts. A kill -9 should stop the server.

It looks like the option introduced #15056 is not in my version of kc.sh

@scubbo that logic is part of your version - there's no explicit option, it happens implicitly for import/export. Your problem is related to jgroups, not http serving.

Your export command is likely picking up the cache / cache-stack from environment variables, and thus is trying to join the cache cluster. Can you try forcing local cache instead:

/opt/bitnami/keycloak/bin/kc.sh export --file /tmp/realm-export.json --realm <your-realm> --cache=local

The keycloak operator sets --cache=local for a similar reason when doing an import.

cc @vmuzikar if there is never a scenario where joining the cache makes sense with import / export we could for this handling on the server side.

[scubbo]

Looks like there's no such option:

keycloak@keycloak-0:/$ /opt/bitnami/keycloak/bin/kc.sh export --file /tmp/realm-export.json --realm new-realm --cache=local
Appending additional Java properties to JAVA_OPTS: -Djgroups.dns.query=keycloak-headless.keycloak.svc.cluster.local
Option: '--cache' not valid for command export
Try 'kc.sh export --help' for more information on the available options.

# Checking available options
keycloak@keycloak-0:/$ /opt/bitnami/keycloak/bin/kc.sh export --help
Appending additional Java properties to JAVA_OPTS: -Djgroups.dns.query=keycloak-headless.keycloak.svc.cluster.local
Export data from realms to a file or directory.

Usage:

kc.sh export [OPTIONS]

Export data from realms to a file or directory.

Options:

-h, --help           This help message.
--help-all           This same help message but with additional options.
--optimized          Use this option to achieve an optimal startup time if you have previously
                       built a server image using the 'build' command.
-v, --verbose        Print out error details when running this command.

Database:

--db <vendor>        The database vendor. Possible values are: dev-file, dev-mem, mariadb, mssql,
                       mysql, oracle, postgres. Default: dev-file.
--db-driver <driver> The fully qualified class name of the JDBC driver. If not set, a default
                       driver is set accordingly to the chosen database.
--db-password <password>
                     The password of the database user.
--db-pool-initial-size <size>
                     The initial size of the connection pool.
--db-pool-max-size <size>
                     The maximum size of the connection pool. Default: 100.
--db-pool-min-size <size>
                     The minimal size of the connection pool.
--db-schema <schema> The database schema to be used.
--db-url <jdbc-url>  The full database JDBC URL. If not provided, a default URL is set based on the
                       selected database vendor. For instance, if using 'postgres', the default
                       JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.
--db-url-database <dbname>
                     Sets the database name of the default JDBC URL of the chosen vendor. If the
                       `db-url` option is set, this option is ignored.
--db-url-host <hostname>
                     Sets the hostname of the default JDBC URL of the chosen vendor. If the
                       `db-url` option is set, this option is ignored.
--db-url-port <port> Sets the port of the default JDBC URL of the chosen vendor. If the `db-url`
                       option is set, this option is ignored.
--db-url-properties <properties>
                     Sets the properties of the default JDBC URL of the chosen vendor. Make sure to
                       set the properties accordingly to the format expected by the database
                       vendor, as well as appending the right character at the beginning of this
                       property value. If the `db-url` option is set, this option is ignored.
--db-username <username>
                     The username of the database user.

Transaction:

--transaction-xa-enabled <true|false>
                     If set to false, Keycloak uses a non-XA datasource in case the database does
                       not support XA transactions. Default: true.

Feature:

--features <feature> Enables a set of one or more features. Possible values are: account-api[:v1],
                       account2[:v1], account3[:v1], admin-api[:v1], admin-fine-grained-authz[:v1],
                       admin2[:v1], authorization[:v1], ciba[:v1], client-policies[:v1],
                       client-secret-rotation[:v1], client-types[:v1], declarative-ui[:v1],
                       device-flow[:v1], docker[:v1], dpop[:v1], dynamic-scopes[:v1], fips[:v1],
                       hostname[:v1], impersonation[:v1], js-adapter[:v1], kerberos[:v1],
                       linkedin-oauth[:v1], login2[:v1], multi-site[:v1], offline-session-preloading
                       [:v1], oid4vc-vci[:v1], par[:v1], preview, recovery-codes[:v1], scripts[:
                       v1], step-up-authentication[:v1], token-exchange[:v1], transient-users[:v1],
                       update-email[:v1], web-authn[:v1].
--features-disabled <feature>
                     Disables a set of one or more features. Possible values are: account-api,
                       account2, account3, admin-api, admin-fine-grained-authz, admin2,
                       authorization, ciba, client-policies, client-secret-rotation, client-types,
                       declarative-ui, device-flow, docker, dpop, dynamic-scopes, fips,
                       impersonation, js-adapter, kerberos, linkedin-oauth, login2, multi-site,
                       offline-session-preloading, oid4vc-vci, par, preview, recovery-codes,
                       scripts, step-up-authentication, token-exchange, transient-users,
                       update-email, web-authn.

Config:

--config-keystore <config-keystore>
                     Specifies a path to the KeyStore Configuration Source.
--config-keystore-password <config-keystore-password>
                     Specifies a password to the KeyStore Configuration Source.
--config-keystore-type <config-keystore-type>
                     Specifies a type of the KeyStore Configuration Source. Default: PKCS12.

Logging:

--log <handler>      Enable one or more log handlers in a comma-separated list. Possible values
                       are: console, file, gelf (deprecated). Default: console.
--log-console-color <true|false>
                     Enable or disable colors when logging to console. Default: false.
--log-console-format <format>
                     The format of unstructured console log entries. If the format has spaces in
                       it, escape the value using "<format>". Default: %d{yyyy-MM-dd HH:mm:ss,SSS} %
                       -5p [%c] (%t) %s%e%n.
--log-console-output <output>
                     Set the log output to JSON or default (plain) unstructured logging. Possible
                       values are: default, json. Default: default.
--log-file <file>    Set the log file path and filename. Default: data/log/keycloak.log.
--log-file-format <format>
                     Set a format specific to file log entries. Default: %d{yyyy-MM-dd HH:mm:ss,
                       SSS} %-5p [%c] (%t) %s%e%n.
--log-file-output <output>
                     Set the log output to JSON or default (plain) unstructured logging. Possible
                       values are: default, json. Default: default.
--log-gelf-facility <name>
                     DEPRECATED. The facility (name of the process) that sends the message.
                       Default: keycloak.
--log-gelf-host <hostname>
                     DEPRECATED. Hostname of the Logstash or Graylog Host. By default UDP is used,
                       prefix the host with 'tcp:' to switch to TCP. Example: 'tcp:localhost'
                       Default: localhost.
--log-gelf-include-location <true|false>
                     DEPRECATED. Include source code location. Default: true.
--log-gelf-include-message-parameters <true|false>
                     DEPRECATED. Include message parameters from the log event. Default: true.
--log-gelf-include-stack-trace <true|false>
                     DEPRECATED. If set to true, occuring stack traces are included in the
                       'StackTrace' field in the GELF output. Default: true.
--log-gelf-level <level>
                     DEPRECATED. The log level specifying which message levels will be logged by
                       the GELF logger. Message levels lower than this value will be discarded.
                       Default: INFO.
--log-gelf-max-message-size <size>
                     DEPRECATED. Maximum message size (in bytes). If the message size is exceeded,
                       GELF will submit the message in multiple chunks. Default: 8192.
--log-gelf-port <port>
                     DEPRECATED. The port the Logstash or Graylog Host is called on. Default: 12201.
--log-gelf-timestamp-format <pattern>
                     DEPRECATED. Set the format for the GELF timestamp field. Uses Java
                       SimpleDateFormat pattern. Default: yyyy-MM-dd HH:mm:ss,SSS.
--log-level <category:level>
                     The log level of the root category or a comma-separated list of individual
                       categories and their levels. For the root category, you don't need to
                       specify a category. Default: info.

Truststore:

--tls-hostname-verifier <tls-hostname-verifier>
                     The TLS hostname verification policy for out-going HTTPS and SMTP requests.
                       Possible values are: ANY, WILDCARD, STRICT. Default: WILDCARD.
--truststore-paths <truststore-paths>
                     List of pkcs12 (p12 or pfx file extensions), PEM files, or directories
                       containing those files that will be used as a system truststore.

Export:

--dir <dir>          Set the path to a directory where files will be created with the exported data.
--file <file>        Set the path to a file that will be created with the exported data. To export
                       more than 500 users, export to a directory with different files instead.
--realm <realm>      Set the name of the realm to export. If not set, all realms are going to be
                       exported.
--users <strategy>   Set how users should be exported. Possible values are: skip, realm_file,
                       same_file, different_files. Default: different_files.
--users-per-file <number>
                     Set the number of users per file. It is used only if 'users' is set to
                       'different_files'. Increasing this number leads to exponentially increasing
                       export times. Default: 50.

[shawkins]

Looks like there's no such option:

Sorry I did not double check that before making the suggestion. The operator is actually using an environment variable, so try

KC_CACHE=local /opt/bitnami/keycloak/bin/kc.sh export --file /tmp/realm-export.json --realm <your-realm>

[scubbo]

Still no luck:

keycloak@keycloak-0:/$ KC_CACHE=local /opt/bitnami/keycloak/bin/kc.sh export --file /tmp/realm-export.json --realm new-realm
Appending additional Java properties to JAVA_OPTS: -Djgroups.dns.query=keycloak-headless.keycloak.svc.cluster.local
2024-04-05 01:31:32,066 INFO  [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: Base URL: <unset>, Hostname: <request>, Strict HTTPS: false, Path: <request>, Strict BackChannel: false, Admin URL: <unset>, Admin: <request>, Port: -1, Proxied: true
2024-04-05 01:31:32,532 INFO  [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000556: Starting user marshaller 'org.infinispan.jboss.marshalling.core.JBossUserMarshaller'
2024-04-05 01:31:32,965 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000078: Starting JGroups channel `ISPN` with stack `kubernetes`
2024-04-05 01:31:32,971 INFO  [org.jgroups.JChannel] (keycloak-cache-init) local_addr: 770c13a2-40b2-45a0-b211-81e3833fbff3, name: keycloak-0-39342
2024-04-05 01:31:32,979 ERROR [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000660: DefaultCacheManager start failed, stopping any running components: org.infinispan.commons.CacheException: Unable to start JGroups Channel
	at org.infinispan.remoting.transport.jgroups.JGroupsTransport.startJGroupsChannelIfNeeded(JGroupsTransport.java:604)
	at org.infinispan.remoting.transport.jgroups.JGroupsTransport.start(JGroupsTransport.java:477)
	at org.infinispan.remoting.transport.jgroups.CorePackageImpl$2.start(CorePackageImpl.java:63)
	at org.infinispan.remoting.transport.jgroups.CorePackageImpl$2.start(CorePackageImpl.java:49)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.invokeStart(BasicComponentRegistryImpl.java:616)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.doStartWrapper(BasicComponentRegistryImpl.java:607)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.startWrapper(BasicComponentRegistryImpl.java:576)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl$ComponentWrapper.running(BasicComponentRegistryImpl.java:807)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.startDependencies(BasicComponentRegistryImpl.java:634)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.doStartWrapper(BasicComponentRegistryImpl.java:598)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.startWrapper(BasicComponentRegistryImpl.java:576)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl$ComponentWrapper.running(BasicComponentRegistryImpl.java:807)
	at org.infinispan.factories.GlobalComponentRegistry.preStart(GlobalComponentRegistry.java:284)
	at org.infinispan.factories.AbstractComponentRegistry.start(AbstractComponentRegistry.java:250)
	at org.infinispan.manager.DefaultCacheManager.internalStart(DefaultCacheManager.java:779)
	at org.infinispan.manager.DefaultCacheManager.start(DefaultCacheManager.java:747)
	at org.infinispan.manager.DefaultCacheManager.<init>(DefaultCacheManager.java:411)
	at org.keycloak.quarkus.runtime.storage.legacy.infinispan.CacheManagerFactory.startCacheManager(CacheManagerFactory.java:120)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
	at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: java.net.BindException: No available port to bind to in range [7800 .. 7800]
	at org.jgroups.util.Util.bind(Util.java:4113)
	at org.jgroups.util.Util.createServerSocket(Util.java:4089)
	at org.jgroups.blocks.cs.TcpServer.<init>(TcpServer.java:68)
	at org.jgroups.blocks.cs.TcpServer.<init>(TcpServer.java:43)
	at org.jgroups.protocols.TCP.start(TCP.java:111)
	at org.jgroups.stack.ProtocolStack.startStack(ProtocolStack.java:905)
	at org.jgroups.JChannel.startStack(JChannel.java:922)
	at org.jgroups.JChannel._preConnect(JChannel.java:800)
	at org.jgroups.JChannel.connect(JChannel.java:323)
	at org.jgroups.JChannel.connect(JChannel.java:317)
	at org.infinispan.remoting.transport.jgroups.JGroupsTransport.startJGroupsChannelIfNeeded(JGroupsTransport.java:602)
	... 21 more

2024-04-05 01:31:34,785 WARN  [io.quarkus.agroal.runtime.DataSources] (JPA Startup Thread) Datasource <default> enables XA but transaction recovery is not enabled. Please enable transaction recovery by setting quarkus.transaction-manager.enable-recovery=true, otherwise data may be lost if the application is terminated abruptly
2024-04-05 01:31:35,775 INFO  [org.keycloak.broker.provider.AbstractIdentityProviderMapper] (main) Registering class org.keycloak.broker.provider.mappersync.ConfigSyncEventListener
2024-04-05 01:31:35,823 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (import_export) mode
2024-04-05 01:31:35,823 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start caches
2024-04-05 01:31:35,823 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: org.infinispan.manager.EmbeddedCacheManagerStartupException: Unable to start JGroups Channel
2024-04-05 01:31:35,823 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Unable to start JGroups Channel
2024-04-05 01:31:35,824 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Unable to start JGroups Channel
2024-04-05 01:31:35,824 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: No available port to bind to in range [7800 .. 7800]
2024-04-05 01:31:35,824 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) For more details run the same command passing the '--verbose' option. Also you can use '--help' to see the details about the usage of the particular command.

[shawkins]

this export is still behaving as if cache=ispn and cache-stack=kubernetes are set. Can you confirm if those are otherwise being set via your env or are they already built into the optimized image?

I should be able to reproduce what you are seeing from there.

[suthagarht]

Hi,

I have tested the current nightly build and the export fails as below.

bash-5.1# date
Fri Apr  5 12:04:09 PM UTC 2024

bash-5.1# ./kc.sh --version
Keycloak 999.0.0-SNAPSHOT
JVM: 17.0.10 (Red Hat, Inc. OpenJDK 64-Bit Server VM 17.0.10+7-LTS)
OS: Linux 5.15.0-1049-aws amd64

bash-5.1# ./kc.sh export --dir /tmp --users realm_file --realm master --verbose
ERROR: Unexpected error when starting the server in (import_export) mode
Error details:
java.lang.RuntimeException: Failed to start quarkus
.....
Caused by: java.lang.NoClassDefFoundError: org/jboss/resteasy/spi/ResteasyProviderFactory
.....
Caused by: java.lang.ClassNotFoundException: org.jboss.resteasy.spi.ResteasyProviderFactory

The current latest do allow exporting the master realm.

bash-5.1# date
Fri Apr  5 12:16:46 PM UTC 2024

bash-5.1# ./kc.sh --version
Keycloak 24.0.2
JVM: 17.0.10 (Red Hat, Inc. OpenJDK 64-Bit Server VM 17.0.10+7-LTS)
OS: Linux 5.15.0-1049-aws amd64


bash-5.1# ./kc.sh export --dir /tmp --users realm_file --realm master --verbose
2024-04-05 12:17:31,911 INFO  [org.keycloak.services] (main) KC-SERVICES0034: Export of realm 'master' requested.
2024-04-05 12:17:32,359 INFO  [org.keycloak.exportimport.dir.DirExportProvider] (main) Exporting into directory /tmp
2024-04-05 12:17:32,451 INFO  [org.keycloak.exportimport.dir.DirExportProvider] (main) Realm 'master' - data exported
2024-04-05 12:17:32,452 INFO  [org.keycloak.services] (main) KC-SERVICES0035: Export finished successfully

However , exporting any other realm causes an error.

bash-5.1# ./kc.sh export --dir /tmp --users realm_file --realm myrealm --verbose
...
2024-04-05 12:18:44,913 INFO  [org.keycloak.services] (main) KC-SERVICES0034: Export of realm 'myrealm' requested.
2024-04-05 12:18:44,951 INFO  [org.infinispan.CLUSTER] (main) ISPN000080: Disconnecting JGroups channel `ISPN`
2024-04-05 12:18:44,969 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (import_export) mode
2024-04-05 12:18:44,969 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) Error details:: java.lang.NullPointerException: Cannot invoke "org.keycloak.models.RealmModel.getId()" because "realm" is null
...

error.txt

Can someone kindly help please.

[shawkins]

@suthagarht please open a separate issue / discussion. None of that is related to this issue.

[suthagarht]

Thanks @shawkins . Done #28471

[shawkins]

this export is still behaving as if cache=ispn and cache-stack=kubernetes are set. Can you confirm if those are otherwise being set via your env or are they already built into the optimized image?

I should be able to reproduce what you are seeing from there.

@scubbo Tried this scenario with cache=ispn baked into the image - at that point even using an environment variable for the cache option does not work. The reason this works for the operator is that the import test cases are working against an unoptimized image or for the custom image test - that's running in a separate pod so there's no port contention.

I think I've seen other import/export issues due to picking up configuration from an optimized image, namely #15898

Some possible workaround:

• make more ports available. At least with using main and trying this locally I can have both the server and export join jgroups as separate processes on the same machine. However after that I do hit a problem with a management port conflict, which requires a workaround "./kc.sh export ... --http-management-port=9001" - I don't think we should be defaulting to exposing the management interface for import/export.

• run a build prior to the export "./kc.sh build --cache=local"

  • it may be best to use a separate installation to perform the import / export because you'll need to rebuild back to your server needs afterwards.

At the very least import / export behavior with a shared optimized image is very confusing. @keycloak/cloud-native let's use this issue to come up with at least better documentation about the expectations if not continue to refine the behavior to make it more sensible.

~priority-important

[scubbo]

Appreciate your attention on this! Sorry I haven't been more responsive, day-job things 😞 I'll be able to give this more attention over the weekend.

Here's a dump of env | grep -i 'cache' on the pod:

keycloak@keycloak-0:/$ env | grep -i 'cache'
KEYCLOAK_CACHE_STACK=kubernetes
KEYCLOAK_CACHE_TYPE=ispn

I didn't explicitly set either of those, but there are plenty of preset default env variables via the Helm chart:

k get pods keycloak-0 -o jsonpath={'.spec.containers[0]'} | jq
{
  "env": [
    {
      "name": "KUBERNETES_NAMESPACE",
      "valueFrom": {
        "fieldRef": {
          "apiVersion": "v1",
          "fieldPath": "metadata.namespace"
        }
      }
    },
    {
      "name": "BITNAMI_DEBUG",
      "value": "false"
    },
    {
      "name": "KEYCLOAK_ADMIN_PASSWORD",
      "valueFrom": {
        "secretKeyRef": {
          "key": "admin-password",
          "name": "keycloak"
        }
      }
    },
    {
      "name": "KEYCLOAK_DATABASE_PASSWORD",
      "valueFrom": {
        "secretKeyRef": {
          "key": "password",
          "name": "keycloak-postgresql"
        }
      }
    },
    {
      "name": "KEYCLOAK_HTTP_RELATIVE_PATH",
      "value": "/"
    }
  ],
  "envFrom": [
    {
      "configMapRef": {
        "name": "keycloak-env-vars"
      }
    }
  ],
...

$ k get configmap keycloak-env-vars -o jsonpath='{.data}' | jq
{
  "JAVA_OPTS_APPEND": "-Djgroups.dns.query=keycloak-headless.keycloak.svc.cluster.local",
  "KEYCLOAK_ADMIN": "user",
  "KEYCLOAK_CACHE_STACK": "kubernetes",
  "KEYCLOAK_CACHE_TYPE": "ispn",
  "KEYCLOAK_DATABASE_HOST": "keycloak-postgresql",
  "KEYCLOAK_DATABASE_NAME": "bitnami_keycloak",
  "KEYCLOAK_DATABASE_PORT": "5432",
  "KEYCLOAK_DATABASE_USER": "bn_keycloak",
  "KEYCLOAK_ENABLE_HTTPS": "false",
  "KEYCLOAK_ENABLE_STATISTICS": "false",
  "KEYCLOAK_HTTP_PORT": "8080",
  "KEYCLOAK_LOG_LEVEL": "INFO",
  "KEYCLOAK_LOG_OUTPUT": "default",
  "KEYCLOAK_PRODUCTION": "false",
  "KEYCLOAK_PROXY": "passthrough"
}

I'll poke around more this evening or tomorrow.

[shawkins]

I'll poke around more this evening or tomorrow.

What should be happening here is that KEYCLOAK_CACHE_STACK and KEYCLOAK_CACHE_TYPE are getting converted to arguments to a kc.sh build (Keycloak will only look for environment variables with the KC_ prefix). Then that optimized image will have those values persisted, and will be picked up by your export command.

There is logic that will check for build time option changes when running an import / export - but only if it's a cli option, which cache is not.

Also moving forward we're talking about making cache options runtime, instead of build time - see #27549 cc @mabartos - which would help here as well.

See if the workarounds from the previous comment make sense.

[scubbo]

Can you expand on what "make more ports available" means? I'm guessing this means:

• Have the jgroups tool(? process? server? not sure of the proper nomenclature) listen on more ports than just 7800 (which is the port that the keycloak server connects to)
  • what's the option to set that? I see KEYCLOAK_HTTP_PORT, but that appears to be a single value, not an array. Here's the full command that the Helm chart is using to run keycloak - I would guess I need to set a -Djgroups.some.other.parameter=... to set more listening ports?
  • /opt/bitnami/java/bin/java -Dkc.config.built=true -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8 -Dsun.err.encoding=UTF-8 -Dstdout.encoding=UTF-8 -Dstderr.encoding=UTF-8 -XX:+ExitOnOutOfMemoryError -Djava.security.egd=file:/dev/urandom -XX:+UseParallelGC -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -XX:FlightRecorderOptions=stackdepth=512 -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20 -Xms64m -Xmx512m --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.base/java.security=ALL-UNNAMED -Djgroups.dns.query=keycloak-headless.keycloak.svc.cluster.local -Dkc.home.dir=/opt/bitnami/keycloak/bin/.. -Djboss.server.config.dir=/opt/bitnami/keycloak/bin/../conf -Djava.util.logging.manager=org.jboss.logmanager.LogManager -Dpicocli.disable.closures=true -Dquarkus-log-max-startup-records=10000 -cp /opt/bitnami/keycloak/bin/../lib/quarkus-run.jar io.quarkus.bootstrap.runner.QuarkusEntryPoint -cf /opt/bitnami/keycloak/conf/keycloak.conf --profile=dev start-dev
• Run the ./kc.sh export command pointed at that other listening port.
  • Again, what would be the flag (or env variable?) to configure that? I don't see a --jgroups-port option in the help output

[shawkins]

Have the jgroups tool(? process? server? not sure of the proper nomenclature) listen on more ports than just 7800 (which is the port that the keycloak server connects to)

I was thinking that later versions were using a port range for the base port, but now I'm not so sure after looking at the infinispan configuration.

what's the option to set that? I see KEYCLOAK_HTTP_PORT, but that appears to be a single value, not an array. Here's the full command that the Helm chart is using to run keycloak - I would guess I need to set a -Djgroups.some.other.parameter=... to set more listening ports?

Yes adding -Djgroups.bind.port=7900 should do that.

Run the ./kc.sh export command pointed at that other listening port

Yes adding -Djgroups.bind.port=7900 is picked up via the export command, the log shows:

2024-04-05 14:25:03,848 INFO  [org.jgroups.protocols.FD_SOCK2] (keycloak-cache-init) server listening on *.57900

Which is expected to be at the base port + 50000. But at least for my local tests on main with is using the default cache-stack, that is not actually connecting to port 7900 (nor the server to 7800).

[scubbo]

OK - with an Argo app defined like so:

project: default
source:
  repoURL: 'https://charts.bitnami.com/bitnami'
  targetRevision: 19.3.4
  helm:
    valuesObject:
      extraEnvVars:
        - name: JAVA_OPTS_APPEND
          value: >-
            -Djgroups.dns.query=keycloak-headless.keycloak.svc.cluster.local
            -Djgroups.bind.port=7900
      image:
        tag: 24.0.2
      ingress:
        enabled: true
        hostname: keycloak.avril
  chart: keycloak
destination:
  server: 'https://kubernetes.default.svc'
  namespace: keycloak
syncPolicy:
  automated:
    prune: true
  syncOptions:
    - CreateNamespace=true

, the required parameter was passed to the keycloak executable:

$ k exec -it keycloak-0 -- bash
Defaulted container "keycloak" out of: keycloak, init-quarkus-directory (init)
keycloak@keycloak-0:/$ echo "$(ps aux)"
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
keycloak       1 16.4  0.7 10393192 505996 ?     Ssl  19:14   1:13 /opt/bitnami/java/bin/java -Dkc.config.built=true -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8 -Dsun.err.encoding=UTF-8 -Dstdout.encoding=UTF-8 -Dstderr.encoding=UTF-8 -XX:+ExitOnOutOfMemoryError -Djava.security.egd=file:/dev/urandom -XX:+UseParallelGC -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -XX:FlightRecorderOptions=stackdepth=512 -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20 -Xms64m -Xmx512m --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.base/java.security=ALL-UNNAMED -Djgroups.dns.query=keycloak-headless.keycloak.svc.cluster.local -Djgroups.bind.port=7900 -Dkc.home.dir=/opt/bitnami/keycloak/bin/.. -Djboss.server.config.dir=/opt/bitnami/keycloak/bin/../conf -Djava.util.logging.manager=org.jboss.logmanager.LogManager -Dpicocli.disable.closures=true -Dquarkus-log-max-startup-records=10000 -cp /opt/bitnami/keycloak/bin/../lib/quarkus-run.jar io.quarkus.bootstrap.runner.QuarkusEntryPoint -cf /opt/bitnami/keycloak/conf/keycloak.conf --profile=dev start-dev
keycloak     596  0.2  0.0   4188  3508 pts/1    Ss+  19:21   0:00 bash
keycloak     602  0.0  0.0   8088  4004 pts/1    R+   19:21   0:00 ps aux

# line breaks added for readability

keycloak@keycloak-0:/$ ps aux | grep 'opt/bitnami' | grep -v 'grep' | tr ' ' '\n' | grep "Djgroups"
-Djgroups.dns.query=keycloak-headless.keycloak.svc.cluster.local
-Djgroups.bind.port=7900

keycloak@keycloak-0:/$ /opt/bitnami/keycloak/bin/kc.sh export --file /tmp/realm-export.json --realm new-realm
Appending additional Java properties to JAVA_OPTS: -Djgroups.dns.query=keycloak-headless.keycloak.svc.cluster.local -Djgroups.bind.port=7900
2024-04-06 19:25:38,441 INFO  [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000556: Starting user marshaller 'org.infinispan.jboss.marshalling.core.JBossUserMarshaller'
2024-04-06 19:25:38,562 INFO  [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: Base URL: <unset>, Hostname: <request>, Strict HTTPS: false, Path: <request>, Strict BackChannel: false, Admin URL: <unset>, Admin: <request>, Port: -1, Proxied: true
2024-04-06 19:25:38,839 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000078: Starting JGroups channel `ISPN` with stack `kubernetes`
2024-04-06 19:25:38,845 INFO  [org.jgroups.JChannel] (keycloak-cache-init) local_addr: f6812887-b85e-46b0-aa39-f4a5252aff75, name: keycloak-0-52402
2024-04-06 19:25:38,854 ERROR [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000660: DefaultCacheManager start failed, stopping any running components: org.infinispan.commons.CacheException: Unable to start JGroups Channel
	at org.infinispan.remoting.transport.jgroups.JGroupsTransport.startJGroupsChannelIfNeeded(JGroupsTransport.java:604)
	at org.infinispan.remoting.transport.jgroups.JGroupsTransport.start(JGroupsTransport.java:477)
	at org.infinispan.remoting.transport.jgroups.CorePackageImpl$2.start(CorePackageImpl.java:63)
	at org.infinispan.remoting.transport.jgroups.CorePackageImpl$2.start(CorePackageImpl.java:49)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.invokeStart(BasicComponentRegistryImpl.java:616)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.doStartWrapper(BasicComponentRegistryImpl.java:607)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.startWrapper(BasicComponentRegistryImpl.java:576)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl$ComponentWrapper.running(BasicComponentRegistryImpl.java:807)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.startDependencies(BasicComponentRegistryImpl.java:634)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.doStartWrapper(BasicComponentRegistryImpl.java:598)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl.startWrapper(BasicComponentRegistryImpl.java:576)
	at org.infinispan.factories.impl.BasicComponentRegistryImpl$ComponentWrapper.running(BasicComponentRegistryImpl.java:807)
	at org.infinispan.factories.GlobalComponentRegistry.preStart(GlobalComponentRegistry.java:284)
	at org.infinispan.factories.AbstractComponentRegistry.start(AbstractComponentRegistry.java:250)
	at org.infinispan.manager.DefaultCacheManager.internalStart(DefaultCacheManager.java:779)
	at org.infinispan.manager.DefaultCacheManager.start(DefaultCacheManager.java:747)
	at org.infinispan.manager.DefaultCacheManager.<init>(DefaultCacheManager.java:411)
	at org.keycloak.quarkus.runtime.storage.legacy.infinispan.CacheManagerFactory.startCacheManager(CacheManagerFactory.java:120)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
	at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: java.net.BindException: No available port to bind to in range [7900 .. 7900]
	at org.jgroups.util.Util.bind(Util.java:4113)
	at org.jgroups.util.Util.createServerSocket(Util.java:4089)
	at org.jgroups.blocks.cs.TcpServer.<init>(TcpServer.java:68)
	at org.jgroups.blocks.cs.TcpServer.<init>(TcpServer.java:43)
	at org.jgroups.protocols.TCP.start(TCP.java:111)
	at org.jgroups.stack.ProtocolStack.startStack(ProtocolStack.java:905)
	at org.jgroups.JChannel.startStack(JChannel.java:922)
	at org.jgroups.JChannel._preConnect(JChannel.java:800)
	at org.jgroups.JChannel.connect(JChannel.java:323)
	at org.jgroups.JChannel.connect(JChannel.java:317)
	at org.infinispan.remoting.transport.jgroups.JGroupsTransport.startJGroupsChannelIfNeeded(JGroupsTransport.java:602)
	... 21 more

2024-04-06 19:25:40,620 WARN  [io.quarkus.agroal.runtime.DataSources] (JPA Startup Thread) Datasource <default> enables XA but transaction recovery is not enabled. Please enable transaction recovery by setting quarkus.transaction-manager.enable-recovery=true, otherwise data may be lost if the application is terminated abruptly
2024-04-06 19:25:42,217 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (import_export) mode
2024-04-06 19:25:42,218 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start caches
2024-04-06 19:25:42,218 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: org.infinispan.manager.EmbeddedCacheManagerStartupException: Unable to start JGroups Channel
2024-04-06 19:25:42,219 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Unable to start JGroups Channel
2024-04-06 19:25:42,219 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Unable to start JGroups Channel
2024-04-06 19:25:42,219 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: No available port to bind to in range [7900 .. 7900]
2024-04-06 19:25:42,219 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) For more details run the same command passing the '--verbose' option. Also you can use '--help' to see the details about the usage of the particular command.

I.e. same behaviour as before (except it's now failing to bind to the new port).

---

I had a look at how the image itself is built. The Dockerfile is here, and the entrypoint pulls a bunch of environment variables (including KEYCLOAK_CACHE_STACK and KEYCLOAK_CACHE_TYPE from keycloak-env.sh. I wasn't able to find where the kc.sh build is getting invoked, though.

[scubbo]

Although I didn't have high hopes for this working (because, if I'm understanding your comments correctly, this value is getting set at image-creation time and not at runtime) I also tried explicitly setting the KEYCLOAK_CACHE_TYPE as an environment variable on the container, and this seemed to work just fine:

$ k get -n argo applications.argoproj.io/keycloak -o jsonpath={'.spec.source'} | jq
{
  "chart": "keycloak",
  "helm": {
    "valuesObject": {
      "extraEnvVars": [
        {
          "name": "JAVA_OPTS_APPEND",
          "value": "-Djgroups.dns.query=keycloak-headless.keycloak.svc.cluster.local -Djgroups.bind.port=7900"
        },
        {
          "name": "KEYCLOAK_CACHE_TYPE",
          "value": "local"
        }
      ],
      "image": {
        "tag": "24.0.2"
      },
      "ingress": {
        "enabled": true,
        "hostname": "keycloak.avril"
      }
    }
  },
  "repoURL": "https://charts.bitnami.com/bitnami",
  "targetRevision": "19.3.4"
}

$ k -n keycloak exec -it keycloak-0 -- bash
Defaulted container "keycloak" out of: keycloak, init-quarkus-directory (init)

keycloak@keycloak-0:/$ env | grep 'KEYCLOAK_CACHE'
KEYCLOAK_CACHE_STACK=kubernetes
KEYCLOAK_CACHE_TYPE=local

keycloak@keycloak-0:/$ /opt/bitnami/keycloak/bin/kc.sh export --file /tmp/realm-export.json --realm new-realm
Appending additional Java properties to JAVA_OPTS: -Djgroups.dns.query=keycloak-headless.keycloak.svc.cluster.local -Djgroups.bind.port=7900
2024-04-06 19:57:02,593 WARN  [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000569: Unable to persist Infinispan internal caches as no global state enabled
2024-04-06 19:57:02,667 INFO  [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000556: Starting user marshaller 'org.infinispan.jboss.marshalling.core.JBossUserMarshaller'
2024-04-06 19:57:02,904 INFO  [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: Base URL: <unset>, Hostname: <request>, Strict HTTPS: false, Path: <request>, Strict BackChannel: false, Admin URL: <unset>, Admin: <request>, Port: -1, Proxied: true
2024-04-06 19:57:04,894 WARN  [io.quarkus.agroal.runtime.DataSources] (JPA Startup Thread) Datasource <default> enables XA but transaction recovery is not enabled. Please enable transaction recovery by setting quarkus.transaction-manager.enable-recovery=true, otherwise data may be lost if the application is terminated abruptly
2024-04-06 19:57:05,960 INFO  [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (main) Node name: node_432458, Site name: null
2024-04-06 19:57:06,536 INFO  [org.keycloak.broker.provider.AbstractIdentityProviderMapper] (main) Registering class org.keycloak.broker.provider.mappersync.ConfigSyncEventListener
2024-04-06 19:57:07,291 INFO  [org.keycloak.services] (main) KC-SERVICES0034: Export of realm 'new-realm' requested.
2024-04-06 19:57:07,292 INFO  [org.keycloak.exportimport.singlefile.SingleFileExportProvider] (main) Exporting realm 'new-realm' into file /tmp/realm-export.json
2024-04-06 19:57:08,088 INFO  [org.keycloak.services] (main) KC-SERVICES0035: Export finished successfully
2024-04-06 19:57:08,116 INFO  [io.quarkus] (main) Keycloak 24.0.2 on JVM (powered by Quarkus 3.8.3) started in 7.451s. Listening on:
2024-04-06 19:57:08,117 INFO  [io.quarkus] (main) Profile import_export activated.
2024-04-06 19:57:08,117 INFO  [io.quarkus] (main) Installed features: [agroal, cdi, hibernate-orm, jdbc-postgresql, keycloak, logging-gelf, narayana-jta, reactive-routes, resteasy-reactive, resteasy-reactive-jackson, smallrye-context-propagation, vertx]
2024-04-06 19:57:08,166 INFO  [io.quarkus] (main) Keycloak stopped in 0.046s

keycloak@keycloak-0:/$ cat /tmp/realm-export.json | head
{
  "id" : "c221b428-2847-4397-9abc-cec86de2faa5",
  "realm" : "new-realm",
  "notBefore" : 0,
  "defaultSignatureAlgorithm" : "RS256",
  "revokeRefreshToken" : false,
  "refreshTokenMaxReuse" : 0,
  "accessTokenLifespan" : 300,
  "accessTokenLifespanForImplicitFlow" : 900,
  "ssoSessionIdleTimeout" : 1800,

keycloak@keycloak-0:/$ grep -C 5 'created-user' /tmp/realm-export.json
  "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister" : false,
  "webAuthnPolicyPasswordlessAcceptableAaguids" : [ ],
  "webAuthnPolicyPasswordlessExtraOrigins" : [ ],
  "users" : [ {
    "id" : "50ef7221-96ae-4943-a8b1-a12600ccf7c9",
    "username" : "created-user",
    "firstName" : "Test",
    "lastName" : "Anonymous",
    "email" : "me@example.org",
    "emailVerified" : false,
    "createdTimestamp" : 1712433375557,

So - while I am technically unblocked (I can export realms, by setting KEYCLOAK_CACHE_TYPE to local), it feels like there's still an issue to be resolved here (presumably, larger installations than my dinky little homelab setup would not want to choose between caching and backups). I'd understand if you want to track that issue separately and close this one, though.

[scubbo]

(Just for completeness - I tested removing the JAVA_OPTS_APPEND env and just including the KEYCLOAK_CACHE_TYPE, and the export still worked fine)

[scubbo]

while I am technically unblocked

Unfortunately I spoke too soon - I'm able to carry out a manual command to export a realm, but not able to automate it:

• the custom image does not have cron installed, so I can't set a regular export from the "main" Pod
• attempting to run backup from an separate Pod fails - the realm is not found (I'm mostly guessing from the log messages, but it looks like the "backup Pod" is not actually connecting to the primary Pod's data)

I'm not sure if that qualifies as a Bitnami issue or a Keycloak one. The absence of cron on a custom image is certainly not up to you - but, given that "as part of [import/export, Keycloak] spins up the http server, so when that port is blocked (e.g. keycloak runs or another app has a binding) this could cause the error you are observing", and that I was advised earlier in this issue to "it may be best to use a separate installation to perform the import / export because you'll need to rebuild back to your server needs afterwards.", I get the impression (could be wrong!) that your suggestion would be for exports to be run from a separate Pod, not the primary one.

[scubbo]

I was able to get a separate Pod to successfully run a Realm Export by adding a --db option (and corresponding --db-url, --db-username, and --db-password) to the kc.sh command. Is this the intended workflow?

[shawkins]

I'll try to address as much as I can from the preceeding comments - let me know if I miss something.

I.e. same behaviour as before (except it's now failing to bind to the new port).

Is there something you need to do in your environment to declare / allow for port usage? Unless I was really unlucky at picking an alternative port, I would expect that to work.

I had a look at how the image itself is built. The Dockerfile is here, and the entrypoint pulls a bunch of environment variables (including KEYCLOAK_CACHE_STACK and KEYCLOAK_CACHE_TYPE from keycloak-env.sh. I wasn't able to find where the kc.sh build is getting invoked, though.

It's not using an explicit build. The start command will implicitly perform a build if needed.

What I don't see at first glance is where KEYCLOAK_ env variables are being mapped to something that keycloak will use.

So - while I am technically unblocked (I can export realms, by setting KEYCLOAK_CACHE_TYPE to local), it feels like there's still an issue to be resolved here (presumably, larger installations than my dinky little homelab setup would not want to choose between caching and backups). I'd understand if you want to track that issue separately and close this one, though.

No, you would not want to do it this way because you don't want to use cache type local for the server.

You can achieve the same thing by using the workaround of first performing a build, then doing your export.

If you will not be restarting the keycloak process from within the same pod (which looks to be the case), you shouldn't need to worry about optimizing the image again back to what would be used by a regular start command. But of course using a separate pod makes this even clearer.

I was able to get a separate Pod to successfully run a Realm Export by adding a --db option (and corresponding --db-url, --db-username, and --db-password) to the kc.sh command. Is this the intended workflow?

Yes, this is effectively the operator flow for import when using a separate Pod. It is given all of the environment variables and command line arguments as would be given to the regular server process, but is scrubbed of the cache related settings so that local can be forced. What we should use this issue for to rationalize exactly what import/export is inferring it needs - similar to what was done for the http serving port it doesn't seem like it should ever need cache access nor the mangement interface.

[scubbo]

Great, thanks. Sorry, I know I dumped a lot of information on you while investigating - appreciate the helpful responses and explanations (especially the explanation that I should have been trying to do an export from a separate Pod in the first place anyway 🙃)!

[shawkins]

@vmuzikar @mabartos I have this marked as important because it seems there are issues with users trying to figure out what needs supplied to import / export. There are several cases now:

• the user assumes that production access is being provided, but instead it's accessing the dev database Keycloak Relm Export Issue #28471 - this is highly related to Keycloak Export only accept H2 datase-URL (Datasource: URL format error; must be jdbc:h2 ... but is jdbc:mariadb: ...) #15898
• staring import / export in the same vm as a running server can lead to port conflicts - raised on this issue for jgroups, but I also saw it locally with the management port as well. The changes @mabartos did to move cache options to runtime will make the former easier to deal with, but it doesn't seem like users should need to think about setting these options when doing an import / export

It seems like we should generally avoid any workarounds that require using an explicit build or even relying upon an implicit build when dealing with import / export - that gets pretty confusing when a single installation.

Do you want to stick with important or lessen this?

[vmuzikar]

@shawkins Do you see this as a bug? From my perspective I perceive it as a documentation issue (we could be more clear on the behavior), or a UX enhancement (to improve the behavior to be more intuitive).

[shawkins]

@vmuzikar I would go as far to call it a bug if you need to adjust anything build time related - the build vs run time is already confusing enough for our users having to consider that you may need two separate build time profiles is even worse. Unless there are other possible build time options in play, getting the cache properties to runtime would make this more of a doc / UX issue.

[vmuzikar]

The most prominent build time options relevant to export are the --db* ones. Cache options were made runtime in #28542. So I'd say we can clearly document it for now, and investigate a possible improvements in a follow-up.