keycloak / keycloak-containers

ARCHIVED Containers for the no longer supported WildFly distribution of Keycloak


Support for read only file systems

arahlf opened this issue · comments

Description

I'm trying to get the Keycloak image to work in an environment that requires the use of read only root file systems, such as via the "--read-only" flag when running Docker directly, or the "readOnlyRootFilesystem" in the context of k8s.

Currently, the startup scripts in the image do various forms of file manipulation, such as "sed -i" and "touch", and probably others I just haven't bumped into yet. When running the Keycloak image with Docker locally using the "--read-only" flag, it immediately fails with:

sed: couldn't open temporary file /opt/jboss/keycloak/bin/sedwhvBHR: Read-only file system

because of: https://github.com/keycloak/keycloak-containers/blob/main/server/tools/docker-entrypoint.sh#L108

but there are seemingly other places that try to do file I/O as well.

Discussion

No response

Motivation

Running on a read only root file system is becoming more commonly enforced and is also recommended by the NSA: https://www.cisa.gov/uscert/ncas/current-activity/2021/08/02/cisa-and-nsa-release-kubernetes-hardening-guidance

Details

No response
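The failure quoted above comes from how `sed -i` works: it writes a temporary file next to the target and renames it over the original, so it needs the target's directory to be writable. The following shell script is an added example (not code from keycloak-containers or its entrypoint) of the pattern an entrypoint can use instead: probe whether the config's directory is writable, edit in place when it is, and otherwise write the edited copy to a scratch directory such as an `emptyDir`/tmpfs mount. The file names, the sed expression and the `/tmp` default are assumptions for illustration.

```bash
#!/bin/sh
# Added example: config edits that survive a read-only root filesystem.
# Assumed layout: a standalone.conf-style file under a possibly read-only
# directory, and a writable scratch directory (default /tmp) to fall back to.

# Return 0 if we can create files in directory $1.
# A probe file is used instead of `test -w`, because root inside a
# container still fails to write on a read-only mount even though
# `test -w` may report the directory as writable.
dir_is_writable() {
    probe="$1/.probe.$$"
    if : > "$probe" 2>/dev/null; then
        rm -f "$probe"
        return 0
    fi
    return 1
}

# Decide where the edited copy of $1 should live: the original path when its
# directory is writable, otherwise the same file name under scratch dir $2.
choose_target() {
    src="$1"; scratch="$2"
    if dir_is_writable "$(dirname "$src")"; then
        echo "$src"
    else
        echo "$scratch/$(basename "$src")"
    fi
}

# Apply sed expression $2 to file $1 without `sed -i`.
# Prints the path of the edited file so the caller can point the server at it.
apply_sed() {
    src="$1"; expr="$2"; scratch="${3:-/tmp}"
    target=$(choose_target "$src" "$scratch")
    if [ "$target" = "$src" ]; then
        # Same directory is writable: do what `sed -i` does, explicitly,
        # so the file is replaced atomically rather than truncated mid-write.
        tmp="$(dirname "$src")/.$(basename "$src").$$"
        sed "$expr" "$src" > "$tmp" && mv "$tmp" "$src"
    else
        # Read-only directory: write the edited copy to the scratch location.
        sed "$expr" "$src" > "$target"
    fi && echo "$target"
}

# Usage (constructed sample): edit the heap setting and report where the
# resulting file ended up.
# conf=$(apply_sed /opt/app/bin/standalone.conf 's/-Xmx512m/-Xmx1g/' /tmp)
# echo "using config: $conf"
```

On Kubernetes the scratch directory would be an `emptyDir` volume mounted at the path the script writes to, so `readOnlyRootFilesystem: true` can stay set for the container; any `touch` calls in the entrypoint need the same treatment, pointed at a mounted writable path rather than the image's own directories.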

Spent a few minutes investigating. Bottom line: the commit that introduced the "sed -i" would have better belonged in the wildfly repo, which provides the standalone.conf file. https://github.com/wildfly/wildfly/blob/main/docs/src/main/asciidoc/_admin-guide/General_configuration_concepts.adoc

@radudd @slaskawi any chance you could relocate/reapply the patchset?

Otherwise I hope that Quarkus Keycloak is obsoleting some of this.

With Keycloak 20 the WildFly based distribution is no longer supported. For the newer Quarkus distribution of Keycloak, check out the new documentation, or the updated container sources.