Keycloak does not work with Docker read_only: true

Just found that issue, while searching for a solution for the same problem. This is needed for deployment of keycloak in kubernetes for my company, because we have a policy that any deployment must be rootless and read-only (excepted mounted PVCs). So this is keeping me from using keycloak at the moment.

Running into this as well. I had previously gotten Keycloak to work on read only K8S via a custom Dockerfile, a /tmp dir volume mount, and a handful of symlinks/overrides created in the Dockerfile to trick it into writing to the mounted tmp directory.

I’m in the process of trying to upgrade to 20.0.1 and running into a similar (but different) issue trying to get it to work on a read only FS. I’ve managed to get it working locally for the moment with the --read-only flag via Docker run (will try with K8S next) by overriding one of the jar files. I could get the server to start up, but the first time loading a page it would then fail and I could see various exceptions like this in stdout:

2022-12-02 15:25:28,917 WARN  [org.keycloak.services] (executor-thread-1) KC-SERVICES0075: Failed to get theme request: java.lang.RuntimeException: Temporary directory /opt/keycloak/bin/../data/tmp does not exist and it was not possible to create it.

	at org.keycloak.quarkus.runtime.integration.QuarkusPlatform.getTmpDirectory(QuarkusPlatform.java:167)
	at org.keycloak.encoding.GzipResourceEncodingProviderFactory.initCacheDir(GzipResourceEncodingProviderFactory.java:70)
	at org.keycloak.encoding.GzipResourceEncodingProviderFactory.create(GzipResourceEncodingProviderFactory.java:29)
	at org.keycloak.encoding.GzipResourceEncodingProviderFactory.create(GzipResourceEncodingProviderFactory.java:18)
	at org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:282)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at org.jboss.resteasy.core.ContextParameterInjector$GenericDelegatingProxy.invoke(ContextParameterInjector.java:166)
	at com.sun.proxy.$Proxy50.getProvider(Unknown Source)
	at org.keycloak.encoding.ResourceEncodingHelper.getResourceEncodingProvider(ResourceEncodingHelper.java:14)
	at org.keycloak.services.resources.ThemeResource.getResource(ThemeResource.java:65)

I even tried my symlink override trick on that directory but it didn’t work, seemingly because Java’s isDirectory() method might not work on symlinks: https://github.com/keycloak/keycloak/blob/release/20.0/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/integration/QuarkusPlatform.java#L151-L160

Next, I tried building Keycloak from source and updated that method so that in the presence of a new env variable I added (e.g. KC_TMP_DIR) it would then use that instead, and I have that configured in my container to use the mounted /tmp directory. I then compiled that, grabbed the updated jar, and included that override as part of my Dockerfile. This seems to work, but obviously is a pretty ugly hack 😃

For the moment though it seems to be working now (though I wouldn’t be surprised if I bump into another issue at some point).