Re: S2I with wildfly: keycloak adapter
I think the wildfly builder also understands that you can put modules in your source repo under modules/ and they will get copied into the right location:
https://github.com/openshift/openshift-jee-sample/blob/master/.s2i/bin/assemble.ignore#L59

On Wed, Dec 6, 2017 at 7:37 AM, Ben Parees wrote:
> On Dec 6, 2017 1:47 AM, "jelmer van amen" wrote:
>
> The keycloak adapter subsystem needs more than just some XML configuration
> (as described on http://www.keycloak.org/docs/latest/securing_apps/index.html#_jboss_adapter).
> It needs to have some layers extracted to the wildfly root dir, besides
> the XML change. How would one go about solving this using the standard
> S2I pipeline?
>
>
> If the default assemble script doesn't allow you to override the
> configuration you need to override, you'll have to provide a custom
> assemble script that does.
>
>
> On 5 December 2017 at 14:38, Ben Parees wrote:
>
>> The wildfly image allows you to supply your own standalone.xml config as
>> part of your source.
>>
>> Ben Parees | OpenShift
>>
>> On Dec 5, 2017 05:10, "jelmer van amen" wrote:
>>
>>> When using the standard s2i pipeline, no configuration seems to be
>>> present to add a keycloak security subsystem. How would one go about adding
>>> a keycloak adapter (as subsystem in wildfly) using the standard S2I image
>>> stream for wildfly?
>>>
>>> Kind regards,
>>> Jelmer
>>>
>>> On 5 December 2017 at 07:15, Steven Pousty wrote:
>>>
>>>> Why do you think it doesn't support it? There should be no problem
>>>> adding it. Which part are you stuck on?
>>>> Thanks
>>>> Steve
>>>>
>>>> On Mon, Dec 4, 2017 at 10:11 PM, jelmer van amen <jelmervana...@gmail.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> We’re migrating our software to OpenShift. We have a maven (well,
>>>>> actually gradle, but we’re ok with moving to maven) J2EE war application
>>>>> secured using keycloak adapter in a wildfly instance.
>>>>>
>>>>> We’d like to use s2i for this application. Our first guess would be
>>>>> https://github.com/openshift-s2i/s2i-wildfly , but that does not
>>>>> (seem to) support adding the keycloak adapter
>>>>> (http://www.keycloak.org/docs/3.0/securing_apps/topics/oidc/java/jboss-adapter.html#_jboss_adapter).
>>>>>
>>>>> What would be the best way to go?
>>>>>
>>>>> Thanks!
>>>>>
>>>>> ___
>>>>> users mailing list
>>>>> users@lists.openshift.redhat.com
>>>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
Re: S2I with wildfly: keycloak adapter
Why do you think it doesn't support it? There should be no problem adding it. Which part are you stuck on?
Thanks
Steve

On Mon, Dec 4, 2017 at 10:11 PM, jelmer van amen wrote:
> Hi,
>
> We’re migrating our software to OpenShift. We have a maven (well, actually
> gradle, but we’re ok with moving to maven) J2EE war application secured
> using keycloak adapter in a wildfly instance.
>
> We’d like to use s2i for this application. Our first guess would be
> https://github.com/openshift-s2i/s2i-wildfly , but that does not (seem
> to) support adding the keycloak adapter
> (http://www.keycloak.org/docs/3.0/securing_apps/topics/oidc/java/jboss-adapter.html#_jboss_adapter).
>
> What would be the best way to go?
>
> Thanks!
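Added example, not part of any message in this thread: a helper for the custom assemble script suggested above, which extracts an adapter archive committed with the source over the WildFly root only after checking a pinned SHA-256. The function name and the locations `/tmp/src/adapter/keycloak-adapter.tar.gz`, `/wildfly` and `/usr/libexec/s2i/assemble` are assumptions about the builder image, not values from the thread.

```shell
#!/bin/sh
# Added example for a custom .s2i/bin/assemble; names and paths are assumptions.

# install_overlay ARCHIVE EXPECTED_SHA256 WILDFLY_HOME
# Extracts ARCHIVE over WILDFLY_HOME only if its SHA-256 matches the pinned
# value and no entry name is absolute or contains a ".." component.
# Returns 2 (bad arguments), 3 (digest mismatch), 4 (unsafe entry name).
install_overlay() {
  local archive="$1" expected="$2" home="$3" actual
  [ -f "$archive" ] && [ -d "$home" ] || { echo "missing archive or target dir" >&2; return 2; }

  actual=$(sha256sum "$archive" | cut -d' ' -f1)
  if [ "$actual" != "$expected" ]; then
    echo "digest mismatch for $archive: got $actual" >&2
    return 3
  fi

  # Check entry names before anything is written (names only, not link targets).
  if tar -tzf "$archive" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
    echo "unsafe entry name in $archive" >&2
    return 4
  fi

  tar -xzf "$archive" -C "$home" --no-same-owner
}

# Intended call pattern inside .s2i/bin/assemble (assumed locations):
#   ADAPTER_SHA256=<pinned digest of the archive you reviewed>
#   install_overlay /tmp/src/adapter/keycloak-adapter.tar.gz "$ADAPTER_SHA256" /wildfly || exit 1
#   exec /usr/libexec/s2i/assemble   # hand off to the builder's default script
```

The subsystem XML itself can still come from a standalone.xml supplied with the source, as described earlier in the thread.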
Re: Openshift Online Restriction Problem
Have you tried shelling into the pod and then doing a whoami? Just being extra sure ;)
But that is the extent of my help. I don't know how to query to see what restriction you are hitting up against.

On Wed, Apr 12, 2017 at 9:16 AM, Barış Aydınöz wrote:
> No, we switch the user before running CMD
>
> Dockerfile:
>
> …
> ENV USER_NAME=hazelcast
> ENV USER_UID=10001
>
> …..
>
> RUN useradd -l -u $USER_UID -r -g 0 -d $HZ_HOME -s /sbin/nologin -c "${USER_UID} application user" $USER_NAME
> …..
>
> USER $USER_UID
>
> EXPOSE 5701
> CMD ["/bin/sh", "-c", "./start.sh"]
>
> On 12 Apr 2017, at 18:11, Steven Pousty wrote:
>
> Do you run your container as root?
>
> On Wed, Apr 12, 2017 at 6:04 AM, Barış Aydınöz wrote:
>
>> Hello,
>>
>> We use an image that we build on Docker 1.13.1 on MacOS. Regarding image
>> works with no problem on OCP platform, which comes as a Vagrant box from
>> CDK 2.4
>>
>> Whereas, we have a *restriction* problem on Openshift Online. Below I
>> share error log from Openshift Online.
>>
>> $ oc describe pod hazelcast-cluster-rc-hz-tp7zs-dey84 | grep Security
>> Security Policy: *restricted*
>>
>> Could you please advise?
>>
>> Thanks and kind regards
>> Baris
Re: Openshift Online Restriction Problem
Do you run your container as root?

On Wed, Apr 12, 2017 at 6:04 AM, Barış Aydınöz wrote:
> Hello,
>
> We use an image that we build on Docker 1.13.1 on MacOS. Regarding image
> works with no problem on OCP platform, which comes as a Vagrant box from
> CDK 2.4
>
> Whereas, we have a *restriction* problem on Openshift Online. Below I
> share error log from Openshift Online.
>
> $ oc describe pod hazelcast-cluster-rc-hz-tp7zs-dey84 | grep Security
> Security Policy: *restricted*
>
> Could you please advise?
>
> Thanks and kind regards
> Baris