Keycloak DevServices issue with quarkus RHEL 8 CSB "#yum docker install" install - works fine with docker-ce install

[orivat]

Describe the bug

1. Description
   ===========

On RHEL 8 CSB, when docket is installed using the command

#yum install docker

It is not possible to run use Quarkus keycloak devservices correctly.
They are failing if docker has been installed using command "yum docker install".

Keyclaok Quarkus worksfine if it is installed from docker-ce

Note:
The command "yum install docker" install at the same podman Openshift package

This issue is not showing up if docker is installed from docker as follows:

dnf config-manager --add-repo=https://download.docker.com/linux/centos/docker-ce.repo
dnf list docker-ce --showduplicates | sort -r
dnf install docker-ce-3:20.10.9-3.el8
systemctl start docker

2. Example
   =========

This example is showcasing an example of failure with following application.properties

# Configuration file
prod.quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus
quarkus.oidc.client-id=backend-service
quarkus.oidc.credentials.secret=secret
quarkus.keycloak.devservices.realm-path=quarkus-realm.json

quarkus.oidc-client.auth-server-url=${quarkus.oidc.auth-server-url}
quarkus.oidc-client.client-id=${quarkus.oidc.client-id}
quarkus.oidc-client.credentials.secret=${quarkus.oidc.credentials.secret}
quarkus.oidc-client.grant.type=password
quarkus.oidc-client.grant-options.password.username=alice
quarkus.oidc-client.grant-options.password.password=alice

%prod.port=8080
%dev.port=8080
%test.port=8081

org.acme.security.openid.connect.client.ProtectedResourceOidcClientFilter/mp-rest/url=http://localhost:${port}/protected
org.acme.security.openid.connect.client.ProtectedResourceTokenPropagationFilter/mp-rest/url=http://localhost:${port}/protected

#2.1. build quarkus

git clone https://github.com/quarkusio/quarkus.git
cd quarkus

export MAVEN_OPTS="-Xmx4g"
./mvnw -Dquickly

#2.2 add security-openid-connect-client-quickstart

git clone https://github.com/quarkusio/quarkus-quickstarts
cd quarkus-quickstarts
gh pr checkout 1107

cd /home/orivat/dev/quarkus_ws/quarkus-quickstarts/security-openid-connect-client-quickstart

3. Build is failing

mvn test

mvn test
 
 
[INFO] Scanning for projects...
[INFO]
[INFO] ---------< org.acme:security-openid-connect-client-quickstart >---------
[INFO] Building security-openid-connect-client-quickstart 1.0.0-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ security-openid-connect-client-quickstart ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] Copying 1 resource
[INFO] Copying 1 resource
[INFO]
[INFO] --- maven-compiler-plugin:3.1:compile (default-compile) @ security-openid-connect-client-quickstart ---
[INFO] Nothing to compile - all classes are up to date
[INFO]
[INFO] --- maven-resources-plugin:2.6:testResources (default-testResources) @ security-openid-connect-client-quickstart ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] skip non existing resourceDirectory /home/orivat/dev/quarkus_ws/quarkus-quickstarts/security-openid-connect-client-quickstart/src/test/resources
[INFO]
[INFO] --- maven-compiler-plugin:3.1:testCompile (default-testCompile) @ security-openid-connect-client-quickstart ---
[INFO] Nothing to compile - all classes are up to date
[INFO]
[INFO] --- maven-surefire-plugin:3.0.0-M5:test (default-test) @ security-openid-connect-client-quickstart ---
[INFO]
[INFO] -------------------------------------------------------
[INFO]  T E S T S
[INFO] -------------------------------------------------------
[INFO] Running org.acme.security.openid.connect.OidcClientTokenPropagationTest
2022-05-06 17:53:25,821 INFO  [org.jbo.threads] (main) JBoss Threads version 3.4.2.Final
2022-05-06 17:53:27,838 INFO  [io.quarkus] (main) security-openid-connect-client-quickstart 1.0.0-SNAPSHOT on JVM (powered by Quarkus 999-SNAPSHOT) started in 2.518s. Listening on: http://localhost:8081/
2022-05-06 17:53:27,839 INFO  [io.quarkus] (main) Profile test activated.
2022-05-06 17:53:27,839 INFO  [io.quarkus] (main) Installed features: [cdi, oidc, oidc-client, oidc-client-reactive-filter, oidc-token-propagation-reactive, rest-client-reactive, resteasy-reactive, resteasy-reactive-jackson, security, smallrye-context-propagation, vertx]
[ERROR] Tests run: 2, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 34.672 s <<< FAILURE! - in org.acme.security.openid.connect.OidcClientTokenPropagationTest
[ERROR] org.acme.security.openid.connect.OidcClientTokenPropagationTest.testGetNameWithOidcClient  Time elapsed: 30.547 s  <<< ERROR!
java.net.SocketTimeoutException: Read timed out
        at org.acme.security.openid.connect.OidcClientTokenPropagationTest.testGetNameWithOidcClient(OidcClientTokenPropagationTest.java:38)
 
2022-05-06 17:53:59,335 INFO  [io.quarkus] (main) security-openid-connect-client-quickstart stopped in 0.028s
[INFO]
[INFO] Results:
[INFO]
[ERROR] Errors:
[ERROR]   OidcClientTokenPropagationTest.testGetNameWithOidcClient:38 » SocketTimeout Re...
[INFO]
[ERROR] Tests run: 2, Failures: 0, Errors: 1, Skipped: 0

4. Work-around (for #yum install docker on RHEL8 CSB)
   ============
   Only way to make it working is:
   -To start docker externally (see 4.1)
   -To update application.properties adding/updating

oidc.keycloak.devservices.enabled=false

Configuration file

#%prod.quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus
quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus
client.quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus

1. start docker externally
   docker run -p 8180:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=password quay.io/keycloak/keycloak:18.0.0 start-dev

2. update application properteis as follows:

oidc.keycloak.devservices.enabled=false

Configuration file

#%prod.quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus
quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus
client.quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus
quarkus.oidc.client-id=backend-service
quarkus.oidc.credentials.secret=secret
quarkus.keycloak.devservices.realm-path=quarkus-realm.json

quarkus.oidc-client.auth-server-url=${quarkus.oidc.auth-server-url}
quarkus.oidc-client.client-id=${quarkus.oidc.client-id}
quarkus.oidc-client.credentials.secret=${quarkus.oidc.credentials.secret}
quarkus.oidc-client.grant.type=password
quarkus.oidc-client.grant-options.password.username=alice
quarkus.oidc-client.grant-options.password.password=alice

%prod.port=8080
%dev.port=8080
%test.port=8081

org.acme.security.openid.connect.client.ProtectedResourceOidcClientFilter/mp-rest/url=http://localhost:${port}/protected
org.acme.security.openid.connect.client.ProtectedResourceTokenPropagationFilter/mp-rest/url=http://localhost:${port}/protected

3. run test

mvn test

It should display

INFO] -------------------------------------------------------
[INFO]  T E S T S
[INFO] -------------------------------------------------------
[INFO] Running org.acme.security.openid.connect.OidcClientTokenPropagationTest
2022-05-09 10:40:33,756 INFO  [org.jbo.threads] (main) JBoss Threads version 3.4.2.Final
2022-05-09 10:40:35,785 INFO  [io.quarkus] (main) security-openid-connect-client-quickstart 1.0.0-SNAPSHOT on JVM (powered by Quarkus 999-SNAPSHOT) started in 2.601s. Listening on: http://localhost:8081/
2022-05-09 10:40:35,785 INFO  [io.quarkus] (main) Profile test activated. 
2022-05-09 10:40:35,786 INFO  [io.quarkus] (main) Installed features: [cdi, oidc, oidc-client, oidc-client-reactive-filter, oidc-token-propagation-reactive, rest-client-reactive, resteasy-reactive, resteasy-reactive-jackson, security, smallrye-context-propagation, smallrye-openapi, swagger-ui, vertx]
[INFO] Tests run: 2, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 5.113 s - in org.acme.security.openid.connect.OidcClientTokenPropagationTest
2022-05-09 10:40:37,611 INFO  [io.quarkus] (main) security-openid-connect-client-quickstart stopped in 0.032s
[INFO] 
[INFO] Results:
[INFO] 
[INFO] Tests run: 2, Failures: 0, Errors: 0, Skipped: 0















       

### Expected behavior

_No response_

### Actual behavior

_No response_

### How to Reproduce?

_No response_

### Output of `uname -a` or `ver`

Linux remote.csb 4.18.0-348.20.1.el8_5.x86_64 #1 SMP Tue Mar 8 12:56:54 EST 2022 x86_64 x86_64 x86_64 GNU/Linux

### Output of `java -version`

java -version openjdk version "11.0.14.1" 2022-02-08 LTS OpenJDK Runtime Environment 18.9 (build 11.0.14.1+1-LTS) OpenJDK 64-Bit Server VM 18.9 (build 11.0.14.1+1-LTS, mixed mode, sharing)

### GraalVM version (if different from Java)

_No response_

### Quarkus version or git rev

build compilation version

### Build tool (ie. output of `mvnw --version` or `gradlew --version`)

3.82

### Additional information

_No response_

[quarkus-bot]

/cc @geoand, @iocanel, @pedroigor, @sberyozkin, @stuartwdouglas

[sberyozkin]

The stack trace which can be relevant:

2022-05-06 17:13:23,634 ERROR [org.tes.doc.DockerClientProviderStrategy] (build-11) Could not find a valid Docker environment. Please check configuration. Attempted configurations were:
2022-05-06 17:13:23,635 ERROR [org.tes.doc.DockerClientProviderStrategy] (build-11)     UnixSocketClientProviderStrategy: failed with exception InvalidConfigurationException (Could not find unix domain socket). Root cause AccessDeniedException (/var/run/docker.sock)
2022-05-06 17:13:23,635 ERROR [org.tes.doc.DockerClientProviderStrategy] (build-11) As no valid configuration was found, execution cannot continue
2022

@orivat Thanks for providing the detailed instructions on how to reproduce, note this demo is already in the development branch. Trying to build the existing security-openid-connect-quickstart can be even simpler, it also uses DevServices for Keycloak for testing

[sberyozkin]

@orivat I wonder if it is a groups setup issue on your system, see for example

https://stackoverflow.com/questions/48568172/docker-sock-permission-denied,

there is a note there related to sudo yum install -y docker as well

[gsmet]

I think we improved a lot in this area (and Podman too) so let's close this one.