
fusionauth-containers's Issues

Upgrade Java

Upgrade Java from JRE8

Details

FusionAuth is currently using Oracle JRE8.

Oracle has moved away from the Oracle Binary License (BCL), which is the license we had been operating under, to a license with even more restrictive terms.

Oracle essentially has cut off all uses of Java in projects such as FusionAuth unless you purchase a license from Oracle. We have attempted to pursue a license with Oracle in the past, and the license costs are cost prohibitive - essentially being a percentage of our revenue.

For this and other reasons the next upgrade for FusionAuth will be to OpenJDK 12 or 13. We hope to make this transition in Q1 or Q2 of 2020.

BCL : https://www.oracle.com/downloads/licenses/binary-code-license.html
OTNL : https://www.oracle.com/downloads/licenses/javase-license1.html

Additional Context

From Oracle:
https://www.oracle.com/java/technologies/javase-jdk8-downloads.html

Important Oracle JDK License Update
The Oracle JDK License has changed for releases starting April 16, 2019.

The new Oracle Technology Network License Agreement for Oracle Java SE is substantially different from prior Oracle JDK licenses. The new license permits certain uses, such as personal use and development use, at no cost -- but other uses authorized under prior Oracle JDK licenses may no longer be available. Please review the terms carefully before downloading and using this product. An FAQ is available here.

Commercial license and support is available with a low cost Java SE Subscription.

Oracle also provides the latest OpenJDK release under the open source GPL License at jdk.java.net.

Original Description

Original title: Update JRE to 8u191

Original description:
Please upgrade the JRE to 8u191 so that we can use +UseContainerSupport for cgroup awareness.

Additional benefits will be that we will be able to (subject to enhancements) specify FUSIONAUTH_MEMORY as a percentage of RAM available instead of a static value (using +XX:MaxRAMPercentage). This has huge advantages i.t.o config management when running in the cloud and compute resources scale vertically.

Right now, we need to pre-touch the JVM heap but this causes an OOM error because the JVM is not respecting cgroup limits.

Docker DB container doesn't start

Following the installation docs from https://fusionauth.io/docs/v1/tech/installation-guide/docker doesn't result in a working fusionauth docker setup.

DB container fusionauth-db-1 doesn't start due to version conflict.

fusionauth-db-1          | 
fusionauth-db-1          | PostgreSQL Database directory appears to contain a database; Skipping initialization
fusionauth-db-1          | 
fusionauth-db-1          | 2022-07-18 08:30:07.657 UTC [1] FATAL:  database files are incompatible with server
fusionauth-db-1          | 2022-07-18 08:30:07.657 UTC [1] DETAIL:  The data directory was initialized by PostgreSQL version 11, which is not compatible with this version 12.9 (Debian 12.9-1.pgdg110+1).
fusionauth-db-1 exited with code 1
fusionauth-db-1          | 
fusionauth-db-1          | PostgreSQL Database directory appears to contain a database; Skipping initialization
fusionauth-db-1          | 
fusionauth-db-1          | 2022-07-18 08:30:11.191 UTC [1] FATAL:  database files are incompatible with server
fusionauth-db-1          | 2022-07-18 08:30:11.191 UTC [1] DETAIL:  The data directory was initialized by PostgreSQL version 11, which is not compatible with this version 12.9 (Debian 12.9-1.pgdg110+1).
fusionauth-db-1 exited with code 1

How to perform healthchecks?

I tried to add healthchecks to my docker-compose files and noticed that there is no curl installed.
Is there another way to test when the system is loaded and ready?

For context I tried:
healthcheck:
  test: [ "CMD-SHELL", "curl", "--silent", "--fail", "http://localhost:9011/api/status || exit 1" ]
  interval: 30s
  timeout: 10s
  retries: 5
  start_period: 30s

Looking at the logs I noticed the "curl command not found".
Thanks

Fusionauth-app tries to connect to Elasticsearch via port 9021 after docker-compose up

I used the v3 docker-compose.yml as posted in this repo, only adding a db password.

Using "docker-compose up" with the yml file, I get the initial setup wizard page, but after entering info, I see this in the log:

io.fusionauth.api.service.search.ElasticSearchClientProvider - Connecting to FusionAuth Search Engine at [http://localhost:9021]

And in the wizard, I see an error saying "The search engine appears to be down or failing to respond to the search query." I can see from netstat and from the yml file that elasticsearch is running in port 9200 and that fusionauth is directed to connect via port 9200, but still it's trying to connect to 9021.

If I modify the yml to expose elasticsearch container via port 9021 (9021:9200), I get this in the wizard:

"Silent Configuration Mode Failed"

And this in the logs:

search_1 | [2018-10-05T15:00:18,952][INFO ][o.e.g.GatewayService ] [9FG48XP] recovered [1] indices into cluster_state
search_1 | [2018-10-05T15:00:19,368][INFO ][o.e.c.r.a.AllocationService] [9FG48XP] Cluster health status changed from [RED] to [YELLOW] (reason: [shards started [[fusionauth_user][0]] ...]).
fusionauth_1 | Oct 05, 2018 3:01:52.911 PM ERROR c.inversoft.maintenance.search.ElasticsearchSilentConfigurationWorkflowTask - Silent configuration was unable to complete search configuration. Entering maintenance mode. State [SERVER_DOWN]

Please advise...

Preload configuration

I would like to define an initial configuration to use at deployment time.
For instance, it would be nice to have some pre-configured app/users/passwords/permissions (can be loaded via script),
just in case I need to throw all containers away and start clean but avoid reconfiguring the authentication when the focus is developing a webapp.
It can be something only enabled in development mode.
Is there a way to do it?

Docker won't build for version 1.15.3 due to malformed archive

The real issue is a malformed zip archive - I wasn't sure where to report that. In any case, this is failing:

RUN export FUSIONAUTH_VERSION=1.15.3 \
  && curl -Sk --progress-bar https://storage.googleapis.com/inversoft_products_j098230498/products/fusionauth/${FUSIONAUTH_VERSION}/fusionauth-app-${FUSIONAUTH_VERSION}.zip -o fusionauth-app.zip \
  && mkdir -p /usr/local/fusionauth/fusionauth-app \
  && unzip -nq fusionauth-app.zip -d /usr/local/fusionauth

Output:

[fusionauth-app.zip]
  End-of-central-directory signature not found.  Either this file is not
  a zipfile, or it constitutes one disk of a multi-part archive.  In the
  latter case the central directory and zipfile comment will be found on
  the last disk(s) of this archive.
unzip:  cannot find zipfile directory in one of fusionauth-app.zip or
        fusionauth-app.zip.zip, and cannot find fusionauth-app.zip.ZIP, period.

Sanity check (works for 1.15.2):

$ export FUSIONAUTH_VERSION=1.15.2
$ curl -Sk --progress-bar https://storage.googleapis.com/inversoft_products_j098230498/products/fusionauth/${FUSIONAUTH_VERSION}/fusionauth-app-${FUSIONAUTH_VERSION}.zip -o fusionauth-app.zip
##################################################################################################################################### 100.0%
$ unzip -nq fusionauth-app.zip
$
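
An added example, not code from the post or from the fusionauth-containers repository: a download step that refuses anything that is not the expected archive. The `curl -Sk` call above skips certificate verification (`-k`) and, without `--fail`, saves an HTTP error body as if it were the zip; the sketch below drops `-k`, adds `--fail`, checks the zip signature and compares a SHA-256 digest. The function names are hypothetical, and the expected digest is an assumption: it has to come from a source you trust.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from the repository).
#
# verify_archive FILE EXPECTED_SHA256 returns:
#   0  file carries a zip signature and the digest matches
#   1  file is missing or empty
#   2  file is not a zip (for example an HTML/XML error body saved by curl)
#   3  digest mismatch

# Print the SHA-256 of a file as lowercase hex, using whichever tool exists.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Print the first four bytes of a file as hex, e.g. 504b0304.
zip_magic() {
  head -c 4 "$1" | od -An -tx1 | tr -d ' \n'
}

verify_archive() {
  file=$1
  # Accept the digest in either letter case.
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

  [ -s "$file" ] || return 1

  # PK\003\004 = local file header, PK\005\006 = empty archive.
  case "$(zip_magic "$file")" in
    504b0304|504b0506) ;;
    *) return 2 ;;
  esac

  [ "$(sha256_of "$file")" = "$expected" ] || return 3
  return 0
}

# fetch_verified URL OUTFILE EXPECTED_SHA256
# Returns 4 when the transfer itself fails (TLS error, HTTP >= 400, ...),
# otherwise the result of verify_archive.
fetch_verified() {
  url=$1
  out=$2
  # --fail: do not save an HTTP error page as the archive.
  # --proto '=https': refuse plain-HTTP URLs. No -k: certificates are checked.
  curl --fail --silent --show-error --proto '=https' "$url" -o "$out" || return 4
  verify_archive "$out" "$3"
}
```

In a Dockerfile `RUN` step, calling `fetch_verified` before `unzip` turns a bad download into a failure at the download line with a distinct exit code.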

Reverse Proxy Not Working

Reverse proxying via caddy doesn't work. It gives 502

CaddyFile Content As below

# replace :80 with your domain name to get automatic https via LetsEncrypt
https://<your_domain> {
  reverse_proxy fusionauth:9011
}
  1. fusionauth is a service running in Docker
  2. caddy is running as a service in Docker with the above CaddyFile

FA time outs

Hi everybody,
We have Fusionauth installed on EKS and we have an LB pointing towards CF.
We are experiencing time outs from time to time with the admin page.
I was wondering if this could be a tomcat problem since I noticed that this is its web-server.
Logs are telling us nothing.

This is the version that we use:
fusionauth/fusionauth-app:1.30.1

Looking forward to your replies.

Database schema doesn't initialize

Following the guide here: https://fusionauth.io/docs/v1/tech/installation-guide/docker

When I do docker-compose up the credentials in the .env file don't work (not surprising since they haven't been created) so I point them to postgres/postgres.

POSTGRES_USER=postgres
POSTGRES_PASSWORD=postgres
DATABASE_USER=postgres
DATABASE_PASSWORD=postgres

After that step, try to run docker-compose up again but still not working. Database wasn't created. I uncomment out the port mapping in the docker-compose.yml and create the fusionauth database

fusionauth_1  | May 20, 2020 1:30:52.734 AM INFO  io.fusionauth.app.maintenance.FusionAuthMaintenanceModeWorkflow - Determine database status : ORDINARY_USER_CANNOT_CONNECT [FATAL: database "fusionauth" does not exist]
fusionauth_1  | May 20, 2020 1:30:52.737 AM INFO  org.primeframework.mvc.servlet.PrimeServletContextListener - Initializing Prime
fusionauth_1  | May 20, 2020 1:30:52.739 AM INFO  io.fusionauth.app.maintenance.guice.FusionAuthMaintenanceModeModule - 
fusionauth_1  | 
fusionauth_1  | ---------------------------------------------------------------------------------------------------------
fusionauth_1  | --------------------------------------- Entering Maintenance Mode ---------------------------------------
fusionauth_1  | ---------------------------------------------------------------------------------------------------------
fusionauth_1  |  

I think it used to create the database before, but no matter. Create the database manually and docker-compose down/up

Looks like the schema doesn't get generated either:

fusionauth_1  | May 20, 2020 1:38:27.202 AM INFO  io.fusionauth.app.maintenance.FusionAuthMaintenanceModeWorkflow - Determine database status : NO_SCHEMA
fusionauth_1  | May 20, 2020 1:38:27.204 AM INFO  org.primeframework.mvc.servlet.PrimeServletContextListener - Initializing Prime
fusionauth_1  | May 20, 2020 1:38:27.206 AM INFO  io.fusionauth.app.maintenance.guice.FusionAuthMaintenanceModeModule - 
fusionauth_1  | 
fusionauth_1  | ---------------------------------------------------------------------------------------------------------
fusionauth_1  | --------------------------------------- Entering Maintenance Mode ---------------------------------------
fusionauth_1  | -- 
db_1          | LOG:  incomplete startup packet
db_1          | ERROR:  relation "version" does not exist at character 21
db_1          | STATEMENT:  select version from version

When I navigate to localhost:9011 I get the maintenance mode screen which I can put in the db user and password to go forward but I think the intention is for this to run out of the box. Forgive me and feel free to promptly close if that is not the intention and I should just use the maintenance mode screen to set up the database.

fusionauth-app won't run due to filesystem permissions issue

Having a permissions issue when running a fusionauth-app container. Same results for 1.15.2 all the way down to 1.13. For example:

$ docker run -it fusionauth/fusionauth-app:1.15.2
mkdir: cannot create directory '/usr/local/fusionauth/fusionauth-app/apache-tomcat/../../logs': Permission denied
Using CATALINA_BASE:   /usr/local/fusionauth/fusionauth-app/apache-tomcat
Using CATALINA_HOME:   /usr/local/fusionauth/fusionauth-app/apache-tomcat
Using CATALINA_TMPDIR: /usr/local/fusionauth/fusionauth-app/apache-tomcat/temp
Using JRE_HOME:        /usr/local/fusionauth/fusionauth-app/apache-tomcat/../../java/current
Using CLASSPATH:       /usr/local/fusionauth/fusionauth-app/apache-tomcat/bin/bootstrap.jar:/usr/local/fusionauth/fusionauth-app/apache-tomcat/bin/tomcat-juli.jar
Feb 20, 2020 5:28:25 PM org.apache.catalina.startup.Catalina load
WARNING: Unable to load server configuration from [/usr/local/fusionauth/fusionauth-app/apache-tomcat/conf/server.xml]
Feb 20, 2020 5:28:25 PM org.apache.catalina.startup.Catalina start
SEVERE: Cannot start server. Server instance is not configured.

Seems it's trying to create /usr/local/fusionauth/logs but unable due to permissions.

Using a dockerfile based on https://github.com/FusionAuth/fusionauth-containers/blob/1.15.2/docker/fusionauth/fusionauth-app/Dockerfile but using bash as the entrypoint, I'm seeing these permissions:

$ cd /usr/local/fusionauth/fusionauth-app/
$ ls -al
total 24
drwxr-sr-x 6 root fusionauth 4096 Feb 20 20:30 .
drwxr-sr-x 1 root fusionauth 4096 Feb 20 20:30 ..
drwxrwsr-x 8 root fusionauth 4096 Feb 19 11:58 3rd-party-licenses
drwxrwsr-x 6 root fusionauth 4096 Feb 19 11:58 apache-tomcat
drwxrwsr-x 2 root fusionauth 4096 Feb 19 11:58 template
drwxrwsr-x 7 root fusionauth 4096 Feb 19 11:58 web
$ cd ..
$ mkdir logs
mkdir: cannot create directory 'logs': Permission denied

Given that the Docker user is fusionauth, and root owns /usr/local/fusionauth, it doesn't work. Additionally, this user can't do anything in the apache-tomcat/conf directory:

$ cd /usr/local/fusionauth/fusionauth-app/apache-tomcat
$ ls -al
total 140
drwxrwsr-x 6 root fusionauth  4096 Feb 19 11:58 .
drwxr-sr-x 6 root fusionauth  4096 Feb 20 20:30 ..
-rw-r----- 1 root fusionauth 19534 Feb 19 11:58 BUILDING.txt
-rw-r----- 1 root fusionauth  5407 Feb 19 11:58 CONTRIBUTING.md
-rw-r----- 1 root fusionauth 57011 Feb 19 11:58 LICENSE
-rw-r----- 1 root fusionauth  1726 Feb 19 11:58 NOTICE
-rw-r----- 1 root fusionauth  3255 Feb 19 11:58 README.md
-rw-r----- 1 root fusionauth  7139 Feb 19 11:58 RELEASE-NOTES
-rw-r----- 1 root fusionauth 16262 Feb 19 11:58 RUNNING.txt
drwxr-s--- 2 root fusionauth  4096 Feb 19 11:58 bin
drwx--S--- 2 root fusionauth  4096 Feb 19 11:58 conf
drwxr-s--- 2 root fusionauth  4096 Feb 19 11:58 lib
drwxr-s--- 2 root fusionauth  4096 Feb 19 11:58 temp
$ cd conf/
bash: cd: conf/: Permission denied

At first I thought this was the same as #31, which was closed yesterday, but I don't think that's the case.

ARM64v8 - Raspberry Pi compatible docker image

I want to deploy fusionAuth onto ARM64v8 - Raspberry Pi 4. So far the docker images for fusionAuth only support amd64 architecture. Is there a way to deploy fusionAuth docker image on Raspberry Pi 4 k8s cluster?

Access fusionauth-app UI from outside container (external access)?

I am using the following docker-compose.yml for deployment cloned from following https://fusionauth.io/docs/v1/tech/installation-guide/docker

version: '3'

services:
  db:
    image: postgres:9.6
    environment:
      PGDATA: /var/lib/postgresql/data/pgdata
      POSTGRES_USER: ${POSTGRES_USER}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
# Un-comment to access the db service directly
    ports:
      - 5432:5432
    networks:
      - db
    restart: unless-stopped
    volumes:
      - db_data:/var/lib/postgresql/data

  search:
    image: docker.elastic.co/elasticsearch/elasticsearch:6.3.1
    environment:
      - cluster.name=fusionauth
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=${ES_JAVA_OPTS}"
# Un-comment to access the search service directly
    ports:
      - 9200:9200
      - 9300:9300
    networks:
      - search
    restart: unless-stopped
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - es_data:/usr/share/elasticsearch/data

  fusionauth:
    image: fusionauth/fusionauth-app:latest
    depends_on:
      - db
      - search
    environment:
      DATABASE_URL: jdbc:postgresql://db:5432/fusionauth
      DATABASE_ROOT_USER: ${POSTGRES_USER}
      DATABASE_ROOT_PASSWORD: ${POSTGRES_PASSWORD}
      DATABASE_USER: ${DATABASE_USER}
      DATABASE_PASSWORD: ${DATABASE_PASSWORD}
      FUSIONAUTH_MEMORY: ${FUSIONAUTH_MEMORY}
      FUSIONAUTH_SEARCH_SERVERS: http://search:9200
      FUSIONAUTH_URL: http://fusionauth:9011
    networks:
     - db
     - search
    restart: unless-stopped
    ports:
      - 9011:9011
    volumes:
      - fa_config:/usr/local/fusionauth/config

networks:    
  db:
    driver: bridge
  search:
    driver: bridge
  
volumes:
  db_data:
  es_data:
  fa_config:

I am unable to access the fusionauth UI screen from http://localhost:9011 or http://fusionauth:9011

How can I access the UI welcome screen from outside the docker container? Is there any enableExternal: true env variable available?

Is there a way to test or ping the fusionAuth App to make sure it's up and running other than using docker ps -a

Docker installation problem

I'm trying to run fusionAuth using docker containers. This is the first time I'm doing this.
Running the following commands

curl -o docker-compose.yml https://raw.githubusercontent.com/FusionAuth/fusionauth-containers/master/docker/fusionauth/docker-compose.yml
curl -o .env https://raw.githubusercontent.com/FusionAuth/fusionauth-containers/master/docker/fusionauth/.env
docker-compose up

I've got the following error with search:

> 
> search_1      | OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
> search_1      | OpenJDK 64-Bit Server VM warning: UseAVX=2 is not supported on this CPU, setting it to UseAVX=1
> search_1      | [2019-10-26T07:59:42,358][INFO ][o.e.n.Node               ] [] initializing ...
> search_1      | [2019-10-26T07:59:42,577][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [] uncaught exception in thread [main]
> search_1      | org.elasticsearch.bootstrap.StartupException: ElasticsearchException[java.io.IOException: failed to read [id:236, legacy:false, file:/usr/share/elasticsearch/data/nodes/0/_state/node-236.st]]; nested: IOException[failed to read [id:236, legacy:false, file:/usr/share/elasticsearch/data/nodes/0/_state/node-236.st]]; nested: IllegalArgumentException[[node_meta_data] unknown field [node_version], parser not found];
> search_1      | 	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:140) ~[elasticsearch-6.3.2.jar:6.3.2]
> search_1      | 	at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:127) ~[elasticsearch-6.3.2.jar:6.3.2]
> search_1      | 	at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) ~[elasticsearch-6.3.2.jar:6.3.2]
> search_1      | 	at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) ~[elasticsearch-cli-6.3.2.jar:6.3.2]
> search_1      | 	at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-cli-6.3.2.jar:6.3.2]
> search_1      | 	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:93) ~[elasticsearch-6.3.2.jar:6.3.2]
> search_1      | 	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:86) ~[elasticsearch-6.3.2.jar:6.3.2]
> search_1      | Caused by: org.elasticsearch.ElasticsearchException: java.io.IOException: failed to read [id:236, legacy:false, file:/usr/share/elasticsearch/data/nodes/0/_state/node-236.st]
> search_1      | 	at org.elasticsearch.ExceptionsHelper.maybeThrowRuntimeAndSuppress(ExceptionsHelper.java:199) ~[elasticsearch-6.3.2.jar:6.3.2]
> search_1      | 	at org.elasticsearch.gateway.MetaDataStateFormat.loadLatestState(MetaDataStateFormat.java:331) ~[elasticsearch-6.3.2.jar:6.3.2]
> search_1      | 	at org.elasticsearch.env.NodeEnvironment.loadOrCreateNodeMetaData(NodeEnvironment.java:357) ~[elasticsearch-6.3.2.jar:6.3.2]
> search_1      | 	at org.elasticsearch.env.NodeEnvironment.<init>(NodeEnvironment.java:245) ~[elasticsearch-6.3.2.jar:6.3.2]
> search_1      | 	at org.elasticsearch.node.Node.<init>(Node.java:270) ~[elasticsearch-6.3.2.jar:6.3.2]
> search_1      | 	at org.elasticsearch.node.Node.<init>(Node.java:252) ~[elasticsearch-6.3.2.jar:6.3.2]
> search_1      | 	at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:213) ~[elasticsearch-6.3.2.jar:6.3.2]
> search_1      | 	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.3.2.jar:6.3.2]
> search_1      | 	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:326) ~[elasticsearch-6.3.2.jar:6.3.2]
> search_1      | 	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:136) ~[elasticsearch-6.3.2.jar:6.3.2]
> search_1      | 	... 6 more
> search_1      | Caused by: java.io.IOException: failed to read [id:236, legacy:false, file:/usr/share/elasticsearch/data/nodes/0/_state/node-236.st]
> search_1      | 	at org.elasticsearch.gateway.MetaDataStateFormat.loadLatestState(MetaDataStateFormat.java:325) ~[elasticsearch-6.3.2.jar:6.3.2]
> search_1      | 	at org.elasticsearch.env.NodeEnvironment.loadOrCreateNodeMetaData(NodeEnvironment.java:357) ~[elasticsearch-6.3.2.jar:6.3.2]
> search_1      | 	at org.elasticsearch.env.NodeEnvironment.<init>(NodeEnvironment.java:245) ~[elasticsearch-6.3.2.jar:6.3.2]
> search_1      | 	at org.elasticsearch.node.Node.<init>(Node.java:270) ~[elasticsearch-6.3.2.jar:6.3.2]
> search_1      | 	at org.elasticsearch.node.Node.<init>(Node.java:252) ~[elasticsearch-6.3.2.jar:6.3.2]
> search_1      | 	at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:213) ~[elasticsearch-6.3.2.jar:6.3.2]
> search_1      | 	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.3.2.jar:6.3.2]
> search_1      | 	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:326) ~[elasticsearch-6.3.2.jar:6.3.2]
> search_1      | 	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:136) ~[elasticsearch-6.3.2.jar:6.3.2]
> search_1      | 	... 6 more
> search_1      | Caused by: java.lang.IllegalArgumentException: [node_meta_data] unknown field [node_version], parser not found
> search_1      | 	at org.elasticsearch.common.xcontent.ObjectParser.getParser(ObjectParser.java:347) ~[elasticsearch-x-content-6.3.2.jar:6.3.2]
> search_1      | 	at org.elasticsearch.common.xcontent.ObjectParser.parse(ObjectParser.java:158) ~[elasticsearch-x-content-6.3.2.jar:6.3.2]
> search_1      | 	at org.elasticsearch.common.xcontent.ObjectParser.apply(ObjectParser.java:182) ~[elasticsearch-x-content-6.3.2.jar:6.3.2]
> search_1      | 	at org.elasticsearch.env.NodeMetaData$1.fromXContent(NodeMetaData.java:110) ~[elasticsearch-6.3.2.jar:6.3.2]
> search_1      | 	at org.elasticsearch.env.NodeMetaData$1.fromXContent(NodeMetaData.java:94) ~[elasticsearch-6.3.2.jar:6.3.2]
> search_1      | 	at org.elasticsearch.gateway.MetaDataStateFormat.read(MetaDataStateFormat.java:199) ~[elasticsearch-6.3.2.jar:6.3.2]
> search_1      | 	at org.elasticsearch.gateway.MetaDataStateFormat.loadLatestState(MetaDataStateFormat.java:320) ~[elasticsearch-6.3.2.jar:6.3.2]
> search_1      | 	at org.elasticsearch.env.NodeEnvironment.loadOrCreateNodeMetaData(NodeEnvironment.java:357) ~[elasticsearch-6.3.2.jar:6.3.2]
> search_1      | 	at org.elasticsearch.env.NodeEnvironment.<init>(NodeEnvironment.java:245) ~[elasticsearch-6.3.2.jar:6.3.2]
> search_1      | 	at org.elasticsearch.node.Node.<init>(Node.java:270) ~[elasticsearch-6.3.2.jar:6.3.2]
> search_1      | 	at org.elasticsearch.node.Node.<init>(Node.java:252) ~[elasticsearch-6.3.2.jar:6.3.2]
> search_1      | 	at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:213) ~[elasticsearch-6.3.2.jar:6.3.2]
> search_1      | 	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.3.2.jar:6.3.2]
> search_1      | 	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:326) ~[elasticsearch-6.3.2.jar:6.3.2]
> search_1      | 	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:136) ~[elasticsearch-6.3.2.jar:6.3.2]
> search_1      | 	... 6 more

How to upgrade Elasticsearch Deployment Template.

Hello,

I have been trying to upgrade the Elasticsearch version of my search configurations.
Current version is: 6.3.1.
I run this in an EKS cluster.

What I am asking is any tips regarding the upgrade.
When I first attempted to upgrade, it failed.
I am trying to jump to >= 7.2
Is there a document showing how to update it, because I have started receiving feedback from our back-end developers stating that the application has been down for a whole day.
When I checked the logs I found around 12/14 attempts of Fusion to connect to Elasticsearch.
Looking into the Elasticsearch logs shows that
[2022-03-03T05:04:55,070][WARN ][o.e.x.s.a.s.m.NativeRoleMappingStore] [PcFr0Jo] Failed to clear cache for realms [[]]

During the whole day Fusionauth was attempting to restart and connect and Elasticsearch was still trying to start I guess.

DNS resolution issues when run in kubernetes / rancher

We're running the server in kubernetes on a rancher cluster using the helm chart and occasionally the server gets into a state where unpredictably the DNS resolution starts to fail.

In our event logs we see

Request to the [https://github.com/login/oauth/access_token] endpoint failed. Status code [-1]

Exception encountered.

java.net.UnknownHostException : Message: github.com

Our network manager pointed us at DNS resolution issues with the musl library in alpine images.
See for example: https://support.cloudbees.com/hc/en-us/articles/360040999471-UnknownHostException-caused-by-DNS-Resolution-issue-with-Alpine-Images

Would you consider switching from alpine to another base layer?

Versioning (Git) templates and styles of the OAuth v2.0

Hi Daniel,
I am using FusionAuth with Docker containers, and I have a doubt.
Would it be possible to version UI templates of the OAuth?
In my yaml configuration file I have tried with volumes but I think that the path where the templates are located is not correct.


Thanks and regards!

request: include CURL or WGET in built images so that we can test docker healthcheck within docker-compose

Docker-compose (and docker run)'s healthchecks execute a command inside the container, and fusionauth's healthcheck lives at an HTTP endpoint, so in order to test it from inside the container we need either wget or curl available.

One possible solution is to install these tools in the built image, another possible solution is switching to alpine which includes wget by default and may make built containers slimmer.

problem with loading fusionauthdb on RDS

I have been battling with getting fa to work with mysql rds. I am using fusionauth/fusionauth-app:1.19.7

When I use this DATABASE_URL: jdbc:mysql://database-2.cwymdn16cxes.us-east-1.rds.amazonaws.com;dbname=fusionauthdb and I look in the docker logs, I see a huge number of errors.

for example:

2021-02-27 12:23:59.094 PM ERROR com.inversoft.maintenance.db.JDBCMaintenanceModeDatabaseService - Configuration [database.url] is invalid. It must begin with either jdbc:mysql: or jdbc:postgresql:
2021-02-27 12:23:59.102 PM ERROR com.inversoft.maintenance.db.JDBCURL - Could not parse jdbcString [jdbc:mysql://database-2.cwymdn16cxes.us-east-1.rds.amazonaws.com;dbname=fusionauthdb]

If I instead use this one:
DATABASE_URL: jdbc:mysql://database-2.cwymdn16cxes.us-east-1.rds.amazonaws.com:3306/fusionauthdb
the errors go away, but the rds times out with this message after about 10 minutes:

mysqli::real_connect(): (HY000/1129): Host '69.124.176.183' is blocked because of many connection errors; unblock with 'mysqladmin flush-hosts'

Either way, I am trying to run fa in docker on my laptop and access the dbase on rds. When I type localhost:9011 the system always goes into maint mode as if it can't see the existing rds fusionauthdb.

I have another installation on EC2 that can access this same fusionauthdb fine. Any ideas on why the rds is timing out from the localhost but not from EC2 when accessing fusionauthdb?

[helm] pods stuck in init using custom PostgreSQL and Elasticsearch

Using my own Elasticsearch and PostgreSQL. So in values.yaml I am setting:

  ...
  data:
    memory: 256M
    database:
      # if empty {{- .Release.Name -}}-postgresql will be used
      host: postgres-master.default.svc.cluster.local
      port: 5432
      tls: false
      name: fusionauth
      user: localhost
      password: localhost
      root:
        user: localhost
        password: localhost
    elasticsearch:
      host: elasticsearch-master.default.svc.cluster.local
      port: 9200
  ...
  elasticsearch:
    enabled: false

  postgresql:
    enabled: false

But the pods are just stuck on:

fusionauth-6c4745bfd9-6jgth     0/1     Init:0/2           0          16m
fusionauth-6c4745bfd9-r48k2     0/1     Init:0/2           0          16m
fusionauth-6c4745bfd9-sjl72     0/1     Init:0/2           0          16m

Looking at the pods ENVARS I see:

    Environment:
      DATABASE_USER:              localhost
      DATABASE_PASSWORD:          localhost
      DATABASE_ROOT_PASSWORD:     localhost
      DATABASE_ROOT_USER:         localhost
      DATABASE_URL:               jdbc:postgresql://fusionauth-postgresql:5432/fusionauth
      FUSIONAUTH_SEARCH_SERVERS:  http://elasticsearch-master:9200
      FUSIONAUTH_MEMORY:          256M

Is that right? I would have expected to see the custom hosts in ENVARs

Kubernetes deployment

Hello guys,

I've been trying to convert the docker-compose to a kubernetes setup.

The issue I ran into is that the config folder remains empty after the fusionauth-app container deploys. I presume upon the first startup the fusionauth.properties and keystore files would be either downloaded or created from the environment variables provided in the deployment file

      containers:
      - env:
        - name: DATABASE_PASSWORD
          value: <password>
        - name: DATABASE_ROOT_PASSWORD
          value: <password>
        - name: DATABASE_ROOT_USER
          value: postgres
        - name: DATABASE_URL
          value: jdbc:postgresql://fusionauth-db:5432/fusionauth
        - name: DATABASE_USER
          value: fusionauth
        - name: FUSIONAUTH_MEMORY
          value: 256M
        - name: FUSIONAUTH_SEARCH_SERVERS
          value: http://fusionauth-search:9200
        image: fusionauth/fusionauth-app:latest
        name: fusionauth
        ports:
        - containerPort: 9011

However the /usr/local/fusionauth/config is empty after startup.
If I manually create the properties file during initialization, we're one step closer. :)

What’s the condition for the “silent configuration” to be triggered?

Docker-Compose: .env not working -> max virtual memory areas too low

Hi,

When I run the docker-compose stack with default parameters,
the Elastic Search Container does not run properly.

max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]

After changing the .env

ES_JAVA_OPTS=-Xms1024m -Xmx1024m
and
FUSIONAUTH_MEMORY=1024M

It seems to not be reflected by the Elastic Search Container... nothing changes, still the same error.

Am I missing something here or is it a bug?

Example: usage with Kubernetes

Hi there,

great work: I was trying to use the kubernetes setup locally with minikube.

The container setup seems to work well.

However there is no way I got it working (meaning: accessing from outside the cluster) with an ingress such as traefik, except using port forward (which is a non-solution).
kubectl port-forward svc/fusionauth 9011:9011

I tried adding this traefik configuration for an ingress:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: fusionauth
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
    - host: fusionauth.minikube
      http:
        paths:
          - path: /
            backend:
              serviceName: fusionauth
              servicePort: 9011

I followed this guide and used a Deployment for the access. fusionauth.minikube is something like: clusterIp: where port was assigned to the deployment, in my case 30657

Browsing to http://fusionauth.minikube:30657 I get a nasty error

error_description" : "Invalid redirection uri http://fusionauth.minikube:30657:30657/login",

What am I doing wrong here?

Thank you

DATABASE_ROOT_USER vs DATABASE_ROOT_USERNAME

Just did a fresh install and saw the following warning:

2020-10-19 10:14:56.764 PM WARN  com.inversoft.configuration.BasePropertiesFileInversoftConfiguration - Your FusionAuth configuration file [/usr/local/fusionauth/fusionauth-app/apache-tomcat/../../config/fusionauth.properties] needs attention. Here are the warnings:

  - You are using a deprecated configuration property name of [DATABASE_ROOT_USER]. The new allowed names for that property are [database.root.username]

It seems that DATABASE_ROOT_USER should now be DATABASE_ROOT_USERNAME, but didn't make it into the updated compose file yet maybe? Making that change seems to have gotten rid of the warning.

error starting containers fusionauth-app:1.15.1

org.apache.catalina.startup.Catalina load WARNING: Unable to load server configuration from [/usr/local/fusionauth/fusionauth-app/apache-tomcat/conf/server.xml]
org.apache.catalina.startup.Catalina start SEVERE: Cannot start server. Server instance is not configured.

IMAGE
fusionauth/fusionauth-app:1.15.1

Image version 1.14.0 works!

Is there any breaking change?

X-Forwarded-Port Proxy Header missing

After initial setup FusionAuth warns about proxy configuration.
This prevents using the App, like adding an Application.
It seems X-Forwarded-Port is missing in the nginx configuration.
Adding the statement in http_default.conf fixes this, in my case.

Question: Docker folder-volumes

Hi,

when running the example docker compose I don't want to create a "docker volume", instead I want to use a specific folder like:

  image: fusionauth/fusionauth-app:latest  
  ....
  volumes:
      - :/data/fa_config:/usr/local/fusionauth/config

When I do so I get this error:

fusionauth_1  | ===================================================================================================
fusionauth_1  |
fusionauth_1  |   Unable to start the server. Here's why:
fusionauth_1  |
fusionauth_1  |
fusionauth_1  | [Error injecting constructor, java.lang.IllegalArgumentException: The configuration file [/usr/local/fusionauth/fusionauth-app/apache-tomcat/../../config/fusionauth.properties] doesn't exist.]
fusionauth_1  | 	-> [class java.lang.IllegalArgumentException] The configuration file [/usr/local/fusionauth/fusionauth-app/apache-tomcat/../../config/fusionauth.properties] doesn't exist.
fusionauth_1  |
fusionauth_1  | ===================================================================================================
fusionauth_1  |
fusionauth_1  |
fusionauth_1  | May 10, 2019 1:16:35.873 PM ERROR org.primeframework.mvc.guice.GuiceBootstrap - Unable to start the server. Exception:
fusionauth_1  |
fusionauth_1  | com.google.inject.CreationException: Unable to create injector, see the following errors:
fusionauth_1  |
fusionauth_1  | 1) Error injecting constructor, java.lang.IllegalArgumentException: The configuration file [/usr/local/fusionauth/fusionauth-app/apache-tomcat/../../config/fusionauth.properties] doesn't exist.
fusionauth_1  |   at io.fusionauth.api.configuration.PropertiesFileFusionAuthConfiguration.<init>(PropertiesFileFusionAuthConfiguration.java:35)
fusionauth_1  |   at io.fusionauth.api.configuration.PropertiesFileFusionAuthConfiguration.class(PropertiesFileFusionAuthConfiguration.java:21)
fusionauth_1  |   while locating io.fusionauth.api.configuration.PropertiesFileFusionAuthConfiguration
fusionauth_1  |   at io.fusionauth.app.maintenance.guice.FusionAuthMaintenanceModeSilentConfigurationModule.configure(FusionAuthMaintenanceModeSilentConfigurationModule.java:30)
fusionauth_1  |   while locating com.inversoft.configuration.InversoftConfiguration
fusionauth_1  |     for the 1st parameter of com.inversoft.maintenance.db.JDBCMaintenanceModeDatabaseService.downloadMySQLConnector(JDBCMaintenanceModeDatabaseService.java:67)
fusionauth_1  |
fusionauth_1  | 1 error
fusionauth_1  | 	at com.google.inject.internal.Errors.throwCreationExceptionIfErrorsExist(Errors.java:543) ~[guice-4.2.0.jar:na]
fusionauth_1  | 	at com.google.inject.internal.InternalInjectorCreator.injectDynamically(InternalInjectorCreator.java:178) ~[guice-4.2.0.jar:na]
fusionauth_1  | 	at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:109) ~[guice-4.2.0.jar:na]
fusionauth_1  | 	at com.google.inject.Guice.createInjector(Guice.java:87) ~[guice-4.2.0.jar:na]
fusionauth_1  | 	at com.google.inject.Guice.createInjector(Guice.java:69) ~[guice-4.2.0.jar:na]
fusionauth_1  | 	at com.google.inject.Guice.createInjector(Guice.java:59) ~[guice-4.2.0.jar:na]
fusionauth_1  | 	at org.primeframework.mvc.guice.GuiceBootstrap.initialize(GuiceBootstrap.java:58) ~[prime-mvc-1.13.2.jar:1.13.2]
fusionauth_1  | 	at com.inversoft.maintenance.servlet.MaintenanceModePrimeServletContextListener.contextInitialized(MaintenanceModePrimeServletContextListener.java:39) [inversoft-maintenance-mode-0.12.8.jar:0.12.8]
fusionauth_1  | 	at io.fusionauth.app.primeframework.FusionAuthAppPrimeServletContextListener.contextInitialized(FusionAuthAppPrimeServletContextListener.java:29) [fusionauth-app-1.5.0.jar:1.5.0]
fusionauth_1  | 	at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4792) [catalina.jar:8.5.31]
fusionauth_1  | 	at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5256) [catalina.jar:8.5.31]
fusionauth_1  | 	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) [catalina.jar:8.5.31]
fusionauth_1  | 	at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1421) [catalina.jar:8.5.31]
fusionauth_1  | 	at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1411) [catalina.jar:8.5.31]
fusionauth_1  | 	at java.util.concurrent.FutureTask.run(FutureTask.java:266) [na:1.8.0_171]
fusionauth_1  | 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_171]
fusionauth_1  | 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_171]
fusionauth_1  | 	at java.lang.Thread.run(Thread.java:748) [na:1.8.0_171]
fusionauth_1  | Caused by: java.lang.IllegalArgumentException: The configuration file [/usr/local/fusionauth/fusionauth-app/apache-tomcat/../../config/fusionauth.properties] doesn't exist.
fusionauth_1  | 	at com.inversoft.configuration.BasePropertiesFileInversoftConfiguration.initialize(BasePropertiesFileInversoftConfiguration.java:263) ~[inversoft-config-0.6.2.jar:0.6.2]
fusionauth_1  | 	at io.fusionauth.api.configuration.PropertiesFileFusionAuthConfiguration.initialize(PropertiesFileFusionAuthConfiguration.java:94) ~[fusionauth-api-1.5.0.jar:1.5.0]
fusionauth_1  | 	at com.inversoft.configuration.BasePropertiesFileInversoftConfiguration.initializeAndLogErrors(BasePropertiesFileInversoftConfiguration.java:323) ~[inversoft-config-0.6.2.jar:0.6.2]
fusionauth_1  | 	at com.inversoft.configuration.BasePropertiesFileInversoftConfiguration.<init>(BasePropertiesFileInversoftConfiguration.java:64) ~[inversoft-config-0.6.2.jar:0.6.2]
fusionauth_1  | 	at io.fusionauth.api.configuration.PropertiesFileFusionAuthConfiguration.<init>(PropertiesFileFusionAuthConfiguration.java:35) ~[fusionauth-api-1.5.0.jar:1.5.0]
fusionauth_1  | 	at io.fusionauth.api.configuration.PropertiesFileFusionAuthConfiguration$$FastClassByGuice$$62935ad5.newInstance(<generated>) ~[fusionauth-api-1.5.0.jar:1.5.0]
fusionauth_1  | 	at com.google.inject.internal.DefaultConstructionProxyFactory$FastClassProxy.newInstance(DefaultConstructionProxyFactory.java:89) ~[guice-4.2.0.jar:na]
fusionauth_1  | 	at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:114) ~[guice-4.2.0.jar:na]
fusionauth_1  | 	at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:91) ~[guice-4.2.0.jar:na]
fusionauth_1  | 	at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:306) ~[guice-4.2.0.jar:na]
fusionauth_1  | 	at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40) ~[guice-4.2.0.jar:na]
fusionauth_1  | 	at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:148) ~[guice-4.2.0.jar:na]
fusionauth_1  | 	at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:39) ~[guice-4.2.0.jar:na]
fusionauth_1  | 	at com.google.inject.internal.FactoryProxy.get(FactoryProxy.java:62) ~[guice-4.2.0.jar:na]
fusionauth_1  | 	at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40) ~[guice-4.2.0.jar:na]
fusionauth_1  | 	at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:148) ~[guice-4.2.0.jar:na]
fusionauth_1  | 	at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:39) ~[guice-4.2.0.jar:na]
fusionauth_1  | 	at com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:42) ~[guice-4.2.0.jar:na]
fusionauth_1  | 	at com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:65) ~[guice-4.2.0.jar:na]
fusionauth_1  | 	at com.google.inject.internal.SingleMethodInjector.inject(SingleMethodInjector.java:82) ~[guice-4.2.0.jar:na]
fusionauth_1  | 	at com.google.inject.internal.InjectionRequestProcessor$StaticInjection.injectMembers(InjectionRequestProcessor.java:125) ~[guice-4.2.0.jar:na]
fusionauth_1  | 	at com.google.inject.internal.InjectionRequestProcessor.injectMembers(InjectionRequestProcessor.java:80) ~[guice-4.2.0.jar:na]
fusionauth_1  | 	at com.google.inject.internal.InternalInjectorCreator.injectDynamically(InternalInjectorCreator.java:173) ~[guice-4.2.0.jar:na]
fusionauth_1  | 	... 16 common frames omitted

Any plans to implement the possibility to use the folder structure? :) The database and elastic search are already able to run with the folder structure.

Best regards,
Jan

Add ping to docker file

Please add ping or telnet to docker file. It is useful to test external postgresql/elasticsearch networking.

apt-get install iputils-ping -y

Allow additional JDK modules via docker arg

Description

If someone wants to extend our base docker image and add additional JDK modules, we could optionally let them do this with a Docker arg I think.

Workarounds

Modify the docker file definition and add additional arguments to the jlink command.

Silent Configuration without root database password

I'm looking at using FusionAuth in a Kubernetes environment, where my database is already hosted by Amazon RDS, but I'll be hosting FusionAuth-app and ElasticSearch in Amazon EKS (kubernetes).

CREATE DATABASE "fusionauth" ENCODING 'UTF-8' LC_CTYPE 'en_US.UTF-8' LC_COLLATE 'en_US.UTF-8' TEMPLATE template0;
CREATE ROLE "fusionauth" WITH LOGIN PASSWORD '<hidden>';
GRANT ALL PRIVILEGES ON DATABASE "fusionauth" TO "fusionauth"; 
ALTER DATABASE "fusionauth" OWNER TO "fusionauth";

If I provide the following environment variables:

DATABASE_URL: jdbc:postgresql://myrdsurl:5432/fusionauth
DATABASE_USER: fusionauth
DATABASE_PASSWORD: <hidden>
FUSIONAUTH_SEARCH_SERVERS: http://search:9200
FUSIONAUTH_URL: http://fusionauth:9011

And I omit:

DATABASE_ROOT_USER: foo
DATABASE_ROOT_PASSWORD: bar

Then I am always greeted with the "Silent Configuration Mode Failed" message.

Why is the root database password required when the username and database have already been set up in Postgres?

vCPU requirements for FusionAuth

Hi Team,

Could you please share the vCPU requirements and recommendations for each component of FusionAuth?

I am planning to run this on Kubernetes, so please tell me if there would be any issues with that?

Published images include wrong JDK

(From image fusionauth/fusionauth-app:1.32.1 linux/arm64)

When I build from these Dockerfiles, I get an image that properly contains the arm64 JDK/JRE, but when I pull from Dockerhub I get an arm64 image with an x86-64 JDK that fails to start. Not sure where the inconsistency was introduced, but just wanting to draw attention to it. Image tag latest for platform linux/arm64 is currently broken.

Proxy Config Warning

I chose to utilize Load Balancer over the ingress controller, and I'm sure that's where this is coming from. Apart from which would be better to utilize in production (opinions are welcome), I'm curious to figure out how to fix it. I utilized the same configuration files, except for the istio folder config files, and I already have elasticsearch running under a different namespace for logging for the k8 cluster.

With that said, I did need to add namespace: fusionauth to the fusionauth DB PVC config file (since unlike the example, I was not using the default namespace).

I also had to change the URL in the fusionauth deployment for elasticsearch, since it was under a different namespace (elasticsearch.logging.svc.cluster.local).

The only real major change was the fusionauth SVC configuration. I'm using the following.

apiVersion: v1
kind: Service
metadata:
  name: fusionauth
  namespace: fusionauth
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:..."
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
spec:
  selector:
    app: fusionauth
  ports:
  - name: http
    protocol: TCP
    port: 80
    targetPort: 9011
  - name: https
    protocol: TCP
    port: 443
    targetPort: 9011
  type: LoadBalancer

With the following configuration, everything appears to be working. Except, I have the following warning:

"Your browser reported a request origin that is not equal to the actual HTTP request. Because these are not equal we will fail CSRF (Cross Site Request Forgery) validation when you submit a form that is using the POST method. If you attempt to create an Application, API key, User, etc you will receive an Unauthorized message."

which can be fixed with X-Forwarded-Proto: https. Now, this is of course easy when using nginx reverse proxies, so I'm guessing that's why you're using the ingress controller. Can this be fixed with load balancers? Also, with this setup, I'm able to capture HTTP and HTTPS requests, but the user is not auto redirected to HTTPS.
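The origin mismatch behind this warning, and behind the X-Forwarded-Port report earlier on the page, as an added example that is not part of the original issues and is not FusionAuth's code. It assumes a generic check that rebuilds the request origin from `Host` and the `X-Forwarded-*` headers and compares it with the browser's `Origin`; the host name `auth.example.com`, port 8443 and all function names are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(scheme, host, port):
    """scheme://host[:port], with the port dropped when it is the scheme default."""
    scheme, host = scheme.lower(), host.lower()
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def effective_origin(connection_scheme, headers):
    """Origin as the backend reconstructs it (assumed logic, not FusionAuth's)."""
    scheme = headers.get("X-Forwarded-Proto", connection_scheme)
    host_value = headers.get("X-Forwarded-Host", headers["Host"])
    parsed = urlsplit("//" + host_value)  # parse "host[:port]" as a netloc
    forwarded_port = headers.get("X-Forwarded-Port")
    port = int(forwarded_port) if forwarded_port else parsed.port
    return normalize_origin(scheme, parsed.hostname, port)


def origin_check(connection_scheme, headers):
    """Return (ok, expected, got) for the browser's Origin header."""
    browser = urlsplit(headers["Origin"])
    got = normalize_origin(browser.scheme, browser.hostname, browser.port)
    expected = effective_origin(connection_scheme, headers)
    return got == expected, expected, got


# Constructed requests, as a backend on port 9011 would receive them over plain HTTP.
CASES = {
    # TLS ends at a TCP load balancer on 443; no forwarded headers reach the app.
    "tcp_lb_tls_443_no_headers": {
        "Host": "auth.example.com",
        "Origin": "https://auth.example.com",
    },
    # Same front end, but the proxy reports the original scheme.
    "tls_443_with_forwarded_proto": {
        "Host": "auth.example.com",
        "Origin": "https://auth.example.com",
        "X-Forwarded-Proto": "https",
    },
    # Proxy listens on a non-default port and passes Host without it.
    "proxy_on_8443_port_header_missing": {
        "Host": "auth.example.com",
        "Origin": "https://auth.example.com:8443",
        "X-Forwarded-Proto": "https",
    },
    "proxy_on_8443_with_port_header": {
        "Host": "auth.example.com",
        "Origin": "https://auth.example.com:8443",
        "X-Forwarded-Proto": "https",
        "X-Forwarded-Port": "8443",
    },
}


def run_cases():
    """Evaluate every sample request; the backend connection itself is plain HTTP."""
    return {name: origin_check("http", hdrs) for name, hdrs in CASES.items()}


if __name__ == "__main__":
    for name, (ok, expected, got) in run_cases().items():
        print(f"{name:36} {'pass' if ok else 'FAIL'}  backend={expected}  browser={got}")
```

A listener that forwards raw TCP cannot add HTTP headers, which is the first case; the headers have to come from a component that speaks HTTP in front of the application.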

Unpatched vulnerabilities in latest build

See docker scan fusionauth/fusionauth-app:1.37.1

There are 13 vulnerabilities in apt/deb packages, and 11 vulnerabilities in maven packages.

Apt ones are usually fixed by running an apt-get upgrade in the build of your release docker image. Maven ones I'm less sure about as I'm not a Java dev but Snyk recommends fixes.

Upgrade of charts for k8s 1.16 and beyond

Helm charts need migration for newer version of k8s as outlined in,
https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/

Error when installing chart off tag 1.14.0 using kind below,
$ kind --version
kind version 0.7.0
$ sudo kubectl version
Client Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.0", GitCommit:"70132b0f130acc0bed193d9ba59dd186f0e634cf", GitTreeState:"clean", BuildDate:"2019-12-07T21:20:10Z", GoVersion:"go1.13.4", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.0", GitCommit:"70132b0f130acc0bed193d9ba59dd186f0e634cf", GitTreeState:"clean", BuildDate:"2020-01-14T00:09:19Z", GoVersion:"go1.13.4", Compiler:"gc", Platform:"linux/amd64"}
$ sudo kind --version
kind version 0.7.0
$ sudo helm version
version.BuildInfo{Version:"v3.0.3", GitCommit:"ac925eb7279f4a6955df663a0128044a8a6b7593", GitTreeState:"clean", GoVersion:"go1.13.6"}
/fusionauth-containers$ git branch
* (HEAD detached at 1.14.0)
$ sudo helm install my-release-fusionauth ./fusionauth-containers/helm/fusionauth/ --namespace authnamespace
Error: unable to build kubernetes objects from release manifest: [unable to recognize "": no matches for kind "Deployment" in version "apps/v1beta1", unable to recognize "": no matches for kind "StatefulSet" in version "apps/v1beta1", unable to recognize "": no matches for kind "StatefulSet" in version "apps/v1beta2"]

Optionally ship required modules for JMX in our Docker image

Re: #59

We added the option for anyone to add additional JDK modules and build their own image based upon our Dockerfile. This was added to make it easier to add JMX support to the base image. This can be done by setting JDK_MODULES.

If we think that many will want to use JMX, perhaps it makes sense to add these two modules to our base image if it doesn't add much bloat.

At a minimum, we would need to add jdk.management.agent and if we want to support the HTTP connector, we'd also need to add jdk.httpserver.

Curious if this is preferred to the Fusionauth-search container?

image: docker.elastic.co/elasticsearch/elasticsearch:6.3.1

Hi all,

Mostly just curious if this is the preferred use over the fusionauth-search container. It feels like having both is redundant. I have been using this with luck locally, but as I'm settling on automating some local dev things I'm wondering why there is an fa_search container at all if this is the preferred method, or vice versa.

Would be good to get an understanding of why both are here?

FusionAuth doesn't start because it cannot find `curl`

FA stopped working for me and my teammates this week, even the example isn't working anymore. We're using Docker and docker-compose.

Here's the output of the example:

fusionauth_1  | tty: ignoring all arguments
fusionauth_1  | not a tty
fusionauth_1  | /usr/local/fusionauth/fusionauth-app/apache-tomcat/bin/catalina.sh: /usr/local/fusionauth/fusionauth-app/apache-tomcat/bin/setenv.sh: line 59: curl: not found

Elasticsearch container fails in swarm mode

When launching the v3 docker-compose in a swarm stack, the Elasticsearch container fails repeatedly and kills itself.

This error is recorded in the container log:
ERROR: [1] bootstrap checks failed
[1]: memory locking requested for elasticsearch process but memory is not locked

Apparently this is due to swarm ignoring the ulimits parameter.

Is there a way to run this app in swarm mode? Trying to get redundancy/resiliency for the application.
