Shinyproxy Docker with keycloak: failed to start

dmenne · August 22, 2021, 10:18am

The dreaded failed to start strikes again.

All on internal net, using 192.168.2.20 et al. instead of localhost everywhere as suggested in many threads
Simple authentication (not shown here) works, even when keycloak is installed but not used
Keycloak good
Logging in to Shinyproxy with keycloak works
Clicking on Hello Application gives error:

**Status code:** 500
**Message:** Failed to start container
**Stack Trace:**
eu.openanalytics.containerproxy.ContainerProxyException: Failed to start container
...
Caused by: java.lang.IllegalArgumentException: second is marked non-null but is null

docker-compose.yml:

version: '3.8'
services:
  # shinyproxy
  shinyproxy:
    build: 
      context: .
    image: shinyproxy-example
    container_name: shinyproxy-ex
    ports:
      - '8020:8080'
    group_add:
      - 1001 # docker cannot be used here in version 3+
    networks:
      - sp-net
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro

  # Keycloak
  keycloak:
    image: jboss/keycloak
    container_name: keycloak
    ports:
      - 8010:8080
    networks:
      - sp-net
    volumes:
      # Make this writeable for group docker
      # do not use ~ 
      - /home/dieter/keycloak/data/:/opt/jboss/keycloak/standalone/data/     
    environment:
    # Only on first run
    # https://stackoverflow.com/a/61071811
#      - KEYCLOAK_USER=admin 
#      - KEYCLOAK_PASSWORD=admin
      - PROXY_ADDRESS_FORWARDING=true
      - TZ=Europe/Berlin 

networks:
   sp-net:
     name: sp-net

application.yml

proxy:
  title: Anomanor Shiny proxy
  logo-url: https://menne-biomed.de/images/mennebiomed48.gif
  port: 8080
  authentication: keycloak
  admin-groups: admins
  keycloak:
    realm: anomanor                                                     
    auth-server-url: http://192.168.2.20:8010/auth
    resource: anomanor                                                  
    credentials-secret: 3f944ef7-2d15-481b-acc3-c5df3adc522a
  docker:
      internal-networking: true
  specs:
  - id: 01_hello
    display-name: Hello Application
    description: Application which demonstrates the basics of a Shiny app
    container-cmd: ["R", "-e", "shinyproxy::run_01_hello()"]
    container-image: openanalytics/shinyproxy-demo
    container-network: sp-net
  - id: 06_tabsets
    container-cmd: ["R", "-e", "shinyproxy::run_06_tabsets()"]
    container-image: openanalytics/shinyproxy-demo
    container-network: sp-net

logging:
  file:
    shinyproxy.log

Note: Keykloak login IS rejects wrong logins, but these are not forwarded to Shinyprox, it always says User logged in [user: null], and the top right display of user name is empty.

dmenne · August 22, 2021, 4:28pm

After a good Sunday lunch: Partially solved. Keycloak does not required to enter firstname/lastname, but ShinyProxy needs these with Keycloak. The error and missing name top right was corrected by adding the name in keycloak.

Now seeing:

Caused by: com.spotify.docker.client.exceptions.DockerException: java.util.concurrent.ExecutionException: javax.ws.rs.ProcessingException: java.io.IOException: Permission denied

Which showed to be a simple permission error for docker.sock

Take-home: simple autentication works with user name alone, when using keycloak you need first name/name

dmenne · August 23, 2021, 2:00pm

Which showed to be a simple permission error for docker.sock

Not so simple, though: