Catch Docker check exceptions in lightweight OIDC devservice

[sberyozkin]

I've noticed integration-tests/oidc-wiremock-logout is failing periodically on Windows, I looked at the stacktrace,

2025-04-13T22:15:17.6845464Z [INFO] --- surefire:3.5.2:test (default-test) @ quarkus-integration-test-oidc-wiremock-logout ...
2025-04-13T22:15:25.1747536Z 2025-04-13 22:15:24,935 INFO  [org.tes.DockerClientFactory] (build-49) Testcontainers version: 1.20.6
2025-04-13T22:15:26.2371962Z 2025-04-13 22:15:26,233 INFO  [org.tes.doc.DockerClientProviderStrategy] (build-49) Found Docker environment with local Npipe socket (npipe:////./pipe/docker_engine)
2025-04-13T22:15:26.2411325Z 2025-04-13 22:15:26,233 WARN  [org.tes.doc.DockerClientProviderStrategy] (build-49) windows is currently not supported

2025-04-13T22:15:26.3392629Z 2025-04-13 22:15:26,240 INFO  [org.tes.doc.DockerMachineClientProviderStrategy] (build-49) docker-machine executable was not found on PATH ...

2025-04-13T22:15:26.3401567Z 2025-04-13 22:15:26,242 ERROR [org.tes.doc.DockerClientProviderStrategy] (build-49) Could not find a valid Docker environment. Please check configuration. Attempted configurations were:
2025-04-13T22:15:26.3402733Z 	NpipeSocketClientProviderStrategy: failed with exception InvalidConfigurationException (windows containers are currently not supported)As no valid configuration was found, execution cannot continue.
2025-04-13T22:15:26.3403611Z See https://java.testcontainers.org/on_failure.html for more details.
2025-04-13T22:15:36.5670701Z java.lang.RuntimeException: io.quarkus.builder.BuildException: Build failure: Build failed due to errors
2025-04-13T22:15:36.5672877Z 	[error]: Build step io.quarkus.devservices.oidc.OidcDevServicesProcessor#startServer threw an exception: java.lang.IllegalThreadStateException: process has not exited
2025-04-13T22:15:36.5675023Z 	at java.base/java.lang.ProcessImpl.exitValue(ProcessImpl.java:566)
2025-04-13T22:15:36.5677248Z 	at io.quarkus.deployment.util.ContainerRuntimeUtil.getVersionOutputFor(ContainerRuntimeUtil.java:239)
2025-04-13T22:15:36.5679890Z 	at io.quarkus.deployment.util.ContainerRuntimeUtil.getContainerRuntimeEnvironment(ContainerRuntimeUtil.java:116)
2025-04-13T22:15:36.5685047Z 	at io.quarkus.deployment.util.ContainerRuntimeUtil.detectContainerRuntime(ContainerRuntimeUtil.java:66)
2025-04-13T22:15:36.5690161Z 	at io.quarkus.deployment.util.ContainerRuntimeUtil.detectContainerRuntime(ContainerRuntimeUtil.java:55)
2025-04-13T22:15:36.5692352Z 	at io.quarkus.deployment.IsDockerWorking$DockerBinaryStrategy.get(IsDockerWorking.java:23)
2025-04-13T22:15:36.5693435Z 	at io.quarkus.deployment.IsDockerWorking$DockerBinaryStrategy.get(IsDockerWorking.java:20)
2025-04-13T22:15:36.5694790Z 	at io.quarkus.deployment.IsContainerRuntimeWorking.getAsBoolean(IsContainerRuntimeWorking.java:37)
2025-04-13T22:15:36.5696365Z 	at io.quarkus.deployment.builditem.ContainerRuntimeStatusBuildItem.isContainerRuntimeAvailable(ContainerRuntimeStatusBuildItem.java:18)
2025-04-13T22:15:36.5698449Z 	at io.quarkus.devservices.oidc.OidcDevServicesProcessor.shouldNotStartServer(OidcDevServicesProcessor.java:164)

so I hope just wrapping the check in a catch block will help, the lightweight OIDC devservice only checks if the Docker is available to figure out if Keycloak dev service may have to start instead, it does not start any container itself

• Fixes: CI failure in OIDC wiremock logout on Windows #47396

[michalvavrik]

I didn't know about the failure, but I have also mentioned that dockerStatusBuildItem.isContainerRuntimeAvailable() results into exception logged when I was testing DEV mode. +1 for not failing

[gsmet]

Should we have a dependency between the two instead? And have a build item that states if the Keycloak Dev Services will be started or not?

[michalvavrik]

Should we have a dependency between the two instead? And have a build item that states if the Keycloak Dev Services will be started or not?

yep, but as I tried to explain (I think last week on Slack? not sure when) right now when OIDC Dev Svc is tightly coupled to OIDC while Keycloak Dev SVc has very different logic for other extensions and maybe, we should share a great deal of that logic as well (e.g. is server url set, is client server url set etc. etc.). I think we shouldn't hurry with introducing SPI just because of this, I'd like to enhance the startup logic, but I don't have space now

[michalvavrik]

but that would avoid the Docker check in this extension, is that what you meant? that is clever, I didn't realize. we can add spi

[sberyozkin]

OIDC dev service is likely going to remain the only dev service that may have to be aware that Keycloak devservice may have to be started instead, is SPI really needed ?

[gsmet]

So not saying we should do what I said but I'm a bit unhappy about what's going on: it's a bit annoying that we end up with logging about Docker not being available while it's a perfectly acceptable setup in this case.

[sberyozkin]

As far as I recall, we only added this Docker check to avoid asking users to set quarkus.oidc.devservice.enabled=false, given that Dev Service for Keycloak starts by default. So the lightweight service is not started if the Keycloak devservice is expected to be able to start.
Equally, quarkus.oidc.devservice.enabled=true is not needed if we know Keycloak is not able to start given that Docker is not available

[sberyozkin]

we end up with logging about Docker not being available while it's a perfectly acceptable setup in this case.

OK, I see what you mean

[sberyozkin]

That said, may be can shoud log: Docker is not available, enabling OIDC devservice ?

[michalvavrik]

That said, may be can shoud log: Docker is not available, enabling OIDC devservice ?

@gsmet added some line like that lately

[sberyozkin]

I see it, that message is useful, but that one is about not starting because the container runtime being available, and my understanding is that @gsmet would like the users be not alarmed unnecessarily when they see a log that the docker/container not available because this is OK for this light devservice option...

[michalvavrik]

I see it, that message is useful, but that one is about not starting because the container runtime being available, and my understanding is that @gsmet would like the users be not alarmed unnecessarily when they see a log that the docker/container not available because this is OK for this light devservice option...

yeah, that makes definitely sense if we can't avoid the warn logging altogether

[sberyozkin]

@michalvavrik @gsmet I've updated the log messages related to the docker check, have a look please

[sberyozkin]

The failure looks unrelated and to do with the legacy Keycloak image pull

[sberyozkin]

Just rerun it on my laptop, this test passes on this branch. Rebased and force-pushed.

[quarkus-bot]

Status for workflow Quarkus CI

This is the status report for running Quarkus CI on commit ee0d217.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

You can consult the Develocity build scans.

[gsmet]

Let's merge this but as discussed with @michalvavrik I would prefer if we had a proper integration between the two.