Backup error on QNAP NAS

Hello,

I run my Passbolt container on a QNAP NAS and I don’t manage to back up my Passbolt container.

mysqldump --user=passbolt --password=P4ssb0lt --databases passbolt \ > /share/CACHEDEV1/Public/passbolt_backup.sql

With this code the console starts and gives the following error after loading some databases:

mysqldump: Got error: 1044: "Access denied for user 'passbolt'@'%' to database ' >'" when selecting the database

I’ve tried many code combinations, but it just doesn’t work.

Docker File

version: '3.9'
services:
  db:
    image: mariadb:10.3
    restart: unless-stopped
    environment:
      MYSQL_RANDOM_ROOT_PASSWORD: "true"
      MYSQL_DATABASE: "passbolt"
      MYSQL_USER: "passbolt"
      MYSQL_PASSWORD: "P4ssb0lt"
    volumes:
      - database_volume:/var/lib/mysql
...

Have a good day.
Martin

Hi @martin.24 ,

Just read the doc :slightly_smiling_face:

docker exec -i database-container bash -c \
  'mysqldump -u${MYSQL_USER} -p${MYSQL_PASSWORD} ${MYSQL_DATABASE}' \
  > /path/to/backup.sql

Cheers,
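A hardened variant of the backup command above, added here as an example (it is not from the reply or from the Passbolt documentation): the dump file is created owner-only, the password is handed to mysqldump through `MYSQL_PWD` instead of `-p`, and a truncated dump is discarded. `database-container` is the placeholder name from the reply; the function names and the `.partial` suffix are assumptions.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# verify_dump FILE: succeed only if FILE looks like a complete mysqldump output.
verify_dump() {
    f=$1
    [ -s "$f" ] || { echo "empty or missing: $f" >&2; return 1; }
    # mysqldump ends a successful run with a "-- Dump completed" comment
    # (not written when the dump is taken with --skip-comments).
    tail -n 5 "$f" | grep -q '^-- Dump completed' \
        || { echo "no completion trailer, dump looks truncated: $f" >&2; return 1; }
    grep -q '^CREATE TABLE' "$f" \
        || { echo "no CREATE TABLE statements: $f" >&2; return 1; }
}

# backup_passbolt_db CONTAINER OUTFILE
backup_passbolt_db() {
    container=$1 out=$2 tmp="$2.partial"
    (
        umask 077   # the dump holds every user's encrypted secrets: owner-only
        # Single quotes: the variables are expanded by bash inside the
        # container, so the password is not in the host's history or argv.
        # MYSQL_PWD keeps it off mysqldump's own command line as well.
        docker exec -i "$container" bash -c \
            'MYSQL_PWD="$MYSQL_PASSWORD" mysqldump --single-transaction -u"$MYSQL_USER" "$MYSQL_DATABASE"' \
            > "$tmp"
    ) || { rm -f "$tmp"; return 1; }
    # Only a verified dump replaces the previous backup.
    verify_dump "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$out"
}

# Usage: backup_passbolt_db database-container /path/to/backup.sql
```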

Too bad to go to the right page :sweat_smile:

Thanks…

Another problem, I’m migrating passbolt to a new NAS.
It doesn’t load the dumb.sql file into the database volume.

...
      MYSQL_DATABASE: "passbolt"
      MYSQL_USER: "passbolt"
      MYSQL_PASSWORD: "P4ssb0lt"
    volumes:
      - database_volume:/var/lib/mysql
      - /var/lib/dump.sql:/docker-entrypoint-initdb.d/dump.sql

  passbolt:
    image: passbolt/passbolt:latest-ce
    #Alternatively you can use rootless:
    #image: passbolt/passbolt:latest-ce-non-root
    restart: unless-stopped
    depends_on:
      - db
    environment:
      PASSBOLT_GPG_SERVER_KEY_FINGERPRINT: "f6717f027105b9781450dfd015377ec652bca433"
      PASSBOLT_KEY_EMAIL: "passbolt@yourdomain.com"
...

after that error code on the container station

error mounting "/share/CACHEDEV1_DATA/Container/container-station-data/lib/docker/volumes/passbolt_database_volume/_data

Thanks a lot for the quick answer!

Hi,

Can you check rights on this folder?

I don’t use QNAP, but here is mine:

root@desktop:/var/lib/docker/volumes/kendo_database_volume/_data# ls -alh
total 185M
drwxr-xr-x 5 systemd-coredump systemd-coredump  264 Nov 10 10:30 .
drwx-----x 3 root             root               19 Nov 10 10:30 ..
-rw-rw---- 1 systemd-coredump systemd-coredump  16K Nov 10 10:30 aria_log.00000001
-rw-rw---- 1 systemd-coredump systemd-coredump   52 Nov 10 10:30 aria_log_control
-rw-rw---- 1 systemd-coredump systemd-coredump  930 Nov 10 10:30 ib_buffer_pool
-rw-rw---- 1 systemd-coredump systemd-coredump  76M Nov 10 10:31 ibdata1
-rw-rw---- 1 systemd-coredump systemd-coredump  48M Nov 10 10:31 ib_logfile0
-rw-rw---- 1 systemd-coredump systemd-coredump  48M Nov 10 10:30 ib_logfile1
-rw-rw---- 1 systemd-coredump systemd-coredump  12M Nov 10 10:30 ibtmp1
-rw-rw---- 1 systemd-coredump systemd-coredump    0 Nov 10 10:30 multi-master.info
drwx------ 2 systemd-coredump systemd-coredump 4.0K Nov 10 10:30 mysql
-rw-r--r-- 1 systemd-coredump systemd-coredump   15 Nov 10 10:30 mysql_upgrade_info
drwx------ 2 systemd-coredump systemd-coredump 4.0K Nov 10 10:31 passbolt
drwx------ 2 systemd-coredump systemd-coredump   20 Nov 10 10:30 performance_schema
-rw-rw---- 1 systemd-coredump systemd-coredump  24K Nov 10 10:30 tc.log
root@desktop:/var/lib/docker/volumes/kendo_database_volume/_data# id systemd-coredump
uid=999(systemd-coredump) gid=999(systemd-coredump) groups=999(systemd-coredump)

This folder and content is owned by a user systemd-coredump (it will be different for you) but the most important part is its id: 999.

Can you check on your side the id of the user on your NAS?

Cheers,

I started again from the beginning:

  1. Create a fresh new Passbolt instance on Docker following this documentation.

  2. I started the Docker and created the first admin user
    https://passbolt.huberfeichter.it/setup/install/5245bd59-7ee0-409a-ad92-95949da26c01/64a38d73-a16e-4ff7-9cbd-2233c08dd76f open this link and select a passphrase.

  3. I stop the Docker and run this command delete the passbolt_database_volume

  4. Then I put the dump.sql on my NAS on the directory /share/CACHEDEV1_DATA/Container/container-station-data/lib/dumb.sql

  5. Add this code line:

volumes:
  - database_volume:/var/lib/mysql
  - /var/lib/dump.sql:/docker-entrypoint-initdb.d/dump.sql (I am not sure about this path)

  6. Set these environment variables:

services:
  passbolt:
    environment:
      PASSBOLT_GPG_SERVER_KEY_FINGERPRINT: "MY OWN FINGERPRINT"
      PASSBOLT_KEY_EMAIL: "passbolt@yourdomain.com"

  7. Then I start the containers

  8. Restore my server keys:

docker cp serverkey_private.asc passbolt_passbolt_1:/etc/passbolt/gpg/serverkey_private.asc
docker cp serverkey.asc passbolt_passbolt_1:/etc/passbolt/gpg/serverkey.asc

  9. Change the correct rights:

docker exec -it passbolt_passbolt_1 chown www-data:www-data /etc/passbolt/gpg/serverkey.asc
docker exec -it passbolt_passbolt_1 chown www-data:www-data /etc/passbolt/gpg/serverkey_private.asc
docker exec -it passbolt_passbolt_1 chmod 440 /etc/passbolt/gpg/serverkey.asc
docker exec -it passbolt_passbolt_1 chmod 440 /etc/passbolt/gpg/serverkey_private.asc

Now passbolt starts but the database was not migrated.

I’m sorry but maybe we can find a solution this way
Thanks Martin

Hi :wave:

If passbolt starts, it is a good point. FYI, we have a dedicated help page for troubleshooting docker here: Passbolt Help | Troubleshoot Docker

Can you connect into your container:

docker exec -ti passbolt_passbolt_1 bash

Inside the container, connect as www-data user:

su -s /bin/bash www-data

Ensure the PASSBOLT_GPG_SERVER_KEY_FINGERPRINT variable contains your GPG fingerprint:

echo $PASSBOLT_GPG_SERVER_KEY_FINGERPRINT

Just in case, you can set the PASSBOLT_GPG_SERVER_KEY_FINGERPRINT this way:

export PASSBOLT_GPG_SERVER_KEY_FINGERPRINT=REPLACE-ME-WITH-YOUR-GPG-FINGERPRINT

Now you can check the database migration status:

./bin/cake migrations status

You can run database migrations:

./bin/cake migrations migrate

If you have any error, can you post them and the healthcheck output:

./bin/cake passbolt healthcheck

Best regards,

Hi,

www-data@2bab2c06e566:/usr/share/php/passbolt$ ./bin/cake migrations migrate
using migration paths
 - /etc/passbolt/Migrations
using seed paths
using environment default
using adapter mysql
using database passbolt
ordering by creation time

All Done. Took 0.0092s

Dumps the current schema of the database to be used while baking a diff

using migration paths
 - /etc/passbolt/Migrations
using seed paths
Writing dump file `/etc/passbolt/Migrations/schema-dump-default.lock`...
Warning Error: file_put_contents(/etc/passbolt/Migrations/schema-dump-default.lock): failed to open stream: Permission denied
In [/usr/share/php/passbolt/vendor/cakephp/migrations/src/Command/Phinx/Dump.php, line 109]

2022-11-11 15:25:04 warning: Warning (2): file_put_contents(/etc/passbolt/Migrations/schema-dump-default.lock): failed to open stream: Permission denied in [/usr/share/php/passbolt/vendor/cakephp/migrations/src/Command/Phinx/Dump.php, line 109]
An error occurred while writing dump file `/etc/passbolt/Migrations/schema-dump-default.lock`

Healthcheck output:

Healthcheck shell
-------------------------------------------------------------------------------

 Environment

 [PASS] PHP version 7.4.30.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [WARN] The passbolt config file is missing in /etc/passbolt/
 [HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
 [HELP] The passbolt config file is not required if passbolt is configured with environment variables

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://passbolt.huberfeichter.it
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [FAIL] SSL peer certificate does not validate
 [FAIL] Hostname does not match when validating certificates.
 [WARN] Using a self-signed certificate
 [HELP] Check https://help.passbolt.com/faq/hosting/troubleshoot-ssl
 [HELP] fopen(): Peer certificate CN=`www.passbolt.local' did not match expected CN=`passbolt.huberfeichter.it'
fopen(): Failed to enable crypto
fopen(https://passbolt.huberfeichter.it/healthcheck/status.json): failed to open stream: operation failed

 Database

 [PASS] The application is able to connect to the database
 [PASS] 26 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one
 [PASS] The public key file is defined in config/passbolt.php and readable.
 [PASS] The private key file is defined in config/passbolt.php and readable.
 [FAIL] The server key fingerprint doesn't match the one defined in config/passbolt.php.
 [HELP] Double check the key fingerprint, example:
 [HELP] sudo su -s /bin/bash -c "gpg --list-keys --fingerprint --home /var/lib/passbolt/.gnupg" www-data | grep -i -B 2 'SERVER_KEY_EMAIL'
 [HELP] SERVER_KEY_EMAIL: The email you used when you generated the server key.
 [HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
 [FAIL] The server public key defined in the config/passbolt.php (or environment variables) is not in the keyring
 [HELP] Import the private server key in the keyring of the webserver user.
 [HELP] you can try:
 [HELP] sudo su -s /bin/bash -c "gpg --home /var/lib/passbolt/.gnupg --import /etc/passbolt/gpg/serverkey_private.asc" www-data
 [PASS] There is a valid email id defined for the server key.

 Application configuration

 [PASS] Using latest passbolt version (3.7.3).
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [PASS] Registration is closed, only administrators can add users.
 [PASS] Serving the compiled version of the javascript app
 [PASS] All email notifications will be sent.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled
 [PASS] The /etc/passbolt/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found

 [FAIL] 4 error(s) found. Hang in there!

Thanks Martin
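The two GPG failures in the healthcheck above concern the configured fingerprint versus the key that is actually on disk. One way to compare them without retyping the fingerprint by hand, added here as an example (not part of the thread or of Passbolt): the function names are hypothetical, a 40-digit OpenPGP v4 fingerprint is assumed, and the input is the machine-readable listing gpg prints with `--with-colons`.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# first_fpr: read a `gpg --with-colons` listing on stdin and print the
# primary key's fingerprint (field 10 of the first "fpr" record).
first_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# normalise_fpr VALUE: drop spaces and tabs, upper-case the hex digits.
normalise_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# fpr_matches CONFIGURED < colon-listing
# Returns 0 on match, 1 on mismatch, 2 if CONFIGURED is not a fingerprint
# at all (for instance a placeholder left in the compose file).
fpr_matches() {
    want=$(normalise_fpr "$1")
    have=$(first_fpr)
    case $want in
        ''|*[!0-9A-F]*) echo "configured value is not a hex fingerprint" >&2; return 2 ;;
    esac
    [ ${#want} -eq 40 ] || { echo "expected 40 hex digits, got ${#want}" >&2; return 2; }
    [ "$want" = "$have" ] \
        || { echo "configured $want, key has ${have:-no fingerprint}" >&2; return 1; }
}

# Usage inside the passbolt container, as www-data:
#   gpg --with-colons --import-options show-only --import \
#       /etc/passbolt/gpg/serverkey.asc \
#     | fpr_matches "$PASSBOLT_GPG_SERVER_KEY_FINGERPRINT"
```

Feeding it the output of `gpg --home /var/lib/passbolt/.gnupg --list-keys --with-colons` instead checks the keyring rather than the key file, which is the second failure the healthcheck reports.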

Should the left side of the dump.sql path match #4 path above?

Does the path not point to this folder?

Best regards Martin

We can’t know your NAS setup but also see this thread in case you are running into the same issue: Passbolt in Docker on Synology NAS not working after docker pull - #3 by diego
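The restore attempted in this thread relies on two properties of the official MariaDB image and of Docker bind mounts: files in `/docker-entrypoint-initdb.d` are only processed when the data directory is empty on first start, and the left side of the mount must be an existing regular file on the host. A preflight check for both, added here as an example (not from the thread or from Passbolt); the function names are hypothetical and the paths in the usage comment are the ones quoted in the posts above.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# check_init_dump HOST_PATH: validate the left side of
#   HOST_PATH:/docker-entrypoint-initdb.d/<name>
check_init_dump() {
    p=$1
    case $p in
        /*) ;;
        *) echo "not an absolute host path: $p" >&2; return 1 ;;
    esac
    if [ -d "$p" ]; then
        # Docker creates a missing bind-mount source as an empty directory,
        # so a directory here usually means an earlier run used a wrong path.
        echo "is a directory, not a dump file: $p" >&2; return 1
    fi
    [ -f "$p" ] || { echo "no such file on the host: $p" >&2; return 1; }
    [ -s "$p" ] || { echo "file is empty: $p" >&2; return 1; }
    # The entrypoint selects files by extension (.sh, .sql and .sql.gz
    # among them); a dump saved under another name is skipped.
    case $p in
        *.sql|*.sql.gz|*.sh) ;;
        *) echo "extension not accepted by this check: $p" >&2; return 1 ;;
    esac
}

# check_datadir_empty DIR: init scripts run only on an empty data directory.
check_datadir_empty() {
    [ -d "$1" ] || return 0      # volume not created yet: it will initialise
    [ -z "$(ls -A "$1" 2>/dev/null)" ] \
        || { echo "data directory already initialised, dump will be skipped: $1" >&2; return 1; }
}

# Usage with the paths quoted in the thread (run on the NAS before "up"):
#   check_init_dump /share/CACHEDEV1_DATA/Container/container-station-data/lib/dumb.sql
#   check_datadir_empty /share/CACHEDEV1_DATA/Container/container-station-data/lib/docker/volumes/passbolt_database_volume/_data
```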