Docker installation: Various problems with traefik container (SOLVED)

Hello,

I’m new to passbolt and am trying to install it on a new server.

I followed the installation guide without problem and prepared the docker-compose-ce.yaml, traefik.yaml, headers.yaml and tls.yaml files as proposed in the guide. I put the docker-compose-ce.yaml and traefik.yaml files in a /srv/passbolt directory, and the 2 headers.yaml and tls.yaml files in the /srv/passbolt/conf directory.

When I then launch the

docker-compose -f docker-compose-ce.yaml up -d

command, the 2 passbolt and database containers are properly started, but I get an error for the traefik container:

ERROR: for passbolt_traefik_1  Cannot start service traefik: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "/srv/passbolt/traefik.yaml" to rootfs at "/traefik.yaml": mount /srv/passbolt/traefik.yaml:/traefik.yaml (via /proc/self/fd/6), flags: 0x5001: not a directory: unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type

I’m confused by this error. It seems docker is trying to mount the traefik.yaml file as a directory. I don’t understand why.

Environment notes:

  • OS: Ubuntu 22.04.1
  • Docker 20.10.21
  • Docker-compose 1.29.2
  • Docker-compose-ce-yaml (version 3.9)
  • Passbolt image 3.8.3-1-ce
  • traefik image 2.6
  • I created a tls.yaml instead of a tls.conf as indicated in the documentation. I think it is a documentation error.

Hello @Julrich, welcome to the forum :slightly_smiling_face:

I think you are referencing this documentation ?

I tried to reproduce your issue on a fresh Ubuntu 22.04 server, however I wasn’t able to reproduce it and I had no error regarding traefik container:

Pulling traefik (traefik:2.6)...
2.6: Pulling from library/traefik
df9b9388f04a: Pull complete
07cb125bb766: Pull complete
d749ef5bf2b8: Pull complete
10594e2a764b: Pull complete
Status: Downloaded newer image for traefik:2.6
Creating passbolt_traefik_1 ... done

Indeed, you are right our documentation that indicate “tls.conf” is a mistake, that is “tls.yaml” who needs to be created. We will be updating this page really soon, thanks for the report.

Is it possible that after you removed any sensitive informations you give us the full content of “docker-compose-ce.yaml” ? It may be related.
Also, have you created the folder “conf” in the same tree structure?

Thanks in advance.

Thank you very much for your help Antony.

So first, regarding the documentation, yes, I am referring to the document you indicate, plus the main installation documentation.

Regarding the file tree structure, yes, my “conf” folder is in the same directory as the docker-compose-ce.yaml and traefik.yaml files (/srv/passbolt)

Here is the content of docker-compose-ce.yaml:

version: '3.9'
services:
  db:
    image: mariadb:10.3
    restart: unless-stopped
    environment:
      MYSQL_RANDOM_ROOT_PASSWORD: "true"
      MYSQL_DATABASE: "foo"
      MYSQL_USER: "foo"
      MYSQL_PASSWORD: "foo"
    volumes:
      - database_volume:/var/lib/mysql

  passbolt:
    image: passbolt/passbolt:3.8.3-1-ce
    #Alternatively you can use rootless:
    #image: passbolt/passbolt:latest-ce-non-root
    restart: unless-stopped
    depends_on:
      - db
    environment:
      APP_FULL_BASE_URL: https://passbolt.atalan.net
      DATASOURCES_DEFAULT_HOST: "db"
      DATASOURCES_DEFAULT_USERNAME: "foo"
      DATASOURCES_DEFAULT_PASSWORD: "foo"
      DATASOURCES_DEFAULT_DATABASE: "foo"
    volumes:
      - gpg_volume:/etc/passbolt/gpg
      - jwt_volume:/etc/passbolt/jwt
    command: ["/usr/bin/wait-for.sh", "-t", "0", "db:3306", "--", "/docker-entrypoint.sh"]
    labels:
      traefik.enable: "true"
      traefik.http.routers.passbolt-http.entrypoints: "web"
      traefik.http.routers.passbolt-http.rule: "Host(`mydomain.com`)"
      traefik.http.routers.passbolt-http.middlewares: "SslHeader@file"
      traefik.http.routers.passbolt-https.middlewares: "SslHeader@file"
      traefik.http.routers.passbolt-https.entrypoints: "websecure"
      traefik.http.routers.passbolt-https.rule: "Host(`mydomain.com`)"
      traefik.http.routers.passbolt-https.tls: "true"
      traefik.http.routers.passbolt-https.tls.certresolver: "letsencrypt"
      
    #The ports definition are removed as the HTTPS connexion is handled by traefic service
    #ports:
    #  - 80:80
    #  - 443:443
    #Alternatively for non-root images:
    # - 8080:80
    # - 4443:433

  traefik:
    image: traefik:2.6
    restart: always
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yaml:/traefik.yaml:ro
      - ./conf/:/etc/traefik/conf
      - ./shared/:/shared


volumes:
  database_volume:
  gpg_volume:
  jwt_volume:

And here is the content of my traefik.yaml file:

global:
  sendAnonymousUsage: false
log:
  level: INFO
  format: common
providers:
  docker:
    endpoint: 'unix:///var/run/docker.sock'
    watch: true
    exposedByDefault: true
    swarmMode: false
  file:
    directory: /etc/traefik/conf/
    watch: true
api:
  dashboard: false
  debug: false
  insecure: false
entryPoints:
  web:
    address: ':80'
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ':443'
certificatesResolvers:
  letsencrypt:
    acme:
      email: passbolt@mydomain.com
      storage: /shared/acme.json
      caServer: 'https://acme-v02.api.letsencrypt.org/directory'
      keyType: EC256
      httpChallenge:
        entryPoint: web
      tlsChallenge: {}

If you need any other information, please ask.

Jerome

Weird issue, I copied/pasted the entire content of all of your yaml files except for “tls.yaml” and “headers.yaml” inside conf/ that I took here

This is what I have:

 ⠿ traefik Pulled                                                           9.2s
   ⠿ df9b9388f04a Pull complete                                             3.5s
   ⠿ 07cb125bb766 Pull complete                                             3.8s
   ⠿ d749ef5bf2b8 Pull complete                                             7.0s
   ⠿ 10594e2a764b Pull complete                                             7.1s
 ⠿ passbolt Pulled                                                         12.8s
   ⠿ a603fa5e3b41 Pull complete                                             5.1s
   ⠿ 2e5b7dc75f9a Pull complete                                            10.6s
   ⠿ bea5a893aa68 Pull complete                                            10.7s
   ⠿ 5dba4366f7f9 Pull complete                                            10.8s
   ⠿ 179dd8c0669b Pull complete                                            10.9s
   ⠿ 8a0ba0bbc186 Pull complete                                            10.9s
   ⠿ 7301cf42c45d Pull complete                                            11.0s
[+] Running 7/7
 ⠿ Network customer_default           Created                               0.1s
 ⠿ Volume "customer_gpg_volume"       Cre...                                0.0s
 ⠿ Volume "customer_jwt_volume"       Cre...                                0.0s
 ⠿ Volume "customer_database_volume"  Created                               0.0s
 ⠿ Container customer-traefik-1       Sta...                                2.0s
 ⠿ Container customer-db-1            Started                               1.7s
 ⠿ Container customer-passbolt-1      St...                                 1.0s

Can you, once again check that the path inside theses files in conf/ are the good one and also their contents?

After investigating on internet for a similar issue, running this command could temporary help:
sudo -E bash -c "docker-compose -f docker-compose-ce.yaml up -d"
Is it possible for you to try it?

Thanks in advance :slight_smile:

Hello Antony,

The command you suggest didn’t help. It returned the same error as before.

So to move forward, here is the content of my tls.yaml and headers.yaml files to be sure that all is ‘iso’ regarding the code :slight_smile:

tls:
  options:
    default:
      minVersion: VersionTLS12
      sniStrict: true
      curvePreferences:
        - CurveP521
        - CurveP384
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
http:
  middlewares:
    SslHeader:
      headers:
        FrameDeny: true
        AccessControlAllowMethods: 'GET,OPTIONS,PUT'
        AccessControlAllowOriginList:
          - origin-list-or-null
        AccessControlMaxAge: 100
        AddVaryHeader: true
        BrowserXssFilter: true
        ContentTypeNosniff: true
        ForceSTSHeader: true
        STSIncludeSubdomains: true
        STSPreload: true
        ContentSecurityPolicy: default-src 'self' 'unsafe-inline'
        CustomFrameOptionsValue: SAMEORIGIN
        ReferrerPolicy: same-origin
        PermissionsPolicy: vibrate 'self'
        STSSeconds: 315360000

Then, here are 2 screenshots to give you their precise implementation in the file structure:

Can you launch the containers successfully if you implement the same files in this same file structure (I mean in /srv/passbolt)?

Kind regards

(follow-up)

I noticed that the owner/group of my docker-compose-ce.yaml file was not “root” so I changed that. It’s now root, but I still have the same error on launching the “docker-compose” command.

What are the rights that the yaml files should have?

Kind regards

Hi @Julrich,

I wrote initially the traefik documentation for passbolt and I use it on my own server to host passbolt with docker-compose.

I spinned a fresh new Ubuntu 22.04 VM and set up docker I think like you, following this documentation: Install Docker Engine on Ubuntu | Docker Docs

Then, I followed this: Passbolt Help | Docker passbolt installation
And this: Passbolt Help | Auto configure HTTPS with Let's Encrypt on Docker

As you noticed, the correct file name for tls config is tls.yaml and not tls.conf.

All is working as expected on my environment. Like you I set up passbolt on /srv/passbolt.

Here is the file structure (I use the tree package sudo apt install tree):

root@ubuntu2204:/srv/passbolt# tree
.
├── conf
│   ├── headers.yaml
│   └── tls.yaml
├── docker-compose-ce-SHA512SUM.txt
├── docker-compose-ce.yaml
├── shared
│   └── acme.json
└── traefik.yaml

2 directories, 6 files

Regarding the file rights:

root@ubuntu2204:/srv/passbolt# find | xargs ls -alh
-rw-r--r-- 1 root root  630 Dec 14 04:54 ./conf/headers.yaml
-rw-r--r-- 1 root root  322 Dec 14 04:54 ./conf/tls.yaml
-rw-r--r-- 1 root root  153 Dec  1 09:34 ./docker-compose-ce-SHA512SUM.txt
-rw-r--r-- 1 root root 1.9K Dec 14 04:55 ./docker-compose-ce.yaml
-rw------- 1 root root    0 Dec 14 04:55 ./shared/acme.json
-rw-r--r-- 1 root root  780 Dec 14 04:54 ./traefik.yaml

.:
total 28K
drwxr-xr-x 4 root root 4.0K Dec 14 04:56 .
drwxr-xr-x 3 root root 4.0K Dec 14 04:52 ..
drwxr-xr-x 2 root root 4.0K Dec 14 04:54 conf
-rw-r--r-- 1 root root  153 Dec  1 09:34 docker-compose-ce-SHA512SUM.txt
-rw-r--r-- 1 root root 1.9K Dec 14 04:55 docker-compose-ce.yaml
drwxr-xr-x 2 root root 4.0K Dec 14 04:55 shared
-rw-r--r-- 1 root root  780 Dec 14 04:54 traefik.yaml

./conf:
total 16K
drwxr-xr-x 2 root root 4.0K Dec 14 04:54 .
drwxr-xr-x 4 root root 4.0K Dec 14 04:56 ..
-rw-r--r-- 1 root root  630 Dec 14 04:54 headers.yaml
-rw-r--r-- 1 root root  322 Dec 14 04:54 tls.yaml

./shared:
total 8.0K
drwxr-xr-x 2 root root 4.0K Dec 14 04:55 .
drwxr-xr-x 4 root root 4.0K Dec 14 04:56 ..
-rw------- 1 root root    0 Dec 14 04:55 acme.json

I guess there was an error while the first setup and would try to remove your passbolt instance and re-create it.

To remove all passbolt stack containers and created volumes:

docker-compose -f docker-compose-ce.yaml down -v

The -v flag will remove database created volumes.

Once passbolt, db and traefik containers removed, I would re-create a new stack:

docker compose -f docker-compose-ce.yaml up -d

WARNING:

I assume you don’t have any data in your passbolt. If you have data, don’t miss a backup: Passbolt Help | Docker

If it still doesn’t work, you can try to reset your whole docker setup, I assume here you don’t have other containers running on your machine:

docker system prune

Best regards,

1 Like

Hi @AnatomicJC ,

Thank you for your time!

I eventually decided to take advantage of the week-end to reinitialize my server and repeat the installation procedure step by step. And this time it worked! I have my 3 containers running. I still don’t understand what mistake I did in my previous installation. I seems to me that I did exactly the same procedure. Well, anyway. Containers are up and it’s good!

I also successfully added the initial admin user with the docker-compose command as explained in the documentation. So the passbolt service is working and properly connected to its database.

Remains 2 problems:

1 - I can’t access passbolt through a browser.

When I type my dedicated passbolt url in my browser, I got this error message:

*An error occurred during a connection to passbolt.atalan.net. SSL peer has no certificate for the requested DNS name.

Error code: SSL_ERROR_UNRECOGNIZED_NAME_ALERT
*

Problem with SSL certificate apparently, but I don’t know what to do to solve that. Any idea of where that could come from?

2 - Second problem: The Email service apparently doesn’t work (I haven’t received any Email after the creation of the initial admin as I should have according to the documentation).

Here are the Email environment variables that I set in the docker-compose-ce.yaml file:
EMAIL_DEFAULT_FROM_NAME: “Passbolt”
EMAIL_DEFAULT_FROM: “passbolt@mydomainname.com
EMAIL_TRANSPORT_DEFAULT_HOST: “mySmtpServerUrl”
EMAIL_TRANSPORT_DEFAULT_PORT: 465
EMAIL_TRANSPORT_DEFAULT_USERNAME: “myUsername”
EMAIL_TRANSPORT_DEFAULT_PASSWORD: “myPassword”
EMAIL_TRANSPORT_DEFAULT_TLS: “True”

The smtp server works fine with this account. I tested it. It nevertheless gives a certificate warning that I can bypass with the Email client, but maybe that may be a problem for passbolt?

So that’s it. Sorry for all these problems. Hope I will succeed eventually at having the application properly running on the server :slight_smile:

Here’s a resource for troubleshooting SSL that might be helpful. Passbolt Help | Troubleshoot SSL

Hi @garrett

Thank you for the link. I checked the page and run the ssl checker. It says that I don’t have any installed ssl certificate.

As the certificates must normally be automatically “let’s encrypted” by the traefik service (if I properly understood), I don’t understand.

I tried to enter the traefik container to check the certificates, but the usual

docker exec -it passbolt_traefik_1 bash

returned an error as it didn’t locate the bash app. /bin/bash also failed.

How can I check the certificates? What could have made them failed to be generated?

Hi,

Traefik container is based on Linux Alpine distro and there is no bash inside. You can use ash instead.

I think it will more helpful to investigate traefik container logs:

docker logs passbolt_traefik_1 --tail=100 --follow

Best regards,

Thank you for your help @AnatomicJC. I could easily understand the problem with the logs and fix it. The passbolt site works now! :ok_hand:

Last problem remains the Emails that still don’t work. I changed my smtp server, checked 3 times the settings, tested them on thunderbird. It works perfectly on thunderbird, but refuses to work with passbolt.

I checked the passbolt container logs. Here is the related output:

SMTP server did not accept the connection or trying to connect to non TLS SMTP server using TLS
Email 8 was not sent

Here are the related env settings in my docker-compose-ce.yaml file:

environment:
  ...
  EMAIL_DEFAULT_FROM_NAME: "Passbolt"
  EMAIL_DEFAULT_FROM: "user@resodia.fr"
  EMAIL_TRANSPORT_DEFAULT_HOST: "ssl://mail.gandi.net"
  EMAIL_TRANSPORT_DEFAULT_PORT: 465
  EMAIL_TRANSPORT_DEFAULT_USERNAME: "myUserName"
  EMAIL_TRANSPORT_DEFAULT_PASSWORD: "myPassword"
  EMAIL_TRANSPORT_DEFAULT_TLS: "null"

My provider supports SSL encryption so I set the TLS parameter value on “null” as described in the “configure Email providers” documentation.

All seems ok. I don’t understand what is wrong.

Any idea?

Hey @Julrich,

You can try to delete the env variable EMAIL_TRANSPORT_DEFAULT_TLS from the set of variables. Passbolt will fallback on the null value by default, therefore disabling TLS

Cheers.

1 Like

Hurra!

It works!!! :man_dancing:

Yes. Commenting the

EMAIL_TRANSPORT_DEFAULT_TLS: “null”

line did it. Thank you @cedric

I would recommend to add that point in the documentation, or at least precise how to write properly the right value for this parameter. It’s really confusing.

Maybe also point out the “ssl://” that has to be put in front of the smtp server name for the DEFAULT_HOST parameter. It took me some time to defect this error.

Thank you all once again for your help. Beautiful community. I owe you a lot.

Cheers!

By the way, how do I signal this thread as “solved”?

There is not one reply that I can choose ; all the answers are part of the chain that helped me put the application online successfully.