Open airbornetrooper82573 opened 1 month ago
Did you double check that your docker user (if not root) has visibility there? Try doing a manual docker run with those bind mounts and see if it works. I'll paste an example later.
Yes, please let me know. I'd like to try to get this working. For now I have a working Traefik for my home lab based on Techno Tim's tutorial on YouTube.
Any chance I can get that example?
Been a bit busy, sorry. Run these:
export DOCKERDIR=/opt/stacks/my-compose
# Run this container as root
docker run --rm -it \
--entrypoint /bin/ash \
-e GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN" \
-e GEOIPUPDATE_FREQUENCY=8 \
-e GEOIPUPDATE_ACCOUNT_ID_FILE=/run/secrets/geoip_acccount_id \
-e GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/geoip_license_key \
-v "$DOCKERDIR/appdata/authentik/geoip/data:/usr/share/GeoIP" \
-v "$DOCKERDIR/secrets/geoip_license_key:/run/secrets/geoip_license_key" \
-v "$DOCKERDIR/secrets/geoip_acccount_id:/run/secrets/geoip_acccount_id" \
ghcr.io/maxmind/geoipupdate:latest
ls -lha /run/secrets
cat /run/secrets/geoip*
exit
export DOCKERDIR=/opt/stacks/my-compose
# Run this container with a specified UID & GID (1100)
docker run --rm -it \
--user 1100:1100 \
--entrypoint /bin/ash \
-e GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN" \
-e GEOIPUPDATE_FREQUENCY=8 \
-e GEOIPUPDATE_ACCOUNT_ID_FILE=/run/secrets/geoip_acccount_id \
-e GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/geoip_license_key \
-v "$DOCKERDIR/appdata/authentik/geoip/data:/usr/share/GeoIP" \
-v "$DOCKERDIR/secrets/geoip_license_key:/run/secrets/geoip_license_key" \
-v "$DOCKERDIR/secrets/geoip_acccount_id:/run/secrets/geoip_acccount_id" \
ghcr.io/maxmind/geoipupdate:latest
ls -lha /run/secrets
cat /run/secrets/geoip*
exit
Both of these should print out the same thing: your account ID and license key. The only thing this is doing is running the container without secrets, like the compose does. If the top one works and the bottom one doesn't (which is what matches my environment), then it's a permission issue. If neither works, paste your full compose file with a tree of your folder structure.
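Added example (not code from the thread or from the repo being discussed): a pre-flight check to run on the host before `docker compose up`, covering the two failure modes the root-vs-UID test above is designed to separate. A `-v` source path that does not exist is silently created by Docker as an empty directory (that is what produced "cat: read error: Is a directory" further down), and a file that mounts fine for root can still be unreadable for a `--user 1100:1100` container. It assumes GNU `stat` on Linux; the uid argument is whatever `--user`/PUID the container runs with.

```shell
#!/bin/sh
# Added example, not from the thread or the repo under discussion.
# Verifies each bind-mounted secret source before Docker ever sees it.
# Assumes GNU stat (Linux). UID = the uid the container will run as.

# check_secret_source PATH UID -> 0 if PATH is a non-empty regular file readable by UID
check_secret_source() {
    path=$1
    uid=$2
    if [ ! -e "$path" ]; then
        echo "MISSING    $path (docker would create an empty directory here)"
        return 1
    fi
    if [ -d "$path" ]; then
        echo "DIRECTORY  $path (left over from an earlier run; remove it and recreate the file)"
        return 1
    fi
    if [ ! -f "$path" ] || [ ! -s "$path" ]; then
        echo "EMPTY      $path"
        return 1
    fi
    owner=$(stat -c %u "$path")
    group=$(stat -c %g "$path")
    mode=$(stat -c %a "$path")
    mode=${mode#"${mode%???}"}          # keep only the last three octal digits
    u=${mode%??}; g=${mode#?}; g=${g%?}; o=${mode#??}
    readable=0
    if [ "$owner" = "$uid" ] && [ $((u & 4)) -ne 0 ]; then
        readable=1                      # owner read bit
    elif [ $((o & 4)) -ne 0 ]; then
        readable=1                      # world read bit
    elif [ $((g & 4)) -ne 0 ]; then
        # group read bit only helps if UID is a member of the file's group
        for gid in $(id -G "$uid" 2>/dev/null); do
            [ "$gid" = "$group" ] && readable=1
        done
    fi
    if [ "$readable" -ne 1 ]; then
        echo "UNREADABLE $path (mode $mode, owner $owner:$group) for uid $uid"
        return 1
    fi
    echo "OK         $path"
    return 0
}

# check_secrets UID DIR NAME... -> 0 only if every DIR/NAME passes
check_secrets() {
    uid=$1; dir=$2; shift 2
    rc=0
    for name in "$@"; do
        check_secret_source "$dir/$name" "$uid" || rc=1
    done
    return $rc
}

# Usage against the layout from this thread (paths are the thread's, not verified here):
# check_secrets 1100 /opt/stacks/my-compose/secrets geoip_account_id geoip_license_key
```

Run it with the same uid you put in `--user` or PUID; a DIRECTORY result means the secret file name in your compose or `.env` did not match what was on disk when the container first started, which is exactly the three-c typo this thread turned out to be about.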
@airbornetrooper82573 - Any update on your side?
Sorry I had to work more days in the office this week than I intended.
First one:
root@docker:/opt/stacks/my-compose# docker run --rm -it \
--entrypoint /bin/ash \
-e GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN" \
-e GEOIPUPDATE_FREQUENCY=8 \
-e GEOIPUPDATE_ACCOUNT_ID_FILE=/run/secrets/geoip_acccount_id \
-e GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/geoip_license_key \
-v "$DOCKERDIR/appdata/authentik/geoip/data:/usr/share/GeoIP" \
-v "$DOCKERDIR/secrets/geoip_license_key:/run/secrets/geoip_license_key" \
-v "$DOCKERDIR/secrets/geoip_acccount_id:/run/secrets/geoip_acccount_id" \
ghcr.io/maxmind/geoipupdate:latest
/var/lib/geoipupdate # ls -lha /run/secrets
total 2K
drwxr-xr-x 4 root root 4 Aug 10 17:25 .
drwxr-xr-x 1 root root 3 Aug 10 17:25 ..
drwxr-xr-x 2 root root 2 Aug 10 17:20 geoip_acccount_id
drwxr-xr-x 2 root root 2 Aug 10 17:20 geoip_license_key
/var/lib/geoipupdate # cat /run/secrets/geoip*
cat: read error: Is a directory
cat: read error: Is a directory
/var/lib/geoipupdate #
Second one:
root@docker:/opt/stacks/my-compose# export DOCKERDIR=/opt/stacks/my-compose
root@docker:/opt/stacks/my-compose# docker run --rm -it \
--user 1100:1100 \
--entrypoint /bin/ash \
-e GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN" \
-e GEOIPUPDATE_FREQUENCY=8 \
-e GEOIPUPDATE_ACCOUNT_ID_FILE=/run/secrets/geoip_acccount_id \
-e GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/geoip_license_key \
-v "$DOCKERDIR/appdata/authentik/geoip/data:/usr/share/GeoIP" \
-v "$DOCKERDIR/secrets/geoip_license_key:/run/secrets/geoip_license_key" \
-v "$DOCKERDIR/secrets/geoip_acccount_id:/run/secrets/geoip_acccount_id" \
ghcr.io/maxmind/geoipupdate:latest
/var/lib/geoipupdate $ ls -lha /run/secrets
total 2K
drwxr-xr-x 4 root root 4 Aug 10 17:28 .
drwxr-xr-x 1 root root 3 Aug 10 17:28 ..
drwxr-xr-x 2 root root 2 Aug 10 17:20 geoip_acccount_id
drwxr-xr-x 2 root root 2 Aug 10 17:20 geoip_license_key
/var/lib/geoipupdate $ cat /run/secrets/geoip*
cat: read error: Is a directory
cat: read error: Is a directory
/var/lib/geoipupdate $
I found one error: in your instructions you have this:
echo -n 'CHANGEME' > geoip_acccount_id
echo -n 'CHANGEME' > geoip_license_key
should be geoip_account_id, without 3 c's.
Changed the acccount to account on the commands you sent:
root@docker:/opt/stacks/my-compose# export DOCKERDIR=/opt/stacks/my-compose
root@docker:/opt/stacks/my-compose# docker run --rm -it \
--entrypoint /bin/ash \
-e GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN" \
-e GEOIPUPDATE_FREQUENCY=8 \
-e GEOIPUPDATE_ACCOUNT_ID_FILE=/run/secrets/geoip_account_id \
-e GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/geoip_license_key \
-v "$DOCKERDIR/appdata/authentik/geoip/data:/usr/share/GeoIP" \
-v "$DOCKERDIR/secrets/geoip_license_key:/run/secrets/geoip_license_key" \
-v "$DOCKERDIR/secrets/geoip_account_id:/run/secrets/geoip_account_id" \
ghcr.io/maxmind/geoipupdate:latest
/var/lib/geoipupdate # ls -lha /run/secrets
total 2K
drwxr-xr-x 2 root root 4 Aug 10 17:50 .
drwxr-xr-x 1 root root 3 Aug 10 17:50 ..
-rw-r--r-- 1 root root 7 Aug 10 17:33 geoip_account_id
-rw-r--r-- 1 root root 40 Aug 10 17:34 geoip_license_key
/var/lib/geoipupdate # cat /run/secrets/geoip*
mygeoip_account_id_and_mygeoip_license_key/var/lib/geoipupdate # exit
root@docker:/opt/stacks/my-compose#
root@docker:/opt/stacks/my-compose# export DOCKERDIR=/opt/stacks/my-compose
root@docker:/opt/stacks/my-compose# docker run --rm -it \
--user 1100:1100 \
--entrypoint /bin/ash \
-e GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN" \
-e GEOIPUPDATE_FREQUENCY=8 \
-e GEOIPUPDATE_ACCOUNT_ID_FILE=/run/secrets/geoip_account_id \
-e GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/geoip_license_key \
-v "$DOCKERDIR/appdata/authentik/geoip/data:/usr/share/GeoIP" \
-v "$DOCKERDIR/secrets/geoip_license_key:/run/secrets/geoip_license_key" \
-v "$DOCKERDIR/secrets/geoip_account_id:/run/secrets/geoip_account_id" \
ghcr.io/maxmind/geoipupdate:latest
/var/lib/geoipupdate $ ls -lha /run/secrets
total 2K
drwxr-xr-x 2 root root 4 Aug 10 17:56 .
drwxr-xr-x 1 root root 3 Aug 10 17:56 ..
-rw-r--r-- 1 root root 7 Aug 10 17:33 geoip_account_id
-rw-r--r-- 1 root root 40 Aug 10 17:34 geoip_license_key
/var/lib/geoipupdate $ cat /run/secrets/geoip*
mygeoip_account_id_and_mygeoip_license_key/var/lib/geoipupdate $ exit
root@docker:/opt/stacks/my-compose#
Tree:
root@docker:/opt/stacks/my-compose# tree
.
├── appdata
│ ├── authentik
│ │ └── geoip
│ │ └── data
│ └── traefik
│ ├── config
│ │ └── traefik.yaml
│ └── rules
│ ├── chain-no-auth.yaml
│ ├── middlewares-authentik.yaml
│ ├── middlewares-buffering.yaml
│ ├── middlewares-compress.yaml
│ ├── middlewares-https-redirectscheme.yaml
│ ├── middlewares-rate-limit.yaml
│ ├── middlewares-secure-headers.yaml
│ └── tls-opts.yaml
├── authentik
│ └── compose.yaml
├── compose.yaml
├── secrets
│ ├── authentik_postgresql_db
│ ├── authentik_postgresql_password
│ ├── authentik_postgresql_user
│ ├── authentik_secret_key
│ ├── cf_dns_api_token
│ ├── cf_email
│ ├── geoip_account_id
│ ├── geoip_license_key
│ ├── gmail_smtp_password
│ └── gmail_smtp_username
├── socket-proxy
│ └── compose.yaml
├── traefik
│ └── compose.yaml
└── whoami
└── compose.yaml
13 directories, 24 files
Good catch on the geoip_acccount_id to geoip_account_id. Thank you!
Once you did that, the bind mounts were successful, so your setup should be good to go now. Both cat commands worked as the files were properly mounted inside.
If you're using my setup, make sure to update your .env file to be geoip_account_id without the typo.
If that fixed everything for you, let me know so I can close this out.
Thanks, I keep finding more acccount references in my compose and stuff. Trying to hunt them down. I just tried to bring it up and got this:
root@docker:/opt/stacks/my-compose# docker compose up -d
service "geoipupdate" refers to undefined secret geoip_acccount_id: invalid compose project
You still have the typo right there: acccount. That exists in the BASE compose.yaml. I just made that typo fix on my repo.
EDIT: That typo is in the secrets section of the base compose.yaml.
I had fixed it; I found another reference in the authentik compose.
When I try to start the stack in dockge, I'm getting this:
validating /opt/stacks/my-compose/traefik/compose.yaml: services.traefik.ports.0 Additional property app_protocol is not allowed
When I run it in ssh, I'm getting this:
root@docker:/opt/stacks/my-compose# docker compose up -d
[+] Running 10/0
✔ Container authentik_redis Running 0.0s
✔ Container socket-proxy Running 0.0s
✔ Container authentik_worker Running 0.0s
✔ Container authentik_server Running 0.0s
✔ Container traefik Running 0.0s
✔ Container whoami-catchall Running 0.0s
✔ Container whoami Running 0.0s
✔ Container whoami-individual Running 0.0s
✔ Container authentik_postgresql Started 0.0s
✔ Container geoipupdate Started 0.0s
root@docker:/opt/stacks/my-compose#
Thanks. I clearly was having a field day with that word. I fixed that change as well.
Are you using my traefik compose.yaml as is in the repo or modified? If modified please paste.
A quick (and easy) fix to that is the following definition inside the traefik compose.yaml:
OLD
ports:
# - "80:80" # SHORT Syntax of below verbose definition
- name: web
host_ip: 0.0.0.0 # All interfaces, not a specific one
target: 80 # Container Port
published: "80" # STRING
protocol: tcp # tcp or udp
app_protocol: http # OPTIONAL. Layer 7 Protocol used. "Richer behavior"
mode: host # or Ingress for load balancing
- name: websecure
host_ip: 0.0.0.0
target: 443
published: "443"
protocol: tcp
app_protocol: https
mode: host
NEW
ports:
- "80:80"
- "443:443"
I changed the ports section, tried starting in dockge and got this error:
error during connect: Get "http://socket-proxy:2375/v1.24/containers/json?all=1&filters=%7B%22label%22%3A%7B%22com.docker.compose.config-hash%22%3Atrue%2C%22com.docker.compose.oneoff%3DFalse%22%3Atrue%2C%22com.docker.compose.project%3Dmy-compose%22%3Atrue%7D%7D": dial tcp: lookup socket-proxy on 127.0.0.11:53: no such host
Traefik compose.yaml:
###############################################################
# Project Name
#
# https://docs.docker.com/compose/compose-file/05-services/#security_opt
# https://docs.docker.com/compose/environment-variables/set-environment-variables/
#
###############################################################
name: traefik
services:
# ------------------------------
# -- Traefik 3
# -- Updated 2024-June-04
# ------------------------------
traefik:
image: traefik:3.0.4
container_name: traefik
restart: unless-stopped
user: ${PUID}:${PGID}
security_opt:
- no-new-privileges=true
depends_on:
- socket-proxy # Comment out if not using socket-proxy
networks:
# This is ONLY defined this way so that Homepage can reach this container via DNS name due to Stric>
# Meaning this container INTERNAL TO DOCKER is only traefik, by adding the alias it is now
# traefik AND traefik.domain.tld WITHOUT reaching to a DNS server
# Allows containers to reach each other internally without asking out
traefik:
aliases:
- traefik.${DOMAINNAME}
#ipv4_address: 10.255.224.2
socket_proxy:
#ipv4_address: 172.16.224.2
command:
- "--configFile=/config/traefik.yaml"
ports:
- "80:80"
- "443:443"
secrets:
- cf_dns_api_token
environment:
- TZ=${TZ}
- DOMAINNAME
## Docker Secrets
- CF_DNS_API_TOKEN_FILE=/run/secrets/cf_dns_api_token
volumes:
- "$DOCKERDIR/appdata/traefik/config:/config" # traefik.yaml
- "$DOCKERDIR/appdata/traefik/data:/data" # acme.json defined in traefik.yaml
- "$DOCKERDIR/appdata/traefik/rules:/rules" # Dynamic File Provider directory
- "$DOCKERDIR/logs/traefik:/logs"
## When using Docker Socket Proxy, comment out the below direct socket access
## Ensure traefik.yaml matches chosen method
# - "/var/run/docker.sock:/var/run/docker.sock:ro"
labels:
- "traefik.enable=true"
## HTTP Routers
- "traefik.http.routers.traefik-rtr.rule=Host(`traefik.${DOMAINNAME}`) || Host(`traefik.traefik`)"
- "traefik.http.routers.traefik-rtr.entrypoints=websecure" # Defined in traefik.yaml
#### Migrate individual service cert resolver to global resolution in traefik.yaml
#- "traefik.http.routers.traefik-rtr.tls=true"
#- "traefik.http.routers.traefik-rtr.tls.certresolver=le"
#- "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME"
#- "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME"
## Services - API
- "traefik.http.routers.traefik-rtr.service=api@internal"
Updated the .env with the correct account naming and tried again, still same error over socket-proxy.
I'm not sure right now, I'll look into it later. That looks like weird DNS issues or a socket-proxy missing permission for dockge. You could try editing the socket-proxy compose, setting all the env vars to 1 and down/up the stack. If there's still a DNS issue I'll have to look into that.
A second option for you is not using socket-proxy; I just like it.
Tried with all set to 1:
# ------------------------------
# -- Socket Proxy
# -- Updated 2024-June-04
# ------------------------------
name: socket-proxy # Project Name
services:
socket-proxy:
image: tecnativa/docker-socket-proxy:0.1.2
container_name: socket-proxy
restart: unless-stopped
security_opt:
- no-new-privileges=true
networks:
- socket_proxy
#socket_proxy:
# ipv4_address: 172.16.224.254
privileged: true # true for VM. false for unprivileged LXC container.
#depends_on:
# - traefik
ports:
- "127.0.0.1:2375:2375"
environment:
- LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg
## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.).
### 0 to revoke access.
### 1 to grant access.
## Granted by Default
- EVENTS=1
- PING=1
- VERSION=1
## Revoked by Default
### Security critical
- AUTH=1
- SECRETS=1
- POST=1 # Watchtower
### Not always needed
- BUILD=1
- COMMIT=1
- CONFIGS=1
- CONTAINERS=1 # Traefik, portainer, etc.
- DISTRIBUTION=1
- EXEC=1
- IMAGES=1 # Portainer
- INFO=1 # Portainer
- NETWORKS=1 # Portainer
- NODES=1
- PLUGINS=1
- SERVICES=1 # Portainer
- SESSION=1
- SWARM=1
- SYSTEM=1
- TASKS=1 # Portainer
- VOLUMES=1 # Portainer
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
Still getting an error on dockge:
error during connect: Get "http://socket-proxy:2375/v1.24/containers/json?all=1&filters=%7B%22label%22%3A%7B%22com.docker.compose.config-hash%22%3Atrue%2C%22com.docker.compose.oneoff%3DFalse%22%3Atrue%2C%22com.docker.compose.project%3Dmy-compose%22%3Atrue%7D%7D": dial tcp: lookup socket-proxy on 127.0.0.11:53: no such host
Let me know if you need to look at all my compose.yaml files to help troubleshoot. I'd like to get this working otherwise I'll have to ditch authentik.
I'm honestly not sure, you might need to switch to louislam's dockge repo and post an issue for him. If it's docker in docker then I'm not sure how to solve it. It could simply be defining a docker alias for internal container usage.
Honestly at this point, I would just remove socket-proxy and all dependency on it.
I use TrueNAS and use jailmaker to run a docker jail.
What would be the best way to remove socket-proxy dependency with your configs?
Remove socket-proxy as a running compose. Everywhere that relies on socket proxy, mount in the docker socket. I'm a little busy currently but I'll see if I can gen you up a set of composes w/o socket proxy.
No rush, I tried a few other tutorials and just kept getting stuck. At least for now I've got a working Traefik setup from one of Techno Tim's tutorials.
I think another issue could be in the .env file. The ":" needs to change to "=" on this line:
AUTHENTIK_COOKIE_DOMAIN=${DOMAINNAME}
# AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS: CHANGEME_IFAPPLICABLE # Defaults to all of: 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, fe80::/10, ::1/128
DOCKER_HOST: tcp://socket-proxy:2375
# ^^^^
# Use this if you have Socket Proxy enabled.
AUTHENTIK_EMAIL__HOST=smtp.gmail.com
AUTHENTIK_EMAIL__PORT=587
I’m not sure if this will fix my issue. But I keep getting the error in traefik that port 80 is already in use. Now that I spotted this I will change it on my end and see if it helps.
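Added example (not from the thread or the repo being discussed): a small lint for the `.env` format that catches exactly the mistake above, a YAML-style `KEY: value` line left in a file that docker compose reads as `KEY=value`, plus a helper that rewrites such lines to `=` form on stdout. It only uses POSIX `awk` and `sed -E`; the sample file in the usage comment is constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example, not from the thread or the repo under discussion.
# .env files are KEY=value, one per line; "KEY: value" is YAML, not .env.

# lint_env_file FILE -> prints one diagnostic per bad line, returns 1 if any
lint_env_file() {
    awk '
        /^[[:space:]]*(#|$)/ { next }                 # comments and blank lines are fine
        /^[[:space:]]*(export[[:space:]]+)?[A-Za-z_][A-Za-z0-9_]*=/ { next }   # KEY=value
        /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*[[:space:]]*:/ {
            printf "%s:%d: YAML-style \"KEY: value\" in a .env file: %s\n", FILENAME, NR, $0
            bad = 1; next
        }
        { printf "%s:%d: not KEY=value: %s\n", FILENAME, NR, $0; bad = 1 }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# fix_env_colons FILE -> same file on stdout with "KEY: value" rewritten as "KEY=value"
# (comment lines are left untouched so a commented-out YAML example survives)
fix_env_colons() {
    sed -E '/^[[:space:]]*#/!s/^([[:space:]]*[A-Za-z_][A-Za-z0-9_]*)[[:space:]]*:[[:space:]]*/\1=/' "$1"
}

# Usage (constructed sample, mirrors the snippet quoted in the thread):
#   printf '%s\n' 'DOCKER_HOST: tcp://socket-proxy:2375' > sample.env
#   lint_env_file sample.env         # reports line 1
#   fix_env_colons sample.env        # DOCKER_HOST=tcp://socket-proxy:2375
```

Worth running over every `.env` in the stack before `docker compose up`; a value that compose silently fails to load (here `DOCKER_HOST`) shows up later as a confusing connection error rather than at the point of the typo.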
I'm getting this error when trying to docker compose up:
Error response from daemon: invalid mount config for type "bind": bind source path does not exist: /opt/stacks/my-compose/secrets/geoip_acccount_id
In the .env file I set up, I changed DOCKERDIR=/opt/stacks/my-compose to match my setup. I use dockge instead of portainer.
I don't understand why it's saying the source path doesn't exist when I see this:
root@docker:/opt/stacks/my-compose/secrets# ls -la
total 22
drwxr-xr-x 2 root root 12 Aug 3 10:53 .
drwxr-xr-x 8 root root 10 Aug 3 11:11 ..
-rw-r--r-- 1 root root 12 Aug 3 10:15 authentik_postgresql_db
-rw-r--r-- 1 root root 48 Aug 3 10:16 authentik_postgresql_password
-rw-r--r-- 1 root root 14 Aug 3 10:15 authentik_postgresql_user
-rw-r--r-- 1 root root 80 Aug 3 10:16 authentik_secret_key
-rw-r--r-- 1 root root 41 Aug 3 10:12 cf_dns_api_token
-rw-r--r-- 1 root root 25 Aug 3 10:09 cf_email
-rw-r--r-- 1 root root 7 Aug 3 11:06 geoip_account_id
-rw-r--r-- 1 root root 40 Aug 3 10:29 geoip_licnese_key
-rw-r--r-- 1 root root 19 Aug 3 10:18 gmail_smtp_password
-rw-r--r-- 1 root root 25 Aug 3 10:17 gmail_smtp_username