brokenscripts / authentik_traefik

Authentik behind Traefik

invalid mount config #8

Open airbornetrooper82573 opened 1 month ago

airbornetrooper82573 commented 1 month ago

I'm getting this error when trying to docker compose up: Error response from daemon: invalid mount config for type "bind": bind source path does not exist: /opt/stacks/my-compose/secrets/geoip_acccount_id

In my .env file I changed DOCKERDIR=/opt/stacks/my-compose to match my setup. I use dockge instead of portainer.

I don't understand why it's saying the source path doesn't exist when I see this:

root@docker:/opt/stacks/my-compose/secrets# ls -la
total 22
drwxr-xr-x 2 root root 12 Aug 3 10:53 .
drwxr-xr-x 8 root root 10 Aug 3 11:11 ..
-rw-r--r-- 1 root root 12 Aug 3 10:15 authentik_postgresql_db
-rw-r--r-- 1 root root 48 Aug 3 10:16 authentik_postgresql_password
-rw-r--r-- 1 root root 14 Aug 3 10:15 authentik_postgresql_user
-rw-r--r-- 1 root root 80 Aug 3 10:16 authentik_secret_key
-rw-r--r-- 1 root root 41 Aug 3 10:12 cf_dns_api_token
-rw-r--r-- 1 root root 25 Aug 3 10:09 cf_email
-rw-r--r-- 1 root root  7 Aug 3 11:06 geoip_account_id
-rw-r--r-- 1 root root 40 Aug 3 10:29 geoip_licnese_key
-rw-r--r-- 1 root root 19 Aug 3 10:18 gmail_smtp_password
-rw-r--r-- 1 root root 25 Aug 3 10:17 gmail_smtp_username

brokenscripts commented 1 month ago

Did you double check that your docker user (if not root) has visibility there? Try doing a manual docker run with those bind mounts and see if it works. I'll paste an example later.

airbornetrooper82573 commented 1 month ago

Yes, please let me know. I'd like to try to get this working. For now I have a working Traefik for my home lab based on Techno Tim's tutorial on YouTube.

airbornetrooper82573 commented 1 month ago

Did you double check that your docker user (if not root) has visibility there? Try doing a manual docker run with those bind mounts and see if it works. I'll paste an example later.

Any chance I can get that example?

brokenscripts commented 1 month ago

Been a bit busy, sorry. Run these:

export DOCKERDIR=/opt/stacks/my-compose

# Run this container as root
docker run --rm -it \
  --entrypoint /bin/ash \
  -e GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN" \
  -e GEOIPUPDATE_FREQUENCY=8 \
  -e GEOIPUPDATE_ACCOUNT_ID_FILE=/run/secrets/geoip_acccount_id \
  -e GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/geoip_license_key \
  -v "$DOCKERDIR/appdata/authentik/geoip/data:/usr/share/GeoIP" \
  -v "$DOCKERDIR/secrets/geoip_license_key:/run/secrets/geoip_license_key" \
  -v "$DOCKERDIR/secrets/geoip_acccount_id:/run/secrets/geoip_acccount_id" \
ghcr.io/maxmind/geoipupdate:latest

ls -lha /run/secrets
cat /run/secrets/geoip*
exit

export DOCKERDIR=/opt/stacks/my-compose

# Run this container with a specified UID & GID (1100)
docker run --rm -it \
  --user 1100:1100 \
  --entrypoint /bin/ash \
  -e GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN" \
  -e GEOIPUPDATE_FREQUENCY=8 \
  -e GEOIPUPDATE_ACCOUNT_ID_FILE=/run/secrets/geoip_acccount_id \
  -e GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/geoip_license_key \
  -v "$DOCKERDIR/appdata/authentik/geoip/data:/usr/share/GeoIP" \
  -v "$DOCKERDIR/secrets/geoip_license_key:/run/secrets/geoip_license_key" \
  -v "$DOCKERDIR/secrets/geoip_acccount_id:/run/secrets/geoip_acccount_id" \
ghcr.io/maxmind/geoipupdate:latest

ls -lha /run/secrets
cat /run/secrets/geoip*
exit

Both of these should print out the same thing, your account ID and license key. The only thing this is doing is running the container without secrets like the compose does. If the top one works and the bottom one doesn't (which is what matches my environment) then it's a permission issue. If neither work, paste your full compose file with a tree of your folder structure.
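The two manual runs above surface the problem by hand. As an added example (not code from the authentik_traefik repo or from brokenscripts), the preflight script below checks file-based secrets before `docker compose up` for the failure modes seen in this thread: a missing source file, a directory where a file was expected, an empty file, a trailing newline, and a file the container's non-root user cannot read. DOCKERDIR=/opt/stacks/my-compose, UID 1100 and the secret names are assumptions taken from the thread.

```shell
#!/bin/sh
# Preflight for file-based Docker secrets (added example, not the repo's code).
# Catches what this thread hit: a missing source file ("bind source path does not
# exist"), a directory in place of a file (what ls -lha /run/secrets showed after a
# misspelled path was bind-mounted), an empty file, a trailing newline (the reason
# the repo's instructions use echo -n), and a file unreadable by the container's
# non-root user (1100:1100 in the thread). Names/paths below are assumptions.

# check_secret PATH -> 0 ok, 1 missing, 2 directory, 3 empty, 4 trailing newline
check_secret() {
    p=$1
    if [ ! -e "$p" ]; then
        echo "MISSING   $p  (compose: bind source path does not exist)"; return 1
    fi
    if [ -d "$p" ]; then
        echo "DIRECTORY $p  (docker run -v created a directory here; remove it, then create the file)"; return 2
    fi
    if [ ! -s "$p" ]; then
        echo "EMPTY     $p"; return 3
    fi
    # tail -c1 isolates the last byte; wc -l counts newline bytes in it
    if [ $(tail -c1 "$p" | wc -l) -gt 0 ]; then
        echo "NEWLINE   $p  (ends with a newline; write it with printf or echo -n)"; return 4
    fi
    echo "OK        $p"; return 0
}

# readable_by_uid PATH UID -> 0 if UID can read PATH via the owner or other bits.
# Group membership is not checked, so a group-readable file may report 1.
readable_by_uid() {
    uid=$2
    [ "$uid" -eq 0 ] && return 0           # root bypasses mode bits
    set -- $(ls -ln "$1")                   # -rw-r--r-- 1 <uid> <gid> <size> ...
    mode=$1; owner=$3
    case "$mode" in
        ???????r*) return 0 ;;              # world-readable (the 0644 seen in the thread)
        ?r*) [ "$owner" = "$uid" ] && return 0 ;;
    esac
    return 1
}

# check_all SECRETS_DIR UID NAME... -> 0 only if every secret passes both checks
check_all() {
    dir=$1; uid=$2; shift 2; bad=0
    for name in "$@"; do
        check_secret "$dir/$name" || bad=1
        if [ -f "$dir/$name" ] && ! readable_by_uid "$dir/$name" "$uid"; then
            echo "NOREAD    $dir/$name  (uid $uid cannot read it; chown $uid + chmod 0400 limits it to that user)"
            bad=1
        fi
    done
    return $bad
}

# Runs only when DOCKERDIR is set, as in the thread (export DOCKERDIR=/opt/stacks/my-compose)
[ -n "${DOCKERDIR:-}" ] && check_all "$DOCKERDIR/secrets" 1100 \
    geoip_account_id geoip_license_key cf_dns_api_token cf_email
```

A misspelled secret name in compose shows up here as MISSING before Docker gets a chance to create a directory at that path.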

brokenscripts commented 1 month ago

@airbornetrooper82573 - Any update on your side?

airbornetrooper82573 commented 1 month ago

Sorry I had to work more days in the office this week than I intended.

First one:

root@docker:/opt/stacks/my-compose# docker run --rm -it \
  --entrypoint /bin/ash \
  -e GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN" \
  -e GEOIPUPDATE_FREQUENCY=8 \
  -e GEOIPUPDATE_ACCOUNT_ID_FILE=/run/secrets/geoip_acccount_id \
  -e GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/geoip_license_key \
  -v "$DOCKERDIR/appdata/authentik/geoip/data:/usr/share/GeoIP" \
  -v "$DOCKERDIR/secrets/geoip_license_key:/run/secrets/geoip_license_key" \
  -v "$DOCKERDIR/secrets/geoip_acccount_id:/run/secrets/geoip_acccount_id" \
ghcr.io/maxmind/geoipupdate:latest
/var/lib/geoipupdate # ls -lha /run/secrets
total 2K     
drwxr-xr-x    4 root     root           4 Aug 10 17:25 .
drwxr-xr-x    1 root     root           3 Aug 10 17:25 ..
drwxr-xr-x    2 root     root           2 Aug 10 17:20 geoip_acccount_id
drwxr-xr-x    2 root     root           2 Aug 10 17:20 geoip_license_key
/var/lib/geoipupdate # cat /run/secrets/geoip*
cat: read error: Is a directory
cat: read error: Is a directory
/var/lib/geoipupdate #

airbornetrooper82573 commented 1 month ago

Second one:

root@docker:/opt/stacks/my-compose# export DOCKERDIR=/opt/stacks/my-compose
root@docker:/opt/stacks/my-compose# docker run --rm -it \
  --user 1100:1100 \
  --entrypoint /bin/ash \
  -e GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN" \
  -e GEOIPUPDATE_FREQUENCY=8 \
  -e GEOIPUPDATE_ACCOUNT_ID_FILE=/run/secrets/geoip_acccount_id \
  -e GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/geoip_license_key \
  -v "$DOCKERDIR/appdata/authentik/geoip/data:/usr/share/GeoIP" \
  -v "$DOCKERDIR/secrets/geoip_license_key:/run/secrets/geoip_license_key" \
  -v "$DOCKERDIR/secrets/geoip_acccount_id:/run/secrets/geoip_acccount_id" \
ghcr.io/maxmind/geoipupdate:latest
/var/lib/geoipupdate $ ls -lha /run/secrets
total 2K     
drwxr-xr-x    4 root     root           4 Aug 10 17:28 .
drwxr-xr-x    1 root     root           3 Aug 10 17:28 ..
drwxr-xr-x    2 root     root           2 Aug 10 17:20 geoip_acccount_id
drwxr-xr-x    2 root     root           2 Aug 10 17:20 geoip_license_key
/var/lib/geoipupdate $ cat /run/secrets/geoip*
cat: read error: Is a directory
cat: read error: Is a directory
/var/lib/geoipupdate $

airbornetrooper82573 commented 1 month ago

I found one error, in your instructions you have this:

echo -n 'CHANGEME' > geoip_acccount_id
echo -n 'CHANGEME' > geoip_license_key

should be geoip_account_id without 3 c's

airbornetrooper82573 commented 1 month ago

Changed the acccount to account on the commands you sent:

root@docker:/opt/stacks/my-compose# export DOCKERDIR=/opt/stacks/my-compose
root@docker:/opt/stacks/my-compose# docker run --rm -it \
  --entrypoint /bin/ash \
  -e GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN" \
  -e GEOIPUPDATE_FREQUENCY=8 \
  -e GEOIPUPDATE_ACCOUNT_ID_FILE=/run/secrets/geoip_account_id \
  -e GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/geoip_license_key \
  -v "$DOCKERDIR/appdata/authentik/geoip/data:/usr/share/GeoIP" \
  -v "$DOCKERDIR/secrets/geoip_license_key:/run/secrets/geoip_license_key" \
  -v "$DOCKERDIR/secrets/geoip_account_id:/run/secrets/geoip_account_id" \
ghcr.io/maxmind/geoipupdate:latest
/var/lib/geoipupdate # ls -lha /run/secrets
total 2K     
drwxr-xr-x    2 root     root           4 Aug 10 17:50 .
drwxr-xr-x    1 root     root           3 Aug 10 17:50 ..
-rw-r--r--    1 root     root           7 Aug 10 17:33 geoip_account_id
-rw-r--r--    1 root     root          40 Aug 10 17:34 geoip_license_key
/var/lib/geoipupdate # cat /run/secrets/geoip*
mygeoip_account_id_and_mygeoip_license_key/var/lib/geoipupdate # exit
root@docker:/opt/stacks/my-compose#

airbornetrooper82573 commented 1 month ago

root@docker:/opt/stacks/my-compose# export DOCKERDIR=/opt/stacks/my-compose
root@docker:/opt/stacks/my-compose# docker run --rm -it \
  --user 1100:1100 \
  --entrypoint /bin/ash \
  -e GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN" \
  -e GEOIPUPDATE_FREQUENCY=8 \
  -e GEOIPUPDATE_ACCOUNT_ID_FILE=/run/secrets/geoip_account_id \
  -e GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/geoip_license_key \
  -v "$DOCKERDIR/appdata/authentik/geoip/data:/usr/share/GeoIP" \
  -v "$DOCKERDIR/secrets/geoip_license_key:/run/secrets/geoip_license_key" \
  -v "$DOCKERDIR/secrets/geoip_account_id:/run/secrets/geoip_account_id" \
ghcr.io/maxmind/geoipupdate:latest
/var/lib/geoipupdate $ ls -lha /run/secrets
total 2K     
drwxr-xr-x    2 root     root           4 Aug 10 17:56 .
drwxr-xr-x    1 root     root           3 Aug 10 17:56 ..
-rw-r--r--    1 root     root           7 Aug 10 17:33 geoip_account_id
-rw-r--r--    1 root     root          40 Aug 10 17:34 geoip_license_key
/var/lib/geoipupdate $ cat /run/secrets/geoip*
mygeoip_account_id_and_mygeoip_license_key/var/lib/geoipupdate $ exit
root@docker:/opt/stacks/my-compose#

airbornetrooper82573 commented 1 month ago

Tree:

root@docker:/opt/stacks/my-compose# tree
.
├── appdata
│   ├── authentik
│   │   └── geoip
│   │       └── data
│   └── traefik
│       ├── config
│       │   └── traefik.yaml
│       └── rules
│           ├── chain-no-auth.yaml
│           ├── middlewares-authentik.yaml
│           ├── middlewares-buffering.yaml
│           ├── middlewares-compress.yaml
│           ├── middlewares-https-redirectscheme.yaml
│           ├── middlewares-rate-limit.yaml
│           ├── middlewares-secure-headers.yaml
│           └── tls-opts.yaml
├── authentik
│   └── compose.yaml
├── compose.yaml
├── secrets
│   ├── authentik_postgresql_db
│   ├── authentik_postgresql_password
│   ├── authentik_postgresql_user
│   ├── authentik_secret_key
│   ├── cf_dns_api_token
│   ├── cf_email
│   ├── geoip_account_id
│   ├── geoip_license_key
│   ├── gmail_smtp_password
│   └── gmail_smtp_username
├── socket-proxy
│   └── compose.yaml
├── traefik
│   └── compose.yaml
└── whoami
    └── compose.yaml

13 directories, 24 files

brokenscripts commented 1 month ago

Good catch on the geoip_acccount_id to geoip_account_id. Thank you!

Once you did that, the bind mounts were successful, so your setup should be good to go now. Both cat commands worked as the files were properly mounted inside.

If you're using my setup, make sure to update your .env file to be geoip_account_id without the typo.

If that fixed everything for you, let me know so I can close this out

airbornetrooper82573 commented 1 month ago

Thanks, I keep finding more acccount references in my compose and stuff. Trying to hunt them down. I just tried to bring it up and got this:

root@docker:/opt/stacks/my-compose# docker compose up -d
service "geoipupdate" refers to undefined secret geoip_acccount_id: invalid compose project

brokenscripts commented 1 month ago

Thanks, I keep finding more acccount references in my compose and stuff. Trying to hunt them down. I just tried to bring it up and got this:

root@docker:/opt/stacks/my-compose# docker compose up -d
service "geoipupdate" refers to undefined secret geoip_acccount_id: invalid compose project

You still have the typo right there. acccount. That exists in the BASE compose.yaml. I just made that typo fix on my repo.

EDIT: That typo is in the secrets section of the base compose.yaml

airbornetrooper82573 commented 1 month ago

Thanks, I keep finding more acccount references in my compose and stuff. Trying to hunt them down. I just tried to bring it up and got this:

root@docker:/opt/stacks/my-compose# docker compose up -d
service "geoipupdate" refers to undefined secret geoip_acccount_id: invalid compose project

You still have the typo right there. acccount. That exists in the BASE compose.yaml. I just made that typo fix on my repo.

EDIT: That typo is in the secrets section of the base compose.yaml

I had fixed it, I found another reference in the authentik compose

airbornetrooper82573 commented 1 month ago

When I try to start the stack in dockge, I'm getting this:

validating /opt/stacks/my-compose/traefik/compose.yaml: services.traefik.ports.0 Additional property app_protocol is not allowed

When I run it in ssh, I'm getting this:

root@docker:/opt/stacks/my-compose# docker compose up -d
[+] Running 10/0
 ✔ Container authentik_redis       Running                                                         0.0s 
 ✔ Container socket-proxy          Running                                                         0.0s 
 ✔ Container authentik_worker      Running                                                         0.0s 
 ✔ Container authentik_server      Running                                                         0.0s 
 ✔ Container traefik               Running                                                         0.0s 
 ✔ Container whoami-catchall       Running                                                         0.0s 
 ✔ Container whoami                Running                                                         0.0s 
 ✔ Container whoami-individual     Running                                                         0.0s 
 ✔ Container authentik_postgresql  Started                                                         0.0s 
 ✔ Container geoipupdate           Started                                                         0.0s 
root@docker:/opt/stacks/my-compose#

brokenscripts commented 1 month ago

Thanks. I clearly was having a field day with that word. I fixed that change as well.

Are you using my traefik compose.yaml as is in the repo or modified? If modified please paste.

brokenscripts commented 1 month ago

A quick (and easy) fix to that is the following definition inside the traefik compose.yaml:

OLD

    ports:
      # - "80:80"           # SHORT Syntax of below verbose definition
      - name: web
        host_ip: 0.0.0.0    # All interfaces, not a specific one
        target: 80          # Container Port
        published: "80"     # STRING
        protocol: tcp       # tcp or udp
        app_protocol: http  # OPTIONAL. Layer 7 Protocol used.  "Richer behavior"
        mode: host          # or Ingress for load balancing
      - name: websecure
        host_ip: 0.0.0.0
        target: 443
        published: "443"
        protocol: tcp
        app_protocol: https
        mode: host

NEW

    ports:
      - "80:80"
      - "443:443"

airbornetrooper82573 commented 1 month ago

I changed the ports section, tried starting in dockge and got this error:

error during connect: Get "http://socket-proxy:2375/v1.24/containers/json?all=1&filters=%7B%22label%22%3A%7B%22com.docker.compose.config-hash%22%3Atrue%2C%22com.docker.compose.oneoff%3DFalse%22%3Atrue%2C%22com.docker.compose.project%3Dmy-compose%22%3Atrue%7D%7D": dial tcp: lookup socket-proxy on 127.0.0.11:53: no such host

airbornetrooper82573 commented 1 month ago

Traefik compose.yaml:

###############################################################
# Project Name
# 
# https://docs.docker.com/compose/compose-file/05-services/#security_opt
# https://docs.docker.com/compose/environment-variables/set-environment-variables/
# 
###############################################################
name: traefik
services:
# ------------------------------  
# -- Traefik 3
# -- Updated 2024-June-04
# ------------------------------
  traefik:
    image: traefik:3.0.4
    container_name: traefik
    restart: unless-stopped
    user: ${PUID}:${PGID}
    security_opt:
      - no-new-privileges=true
    depends_on:
      - socket-proxy  # Comment out if not using socket-proxy
    networks:
    # This is ONLY defined this way so that Homepage can reach this container via DNS name due to Stric>
    # Meaning this container INTERNAL TO DOCKER is only traefik, by adding the alias it is now
    # traefik AND traefik.domain.tld WITHOUT reaching to a DNS server
    # Allows containers to reach each other internally without asking out
      traefik:
          aliases:
            - traefik.${DOMAINNAME}
          #ipv4_address: 10.255.224.2
      socket_proxy:
        #ipv4_address: 172.16.224.2
    command:
      - "--configFile=/config/traefik.yaml"
    ports:
      - "80:80"
      - "443:443"
    secrets:
      - cf_dns_api_token
    environment:
      - TZ=${TZ}
      - DOMAINNAME
      ## Docker Secrets
      - CF_DNS_API_TOKEN_FILE=/run/secrets/cf_dns_api_token
    volumes:
      - "$DOCKERDIR/appdata/traefik/config:/config" # traefik.yaml
      - "$DOCKERDIR/appdata/traefik/data:/data"     # acme.json defined in traefik.yaml
      - "$DOCKERDIR/appdata/traefik/rules:/rules"   # Dynamic File Provider directory
      - "$DOCKERDIR/logs/traefik:/logs"
      ## When using Docker Socket Proxy, comment out the below direct socket access
      ## Ensure traefik.yaml matches chosen method
      # - "/var/run/docker.sock:/var/run/docker.sock:ro"
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.${DOMAINNAME}`) || Host(`traefik.traefik`)"
      - "traefik.http.routers.traefik-rtr.entrypoints=websecure"  # Defined in traefik.yaml
      #### Migrate individual service cert resolver to global resolution in traefik.yaml
      #- "traefik.http.routers.traefik-rtr.tls=true"
      #- "traefik.http.routers.traefik-rtr.tls.certresolver=le"
      #- "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME"
      #- "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME"
      ## Services - API
      - "traefik.http.routers.traefik-rtr.service=api@internal"

airbornetrooper82573 commented 1 month ago

Updated the .env with the correct account naming and tried again, still same error over socket-proxy.

brokenscripts commented 1 month ago

I'm not sure right now, I'll look into it later. That looks like weird DNS issues or a socket-proxy missing permission for dockge. You could try editing the socket-proxy compose, setting all the env vars to 1 and down/up the stack. If there's still a DNS issue I'll have to look into that.

A second option for you is by not using socket-proxy - I just like it.

airbornetrooper82573 commented 1 month ago

Tried with all set to 1:

# ------------------------------  
# -- Socket Proxy
# -- Updated 2024-June-04
# ------------------------------
name: socket-proxy # Project Name
services:
  socket-proxy:
    image: tecnativa/docker-socket-proxy:0.1.2
    container_name: socket-proxy
    restart: unless-stopped
    security_opt:
      - no-new-privileges=true
    networks:
      - socket_proxy
      #socket_proxy:
      #  ipv4_address: 172.16.224.254
    privileged: true  # true for VM.  false for unprivileged LXC container.
    #depends_on:
    #  - traefik
    ports:
      - "127.0.0.1:2375:2375"
    environment:
      - LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg
      ## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.).
      ### 0 to revoke access.
      ### 1 to grant access.
      ## Granted by Default
      - EVENTS=1
      - PING=1
      - VERSION=1
      ## Revoked by Default
      ### Security critical
      - AUTH=1
      - SECRETS=1
      - POST=1          # Watchtower
      ### Not always needed
      - BUILD=1
      - COMMIT=1
      - CONFIGS=1
      - CONTAINERS=1    # Traefik, portainer, etc.
      - DISTRIBUTION=1
      - EXEC=1
      - IMAGES=1        # Portainer
      - INFO=1          # Portainer
      - NETWORKS=1      # Portainer
      - NODES=1
      - PLUGINS=1
      - SERVICES=1      # Portainer
      - SESSION=1
      - SWARM=1
      - SYSTEM=1
      - TASKS=1         # Portainer
      - VOLUMES=1       # Portainer
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

Still getting an error on dockge: error during connect: Get "http://socket-proxy:2375/v1.24/containers/json?all=1&filters=%7B%22label%22%3A%7B%22com.docker.compose.config-hash%22%3Atrue%2C%22com.docker.compose.oneoff%3DFalse%22%3Atrue%2C%22com.docker.compose.project%3Dmy-compose%22%3Atrue%7D%7D": dial tcp: lookup socket-proxy on 127.0.0.11:53: no such host

airbornetrooper82573 commented 1 month ago

Let me know if you need to look at all my compose.yaml files to help troubleshoot. I'd like to get this working otherwise I'll have to ditch authentik.

brokenscripts commented 1 month ago

I'm honestly not sure, you might need to switch to louislam's dockge repo and post an issue for him. If it's docker in docker then I'm not sure how to solve it. It could be simply defining a docker alias for internal container usage.

Honestly at this point, I would just remove socket-proxy and all dependency on it.

airbornetrooper82573 commented 1 month ago

I use TrueNAS and use jailmaker to run a docker jail.

What would be the best way to remove socket-proxy dependency with your configs?

brokenscripts commented 1 month ago

Remove socket-proxy as a running compose. Everywhere that relies on socket-proxy, mount in the docker socket. I'm a little busy currently but I'll see if I can gen you up a set of composes w/o socket-proxy.

airbornetrooper82573 commented 1 month ago

No rush, I tried a few other tutorials and just kept getting stuck. At least for now I've got a working Traefik setup from one of Techno Tim's tutorials.

plainlytbrown commented 2 weeks ago

I think another issue could be in the .env file.

The ":" needs to change to "=" here:

AUTHENTIK_COOKIE_DOMAIN=${DOMAINNAME}
# AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS: CHANGEME_IFAPPLICABLE # Defaults to all of: 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, fe80::/10, ::1/128
DOCKER_HOST: tcp://socket-proxy:2375
#        ^^^^
# Use this if you have Socket Proxy enabled.
AUTHENTIK_EMAIL__HOST=smtp.gmail.com
AUTHENTIK_EMAIL__PORT=587

I’m not sure if this will fix my issue. But I keep getting the error in traefik that port 80 is already in use. Now that I spotted this I will change it on my end and see if it helps.