kopia / kopia

Cross-platform backup tool for Windows, macOS & Linux with fast, incremental backups, client-side end-to-end encryption, compression and data deduplication. CLI and GUI included.
https://kopia.io
Apache License 2.0

Kopia repo server crashes when launched with --without-password --insecure and client connects to it #3132

Closed silversword411 closed 1 year ago

silversword411 commented 1 year ago

Trying to get a Kopia Repository server running on Deb11.

It runs for a couple mins, and then crashes. No admin login even connected, just one kopiaui agent using as repo.

This is the crash info on the server.

kb1@kb1:/disk2$ kopia server start   --tls-cert-file ~/my.cert   --tls-key-file ~/my.key   --address 0.0.0.0:51515   --without-password --insecure
SERVER ADDRESS: https://[::]:51515
Open the address above in a web browser to use the UI.
2023/07/07 13:41:39 http: TLS handshake error from 10.0.8.62:49446: remote error: tls: unknown certificate
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0xd4486a]

goroutine 714 [running]:
github.com/kopia/kopia/internal/server.(*Server).authenticateGRPCSession(0xc000007d40, {0x1cea8c8, 0xc000724f90}, {0x7fa836805a18, 0xc0001cd080})
        /home/runner/work/kopia/kopia/internal/server/grpc_session.go:63 +0x1aa
github.com/kopia/kopia/internal/server.(*Server).Session(0xc000007d40, {0x1cf1580, 0xc00504f3c0})
        /home/runner/work/kopia/kopia/internal/server/grpc_session.go:85 +0x153
github.com/kopia/kopia/internal/grpcapi._KopiaRepository_Session_Handler({0x162f5a0?, 0xc000007d40}, {0x1cedda0?, 0xc0000190e0})
        /home/runner/work/kopia/kopia/internal/grpcapi/repository_server_grpc.pb.go:98 +0x9f
google.golang.org/grpc.(*Server).processStreamingRPC(0xc005024b40, {0x1cf2278, 0xc00027eab0}, 0xc0006cc5a0, 0xc00504b500, 0x26b9000, 0x0)
        /home/runner/go/pkg/mod/google.golang.org/grpc@v1.54.0/server.go:1639 +0x1384
google.golang.org/grpc.(*Server).handleStream(0xc005024b40, {0x1cf2278, 0xc00027eab0}, 0xc0006cc5a0, 0x0)
        /home/runner/go/pkg/mod/google.golang.org/grpc@v1.54.0/server.go:1726 +0x9f0
google.golang.org/grpc.(*Server).serveStreams.func1.2()
        /home/runner/go/pkg/mod/google.golang.org/grpc@v1.54.0/server.go:966 +0x98
created by google.golang.org/grpc.(*Server).serveStreams.func1
        /home/runner/go/pkg/mod/google.golang.org/grpc@v1.54.0/server.go:964 +0x28a

Let me know if there's other logs/info you need.

lupusA commented 1 year ago

Hi,

Is the certificate correct? It seems that it has trouble with the certificate. Maybe the path is wrong? From the command it looks like you have not specified a correct certification. Are my.key and my.cert available in your home directory?

You have to specify the path and the name of the files correctly in order to run a repository server.

Cheers,

silversword411 commented 1 year ago

> is the certificate correct?

Yes, the certs were built by kopia itself when I ran the initial command per the docs

kb1@kb1:/disk2$ kopia server start \
  --tls-generate-cert \
  --tls-cert-file ~/my.cert \
  --tls-key-file ~/my.key \
  --address 0.0.0.0:51515 \
  --server-control-username username \
  --server-control-password password

I couldn't get it to log in using the username and pass given at the command-line launch (ID: username, Pass: password). It would give me the error "UI Access denied. See https://github.com/kopia/kopia/issues/880#issuecomment-798421751 for more information.", which I'm not understanding. I thought the .htaccess password file was replaced with the new add username@hostname format.

...so I ended up using the extra flags to bypass that: --without-password --insecure

silversword411 commented 1 year ago

Looks like this crash is caused when a kopiaui client connects to the repo when it's launched in insecure mode.

After reading the entire issue 880 several times, I finally found/realized the only place I've been able to find so far that explains how to run a kopia repository server and have a login ID/pass you can use: https://github.com/kopia/kopia/issues/880#issuecomment-855291217

kopia server start --tls-cert-file ~/my.cert --tls-key-file ~/my.key --address 0.0.0.0:51515 --server-username=X --server-password=Y

Will let you log into the server with ID: X and Pass: Y

And not crash the server

lupusA commented 1 year ago

Hi @silversword411,

it is mentioned in the docs, that you can not start a repo server with flag "insecure":

Make sure you use a recent nginx version (>=1.16) and you start your kopia server with a certificate (--insecure does not work), e.g. https://kopia.io/docs/repository-server/

We may need to extend the doc to make things clearer. Can we close the issue?

Cheers,

jkowalski commented 1 year ago

Yeah, it's by design. Kopia repository server needs proper user authentication for its clients. PRs to fix the panic are welcome.
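A fail-closed guard of the kind a fix for this panic could use, as an added Go example that is not Kopia's code and not part of the original thread. It assumes (the thread does not confirm this) that the panic comes from calling a method on an authenticator that is nil when the server runs with --without-password; `Server`, `Authenticator`, `staticAuth` and `Panics` are hypothetical names.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// Authenticator is a hypothetical credential checker; assumed nil when no password is set.
type Authenticator interface{ IsValid(user, pass string) bool }

// staticAuth is a constructed in-memory user table for the demo.
type staticAuth map[string]string

func (a staticAuth) IsValid(user, pass string) bool {
	want, ok := a[user]
	return ok && subtle.ConstantTimeCompare([]byte(want), []byte(pass)) == 1
}

var ErrUnauthenticated = errors.New("unauthenticated")

type Server struct{ auth Authenticator }

// AuthenticateUnchecked calls through the interface with no nil check: nil auth panics.
func (s *Server) AuthenticateUnchecked(user, pass string) bool {
	return s.auth.IsValid(user, pass)
}

// Authenticate fails closed: a missing authenticator rejects the session with an error.
func (s *Server) Authenticate(user, pass string) error {
	if s.auth == nil {
		return fmt.Errorf("%w: no authenticator configured", ErrUnauthenticated)
	}
	if !s.auth.IsValid(user, pass) {
		return fmt.Errorf("%w: bad credentials for %q", ErrUnauthenticated, user)
	}
	return nil
}

// Panics reports whether f panicked (a stand-in for the server crash).
func Panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

func main() {
	s := &Server{} // constructed: server with authentication disabled
	fmt.Println(Panics(func() { s.AuthenticateUnchecked("u", "p") }), s.Authenticate("u", "p"))
}
```

In a real gRPC handler the returned error would map to an Unauthenticated status, so the client is refused and the server process keeps running.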

silversword411 commented 1 year ago

> We may need to extend the doc to make things clearer.

@lupusA I've been trying to get a kopia test system operational for months now in my free time, and there's lots of holes in the docs I'm trying to slowly fill. I'll PR when I get to a good spot