passbolt / passbolt_docker

Get started with Passbolt CE using docker!
https://passbolt.com
GNU Affero General Public License v3.0

Nginx does not work if the host system disables the IPv6 protocol #193

Closed vintury closed 1 year ago

vintury commented 1 year ago

How to reproduce: Disable ipv6 on boot:

cat /etc/lsb-release 

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu 22.04.2 LTS"

cat /etc/default/grub

GRUB_DEFAULT=0
GRUB_TIMEOUT_STYLE=hidden
GRUB_TIMEOUT=0
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT=""
GRUB_CMDLINE_LINUX="audit=1 ipv6.disable=1 cgroup.memory=nokmem crashkernel=auto cloud-init=disabled apparmor=1 security=apparmor audit_backlog_limit=8192"

Installation:

wget "https://download.passbolt.com/ce/docker/docker-compose-ce.yaml"
wget "https://github.com/passbolt/passbolt_docker/releases/latest/download/docker-compose-ce-SHA512SUM.txt"
sha512sum -c docker-compose-ce-SHA512SUM.txt && echo "Checksum OK" || (echo "Bad checksum. Aborting" && rm -f docker-compose-ce.yaml)
docker-compose -f docker-compose-ce.yaml up -d

Logs:

docker logs passbolt-passbolt-1 -f

wait-for.sh: waiting for db:3306 without a timeout
wait-for.sh: db:3306 is available after 7 seconds
==================================================================================
  Your entropy pool is low. This situation could lead GnuPG to not
  be able to create the gpg serverkey so the container start process will hang
  until enough entropy is obtained.
  Please consider installing rng-tools and/or virtio-rng on your host as the
  preferred method to generate random numbers using a TRNG.
  If rngd (rng-tools) does not provide enough or fast enough randomness you could
  consider installing haveged as a helper to speed up this process.
  Using haveged as a replacement for rngd is not recommended. You can read more
  about this topic here: https://lwn.net/Articles/525459/
==================================================================================
gpg: keybox '/var/lib/passbolt/.gnupg/pubring.kbx' created
gpg: /var/lib/passbolt/.gnupg/trustdb.gpg: trustdb created
gpg: key 1939D1FE9A433345 marked as ultimately trusted
gpg: directory '/var/lib/passbolt/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/var/lib/passbolt/.gnupg/openpgp-revocs.d/A371FFEBF2A6FE01C370A5881939D1FE9A433345.rev'
gpg: key 1939D1FE9A433345: "Passbolt default user <passbolt@yourdomain.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg: key 1939D1FE9A433345: "Passbolt default user <passbolt@yourdomain.com>" not changed
gpg: key 1939D1FE9A433345: secret key imported
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:  secret keys unchanged: 1
Generating a RSA private key
.++++
.........................................++++
writing new private key to '/etc/ssl/certs/certificate.key'
-----
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
Installing passbolt
     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   
 Open source password manager for teams
-------------------------------------------------------------------------------
Running baseline checks, please wait...
Critical healthchecks are OK
Cleaning up existing tables if any.
-------------------------------------------------------------------------------
0 tables dropped
Install the schema and default data.
-------------------------------------------------------------------------------
using migration paths 
 - /etc/passbolt/Migrations
using seed paths 
using environment default
using adapter mysql
using database passbolt
ordering by creation time
 == 20170830064410 V162InitialMigration: migrating
 == 20170830064410 V162InitialMigration: migrated 0.4989s
 == 20170830065037 V200ActiveMustBeBoolean: migrating
 == 20170830065037 V200ActiveMustBeBoolean: migrated 0.1367s
 == 20170830065038 V200DropUnusedProfileFields: migrating
 == 20170830065038 V200DropUnusedProfileFields: migrated 0.0294s
 == 20170830065039 V200IncreaseEmailSize: migrating
 == 20170830065039 V200IncreaseEmailSize: migrated 0.1239s
 == 20170830065040 V200DropUnusedCreatedBy: migrating
 == 20170830065040 V200DropUnusedCreatedBy: migrated 0.4067s
 == 20170830065041 V200MigrateUUID: migrating
 == 20170830065041 V200MigrateUUID: migrated 1.0591s
 == 20170830065042 V200MigrateKeyField: migrating
 == 20170830065042 V200MigrateKeyField: migrated 0.0072s
 == 20171002061834 V200DropUnusedResourceFields: migrating
 == 20171002061834 V200DropUnusedResourceFields: migrated 0.0302s
 == 20171006141922 V200AddFavoriteModifiedField: migrating
 == 20171006141922 V200AddFavoriteModifiedField: migrated 0.0065s
 == 20171009093000 V200DropUnusedPermissionTypesTable: migrating
 == 20171009093000 V200DropUnusedPermissionTypesTable: migrated 0.0039s
 == 20171009093001 V200MigrateEmailsTable: migrating
 == 20171009093001 V200MigrateEmailsTable: migrated 0.0337s
 == 20171009093002 V200MigrateFileStorageTable: migrating
 == 20171009093002 V200MigrateFileStorageTable: migrated 0.0288s
 == 20171025154754 V200AddCommentsUserIdField: migrating
 == 20171025154754 V200AddCommentsUserIdField: migrated 0.0078s
 == 20180102065042 V200MigrateForeignIdField: migrating
 == 20180102065042 V200MigrateForeignIdField: migrated 0.0103s
 == 20180102180000 V200DropUnusedTables: migrating
 == 20180102180000 V200DropUnusedTables: migrated 0.0045s
 == 20180102221500 V200AddMissingTablesIndexes: migrating
 == 20180102221500 V200AddMissingTablesIndexes: migrated 0.0054s
 == 20180413171600 V202ForceColumnsCharset: migrating
 == 20180413171600 V202ForceColumnsCharset: migrated 0.1243s
 == 20180503135810 V210InstallAccountSettingsPlugin: migrating
 == 20180503135810 V210InstallAccountSettingsPlugin: migrated 0.0269s
 == 20180930151500 V240AddAuthenticationTokenType: migrating
 == 20180930151500 V240AddAuthenticationTokenType: migrated 0.0135s
 == 20181002171600 V240ExtendAccountSettingsPlugin: migrating
 == 20181002171600 V240ExtendAccountSettingsPlugin: migrated 0.0464s
 == 20181024124300 V250ChangeMfaAccountSettingsDataFormat: migrating
 == 20181024124300 V250ChangeMfaAccountSettingsDataFormat: migrated 0.0590s
 == 20181210170000 V270AddMissingIndexes: migrating
 == 20181210170000 V270AddMissingIndexes: migrated 0.0612s
 == 20190106170300 V280AdditionalEmailMigration: migrating
 == 20190106170300 V280AdditionalEmailMigration: migrated 0.0310s
 == 20190106170301 V280AdditionalFileStorageMigration: migrating
 == 20190106170301 V280AdditionalFileStorageMigration: migrated 0.0372s
 == 20190106170302 V280FileDirectoryPathsMigrations: migrating
 == 20190106170302 V280FileDirectoryPathsMigrations: migrated 0.0285s
 == 20190112124290 V270AddActionsTable: migrating
 == 20190112124290 V270AddActionsTable: migrated 0.0295s
 == 20190112124300 V270AddActionLogsTable: migrating
 == 20190112124300 V270AddActionLogsTable: migrated 0.0284s
 == 20190121111100 V270AddEntitiesHistoryTable: migrating
 == 20190121111100 V270AddEntitiesHistoryTable: migrated 0.0268s
 == 20190121121100 V270AddPermissionsHistoryTable: migrating
 == 20190121121100 V270AddPermissionsHistoryTable: migrated 0.0351s
 == 20190211124300 V270AddSecretsHistoryTable: migrating
 == 20190211124300 V270AddSecretsHistoryTable: migrated 0.0361s
 == 20190221124300 V270AddSecretAccessesTable: migrating
 == 20190221124300 V270AddSecretAccessesTable: migrated 0.0256s
 == 20190512115400 V2100AddOrganizationSettingsTable: migrating
 == 20190512115400 V2100AddOrganizationSettingsTable: migrated 0.0188s
 == 20190623143400 V2110ExtendKeyIdSizeField: migrating
 == 20190623143400 V2110ExtendKeyIdSizeField: migrated 0.0072s
 == 20190923103000 V2120UpdateEmailQueue: migrating
 == 20190923103000 V2120UpdateEmailQueue: migrated 0.0619s
 == 20191119160000 V2120DropUnusedTables: migrating
 == 20191119160000 V2120DropUnusedTables: migrated 0.0462s
 == 20200108135000 V2130DropLegacyAnonymousUser: migrating
 == 20200108135000 V2130DropLegacyAnonymousUser: migrated 0.0046s
 == 20200319135000 V2130SoftDeleteGpgKeysForSoftDeletedUsers: migrating
 == 20200319135000 V2130SoftDeleteGpgKeysForSoftDeletedUsers: migrated 0.0040s
 == 20200501182000 V2130ReconcileLoginHistory: migrating
 == 20200501182000 V2130ReconcileLoginHistory: migrated 0.0034s
 == 20200806110200 V300ExtendSecretsDataField: migrating
 == 20200806110200 V300ExtendSecretsDataField: migrated 0.0538s
 == 20200806110201 V300AddResourceTypeIdField: migrating
 == 20200806110201 V300AddResourceTypeIdField: migrated 0.0171s
 == 20200806110202 V300AddResourceTypesTable: migrating
 == 20200806110202 V300AddResourceTypesTable: migrated 0.0187s
 == 20200806110203 V300AddResourceTypesDefaultData: migrating
 == 20200806110203 V300AddResourceTypesDefaultData: migrated 0.0154s
 == 20200806110204 V300AddResourceTypesToResources: migrating
 == 20200806110204 V300AddResourceTypesToResources: migrated 0.0038s
 == 20200824191900 V2136CleanupUnusedActionLogs: migrating
 == 20200824191900 V2136CleanupUnusedActionLogs: migrated 0.0096s
 == 20200824191901 V2136AddActionLogsRelatedIndexes: migrating
 == 20200824191901 V2136AddActionLogsRelatedIndexes: migrated 0.0866s
 == 20201221093528 V300DeleteMetadataOfSoftDeletedResources: migrating
 == 20201221093528 V300DeleteMetadataOfSoftDeletedResources: migrated 0.0145s
 == 20210111163200 V300AddActionLogsExtraIndex: migrating
 == 20210111163200 V300AddActionLogsExtraIndex: migrated 0.0209s
 == 20210121141742 V320AddAvatarsTable: migrating
 == 20210121141742 V320AddAvatarsTable: migrated 0.0282s
 == 20210125212543 V320TransferFileStorageToAvatars: migrating
 == 20210125212543 V320TransferFileStorageToAvatars: migrated 0.0103s
 == 20210206521254 V320DropFileStorage: migrating
 == 20210206521254 V320DropFileStorage: migrated 0.0516s
 == 20210329110000 V320FixResourceTypesDefaultData: migrating
 == 20210329110000 V320FixResourceTypesDefaultData: migrated 0.0188s
 == 20210427124200 V330AddMobileTransferTable: migrating
 == 20210427124200 V330AddMobileTransferTable: migrated 0.0366s
 == 20211027202137 V331ConvertEmailVariablesToJson: migrating
 == 20211027202137 V331ConvertEmailVariablesToJson: migrated 0.0081s
 == 20211121231300 V340MigrateASCIIFieldsEncoding: migrating
 == 20211121231300 V340MigrateASCIIFieldsEncoding: migrated 3.0629s
 == 20211122732400 V350ConvertIdFieldsToUuidFields: migrating
 == 20211122732400 V350ConvertIdFieldsToUuidFields: migrated 0.1293s
 == 20211215180000 V350RemovePermissionsTypeIndex: migrating
 == 20211215180000 V350RemovePermissionsTypeIndex: migrated 0.0267s
 == 20211215180001 V350AddPermissionsCombinedIndex: migrating
 == 20211215180001 V350AddPermissionsCombinedIndex: migrated 0.0306s
 == 20220103180000 V350IncreaseResourcesNameUsernameColumnsSize: migrating
 == 20220103180000 V350IncreaseResourcesNameUsernameColumnsSize: migrated 0.0081s
 == 20220103180001 V350IncreaseResourcesNameUsernameLengthInResourceTypes: migrating
 == 20220103180001 V350IncreaseResourcesNameUsernameLengthInResourceTypes: migrated 0.0130s
 == 20220405232411 V360RemoveAuthLoginLoginGetActionFromLogs: migrating
 == 20220405232411 V360RemoveAuthLoginLoginGetActionFromLogs: migrated 0.0174s
 == 20220405234003 V360RemoveAuthCheckSessionCheckSessionGetFromLogs: migrating
 == 20220405234003 V360RemoveAuthCheckSessionCheckSessionGetFromLogs: migrated 0.0064s
 == 20220405234359 V360RemoveAuthIsAuthenticatedIsAuthenticatedFromLogs: migrating
 == 20220405234359 V360RemoveAuthIsAuthenticatedIsAuthenticatedFromLogs: migrated 0.0090s
 == 20220802151030 V380AlterNameAndSlugOnResourceTypes: migrating
 == 20220802151030 V380AlterNameAndSlugOnResourceTypes: migrated 0.0995s
 == 20220802151740 V380TrimSpacesOnResourceTypesNameAndSlug: migrating
 == 20220802151740 V380TrimSpacesOnResourceTypesNameAndSlug: migrated 0.0172s
 == 20220913233909 V380SaveSmtpSettingsInDb: migrating
2023-03-13 08:15:10 info: SMTP Settings were detected in env.
 == 20220913233909 V380SaveSmtpSettingsInDb: migrated 0.0357s
 == 20220922082044 V380SaveMfaOrganizationSettingsInDb: migrating
 == 20220922082044 V380SaveMfaOrganizationSettingsInDb: migrated 0.0300s
 == 20230202094451 V3110SaveMfaOrganizationSettingsInDbInDuoV4Format: migrating
 == 20230202094451 V3110SaveMfaOrganizationSettingsInDbInDuoV4Format: migrated 0.0084s
All Done. Took 7.1285s
Import the server private key in the keyring
-------------------------------------------------------------------------------
Importing /etc/passbolt/gpg/serverkey_private.asc
Keyring init OK
Passbolt installation success! Enjoy! ☮
Enjoy! ☮
/usr/lib/python3/dist-packages/supervisor/options.py:474: UserWarning: Supervisord is running as root and it is searching for its configuration file in default locations (including its current working directory); you probably want to specify a "-c" argument specifying an absolute path to a configuration file for improved security.
  self.warnings.warn(
2023-03-13 08:15:11,248 CRIT Supervisor is running as root.  Privileges were not dropped because no user is specified in the config file.  If you intend to run as root, you can set user=root in the config file to avoid this message.
2023-03-13 08:15:11,248 INFO Included extra file "/etc/supervisor/conf.d/cron.conf" during parsing
2023-03-13 08:15:11,248 INFO Included extra file "/etc/supervisor/conf.d/nginx.conf" during parsing
2023-03-13 08:15:11,248 INFO Included extra file "/etc/supervisor/conf.d/php.conf" during parsing
2023-03-13 08:15:11,263 INFO RPC interface 'supervisor' initialized
2023-03-13 08:15:11,264 CRIT Server 'unix_http_server' running without any HTTP authentication checking
2023-03-13 08:15:11,265 INFO supervisord started with pid 1
2023-03-13 08:15:12,269 INFO spawned: 'php-fpm' with pid 178
2023-03-13 08:15:12,275 INFO spawned: 'nginx' with pid 179
2023-03-13 08:15:12,279 INFO spawned: 'cron' with pid 180
nginx: [emerg] socket() [::]:80 failed (97: Address family not supported by protocol)
2023-03-13 08:15:12,401 INFO exited: nginx (exit status 1; not expected)
[13-Mar-2023 08:15:12] NOTICE: fpm is running, pid 178
[13-Mar-2023 08:15:12] NOTICE: ready to handle connections
[13-Mar-2023 08:15:12] NOTICE: systemd monitor interval set to 10000ms
2023-03-13 08:15:13,495 INFO success: php-fpm entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2023-03-13 08:15:13,498 INFO spawned: 'nginx' with pid 183
2023-03-13 08:15:13,499 INFO success: cron entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
nginx: [emerg] socket() [::]:80 failed (97: Address family not supported by protocol)
2023-03-13 08:15:14,544 INFO success: nginx entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2023-03-13 08:15:14,544 INFO exited: nginx (exit status 1; not expected)
2023-03-13 08:15:15,548 INFO spawned: 'nginx' with pid 184
nginx: [emerg] socket() [::]:80 failed (97: Address family not supported by protocol)
2023-03-13 08:15:16,572 INFO success: nginx entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2023-03-13 08:15:16,573 INFO exited: nginx (exit status 1; not expected)
2023-03-13 08:15:17,576 INFO spawned: 'nginx' with pid 185
nginx: [emerg] socket() [::]:80 failed (97: Address family not supported by protocol)
2023-03-13 08:15:17,599 INFO exited: nginx (exit status 1; not expected)
2023-03-13 08:15:18,603 INFO spawned: 'nginx' with pid 186
nginx: [emerg] socket() [::]:80 failed (97: Address family not supported by protocol)
2023-03-13 08:15:18,619 INFO exited: nginx (exit status 1; not expected)
2023-03-13 08:15:20,625 INFO spawned: 'nginx' with pid 187
nginx: [emerg] socket() [::]:80 failed (97: Address family not supported by protocol)
2023-03-13 08:15:20,646 INFO exited: nginx (exit status 1; not expected)
2023-03-13 08:15:23,652 INFO spawned: 'nginx' with pid 188
nginx: [emerg] socket() [::]:80 failed (97: Address family not supported by protocol)
2023-03-13 08:15:23,676 INFO exited: nginx (exit status 1; not expected)
2023-03-13 08:15:23,676 INFO gave up: nginx entered FATAL state, too many start retries too quickly
garrettboone commented 1 year ago

Meant as a contribution to the issue: as an idea for how to check, since curl is often installed by default on Linux systems, maybe:

$ curl -6 https://passbolt.com
curl: (6) Couldn't resolve host 'passbolt.com'

Could be checked before starting supervisor? Maybe also a new env variable like PASSBOLT_HOST_IPV6_DISABLED (boolean, default is FALSE).

EDIT: Docker compose file already seems to be overwriting with ipv4 only for 443. (But not 80?) https://github.com/passbolt/passbolt_docker/blob/e51a518db14d0254d4a4747084eee124fcb1bdbc/debian/Dockerfile#L35

dlen commented 1 year ago

Hello everyone!

Thanks for the feedback @vintury! I think the best would be to mount a specific nginx configuration file disabling ipv6 to support your use case.

@garrettboone The line you posted is not overwriting, it is adding ipv4 to the SSL snippet (note the /a command of sed). /etc/nginx/sites-enabled/nginx-passbolt.conf contains the listen for the default port 80 that supports ipv4 and ipv6. I'm saying it is the best way to do it, but I don't remember the reason behind it at the moment.

We try to accommodate all use cases supporting ipv6 and ipv4 on HTTPS/HTTP using /etc/nginx/snippets/passbolt-ssl.conf and /etc/nginx/sites-enabled/nginx-passbolt.conf. This way people can do full SSL to the container or do SSL offloading if they wish.

I'm not very enthusiastic about doing the ipv6 detection. Especially when users could mount the nginx configuration files they want to support their use cases.

garrettboone commented 1 year ago

@dlen You're right, missed that. I think certbot maybe needs ipv6?

@vintury Here's a related forum post: https://community.passbolt.com/t/cannot-run-passbolt-from-docker/4310/3 If you look for the post in the thread that is the solution, it suggests mounting an external nginx config file with the settings you need.
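The two suggestions in this thread, detecting whether the kernel has IPv6 before nginx starts and shipping an IPv4-only nginx configuration, as one added example script. It is not part of passbolt_docker or of the solution linked above. It assumes IPv6 availability can be read from /proc/sys/net/ipv6 (the directory is absent after booting with ipv6.disable=1, and conf/all/disable_ipv6 reads 1 when IPv6 was switched off by sysctl or by the container network), and that nginx's IPv6 listeners are written as "listen [::]:PORT ...;", as in the files dlen names. It goes slightly beyond the thread: instead of deleting every IPv6 listen line it drops the line only when an IPv4 listen for the same port already exists (nginx rejects duplicate listens), and otherwise rewrites it to IPv4 so no port silently stops being served. The sample configuration inside the script is constructed, not the real nginx-passbolt.conf.

```shell
#!/bin/sh
# Added example for passbolt_docker issue #193; not project code.
# Assumptions: IPv6 state is visible under /proc/sys/net/ipv6, and nginx
# IPv6 listeners look like "listen [::]:PORT ...;".

# Exit 0 when this kernel (shared by the host and every container) cannot
# create IPv6 sockets, which is what makes "socket() [::]:80" fail.
ipv6_disabled() {
  [ -d /proc/sys/net/ipv6 ] || return 0            # ipv6.disable=1: no module at all
  f=/proc/sys/net/ipv6/conf/all/disable_ipv6
  if [ -r "$f" ] && [ "$(cat "$f")" = "1" ]; then  # disabled via sysctl / docker network
    return 0
  fi
  return 1
}

# Rewrite an nginx config from stdin so it binds IPv4 only:
#  - "listen [::]:PORT" with a plain "listen PORT" twin is dropped
#    (keeping both would give nginx a duplicate listen error);
#  - "listen [::]:PORT" without a twin becomes "listen PORT".
strip_ipv6_listen() {
  awk '
    { lines[NR] = $0 }
    # first collect ports that already have an IPv4 listen directive
    /^[[:space:]]*listen[[:space:]]+[0-9]+([[:space:];]|$)/ {
      port = $2; sub(/[^0-9].*/, "", port); v4[port] = 1
    }
    END {
      for (i = 1; i <= NR; i++) {
        line = lines[i]
        if (line ~ /^[[:space:]]*listen[[:space:]]+\[::\]:[0-9]+/) {
          port = line
          sub(/^[[:space:]]*listen[[:space:]]+\[::\]:/, "", port)
          sub(/[^0-9].*/, "", port)
          if (port in v4) continue       # IPv4 twin exists: drop the IPv6 line
          sub(/\[::\]:/, "", line)       # lone IPv6 listener: make it IPv4
        }
        print line
      }
    }'
}

# Constructed sample (not the real passbolt config): a dual-stack HTTP block
# and an IPv6-only HTTPS listener.
SAMPLE_CONF='server {
    listen 80;
    listen [::]:80;
    server_name _;
}
server {
    listen [::]:443 ssl http2;
    server_name _;
}'

# Returns the rewritten sample; lets the rewrite be checked without real files.
rewrite_sample() {
  printf '%s\n' "$SAMPLE_CONF" | strip_ipv6_listen
}

# Usage: sh ipv4_only_nginx.sh /etc/nginx/sites-enabled/nginx-passbolt.conf > nginx-passbolt.conf
# Prints the file unchanged when IPv6 is available, rewritten when it is not.
main() {
  if ipv6_disabled; then
    strip_ipv6_listen < "$1"
  else
    cat "$1"
  fi
}

if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Run it against a copy of the two files dlen names (/etc/nginx/sites-enabled/nginx-passbolt.conf and /etc/nginx/snippets/passbolt-ssl.conf, taken from the image with docker cp), then mount the rewritten copies read-only over the same paths in the compose file, which is the workaround the thread settles on; the detection half only decides whether the rewrite is needed, it does not change anything inside the image.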

dlen commented 1 year ago

> @dlen You're right, missed that. I think certbot maybe needs ipv6?

If I'm not wrong support for ipv6 was a user request a long time ago.

vintury commented 1 year ago

Thank you. This workaround helped me. Maybe you can fix this in your image?

dlen commented 1 year ago

I'm closing this; we are not likely to include this in the passbolt images unless there is a significant demand.