kopia
kopia copied to clipboard
ERROR unable to initialize repository: unable to initialize repository: error opening repository: unable to open repository: invalid repository password
I'm consistently get this error where first startup of kopia container works normally and I can setup B2 repo and syncing and everything else works fine, but the minute I restart the container I start getting this error in logs and container gets stuck in restart loop:
Server will allow connections from users whose accounts are stored in the repository.
User accounts can be added using 'kopia server user add'.
ERROR unable to initialize repository: unable to initialize repository: error opening repository: unable to open repository: invalid repository password
after that error, container restarts and gets the same error. And that loop continues indefinitely. Happens with latest stable and unstable images.
Here is the docker-compose bit for kopia:
kopia:
image: kopia/kopia
container_name: kopia
user: "0"
environment:
KOPIA_PASSWORD: SuperSecretRepositoryPassword
TZ: ${TZ}
volumes:
- ${DATADIR}/appdata/kopia/config:/app/config
- ${DATADIR}/appdata/kopia/cache:/app/cache
- ${DATADIR}/appdata/kopia/logs:/app/logs
- ${DATADIR}/appdata/kopia/scripts:/app/scripts
- ${NASDIR}/cloud:/app/backup:ro
entrypoint: ["/app/kopia", "server", "--insecure", "--address=0.0.0.0:51515", "--override-username=kopia@localhost", "--server-username=kopia@localhost", "--server-password=SuperSecretPasswordForTheWebUI","--enable-actions"]
labels:
- "traefik.enable=true"
- "traefik.http.routers.kopia.entrypoints=websecure"
- "traefik.http.routers.kopia.rule=Host(`kopia.${DOMAIN}`)"
- "traefik.http.routers.kopia.tls=true"
- "traefik.http.services.kopia.loadbalancer.server.port=51515"
restart: always
I have the same issue too. Here's my compose file:
services:
kopia:
container_name: kopia
image: kopia/kopia:unstable # using unstable as I want to use bash scripts for actions
command:
- server
- start
- --ui
- --insecure
- --disable-csrf-token-checks
- --address=0.0.0.0:51515
- --server-username=${KOPIA_USERNAME}@${KOPIA_HOSTNAME}
- --server-password=${KOPIA_PASSWORD}
- --enable-actions
user: "0:0"
domainname: ${KOPIA_USERNAME}
hostname: ${KOPIA_HOSTNAME}
networks:
main:
ports:
- "51515:51515"
environment:
TZ: Europe/London
USER: ${KOPIA_USERNAME}
KOPIA_PASSWORD: ${KOPIA_PASSWORD}
KOPIA_PERSIST_CREDENTIALS_ON_CONNECT: true
volumes:
# ! Base mounts
- ./volumes/kopia/config:/app/config
- ./.tmp/kopia:/app/cache
- ./volumes/kopia/logs:/app/logs
# ! Extra mounts
- ./scripts/pipes/kopia.pipe:/app/docker.pipe
- ./extra/scripts/kopia:/app/scripts
# ! Backup mounts
- ./secrets:/app/backup/secrets:ro
- ./volumes:/app/backup/volumes:ro
restart: unless-stopped
Looking at repository.config
it has all the correct information, and base64 decoding the contents of repository.config.kopia-password
returns the correct password. There is also a repository.config.mlock
which I don't know the purpose of but is empty
After looking properly at my compose file again after pasting it here, I realised I had the wrong password in the KOPIA_PASSWORD
environment variable (I was using the server password password variable instead of the repository password one) so I don't actually have the issue anymore
After looking properly at my compose file again after pasting it here, I realised I had the wrong password in the KOPIA_PASSWORD environment variable (I was using the server password password variable instead of the repository password one) so I don't actually have the issue anymore
I came here with the same issue, and this fixed it for me as well.
Ok same thing seems to be the issue for me as well. But in my defense the entering repository password in the WebUI is a bit unintuitive. This is how it looks:
since you are asked to enter the password and then confirm it, that step makes it seem like you are creating a new password specifically for that repository. BUT in reality what it is asking for is the same password you supplied to KOPIA_PASSWORD
in docker compose file. For some reason it just asks you to enter it twice.
I'm also not sure why the repository password is asked in the first place during the UI setup, as you have already provided it via environment variable.
I have the same issue too. Here's my compose file:
services: kopia: container_name: kopia image: kopia/kopia:unstable # using unstable as I want to use bash scripts for actions command: - server - start - --ui - --insecure - --disable-csrf-token-checks - --address=0.0.0.0:51515 - --server-username=${KOPIA_USERNAME}@${KOPIA_HOSTNAME} - --server-password=${KOPIA_PASSWORD} - --enable-actions user: "0:0" domainname: ${KOPIA_USERNAME} hostname: ${KOPIA_HOSTNAME} networks: main: ports: - "51515:51515" environment: TZ: Europe/London USER: ${KOPIA_USERNAME} KOPIA_PASSWORD: ${KOPIA_PASSWORD} KOPIA_PERSIST_CREDENTIALS_ON_CONNECT: true volumes: # ! Base mounts - ./volumes/kopia/config:/app/config - ./.tmp/kopia:/app/cache - ./volumes/kopia/logs:/app/logs # ! Extra mounts - ./scripts/pipes/kopia.pipe:/app/docker.pipe - ./extra/scripts/kopia:/app/scripts # ! Backup mounts - ./secrets:/app/backup/secrets:ro - ./volumes:/app/backup/volumes:ro restart: unless-stopped
Looking at
repository.config
it has all the correct information, and base64 decoding the contents ofrepository.config.kopia-password
returns the correct password. There is also arepository.config.mlock
which I don't know the purpose of but is emptyAfter looking properly at my compose file again after pasting it here, I realised I had the wrong password in the
KOPIA_PASSWORD
environment variable (I was using the server password password variable instead of the repository password one) so I don't actually have the issue anymore
Thanks, this was helpful in my setup.
version: '3.3'
services:
kopia:
image: 'kopia/kopia:latest'
container_name: kopia
hostname: '${KOPIA_HOSTNAME}'
restart: unless-stopped
user: '1000:1000'
ports:
- '51515:51515'
command:
- server
- start
- '--ui'
- '--insecure'
- '--disable-csrf-token-checks'
- '--address=0.0.0.0:51515'
- '--server-username=${KOPIA_USERNAME}@${KOPIA_HOSTNAME}'
- '--server-password=${KOPIA_REPOSITORY_PASSWORD}'
environment:
- TZ=Europe/Bucharest
- USER=${KOPIA_USERNAME}
- 'KOPIA_PASSWORD=${KOPIA_USER_PASSWORD}'
- KOPIA_PERSIST_CREDENTIALS_ON_CONNECT=true
volumes:
# ! Base mounts
- './config:/app/config'
- './cache/dir:/app/cache'
- './logs:/app/logs'
# ! Backup mounts
- '/mnt/host-data:/backuproot:ro'
networks:
- proxy-network
networks:
proxy-network:
external: true
I found it strange how the passwords are mapped.
In my case KOPIA_PASSWORD
is actually the password of the user I have added with kopia server users add
to be able to connect to the server, which Is why I have it as KOPIA_USER_PASSWORD
.
Then the --server-password
is actually the password I set for the repository when I have created it, but also of the Web UI.
Lastly, in my case the USER
is the name of the user with UID:GID 1000:1000.
I'm closing this one out as this was reported on Slack as having been addressed/answered. Please feel free to ping me or reopen if there is still an open question.
This is a UX bug. Since there are multiple repositories, why do we only need to supply one password?
Hello, I'm really struggling with all this. If anyone could help out that'd be much appreciated, it's driving me insane :upside_down_face:.
I've picked up the default docker compose file here.
When I start the container the first time, it's all good. If I boot it up for the first time, and restart it, it's all good. But then, if I add a S3 repo and I can see on the UI I've got access to previous backups, without doing anything else, if I put down my docker compose and up it up straight after, I always end up with this error:
ERROR unable to initialize repository: unable to initialize repository: error opening repository: get password: password prompt error: inappropriate ioctl for device
Enter password to open repository:
Server will allow connections from users whose accounts are stored in the repository.
User accounts can be added using 'kopia server user add'.
I suspect I'm missing something with the environment
for both KOPIA_PASSWORD
and USER
. What is this for?! I understand the server-username
argument and the server-password
which both seem to be for the web UI.
But the env variables KOPIA_PASSWORD
and USER
? I've got no clue :exploding_head:. Am I supposed to put the password I've used to encrypt my data before sending to S3? But then what about the user? The S3 user?
I'm tried so many configurations and nothing worked for me, it's a shame I'm quite desperate to switch to Kopia but this is really holding me back as I'm not able to make it work after a restart.
Any help would be much appreciated.
If that helps, my docker compose is like this:
version: '3.7'
services:
kopia:
image: kopia/kopia:latest
hostname: my-hostname
container_name: kopia
restart: unless-stopped
ports:
- 51515:51515
# Setup the server that provides the web gui
command:
- server
- start
- --disable-csrf-token-checks
- --insecure
- --address=0.0.0.0:51515
- --server-username=my-username
- --server-password=ui-password
environment:
- KOPIA_PASSWORD=SOME_PASSWORD
- USER=User
volumes:
# Mount local folders needed by kopia
- ${PWD}/kopia/config/dir:/app/config
- ${PWD}/kopia/cache/dir:/app/cache
- ${PWD}/kopia/logs/dir:/app/logs
# Mount local folders to snapshot
- ${PWD}/kopia-files:/data:ro
# Mount repository location
- ${PWD}/kopia/repository/dir:/repository
# Mount path for browsing mounted snaphots
- ${PWD}/kopia/tmp/dir:/tmp:shared
Then:
-
docker compose up -d
- connect to S3 backend (can use local Minio for example)
-
docker compose down
-
docker compose up -d
-
docker compose logs kopia
--> you'll see errors in the logs :shrug:
Reopening this as there are folks still running into issues.
Hi @maxime1992 the environment variable KOPIA_PASSWORD is the repository password you need to provide to the docker container in case it should connect after a restart.
You can ping me on slack and we will get this :-)
Cheers,
I was having this same issue and was able to get it working.
After having a look through the code, it seems like we have some redundant credential setting.
the --server-password
flag and KOPIA_PASSWORD
environment variable seems to be causing some weird behavior when used together.
Here are my steps:
- Stop Kopia container
- Remove environment variable
KOPIA_PASSWORD
, make sure to set password in--server-password
flag - Remove environment variable
USER
, make sure to set password in--server-username
flag - I opted to nuke my full Kopia config volume at this point
- Restart Kopia container
- Configure s3 repository
- Run task to verify function
- Stop Kopia container
- Restart Kopia container
- Run task to verify function
Works (on my machine anyway)
Yup sorry I forgot to report back here but thanks to @lupusA on the slack channel I was able to get it working.
Also, I believe that if https://github.com/kopia/kopia/issues/2976 is agreed on, the ambiguous flag should be gone and this issue might be closed as a side effect
Hi @vmorganp,
in general, "server-password" is used to provide a password to the basic authentification which you need to enter (see https://kopia.io/docs/reference/command-line/common/server-start/)
The environment variable KOPIA_PASSWORD contains the password for the repository the docker container should connect to. From my experience, both variables should be independet and not interfere with another.
One is used for the basic authentification, the other is used for the repository.
Cheers,
UPDATE 2: Scratch my previous update. This still works. My issue was with my password - I must have used a character that caused problems. I set everything up from scratch with a different password and now things work as they should.
~~UPDATE: Ignore the following. I was sure I had tested everything and that my issue was solved. But it wasn't. The error reappeared. I'm still looking for a solution. As it stands, Kopia is unusable for me. :-(~~
since you are asked to enter the password and then confirm it, that step makes it seem like you are creating a new password specifically for that repository. BUT in reality what it is asking for is the same password you supplied to
KOPIA_PASSWORD
in docker compose file. For some reason it just asks you to enter it twice.
This hint solved it for me! Once I set everything up fresh and used KOPIA_PASSWORD
in the web UI, everything is fine.
I'm also not sure why the repository password is asked in the first place during the UI setup, as you have already provided it via environment variable.
I guess the environment variable only becomes relevant AFTER the repository has been set up in the web UI. Then, after a container restart, it is required to access the repository.
Considering how many people are running into this issue, it should probably be documented better somewhere. A hint in the web UI to use the password from KOPIA_PASSWORD
could already be enough.
I was having the same issue but was able to solve it after checking the answers here.
I believe the variable naming is confusing in the current description and examples.
Here is how I have set it, to avoid confusion.
version: '3.7'
services:
kopia:
image: kopia/kopia:latest
hostname: $HOSTNAME
container_name: kopia
restart: unless-stopped
env_file: .env
cap_add:
- SYS_ADMIN
security_opt:
- apparmor:unconfined
devices:
- /dev/fuse:/dev/fuse:rwm
ports:
- 51515:51515
# Setup the server that provides the web gui
command:
- server
- start
- --disable-csrf-token-checks
#- --insecure
- --tls-generate-cert
- --address=0.0.0.0:51515
- --log-level=debug
- --server-username=$WEB_USER
- --server-password=$WEB_PASS
environment:
## Set repository password
KOPIA_PASSWORD: $KOPIA_PASSWORD
TZ: $TZ
volumes:
# Mount local folders needed by kopia
- .docker/kopia/config:/app/config
- .docker/kopia/cache:/app/cache
- .docker/kopia/logs:/app/logs
- .docker/kopia/rclone:/app/rclone
# Mount local folders to snapshot
- /mnt/media:/data:ro
# Mount repository location
- /mnt/snapshots:/repository
# Mount path for browsing mounted snaphots
#- /path/to/tmp/dir:/tmp:shared
A .env file is also needed, with the actual values for all those variables.
I also would like to ask if it is possible to run the docker without having to open a repository, or setting a password as a variable. I can see that when the docker runs for the first time, the web-server asks you to create or open an existing repository. Either way, this password MUST be used as the KOPIA_PASSWORD variable.
I think it might be better if this password is stored in the configuration file in Kopia, after being created through the web (or access it if it's an existing one). If there's an error when trying to connect everytime the containers starts, it must promt to the same page as it was the first time running it. This might also help in cases when using different repositories, from the same server.
In my case, I really don't mind having to access again the repository, from the web interface, everytime the container is started (as this usually won't happen unless an error with the server itself).