Docker issue with certain flags
nicnatros opened this issue · 24 comments
I'm using traefik-certs-dumper in a Docker container. When I add certain flags to the entrypoint the app breaks.
The below works.
sh,-c, apk add jq ; while ! [ -e /data/acme.json ] || ! [ `jq ".[] | .Certificates | length" /data/acme.json` != 0 ]; do sleep 1 ; done && traefik-certs-dumper file --version v2 --watch --source /data/acme.json --dest /data/certs
When I add the extra flags it breaks.
sh,-c, apk add jq ; while ! [ -e /data/acme.json ] || ! [ `jq ".[] | .Certificates | length" /data/acme.json` != 0 ]; do sleep 1 ; done && traefik-certs-dumper file --version v2 --watch --source /data/acme.json --dest /data/certs traefik-certs-dumper file **--crt-ext=.pem --key-ext=.pem –domain-subdir=true**
Hello,
your 2nd line contains "traefik-certs-dumper file" twice.
I don't know if it's a copy-paste error inside the issue or something else.
Hi Ludovic,
Thank you so much for the response. Yes, that was a copy paste mistake.
I've corrected the entrypoint to the below and it still doesn't work. Not sure if maybe my syntax is incorrect somewhere.
sh,-c, apk add jq ; while ! [ -e /data/acme.json ] || ! [ `jq ".[] | .Certificates | length" /data/acme.json` != 0 ]; do sleep 1 ; done && traefik-certs-dumper file --version v2 --watch --source /data/acme.json --dest /data/certs --crt-ext=.pem --key-ext=.pem –-domain-subdir=true
It runs just fine until I add those last three flags at the end. The problem appears to be there.
Can these be specified with environment variables instead?
I checked the log but there doesn't seem to be an indication of why it fails.
I don't know that it matters but I'm modifying this field in Portainer where I get a status code 400.
--LOG--
fetch http://dl-cdn.alpinelinux.org/alpine/v3.10/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.10/community/x86_64/APKINDEX.tar.gz
(1/2) Installing oniguruma (6.9.4-r1)
(2/2) Installing jq (1.6-r0)
Executing busybox-1.30.1-r3.trigger
OK: 7 MiB in 16 packages
What is the problem exactly?
$ traefik-certs-dumper file --version v2 --watch --source /data/acme.json --dest /data/certs --crt-ext=.pem --key-ext=.pem –-domain-subdir=true
Error: --crt-ext (".pem") and --key-ext (".pem") are identical, in this case --domain-subdir is required
Usage:
  traefik-certs-dumper file [flags]

Flags:
  -h, --help             help for file
      --source string    Path to 'acme.json' file. (default "./acme.json")
      --version string   Traefik version. If empty use v1. Possible values: 'v2'.

Global Flags:
      --clean              Clean destination folder before dumping content. (default true)
      --config string      config file (default is $HOME/.traefik-certs-dumper.yaml)
      --crt-ext string     The file extension of the generated certificates. (default ".crt")
      --crt-name string    The file name (without extension) of the generated certificates. (default "certificate")
      --dest string        Path to store the dump content. (default "./dump")
      --domain-subdir      Use domain as sub-directory.
      --key-ext string     The file extension of the generated private keys. (default ".key")
      --key-name string    The file name (without extension) of the generated private keys. (default "privatekey")
      --post-hook string   Execute a command only if changes occurs on the data source. (works only with the watch mode)
      --watch              Enable watching changes.
2022/07/27 20:18:42 root.go:45: --crt-ext (".pem") and --key-ext (".pem") are identical, in this case --domain-subdir is required
exit status 1
it's because you are using an invalid character: you are using an En Dash (\u2013) instead of a Hyphen-Minus (\u002D) here: –-domain-subdir=true
(the first character is an En Dash)
I was using Portainer to do this but that obscured the problem because it's not very verbose. I tried adding the entrypoint using the command line and now there is better feedback on why it isn't running.
root@NAS:/var/lib/docker/bindmounts# docker run --entrypoint sh,-c, apk add jq ; while ! [ -e /data/acme.json ] || ! [ `jq ".[] | .Certificates | length" /data/acme.json` != 0 ]; do sleep 1 ; done && traefik-certs-dumper file --version v2 --watch --source /data/acme.json --dest /data/certs –-domain-subdir=true --crt-ext=.pem --key-ext=.pem traefik-certs-dumper
Unable to find image 'apk:latest' locally
docker: Error response from daemon: pull access denied for apk, repository does not exist or may require 'docker login': denied: requested access to the resource is denied.
your problem is here: –-domain-subdir=true; you must use this: --domain-subdir=true. It's related to a wrong character.
Good catch, and I did fix the character. Using the proper character there's still an error about the "apk add jq"
Unable to find image 'apk:latest' locally
docker: Error response from daemon: pull access denied for apk, repository does not exist or may require 'docker login': denied: requested access to the resource is denied.
root@NAS:/var/lib/docker/bindmounts# docker run --entrypoint sh,-c, apk add jq ; while ! [ -e /data/acme.json ] || ! [ jq ".[] | .Certificates | length" /data/acme.json != 0 ]; do sleep 1 ; done && traefik-certs-dumper file --version v2 --watch --source /data/acme.json --dest /data/certs –-domain-subdir=true --crt-ext=.pem --key-ext=.pem traefik-certs-dumper
Unable to find image 'apk:latest' locally
docker: Error response from daemon: pull access denied for apk, repository does not exist or may require 'docker login': denied: requested access to the resource is denied.
I think you are not using an alpine image: apk is the package manager for alpine.
Ok. I didn't realize that this was OS dependent. I'm on Debian.
Looks like I need to substitute that command for (apt install jq -y) for Debian.
or just use an alpine image.
it's not dependent on your OS but on the OS inside the image.
you just have to use my image ldez/traefik-certs-dumper
The image I've been using is ldez/traefik-certs-dumper:v2.7.4
docker: Error response from daemon: pull access denied for apt, repository does not exist or may require 'docker login': denied: requested access to the resource is denied.
This makes it sound like the container either doesn't have the repository or the container permissions don't allow access to pull a package.
No, if you are using the right image, the image contains apk.
The latest version is v2.8.1 but v2.7.4 works too.
I don't know what you are doing but you are doing something wrong:
$ docker run --rm -it --entrypoint /bin/sh ldez/traefik-certs-dumper:v2.8.1
/ # apk add jq
fetch https://dl-cdn.alpinelinux.org/alpine/v3.15/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.15/community/x86_64/APKINDEX.tar.gz
(1/2) Installing oniguruma (6.9.7.1-r0)
(2/2) Installing jq (1.6-r1)
Executing busybox-1.34.1-r3.trigger
OK: 7 MiB in 16 packages
It's because you forgot to add the name of the image at the end of the command line.
Try this:
$ docker run --entrypoint='sh,-c, apk add jq ; while ! [ -e /data/acme.json ] || ! [ `jq ".[] | .Certificates | length" /data/acme.json` != 0 ]; do sleep 1 ; done && traefik-certs-dumper file --version v2 --watch --source /data/acme.json --dest /data/certs –-domain-subdir=true --crt-ext=.pem --key-ext=.pem' ldez/traefik-certs-dumper:v2.8.1
That's right. I accidentally inserted container name instead of image name. I think we are very close.
root@NAS:/var/lib/docker/bindmounts# docker run --entrypoint='sh,-c, apk add jq ; while ! [ -e /data/acme.json ] || ! [ `jq ".[] | .Certificates | length" /data/acme.json` != 0 ]; do sleep 1 ; done && traefik-certs-dumper file --version v2 --watch --source /data/acme.json --dest /data/certs –-domain-subdir=true --crt-ext=.pem --key-ext=.pem' ldez/traefik-certs-dumper:v2.8.1
Unable to find image 'ldez/traefik-certs-dumper:v2.8.1' locally
v2.8.1: Pulling from ldez/traefik-certs-dumper
Digest: sha256:2734462fc8290feab0e34a00d5f3e4992ba74f8e3712d74efff7ae703d0e7e87
Status: Downloaded newer image for ldez/traefik-certs-dumper:v2.8.1
docker: Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: "sh,-c, apk add jq ; while ! [ -e /data/acme.json ] || ! [ `jq \".[] | .Certificates | length\" /data/acme.json` != 0 ]; do sleep 1 ; done && traefik-certs-dumper file --version v2 --watch --source /data/acme.json --dest /data/certs –-domain-subdir=true --crt-ext=.pem --key-ext=.pem": stat sh,-c, apk add jq ; while ! [ -e /data/acme.json ] || ! [ `jq ".[] | .Certificates | length" /data/acme.json` != 0 ]; do sleep 1 ; done && traefik-certs-dumper file --version v2 --watch --source /data/acme.json --dest /data/certs –-domain-subdir=true --crt-ext=.pem --key-ext=.pem: no such file or directory: unknown.
ERRO[0001] error waiting for container: context canceled
you have to mount the directory
Sorry, this is a result of not being familiar with docker in the command line. I usually use Portainer for the UI to manage containers but wasn't able to get a clear indication of the issue in portainer. In my portainer issue I have the volume bind mounted correctly. Adding volume to the cmd.
If you don't know Docker well, I recommend using a docker-compose file.
You have an example here: https://github.com/ldez/traefik-certs-dumper/blob/master/docs/docker-compose-traefik-v2.yml
I've had no shortage of dumb mistakes. I believe I might be creating the container right this time.
"docker: Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec:"
"no such file or directory: unknown."
root@NAS:/var/lib/docker/bindmounts/traefik# docker run --name cert-extract4 -v /var/lib/docker/bindmounts/traefik:/data --entrypoint='sh,-c, apk add jq ; while ! [ -e /data/acme.json ] || ! [ `jq ".[] | .Certificates | length" /data/acme.json` != 0 ]; do sleep 1 ; done && traefik-certs-dumper file --version v2 --watch --source /data/acme.json --dest /data/certs –-domain-subdir=true --crt-ext=.pem --key-ext=.pem' ldez/traefik-certs-dumper:v2.8.1
docker: Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: "sh,-c, apk add jq ; while ! [ -e /data/acme.json ] || ! [ `jq \".[] | .Certificates | length\" /data/acme.json` != 0 ]; do sleep 1 ; done && traefik-certs-dumper file --version v2 --watch --source /data/acme.json --dest /data/certs –-domain-subdir=true --crt-ext=.pem --key-ext=.pem": stat sh,-c, apk add jq ; while ! [ -e /data/acme.json ] || ! [ `jq ".[] | .Certificates | length" /data/acme.json` != 0 ]; do sleep 1 ; done && traefik-certs-dumper file --version v2 --watch --source /data/acme.json --dest /data/certs –-domain-subdir=true --crt-ext=.pem --key-ext=.pem: **no such file or directory: unknown.**
ERRO[0000] error waiting for container: context canceled
The following command works:
docker run --rm -v /var/lib/docker/bindmounts/traefik/:/data/ --entrypoint='sh' ldez/traefik-certs-dumper:v2.8.1 -c 'apk add jq ; while ! [ -e /data/acme.json ] || ! [ `jq ".[] | .Certificates | length" /data/acme.json` != 0 ]; do sleep 1 ; done && traefik-certs-dumper file --version v2 --watch --source /data/acme.json --dest /data/certs --domain-subdir=true --crt-ext=.pem --key-ext=.pem'
Note: you still have an invalid character in –-domain-subdir, you must use --domain-subdir (the first character is a problem because it's not a hyphen)
That worked. I can't believe that wrong character re-entered my string. Thank you so much for all your help. I really appreciate it!
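The En Dash that kept re-entering the command in this thread can be caught before the arguments ever reach Docker. The following is an added example, not part of the original issue or of the traefik-certs-dumper project; the function names `find_bad_dash` and `lint_args` are hypothetical, the sample arguments are constructed from the flags discussed above, and the check covers a few other look-alike dashes beyond the one seen here.

```shell
#!/bin/sh
# Look-alike dashes as UTF-8 bytes, built with printf so this file stays pure ASCII.
EN_DASH=$(printf '\342\200\223')     # U+2013
EM_DASH=$(printf '\342\200\224')     # U+2014
NB_HYPHEN=$(printf '\342\200\221')   # U+2011
MINUS_SIGN=$(printf '\342\210\222')  # U+2212

# Print the name of the first look-alike dash found in $1; return 1 if there is none.
find_bad_dash() {
    case $1 in
        *"$EN_DASH"*)    echo "EN DASH (U+2013)" ;;
        *"$EM_DASH"*)    echo "EM DASH (U+2014)" ;;
        *"$NB_HYPHEN"*)  echo "NON-BREAKING HYPHEN (U+2011)" ;;
        *"$MINUS_SIGN"*) echo "MINUS SIGN (U+2212)" ;;
        *) return 1 ;;
    esac
}

# Report every offending argument on stderr; print the number of offenders on stdout.
lint_args() {
    bad=0
    for arg in "$@"; do
        if name=$(find_bad_dash "$arg"); then
            printf 'look-alike %s in argument: %s\n' "$name" "$arg" >&2
            bad=$((bad + 1))
        fi
    done
    echo "$bad"
}

# Constructed sample: the flags from this issue, first with the En Dash, then corrected.
broken="${EN_DASH}-domain-subdir=true"
lint_args --crt-ext=.pem --key-ext=.pem "$broken"               # prints 1
lint_args --crt-ext=.pem --key-ext=.pem --domain-subdir=true    # prints 0
```

Because the match is a substring test, it also catches the character when the flags are buried inside a single quoted `sh -c '...'` string, as they were in the commands above.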