Actually I’m taking my first steps with Kopia and trying to figure out what I’m doing wrong when connecting my first client to the repository server.
My way to go was:
install the repository server with the linux debian way:
docs/installation/#linux-installation-using-apt-debian-ubuntu
checking the UI with the user from the start command:
works
creating new user for the client:
kopia server user add root@testclient --user-password='my_super_secret_client_$assword'
trying to connect the user to the repository server:
kopia repository connect server --url=https://kopia.domain.tld
Connecting to server 'https://kopia.domain.tld' as 'root@testclient'...
Enter password to open repository:
ERROR failed to open repository: unable to establish session for purpose=: error establishing session: Session(): failed to exit idle mode: dns resolver: missing port after port-separator colon
ERROR error connecting to API server: unable to establish session for purpose=: error establishing session: Session(): failed to exit idle mode: dns resolver: missing port after port-separator colon
(that’s not nice - why use a port when using a reverse proxy?)
trying again to connect the client with a port:
kopia repository connect server --url=https://kopia.domain.tld:443
Connecting to server 'https://kopia.domain.tld:443' as 'root@testclient'...
Enter password to open repository:
ERROR failed to open repository: unable to establish session for purpose=: error establishing session: unable to initialize session: rpc error: code = Internal desc = stream terminated by RST_STREAM with error code: PROTOCOL_ERROR: EOF
ERROR error connecting to API server: unable to establish session for purpose=: error establishing session: unable to initialize session: rpc error: code = Internal desc = stream terminated by RST_STREAM with error code: PROTOCOL_ERROR: EOF
It’s loading for a long time (about 1-2 minutes?) and then the error comes up. Furthermore, it’s not that nice that I need to input the password interactively, because we would like to automate this with Ansible as soon as we have a working way.
Is there someone who would like to give me a hint about what I’m facing here?
So I have now tested giving the self-signed certificate for gRPC the kopia.domain.tld name while generating it, and checked it with openssl x509 -noout -text -in /etc/ssl/certs/kopia.cert; the name was added correctly. Then I tried to connect again, but unfortunately I’m now facing failed to verify certificate: x509: certificate signed by unknown authority …
Thanks for that, it helped a lot to get the start/stop command smaller and working.
Yep, that worked after I used the fingerprint; before that it reported that it is an unknown authority.
As we discussed internally, we will stay with that, because we will use the reverse proxy just for access from our roadwarrior VPN clients to the UI - we will use the internal address (my.kopia.srv.ip:51515) for the clients to connect, so we don’t need to rely on a working DNS.
So I actually had a successful run creating a snapshot from the client with:
kopia repository connect server --url=https://my.kopia.srv.ip:51515 --server-cert-fingerprint MYWONDERFULFINGERPRINT
Unfortunately I didn’t… So I thought I got it, so I started to test my first playbook (yeah, it’s dirty, the first version is just to get the right steps in the right order).
---
- name: Install Kopia and configure server
  hosts: all
  become: true
  tasks:
    - name: Add Kopia GPG key
      ansible.builtin.shell: |
        curl -s https://kopia.io/signing-key | sudo gpg --batch --yes --dearmor -o /etc/apt/keyrings/kopia-keyring.gpg
    - name: Füge Kopia Sources hinzu
      ansible.builtin.template:
        src: kopia.sources.j2
        dest: /etc/apt/sources.list.d/kopia.list
        mode: '0644'
      tags:
        - kopia
    - name: Update apt package list
      ansible.builtin.apt:
        update_cache: yes
        cache_valid_time: 10
      tags:
        - kopia
    - name: Install Kopia
      ansible.builtin.apt:
        name: kopia
        state: present
      tags:
        - kopia
    - name: Get client hostname
      ansible.builtin.set_fact:
        client_hostname: "{{ ansible_hostname }}"
    - name: Delegate to the Kopia server to add user
      delegate_to: "{{ kopia_server }}"
      ansible.builtin.command:
        cmd: "kopia server user add root@{{ client_hostname }} --user-password='lalala123'"
      tags:
        - kopia
    - name: Refresh users
      delegate_to: "{{ kopia_server }}"
      ansible.builtin.shell: |
        kopia server refresh --address=https://kopia.domain.lan:51515 --server-cert-fingerprint 8997392FAE6A276F1169D920178D23BD3F6CB38D54BDE313B5FF5C9A23C4ED65 --server-control-username=kopia --server-control-password='lalala123'
    - name: Connect to Kopia repository
      ansible.builtin.shell: |
        export KOPIA_PASSWORD='lalala123'
        kopia repository connect server --url=https://kopia.domain.lan:51515 --server-cert-fingerprint MYWONDERFULFINGERPRINT
      tags:
        - kopia
The connection of the client fails with:
ERROR failed to open repository: unable to establish session for purpose=:
error establishing session: unable to initialize session:
rpc error: code = PermissionDenied desc = access denied for root@dev: EOF
ERROR error connecting to API server: unable to establish session for purpose=:
error establishing session: unable to initialize session:
rpc error: code = PermissionDenied desc = access denied for root@dev: EOF
Can you see any issue in the order of the commands?
Can’t spot any obvious mistakes but you should make sure you are using the same user on the server and the client. Replace root@{{ client_hostname }} with a static value and use the same value on the host. You can use --override-username=root --override-hostname=dev to override settings when connecting to the client.
Edit: Make sure to lowercase username@hostname and remove any domain parts.
So in the actual case I’m creating a new user for that new client on the repository server, which results in this case in root@dev (yeah, lowercase, no TLD part) - I’ve checked that user’s existence. Then I refresh the server so the users get loaded, because I have read somewhere that otherwise this can take up to 5 minutes. After that I’m trying to connect to the repository from the client, where the access denied issue appears.
I’ve tested again this morning, now that this user has existed for nearly 16 hours. Still the same…
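
The advice given in the thread (one lowercase username@hostname without a domain part, identical on server and client, forced on the client with --override-username and --override-hostname), sketched as an added example that is not part of any post above and not Kopia's own code. The function names are hypothetical and the fingerprint is a placeholder; the script only prints the client command, it does not run kopia.

```shell
#!/bin/sh
# Added example: derive one normalized identity and reuse it on both sides.

# Lowercase user and host and drop any domain part:
# Root + DEV.domain.lan -> root@dev
kopia_identity() {
    ki_user=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    ki_host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    printf '%s@%s\n' "$ki_user" "${ki_host%%.*}"
}

# Succeed only if the user string created on the server is exactly the
# identity the client will present; otherwise report the mismatch on stderr.
identity_matches() {
    im_expected=$(kopia_identity "$2" "$3")
    if [ "$1" = "$im_expected" ]; then
        return 0
    fi
    echo "mismatch: server has '$1', client presents '$im_expected'" >&2
    return 1
}

# Print (not run) the client command with the identity pinned by overrides,
# so it does not depend on what the client host reports about itself.
client_connect_cmd() {
    cc_id=$(kopia_identity "$1" "$2")
    printf 'kopia repository connect server --url=%s --server-cert-fingerprint %s --override-username=%s --override-hostname=%s\n' \
        "$3" "$4" "${cc_id%@*}" "${cc_id#*@}"
}

# Constructed sample values; the fingerprint is a placeholder.
URL='https://kopia.domain.lan:51515'
FPR='<SERVER_CERT_SHA256>'

# Server-side user strings as a playbook might have created them.
for srv_user in 'root@dev' 'root@DEV' 'root@dev.domain.lan'; do
    if identity_matches "$srv_user" root DEV.domain.lan 2>/dev/null; then
        echo "ok:       $srv_user"
    else
        echo "MISMATCH: $srv_user"
    fi
done
client_connect_cmd root DEV.domain.lan "$URL" "$FPR"
```
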