Hi,
For the past three days I have tried to set up the official Docker image of Kopia as a repository server and failed. The documentation is of no help since a lot of things are missing or outdated…
What I have done so far:
I have successfully logged in to the web interface and created a local repository on the server.
After that things are getting complicated…
I can’t create users using the command line because it keeps telling me
    ERROR failed to open repository: unable to create format manager: invalid repository password
    ERROR open repository: unable to open repository: unable to create format manager: invalid repository password
Even though I have successfully connected to my repository using
    kopia repository connect filesystem --path=REPOPATH --password=REPOPASSWORD
    Connected to repository.
The documentation mentions nothing about this. It doesn’t mention how to connect to a repo at all, I got that information from the CLI command man page…
And while there are some arguments given here Repository Server | Kopia
It doesn’t say what to do with it. The part about TLS for example, what is that?
Is that a Docker env variable? Am I supposed to put this into the console?
Why does the same thing have so many different names and places to be? The repository password for example is all over the place, getting set several times, depending on what section of the documentation you follow.
All sections of the documentation also fail to mention the existence and necessity of a htpasswd file, despite it being the default for the Docker image.
Multiple repositories isn’t even mentioned anywhere, even though it is pretty much a necessity for having multiple users backing up to the same server.
I will gladly help you fix the documentation, if you provide an actual series of events that needs to happen to set up a repository server.
Can you please add some context? Was this command run inside the container or on the host? Was this command run before the container was started the first time? Is the container creating a repository if none exists?
Note: I personally never used Kopia with Docker.
Maybe I’m already too tired, but I’m really having a hard time understanding what the issue is. Most arguments are either self-explanatory or used with examples. Which arguments are unclear to you?
What exactly is unclear about TLS? There are multiple paragraphs describing the setup in detail.
AFAIK there are no env variables regarding TLS. What makes you think so?
There is only one repository password. Are you referring to the server control password? Can you provide examples?
The documentation states that htpasswd files were used only until release v0.8, which was released in 2021. What makes you think it is still a necessity?
No, it isn’t necessary. Multiple users (clients) can connect to a single server just fine.
I will gladly answer questions to the best of my knowledge when asked specific questions. Please don’t expect people to write a lengthy post when most of it is already in the documentation.
Maybe start by creating a server on a test machine without Docker to get familiar with the concept and the commands. Here’s a very basic list of commands to get started:
1. Create a new repository on the server:
       kopia repo create filesystem --path=/path/to/repo
2. Start the Repository Server and auto-generate TLS certificates:
       kopia server start --tls-generate-cert --tls-cert-file ~/my.cert --tls-key-file ~/my.key --address 0.0.0.0:51515
3. Save the certificate fingerprint which is shown on screen. This will be needed when connecting the clients.
4. Optional but recommended: enable server Access Control Lists:
       kopia server acl enable
5. Create a new user for your client:
       kopia server user add myuser@mylaptop
6. Stop the Repository Server and start it again without --tls-generate-cert:
       kopia server start --tls-cert-file ~/my.cert --tls-key-file ~/my.key --address 0.0.0.0:51515
7. Connect to the Repository Server on your client. The --server-cert-fingerprint is the fingerprint value you saved earlier.
       kopia repository connect server --url https://<address>:51515 \
         --server-cert-fingerprint 48537cce585fed39fb26c639eb8ef38143592ba4b4e7677a84a31916398d40f7
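For the step where the certificate fingerprint is saved: if the on-screen value was lost or copied by hand, it can be recomputed from the certificate file and compared before any client pins it. The script below is an added example, not part of the posts above or of the Kopia project; the function names are hypothetical, and it assumes openssl is installed and that the value Kopia prints is the certificate's SHA-256 fingerprint as lowercase hex without colons.

```shell
#!/bin/sh
# Added example: check the fingerprint a client is about to pin.

# Reduce any common rendering of a fingerprint to bare lowercase hex:
# drops an "sha256 Fingerprint=" style prefix, colons and whitespace.
normalize_fp() {
  printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \t\r\n' | tr 'A-F' 'a-f'
}

# A SHA-256 fingerprint is exactly 64 lowercase hex characters.
is_sha256_fp() {
  case "$1" in
    ''|*[!0123456789abcdef]*) return 1 ;;
  esac
  [ "${#1}" -eq 64 ]
}

# Fingerprint of the PEM certificate the server was started with.
cert_fp() {
  normalize_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256)"
}

# Succeeds only if both values are well formed and identical.
fp_matches() {
  _saved=$(normalize_fp "$1")
  _expected=$(normalize_fp "$2")
  is_sha256_fp "$_saved" && is_sha256_fp "$_expected" && [ "$_saved" = "$_expected" ]
}

# Constructed input: the fingerprint from the post, written the way openssl prints it.
SAMPLE='sha256 Fingerprint=48:53:7C:CE:58:5F:ED:39:FB:26:C6:39:EB:8E:F3:81:43:59:2B:A4:B4:E7:67:7A:84:A3:19:16:39:8D:40:F7'
PINNED='48537cce585fed39fb26c639eb8ef38143592ba4b4e7677a84a31916398d40f7'

if fp_matches "$SAMPLE" "$PINNED"; then
  echo "fingerprint matches: $(normalize_fp "$SAMPLE")"
else
  echo "fingerprint mismatch, do not connect" >&2
fi

# On the server, compare the saved value against the real certificate file:
#   fp_matches "$(cert_fp ~/my.cert)" "$PINNED"
```

A mismatch on the server means the saved value does not belong to the certificate in use, so clients given that value would refuse the connection.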
Given that kopia (the command) is unknown to the host this was run from inside the container. You can not run something inside a container without starting it, so no this wasn’t run before first start.
It does create a new repo if I tell it to using “kopia repo create” (or I can also create a local repo using the webUI). It does not create one on its own (which I believe is the expected behaviour).
After spending the last week trying to get this to work I think the problem is the inconsistent naming between Docker and Kopia. The Docker variable is called “KOPIA_PASSWORD” but is referring to the repository key. The actual Kopia password (to access the webUI) needs to be given via htpasswd file by default.
To connect to a Kopia repo server (from the client side) you will be asked for a “server password”.
Why is this even needed if a user password exists? There is no server password anywhere in the docs, only a server control password and I have no idea what that’s for either.
It’s equally confusing with usernames.
It is still the default for Docker if you want to use the WebUI. You can do it via console, but what is the webUI for then?
After doing some more reading I agree. There is just a lot of either old or just wrong information out there about this. Really gotta watch the date on this one.
I did get Kopia to run locally (backing up a local folder to another local folder) without a problem. But doing that requires basically no configuration whatsoever. And while I agree that most of it is in the docs, it’s so spread out, sometimes as a side note in something completely different. It’s just such a pain to piece it back together when you could just have a “Docker Repo Server” page that contains it all.
To add a more focused question to my babble: What is the Server Password my client wants to know when connecting to a repo server (using the WebUI on the client)?
There is a server control password mentioned here, but also completely uncommented, they just appear in some command with no explanation given.
I would also like to thank you for taking the time to write a reply to my little rant.
Oh, now I understand where your confusion is coming from. You are only using the WebUI (or HTML UI) component of the server, not the Repository Server (GRPC server) component. I’ll try to explain:
The WebUI is basically an alternative to KopiaUI (the desktop app) for systems which do not have a GUI. In case of the docker-compose file you are connecting the WebUI directly to the repository as the repository owner. But you can as well start the WebUI on a client to connect to a remote Repository (GRPC) Server.
The Repository (GRPC) Server adds user management and access control. And it abstracts the underlying storage layer, so you can swap the storage on the server side without changing anything on the client side.
To use the Repository Server you need to add users with kopia server user add.
Both components can be disabled by using the --no-ui or --no-grpc option.
Some more notes:
KOPIA_PASSWORD basically is the master password for the owner (or creator) of the repository.
The docker-compose example in the documentation uses a --server-username=USERNAME and --server-password=SECRET_PASSWORD parameter to start the server. Those values are used for HTTP authentication (basic auth) in the WebUI. No htpasswd file needed.
The “server password” you are asked for when connecting to a Repository Server in the WebUI or desktop app is the password you provided when creating the user with kopia server user add.
Also make sure to unhide the advanced options on this page and check username and hostname. Those values are case-sensitive and need to exactly match the username you used with kopia server user add.
The server-control-password is required to run API commands (e.g. kopia server refresh). Ignore that for now.
Always happy to help - as a non-programmer that’s my way of contributing and saying thank you to the developers.
And I do understand the rant because some parts of the documentation were clearly written from a developer perspective who knows everything about it.