container won't start #103

Open
adespain opened this issue Oct 18, 2018 · 18 comments

@adespain

First of all, thanks for providing a docker container for duoauthproxy; if I can get this to work I will be grateful! Whenever I try to run the container following your docs for running it in detached mode with this command:

```
docker run -d --name duoauthproxy -p 1812:1812/udp -p 18120:18120/udp -v /etc/duoauthproxy:/etc/duoauthproxy:ro --read-only --cap-drop=all --cap-add=setgid --cap-add=setuid jumanjiman/duoauthproxy:latest
```

The container immediately exits and I get the following error when I do a docker logs command:

```
  File "/opt/duoauthproxy/bin/authproxy", line 21, in <module>
    application = proxy.create_application(args=sys.argv)
  File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/duoauthproxy/proxy.py", line 297, in create_application
    server_instance = server_module.Module(server_config, clients[client_name], section_name)
  File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/duoauthproxy/modules/radius_server_auto.py", line 434, in __init__
    secrets=parse_radius_secrets(config),
  File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/duoauthproxy/lib/radius/server.py", line 443, in parse_radius_secrets
    % (ip_config_key, ip, e),
duoauthproxy.lib.config_error.ConfigError: Invalid IP, network, or range for 'radius_ip_1': '' (invalid IPNetwork )
```


Looking at duo docs I tried their suggestion but that didn't fix it, here is what their docs say:

https://help.duo.com/s/article/4085?language=en_US

```
If the Duo Authentication Proxy fails to start due to the error ConfigError: Invalid IP, network, or range for 'radius_ip_1': '' (invalid IPNetwork ) ', performing the following process resolves common issues:
Open the authproxy.cfg file in a text editor other than Notepad. Verify you are modifying the correct authproxy.cfg file located in the proper corresponding location:
Windows 64-bit: C:\Program Files (x86)\Duo Security Authentication Proxy\conf
Windows 32-bit: C:\Program Files\Duo Security Authentication Proxy\conf
Linux: /opt/duoauthproxy/conf
Remove any line specifying a radius_ip value and retype it manually. This can be single IP address (e.g. "1.2.3.4"), a specification in CIDR notation (e.g. "1.2.3.0/24"), or an IP address range (e.g. "3.3.3.3-3.3.3.6" for the IPs 3.3.3.3, 3.3.3.4, 3.3.3.5, and 3.3.3.6).
Restart the proxy.
```

@adespain
Author

@jumanjiman any ideas? I'm a newb with docker so I'm probably doing the command wrong?

@adespain
Author

adespain commented Dec 12, 2018

I may have fixed the above error but now I am getting an error that says it can't read the authproxy.cfg file. I am finding that the container process is running as duo and it possibly doesn't have permissions to the bind mount on the host located at /opt/duoauthproxy/conf/authproxy.cfg. I also had to copy over the cabundle.crt file. I can give that file 777 permissions and it will start. What user permissions should I put on the host so this will work with secure permissions?

@Stunt0265

Stunt0265 commented Apr 4, 2019

I'm seeing similar issues. Mine is:

```
IOError: [Errno 13] Permission denied: 'log/authproxy.log'
```

Can you tell me what you did to resolve? Thx

@Stunt0265

I got around this above by just making sure everyone had rights to the log folder. I'm running this on Docker on a Synology NAS. But I've run into this issue:

```
twisted.internet.error.CannotListenError: Couldn't listen on any:389: [Errno 13] Permission denied.
```

@DJR-FP

DJR-FP commented Apr 8, 2019

I'm getting a similar issue, any advice would be great.

```
0e3790cae16421a6c4bbd2d151034da81f6106af1d38bcc2c54a9c257b6f0c0a
docker: Error response from daemon: error while creating mount source path '/opt/duoauthproxy/conf': mkdir /opt/duoauthproxy: read-only file system.
```

@jumanjiman
Member

> Whenever I try to run the container following your docs for running it in detached mode with this command:
>
> docker run -d --name duoauthproxy -p 1812:1812/udp -p 18120:18120/udp -v /etc/duoauthproxy:/etc/duoauthproxy:ro --read-only --cap-drop=all --cap-add=setgid --cap-add=setuid jumanjiman/duoauthproxy:latest
>
> The container immediately exits and I get the following error when I do a docker logs command:

@adespain

The current version of Duo Authproxy hardcodes the path to the config.
It used to support a -c path/to/config, which the container used.
Now:

  • Authproxy no longer has the -c CONFIG option.
  • The path to config is hard-coded. The hard-coded path is /opt/duoauthproxy/conf/authproxy.cfg.

Therefore you have to bind-mount via `docker run ... -v /path/to/host/conf/dir:/opt/duoauthproxy/conf/`.

@jumanjiman
Member

> What user permissions should I put on the host so this will work with secure permissions?

@adespain

The duo user inside the container only needs read permission.

You have at least two choices:

  • On the host: chmod --recursive o+r /path/to/confdir (allow world-read)
  • On the host: chown --recursive 1000:1000 /path/to/confdir (duo user inside the container is 1000:1000)
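
An added example (not from this thread or the project) that audits a host config directory for the two concerns in this exchange: whether uid:gid 1000:1000 can read it, and whether it is exposed more widely than that. `audit_conf_dir` and its finding labels are hypothetical names; it assumes no user-namespace remapping, ignores supplementary groups and ACLs, and does not recurse.

```python
import os
import stat
import tempfile

CONTAINER_UID = CONTAINER_GID = 1000  # duo user in the container, per the maintainer

def can_read(st, uid, gid):
    """POSIX check: the first matching class (owner, group, other) decides."""
    need = 0o5 if stat.S_ISDIR(st.st_mode) else 0o4  # dirs need r+x, files need r
    if st.st_uid == uid:
        bits = st.st_mode >> 6
    elif st.st_gid == gid:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return bits & need == need

def audit_conf_dir(confdir, uid=CONTAINER_UID, gid=CONTAINER_GID):
    """Return (path, finding) pairs for the directory and each entry in it."""
    findings = []
    entries = [os.path.join(confdir, n) for n in sorted(os.listdir(confdir))]
    for path in [confdir] + entries:
        st = os.stat(path)
        if not can_read(st, uid, gid):
            findings.append((path, "unreadable by container user"))
        if st.st_mode & stat.S_IWOTH:
            # Any host account could rewrite the proxy's config.
            findings.append((path, "world-writable"))
        elif st.st_mode & stat.S_IROTH and stat.S_ISREG(st.st_mode):
            # Works, but every host account can read the secrets in the file.
            findings.append((path, "world-readable secrets"))
    return findings

if __name__ == "__main__":
    # Constructed demo: a throwaway directory standing in for /path/to/confdir.
    confdir = tempfile.mkdtemp()
    cfg = os.path.join(confdir, "authproxy.cfg")
    open(cfg, "w").close()
    os.chmod(cfg, 0o777)  # the workaround mentioned earlier in the thread
    for path, finding in audit_conf_dir(confdir):
        print(finding, path)
```

With `chown 1000:1000` and modes 0550 on the directory and 0440 on the files, the audit returns no findings.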

@jumanjiman
Member

> IOError: [Errno 13] Permission denied: 'log/authproxy.log'
>
> Can you tell me what you did to resolve? Thx

@raldridgenctm

The image declares /opt/duoauthproxy/log as a volume with correct perms at
https://github.com/jumanjihouse/docker-duoauthproxy/blob/master/runtime/Dockerfile#L17-L19

If you mount a directory from the underlying host, you need to ensure correct perms and mode.
Inside the container, duo uid:gid is 1000:1000, so the underlying host would need to set perms on the underlying host directory for 1000:1000.

@jumanjiman
Member

> I've run into this issue:
>
> twisted.internet.error.CannotListenError: Couldn't listen on any:389: [Errno 13] Permission denied.

@raldridgenctm

The container is built to listen on ports higher than 1024.
The lower ports require elevated privileges, which the container does not have.

If you really need to run the authproxy on port 389, it's better to map the host port 389 to the container port > 1024.

If you can't do that for some reason, you have to run the container with admin privileges.

@jumanjiman
Member

> 0e3790cae16421a6c4bbd2d151034da81f6106af1d38bcc2c54a9c257b6f0c0a
> docker: Error response from daemon: error while creating mount source path '/opt/duoauthproxy/conf': mkdir /opt/duoauthproxy: read-only file system.

@DJR-FP

That error seems odd. It definitely works in the test harness:
https://circleci.com/gh/jumanjihouse/docker-duoauthproxy/297

What command and options do you use to start the container?

@DJR-FP

DJR-FP commented Apr 8, 2019

I just ran -

```
docker run -d \
  --name duoauthproxy \
  -p 1812:1812/udp \
  -p 18120:18120/udp \
  -v /opt/duoauthproxy/conf:/opt/duoauthproxy/conf:ro \
  --read-only \
  --cap-drop=all \
  --cap-add=setgid \
  --cap-add=setuid \
  jumanjiman/duoauthproxy:latest
```

@jumanjiman
Member

@DJR-FP

Does /opt/duoauthproxy/conf exist on the docker host and have a config in the directory?

What does env | grep -i docker show?

@DJR-FP

DJR-FP commented Apr 9, 2019

/opt/duoauthproxy/conf doesn't exist on the host. I did create a directory and empty file but I still receive the same error.

env | grep -i docker doesn't show anything

@DJR-FP

DJR-FP commented Apr 9, 2019

I can get it to run by using the full path

```
docker run -d \
  --name duoauthproxy \
  -p 1812:1812/udp \
  -p 18120:18120/udp \
  -v /var/snap/docker/common/var-lib-docker/volumes/opt/duoauthproxy/conf:/var/snap/docker/common/var-lib-docker/volumes/opt/duoauthproxy/conf:ro \
  --read-only \
  --cap-drop=all \
  --cap-add=setgid \
  --cap-add=setuid \
  jumanjiman/duoauthproxy:latest
```

@DJR-FP

DJR-FP commented Apr 9, 2019

although just brings me to another error

```
root@ubuntu-docker:/var/snap/docker/common/var-lib-docker/volumes# docker logs 9023518943e2cc1c9c9b2b0a5644681d8220b309719080843f6b6002662662da
Traceback (most recent call last):
  File "/opt/duoauthproxy/bin/authproxy", line 21, in <module>
    application = proxy.create_application(args=sys.argv)
  File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/duoauthproxy/proxy.py", line 307, in create_application
    server_instance = server_module.Module(server_config, clients[client_name], section_name)
  File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/duoauthproxy/modules/radius_server_auto.py", line 434, in __init__
    secrets=parse_radius_secrets(config),
  File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/duoauthproxy/lib/radius/server.py", line 443, in parse_radius_secrets
    % (ip_config_key, ip, e),
duoauthproxy.lib.config_error.ConfigError: Invalid IP, network, or range for 'radius_ip_1': '' (invalid IPNetwork )
```
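
An added example (not Duo's parser and not code from this thread) that checks every `radius_ip_N` value in an authproxy.cfg before the container is started, accepting the three forms listed in the Duo article quoted in the first post and reporting empty values like the one in this traceback. The function names and the sample config are constructed for illustration; flagging non-ASCII characters is an assumption about why that article says to retype the value.

```python
import configparser
import ipaddress
import re

RADIUS_IP_KEY = re.compile(r"radius_ip_\d+$")

def classify(value):
    """Return None if value is a usable client spec, else a short reason."""
    if not value:
        return "empty value"
    if not value.isascii():
        return "hidden or non-ASCII character"
    try:
        if "-" in value:  # range form, e.g. 3.3.3.3-3.3.3.6
            lo, hi = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
            ok = lo.version == hi.version and lo <= hi
        else:             # single address or CIDR network
            ipaddress.ip_network(value, strict=False)
            ok = True
    except ValueError:
        ok = False
    return None if ok else "not an IP, CIDR network or range"

def check_radius_ips(cfg_text):
    """Return (section, key, reason) for each bad radius_ip_N entry."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(cfg_text.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
    problems = []
    for section in parser.sections():
        for key, value in parser.items(section):
            reason = classify(value) if RADIUS_IP_KEY.match(key) else None
            if reason:
                problems.append((section, key, reason))
    return problems

# Constructed sample: entry 1 reproduces the empty value from the traceback,
# entry 4 ends in a zero-width space, entry 5 has an out-of-range octet.
SAMPLE_CFG = """
[radius_server_auto]
radius_ip_1=
radius_ip_2=10.0.0.0/24
radius_ip_3=3.3.3.3-3.3.3.6
radius_ip_4=10.0.0.5\u200b
radius_ip_5=10.0.0.300
"""

if __name__ == "__main__":
    for section, key, reason in check_radius_ips(SAMPLE_CFG):
        print("[%s] %s: %s" % (section, key, reason))
```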

@DJR-FP

DJR-FP commented Apr 9, 2019

after running the following command, it looks like for some reason the authproxy.cfg doesn't get created

```
root@ubuntu-docker:/home/donald# docker run -d \
  --name duoauthproxy \
  -p 1812:1812/udp \
  -p 18120:18120/udp \
  -v /var/snap/docker/common/var-lib-docker/volumes/opt/duoauthproxy/conf:/opt/duoauthproxy/conf:ro \
  --read-only \
  --cap-drop=all \
  --cap-add=setgid \
  --cap-add=setuid \
  jumanjiman/duoauthproxy:latest
e41c304a02745d2298de787e52bb53e959ca8dcc237e74a7f034dad03ff42816
root@ubuntu-docker:/home/donald# docker logs e41c304a02745d2298de787e52bb53e959ca8dcc237e74a7f034dad03ff42816
Traceback (most recent call last):
  File "/opt/duoauthproxy/bin/authproxy", line 21, in <module>
    application = proxy.create_application(args=sys.argv)
  File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/duoauthproxy/proxy.py", line 121, in create_application
    configuration = config_provider.get_config(config_filename)
  File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/duoauthproxy/lib/config_provider.py", line 255, in get_config
    return _get_local_config(config_filename, apply_overrides=apply_overrides)
  File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/duoauthproxy/lib/config_provider.py", line 273, in _get_local_config
    raise ConfigError('Config file missing or unreadable: {0}'.format(config_filename))
duoauthproxy.lib.config_error.ConfigError: Config file missing or unreadable: conf/authproxy.cfg
root@ubuntu-docker:/home/donald#
```

@losojos27

I also cannot get the container to stay up. My logs show the following:

```
Traceback (most recent call last):
  File "/opt/duoauthproxy/bin/authproxy", line 21, in <module>
    application = proxy.create_application(args=sys.argv)
  File "/opt/duoauthproxy/usr/local/lib/python2.7/site-packages/duoauthproxy/proxy.py", line 221, in create_application
    with open(http_ca_certs_file, 'r') as bundle_fp:
IOError: [Errno 2] No such file or directory: 'conf/conf/ca-bundle.crt'
```

@pythoninthegrass

Know this is ancient, but my authproxy.cfg was missing http_ca_certs_file=/etc/ssl/certs/ca-bundle.crt under the main section (cf. this commit):

```
[main]
# Provide meaningful output for `docker logs <cid>`.
log_stdout=true
# use the CA certificates file supplied by the OS
http_ca_certs_file=/etc/ssl/certs/ca-bundle.crt
```

After adding that, it started up as expected. Think that's where the SSL certs are sourced by the duoauthproxy-build install script from Duo.
