ERROR unable to initialize repository: unable to initialize repository: error opening repository: unable to open repository: invalid repository password

[s-h-a-r-d]

I'm consistently get this error where first startup of kopia container works normally and I can setup B2 repo and syncing and everything else works fine, but the minute I restart the container I start getting this error in logs and container gets stuck in restart loop:

Server will allow connections from users whose accounts are stored in the repository.
User accounts can be added using 'kopia server user add'.
ERROR unable to initialize repository: unable to initialize repository: error opening repository: unable to open repository: invalid repository password

after that error, container restarts and gets the same error. And that loop continues indefinitely.
Happens with latest stable and unstable images.

Here is the docker-compose bit for kopia:

  kopia:
    image: kopia/kopia
    container_name: kopia
    user: "0"
    environment:
        KOPIA_PASSWORD: SuperSecretRepositoryPassword
        TZ: ${TZ}
    volumes:
        - ${DATADIR}/appdata/kopia/config:/app/config
        - ${DATADIR}/appdata/kopia/cache:/app/cache
        - ${DATADIR}/appdata/kopia/logs:/app/logs
        - ${DATADIR}/appdata/kopia/scripts:/app/scripts
        - ${NASDIR}/cloud:/app/backup:ro
    entrypoint: ["/app/kopia", "server", "--insecure", "--address=0.0.0.0:51515", "--override-username=kopia@localhost", "--server-username=kopia@localhost", "--server-password=SuperSecretPasswordForTheWebUI","--enable-actions"]
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.kopia.entrypoints=websecure"
      - "traefik.http.routers.kopia.rule=Host(`kopia.${DOMAIN}`)"
      - "traefik.http.routers.kopia.tls=true"
      - "traefik.http.services.kopia.loadbalancer.server.port=51515"
    restart: always

[Chifilly]

I have the same issue too. Here's my compose file:

services:
  kopia:
    container_name: kopia
    image: kopia/kopia:unstable # using unstable as I want to use bash scripts for actions
    command:
      - server
      - start
      - --ui
      - --insecure
      - --disable-csrf-token-checks
      - --address=0.0.0.0:51515
      - --server-username=${KOPIA_USERNAME}@${KOPIA_HOSTNAME}
      - --server-password=${KOPIA_PASSWORD}
      - --enable-actions
    user: "0:0"
    domainname: ${KOPIA_USERNAME}
    hostname: ${KOPIA_HOSTNAME}
    networks:
      main:
    ports:
      - "51515:51515"
    environment:
      TZ: Europe/London

      USER: ${KOPIA_USERNAME}
      KOPIA_PASSWORD: ${KOPIA_PASSWORD}
      KOPIA_PERSIST_CREDENTIALS_ON_CONNECT: true
    volumes:
      # ! Base mounts
      - ./volumes/kopia/config:/app/config
      - ./.tmp/kopia:/app/cache
      - ./volumes/kopia/logs:/app/logs

      # ! Extra mounts
      - ./scripts/pipes/kopia.pipe:/app/docker.pipe
      - ./extra/scripts/kopia:/app/scripts

      # ! Backup mounts
      - ./secrets:/app/backup/secrets:ro
      - ./volumes:/app/backup/volumes:ro
    restart: unless-stopped

Looking at repository.config it has all the correct information, and base64 decoding the contents of repository.config.kopia-password returns the correct password. There is also a repository.config.mlock which I don't know the purpose of but is empty

---

After looking properly at my compose file again after pasting it here, I realised I had the wrong password in the KOPIA_PASSWORD environment variable (I was using the server password password variable instead of the repository password one) so I don't actually have the issue anymore

[adamensler]

After looking properly at my compose file again after pasting it here, I realised I had the wrong password in the KOPIA_PASSWORD environment variable (I was using the server password password variable instead of the repository password one) so I don't actually have the issue anymore

I came here with the same issue, and this fixed it for me as well.

[s-h-a-r-d]

Ok same thing seems to be the issue for me as well. But in my defense the entering repository password in the WebUI is a bit unintuitive. This is how it looks:

since you are asked to enter the password and then confirm it, that step makes it seem like you are creating a new password specifically for that repository. BUT in reality what it is asking for is the same password you supplied to KOPIA_PASSWORD in docker compose file. For some reason it just asks you to enter it twice.

I'm also not sure why the repository password is asked in the first place during the UI setup, as you have already provided it via environment variable.

[remus-selea]

I have the same issue too. Here's my compose file:

services:
  kopia:
    container_name: kopia
    image: kopia/kopia:unstable # using unstable as I want to use bash scripts for actions
    command:
      - server
      - start
      - --ui
      - --insecure
      - --disable-csrf-token-checks
      - --address=0.0.0.0:51515
      - --server-username=${KOPIA_USERNAME}@${KOPIA_HOSTNAME}
      - --server-password=${KOPIA_PASSWORD}
      - --enable-actions
    user: "0:0"
    domainname: ${KOPIA_USERNAME}
    hostname: ${KOPIA_HOSTNAME}
    networks:
      main:
    ports:
      - "51515:51515"
    environment:
      TZ: Europe/London

      USER: ${KOPIA_USERNAME}
      KOPIA_PASSWORD: ${KOPIA_PASSWORD}
      KOPIA_PERSIST_CREDENTIALS_ON_CONNECT: true
    volumes:
      # ! Base mounts
      - ./volumes/kopia/config:/app/config
      - ./.tmp/kopia:/app/cache
      - ./volumes/kopia/logs:/app/logs

      # ! Extra mounts
      - ./scripts/pipes/kopia.pipe:/app/docker.pipe
      - ./extra/scripts/kopia:/app/scripts

      # ! Backup mounts
      - ./secrets:/app/backup/secrets:ro
      - ./volumes:/app/backup/volumes:ro
    restart: unless-stopped

Looking at repository.config it has all the correct information, and base64 decoding the contents of repository.config.kopia-password returns the correct password. There is also a repository.config.mlock which I don't know the purpose of but is empty

After looking properly at my compose file again after pasting it here, I realised I had the wrong password in the KOPIA_PASSWORD environment variable (I was using the server password password variable instead of the repository password one) so I don't actually have the issue anymore

Thanks, this was helpful in my setup.

version: '3.3'
services:
  kopia:
    image: 'kopia/kopia:latest'
    container_name: kopia
    hostname: '${KOPIA_HOSTNAME}'
    restart: unless-stopped
    user: '1000:1000'
    ports:
      - '51515:51515'
    command:
      - server
      - start
      - '--ui'
      - '--insecure'
      - '--disable-csrf-token-checks'
      - '--address=0.0.0.0:51515'
      - '--server-username=${KOPIA_USERNAME}@${KOPIA_HOSTNAME}'
      - '--server-password=${KOPIA_REPOSITORY_PASSWORD}'
    environment:
      - TZ=Europe/Bucharest
      - USER=${KOPIA_USERNAME}
      - 'KOPIA_PASSWORD=${KOPIA_USER_PASSWORD}'
      - KOPIA_PERSIST_CREDENTIALS_ON_CONNECT=true
    volumes:
      # ! Base mounts
      - './config:/app/config'
      - './cache/dir:/app/cache'
      - './logs:/app/logs'
      # ! Backup mounts
      - '/mnt/host-data:/backuproot:ro'
    networks:
      - proxy-network

networks:
  proxy-network:
    external: true

I found it strange how the passwords are mapped.
In my case KOPIA_PASSWORD is actually the password of the user I have added with kopia server users add to be able to connect to the server, which Is why I have it as KOPIA_USER_PASSWORD.

Then the --server-password is actually the password I set for the repository when I have created it, but also of the Web UI.
Lastly, in my case the USER is the name of the user with UID:GID 1000:1000.

[ntolia]

I'm closing this one out as this was reported on Slack as having been addressed/answered. Please feel free to ping me or reopen if there is still an open question.

[louwers]

This is a UX bug. Since there are multiple repositories, why do we only need to supply one password?

[maxime1992]

Hello, I'm really struggling with all this. If anyone could help out that'd be much appreciated, it's driving me insane 🙃.

I've picked up the default docker compose file here.

When I start the container the first time, it's all good. If I boot it up for the first time, and restart it, it's all good.
But then, if I add a S3 repo and I can see on the UI I've got access to previous backups, without doing anything else, if I put down my docker compose and up it up straight after, I always end up with this error:

ERROR unable to initialize repository: unable to initialize repository: error opening repository: get password: password prompt error: inappropriate ioctl for device
Enter password to open repository: 
Server will allow connections from users whose accounts are stored in the repository.
User accounts can be added using 'kopia server user add'.

I suspect I'm missing something with the environment for both KOPIA_PASSWORD and USER. What is this for?! I understand the server-username argument and the server-password which both seem to be for the web UI.

But the env variables KOPIA_PASSWORD and USER? I've got no clue 🤯. Am I supposed to put the password I've used to encrypt my data before sending to S3? But then what about the user? The S3 user?

I'm tried so many configurations and nothing worked for me, it's a shame I'm quite desperate to switch to Kopia but this is really holding me back as I'm not able to make it work after a restart.

Any help would be much appreciated.

If that helps, my docker compose is like this:

version: '3.7'

services:
  kopia:
    image: kopia/kopia:latest
    hostname: my-hostname
    container_name: kopia
    restart: unless-stopped
    ports:
      - 51515:51515
    # Setup the server that provides the web gui
    command:
      - server
      - start
      - --disable-csrf-token-checks
      - --insecure
      - --address=0.0.0.0:51515
      - --server-username=my-username
      - --server-password=ui-password
    environment:
      - KOPIA_PASSWORD=SOME_PASSWORD
      - USER=User
    volumes:
      # Mount local folders needed by kopia
      - ${PWD}/kopia/config/dir:/app/config
      - ${PWD}/kopia/cache/dir:/app/cache
      - ${PWD}/kopia/logs/dir:/app/logs
      # Mount local folders to snapshot
      - ${PWD}/kopia-files:/data:ro
      # Mount repository location
      - ${PWD}/kopia/repository/dir:/repository
      # Mount path for browsing mounted snaphots
      - ${PWD}/kopia/tmp/dir:/tmp:shared

Then:

• docker compose up -d
• connect to S3 backend (can use local Minio for example)
• docker compose down
• docker compose up -d
• docker compose logs kopia --> you'll see errors in the logs 🤷

[ntolia]

Reopening this as there are folks still running into issues.

[lupusA]

Hi @maxime1992
the environment variable KOPIA_PASSWORD is the repository password you need to provide to the docker container in case it should connect after a restart.

You can ping me on slack and we will get this :-)

Cheers,

[vmorganp]

I was having this same issue and was able to get it working.
After having a look through the code, it seems like we have some redundant credential setting.
the --server-password flag and KOPIA_PASSWORD environment variable seems to be causing some weird behavior when used together.

Here are my steps:

1. Stop Kopia container
2. Remove environment variable KOPIA_PASSWORD, make sure to set password in --server-password flag
3. Remove environment variable USER, make sure to set password in --server-username flag
4. I opted to nuke my full Kopia config volume at this point
5. Restart Kopia container
6. Configure s3 repository
7. Run task to verify function
8. Stop Kopia container
9. Restart Kopia container
10. Run task to verify function

Works (on my machine anyway)

[maxime1992]

Yup sorry I forgot to report back here but thanks to @lupusA on the slack channel I was able to get it working.

Also, I believe that if #2976 is agreed on, the ambiguous flag should be gone and this issue might be closed as a side effect

[lupusA]

Hi @vmorganp,

in general, "server-password" is used to provide a password to the basic authentification which you need to enter (see https://kopia.io/docs/reference/command-line/common/server-start/)

The environment variable KOPIA_PASSWORD contains the password for the repository the docker container should connect to.
From my experience, both variables should be independet and not interfere with another.

One is used for the basic authentification, the other is used for the repository.

Cheers,

[mitohund]

UPDATE 2: Scratch my previous update. This still works. My issue was with my password - I must have used a character that caused problems. I set everything up from scratch with a different password and now things work as they should.

---

UPDATE: Ignore the following. I was sure I had tested everything and that my issue was solved. But it wasn't. The error reappeared. I'm still looking for a solution. As it stands, Kopia is unusable for me. :-(

---

since you are asked to enter the password and then confirm it, that step makes it seem like you are creating a new password specifically for that repository. BUT in reality what it is asking for is the same password you supplied to KOPIA_PASSWORD in docker compose file. For some reason it just asks you to enter it twice.

This hint solved it for me! Once I set everything up fresh and used KOPIA_PASSWORD in the web UI, everything is fine.

I'm also not sure why the repository password is asked in the first place during the UI setup, as you have already provided it via environment variable.

I guess the environment variable only becomes relevant AFTER the repository has been set up in the web UI. Then, after a container restart, it is required to access the repository.

Considering how many people are running into this issue, it should probably be documented better somewhere. A hint in the web UI to use the password from KOPIA_PASSWORD could already be enough.

[laglink17]

I was having the same issue but was able to solve it after checking the answers here.

I believe the variable naming is confusing in the current description and examples.

Here is how I have set it, to avoid confusion.

version: '3.7'
services:
    kopia:
        image: kopia/kopia:latest
        hostname: $HOSTNAME
        container_name: kopia
        restart: unless-stopped
        env_file: .env
        cap_add:
            - SYS_ADMIN
        security_opt:
            - apparmor:unconfined
        devices:
            - /dev/fuse:/dev/fuse:rwm
        ports:
            - 51515:51515
        # Setup the server that provides the web gui
        command:
            - server
            - start
            - --disable-csrf-token-checks
            #- --insecure
            - --tls-generate-cert
            - --address=0.0.0.0:51515
            - --log-level=debug 
            - --server-username=$WEB_USER
            - --server-password=$WEB_PASS
        environment:
            ## Set repository password
            KOPIA_PASSWORD: $KOPIA_PASSWORD
            TZ: $TZ
        volumes:
            # Mount local folders needed by kopia
            - .docker/kopia/config:/app/config
            - .docker/kopia/cache:/app/cache
            - .docker/kopia/logs:/app/logs
            - .docker/kopia/rclone:/app/rclone
            # Mount local folders to snapshot
            - /mnt/media:/data:ro
            # Mount repository location
            - /mnt/snapshots:/repository
            # Mount path for browsing mounted snaphots
            #- /path/to/tmp/dir:/tmp:shared

A .env file is also needed, with the actual values for all those variables.

I also would like to ask if it is possible to run the docker without having to open a repository, or setting a password as a variable. I can see that when the docker runs for the first time, the web-server asks you to create or open an existing repository. Either way, this password MUST be used as the KOPIA_PASSWORD variable.

I think it might be better if this password is stored in the configuration file in Kopia, after being created through the web (or access it if it's an existing one). If there's an error when trying to connect everytime the containers starts, it must promt to the same page as it was the first time running it. This might also help in cases when using different repositories, from the same server.

In my case, I really don't mind having to access again the repository, from the web interface, everytime the container is started (as this usually won't happen unless an error with the server itself).