Can't start docker container, acquis.yaml is a directory

yami · June 21, 2024, 8:44pm

I’m following this guide to set up CrowdSec for the first time for NPM. I did the initial launch, generated the CROWDSEC_BOUNCER_APIKEY, added it to .env, and restarted the container, but it keep restarting itself with the following in the log:

crowdsec  | time="2024-06-21T20:22:03Z" level=info msg="Loaded 48 scenarios"
crowdsec  | time="2024-06-21T20:22:03Z" level=info msg="loading acquisition file : /etc/crowdsec/acquis.yaml"
crowdsec  | time="2024-06-21T20:22:03Z" level=fatal msg="crowdsec init: while loading acquisition config: failed to yaml decode /etc/crowdsec/acquis.yaml: yaml: input error: read /etc/crowdsec/acquis.yaml: is a directory"

acquis.yaml was indeed a directory that it created, so I tried deleting that and creating it as a file myself. When I try to launch the compose file after that, I get this from Docker:

Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "/home/user/yami/npm/crowdsec/acquis.yaml" to rootfs at "/etc/crowdsec/acquis.yaml": mount /home/user/yami/npm/crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml (via /proc/self/fd/6), flags: 0x5000: not a directory: unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type

So Docker doesn’t like when it’s a file, and CrowdSec doesn’t like when it’s a directory. What should I do from here?

For reference, this is my docker-compose.yml:

name: nginx-proxy-manager
services:
  npm:
    image: 'lepresidente/nginxproxymanager:latest'
    container_name: npm
    hostname: npm
    restart: unless-stopped
    ports:
      # These ports are in format <host-port>:<container-port>
      - '80:80' # Public HTTP Port
      - '443:443' # Public HTTPS Port
      - '81:81' # Admin Web Port
    environment:
      DB_MYSQL_HOST: "npm"
      DB_MYSQL_PORT: 3306
      DB_MYSQL_USER: "npm"
      DB_MYSQL_PASSWORD: ${DATABASE_PASSWORD}
      DB_MYSQL_NAME: "npm"
      CROWDSEC_OPENRESTY_BOUNCER: |
        ENABLED=true
        API_URL=http://crowdsec:8080
        API_KEY=${CROWDSEC_BOUNCER_APIKEY}
    volumes:
      - /home/user/yami/npm/data:/data
      - /home/user/yami/npm/letsencrypt:/etc/letsencrypt
    depends_on:
      db:
        condition: service_healthy
    security_opt:
      - no-new-privileges=true
    networks:
      - crowdsec-net
      - npm-net

  db:
    image: 'mariadb:lts'
    restart: unless-stopped
    networks:
      npm-net:
    environment:
      MYSQL_ROOT_PASSWORD: ${ROOT_DATABASE_PASSWORD}
      MYSQL_DATABASE: 'npm'
      MYSQL_USER: 'npm'
      MYSQL_PASSWORD: "${DATABASE_PASSWORD}"
    volumes:
      - /home/user/yami/npm/npm-db:/var/lib/mysql
    security_opt:
      - no-new-privileges=true
    healthcheck:
      test: ['CMD', '/usr/local/bin/healthcheck.sh', '--innodb_initialized']
      start_period: 5s
      timeout: 5s
      interval: 5s
      retries: 5

  crowdsec:
    image: docker.io/crowdsecurity/crowdsec:latest
    container_name: crowdsec
    environment:
      - COLLECTIONS=crowdsecurity/nginx-proxy-manager
    volumes:
      - /home/user/yami/npm/crowdsec/db:/var/lib/crowdsec/data/
      - /home/user/yami/npm/crowdsec/config:/etc/crowdsec/
      - /home/user/yami/npm/crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml
      - /home/user/yami/npm/data/logs/:/var/log/npm:ro
    networks:
      crowdsec-net:
    restart: unless-stopped
    security_opt:
      - no-new-privileges=true

networks:
  crowdsec-net:
    driver: bridge
    name: crowdsec-net
  npm-net:
    driver: bridge
    name: npm-net

iiAmLoz · June 24, 2024, 7:05am

So docker is trying to mount /{local_path}/ as the value itself since there is no $ infront of the { so it doesn’t know its an environment variable you want to use. By default docker creates directories when the file does not exist on the host itself so as long as you define local_path in your .env and update the compose to use ${local_path} and the file exists it should work as expected. However, if local_path is the full path then you can drop the pre pending / within the definitions.

yami · June 24, 2024, 8:13am

Sorry I wasn’t clear, me using /{local_path} was just for convenience here, not literally what is in the compose file. Treat where you see that as if it were /home/user/yami/npm. I’ll edit the post to remove this confusing thought I had.

iiAmLoz · June 24, 2024, 8:25am

Ahh my bad, I presumed incorrectly. Is docker running as root?

TheGroxEmpire · June 24, 2024, 1:25pm

I have the same issue as this and I have been stuck for weeks. This is only a problem with Crowdsec image, other images are able to correctly create a yaml file through docker compose volume.

I’ll also note that if I try to manually add acquis.yaml in the host, it’ll give another error:

Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "/home/opc/docker/crowdsec/acquis.yaml" to rootfs at "/etc/crowdsec/acquis.yaml": mount /home/opc/docker/crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml (via /proc/self/fd/6), flags: 0x5000: not a directory: unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type

iiAmLoz · June 24, 2024, 2:09pm

Yeah I just had the same error via docker on my production system (another application but its the same error), it seems file mappings seems to be very fragile. The only way I managed to get it running is mapping to the parent folder instead of the file itself.

This used to work so I dont know if there any open issues on docker compose.

TheGroxEmpire · June 24, 2024, 2:30pm

I created a docker issue for it, hopefully it’ll be resolved.

github.com/docker/compose

[BUG] Docker Compose volume creating directory instead of file

opened 02:29PM - 24 Jun 24 UTC

TheGroxEmpire

kind/bug status/0-triage

### Description I am trying to deploy Crowdsec with docker compose. The volumes… config requires it to create acquis.yaml file in its volumes. ```... volumes: - ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml ``` However, docker created acquis.yaml file as directory instead of yaml file. I tried forcing the docker to create the yaml file by making an empty acquis.yaml file in the host. But it outputs an error instead: ``Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "/home/opc/docker/crowdsec/acquis.yaml" to rootfs at "/etc/crowdsec/acquis.yaml": mount /home/opc/docker/crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml (via /proc/self/fd/6), flags: 0x5000: not a directory: unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type`` ### Steps To Reproduce 1. Run ``docker compose up -d`` on this config https://github.com/crowdsecurity/example-docker-compose/blob/main/npm/docker-compose.yml. 2. Observe that it creates an acquis.yaml directory. 3. Delete that directory and create an acquis.yaml file yourself. 4. Run ``docker compose up -d`` again. 5. Observe the error. ### Compose Version ```Text Docker Compose version v2.27.1 ``` ### Docker Environment ```Text Client: Docker Engine - Community Version: 26.1.4 Context: default Debug Mode: false Plugins: buildx: Docker Buildx (Docker Inc.) Version: v0.14.1 Path: /usr/libexec/docker/cli-plugins/docker-buildx compose: Docker Compose (Docker Inc.) Version: v2.27.1 Path: /usr/libexec/docker/cli-plugins/docker-compose Server: Containers: 11 Running: 9 Paused: 0 Stopped: 2 Images: 16 Server Version: 26.1.4 Storage Driver: overlay2 Backing Filesystem: xfs Supports d_type: true Using metacopy: false Native Overlay Diff: false userxattr: false Logging Driver: json-file Cgroup Driver: systemd Cgroup Version: 2 Plugins: Volume: local Network: bridge host ipvlan macvlan null overlay Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog Swarm: inactive Runtimes: io.containerd.runc.v2 runc Default Runtime: runc Init Binary: docker-init containerd version: d2d58213f83a351ca8f528a95fbd145f5654e957 runc version: v1.1.12-0-g51d5e94 init version: de40ad0 Security Options: seccomp Profile: builtin cgroupns Kernel Version: 5.15.0-206.153.7.el9uek.aarch64 Operating System: Oracle Linux Server 9.4 OSType: linux Architecture: aarch64 CPUs: 4 Total Memory: 22.98GiB Name: cronox ID: 3ec56814-2b56-4027-b205-9eb49cc1b34b Docker Root Dir: /var/lib/docker Debug Mode: false Experimental: false Insecure Registries: 127.0.0.0/8 Live Restore Enabled: false ``` ### Anything else? Other person encountering the same issue: https://discourse.crowdsec.net/t/cant-start-docker-container-acquis-yaml-is-a-directory/1891/6

iiAmLoz · June 24, 2024, 2:33pm

Hmm that is what docker does by default, it creates a directory if the file doesnt exist so its not a bug. The bug in question is if the file exists on host and tries mapping it, the daemon responds with an error for some reason.

The reason docker creates a directory as it doesnt know what you want since in unix you can have a directory named acquis.yaml so it just presumes that what you want.

Topic		Replies	Views
Container not creating files and folders when started crowdsec	7	3701	January 3, 2022
Issues with running on Docker crowdsec	1	1189	February 18, 2022
Ubuntu 20.04.3 LTS dashboard setup failure crowdsec	5	1551	September 20, 2021
Problem config for acquisition crowdsec	4	2243	April 20, 2023
Crowdsec been great i but container restart when configuring notifications	23	256	June 18, 2024

Can't start docker container, acquis.yaml is a directory

Related topics