在 docker 容器内使用带有 ssl 的自托管（Jetty）元数据库时出错

Question

I'm trying to setup a self hosted (Jetty) Metabase inside a docker container running with ssl enabled.

First I created the fullchain.pem and privkey.pem using the certbot , than converted to keystore.jks using this gist .

Then created a.env file that would be used for the --env-file docker flag:

MB_DB_FILE=/metabase/metabase.db
MB_JETTY_SSL=true
MB_JETTY_SSL_PORT=443
MB_JETTY_SSL_KEYSTORE=./keystore.jks
MB_JETTY_SSL_KEYSTORE_PASSWORD=my-pass

And tried to run:

docker run -p 80:3000 -v ~/metabase:/metabase --env-file "./prod.env" --name metabase metabase/metabase

But I got the following error:

ERROR metabase.core :: Metabase Initialization FAILED
java.net.SocketException: Permission denied
    at sun.nio.ch.Net.bind0(Native Method) ~[?:?]
    at sun.nio.ch.Net.bind(Unknown Source) ~[?:?]
    at sun.nio.ch.Net.bind(Unknown Source) ~[?:?]
    at sun.nio.ch.ServerSocketChannelImpl.bind(Unknown Source) ~[?:?]
    at sun.nio.ch.ServerSocketAdaptor.bind(Unknown Source) ~[?:?]
    at org.eclipse.jetty.server.ServerConnector.openAcceptChannel(ServerConnector.java:345) ~[metabase.jar:?]
    at org.eclipse.jetty.server.ServerConnector.open(ServerConnector.java:310) ~[metabase.jar:?]
    at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:80) ~[metabase.jar:?]

Solved by changing the SSL_PORT to 8443, so the new env file looks like this:

MB_DB_FILE=/metabase/metabase.db
MB_JETTY_SSL=true
MB_JETTY_SSL_PORT=8443
MB_JETTY_SSL_KEYSTORE=./keystore.jks
MB_JETTY_SSL_KEYSTORE_PASSWORD=my-pass

Deleted the old container and started a new one with the env file above but now I'm stuck on this error:

ERROR metabase.core :: Metabase Initialization FAILED
java.lang.IllegalStateException: /"./keystore.jks" is not a valid keystore

I've double checked if my.jks file is valid using this . And it is.

My questions are:

1. Why can't I run it on 443
2. Why is my keystore not valid?

Edit 1:

Following up Joakim's suggestion:

Changed to the absute path

MB_DB_FILE=/metabase-prod-data/metabase.db
MB_JETTY_SSL=true
MB_JETTY_SSL_PORT=8443
MB_JETTY_SSL_KEYSTORE=/root/services/metabase/setup/keystore.jks
MB_JETTY_SSL_KEYSTORE_PASSWORD=my-pass

Got this error:

ERROR metabase.core :: Metabase Initialization FAILED
java.lang.IllegalStateException: /root/services/metabase/setup/keystore.jks is not a valid keystore

Answer 1

443 is a restricted port on most OS's that require root/superuser/admin rights to be able to bind to it.

Your keystore isn't found, that path is invalid.
The error is just confusing.

The configuration you have at

MB_JETTY_SSL_KEYSTORE=./keystore.jks

Try making that an absolute path, as the metabase is apparently just tacking what you give it onto the end of some other path / in your case.

Answer 2

why port 443 is not used is answered by @Joakim

I also faced this issue for metabase initialisation. The error I was facing was that the keystore file at host is not accessible inside the docker container.

I used docker-compose yml file. You can search for terminal based ways as well.

I made it accessible by adding folder at host which has the certificate by using volume attribute.

metabase:
   ...
    env_file:
      - ./config/metabase.env
    volumes:
      - <LOCAL_PATH>:<CONTAINER_PATH>

Inside the environment path:

MB_JETTY_SSL_KEYSTORE:<CONTAINER_PATH>/keystore.jks