[BUG Report] Failed to start

[shedowe19]

node:internal/process/promises:394
    triggerUncaughtException(err, true /* fromPromise */);
    ^
[nginx: [error] invalid PID number "" in "/usr/local/nginx/logs/nginx.pid"] {
  name: 'CommandError',
  previous: undefined,
  code: Error: Command failed: nginx -s reload
  nginx: [error] invalid PID number "" in "/usr/local/nginx/logs/nginx.pid"
  
      at genericNodeError (node:internal/errors:983:15)
      at wrappedFn (node:internal/errors:537:14)
      at ChildProcess.exithandler (node:child_process:414:12)
      at ChildProcess.emit (node:events:524:28)
      at maybeClose (node:internal/child_process:1101:16)
      at ChildProcess._handle.onexit (node:internal/child_process:304:5) {
    code: 1,
    killed: false,
    signal: null,
    cmd: 'nginx -s reload'
  },
  public: false
}
Node.js v22.13.1

[Zoey2936]

Full log please and more context

[shedowe19]

I have started the Containers.

-------------------------------------
 _ _  ___  __ __       _
| \ || . \|  \  \ ___ | | _ _  ___
|   ||  _/|     || . \| || | |[_-[
|_\_||_|  |_|_|_||  _/|_| \__|/__/
                 |_|
-------------------------------------
Version:  2.12.3+e345475
Date:     Tue Mar 25 10:19:23 CET 2025
-------------------------------------
fetch https://dl-cdn.alpinelinux.org/alpine/v3.21/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.21/community/x86_64/APKINDEX.tar.gz
OK: 104 MiB in 164 packages
DEFAULT_CERT set to /data/tls/custom/npm-1/fullchain.pem
DEFAULT_KEY set to /data/tls/custom/npm-1/privkey.pem
removed '/usr/local/nginx/logs/nginx.pid'
removed '/run/php84.sock'
-------------------------------------
User:     root
PUID:     0
User ID:  0
PGID:     0
Group ID: 0
-------------------------------------
Running in stand-alone mode...
LINEAGE	RESULT	REASON
Starting services...
reading config file /etc/logrotate
acquired lock on state file /data/logrotate.stateReading state from file: /data/logrotate.state
Allocating hash table for state file, size 64 entries
Creating new state
Creating new state
Creating new state
Handling 1 logs

rotating pattern: /data/nginx/*.log  after 1 days (3 rotations)
empty log files are not rotated, old logs are removed
considering log /data/nginx/access.log
  Now: 2025-03-25 10:19
  Last rotated at 2025-03-25 01:35
  log does not need rotating (log has been rotated at 2025-03-25 01:35, which is less than a day ago)
considering log /data/nginx/error.log
  Now: 2025-03-25 10:19
  Last rotated at 2025-03-25 01:35
  log does not need rotating (log has been rotated at 2025-03-25 01:35, which is less than a day ago)
considering log /data/nginx/stream.log
  Now: 2025-03-25 10:19
  Last rotated at 2025-03-24 21:00
  log does not need rotating (log is empty)
not running prerotate script, since no logs will be rotated
not running postrotate script, since no logs were rotated
2025/03/25 10:19:24 [notice] 247#247: parsed a resolver: "10.0.17.254" in /usr/local/nginx/conf/nginx.conf:91
[25-Mar-2025 10:19:24] NOTICE: fpm is running, pid 243
[25-Mar-2025 10:19:24] NOTICE: ready to handle connections
2025/03/25 10:19:24 [notice] 247#247: ModSecurity-nginx v1.0.3 (rules loaded inline/local/remote: 0/63/0)
2025/03/25 10:19:24 [notice] 247#247: parsed a resolver: "10.0.17.254" in /usr/local/nginx/conf/nginx.conf:183
**2025/03/25 10:19:24 [alert] 247#247: failed to create BPF map (1: Operation not permitted)
2025/03/25 10:19:24 [emerg] 247#247: ngx_quic_bpf_module failed to initialize, check limits**
[Global   ] › ℹ  info      Using Sqlite: /data/npmplus/database.sqlite
[Migrate  ] › ℹ  info      Current database version: none
[Global   ] › ⬤  debug     CMD: nginxbeautifier -s 4 /usr/local/nginx/conf/conf.d/default.conf
[IP Ranges] › ℹ  info      Fetching IP Ranges from online services...
[IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v4
[IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v6
[Global   ] › ⬤  debug     CMD: certbot-ocsp-fetcher.sh -c /data/tls/certbot/live -o /data/tls/certbot/live --no-reload-webserver --quiet
[SSL      ] › ℹ  info      Certbot Renewal Timer initialized
[IP Ranges] › ℹ  info      IP Ranges Renewal Timer initialized
[Global   ] › ℹ  info      Backend PID 249 listening on port 48681
[Global   ] › ⬤  debug     CMD: nginx -tq
[Nginx    ] › ℹ  info      Reloading Nginx
[Global   ] › ⬤  debug     CMD: nginx -s reload
node:internal/process/promises:394
    triggerUncaughtException(err, true /* fromPromise */);
    ^
[nginx: [error] invalid PID number "" in "/usr/local/nginx/logs/nginx.pid"] {
  name: 'CommandError',
  previous: undefined,
  code: Error: Command failed: nginx -s reload
  nginx: [error] invalid PID number "" in "/usr/local/nginx/logs/nginx.pid"
  
      at genericNodeError (node:internal/errors:983:15)
      at wrappedFn (node:internal/errors:537:14)
      at ChildProcess.exithandler (node:child_process:414:12)
      at ChildProcess.emit (node:events:524:28)
      at maybeClose (node:internal/child_process:1101:16)
      at ChildProcess._handle.onexit (node:internal/child_process:304:5) {
    code: 1,
    killed: false,
    signal: null,
    cmd: 'nginx -s reload'
  },
  public: false
}
Node.js v22.13.1

The container restarts only
this is the develop but the Failure is same in the latest.

[Zoey2936]

I can't reproduce, can you post your compose.yaml?

[shedowe19]

services:
  npmplus:
    container_name: npmplus
    image: ghcr.io/zoeyvid/npmplus:develop
    restart: always
    network_mode: host
    ipc: service:openappsec-agent # required when you want to use the openappsec attachment module
    privileged: true # required if you set NGINX_QUIC_BPF to true
    volumes:
      - "/opt/npmplus:/data"
      - "/var/www:/var/www" # optional, if you want to use NPMplus directly as webserver for html/php
#      - "/path/to/old/npm/letsencrypt/folder:/etc/letsencrypt" # Only needed for first time migration from original nginx-proxy-manager to this fork
    environment:
      - "TZ=Europe/Berlin" # set timezone, required, set it to one of the values from the "TZ identifier" https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List
      - "ACME_EMAIL=----" # email address which should be used for acme, currently optional, may be required in the future, so I recommend you to enter your email here, optional for letsencrypt, but required for zerossl and google public ca
      - "ACME_SERVER=https://acme.zerossl.com/v2/DV90" # acme server used when requesting/renewing certs using certbot, default is set to: https://acme-v02.api.letsencrypt.org/directory (letsencrypt)
      - "ACME_EAB_KID=-----" # Key Identifier for External Account Binding for the acme server, not supported by letsencrypt, optional for zerossl (Login on theier site => Developer), but required for google public ca: https://cloud.google.com/certificate-manager/docs/public-ca-tutorial?hl=de#request-key-hmac
      - "ACME_EAB_HMAC_KEY=-----" # HMAC key for External Account Binding for the acme server, not supported by letsencrypt, optional for zerossl (Login on theier site => Developer), but required for google public ca: https://cloud.google.com/certificate-manager/docs/public-ca-tutorial?hl=de#request-key-hmac
#      - "ACME_MUST_STAPLE=true" # enables must-staple, default false, I recommend you to enable this if your CA supports it, supported by zerossl, google public ca ignores this, unsupported by letsencrypt (will fail), overrides ACME_OCSP_STAPLING to true
#      - "ACME_OCSP_STAPLING=false" # enables ocsp stapling, default true, I recommend you to enable this if your CA supports it, supported by zerossl and google public ca, unsupported by letsencrypt certs created after May 7, 2025 (will create warning in your log, default value will change then)
#      - "ACME_KEY_TYPE=rsa" # which key type to use ecdsa or rsa, default and recommended: ecdsa
#      - "ACME_SERVER_TLS_VERIFY=false" # enables checking if ACME_SERVER has a valid TLS cert, default true
#      - "CUSTOM_OCSP_STAPLING=true" # enables ocsp stapling for custom certs, default false, I recommend you to enable this if your custom certs support it
#      - "PUID=0" # set group id, needs to be a number greater or equal to 99, or equal to 0, default 0 (root)
#      - "PGID=0" # set user id, needs to be a number greater or equal to 99, or equal to 0, default 0 (root), requires PUID to be not 0
#      - "NIBEP=48682" # internal port of the NPMplus API, always bound to 127.0.0.1, default 48681, you need to change it, if you want to run multiple npm instances in network mode host
#      - "GOAIWSP=48692" # internal port of goaccess, always bound to 127.0.0.1, default 48691, you need to change it, if you want to run multiple npm with goaccess instances in network mode host
#      - "NPM_PORT=82" # Port the NPM UI should be bound to, default 81, you need to change it, if you want to run multiple npm instances in network mode host
#      - "GOA_PORT=92" # Port the goaccess should be bound to, default 91, you need to change it, if you want to run multiple npm with goaccess instances in network mode host
#      - "IPV4_BINDING=127.0.0.1" # IPv4 address to bind, defaults to all
#      - "NPM_IPV4_BINDING=127.0.0.1" # IPv4 address to bind for the NPM UI, defaults to all
#      - "GOA_IPV4_BINDING=127.0.0.1" # IPv4 address to bind for the goaccess, defaults to all
#      - "IPV6_BINDING=[::1]" # IPv6 address to bind, defaults to all
#      - "NPM_IPV6_BINDING=[::1]" # IPv6 address to bind for the NPM UI, defaults to all
#      - "GOA_IPV6_BINDING=[::1]" # IPv6 address to bind for goaccess, defaults to all
#      - "DISABLE_IPV6=true" # fully disables listing on IPv6 and the IPv6 resolver of nginx, overrides IPV6_BINDING/NPM_IPV6_BINDING/GOA_IPV6_BINDING, default false
#      - "NPM_LISTEN_LOCALHOST=true" # Binds the NPM UI only to localhost, overrides NPM_IPV4_BINDING/NPM_IPV6_BINDING, default false
#      - "GOA_LISTEN_LOCALHOST=true" # Binds goaccess only to localhost, overrides NPM_IPV4_BINDING/NPM_IPV6_BINDING, default false
      - "DEFAULT_CERT_ID=1" # ID of cert, which should be used instead of dummycerts, default 0/unset/dummycerts
#      - "HTTP_PORT=8080" # tcp port to use for http traffic, changing this may breaks certbot http challenge, default 80
#      - "HTTPS_PORT=8443" # udp and tcp port to use for https traffic, changing this may breaks certbot http challenge, default 443
#      - "HTTP3_ALT_SVC_PORT=8443" # please change this if the udp port the clients connect to is not 443, default 443
#      - "DISABLE_HTTP=true" # disables nginx to listen on port 80, default false
#      - "LISTEN_PROXY_PROTOCOL=true" # should listeners of http(s) hosts (proxy/redirect/dead and default) use proxy protocol instead of http(s)? default false, overrides DISABLE_H3_QUIC to true
#      - "DISABLE_H3_QUIC=true" # disables nginx to listen on port 443 udp for default host and all your hosts, this will fully disable HTTP/3 and QUIC, even if you enable it inside the UI, not recommended, default false
      - "NGINX_QUIC_BPF=true" # enables nginxs quic_bpf (https://nginx.org/en/docs/http/ngx_http_v3_module.html#quic_bpf), you also need to to give the NPMplus container privileged permissions to use this, default false
#      - "NGINX_LOG_NOT_FOUND=true" # Allow logging of 404 errors, default false
#      - "NGINX_404_REDIRECT=true" # Redirect to / instead of showing a 404 error page, default false
#      - "NGINX_HSTS_SUBDMAINS=false" # when enabling security headers, also enable hsts for subdomains, default true
#      - "X_FRAME_OPTIONS=deny" # value to use for the X-Frame-Options header when enabling security headers, valid is deny, sameorigin and none (means unset), default sameorigin, since this applies to all hosts I recommend you to instead keep the default and only change it for hosts which need it using the advanced config and more_set_headers
#      - "NGINX_DISABLE_PROXY_BUFFERING=true" # Disables the proxy_buffering/proxy_request_buffering options of nginx, default false, may not work if you use crowdsec/appsec
#      - "NGINX_WORKER_PROCESSES=8" value of worker_processes, default and recommended: auto
#      - "DISABLE_NGINX_BEAUTIFIER=true" # disables nginxbeautifier, useful when it fails parsing non-standard configs, default false
#      - "FULLCLEAN=true" # Clean unused config folders, default false
#      - "SKIP_IP_RANGES=true" # Skip feteching/whitelisting ip ranges from cloudflare, default false
#      - "LOGROTATE=true" # Enables writing http access logs to /opt/npmplus/nginx/access.log, stream access logs to /opt/npmplus/nginx/stream.log and enables daily logrotation, default false
#      - "LOGROTATIONS=7" # Set how often the access.log should be rotated until it is deleted, default 3
#      - "CRT=36" # Set how many hours should be between certbot trying to renew your certs, default 24
#      - "IPRT=3" # Set how many hours should be between updating ip ranges from aws and cloudflare, default 1, ignored when SKIP_IP_RANGES is true
#      - "GOA=true" # Enables goaccess, requires LOGROTATE, default false --- if you download the GeoLite2-Country.mmdb, GeoLite2-City.mmdb AND GeoLite2-ASN.mmdb file from MaxMind and place them in /opt/npmplus/goaccess/geoip it will automatically enable GeoIP in goaccess after restarting NPMplus (no need to change GOACLA below), you may also enable the geoipupdate container below (please change the timezone)
#      - "GOACLA=--agent-list --real-os --double-decode --anonymize-ip --anonymize-level=2 --keep-last=7 --with-output-resolver --no-query-string" # Arguments that should be passed to goaccess, default: --agent-list --real-os --double-decode --anonymize-ip --anonymize-level=1 --keep-last=30 --with-output-resolver --no-query-string
#      - "PHP82=true" # Activate PHP82, default false
#      - "PHP82_APKS=php82-curl php82-openssl" # Add php extensions, see available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.21&repo=community&arch=x86_64&name=php82-*, default none, requires PHP82
#      - "PHP83=true" # Activate PHP83, default false
#      - "PHP83_APKS=php83-curl php83-openssl" # Add php extensions, see available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.21&repo=community&arch=x86_64&name=php83-*, default none, requires PHP83
      - "PHP84=true" # Activate PHP84, default false
#      - "PHP84_APKS=php84-curl php84-openssl" # Add php extensions, see available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.21&repo=community&arch=x86_64&name=php84-*, default none, requires PHP84
#      - "PHP_APKS=php-pecl-apcu php-pecl-redis" # Add php extensions, see available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.21&repo=community&arch=x86_64&name=php-*, default none, requires PHP82, PHP83 and/or PHP84, not recommended, please use PHP82_APKS, PHP83_APKS or PHP84_APKS
#      - "INITIAL_ADMIN_EMAIL=example@clawsucht.de" # email to use instead of admin@example.org on first start of NPMplus for the initial user
#      - "INITIAL_ADMIN_PASSWORD=Shedowe#9499" # password to use instead of a random password which is logged on first start of NPMplus for the initial user
#      - "INITIAL_DEFAULT_PAGE=444" # default page to set on first start of NPMplus for the initial user, default congratulations, can be one of: 404, 444, redirect, congratulations or html
#      - "ENABLE_PRERUN=true" # see readme, default off
      - "NGINX_LOAD_OPENAPPSEC_ATTACHMENT_MODULE=true" # loads the openappsec attachment module, you also need to set ipc for NPMplus in this composse file, this will fully disable brotli, even if you enable it inside the UI, default false
#      - "NGINX_LOAD_OPENTELEMETRY_MODULE=true" # loads the opentelemetry module, you need to configure this yourself, default false
#      - "NGINX_LOAD_FANCYINDEX_MODULE=true" # loads the fancyindex module, default false
#      - "NGINX_LOAD_GEOIP2_MODULE=true" # loads the geoip2 module, you need to configure this yourself, default false
#      - "NGINX_LOAD_NJS_MODULE=true" # loads the njs module (nginx JavaScript module), you need to configure this yourself, default false
#      - "NGINX_LOAD_NTLM_MODULE=true" # loads the ntml module, you need to configure this yourself, default false
#      - "NGINX_LOAD_VHOST_TRAFFIC_STATUS_MODULE=true" # loads the virtual host traffic status module, you need to configure this yourself, default false

  openappsec-agent:
    container_name: openappsec-agent
    image: ghcr.io/openappsec/agent:latest
    restart: always
    ipc: shareable
    volumes:
      - "/opt/openappsec/conf:/etc/cp/conf"
      - "/opt/openappsec/data:/etc/cp/data"
      - "/opt/openappsec/logs:/var/log/nano_agent"
#      - "/opt/openappsec/localconf:/ext/appsec" # if you don't set AGENT_TOKEN, then please put a local_policy.yaml in the /opt/openappsec/localconf folder before deploying
      - "/open-appsec-advance-model:/advanced-model" # optional, if you want to use a different model
    environment:
      - "TZ=Europe/Berlin" # needs to be changed
      - "autoPolicyLoad=true"
      - "registered_server=npmplus"
      - "user_email=-----" # optional, from theier docs: "This allows the open-appsec team to provide you easy assistance in case of any issues you might have with your specific deployment in the future and also to provide you information proactively regarding open-appsec in general or regarding your specific deployment. [...] If we send automatic emails there will also be an opt-out option included for receiving similar communication in the future."
      - "AGENT_TOKEN=-----" # optional, can be set if you use theier webinterface, if you leave this commented, please uncomment all other openappsec containers below, see: https://docs.openappsec.io/getting-started/using-the-web-ui-saas/create-a-profile
    command: /cp-nano-agent

[brggmn]

I have exactly the same issue with the latest version.

[Zoey2936]

I have exactly the same issue with the latest version.

do you also use openappsec?

[shedowe19]

@Zoey2936 yes the WebUI from openappsec Website

[brggmn]

I have exactly the same issue with the latest version.

do you also use openappsec?

No I don't.

Here is my composefile

services:
  npmplus:
    container_name: npmplus
    image: zoeyvid/npmplus:latest
    restart: always
    network_mode: host
    volumes:
      - "/opt/npm:/data"
    environment:
      - "TZ=Europe/Brussels" # set timezone, required
      - "ACME_EMAIL=redacted@redacted.com"
      - "NGINX_LOG_NOT_FOUND=true" # Allow logging of 404 errors, default false
      - "LOGROTATE=true" # Enables writing http access logs to /opt/npm/nginx/access.log, stream access logs to /opt/npm/nginx/stream.log and enables daily logrotation, default false
      - "LOGROTATIONS=7" # Set how often the access.log should be rotated until it is deleted, default 3
      - "GOA=true" # Enables goaccess, requires LOGROTATE, default false --- if you download the GeoLite2-Country.mmdb, GeoLite2-City.mmdb AND GeoLite2-ASN.mmdb file from MaxMind and place them in /opt/npm/etc/goaccess/geoip it will automatically enable GeoIP in goaccess after restarting NPMplus (no need to change GOACLA below), you may also use the compose.geoip.yaml

      - "ACME_MUST_STAPLE=false"
      - "ACME_OCSP_STAPLING=false"
      - "DISABLE_IPV6=true"
      - "FULLCLEAN=true"
      - "CRT=36"
      - "IPRT=3"
      - "NGINX_LOAD_GEOIP2_MODULE=true"
      
  crowdsec:
    container_name: crowdsec
    image: crowdsecurity/crowdsec:latest
    restart: always
    network_mode: bridge
    ports:
      - "127.0.0.1:7422:7422"
      - "127.0.0.1:8080:8080"
    environment:
      - "TZ=Europe/Brussels"
      - "COLLECTIONS=ZoeyVid/npmplus"
      - "LEVEL_FATAL=true"
      - "LEVEL_ERROR=true"
      - "LEVEL_WARN=true"
      - "LEVEL_INFO=false"
      - "LEVEL_DEBUG=false"
      - "LEVEL_TRACE=false"
    volumes:
      - "/opt/crowdsec/conf:/etc/crowdsec"
      - "/opt/crowdsec/data:/var/lib/crowdsec/data"
      - "/opt/npm/nginx:/opt/npm/nginx:ro"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

  geoipupdate:
    container_name: geoipupdate
    image: maxmindinc/geoipupdate:latest
    restart: always
    network_mode: bridge
    environment:
      - "TZ=Europe/Brussels"
      - "GEOIPUPDATE_EDITION_IDS=GeoLite2-Country GeoLite2-City GeoLite2-ASN"
      - "GEOIPUPDATE_ACCOUNT_ID=$GeoIPAccount"
      - "GEOIPUPDATE_LICENSE_KEY=$GeoIPLicenseKey"
      - "GEOIPUPDATE_FREQUENCY=24"
    volumes:
      - "/opt/npm/goaccess/geoip:/usr/share/GeoIP"

[Zoey2936]

does docker.io/zoeyvid/npmplus:447 work?

[brggmn]

That works indeed.
I've deleted my only stream host and now :latest also works.

Maybe some misconfiguration at my side I guess, or an extra trigger that caught a previously set misconfiguration...?

[Zoey2936]

does the develop tag also work?

[Zoey2936]

That works indeed. I've deleted my only stream host and now :latest also works.

Maybe some misconfiguration at my side I guess, or an extra trigger that caught a previously set misconfiguration...?

seems to also have fixed #1651, to all other people with this issue can you recreate the container please (recreate, not restart)

[shedowe19]

Yes the fix worked and develop Tag worked.

[Zoey2936]

interesting error... nothing changed, only the container was recreated

[shedowe19]

The Failure is always when i restart a machine.

when i deploy the container, the start works correctly

@Zoey2936

[shedowe19]

the problem only attemts when i restart a System, not when i restart a container!

[Zoey2936]

Which docker version do you run?

[shedowe19]

root@npmplus:~# docker --version
Docker version 28.0.2, build 0442a73

[Zoey2936]

can you update it and check if the issue still exists with the newets docker version, please?

[shedowe19]

I have checked. I have updated the Container and when i start the Container manuely, I recreated the Container and this work but when I re start the machine, the error becomes before I postet

[Zoey2936]

Ok, I will test next week

[Zoey2936]

sorry, took more than a week, I can't reproduce this, does this issue still exist for you?

[brggmn]

For me issue is solved as stated before.

[shedowe19]

Yes the Problem ist no more .