Passbolt in docker compose

Hi, I am trying to install Passbolt in Docker with Docker Compose, but I have a problem with the ENV in Docker Compose:

DATASOURCES_DEFAULT_PASSWORD_FILE

I am trying to add as a secret inside a file the password for DATASOURCES_DEFAULT_PASSWORD_FILE,
but every time I add it as a secret inside the compose (whether I do it with compose or swarm), I get the same problem:

[Warning] Access denied for user ‘passbolt’@‘XXXXXX’ (using password: NO)

I think the compose is not using the datasources variable correctly. I have tried with different versions of passbolt, with no success…

Does anyone have the same problem?
Ty

Hello @Witty and welcome to the forum!
The environment variable you are asking for is available to use with docker secrets. If you are not using it, you have to use DATASOURCES_DEFAULT_PASSWORD instead.

To be able to help you in a better way, please follow the guide of the installation issues posts to get all the required information

The problem is that I am using both docker secrets and password in file, and using this ENV inside a COMPOSE, but I get the same problem.

Could you please send your Docker Compose (and environment variables file, if it exists) to check for errors?
You should change each credential or URL to avoid revealing sensitive information.

Sure…

Here is my compose:


version: "3.3"
services:
  db:
    image: mariadb:10.11
    container_name: passbolt-mariadb-PRO
    hostname: passbolt-db-pro01
    restart: unless-stopped
    environment:
      # MYSQL_RANDOM_ROOT_PASSWORD: "true"
      # MYSQL_ROOT_PASSWORD: "xxxxxxx"
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/db_root_password
      MYSQL_DATABASE: "xxxxxx"
      MYSQL_USER: "xxxxxx"
      #MYSQL_PASSWORD: "xxxxxx"
      MYSQL_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      - db_root_password
      - db_password
    volumes:
      - database_volume:/var/lib/mysql
    networks:
      - passbolt-pro

  passbolt:
    # image: passbolt/passbolt:4.4.2-1-pro
    image: passbolt/passbolt:4.3.0-1-pro
    container_name: passbolt-PRO
    hostname: passbolt-pro01
    restart: unless-stopped
    environment:
      # User and password are the same as the DB so that it can install.
      APP_FULL_BASE_URL: https://xxxxxxxxxxxxx.com
      DATASOURCES_DEFAULT_HOST: "db"
      DATASOURCES_DEFAULT_USERNAME: "xxxxxxxxxx"
      #DATASOURCES_DEFAULT_PASSWORD: "xxxxxxxxxxxx"
      DATASOURCES_DEFAULT_PASSWORD_FILE: /run/secrets/datasources
      DATASOURCES_DEFAULT_DATABASE: "xxxxx"
      PASSBOLT_SSL_FORCE: "true"

      # Passbolt environment
      PASSBOLT_REGISTRATION_PUBLIC: "false"
      PASSBOLT_SECURITY_SET_HEADERS: "true"
      PASSBOLT_PLUGINS_EXPORT_ENABLED: "true"
      PASSBOLT_PLUGINS_IMPORT_ENABLED: "true"
      # PASSBOLT_GPG_SERVER_KEY_FINGERPRINT: "null"
      # PASSBOLT_GPG_SERVER_KEY_FINGERPRINT_FORCE: "true"
      # PASSBOLT_GPG_SERVER_KEY_FINGERPRINT: "xxxxxxxxxxxxx"
      # PASSBOLT_KEY_NAME: "xxxxxxxxxxxxxx"
      # PASSBOLT_KEY_EMAIL: "xxxxxxx@xxx.com"

      # Email environment (Type Login)
      EMAIL_DEFAULT_FROM_NAME: "xxxxxx"
      EMAIL_DEFAULT_FROM: "xxxxxx@xxxxx.com"
      EMAIL_TRANSPORT_DEFAULT_HOST: "xxxxx"
      EMAIL_TRANSPORT_DEFAULT_PORT: "587"
      EMAIL_TRANSPORT_DEFAULT_TLS: "true"
      EMAIL_TRANSPORT_DEFAULT_USERNAME: "xxxxx"
      EMAIL_TRANSPORT_DEFAULT_PASSWORD: "xxxxxx"

      # Email environment (Type Anonymous)
      # EMAIL_DEFAULT_FROM_NAME: "xxxxxx"
      # EMAIL_DEFAULT_FROM: "xxxxxxt@xxxxxx.com"
      # EMAIL_TRANSPORT_DEFAULT_HOST: "xxx"
      # EMAIL_TRANSPORT_DEFAULT_PORT: "xxxxx"
      # EMAIL_TRANSPORT_DEFAULT_TLS: "null"

      # Other Options (Optional)
      # EMAIL_TRANSPORT_DEFAULT_CLIENT: "null"
      # EMAIL_TRANSPORT_DEFAULT_URL: "null"
      # EMAIL_TRANSPORT_DEFAULT_TIMEOUT: "30"

    secrets:
      - datasources
    networks:
      - passbolt-pro
    depends_on:
      - db

    volumes:
      - gpg_volume:/etc/passbolt/gpg
      - jwt_volume:/etc/passbolt/jwt
      - ./cert/xxxxxx.crt:/etc/ssl/certs/certificate.crt:ro
      - ./cert/xxxxxx.key:/etc/ssl/certs/certificate.key:ro
      - ${PWD}/subscription_key.txt:/etc/passbolt/subscription_key.txt:ro
    command:
      - /bin/bash
      - -c
      - |
        # Uncomment line below if you are using ldap sync. Change '* * * * *' to your preferred sync schedule. More info: https://en.wikipedia.org/wiki/Cron
        # echo '* * * * * www-data exec /bin/bash -c "source /etc/environment && /usr/share/php/passbolt/bin/cake directory_sync all" >> /var/log/cron.log 2>&1' >> /etc/cron.d/passbolt-pro-server
        /usr/bin/wait-for.sh -t 0 db:3306 -- /docker-entrypoint.sh
    ports:
      #- 80:80
      - 443:443

volumes:
  database_volume:
  gpg_volume:
  jwt_volume:

networks:
  passbolt-pro:

secrets:
  db_root_password:
    file: ./db_root_password.txt
  db_password:
    file: ./db_password.txt
  datasources:
    file: ./datasources.txt

Have you tried using the same file instead of different ones?
Try using the following:
db:

MYSQL_PASSWORD_FILE: /run/secrets/db_password

passbolt:

DATASOURCES_DEFAULT_PASSWORD_FILE: /run/secrets/db_password

Did you also have a look at the doc page: How can I use Docker Secrets? | Passbolt documentation.

As I said, the only problem I have is with the ENV.

DATASOURCES_DEFAULT_PASSWORD: ‘xxxxxxxxxxxxxx’
DATASOURCES_DEFAULT_PASSWORD_FILE: /run/secrets/datasources

If I use the first option without secret with the password of course, then it works, but if I use it as _FILE with a .txt and the password I get the same error every time as I added above…
What I really want is not to have any password in cleartext in the compose, that’s why I open this thread…

Hello,

I just spun up a new docker compose with this:

services:
  db:
    image: mariadb:10.11
    restart: unless-stopped
    environment:
      # MYSQL_RANDOM_ROOT_PASSWORD: "true"
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/db_root
      MYSQL_DATABASE: "passbolt"
      MYSQL_USER: "passbolt"
      # MYSQL_PASSWORD: "P4ssb0lt"
      MYSQL_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      - db_root
      - db_password
    volumes:
      - database_volume:/var/lib/mysql

  passbolt:
    image: passbolt/passbolt:latest-ce
    #Alternatively you can use rootless:
    #image: passbolt/passbolt:latest-ce-non-root
    restart: unless-stopped
    depends_on:
      - db
    environment:
      APP_FULL_BASE_URL: https://passbolt.local
      DATASOURCES_DEFAULT_HOST: "db"
      DATASOURCES_DEFAULT_USERNAME: "passbolt"
      # DATASOURCES_DEFAULT_PASSWORD: "P4ssb0lt"
      DATASOURCES_DEFAULT_PASSWORD_FILE: /run/secrets/db_password
      DATASOURCES_DEFAULT_DATABASE: "passbolt"
    secrets:
      - db_password
    volumes:
      - gpg_volume:/etc/passbolt/gpg
      - jwt_volume:/etc/passbolt/jwt
    command:
      [
        "/usr/bin/wait-for.sh",
        "-t",
        "0",
        "db:3306",
        "--",
        "/docker-entrypoint.sh",
      ]
    ports:
      - 80:80
      - 443:443
    #Alternatively for non-root images:
    # - 80:8080
    # - 443:4433

volumes:
  database_volume:
  gpg_volume:
  jwt_volume:

secrets:
  db_root:
    file: db_root.txt
  db_password:
    file: db_password.txt

At the same level as the docker compose file I put 2 files,
db_root.txt and db_password.txt, with just the password inside.

Then did a

docker compose -f docker-compose-ce.yaml \
exec passbolt su -m -c "source /etc/environment && /usr/share/php/passbolt/bin/cake \
passbolt register_user \
-u admin@passbolt.com \
-f Admin \
-l User \
-r admin" -s /bin/bash www-data

And I was good to go

Nice job

Ok, I’ll try to run this compose to see if it works.
Thank you very much for the help

I am trying to deploy this compose with passbolt ce, but once it raises the containers, when trying to register a user I get the error again.
For some reason I think the variable:

   # DATASOURCES_DEFAULT_PASSWORD: "P4ssb0lt"
   DATASOURCES_DEFAULT_PASSWORD_FILE: /run/secrets/db_password

It still doesn’t work when deploying with compose…


docker exec passbolt_passbolt_1 su -m -c "bin/cake passbolt register_user -u admin_passbolt@xxxxx.com -f admin -l passbolt -r admin" -s /bin/sh www-data

Open source password manager for teams

2024-05-07 11:20:56 error: [Cake\Database\Exception\MissingConnectionException] Connection to Mysql could not be established: SQLSTATE[HY000] [1045] Access denied for user ‘passbolt’@‘172.26.0.3’ (using password: NO) in /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Database/Driver.php on line 144
Caused by: [PDOException] SQLSTATE[HY000] [1045] Access denied for user ‘passbolt’@‘172.26.0.3’ (using password: NO) in /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Database/Driver.php on line 132
2024-05-07 11:20:56 error: Could not connect to Database.

Passbolt | Error

Please be careful here, to execute the command you need to do a source /etc/environment before the register_user
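
The `VAR` / `VAR_FILE` convention discussed in this thread, as an added example that is not part of the original posts and is not Passbolt's own entrypoint code. `resolve_secret` and `same_secret` are hypothetical helper names and the secret files are constructed samples; return code 1 is the state in which a database client sends no password at all, which the server logs as "using password: NO".

```shell
#!/bin/sh
# Added illustration (not Passbolt's entrypoint): the VAR / VAR_FILE convention
# behind DATASOURCES_DEFAULT_PASSWORD_FILE, written as a pre-flight check.

# resolve_secret NAME: print NAME's value, or the contents of the file named
# by NAME_FILE. Return codes:
#   0 resolved      1 neither set (a client would send no password)
#   2 both set      3 file missing or unreadable      4 file empty
resolve_secret() {
  case "$1" in ''|*[!A-Za-z0-9_]*) return 64 ;; esac  # only safe names reach eval
  eval "rs_val=\${$1:-}; rs_path=\${${1}_FILE:-}"
  if [ -n "$rs_val" ] && [ -n "$rs_path" ]; then return 2; fi
  if [ -n "$rs_val" ]; then printf '%s' "$rs_val"; return 0; fi
  [ -n "$rs_path" ] || return 1
  [ -r "$rs_path" ] || return 3
  rs_val=$(cat "$rs_path")   # $(...) drops the trailing newline editors add
  [ -n "$rs_val" ] || return 4
  printf '%s' "$rs_val"
}

# same_secret A B: succeed when both files hold the same password, ignoring
# trailing newlines (db_password.txt vs datasources.txt in the first compose).
same_secret() {
  [ -r "$1" ] && [ -r "$2" ] && [ "$(cat "$1")" = "$(cat "$2")" ]
}

# Constructed sample data: throwaway files standing in for the secret mounts.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'P4ssb0lt\n' > "$demo_dir/db_password"
printf 'P4ssb0lt'   > "$demo_dir/datasources"

# A shell where neither variable has been loaded resolves nothing.
unset DATASOURCES_DEFAULT_PASSWORD DATASOURCES_DEFAULT_PASSWORD_FILE
rc=0; resolve_secret DATASOURCES_DEFAULT_PASSWORD >/dev/null || rc=$?
echo "nothing loaded in this shell: rc=$rc"

# With the _FILE variable set, the password comes from the mounted file.
DATASOURCES_DEFAULT_PASSWORD_FILE="$demo_dir/db_password"
echo "via _FILE: $(resolve_secret DATASOURCES_DEFAULT_PASSWORD | wc -c) bytes"
same_secret "$demo_dir/db_password" "$demo_dir/datasources" && echo "db and app secrets match"
```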