I am using Docker along with Docker Compose v2.5.0 to test whether the this is actually a bug within grafana or the compose CLI.
I provisioned the GF_SECURITY_ADMIN_USER and GF_SECURITY_ADMIN_PASSWORD via an .env file into the docker-compose.yml file.
Initial checks show that the password is accepted and I am able to login into Grafana.
I bring the container down
change the GF_SECURITY_ADMIN_PASSWORD to something else
re-generate the docker-compose.yml file to accept the updated env var
Bring the container up
The new password is not accepted into the container, and I still have to use the old credentials to login
The only possible solution is that I have purge my docker volume to accept the new password, which is not the right thing to do, because the volume might contain data that should not be deleted.
I have created a repository that one can use to reproduce the bug
I did docker inspect <container_name> to see if the container picked the changed password as env var and it does
I exec'd into the running grafana container using docker compose exec -it grafana /bin/bash and typed env and it still had the changed env variable
but the running instance has not actually picked up the change.
This seems like a bug. If it is not it should be clearly stated in the documentation that the env variable is not adaptable after initialization.
linking to the ongoing github issue:
opened 07:48AM - 17 May 22 UTC
area/auth
needs investigation
area/configuration
<!--
Please use this template to create your bug report. By providing as much i… nfo as possible you help us understand the issue, reproduce it and resolve it for you quicker. Therefore take a couple of extra minutes to make sure you have provided all info needed.
PROTIP: record your screen and attach it as a gif to showcase the issue.
- Questions should be posted to: https://community.grafana.com
- Use query inspector to troubleshoot issues: https://bit.ly/2XNF6YS
- How to record and attach gif: https://bit.ly/2Mi8T6K
-->
**What happened**:
1. Bring a Grafana Docker container up using the repository mentioned below. Use `make build` to generated `docker-compose.yml` file and then `make run` to bring the container up. The `GF_SECURITY_ADMIN_USER`, `GF_SECURITY_ADMIN_PASSWORD` are set via the `conf/grafana/.env`. Initial Values are set to `admin` and `supersecretpass` respectively
2. Grafana works and one can login with the credentials value as mentioned above on http://grafana.staged-by-discourse.com
3. Change the `GF_SECURITY_ADMIN_PASSWORD` in `conf/grafana/.env` to `supersecretpass123` and bring the container down using `make clean`
4. Create the updated `docker-compose.yml` file using `make build` and bring the container up using `make run`
5. This should make the container available on the same URL, however when one tries to login with the updated `GF_SECURITY_ADMIN_PASSWORD`, the login does not work. Grafana logs me in only with the previous password set
**What you expected to happen**:
Assuming the container is brought down and brought back up again, the new environment variables should be used to let the user login into Grafana.
Since `GF_SECURITY_ADMIN_PASSWORD` is now changed and is also reflected within the container's environment, the value should be the actual password for admin login and should not rely on the older password previously set.
**How to reproduce it (as minimally and precisely as possible)**:
- Test Environment Reproduction Repository: [Repo on GitHub](https://github.com/shantanoo-desai/compose-v2-env-vars-problem)
The repository provides a very simple example of reproducing the bug with all the relevant documentation necessary. It does not require any other dependency except an updated Docker Engine to v20.10.14 with the compose CLI v2.5.0 which is now shipped within the environment.
**Anything else we need to know?**:
The only possible way to overcome this bug, is to actually purge the docker volumes which may contain other valuable data. It is rather unfeasible to purge a complete docker volume to reset the new Admin password.
**Environment**:
- Grafana version: 8.4.0, 8.4.5
- Data source type & version: Docker Image: `grafana/grafana-oss:8.4.5` from Docker Hub
- OS Grafana is installed on: Tested with Docker on GNU/Linux, Docker with WSL2 on Windows 10
- User OS & Browser: Mozilla Firefox, Google Chrome
- Grafana plugins: N/A
- Others: docker version 20.10.14 and docker compose version v2.5.0
Output of `docker info` (if relevant)
```bash
Client:
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc., v0.8.2)
compose: Docker Compose (Docker Inc., v2.5.0)
sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc., 0.6.0)
scan: Docker Scan (Docker Inc., v0.17.0)
Server:
Containers: 16
Running: 1
Paused: 0
Stopped: 15
Images: 8
Server Version: 20.10.14
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 1
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 3df54a852345ae127d1fa3092b95168e4a88e2f8
runc version: v1.0.3-0-gf46b6ba
init version: de40ad0
Security Options:
seccomp
Profile: default
Kernel Version: 5.10.16.3-microsoft-standard-WSL2
Operating System: Docker Desktop
OSType: linux
Architecture: x86_64
CPUs: 12
Total Memory: 24.78GiB
Name: docker-desktop
ID: AM3A:EIDA:J3BS:FMN2:MZMR:3CBY:YHXN:US7Q:BIKM:7POA:WAGC:MRWX
Docker Root Dir: /var/lib/docker
Debug Mode: false
HTTP Proxy: http.docker.internal:3128
HTTPS Proxy: http.docker.internal:3128
No Proxy: hubproxy.docker.internal
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
hubproxy.docker.internal:5000
127.0.0.0/8
Live Restore Enabled: false
```
