@poikilotherm
Contributor

@poikilotherm poikilotherm commented Jun 4, 2025

What this PR does / why we need it:

This PR replaces #11463 as I couldn't push changes to the fork branch.

Fixing a problem of a Dataverse application container not starting when running on Docker due to an already set password in a previous run.

Which issue(s) this PR closes:

Special notes for your reviewer:
If you normally start the Docker image with docker-compose and Docker is configured to restart all running Docker instances upon a system restart, the error occurs. This happens because the script specifies that if a program does not return exit 0, the script should terminate, and as a result, the entire startup process fails.

Suggestions on how to test this:
During the normal start using Docker, all three or at least one of the following parameters must be specified: LINUX_PASSWORD, PAYARA_ADMIN_PASSWORD, DOMAIN_PASSWORD.
Then, stop the containers but don't delete them. Now start them again and see if the startup stops failing.

Does this PR introduce a user interface change? If mockups are available, please link/include them here:
Nope

Is there a release notes update needed for this change?:
Nope

Additional documentation:
None
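
The failure described under "Special notes for your reviewer", as an added example that is not code from this PR or from the Dataverse image scripts: a strict entrypoint aborts on the second start of the same container, while a form that catches the failure and warns keeps starting. `fake_passwd`, `entrypoint.sh`, `MODE`, `WORK` and the warning text are hypothetical; the error line and exit code 10 are taken from the logs later in this thread.

```shell
#!/bin/sh
# Added example. WORK stands in for the container's writable layer, which
# survives a stop/start of the same container (it is only lost on delete).
WORK=$(mktemp -d)

# Constructed entrypoint. fake_passwd is a stand-in for the real password
# command: it succeeds on first start and fails once the password is set.
cat > "$WORK/entrypoint.sh" <<'EOF'
set -e    # any command that exits non-zero ends the whole startup
fake_passwd() {
    if [ -e "$WORK/password-set" ]; then
        echo "passwd: Authentication token manipulation error" >&2
        return 10
    fi
    : > "$WORK/password-set"
}
if [ "$MODE" = tolerant ]; then
    # Failure is caught and reported; startup continues.
    fake_passwd || echo "WARNING: password not changed, keeping current one" >&2
else
    # Failure propagates; set -e stops the script right here.
    fake_passwd
fi
echo "application started"
EOF

# Start the simulated container in a fresh shell process; echo its exit status.
start_container() {   # $1 = strict | tolerant
    status=0
    WORK="$WORK" MODE="$1" sh "$WORK/entrypoint.sh" >/dev/null 2>&1 || status=$?
    echo "$status"
}

# First start of a new container, then a restart with state kept.
start_then_restart() {   # echoes "<first status> <second status>"
    rm -f "$WORK/password-set"
    first=$(start_container "$1")
    second=$(start_container "$1")
    echo "$first $second"
}

echo "strict:   $(start_then_restart strict)"
echo "tolerant: $(start_then_restart tolerant)"
```

The tolerant form turns a hard failure into a log line, so a password variable that changed between runs and could not be applied is only visible as that warning.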

Benedikt Kruse and others added 4 commits May 2, 2025 08:53
Ensure password-related commands properly handle failures and print warnings if changes cannot be applied. Backported changes to v6.4, v6.5, and v6.6.
@poikilotherm poikilotherm added this to the 6.7 milestone Jun 4, 2025
@poikilotherm poikilotherm self-assigned this Jun 4, 2025
@poikilotherm poikilotherm added the Component: Containers and Size: 0.5 labels Jun 4, 2025
@poikilotherm poikilotherm marked this pull request as ready for review June 4, 2025 07:37
@poikilotherm poikilotherm moved this to Ready for Review ⏩ in IQSS Dataverse Project Jun 4, 2025
@poikilotherm
Contributor Author

poikilotherm commented Jun 4, 2025

@pdurbin this is ready for review. As it is very important for containers but not touching any app code at all, it is a very small PR. IMHO it should be OK to take a shortcut unless @ofahimIQSS wants to play with images 😄

…with ro rootfs

Added a note about incompatibility with read-only root filesystems when modifying `/etc/shadow`.
@cmbz cmbz added the FY25 Sprint 24 (2025-05-21 - 2025-06-04) label Jun 4, 2025
Member

@pdurbin pdurbin left a comment

I didn't test this but the fix looks reasonable (backports! fancy!).

I did tweak the "how to test" steps a bit for clarity.

@ofahimIQSS ofahimIQSS self-assigned this Jun 4, 2025
@ofahimIQSS ofahimIQSS moved this from Ready for QA ⏩ to QA ✅ in IQSS Dataverse Project Jun 4, 2025
@pdurbin
Member

pdurbin commented Jun 4, 2025

all three or at least one of the following parameters must be specified: LINUX_PASSWORD, PAYARA_ADMIN_PASSWORD, DOMAIN_PASSWORD

@poikilotherm are there rules for these passwords? I don't see anything at https://guides.dataverse.org/en/6.6/container/base-image.html#tunables

I tried "foo" and got an error that it was too short (dev_dataverse | passwd: Authentication token manipulation error).

Then I tried this:

% git diff
diff --git a/docker-compose-dev.yml b/docker-compose-dev.yml
index 986c0a49f1..070317b071 100644
--- a/docker-compose-dev.yml
+++ b/docker-compose-dev.yml
@@ -9,6 +9,9 @@ services:
     restart: on-failure
     user: payara
     environment:
+      LINUX_PASSWORD: "correct horse battery staple"
+      PAYARA_ADMIN_PASSWORD: "correct horse battery staple"
+      DOMAIN_PASSWORD: "correct horse battery staple"
       DATAVERSE_DB_HOST: postgres
       DATAVERSE_DB_PASSWORD: secret
       DATAVERSE_DB_USER: ${DATAVERSE_DB_USER}
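
Review bot: the three added `environment` entries put the same literal passphrase into the compose file for LINUX_PASSWORD, PAYARA_ADMIN_PASSWORD and DOMAIN_PASSWORD. For anything beyond a throwaway local test, read them from the environment the way the `DATAVERSE_DB_USER: ${DATAVERSE_DB_USER}` context line does, and give each of the three its own value.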

(I hope I'm doing this right, by the way.)

I got this error:

dev_dataverse         | passwd: Authentication token manipulation error
dev_dataverse         | passwd: password unchanged
dev_dataverse         | Changing password for payara.
dev_dataverse exited with code 10

@pdurbin
Member

pdurbin commented Jun 4, 2025

Never mind. I was able to reproduce it on develop like this:

% git diff                                   
diff --git a/docker-compose-dev.yml b/docker-compose-dev.yml
index 986c0a49f1..e8fc26f8c1 100644
--- a/docker-compose-dev.yml
+++ b/docker-compose-dev.yml
@@ -9,6 +9,9 @@ services:
     restart: on-failure
     user: payara
     environment:
+      LINUX_PASSWORD: "F13D2435-CB9C-4F25-931C-92467A957374"
+      PAYARA_ADMIN_PASSWORD: "F13D2435-CB9C-4F25-931C-92467A957374"
+      DOMAIN_PASSWORD: "F13D2435-CB9C-4F25-931C-92467A957374"
       DATAVERSE_DB_HOST: postgres
       DATAVERSE_DB_PASSWORD: secret
       DATAVERSE_DB_USER: ${DATAVERSE_DB_USER}
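
Review bot: all three password variables are added at once with one shared value, so this reproduction cannot show which of the password steps fails on the second `up`. Setting one variable per run would isolate it, and with `restart: on-failure` in the context lines a non-zero exit from that step is worth checking for a restart loop as well.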

`docker compose -f docker-compose-dev.yml up` works the first time.

Then I ctrl-c to stop it.

Then I run `docker compose -f docker-compose-dev.yml up` again and get this error:

dev_dataverse         | passwd: Authentication token manipulation error
dev_dataverse         | passwd: password unchanged
dev_dataverse         | Changing password for payara.
dev_dataverse exited with code 10

@pdurbin
Member

pdurbin commented Jun 4, 2025

passwd: Authentication token manipulation error

https://documentation.ubuntu.com/server/how-to/security/user-management/#minimum-password-length says, "By default, Ubuntu requires a minimum password length of 6 characters, as well as some basic entropy checks."

@poikilotherm
Contributor Author

Grml it worked on my machine. Might need to take another look and try to reproduce.

@ofahimIQSS
Contributor

Was able to reproduce the issue by following Phil's steps above.

Now I'll try out the fix.

@ofahimIQSS
Contributor

Fix looks good - no longer seeing the password errors. Merging.

@ofahimIQSS ofahimIQSS merged commit 2ce6955 into IQSS:develop Jun 4, 2025
9 checks passed
@github-project-automation github-project-automation bot moved this from QA ✅ to Merged 🚀 in IQSS Dataverse Project Jun 4, 2025
@ofahimIQSS ofahimIQSS removed their assignment Jun 4, 2025
@poikilotherm poikilotherm deleted the 10998-ct-fix-password-script branch June 5, 2025 06:04
@poikilotherm
Contributor Author

Thanks for merging @ofahimIQSS, much appreciated! 😄

@pdurbin pdurbin moved this from Merged 🚀 to Done 🧹 in IQSS Dataverse Project Jun 5, 2025
@cmbz cmbz added the FY26 Sprint 4 (2025-08-13 - 2025-08-27) label Aug 16, 2025
Development

Successfully merging this pull request may close these issues.

Dead Dataverse after server restart