
Docker secrets don't get loaded when trying to execute CakePHP's register_user command #241

@friderikceljski

Description


Hi!

I stumbled into an issue when trying to execute the command for creating a new user on a fresh Passbolt instance.

When I try to run the following command against my instance:

docker compose -f docker-compose-ce.yaml \
exec passbolt su -m -c "/usr/share/php/passbolt/bin/cake \
  passbolt register_user \
    -u YOUR_EMAIL \
    -f YOUR_NAME \
    -l YOUR_LASTNAME \
    -r admin" -s /bin/sh www-data

I get the following response:

$ docker compose -f docker-compose-ce.yaml exec passbolt su -m -c "/usr/share/php/passbolt/bin/cake \
  passbolt register_user \
    -u [email protected] \
    -f John \
    -l Doe \
    -r admin" -s /bin/sh www-data

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
2025-06-27 11:39:08 error: [Cake\Database\Exception\MissingConnectionException] Connection to Mysql could not be established: SQLSTATE[HY000] [1045] Access denied for user ''@'172.18.0.3' (using password: NO) in /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Database/Driver.php on line 192
Caused by: [PDOException] SQLSTATE[HY000] [1045] Access denied for user ''@'172.18.0.3' (using password: NO) in /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Database/Driver.php on line 181

The actual problem

As is visible from the output, the username value does not get loaded when executing the command: Access denied for user ''@'172.18.0.3'.

What I've tried

  • attaching to the Passbolt container's terminal, downloading the mysql client and trying to connect to the database manually: it works
  • hardcoding the secrets and removing the _FILE postfix, then running the instance again: it works
  • attaching to both services and checking whether the secret files exist and are part of the environment variables

Steps to reproduce

  1. Create the following Docker Compose file:
services:
  db:
    image: mariadb:10.11
    restart: unless-stopped
    environment:
      MARIADB_DATABASE_FILE: /run/secrets/db_name
      MARIADB_USER_FILE: /run/secrets/db_username
      MARIADB_PASSWORD_FILE: /run/secrets/db_password
      MARIADB_ROOT_PASSWORD_FILE: /run/secrets/db_root_password
    volumes:
      - database_volume:/var/lib/mysql
    secrets:
      - db_name
      - db_username
      - db_password
      - db_root_password
    networks:
      - passbolt-network

  passbolt:
    image: passbolt/passbolt:5.2.0-1-ce
    restart: unless-stopped
    depends_on:
      - db
    environment:
      APP_FULL_BASE_URL: https://myinstance.example.com
      DATASOURCES_DEFAULT_HOST: "db"
      DATASOURCES_DEFAULT_USERNAME_FILE: /run/secrets/db_username
      DATASOURCES_DEFAULT_PASSWORD_FILE: /run/secrets/db_password
      DATASOURCES_DEFAULT_DATABASE_FILE: /run/secrets/db_name
    volumes:
      - gpg_volume:/etc/passbolt/gpg
      - jwt_volume:/etc/passbolt/jwt
    command:
      [
        "/usr/bin/wait-for.sh",
        "-t",
        "0",
        "db:3306",
        "--",
        "/docker-entrypoint.sh",
      ]
    ports:
      - 80:80
      - 443:443
    secrets:
      - db_name
      - db_username
      - db_password
    networks:
      - passbolt-network

secrets:
  db_name:
    file: db_name.txt
  db_username:
    file: db_username.txt
  db_password:
    file: db_password.txt
  db_root_password:
    file: db_root_password.txt

volumes:
  database_volume:
  gpg_volume:
  jwt_volume:

networks:
  passbolt-network:
    driver: bridge
  2. Create dummy data for the secrets:
echo passbolt > db_name.txt
echo SomeStrongPassword1 > db_password.txt
echo SomeStrongRootPassword > db_root_password.txt
echo passboltuser > db_username.txt
  3. Lift the Docker instance:
docker compose up
  4. Try to execute the following command:
docker compose -f docker-compose.yaml \
exec passbolt su -m -c "/usr/share/php/passbolt/bin/cake \
  passbolt register_user \
    -u YOUR_EMAIL \
    -f YOUR_NAME \
    -l YOUR_LASTNAME \
    -r admin" -s /bin/sh www-data

Does anyone have an idea how to resolve this?
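A diagnostic you can run inside the same `su -m ... www-data` shell that the cake command uses, to see whether each `DATASOURCES_DEFAULT_*_FILE` secret actually resolves for that user and environment. This is an added helper, not part of the issue or of Passbolt's own entrypoint; it assumes the common Docker `_FILE` convention (read the file named by `VAR_FILE` into `VAR`, stripping the trailing newline) and only reports status, never secret values.

```shell
#!/bin/sh
# Added diagnostic helper (not the issue author's code and not Passbolt's entrypoint).
# Mirrors the usual Docker "_FILE" secret convention and reports exactly why a
# value would come out empty, which is what the MySQL error in the issue shows.

# resolve_file_env NAME
# If NAME_FILE is set, reads that file into NAME (trailing newline stripped,
# as $(cat file) does) and exports it. Prints a status line; non-zero on failure.
resolve_file_env() {
  name="$1"
  file_var="${name}_FILE"
  # POSIX-sh indirect expansion; names are fixed identifiers, not user input.
  eval "direct=\${$name:-}"
  eval "file=\${$file_var:-}"
  if [ -n "$direct" ] && [ -n "$file" ]; then
    echo "conflict: both $name and $file_var are set"; return 1
  fi
  if [ -z "$file" ]; then
    [ -n "$direct" ] && { echo "ok: $name set directly"; return 0; }
    echo "missing: neither $name nor $file_var is set in this shell"; return 1
  fi
  if [ ! -r "$file" ]; then
    echo "unreadable: $file_var=$file is not readable by $(id -un)"; return 1
  fi
  value=$(cat "$file")   # command substitution drops trailing newlines
  if [ -z "$value" ]; then
    echo "empty: $file_var=$file contains no value"; return 1
  fi
  export "$name=$value"
  echo "ok: $name resolved from $file_var"
}

# Checks the three values the issue's compose file supplies through secrets.
# Run it via the same `docker compose exec passbolt su -m ... www-data` path
# so it sees the same environment and file permissions as the cake command.
check_passbolt_db_env() {
  rc=0
  for v in DATASOURCES_DEFAULT_USERNAME DATASOURCES_DEFAULT_PASSWORD \
           DATASOURCES_DEFAULT_DATABASE; do
    resolve_file_env "$v" || rc=1
  done
  return $rc
}
```

A "missing" result means the `_FILE` variable did not survive into the `su -m` shell; "unreadable" points at secret file permissions for www-data; "empty" points at the secret file content.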
