Problem with docker compose environment #246

Open
trickert76 opened this issue Oct 16, 2020 · 8 comments

@trickert76
Contributor

Hi, first thanks for this image!

For some days now I have had a problem with it inside a docker-compose environment. The environment is:

# Ansible managed
version: '2.1'

services:
  icinga2:
    image: jordan/icinga2
    restart: always
    hostname: icinga2
    env_file:
      - .env
    volumes:
      - ./conf/icinga/etc/icinga2:/etc/icinga2
      - ./conf/icinga/etc/icingaweb2:/etc/icingaweb2
    ports:
      - "80:80"
      - "5667:5665"
    depends_on:
      - mysql
      - graphite

  graphite:
    image: graphiteapp/graphite-statsd:latest
    restart: always
    hostname: graphite

  mysql:
    image: mariadb:10.1
    restart: always
    env_file:
      - .env
    volumes:
      - ./data/mysql:/var/lib/mysql

networks:
  default:
    driver: bridge
    enable_ipv6: true
    ipam:
      config:
        - subnet: 172.19.0.0/24
        - subnet: fc00:1900::/96

(I removed all irrelevant parts). The environment file contains:

MYSQL_ROOT_PASSWORD=rootpwd

ICINGA2_FEATURE_GRAPHITE=1
ICINGA2_FEATURE_GRAPHITE_HOST=graphite
ICINGA2_FEATURE_GRAPHITE_PORT=2003
ICINGA2_FEATURE_GRAPHITE_URL=http://graphite
ICINGA2_FEATURE_GRAPHITE_SEND_METADATA=true
ICINGA2_FEATURE_DIRECTOR=false

DIRECTOR_KICKSTART=false

ICINGAWEB2_ADMIN_USER=admin
ICINGAWEB2_ADMIN_PASS=password
ICINGA2_USER_FULLNAME=Icinga2 Docker Monitoring Instance

DEFAULT_MYSQL_HOST=mysql

MYSQL_INITDB_SKIP_TZINFO=1

After the first start (I removed data/mysql) I'm getting a running service - but, when I restart the service, I'm getting a:

...
icinga2_1   | warning/cli: Feature 'command' already enabled.
icinga2_1   | ERROR 1045 (28000): Access denied for user 'icinga2'@'fc00:1900::4' (using password: YES)
icinga2_1   | run-parts: /opt/setup/50-icinga2 exited with return code 1

This is strange, because the password for the icinga2 mysql user, which is stored in conf/icinga/etc/icingaweb2/resources.ini and in conf/icinga/etc/icinga2/features-enabled/ido-mysql.conf, can be used to log into the mysql container:

$> docker-compose exec mysql mysql -u icinga2 -p<pwd-from-file> icinga2idomysql -e 'show tables'
$> docker-compose exec mysql mysql -u icinga2 -p<pwd-from-file> icingaweb2 -e 'show tables'

Also, when I look into mysql.user, I can see it, and the user is configured as icinga2@%

When I remove the database again, the service runs - so it works only when the initialize script generates a new secret during that run.

It seems to me that the second run doesn't know about the "old" password.

@trickert76
Contributor Author

trickert76 commented Oct 16, 2020

When I explicitly set DEFAULT_MYSQL_PASS inside the .env file, it works.

I'm not sure if this is recommended. The /opt/run script is reading the value from that envvar or generates a new one. But the run script never reads the already defined value from inside the container.

@jjethwa
Owner

jjethwa commented Oct 16, 2020

Hi @trickert76

Yes, this is the expected behaviour. It won't try to read the password from the config files generated in a prior run, but will try to replace it if DEFAULT_MYSQL_PASS is not set 😃

@trickert76
Contributor Author

Am I wrong, or should this be documented? Otherwise nobody could restart the container.

@jjethwa
Owner

jjethwa commented Oct 20, 2020

Hi @trickert76

Yes, I'll make sure to do that 👍

jjethwa added a commit that referenced this issue Oct 21, 2020
@jasongordon

I see you documented this in the README but I had to come find this thread to figure out what to do.

I created my secrets_sql.env file and initially put in:
MYSQL_ROOT_PASSWORD=myfancyrootpw

I saw your note about setting DEFAULT_MYSQL_PASS, so after the initial startup I added to the secrets_sql.env
DEFAULT_MYSQL_PASS=myfancyrootpw

But it would not come up. I had to go find the generated password in conf/icinga/etc/icingaweb2/resources.ini.

Then I put that generated password into the secrets_sql.env file as DEFAULT_MYSQL_PASS and it works on restart.

I think you need to make the procedure clearer in the README.

@jjethwa
Owner

jjethwa commented Apr 12, 2021

Hey @jasongordon thanks for the update, do you have any suggestions on the wording that might make it easier?

@jasongordon

> Hey @jasongordon thanks for the update, do you have any suggestions on the wording that might make it easier?

I am not even sure I did the right thing. I would suggest explaining the difference between the MYSQL_ROOT_PASSWORD and DEFAULT_MYSQL_PASS variables and where to get the value for each. Now that I took the password I found in conf/icinga/etc/icingaweb2/resources.ini and put it in the config as DEFAULT_MYSQL_PASS, does what I have for MYSQL_ROOT_PASSWORD even matter anymore?

@jjethwa
Owner

jjethwa commented Apr 12, 2021

@jasongordon that's right, DEFAULT_MYSQL_PASS is the database password for the icinga user and MYSQL_ROOT_PASSWORD is the database admin user password. By setting MYSQL_ROOT_PASSWORD the container run scripts will attempt to reset the icinga user database password if possible.
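
The manual step described in this thread (copy the generated password from resources.ini into the env file as DEFAULT_MYSQL_PASS), written out as an added shell example; it is not part of the issue or of the image's scripts. It assumes resources.ini uses `key = "value"` lines with a `username`/`password` pair per section; the function names, the section name and the sample values are hypothetical.

```shell
#!/bin/sh
# Added example: pin the generated icinga2 DB password into the compose env file.

# Print `password` from the first INI section whose `username` is $2.
# Assumes key = "value" lines; the section layout of resources.ini is an assumption.
ini_password_for_user() {
    awk -v user="$2" '
        function val(s) {
            sub(/^[^=]*=[ \t]*/, "", s); sub(/[ \t\r]+$/, "", s)
            sub(/^"/, "", s); sub(/"$/, "", s); return s
        }
        function emit() { if (!done && u == user && p != "") { print p; done = 1 } }
        /^[ \t]*\[/              { emit(); u = ""; p = ""; next }
        /^[ \t]*username[ \t]*=/ { u = val($0) }
        /^[ \t]*password[ \t]*=/ { p = val($0) }
        END { emit() }
    ' "$1"
}

# Write DEFAULT_MYSQL_PASS into env file $1 from resources.ini $2 (user $3).
pin_db_password() {
    env_file=$1; ini=$2; user=${3:-icinga2}
    pw=$(ini_password_for_user "$ini" "$user")
    [ -n "$pw" ] || { echo "no password for '$user' in $ini" >&2; return 1; }
    # mktemp creates the file mode 0600, so the secret is never world-readable.
    tmp=$(mktemp "$env_file.XXXXXX") || return 1
    if [ -f "$env_file" ]; then
        # Drop a stale value; keep every other setting (grep exits 1 on no output).
        grep -v '^DEFAULT_MYSQL_PASS=' "$env_file" > "$tmp" || true
    fi
    printf 'DEFAULT_MYSQL_PASS=%s\n' "$pw" >> "$tmp"
    mv "$tmp" "$env_file"
}

# Constructed sample (not from the page): run against throwaway files.
demo() {
    d=$(mktemp -d) || return 1
    printf 'MYSQL_ROOT_PASSWORD=rootpwd\nDEFAULT_MYSQL_PASS=stale\n' > "$d/.env"
    printf '[icingaweb2]\ntype = "db"\nusername = "icinga2"\npassword = "Generated123"\n' \
        > "$d/resources.ini"
    pin_db_password "$d/.env" "$d/resources.ini" && cat "$d/.env"
    rm -rf "$d"
}
```

Against a real checkout the call would be `pin_db_password .env conf/icinga/etc/icingaweb2/resources.ini`, run after the first start and before the first restart.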
