How to change admin password for Docker after initial start (persisted data)?

Description of your problem

For the life of me, I cannot change the password from the default of ‘admin’ to something else. I started with ‘admin’ since I was only playing with it, set up Docker volumes to persist data, went and configured some streams, events, notifications, etc. Now I want to productize this, so I need a more secure password. Since I have a decent amount of configuration, I’d rather not restart from scratch.

To avoid storing this password in version control, my docker-compose.yml file uses an environment variable of the same name:

    environment:
      - GRAYLOG_PASSWORD_SECRET=${GRAYLOG_PASSWORD_SECRET}
      - GRAYLOG_ROOT_PASSWORD_SHA2=${GRAYLOG_ROOT_PASSWORD_SHA2}

These two variables are set in a Systemd override that is only visible to root on the Docker host.

If I set GRAYLOG_ROOT_PASSWORD_SHA2 to the sha256sum for admin, I can log in just fine. If I set it to anything else, no dice.

Description of steps you’ve taken to attempt to solve the issue

I tried the following:

  1. Change the value of the GRAYLOG_ROOT_PASSWORD_SHA2 env. variable in my Systemd override file.
  2. In addition, change the value of root_password_sha2 in the Docker persistent volume for Graylog (the file located at /usr/share/graylog/data/config/graylog.conf inside the container) to match the value above.

It looks to me that there’s a third location that needs updating… In the Mongo DB, maybe?

Environmental information

Operating system information

  • Host OS: CentOS Linux release 7.6.1810 (Core)
  • Docker version: Docker version 20.10.10, build b485636

Package versions

The versions are in the (redacted) docker-compose.yml file below:

    version: '3'
    services:
      caddy:
        image: "caddy:latest"
        volumes:
          - ./caddy-etc/ssl:/root/certs # to sync certificates to Caddy
          - ./caddy-etc/caddy:/etc/caddy  # to mount custom Caddyfile
        networks:
          - graylog
        environment:
          - CADDY_INGRESS_NETWORKS=graylog
        ports:
          - "80:80"
          - "443:443"
      # MongoDB: https://hub.docker.com/_/mongo/
      mongo:
        image: mongo:4.2
        volumes:
          - mongo_data:/data/db
        networks:
          - graylog
      # Elasticsearch: https://www.elastic.co/guide/en/elasticsearch/reference/7.10/docker.html
      elasticsearch:
        image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
        volumes:
          - es_data:/usr/share/elasticsearch/data
        environment:
          - http.host=0.0.0.0
          - transport.host=localhost
          - network.host=0.0.0.0
          - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
        ulimits:
          memlock:
            soft: -1
            hard: -1
        deploy:
          resources:
            limits:
              memory: 1g
        networks:
          - graylog
      # Graylog: https://hub.docker.com/r/graylog/graylog/
      graylog:
        image: graylog/graylog:4.2.1
        volumes:
          - graylog_data:/usr/share/graylog/data
          # Graylog plugins on top of the default ones - only the MS Teams plugin for now
          - ./graylog-plugins:/usr/share/graylog/plugin
        environment:
          - GRAYLOG_PASSWORD_SECRET=${GRAYLOG_PASSWORD_SECRET}
          - GRAYLOG_ROOT_PASSWORD_SHA2=${GRAYLOG_ROOT_PASSWORD_SHA2}
          - GRAYLOG_HTTP_EXTERNAL_URI=https://XXXXXXXXXXXXXXX/
        entrypoint: /usr/bin/tini -- wait-for-it elasticsearch:9200 --  /docker-entrypoint.sh
        networks:
          - graylog
        restart: always
        depends_on:
          - mongo
          - elasticsearch
        ports:
          # Graylog web interface and REST API
          # Handled through Caddy, see above
          # - 9000:9000
          # Syslog TCP
          - 1514:1514
          # Syslog UDP
          - 1514:1514/udp
          # GELF TCP
          - 12201:12201
          # GELF UDP
          - 12201:12201/udp
          # RAW TCP
          - 5555:5555
        expose:
          - 9000
    networks:
      graylog:
        driver: bridge
    volumes:
      mongo_data:
        driver: local
      es_data:
        driver: local
      graylog_data:
        driver: local

Hello && Welcome @woopla

Sorry to hear about your issue, but fair warning: I’m unfamiliar with Docker setups.

I did a quick google search about this and may have found a solution for you in this link.

hope that helps

Thanks @gsmith - I found that one too, but it’s from 2015 and the graylog-ctl is nowhere to be found in the container. There’s graylogctl in /usr/share/graylog/bin but it does not have set-admin-password nor reconfigure options…

After making the systemd change, are you running

    sudo systemctl daemon-reload

Also on a side note, not sure on the detail of how you have it set up - found this interesting note about systemd Environment= vs EnvironmentFile=

Yes @tmacgbay I reload the Systemd config - you get a warning from Systemd as a nice reminder if you don’t do that :slight_smile:

Good catch on the password being visible with an override, I had not thought about this. I will switch to an EnvironmentFile then.

Well that was a pretty dumb mistake :sweat_smile: : I was generating the SHA2 password with echo "$password"| sha256sum, causing an extra newline to be taken into account when computing the SHA2.

Replaced with echo -n, life is good!


Full suggested command from instructions in case people are searching and found this topic:

    echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
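The newline pitfall from the post above, and the interactive command just given, as an added example (not code from the thread or from Graylog): the hash Graylog compares against is the SHA-256 of the exact password bytes, so any trailing newline silently produces a different value. The function and file names here are my own; the env file format follows the GRAYLOG_ROOT_PASSWORD_SHA2 variable used in this thread.

```shell
#!/bin/sh
# Compute the value Graylog expects in GRAYLOG_ROOT_PASSWORD_SHA2.
# printf '%s' writes only the password bytes (echo -n is not POSIX and
# echo without -n appends "\n", which is the bug discussed above).
graylog_root_sha2() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# The broken variant: hashes "<password>\n" instead of "<password>".
# Kept only to show that the two digests differ.
graylog_root_sha2_with_newline() {
    printf '%s\n' "$1" | sha256sum | cut -d' ' -f1
}

# Return 0 if the stored hash matches the given password.
graylog_hash_matches() {
    [ "$(graylog_root_sha2 "$1")" = "$2" ]
}

# Troubleshooting check: read GRAYLOG_ROOT_PASSWORD_SHA2 from a systemd
# EnvironmentFile (KEY=VALUE lines) and verify it was made from the
# password you think it was. Usage: graylog_env_file_matches PASSWORD FILE
graylog_env_file_matches() {
    stored=$(sed -n 's/^GRAYLOG_ROOT_PASSWORD_SHA2=//p' "$2" | head -n 1)
    [ -n "$stored" ] && graylog_hash_matches "$1" "$stored"
}

# Stand-alone demo with the default password from the thread.
if [ "${0##*/}" != "sh" ] && [ -z "${GRAYLOG_SHA2_NO_DEMO:-}" ]; then
    echo "correct:   $(graylog_root_sha2 admin)"
    echo "with \\n:   $(graylog_root_sha2_with_newline admin)"
fi
```

Running it prints two different digests for "admin"; only the first one lets you log in with that password.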


Except that I’m automating this @tmacgbay so I’m not asking for a password. Here’s what my deploy script does to generate the EnvironmentFile:

    admin_password=$(pwgen -N 1 -y -r '`"'\''()&[]' -s 40)
    hashed_password=$(echo -n "$admin_password" | sha256sum | cut -f1 -d" ")
    cat >/etc/graylog.conf <<EOF
    GRAYLOG_PASSWORD_SECRET=$(pwgen -N 1 -s 96)
    # Admin password: $admin_password
    GRAYLOG_ROOT_PASSWORD_SHA2=$hashed_password
    EOF
    # Secure it since it contains the admin password
    chmod 0600 /etc/graylog.conf

That way the admin password is visible to root on the system, and that can be used for the initial login - we use LDAP afterwards, so it’s only going to be used a couple times by one person.
