hedgedoc / container

HedgeDoc container image resources
https://docs.hedgedoc.org/setup/docker/

POSTGRES_PASSWORD concerns #107

Closed perrotuerto closed 4 years ago

perrotuerto commented 4 years ago

Hi, I am wondering if I have to be concerned about leaving the POSTGRES_PASSWORD env with the default password (hackmdpass), because every time I change the passwords in docker-compose.yml the container doesn't work. Is it secure to leave it like that?

SISheogorath commented 4 years ago

You can easily change the postgres password, just update the CMD_DB_URL accordingly. :)

perrotuerto commented 4 years ago

So I think something is happening because even though I do also change the password in CMD_DB_URL, the password authentication fails.

I am on commit b77eace86f91d4db983cb53f1062211c4f1b1260 of master branch.

# cat docker-compose.yml 
# Using version 3 to provide play-with-docker badge
# You can change to version 2 without breaking.
#version: '2'
version: '3'
services:
  database:
    # Don't upgrade PostgreSQL by simply changing the version number
    # You need to migrate the Database to the new PostgreSQL version
    image: postgres:9.6-alpine
    #mem_limit: 256mb         # version 2 only
    #memswap_limit: 512mb     # version 2 only
    #read_only: true          # not supported in swarm mode please enable along with tmpfs
    #tmpfs:
    #  - /run/postgresql:size=512K
    #  - /tmp:size=256K
    environment:
      - POSTGRES_USER=hackmd
      - POSTGRES_PASSWORD=samplepass
      - POSTGRES_DB=hackmd
    volumes:
      - database:/var/lib/postgresql/data
    networks:
      backend:
    restart: always
  app:
    # Uncomment the following section to build the image yourself:
    #build:
    #  context: .
    #  dockerfile: debian/Dockerfile
    #  args:
    #    - "VERSION=master"
    #    - "CODIMD_REPOSITORY=https://github.com/codimd/server.git"
    image: quay.io/codimd/server:1.6.0
    #mem_limit: 256mb         # version 2 only
    #memswap_limit: 512mb     # version 2 only
    #read_only: true          # not supported in swarm mode, enable along with tmpfs
    #tmpfs:
    #  - /tmp:size=512K
    #  - /codimd/tmp:size=1M
    #  # Make sure you remove this when you use filesystem as upload type
    #  - /codimd/public/uploads:size=10M
    environment:
      # DB_URL is formatted like: <databasetype>://<username>:<password>@<hostname>/<database>
      # Other examples are:
      # - mysql://hackmd:samplepass@database:3306/hackmd
      # - sqlite:///data/sqlite.db (NOT RECOMMENDED)
      # - For details see the official sequelize docs: http://docs.sequelizejs.com/en/v3/
      - CMD_DB_URL=postgres://hackmd:samplepass@database:5432/hackmd
      - CMD_ALLOW_PDF_EXPORT=true
      - CMD_ALLOW_FREEURL=true
      - CMD_DEFAULT_PERMISSION=freely
    ports:
      # Ports that are published to the outside.
      # The latter port is the port inside the container. It should always stay on 3000
      # If you only specify a port it'll published on all interfaces. If you want to use a
      # local reverse proxy, you may want to listen on 127.0.0.1.
      # Example:
      # - "127.0.0.1:3000:3000"
      - "3333:3000"
    networks:
      backend:
    restart: always
    depends_on:
      - database

# Define networks to allow best isolation
networks:
  # Internal network for communication with PostgreSQL/MySQL
  backend:

# Define named volumes so data stays in place
volumes:
  # Volume for PostgreSQL/MySQL database
  database:

# docker-compose logs
Attaching to codimd-container_test_app_1, codimd-container_test_database_1
app_1       | 2020/06/13 22:29:22 Waiting for: tcp://database:5432
app_1       | 2020/06/13 22:29:22 Connected to tcp://database:5432
app_1       | 
app_1       | Sequelize CLI [Node: 12.16.2, CLI: 5.5.1, ORM: 5.21.4]
app_1       | 
app_1       | Parsed url postgres://hackmd:*****@database:5432/hackmd
app_1       | 
app_1       | ERROR: password authentication failed for user "hackmd"
app_1       | 
app_1       | 2020-06-13T22:29:26.219Z warn:    Neither 'domain' nor 'CMD_DOMAIN' is configured. This can cause issues with various components.
app_1       | Hint: Make sure 'protocolUseSSL' and 'urlAddPort' or 'CMD_PROTOCOL_USESSL' and 'CMD_URL_ADDPORT' are configured properly.
app_1       | 2020-06-13T22:29:26.222Z warn:    Session secret not set. Using random generated one. Please set `sessionSecret` in your config.js file. All users will be logged out.
app_1       | 2020-06-13T22:29:26.222Z warn:    PDF export was disabled for this release to mitigate a critical security issue. This feature will hopefully become available again in future releases.
app_1       | Sat, 13 Jun 2020 22:29:26 GMT hsts deprecated The "includeSubdomains" parameter is deprecated. Use "includeSubDomains" (with a capital D) instead. at app.js:85:18
app_1       | Unhandled rejection SequelizeConnectionError: password authentication failed for user "hackmd"
app_1       |     at /codimd/node_modules/sequelize/lib/dialects/postgres/connection-manager.js:182:24
app_1       |     at Connection.connectingErrorHandler (/codimd/node_modules/pg/lib/client.js:194:14)
app_1       |     at Connection.emit (events.js:310:20)
app_1       |     at Socket.<anonymous> (/codimd/node_modules/pg/lib/connection.js:134:12)
app_1       |     at Socket.emit (events.js:310:20)
app_1       |     at addChunk (_stream_readable.js:286:12)
app_1       |     at readableAddChunk (_stream_readable.js:268:9)
app_1       |     at Socket.Readable.push (_stream_readable.js:209:10)
app_1       |     at TCP.onStreamRead (internal/stream_base_commons.js:186:23)
database_1  | 
database_1  | PostgreSQL Database directory appears to contain a database; Skipping initialization
database_1  | 
database_1  | LOG:  database system was interrupted; last known up at 2020-06-13 22:22:59 UTC
database_1  | LOG:  database system was not properly shut down; automatic recovery in progress
database_1  | LOG:  invalid record length at 0/1561770: wanted 24, got 0
database_1  | LOG:  redo is not required
database_1  | LOG:  MultiXact member wraparound protections are now enabled
database_1  | LOG:  database system is ready to accept connections
database_1  | LOG:  autovacuum launcher started
database_1  | LOG:  incomplete startup packet
database_1  | FATAL:  password authentication failed for user "hackmd"
database_1  | DETAIL:  Password does not match for user "hackmd".
database_1  |   Connection matched pg_hba.conf line 95: "host all all all md5"
database_1  | FATAL:  password authentication failed for user "hackmd"
database_1  | DETAIL:  Password does not match for user "hackmd".
database_1  |   Connection matched pg_hba.conf line 95: "host all all all md5"

Thanks for the help.

ErikMichelson commented 4 years ago

We ship the default database values in the config.json in object style. Could it be that sequelize just prefers this object over the database URL?

If so, that's a problem because environment variables should always take precedence.

SISheogorath commented 4 years ago

Ah, I think you are trying to change the password of an existing database. That's something you have to do with traditional postgres tooling.

Iirc the container image doesn't automatically update this config. If it's just a test setup and you don't mind removing all existing data, you can run docker-compose down -v to shut down the environment. Otherwise I recommend checking the postgres config or whoever/whatever you trust with postgres knowledge about how to change a user password. :)
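
The behaviour described in this thread, as an added example that is not part of the issue or of the hedgedoc/container project: the postgres image only honours POSTGRES_PASSWORD when it initialises an empty data directory, so on a reused volume the role keeps its old password and the logs show "Skipping initialization". The script below checks that POSTGRES_PASSWORD and the password embedded in CMD_DB_URL agree, recognises the reused-volume log line, and builds the ALTER USER statement needed to change the password inside an existing cluster. It assumes the `- KEY=value` list form of environment entries used in the compose file above, a service named `database`, and that the role and database are both called `hackmd`; the compose and log snippets inside it are constructed samples.

```shell
#!/bin/sh
# Added example, not HedgeDoc's own code. Assumptions: compose env entries use
# the "- KEY=value" list form, the postgres service is named "database".

# Constructed sample of the two compose sections that must agree.
SAMPLE_COMPOSE='services:
  database:
    environment:
      - POSTGRES_USER=hackmd
      - POSTGRES_PASSWORD=samplepass
  app:
    environment:
      - CMD_DB_URL=postgres://hackmd:samplepass@database:5432/hackmd'

# Constructed sample of the line postgres logs when it reuses an existing volume.
SAMPLE_LOG='database_1  | PostgreSQL Database directory appears to contain a database; Skipping initialization'

# Print the value of a "- KEY=value" entry read from stdin (first match only).
compose_env() {
  sed -n "s/^[[:space:]]*- $1=//p" | head -n 1
}

# Print the password part of a <type>://<user>:<password>@<host>/<db> URL.
# A password containing "@" or ":" has to be URL-encoded in CMD_DB_URL and is
# not decoded here, so keep rotated passwords URL-safe or decode them first.
db_url_password() {
  printf '%s\n' "$1" | sed -n 's|^[a-z]*://[^:/]*:\([^@]*\)@.*$|\1|p'
}

# Return 0 when POSTGRES_PASSWORD and the password inside CMD_DB_URL agree.
check_compose_passwords() {
  pg_pass=$(printf '%s\n' "$1" | compose_env POSTGRES_PASSWORD)
  url_pass=$(db_url_password "$(printf '%s\n' "$1" | compose_env CMD_DB_URL)")
  [ -n "$pg_pass" ] && [ "$pg_pass" = "$url_pass" ]
}

# Return 0 when compose logs show the data directory was reused, which means
# POSTGRES_PASSWORD was ignored and the role still has its previous password.
data_dir_reused() {
  printf '%s\n' "$1" | grep -q 'appears to contain a database; Skipping initialization'
}

# Build the SQL that changes the role password on an existing cluster.
# Single quotes in the password are doubled so the literal stays well-formed.
alter_password_sql() {
  escaped=$(printf '%s' "$2" | sed "s/'/''/g")
  printf "ALTER USER \"%s\" WITH PASSWORD '%s';" "$1" "$escaped"
}

# Apply the change to a running stack: rotate_db_password <user> <db> <newpass>.
# Needs docker-compose and a started "database" service, so the checks below
# do not call it. Afterwards update POSTGRES_PASSWORD and CMD_DB_URL in
# docker-compose.yml to the same value and recreate the app service.
rotate_db_password() {
  docker-compose exec -T database \
    psql -U "$1" -d "$2" -c "$(alter_password_sql "$1" "$3")"
}

if check_compose_passwords "$SAMPLE_COMPOSE"; then
  echo "POSTGRES_PASSWORD and CMD_DB_URL agree"
fi
if data_dir_reused "$SAMPLE_LOG"; then
  echo "existing data directory: POSTGRES_PASSWORD was not applied, rotate with ALTER USER"
fi
```

Passing the statement through `psql -c` puts the new password on the command line of the psql process for its lifetime; running `\password hackmd` interactively inside `docker-compose exec database psql -U hackmd -d hackmd` avoids that, at the cost of not being scriptable. Either way the plaintext still lives in docker-compose.yml, which is the usual reason to keep that file out of version control or to move the secret into an env file.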

perrotuerto commented 4 years ago

I should have read the main README.md#custom-build and also the docker-compose.yml file in more detail. Now it is fixed. As @SISheogorath said, it was an old database. I changed the password with psql inside my db and in the files docker-compose.yml, resources/config.json and resources/docker-entrypoint.sh (I dunno if I should have changed this one). Now it is up and ready. Thanks for your help!

SISheogorath commented 4 years ago

You shouldn't need to touch anything in the resources folder as long as you don't build the container image yourself, as those are only used for that. But I'm happy to hear that it worked :)