Password protection

[Shadow27374]

I have a problem with password protection for Docker.

I do not fully understand the instructions: https://glances.readthedocs.io/en/latest/docker.html#how-to-protect-your-dockerized-server-or-web-server-with-a-login-password

In option 1 you have to create a password file, so far so good, but what is the format of this file? I can't find anything about this.

Option 2 I do not understand at all. It talks about a localhost password. What is that supposed to be? I would like to add a user myself, e.g. admin:pass.

In the Config are only the following:
#localhost=abc
#default=defaultpassword

No matter what I enter it has no effect.
That the # must be gone is already clear...

[RazCrimson]

@Shadow27374
Docs does seems bit cryptic around this.

AFAIK,
Option 1:
You use glances on docker container to create a secrets password file (one-time) and then move it over to your host and mount that as a secret to back to the container. Now you get can use the creds u entered when u generated the secrets file to authenticate yourself on the WebUI. I think it should be possible to do this on a plain install too.

Option 2:
You specify the password in plain text in the config file, the host=password format means you can have difference password for different host address (domains or IPs) you use to access the WebUI. default would be used when no explicit password is specified for that host.

[Shadow27374]

Thanks already for that, I probably got it.
Unfortunately, since it still does not work, I suspect that the glances.conf is not loaded.

I have now taken the example configuration and only the line for the default password:
default=test

docker-compose looks like this:

volumes:
  - /var/run/docker.sock:/var/run/docker.sock:ro
  - /home/sysadmin/docker/glances/glances.conf:/glances/conf/glances.conf:ro
environment:
  GLANCES_OPT: "-C /glances/conf/glances.conf -w"

Have I missed anything?

[Shadow27374]

I have now played around a bit and found that the config is loaded very well. If I disable any feature and restart Glances it is disabled.

However, the password protection can not be activated. No matter what I enter as password in the config, the page loads without asking for a password.

[ABEIDO]

@Shadow27374

I had your questions aswell. Im running on docker via Unraid so everything wasnt fitting my setup and im kinda novice. Maybe not how one should do it but atleast i got it to work.

-Changed to own conf file as you did and stored it on custom location "/mnt/user/appdata/glances", that i confirmed was working as u did.

-Created the pwd file and copied to other location as documentation said and i think u did as well. I opted for moving it to custom location (in my case same as conf: /mnt/user/appdata/glances). with file name "yourusername".pwd.

• Added a new path to glances container:
  container path = /glances
  host path = /mnt/user/appdata/glances

• Edited my conf file to point to my custom location:
  local_password_path=/mnt/user/appdata/glances

-Then edited GLANCES_OPT to:
-C /mnt/user/appdata/glances/glances.conf -w -u yourusername --password

First i didnt seem to work as it let me in without auth but i think it was cached in the browser i was using during testing. But it worked as i needed to use user/pass when setting up integration to Home Assistant and when i tested in other browser.

[Shadow27374]

What you describe would be option 1 without changing the config. Anyway, I tried it again now and it works.
Whatever I do differently now, never mind, thanks!

Since option 1 now works, I let that stay with option 2.

[RazCrimson]

@Shadow27374
So right not Option 1 seems to be working and Option 2 is not.

Did I get that right?

[Shadow27374]

Yes, exactly.

• Option 1 works
• Option 2 does not work

Option 2 actually looked easier but somehow I am too stupid.
But I am satisfied with option 1.

[walkertr0n]

This was confusing me too, thanks for investigating it.

Edit: It's actually not working for me, Portainer is giving this error when I try to update the stack (docker-compose.yml): Error response from daemon: invalid mount config for type "bind": bind source path does not exist: /data/compose/2/secrets/glances_password

Here is my stack:

version: '3'

services:
  monitoring:
    container_name: glances
    image: nicolargo/glances:dev
    restart: always
    pid: host
    ports:
      - "61208-61209:61208-61209"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /srv/dev-disk-by-uuid-34c4bb27-af08-4a8d-a921-3d66c4500b1b/Configs/glances/glances.conf:/etc/glances.conf:ro
    environment:
      - GLANCES_OPT="-w --password"
    secrets:
      - source: glances_password
        target: /root/.config/glances/glances.pwd

secrets:
  glances_password:
    file: ./secrets/glances_password

Did either of you encounter something like this?

[RazCrimson]

@walkertr0n
The Portainer error is just trying to inform you that Portainer (docker to be exact) can't find the file located at /data/compose/2/secrets/glances_password

I am not sure if Portainer uses the same working directory as the one used when docker-compose is used to create a stack manually.

Maybe try using an absolute path for the password file?
That might help.

[mglowinski93]

@RazCrimson
For it doesn't work neither.

services:
  glances:
    image: nicolargo/glances:latest
    restart: always
    environment:
      - GLANCES_OPT="-w --password"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    pid: host
    secrets:
      - source: glances_password
        target: /root/.config/glances/glances.pwd

secrets:
  glances_password:
    file: ./secrets/glances_password

For such configuration, I'm getting information that ``--password` flag is not accessible.
I saw #2034, but it still doesn't work for me. Any tip what can be wrong?

Maybe I need to start docker container as nonroot user somehow?

[RazCrimson]

@mglowinski93
Currently, --password option is only supported for RPC server mode (-s) not for web server mode (-w)

Corresponding Issue for that: #2142

EDIT: My bad, didn't know that it had support for webserver mode

[nicolargo]

--password currently work for the Web Server mode.

Just tested on my side with the latest version.

The issue came from the "containerisation"...

[mglowinski93]

OK, i will wait for a fix then. Thanks for feedback.

[walkertr0n]

@nicolargo thank you for testing. To clarify, -w --password works in CLI (#2142) but not as an env variable in Docker Compose? If there's a separate GH issue for that I'd love to follow it for updates.

[mmomjian]

Just want to add my voice to this, the [passwords] section within glances.conf does not seem to have any effect. The webserver does not ask for a password even with the below options set. Other settings within glances.conf work as expected, such as [influxdb], [containers], and [ports]. I am using the instructions from . The docker logs are empty.

[passwords]
localhost=testpassword
default=testpassword

Run commmand:
docker run -d --restart unless-stopped --name glances-web --net=host --privileged -v /home/user/.glances/glances.conf:/glances.conf:ro -v /var/run/docker.sock:/var/run/docker.sock:ro --pid host -e GLANCES_OPT='-w -q -C /glances.conf'

[andrejmonteiro]

as of aug 2023 i tried this and still can't get my glances page to ask for a password.

[jessielw]

Just tried to set this up, config password has no effect.

[mzrimsek]

I also cannot get the passwords block in the config file to work which is really unfortunate because it's objectively the more easily reproducible deployment strategy with just being a config file.

Hopefully it gets fixed soon but glad to get confirmation here I'm not crazy.

[winnie-sg]

It sounds like I'm not the only one facing this problem.
And unfortunately, the first option does not work for me either.