Portainer admin password in a docker-compose environment

README.md

Portainer compose deployment with admin password preset

This file aims to explain how to deploy Portainer inside a compose file with the admin password already set.

Generate the admin password

For this example, we'll use the password superpassword.

Use the following command to generate a hash for the password:

docker run --rm httpd:2.4-alpine htpasswd -nbB admin 'superpassword' | cut -d ":" -f 2

The output of that command is the hashed password, it should be something similar to $2y$05$w5wsvlEDXxPjh2GGfkoe9.At0zj8r7DeafAkXXeubs0JnmxLjyw/a.

Define the password in the compose file

If you try to use the hashed password in this form directly in your Compose file, the following error will be raised:

ERROR: Invalid interpolation format for "command" option in service "portainer": "--admin-password '$2y$05$ZBq/6oanDzs3iwkhQCxF2uKoJsGXA0SI4jdu1PkFrnsKfpCH5Ae4G'"

You need to escape each $ character inside the hashed password with another $:

$$2y$$05$$ZBq/6oanDzs3iwkhQCxF2uKoJsGXA0SI4jdu1PkFrnsKfpCH5Ae4G

Example of valid Compose file:

version: '2'

services:
  portainer:
    image: portainer/portainer:latest
    ports:
      - "9000:9000"
    command: --admin-password '$$2y$$05$$ZBq/6oanDzs3iwkhQCxF2uKoJsGXA0SI4jdu1PkFrnsKfpCH5Ae4G'
    networks:
      - local
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - portainer-data:/data

networks:
  local:
    driver: bridge

volumes:
  portainer-data:

Output of docker-compose up:

docker-compose up                                                                                           !10023
Creating network "porcomp_local" with driver "bridge"
Creating volume "porcomp_portainer-data" with default driver
Creating porcomp_portainer_1 ... 
Creating porcomp_portainer_1 ... done
Attaching to porcomp_portainer_1
portainer_1  | 2018/03/08 01:18:37 Creating admin user with password hash $2y$05$ZBq/6oanDzs3iwkhQCxF2uKoJsGXA0SI4jdu1PkFrnsKfpCH5Ae4G
portainer_1  | 2018/03/08 01:18:37 Starting Portainer 1.16.3 on :9000

Now you can login to the Portainer instance using the credentials admin / superpassword.

Nice explanation, thanks a lot!

Is there any way to simplify that process (e.g. usage of an .env file with the unhashed password)?

Best
Joshua

@jgoerner You might want to have a look at the --admin-password-file flag usage along secrets: http://portainer.readthedocs.io/en/stable/configuration.html#inside-a-file

Thanks!

Thanks man, but how to change the user admin to something else?

This doesn't seem to work anymore. I can't figure out why exactly but my best guess is that this argument needs to be after the image in the command formed but maybe isn't, I can't see the actual formed command from the compose file

When I run the following (PW: password) in the cmd it works:

docker run -d -p 9000:9000 -p 8000:8000 -v /var/run/docker.sock:/var/run/docker.sock portainer/portainer --admin-password $2y$05$b0DgtG94LtpeuqEKHRYYreEf2rqBI5.4Rin.38.ENaAlL/7TeKX2q
8599d1d2f92cffbfd9a419ad4307c1e98d29990ce16c95f82a6737410d34e84c

But this fails as does all the single/double/no quote and $ escape approaches I can think of.

version: '3.8'

services:
  MGMT:
    restart: always
    image: "portainer/portainer:latest"
    ports:
    - "9000:9000"
    volumes:
    - "portainer_data:/data"
    - "/var/run/docker.sock:/var/run/docker.sock"
    container_name: Managers
    command: --admin-password $$2y$$05$$b0DgtG94LtpeuqEKHRYYreEf2rqBI5.4Rin.38.ENaAlL/7TeKX2q
volumes:
  portainer_data:

EDIT - SOLVED: Problem Found - "./portainer/portainer_data:/data"

I set the admin password directly on Dockerfile!

1. Create a script to generate your password:

$ cat <<EOF > portainer-pass.sh
#!/usr/bin/env bash
    
if [ -z "\$1" ]; then
    echo -e "\\nPlease call '\$0 <password>' to run this command!\\n"
    exit 1
fi
    
htpasswd -nb -B admin \$1 | cut -d ":" -f 2
EOF

2. Give your permission:

chmod u+x portainer-pass.sh

3. generate your password:

./portainer-pass.sh c7e694055489cb2051195a2be1740992

Output: $2y$05$bGljp9ThZkfNaZuKvDUB3uKpXecI5SDZ6s6Xga8azv4JQUDXmHV82

4. Put in "CMD" of the Dockerfile:

# Set fixed portainer image
FROM portainer/portainer-ce:latest

# Set default admin password at startup
CMD ["--admin-password", "$2y$05$bGljp9ThZkfNaZuKvDUB3uKpXecI5SDZ6s6Xga8azv4JQUDXmHV82"]

# Default portainer web port
EXPOSE 9443

Here you NOT need to be replace $ to $$!

As @MuriloChianfa commented, at one point Portainers behavior changed. You no longer need to escape the $. Seeing the comment first would have saved me quite some time.

The explanation is awesome.
But I try it as:

version: '3'
services:
    portainer-ce:
        ports:
            - '8001:8000'
            - '9443:9443'
            - '9091:9000'
        restart: always
        command: --admin-password '$<password-encrypted>'
        container_name: portainer
        volumes:
            - "/var/run/docker.sock:/var/run/docker.sock"
            - "portainer_data:/data"
        image: 'portainer/portainer-ce:2.9.3'

volumes:
  portainer_data:

and I got this error:

ERROR: Invalid interpolation format for "command" option in service "portainer-ce": "--admin-password '$<password-encrypted>'"

Did I do something wrong?

Did I do something wrong?

I notice my error, in the encrypted for each $ we need to escape them as $$

Thanks man, but how to change the user admin to something else?

I am having the same issue.

Thanks man, but how to change the user admin to something else?谢谢伙计，但是如何将用户 admin 更改为其他内容？

I am having the same issue.我遇到了同样的问题。

y, me 2.

I use this and it works fine:

docker run --rm httpd:2.4-alpine htpasswd -nbB admin YourPassword | cut -d ":" -f 2 | sed 's/\$/\$\$/g'

Thank you for sharing the information!

@kaltokri Thank you

Unable to login, tried both escaped and non escaped password.