-
-
Notifications
You must be signed in to change notification settings - Fork 214
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
🐛 [Portainer] Not possible to perform Initial Setup #1587
Comments
Hi, thanks I see your point. I'll check tomorrow (an update will also likely come this night as a new version exists) |
The issue is that if there is no password it is less convenient for novice users for whom it would be easier to have the password set by default in the HA options. Perhaps I could add a specific boolean that would be automatically reset to false on boot, allowing to circumvent the whole password feature for one single boot... |
Based on the documentation for addon configuration,
I tried this change locally and it did not work as I expected. It did allow reaching the Initial Setup screen for Portainer.... because password was no longer being used from options at all. With password in options and not schema:
At this point I figured that the documentation was incorrect. There was a relevant line showing in Supervisor logs I found the relevant HA code: The other part of the code that is important to the functionality that is trying to be achieved with the password field is here: Well the problem is in the edge case as always. It never actually makes it to that point because of an earlier validation called just before it checks for missing options: The last piece is pretty obvious. It is not possible to just remove the field from the addon options (which I guess is how all optional fields currently work) because it is populated with the default value before the schema validation is even performed: To circle back around, the documentation was not clear enough to me on the several times I read it before looking at the actual implementation. The defining part for this use case is "If any default value is given, the option becomes a required value.", which didn't really sink in until going down this rabbit hole. T.L.D.R. ^ None of which is a bug inside of your addon, with the small caveat that the optional flag for password won't work with a default value. Right back where I started: hassio-addons/portainer/config.json Line 44 in 25e8a1c
|
Now you are a very comprehensive person in your search and documentation! My slight concern in removing the default value is that it makes things less "beginner-proof" as the password will need to be set by them though an action. Would a middle ground : typing "blank" in the password field be an acceptable workaround? And I'll update the documentation as such. This would allow both the use case of starting without a password (resetting the database), and setting a default value for beginners to have a ready-to-use add-on. Second option for me is to remove the default option tag but make a big warning in the log that the password was not set in the options |
I understand the intention behind the feature, but I would like to point out that when starting Portainer without setting the password results in the Initial Setup being shown to the user immediately on first startup. So my prefence would be to make use of the Portainers built-in onboarding. One downside to relying on Portainers Initial Setup exclusively is that a beginner user has no way of easily retrieving or reseting the password outside of Portainer. The easiest resolution for such a user in that situation would likely be to simply reinstall the addon and perform initial setup again. This obviously results in their configuration being lost, but that is not materially different than the current implementation that wipes when the password is changed through the password field. Still, this could be addressed by changing to a reset_password field which when set results in the current behavior of a password change and is then cleared with bashio. The other caveat with this approach is that there is a 5 minute window to complete the Initial Setup. If this timeout is reached it results in a rather unhelpful page that only displays '404: Not Found'. It is easily resolvable though by looking at the log: The alternative middle ground you suggested would certainly work. However, for a feature targeted at beginners I believe it has some downsides. First, that it is not obvious that changing the password in this manner will reset Portainer, which is currently mitigated with the backup and log messages indicating such after the fact (this behaviour should probably be included with the documentation change if you decide to go with this approach). I would argue, however, that a beginner who needs this feature would not easily be able to restore to the backup inside the container. The other pitfall that exists is that the password is kept in the config directly and currently is being logged: hassio-addons/.templates/00-global_var.sh Lines 57 to 60 in 38a9814
But, it is intentional behaviour for this addon in particular.
Since the container is reversed proxied behind the HA interface, and therefore a valid HA login, it is not immediately abusable if leaked. But for a beginner it would be fairly easy to accidently leak either through sharing their config (unlikely to be using secrets.yaml) or sharing their log which could be a problem if it is a credential they are reusing. Regardless, my understanding is that this addon specifically meant for more advanced users due to the potential for footguns: The description provided with the addon (and I believe the stated reason for its removal from the community addons). Thanks for your work maintaining this addon and being so responsive! |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
Argh, I forgot about this one, sorry - I had seen your text and instead of answering directly, thought that it warranted a bit more reflection. So here it comes : Indeed I see your point - I usually try to make things as easy as possible and indeed in this case perhaps it is not warranted. "One downside to relying on Portainers Initial Setup exclusively is that a beginner user has no way of easily retrieving or reseting the password outside of Portainer." > I agree, either they can uninstall or reinstall, or simply setting the addon in the addon options does this too. "The other caveat with this approach is that there is a 5 minute window to complete the Initial Setup" > now this is a bigger issue. I can put a warning at the bottom of the log. I'll try to push a version with the new logic, and hopefully will have time to try it before other people update ! Worst case is that all users would loose their databases which would not be the best outcome. thanks for your very comprehensive descriptions! |
No worries! With the changes in the commits that I see, I don't believe that it should cause anyone who has already set the addon up previously to reset their database unless they change or clear the password from their options (which was already how it worked). I should have some time later today to test though. I noticed that you changed the addon script to not log the password set in the options, however it would still be logged by the shared global_var script. Changing this to be case insensitive should be enough to prevent logging it there as well: hassio-addons/.templates/00-global_var.sh Lines 57 to 60 in 38a9814
|
EDIT : ok, I've rolled back the update. As I feared, changing the default setting removed my password and resetted my database. Therefore, for user continuity I can't remove |
It seems that HA considers that if a default value was set in the addon options and removed in a further update, it should delete it from the user config (which of course seems like a very bad idea ;-) ) Then I'll have to use the second option : manually type "empty" in password to trigger the startup without password ... |
Ah, yeah if HA clears it then it would result in a wipe. What happens if, when adding the logic to check for the magic string "empty", you also change the default to "empty". Does a different default override a value a user had set previously? If not that would allow the onboarding process to be the new default. Another approach would be to use a migration process to a new option such as "password_override" where you could manage existing users while still removing the default. This would be more work though so not necessarily worth it. |
I've tried setting default to "empty" and it resets again my database. So I think I'll keep the default to "homeassistant" and allow initial boot by setting the option to "empty", and write that in the README |
Description
Currently it is not possible to perform Initial Setup of Portainer which prevents restoring from backup.
hassio-addons/portainer/config.json
Line 44 in 25e8a1c
This line is preventing removing the password from the addon configuration options, which is the way to cause a full database reset and allow initial setup.
hassio-addons/portainer/README.md
Line 76 in 25e8a1c
hassio-addons/portainer/rootfs/etc/services.d/portainer/run
Lines 53 to 61 in 25e8a1c
This behavior of not allowing matches HA documentation for the options and schema fields, which results in this behavior
When simply removing the password field from the addon options it will be repopulated to the default value of 'homeassistant'.
hassio-addons/portainer/config.json
Line 28 in 25e8a1c
Removing the line first referenced from schema in config.json should result in the intended behavior of allowing not setting a password in the addon options.
Willing to submit a PR for this change if requested, but it would obviously be a trivial one.
Reproduction steps
1. Remove password from addon options 2. Password option is auto populated to the default value of 'homeassistant'
Addon Logs
Architecture
No response
OS
No response
The text was updated successfully, but these errors were encountered: