Password protection

[Shadow27374]

I have a problem with password protection for Docker.

I do not fully understand the instructions: https://glances.readthedocs.io/en/latest/docker.html#how-to-protect-your-dockerized-server-or-web-server-with-a-login-password

In option 1 you have to create a password file, so far so good, but what is the format of this file? I can't find anything about this.

Option 2 I do not understand at all. It talks about a localhost password. What is that supposed to be? I would like to add a user myself, e.g. admin:pass.

In the Config are only the following:
#localhost=abc
#default=defaultpassword

No matter what I enter it has no effect.
That the # must be gone is already clear...

[RazCrimson]

@Shadow27374
Docs does seems bit cryptic around this.

AFAIK,
Option 1:
You use glances on docker container to create a secrets password file (one-time) and then move it over to your host and mount that as a secret to back to the container. Now you get can use the creds u entered when u generated the secrets file to authenticate yourself on the WebUI. I think it should be possible to do this on a plain install too.

Option 2:
You specify the password in plain text in the config file, the host=password format means you can have difference password for different host address (domains or IPs) you use to access the WebUI. default would be used when no explicit password is specified for that host.

[Shadow27374]

Thanks already for that, I probably got it.
Unfortunately, since it still does not work, I suspect that the glances.conf is not loaded.

I have now taken the example configuration and only the line for the default password:
default=test

docker-compose looks like this:

volumes:
  - /var/run/docker.sock:/var/run/docker.sock:ro
  - /home/sysadmin/docker/glances/glances.conf:/glances/conf/glances.conf:ro
environment:
  GLANCES_OPT: "-C /glances/conf/glances.conf -w"

Have I missed anything?

[Shadow27374]

I have now played around a bit and found that the config is loaded very well. If I disable any feature and restart Glances it is disabled.

However, the password protection can not be activated. No matter what I enter as password in the config, the page loads without asking for a password.

[ABEIDO]

@Shadow27374

I had your questions aswell. Im running on docker via Unraid so everything wasnt fitting my setup and im kinda novice. Maybe not how one should do it but atleast i got it to work.

-Changed to own conf file as you did and stored it on custom location "/mnt/user/appdata/glances", that i confirmed was working as u did.

-Created the pwd file and copied to other location as documentation said and i think u did as well. I opted for moving it to custom location (in my case same as conf: /mnt/user/appdata/glances). with file name "yourusername".pwd.

• Added a new path to glances container:
  container path = /glances
  host path = /mnt/user/appdata/glances

• Edited my conf file to point to my custom location:
  local_password_path=/mnt/user/appdata/glances

-Then edited GLANCES_OPT to:
-C /mnt/user/appdata/glances/glances.conf -w -u yourusername --password

First i didnt seem to work as it let me in without auth but i think it was cached in the browser i was using during testing. But it worked as i needed to use user/pass when setting up integration to Home Assistant and when i tested in other browser.

[Shadow27374]

What you describe would be option 1 without changing the config. Anyway, I tried it again now and it works.
Whatever I do differently now, never mind, thanks!

Since option 1 now works, I let that stay with option 2.

[RazCrimson]

@Shadow27374
So right not Option 1 seems to be working and Option 2 is not.

Did I get that right?

[Shadow27374]

Yes, exactly.

• Option 1 works
• Option 2 does not work

Option 2 actually looked easier but somehow I am too stupid.
But I am satisfied with option 1.

[walkertr0n]

This was confusing me too, thanks for investigating it.

Edit: It's actually not working for me, Portainer is giving this error when I try to update the stack (docker-compose.yml): Error response from daemon: invalid mount config for type "bind": bind source path does not exist: /data/compose/2/secrets/glances_password

Here is my stack:

version: '3'

services:
  monitoring:
    container_name: glances
    image: nicolargo/glances:dev
    restart: always
    pid: host
    ports:
      - "61208-61209:61208-61209"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /srv/dev-disk-by-uuid-34c4bb27-af08-4a8d-a921-3d66c4500b1b/Configs/glances/glances.conf:/etc/glances.conf:ro
    environment:
      - GLANCES_OPT="-w --password"
    secrets:
      - source: glances_password
        target: /root/.config/glances/glances.pwd

secrets:
  glances_password:
    file: ./secrets/glances_password

Did either of you encounter something like this?

[RazCrimson]

@walkertr0n
The Portainer error is just trying to inform you that Portainer (docker to be exact) can't find the file located at /data/compose/2/secrets/glances_password

I am not sure if Portainer uses the same working directory as the one used when docker-compose is used to create a stack manually.

Maybe try using an absolute path for the password file?
That might help.

[mglowinski93]

@RazCrimson
For it doesn't work neither.

services:
  glances:
    image: nicolargo/glances:latest
    restart: always
    environment:
      - GLANCES_OPT="-w --password"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    pid: host
    secrets:
      - source: glances_password
        target: /root/.config/glances/glances.pwd

secrets:
  glances_password:
    file: ./secrets/glances_password

For such configuration, I'm getting information that ``--password` flag is not accessible.
I saw #2034, but it still doesn't work for me. Any tip what can be wrong?

Maybe I need to start docker container as nonroot user somehow?

[RazCrimson]

@mglowinski93
Currently, --password option is only supported for RPC server mode (-s) not for web server mode (-w)

Corresponding Issue for that: #2142

EDIT: My bad, didn't know that it had support for webserver mode

[nicolargo]

--password currently work for the Web Server mode.

Just tested on my side with the latest version.

The issue came from the "containerisation"...

[mglowinski93]

OK, i will wait for a fix then. Thanks for feedback.

[walkertr0n]

@nicolargo thank you for testing. To clarify, -w --password works in CLI (#2142) but not as an env variable in Docker Compose? If there's a separate GH issue for that I'd love to follow it for updates.

[kankaristo]

You cannot use quotes with GLANCES_OPT in the compose file or it will interpret both arguments as one (unrecognized) argument.

So, use - GLANCES_OPT=-w --password

[mmomjian]

Just want to add my voice to this, the [passwords] section within glances.conf does not seem to have any effect. The webserver does not ask for a password even with the below options set. Other settings within glances.conf work as expected, such as [influxdb], [containers], and [ports]. I am using the instructions from . The docker logs are empty.

[passwords]
localhost=testpassword
default=testpassword

Run commmand:
docker run -d --restart unless-stopped --name glances-web --net=host --privileged -v /home/user/.glances/glances.conf:/glances.conf:ro -v /var/run/docker.sock:/var/run/docker.sock:ro --pid host -e GLANCES_OPT='-w -q -C /glances.conf'

[andrejmonteiro]

as of aug 2023 i tried this and still can't get my glances page to ask for a password.

[jessielw]

Just tried to set this up, config password has no effect.

[mzrimsek]

I also cannot get the passwords block in the config file to work which is really unfortunate because it's objectively the more easily reproducible deployment strategy with just being a config file.

Hopefully it gets fixed soon but glad to get confirmation here I'm not crazy.

[winnie-sg]

It sounds like I'm not the only one facing this problem.
And unfortunately, the first option does not work for me either.

[Aditya-Rajgor]

Ahh, any update on this! March 2025

[kankaristo]

I got "option 1" working, but Glances is a bit too picky about all of this... I didn't even try "option 2", because I don't want a plaintext password in with the rest of the config...

Sometimes I got no output at all if the arguments were a bit off. For example:

• using --password without -w quietly ignores --password (it should complain about -w being required with --password)
• when running with -w --password before generating the password file, there will be no output in the Docker logs, since Glances is "stuck" interactively asking for a password

Also, the official docs (for version 4.3.0.7) say that the password file is a (plain) SHA hash, but it's not, it's a PBKDF2 salt and hash (using SHA256). It's good that it's not a plain SHA256 hash, but the docs are a bit misleading.

And the password file cannot have a trailing newline, so it's difficult to create the file manually with most text editors (a simple .trim() in Python would fix that)...

Below are the steps that I took to get this working.

---

My compose.yaml file (note that you cannot use quotes with GLANCES_OPT or it interprets both arguments as one unrecognized argument):

services:
  glances:
    container_name: glances
    hostname: glances
    image: nicolargo/glances:latest-full
    restart: unless-stopped
    environment:
      - TZ=Europe/Helsinki
      - GLANCES_OPT=-w --password
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Enable the below line after copying the password file out of the container
      #- ./glances.pwd:/root/.config/glances/glances.pwd:ro
    pid: host
    stdin_open: true
    tty: true
    security_opt:
      - apparmor=unconfined
    network_mode: host
    # Ports for reference only (not needed with network_mode: host)
    #ports:
    #  - 61208:61208
    #  - 61209:61209

NOTE: With the above compose file, you will get no output in the Docker logs, because Glances is "stuck" asking interactively for a password. You can initially remove --password from GLANCES_OPT if you want to, but it's not necessary.

First, start the container with Docker Compose.

Then, to generate the password file, run these commands (if you're using a different Docker image, change the image tag, or just get the container ID from docker ps):

# Start another instance of Glances inside the container, to generate the password file
docker exec -it "$(docker ps -q --filter ancestor=nicolargo/glances:latest-full)" glances -w --password

# Input your password, choose "Yes" to save it to a file, then Ctrl+C to quit Glances

# Copy the generated file from the container to the host machine
docker cp "$(docker ps -q --filter ancestor=nicolargo/glances:latest-full)":/root/.config/glances/glances.pwd glances.pwd

After running the above commands, enable the volume mount for the password file in the compose file:

volumes:
  - ./glances.pwd:/root/.config/glances/glances.pwd

Then recreate the container, and password login should be working. But if Glances quietly (for this too, no logs in Docker) rejects your password, check the volume mount and that the password file doesn't have a trailing newline...

[EpicLPer]

Can confirm this worked
However uncommenting the docker-compose lines

# Enable the below line after copying the password file out of the container
#- ./glances.conf:/root/.config/glances/glances.conf:ro

generated a directory for me somehow and then Glances crashed cause it didn't expect a directory. Simply didn't uncomment it, added

volumes:
  - ./glances.pwd:/root/.config/glances/glances.pwd

and now everything is working as it should! Cheers mate :) Saved me an hour of back and forth!

[kankaristo]

@EpicLPer Thanks, looks like the commented out line was wrong, I edited my original message to fix that.

Docker always creates a directory if a mounted file/directory doesn't exist in the container or the host. I wish there would be some flag for Docker to treat it as a file, but it always assumes it's a directory...

[EpicLPer]

@kankaristo Generating a directory simply cause "Docker thinks it should create one" is the most Docker thing I've heard so far... gods... thanks for the tip

[Destarianon]

I submitted a pull request to fix the line ending behavior.

#3151

[nicolargo]

Pull request merged into develop :)