Docker web password handling #1764

Open
PromoFaux opened this issue Feb 26, 2025 · 5 comments

Comments

@PromoFaux (Member)

Gotcha, thank you @PromoFaux.
Wasn't immediately obvious that 'setting an empty password' with pihole setpassword wasn't "setting a password". Though personally, this feels more like a workaround.

If this is expected behavior, this needs further clarification because pihole setpassword allows an empty password and restarts will generate a random password, or this isn't expected behavior, and should be looked at.
I.e. "If this variable is not detected, and you have not already set one previously inside the container via pihole setpassword or pihole-FTL --config webserver.api.password"
Should then read "If this variable is not detected, and you have not already set a non-empty password inside the container …" - emphasis on non-empty instead of "set one".

Originally posted by @AliveDevil in #5959

@PromoFaux (Member, Author)

@AliveDevil - moved your comment to the appropriate repo.

Here is the relevant code from the container startup script:

```bash
setup_web_password() {
    # If FTLCONF_webserver_api_password is not set
    if [ -z "${FTLCONF_webserver_api_password+x}" ]; then
        # Is this already set to something other than blank (default) in FTL's config file? (maybe in a volume mount)
        if [[ $(pihole-FTL --config webserver.api.pwhash) ]]; then
            echo "  [i] Password already set in config file"
            return
        else
            # If we are here, the password is set in neither the environment nor the config file
            # We will generate a random password.
            RANDOMPASSWORD=$(tr -dc _A-Z-a-z-0-9 </dev/urandom | head -c 8)
            echo "  [i] No password set in environment or config file, assigning random password: $RANDOMPASSWORD"
            # Explicitly turn off bash printing when working with secrets
            { set +x; } 2>/dev/null
            pihole-FTL --config webserver.api.password "$RANDOMPASSWORD" >/dev/null
            # To avoid printing this if conditional in bash debug, turn off debug above..
            # then re-enable debug if necessary (more code but cleaner printed output)
            if [ "${PH_VERBOSE:-0}" -gt 0 ]; then
                set -x
            fi
        fi
    else
        echo "  [i] Assigning password defined by Environment Variable"
    fi
}
```

It's a tricky balance with persistence in these things. When purely checking against the set value in the config file, it's nearly impossible to tell whether it is blank because:

  • User has set it like this
  • it's the FTL default (empty)

The policy of the container, much like a bare metal install, is to set a random password to prevent someone from accidentally having an insecure interface - especially if they just spin it up on cloud infrastructure and don't think about port forwarding/security.

Personally I'd say that environment variables are the best way to persist configuration between container builds, with the exception of the databases obviously.

Perhaps the documentation just needs emphasising that the way to explicitly set an empty password is to use the environment variable.
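The following is an added, runnable model of the decision in `setup_web_password()` above; it is not code from the Pi-hole docker repository. It shows why the existence of `FTLCONF_webserver_api_password` (even with an empty value) is what disables random-password generation, and why an empty `pwhash` in the config file cannot tell "user cleared it" from "FTL default". Assumptions for the demo: `pihole-FTL --config webserver.api.pwhash` is replaced by a stub that reads a constructed one-line config file, the hash string `constructed-hash` is a placeholder, and `hunter2` is a placeholder password.

```bash
#!/usr/bin/env bash
# Added example (not the container's own script): simulate the decision in
# setup_web_password() for every combination of environment-variable state and
# stored hash. Assumption: pihole-FTL is replaced by a stub that reads a
# constructed config file at $CONF.
set -u

CONF="${TMPDIR:-/tmp}/pihole-demo-$$.toml"

# Stub for `pihole-FTL --config webserver.api.pwhash`: print the stored hash.
pihole_ftl_pwhash() {
    sed -n 's/^pwhash = "\(.*\)"$/\1/p' "$CONF"
}

# Same random-password recipe as the startup script: 8 chars from [_A-Za-z0-9-].
gen_random_password() {
    tr -dc '_A-Z-a-z-0-9' </dev/urandom | head -c 8
}

# Mirror of the startup logic. Prints which source wins:
#   env    -> FTLCONF_webserver_api_password exists in the environment
#             (empty value included: ${var+x} tests existence, not content)
#   config -> variable absent, non-empty pwhash already stored in the file
#   random -> variable absent and pwhash empty (FTL default or user-cleared:
#             the script cannot tell these apart, so it generates a password)
web_password_policy() {
    if [ -z "${FTLCONF_webserver_api_password+x}" ]; then
        if [ -n "$(pihole_ftl_pwhash)" ]; then
            echo config
        else
            echo random
        fi
    else
        echo env
    fi
}

# Run the policy for one combination of stored hash and environment state.
#   $1 = pwhash to write into the constructed config ("" = FTL default)
#   $2 = unset | empty | value   (state of FTLCONF_webserver_api_password)
scenario() {
    printf 'pwhash = "%s"\n' "$1" >"$CONF"
    case "$2" in
        unset) unset FTLCONF_webserver_api_password ;;
        empty) FTLCONF_webserver_api_password="" ;;
        value) FTLCONF_webserver_api_password="hunter2" ;;   # placeholder
        *) echo "unknown state: $2" >&2; return 1 ;;
    esac
    web_password_policy
}

# Walk the cases from the thread; only the "env" paths can keep a blank password.
for hash in "" "constructed-hash"; do
    for state in unset empty value; do
        printf 'pwhash=%-16s env=%-5s -> %s\n' \
            "${hash:-(blank)}" "$state" "$(scenario "$hash" "$state")"
    done
done
rm -f "$CONF"
```

Running it prints `random` for the blank-hash/unset-variable row regardless of whether the blank came from FTL's default or from `pihole setpassword` with an empty password, which is the ambiguity described above. The only row that yields a blank password and survives a restart is the one where the variable exists with an empty value, i.e. `-e FTLCONF_webserver_api_password=` on `docker run` (or an empty entry in the compose `environment:` section), which is the explicit-empty-password path the comment recommends.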

@AliveDevil commented Feb 26, 2025

> that the way to explicitly set an empty password

Yeah, something along those lines - make it abundantly clear that on docker this must be a non-empty password, and the mere existence of the env-variable disables all automatic password generation.

@pfremm commented Mar 4, 2025

Agree with environment variable or somehow avoid overriding if it's set to blank in pihole.toml.

@PromoFaux (Member, Author)

@pfremm - the environment variable method already works per the README.

However I will look to make it even clearer

@pfremm commented Mar 5, 2025

Thanks. I was trying to modify the hash based on the pihole.toml and had not read that on the readme.
