Redis authentication error

[Jesse-Millwood]

After running docker compose up I receive this error:

zulip-1      |   File "/srv/zulip-venv-cache/41efcec5630d3f53c9f2bd1f3b5f6a9921c0197f/zulip-py3-venv/lib/python3.12/site-packages/redis/_parsers/resp2.py", line 38, in _read_response
zulip-1      |     raise error
zulip-1      | redis.exceptions.AuthenticationError: AUTH <password> called without any password configured for the default user. Are you sure your configuration is correct?
zulip-1      |   Applying zerver.0260_missed_message_addresses_from_redis_to_db...Zulip first start database initi failed in "initialize-database" exit code 1. Exiting.
zulip-1 exited with code 1

I have set all of the passwords.

I do see this earlier in the log though:

zulip-1      | Empty var for key "EMAIL_HOST".
zulip-1      | Setting key "EMAIL_HOST_USER", type "string" in file "/etc/zulip/settings.py".
zulip-1      | Setting key "EMAIL_PORT", type "integer" in file "/etc/zulip/settings.py".
zulip-1      | Setting key "EMAIL_USE_SSL", type "bool" in file "/etc/zulip/settings.py".
zulip-1      | Setting key "EMAIL_USE_TLS", type "bool" in file "/etc/zulip/settings.py".
zulip-1      | Setting key "EXTERNAL_HOST", type "string" in file "/etc/zulip/settings.py".
zulip-1      | Setting key "MEMCACHED_LOCATION", type "string" in file "/etc/zulip/settings.py".
zulip-1      | Setting key "RABBITMQ_HOST", type "string" in file "/etc/zulip/settings.py".
zulip-1      | Setting key "RABBITMQ_USER", type "string" in file "/etc/zulip/settings.py".
zulip-1      | Setting key "RATE_LIMITING", type "bool" in file "/etc/zulip/settings.py".
zulip-1      | Setting key "REDIS_HOST", type "string" in file "/etc/zulip/settings.py".
zulip-1      | Setting key "REDIS_PORT", type "integer" in file "/etc/zulip/settings.py".
zulip-1      | Setting key "ZULIP_ADMINISTRATOR", type "string" in file "/etc/zulip/settings.py".
zulip-1      | Zulip configuration succeeded.
zulip-1      | Auto backup enabled.

I have copied this almost verbatim over to run in HomeLabOs. The only difference really is that I'm mapping the volumes to specific local directories and I've added traefik labels.

[Jesse-Millwood]

For what it's worth, this is a redacted version of my compose file with homelab os template variables filled in:

---
version: '3'

networks:
  traefik_network:
    external:
      name: homelabos_traefik
  zulip:

services:
  database:
    image: zulip/zulip-postgresql:14
    restart: unless-stopped
    networks:
      - zulip
    environment:
      POSTGRES_DB: 'zulip'
      POSTGRES_USER: 'zulip'
      POSTGRES_PASSWORD: "<postgres-password>"
    volumes:
      - '/var/homelabos/zulip/postgresql:/var/lib/postgresql/data:rw'

  memcached:
    image: 'memcached:alpine'
    networks:
      - zulip
    restart: unless-stopped
    command:
      - "sh"
      - "-euc"
      - |
        echo 'mech_list: plain' > "$$SASL_CONF_PATH"
        echo "zulip@$$HOSTNAME:$$MEMCACHED_PASSWORD" > "$$MEMCACHED_SASL_PWDB"
        echo "zulip@localhost:$$MEMCACHED_PASSWORD" >> "$$MEMCACHED_SASL_PWDB"
        exec memcached -S
    environment:
      SASL_CONF_PATH: "/home/memcache/memcached.conf"
      MEMCACHED_SASL_PWDB: "/home/memcache/memcached-sasl-db"
      MEMCACHED_PASSWORD: "<memcached-password>"

  rabbitmq:
    image: rabbitmq:3.12.14
    networks:
      - zulip
    hostname: zulip-rabbit
    restart: unless-stopped
    environment:
        RABBITMQ_DEFAULT_USER: 'zulip'
        RABBITMQ_DEFAULT_PASS: "<rabbitmq-password>"
    volumes:
      - '/var/homelabos/zulip/rabbitmq:/var/lib/rabbitmq:rw'

  redis:
    image: "redis:alpine"
    networks:
      - zulip
    volumes:
      - '/var/homelabos/zulip/redis:/var/lib/redis:rw'
    command:
      - "sh"
      - "-euc"
      - |
        echo "requirepass '$$REDIS_PASSWORD'" > /etc/redis.conf
        exec redis-server /etc/redis.conf
    environment:
      REDIS_PASSWORD: "<redis-password>"

  zulip:
    image: zulip/docker-zulip:9.2-0
    networks:
      - traefik_network
      - zulip
    environment:
      DB_HOST: 'database'
      DB_HOST_PORT: '5432'
      DB_USER: 'zulip'
      SSL_CERTIFICATE_GENERATION: 'self-signed'
      DISABLE_HTTPS: 'True'
      SETTING_MEMCACHED_LOCATION: 'memcached:11211'
      SETTING_RABBITMQ_HOST: 'rabbitmq'
      SETTING_REDIS_HOST: 'redis'
      SECRETS_email_password: '123456789'
      SECRETS_rabbitmq_password: "<rabbitmq-password>"
      SECRETS_postgres_password: "<postgres-password>"
      SECRETS_memcached_password: "<memcached-password>"
      SECRETS_redis_password: "<redis-password>"
      SECRETS_secret_key: "<secrets-key>"
      SETTING_EXTERNAL_HOST: 'zulip.homelab.<my-domain>.com'
      SETTING_ZULIP_ADMINISTRATOR: '[email protected]'
      SETTING_EMAIL_HOST: ''  # e.g. smtp.example.com
      SETTING_EMAIL_HOST_USER: '[email protected]'
      SETTING_EMAIL_PORT: '587'
      # It seems that the email server needs to use ssl or tls and can't be used without it
      SETTING_EMAIL_USE_SSL: 'False'
      SETTING_EMAIL_USE_TLS: 'True'
      ZULIP_AUTH_BACKENDS: 'EmailAuthBackend'
      # Uncomment this when configuring the mobile push notifications service
      # SETTING_PUSH_NOTIFICATION_BOUNCER_URL: 'https://push.zulipchat.com'
    volumes:
      - '/var/homelabos/zulip/zulip:/data:rw'
    ulimits:
      nofile:
        soft: 40000
        hard: 50000
    labels:
      - "traefik.http.services.zulip.loadbalancer.server.scheme=http"
      - "traefik.http.services.zulip.loadbalancer.server.port=80"
      - "traefik.enable=true"
      - "traefik.docker.network=homelabos_traefik"
      - "traefik.http.routers.zulip-http.service=zulip"
      - "traefik.http.routers.zulip-http.rule=Host(`zulip.homelab.<my-domain>.com`)"
      - "traefik.http.routers.zulip-http.entrypoints=http"
      - "traefik.http.routers.zulip-http.middlewares=customFrameHomelab@file"
      - "traefik.http.routers.zulip.service=zulip"
      - "traefik.http.routers.zulip.rule=Host(`zulip.homelab.<my-domain>.com`)"
      - "traefik.http.routers.zulip.entrypoints=https"
      - "traefik.http.routers.zulip.middlewares=customFrameHomelab@file"
      - "traefik.http.routers.zulip.tls=true"
      - "traefik.http.routers.zulip.tls.certresolver=http"

[timabbott]

Have you checked whether the password you set is being correctly written into /etc/redis/zulip-redis.conf on the redis container and /etc/zulip/zulip-secrets.conf in the zulip container?

[Jesse-Millwood]

Have you checked whether the password you set is being correctly written into /etc/redis/zulip-redis.conf on the redis container and /etc/zulip/zulip-secrets.conf in the zulip container?

I was able to perform docker exec -it zulip-redis-1 sh to open a shell in the redis container spun up by docker compose up. I did not see an /etc/redis/zulip-redis.conf file but there is an /etc/redis.conf file that does have the requirepass line with the password that does match what I have in my docker compose yaml file. This configuration file seems to line up with what is happening in the docker compose file in this repo

docker-zulip/docker-compose.yml

Line 44 in f445fc5

echo "requirepass '$$REDIS_PASSWORD'" > /etc/redis.conf

.

I was then able to also drop to a shell in the zulip container before it died and print out the /etc/zulip/zulip-secrets.conf file. The redis_password line here matches the requirepass line in the redis container's /etc/redis.conf file.

[timabbott]

Puzzling. redis/redis#13437 and my understanding of the Redis configuration system suggests that Redis should really be using the password there... Is it possible the password contains characters that redis can't parse? Maybe worth checking the logs there.

[Jesse-Millwood]

Puzzling. redis/redis#13437 and my understanding of the Redis configuration system suggests that Redis should really be using the password there... Is it possible the password contains characters that redis can't parse? Maybe worth checking the logs there.

The password that I generated is all alpha-numeric. I ended up opening a shell into the redis container with docker exec -it zulip-redis-1 sh and then used the redis-cli to start a cli session:

redis-cli -h 127.0.0.1 -p 6379
127.0.0.1:6379> AUTH <mypassword>
OK
127.0.0.1:6379> config get requirepass
1) "requirepass"
2) "<mypassword>"

So it seems like the password is fine for redis.

I feel like my compose file is the same as the one in this repo. Is there something else people do to deploy using the compose file in this repo?

I didn't see any logs written anywhere. I looked in /var/log in the container and it was empty.

[timabbott]

I'm pretty sure the compose file here just works.

Very puzzling. Well, a few thoughts:

• This particular trace will not be possible in Zulip 10.0, since we squashed the migration in question.
• You might be able to get past this failure by just adding a return statement at the start of move_missed_message_addresses_to_database in 0260_missed_message_addresses_from_redis_to_db.py; that's the only migration file that uses redis. I could imagine that there's some sort of initialization order failure here, though I don't think it's likely.
• I would double-check for typos and for having substituted properly. Like, if your redis password is abcd1234, you want abcd1234, not <abcd1234> to appear everywhere.

From a Zulip perspective, I think our fix is going to be something like #272 for making the secret generation/substitution automated.

[Jesse-Millwood]

I'm pretty sure the compose file here just works.

Very puzzling. Well, a few thoughts:

* This particular trace will not be possible in Zulip 10.0, since we squashed the migration in question.

* You might be able to get past this failure by just adding a `return` statement at the start of `move_missed_message_addresses_to_database` in `0260_missed_message_addresses_from_redis_to_db.py`; that's the only migration file that uses `redis`. I could imagine that there's some sort of initialization order failure here, though I don't think it's likely.

* I would double-check for typos and for having substituted properly. Like, if your redis password is `abcd1234`, you want `abcd1234`, not `<abcd1234>` to appear everywhere.

From a Zulip perspective, I think our fix is going to be something like #272 for making the secret generation/substitution automated.

Interesting,
Thanks for looking into this. Maybe I'll wait for 10.0. I'm positive the passwords are the same here because HomelabOS uses templating so the password is inserted from one source. I might be doing something wrong too if I'm the only one having this issue.

[timabbott]

We did merge some PRs upgrading dependency versions not long ago, so maybe it's worth someone else testing that main in this repo works for them. Though I guess you're not using exactly the Kubernetes or docker-compose configs that we distribute?

[Jesse-Millwood]

We did merge some PRs upgrading dependency versions not long ago, so maybe it's worth someone else testing that main in this repo works for them. Though I guess you're not using exactly the Kubernetes or docker-compose configs that we distribute?

I did basically copy the docker compose file from this repo and just added the HomelabOS stuff, which is really just the templated fields and traefik labels. I posted my file earlier but it doesn't differ much beyond that. Maybe I'll try a simpler version outside of the HomelabOS environment. Thanks for your help, I'll report back here.