password-file: Error: Unable to open pwfile

[Kra-tor]

Hello all,
I'm trying to create a simple test setup with mosquitto and docker, but I'm getting a lot of trouble with the password file.
I'm creating it within the container, but as soon as I insert it into the config file, the container won't start any more.
Apologies in advance for all the text, I'm trying to make this as clear as possible; Here the steps I have done:

0. Structure:

/srv/mosquitto/
├── compose.yaml
├── config
│   └── mosquitto.conf
├── data
└── log

1. compose.yaml:

services:
  mosquitto:
    image: eclipse-mosquitto
    container_name: mosquitto
    volumes:
      - ./config:/mosquitto/config
      - ./data:/mosquitto/data
      - ./log:/mosquitto/log
    ports:
      - 1883:1883
      - 9001:9001
    stdin_open: true 
    tty: true

2. config/mosquitto.conf:

listener 1883
listener 9001
protocol websockets
persistence true
persistence_file mosquitto.db
persistence_location /mosquitto/data/

#Authentication
allow_anonymous false
#password_file /mosquitto/config/pwfile

-> Note that password_file is commented out at this point

Now i ran it with docker compose up -d
4. log:

mosquitto  | 1773868970: Info: running mosquitto as user: mosquitto.
mosquitto  | 1773868970: mosquitto version 2.1.2 starting
mosquitto  | 1773868970: Config loaded from /mosquitto/config/mosquitto.conf.
mosquitto  | 1773868970: Bridge support available.
mosquitto  | 1773868970: Persistence support available.
mosquitto  | 1773868970: TLS support available.
mosquitto  | 1773868970: TLS-PSK support available.
mosquitto  | 1773868970: Websockets support available.
mosquitto  | 1773868970: Opening ipv4 listen socket on port 1883.
mosquitto  | 1773868970: Opening ipv6 listen socket on port 1883.
mosquitto  | 1773868970: Opening ipv4 listen socket on port 9001.
mosquitto  | 1773868970: Opening ipv6 listen socket on port 9001.
mosquitto  | 1773868970: mosquitto version 2.1.2 running

-> so far so good
5. Switch inside the container and create an password file:

root@mycomputer:/srv/mosquitto# docker exec -it mosquitto sh
/ # cd mosquitto/config/
/mosquitto/config # ls -alF
total 12
drwxr-xr-x    2 root     root          4096 Mar 18 21:28 ./
drwxr-xr-x    5 mosquitto mosquitto      4096 Feb  9 20:01 ../
-rw-r--r--    1 root     root           212 Mar 18 21:19 mosquitto.conf
/mosquitto/config # mosquitto_passwd -c -b ./pwfile secretuser verysecretpassword
Adding password for user secretuser
/mosquitto/config # ls -alF
total 16
drwxr-xr-x    2 root     root          4096 Mar 18 21:29 ./
drwxr-xr-x    5 mosquitto mosquitto      4096 Feb  9 20:01 ../
-rw-r--r--    1 root     root           212 Mar 18 21:19 mosquitto.conf
-rw-------    1 root     root           197 Mar 18 21:29 pwfile
/mosquitto/config # exit

6. enable password file in mosquito.conf:

listener 1883
listener 9001
protocol websockets
persistence true
persistence_file mosquitto.db
persistence_location /mosquitto/data/

#Authentication
allow_anonymous false
password_file /mosquitto/config/pwfile

7. When I'm trying to fire up the container, it creates this log:

mosquitto  | 1773869758: Info: running mosquitto as user: mosquitto.
mosquitto  | 1773869758: Restored 0 base messages
mosquitto  | 1773869758: Restored 0 retained messages
mosquitto  | 1773869758: Restored 0 clients
mosquitto  | 1773869758: Restored 0 subscriptions
mosquitto  | 1773869758: Restored 0 client messages
mosquitto  | 1773869758: mosquitto version 2.1.2 starting
mosquitto  | 1773869758: Config loaded from /mosquitto/config/mosquitto.conf.
mosquitto  | 1773869758: Bridge support available.
mosquitto  | 1773869758: Persistence support available.
mosquitto  | 1773869758: TLS support available.
mosquitto  | 1773869758: TLS-PSK support available.
mosquitto  | 1773869758: Websockets support available.
mosquitto  | 1773869758: password-file: Error: Unable to open pwfile "/mosquitto/config/pwfile".
mosquitto  | 1773869758: mosquitto version 2.1.2 terminating
mosquitto  | 1773869758: Saving in-memory database to /mosquitto/data//mosquitto.db.
mosquitto exited with code 13

8. After doing chmod 0700 pwfile:

mosquitto  | 1773869919: Info: running mosquitto as user: mosquitto.
mosquitto  | 1773869919: Restored 0 base messages
mosquitto  | 1773869919: Restored 0 retained messages
mosquitto  | 1773869919: Restored 0 clients
mosquitto  | 1773869919: Restored 0 subscriptions
mosquitto  | 1773869919: Restored 0 client messages
mosquitto  | 1773869919: mosquitto version 2.1.2 starting
mosquitto  | 1773869919: Config loaded from /mosquitto/config/mosquitto.conf.
mosquitto  | 1773869919: Bridge support available.
mosquitto  | 1773869919: Persistence support available.
mosquitto  | 1773869919: TLS support available.
mosquitto  | 1773869919: TLS-PSK support available.
mosquitto  | 1773869919: Websockets support available.
mosquitto  | 1773869919: password-file: Error: Unable to open pwfile "/mosquitto/config/pwfile".
mosquitto  | 1773869919: mosquitto version 2.1.2 terminating
mosquitto  | 1773869919: Saving in-memory database to /mosquitto/data//mosquitto.db.
mosquitto exited with code 13

9 Additionally chown mosquitto:mosquitto pwfile:

root@mycomputer:/srv/mosquitto# ls -alF config/
total 16
drwxr-xr-x 2 root      root      4096 Mar 18 22:34 ./
drwxr-xr-x 5 root      root      4096 Mar 18 21:53 ../
-rw-r--r-- 1 root      root       211 Mar 18 22:34 mosquitto.conf
-rwx------ 1 mosquitto mosquitto  197 Mar 18 22:29 pwfile*
root@mycomputer:/srv/mosquitto# docker compose up
Attaching to mosquitto
mosquitto  | 1773870429: Info: running mosquitto as user: mosquitto.
mosquitto  | 1773870429: Restored 0 base messages
mosquitto  | 1773870429: Restored 0 retained messages
mosquitto  | 1773870429: Restored 0 clients
mosquitto  | 1773870429: Restored 0 subscriptions
mosquitto  | 1773870429: Restored 0 client messages
mosquitto  | 1773870429: mosquitto version 2.1.2 starting
mosquitto  | 1773870429: Config loaded from /mosquitto/config/mosquitto.conf.
mosquitto  | 1773870429: Bridge support available.
mosquitto  | 1773870429: Persistence support available.
mosquitto  | 1773870429: TLS support available.
mosquitto  | 1773870429: TLS-PSK support available.
mosquitto  | 1773870429: Websockets support available.
mosquitto  | 1773870429: password-file: Error: Unable to open pwfile "/mosquitto/config/pwfile".
mosquitto  | 1773870429: mosquitto version 2.1.2 terminating
mosquitto  | 1773870429: Saving in-memory database to /mosquitto/data//mosquitto.db.
mosquitto exited with code 13

Also when I'm running the container with disabled file in the config, switch the container terminal and do cat /mosquitto/config/pwfile it can access the file without any problem (I've copied the path from the error message)

I’ve already read and tried several troubleshooting tips for this; either I don’t understand what ultimately led to the solution, or the solution didn’t work for me, which is why I’ve tried to describe the issue in as much detail as possible, so sorry again for the long text

[reubenmiller]

@Kra-tor How did you create the password file (pwfile)? There is a utility called mosquitto_passwd which can be used to create a more secure password file which has usernames and password but stores the password hash instead of plain text.

I ran you above setup and just created the pwfile with a user called foo.

mosquitto_passwd -c pwfile foo

Then after restarting the mosquito container, I could connect to it using mosquitto_sub:

mosquitto_sub -p 1883 -t '#' -u foo -P bar

[Kra-tor]

Hey @reubenmiller thank you for the response

5. Switch inside the container and create an password file:

root@mycomputer:/srv/mosquitto# docker exec -it mosquitto sh
/ # cd mosquitto/config/
/mosquitto/config # ls -alF
total 12
drwxr-xr-x    2 root     root          4096 Mar 18 21:28 ./
drwxr-xr-x    5 mosquitto mosquitto      4096 Feb  9 20:01 ../
-rw-r--r--    1 root     root           212 Mar 18 21:19 mosquitto.conf
/mosquitto/config # mosquitto_passwd -c -b ./pwfile secretuser verysecretpassword
Adding password for user secretuser
/mosquitto/config # ls -alF
total 16
drwxr-xr-x    2 root     root          4096 Mar 18 21:29 ./
drwxr-xr-x    5 mosquitto mosquitto      4096 Feb  9 20:01 ../
-rw-r--r--    1 root     root           212 Mar 18 21:19 mosquitto.conf
-rw-------    1 root     root           197 Mar 18 21:29 pwfile
/mosquitto/config # exit

I did it with the utility you mentioned, I also tried it once without the -b parameter but ended with the same results.

Did you enabled the pwfile inside the mosquitto.conf with the line password_file /mosquitto/config/pwfile before restarting the container? I am able to start the container when it is not enabled, and also subscribe and publish messages when allow_anonymous is set to true, so maybe that is the case in your setup?

[reubenmiller]

Did you enabled the pwfile inside the mosquitto.conf with the line password_file /mosquitto/config/pwfile before restarting the container? I am able to start the container when it is not enabled, and also subscribe and publish messages when allow_anonymous is set to true, so maybe that is the case in your setup?

I ran the mosquitto_passwd on the host put the file under config/pwfile, then restart the docker compose. I also disabled the allow_anonymous and also checked that it would reject the connection if the wrong password/username was used.

This was the mosquitto.conf that I used.

$ cat config/mosquitto.conf
listener 1883
listener 9001
protocol websockets
persistence true
persistence_file mosquitto.db
persistence_location /mosquitto/data/

#Authentication
allow_anonymous false
password_file /mosquitto/config/pwfile

And the output from the docker compose (not running in the background). It shows a client successfully connecting (with the correct password), and once with the wrong password where the connection is rejected.

docker compose up
[+] Running 2/2
 ✔ Network mosquitto-debug_default  Created                                                                          0.0s
 ✔ Container mosquitto              Created                                                                          0.1s
Attaching to mosquitto
mosquitto  | 1773946939: Info: running mosquitto as user: mosquitto.
mosquitto  | 1773946939: Restored 0 base messages
mosquitto  | 1773946939: Restored 0 retained messages
mosquitto  | 1773946939: Restored 0 clients
mosquitto  | 1773946939: Restored 0 subscriptions
mosquitto  | 1773946939: Restored 0 client messages
mosquitto  | 1773946939: mosquitto version 2.1.2 starting
mosquitto  | 1773946939: Config loaded from /mosquitto/config/mosquitto.conf.
mosquitto  | 1773946939: Bridge support available.
mosquitto  | 1773946939: Persistence support available.
mosquitto  | 1773946939: TLS support available.
mosquitto  | 1773946939: TLS-PSK support available.
mosquitto  | 1773946939: Websockets support available.
mosquitto  | 1773946939: Plugin builtin-security has registered to receive 'basic-auth' events.
mosquitto  | 1773946939: Opening ipv4 listen socket on port 1883.
mosquitto  | 1773946939: Opening ipv6 listen socket on port 1883.
mosquitto  | 1773946939: Opening ipv4 listen socket on port 9001.
mosquitto  | 1773946939: Opening ipv6 listen socket on port 9001.
mosquitto  | 1773946939: mosquitto version 2.1.2 running
mosquitto  | 1773946953: New connection from 172.21.0.1:41606 on port 1883.
mosquitto  | 1773946953: New client connected from 172.21.0.1:41606 as auto-18156CEB-EA09-601F-8051-BF7983F498D4 (p4, c1, k60, u'foo').
mosquitto  | 1773946957: Client auto-18156CEB-EA09-601F-8051-BF7983F498D4 [172.21.0.1:41606] disconnected.
mosquitto  | 1773946959: New connection from 172.21.0.1:41614 on port 1883.
mosquitto  | 1773946959: Client auto-D7F83743-7831-272F-3C7F-766BB17DE98F [172.21.0.1:41614] disconnected: not authorised.
Gracefully Stopping... press Ctrl+C again to force
 Container mosquitto  Stopping
mosquitto  | 1773946960: mosquitto version 2.1.2 terminating
mosquitto  | 1773946960: Saving in-memory database to /mosquitto/data//mosquitto.db.
 Container mosquitto  Stopped

[reubenmiller]

Sorry I missed your first posting where you already mentioned that you were using the mosquitto password utility.

So I guess it comes down to this problem:

password-file: Error: Unable to open pwfile "/mosquitto/config/pwfile"

And looking at your output, I think the problem is that the pwfile is owned by root (and only readable by root). By default the mosquitto image will run under the mosquitto user (uid=1883), so that is probably why the file isn't readable.

Technically you could just open up the permissions of the file, chmod 744 config/pwfile, then that should work, but you'll get a warning that it is "world readable" from mosquitto and saying that it won't be supported in the future.

[Kra-tor]

Yeah I finally got it working, thank you!
It turned out that the user mosquitto does not have UID 1883 (for whatever reason), so you also need to use chown with 1883:1883.
When I created the pwfile using "docker exec...", it was created with the user and group set to root. After I ran chown 1883:1883 pwfile, it worked.

For anyone reading this in the future:
The same applies to the logfile, if you have any specified inside the mosquitto.conf