Unable to authenticate with master password after docker container is rebuilt

I am getting locked out of my account and am unable to authenticate with my master password after rebuilding the bitwarden_rs container.

I am running bitwarden_rs via docker-compose with traefik as a reverse proxy, mariadb as my database, and a docker volume is mounted to /data/ in the container. After the initial docker-compose up -d I am able to create an account and everything seems to work. If I then make any changes to the container via docker-compose.yml then recreate the container with another docker-compose up -d, I am no longer able to authenticate with my master password. I am trying to disable registration with the environment variable "SIGNUPS_ALLOWED=false" in my docker-compose.yml, which is what prompts the container to be rebuilt. I believe I can get around this by using the admin panel, but unless I am misunderstanding the service should keep working after destroying and rebuilding the container. I was having the same issue before I switched to using mariadb as my database.

Below is my docker-compose.yml config for bitwarden:

    ##bitwarden setup 

     bitwarden_mariadb:
       image: "mariadb"
       container_name: "bitwarden_mariadb"
       hostname: "bitwarden_mariadb"
       restart: always
       env_file:
        - ".env"
       volumes:
        - "bitwarden_mariadb_vol:/var/lib/mysql"
        - "/etc/localtime:/etc/localtime:ro"
       environment:
        - "MYSQL_ROOT_PASSWORD=${DB_PASS}"
        - "MYSQL_PASSWORD=${DB_PASS}"
        - "MYSQL_DATABASE=bitwarden-database"
        - "MYSQL_USER=bitwarden-user"
       networks:
        - "bitwarden_net"

     bitwarden:
      image: "bitwardenrs/server:latest"
      container_name: "bitwarden"
      hostname: "bitwarden"
      restart: always
      env_file:
       - ".env"
      environment:
    ## set to true if you need to setup a new account
       - "SIGNUPS_ALLOWED=false"
       - "DATABASE_URL='mysql://bitwarden-user:${DB_PASS}@bitwarden_mariadb'"
       - "ADMIN_TOKEN=${BITWARDEN_ADMIN}"
      labels:
       - "traefik.enable=true"
       - "traefik.docker.network=${PRJCT_PREFIX}_traefik_net"
       - "traefik.http.services.bitwarden.loadbalancer.server.port=80"
       - "traefik.http.routers.bitwarden.rule=Host(`bitwarden.${MY_DOMAIN}`)"
       - "traefik.http.routers.bitwarden.entrypoints=websecure"
       - "traefik.http.routers.bitwarden.tls.certresolver=letsencrypt"
       - "traefik.http.routers.bitwarden.service=bitwarden"
      networks:
       - "traefik_net"
       - "bitwarden_net"
      volumes:
       - "bitwarden_vol:/data/"

Here is the output of docker logs bitwarden after trying to login with my master password.

/--------------------------------------------------------------------\
|                       Starting Bitwarden_RS                        |
|                           Version 1.17.0                           |
|--------------------------------------------------------------------|
| This is an *unofficial* Bitwarden implementation, DO NOT use the   |
| official channels to report bugs/features, regardless of client.   |
| Send usage/configuration questions or feature requests to:         |
|   https://vaultwarden.discourse.group/                             |
| Report suspected bugs/issues in the software itself at:            |
|   https://github.com/dani-garcia/bitwarden_rs/issues/new           |
\--------------------------------------------------------------------/

[WARNING] The following environment variables are being overriden by the config file,
[WARNING] please use the admin panel to make changes to them:
[WARNING] ADMIN_TOKEN

Running migration 20180114171611
Running migration 20180217205753
Running migration 20180427155151
Running migration 20180508161616
Running migration 20180525232323
Running migration 20180601112529
Running migration 20180711181453
Running migration 20180827172114
Running migration 20180910111213
Running migration 20180919144557
Running migration 20181127152651
Running migration 20190526216651
Running migration 20191010083032
Running migration 20191117011009
Running migration 20200313205045
Running migration 20200409235005
Running migration 20200701214531
Running migration 20200802025025
[2020-10-28 20:43:25.837][start][INFO] Rocket has launched from http://0.0.0.0:80
[2020-10-28 20:53:38.765][request][INFO] POST /api/accounts/prelogin
[2020-10-28 20:53:38.793][response][INFO] POST /api/accounts/prelogin (prelogin) => 200 OK
[2020-10-28 20:53:39.079][request][INFO] POST /identity/connect/token
[2020-10-28 20:53:39.081][error][ERROR] Username or password is incorrect. Try again. IP: <MY_IP>. Username: <MY_USER_NAME>.
[2020-10-28 20:53:39.081][response][INFO] POST /identity/connect/token (login) => 400 Bad Request

When you restart, it looks like bitwarden_rs is running all the migrations. This suggests it thinks your database is uninitialized, which probably means your MariaDB data was not carried across the restart.

You probably need to add a top-level volumes definition like

volumes:
  bitwarden_mariadb_vol:
  bitwarden_vol:

Or just use bind mounts instead of named volumes. See the docs for details:

I may mistake, but I think here was the problem with password special chars with docker and MySQL. Try to use a simple pass.

THANKS!! I totally missed the percentage encoding thing in the wiki

Anyone have a good resource for setting up percentage encoding in mysql? Does this have to manually be done to the table to swap out the special characters for a percentage encoding?

EDIT:
I was mistaken, this is not the issue

Percent encoding only relates to how your password needs to be written in the connection URL; it has nothing to do with the database tables. And if this were actually the issue, your instance wouldn’t have been working before the container restart as it would never have successfully connected to the database server.

Yeah, I jumped the gun in my test, changing my password did not fix the issue. Thanks for the info!

Does the default docker image bitwardenrs/server:latest support connecting to a mysql database? Now that I am re-reading the wiki, would I need to use the mysql version docker image to have bitwarden use a mariadb container as its database backend? At first I thought the bitwardenrs/server-mysql had mysql built into the container, but is this actually just the bitwardenrs server built with mysql support enabled and you still need to supply the database?

See https://github.com/dani-garcia/bitwarden_rs/wiki/Which-container-image-to-use. The bitwarden_rs images don’t include the MySQL server itself.