Cannot connect to mysql database: Access denied

[mildred]

I have issues connecting to the mysql database spawned by this docker container. I ger repeated access denied errors. I tried multiple ways:

• use nsenter to enter the mysql container and then the mysql client to connect as root or as user (as configured with the environment variables): nsenter --target $(docker inspect --format {{.State.Pid}} etc_mysql_1) --mount --uts --ipc --net --pid /bin/bash
• use a linked container as the documentation shows: run -it --link some-mysql:mysql --rm mysql sh -c 'exec mysql -h"$MYSQL_PORT_3306_TCP_ADDR" -P"$MYSQL_PORT_3306_TCP_PORT" -uroot -p"$MYSQL_ENV_MYSQL_ROOT_PASSWORD"'
• in my application container, run the mysql client and connect from there

I tried with and without a password. With the root user and with $MYSQL_USER. With the -h localhost or -h mysql or without. Each time, I get an error similar to this:

ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)

This is the environment of the mysqld process:

root@07632642725f:/# tr '\0' '\n' </proc/1/environ 
HOSTNAME=07632642725f
MYSQL_VERSION=5.6.23
MYSQL_DATABASE=webmail
MYSQL_PASSWORD=webmailpasswd
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/
SHLVL=0
HOME=/root
MYSQL_MAJOR=5.6
MYSQL_USER=webmail
MYSQL_ROOT_PASSWORD=rootpasswd

Do you have an idea why it fails?

Thank you

[ltangvald]

The error usually means the password supplied is incorrect.
Did you start the container in any particular way, or just as specified in the documentation?

[mildred]

The container is started with docker-compose. The yaml script is :

mysql:
  image: mysql
  environment:
    - MYSQL_ROOT_PASSWORD=rootpasswd
    - MYSQL_DATABASE=webmail
    - MYSQL_USER=webmail
    - MYSQL_PASSWORD=webmailpasswd

[yosifkit]

Have you changed the passwords since you first tried running the containers? docker-compose does extra work to preserve volumes between runs (thus preserving the database); you may want to try docker-compose rm -v to delete everything and try starting it up again.

[sformisano]

@yosifkit +1 I had the exact same issue and figured it out thanks to your answer. Is the -v flag even documented in the compose cli docs? I saw no mention of it on the rm command.

[yosifkit]

Glad I could help. It doesn't seem to have anything (https://docs.docker.com/compose/cli/#rm). I think I verified it with docker-compose rm --help or something. It is a mirror of the regular docker rm. You should totally file an issue to improve the documentation 😉.

[etoews]

I have to +1 here. I had my MySQL files in a data volume container that had stuck around and this discussion helped me realize it.

[faceleg]

This got me as well, opened an issue. Thanks @yosifkit!

[paulredmond]

you may want to try docker-compose rm -v to delete everything and try starting it up again.

@yosifkit thank you so much for your advice, you saved me ❤️

[marcellodesales]

@yosifkit Thanks again... However, another detail here is that if you use a data container with docker-compose, you need to delete the ENTIRE directory before running again.

qgMysqlData:
  image: busybox
  volumes:
    - ./mysql-data:/var/lib/mysql

qgMySQLServer:
  image: mysql
  environment:
    MYSQL_ROOT_PASSWORD: *******
    MYSQL_USER: *****
    MYSQL_PASSWORD: ******
    MYSQL_DATABASE: ****
  ports:
    - "3306:3306"
  volumes_from:
    - "qgMysqlData"

qgPhpMyAdmin:
  image: nazarpc/phpmyadmin
  ports:
    - "8090:80"
  links:
    - qgMySQLServer:mysql

The command docker-compose rm -v reflects in the containers, but NOT in the volume mapped. So, the following command will remove the containers and since it doesn't delete the volumes, the command files to create a new user.

$ docker-compose rm -v
Going to remove backendphp_qgPhpMyAdmin_1, backendphp_qgMySQLServer_1, backendphp_qgMysqlData_1
Are you sure? [yN] y
Removing backendphp_qgMysqlData_1...
Removing backendphp_qgMySQLServer_1...
Removing backendphp_qgPhpMyAdmin_1...

At this point, the only way to make it right is to delete the directory that you mapped your mysql data.

$ sudo rm -rf mysql-data

Only after that, the command created a new database with the users correctly set!

Good luck!

[yosifkit]

You are correct; docker-compose rm -v does delete docker managed volumes, but not bind mounted "volumes". They have similar properties and act mostly the same, but the bind mounts are directories controlled by the user so docker is not just going to delete them for you. Thanks for the input, hopefully it will help someone in the future.

[strarsis]

I had the same error but from a different cause:
The environment variable MYSQL_PWD was set to the same value as MYSQL_PASSWORD,
so mysql client commands run against this container would use the correct password.
This causes the mysql container init script to log in too early
with that password which user hadn't been set up yet.
The same issue also occurs when MYSQL_PWD is set to the MYSQL_ROOT_PASSWORD.

[geerlingguy]

Note also that if you have a non-named volume (e.g. something like below in your docker-compose.yml), then you have to manually delete it (The Compose file doesn't track it for deletion, and preserves it silently).

In docker-compose.yml:

...
volumes:
  data_volume:

If you run docker volume ls, you'll see a volume like projectfolder_data_volume. To delete it, run docker volume rm projectfolder_data_volume.

[blachawk]

I have to give a + 1 on this discussion because I had different passwords going on for 2 containers trying to connect to mysql with WORDPRESS_DB_PASSWORD, when i should of been using the same password on both containers.

Thanks

[benhtn]

yes @marcellodesales you're a star! thank you!!

[glaux]

Another possible resolution to the 'access denied' issue is provided in this issue: #241.
In short, add MYSQL_ROOT_HOST=% as an environment variable.

[stingus]

I was facing this issue, not related to Docker, but found it while using docker-compose with multiple mysql instances on localhost:

You can specify a port number for connections to a local server, too. However, as indicated previously, connections to localhost on Unix will use a socket file by default. You will need to force a TCP/IP connection as already described or any option that specifies a port number will be ignored.

I am using OSX, so all my connections using -h localhost went straight to the MySQL instance on the host itself (via socket, --port is ignored). Using 127.0.0.1 instead of localhost forces a TCP connection on the right port, thus on the right container.

[erikverheij]

We ran into this issue because we used the env var MYSQL_PWD. It was intended to be used by another container but the mysql container also uses it when the init queries are executed.

[Rukeith]

I just still got this error even I use docker-compose rm -v

[yosifkit]

@Rukeith, rm -v only removes anonymous volumes; if you have a named volume for /var/lib/mysql, you would also need to delete that. (Assuming that it contains a misconfigured database and you are trying to start over.)

[Rukeith]

@yosifkit I didn't mount any volume

[amir5121]

I had similar problem apparently some characters aren't allowed in the password..

after changing the password environment variable and removing the volume the issue was resolved

[taha-moghaddam]

I had this problem, too. docker-compose down -v solved my problem.
This command removed all corresponding volume, network and containers.

[hayatoise]

I had this problem, too. docker-compose down -v solved my problem.
This command removed all corresponding volume, network and containers.

@taha-moghaddam I solved it with this command. Thank you 👍

[pourya2374]

Have you changed the passwords since you first tried running the containers? docker-compose does extra work to preserve volumes between runs (thus preserving the database); you may want to try docker-compose rm -v to delete everything and try starting it up again.

I didn't see it coming!

[rahulsingh336]

Hello, clearing the data volumes made by app to connect to mysql using docker-compose.
I have one question, I think there is not password for default image for mysql 5.7.20, thats why without specifying password anywhere it is allowing to connect ?
or, when we link container then some magic happens, could you please explain this behaviour?

[mohamed-aiman]

in my case it was a permission issue to the mounted volume.
what worked for me was
run docker-compose down -v
which deleted all networks(if not external), volumes and containers.
I previously tried docker-compose rm -v and it didn't work as the problem was with volumes and not with the containers, it removes only containers but not the volumes.

[celovivas]

Have you changed the passwords since you first tried running the containers? docker-compose does extra work to preserve volumes between runs (thus preserving the database); you may want to try docker-compose rm -v to delete everything and try starting it up again.

Acctually, the command that resolved for me was docker-compose down -v

[boyaziqi]

I have a similar problem（changing MYSQL_USER)。I tried to run docker-compose rm -v and docker-compose down -v. but I just still got this error.

[sfmok]

Note also that if you have a non-named volume (e.g. something like below in your docker-compose.yml), then you have to manually delete it (The Compose file doesn't track it for deletion, and preserves it silently).

In docker-compose.yml:

...
volumes:
  data_volume:

If you run docker volume ls, you'll see a volume like projectfolder_data_volume. To delete it, run docker volume rm projectfolder_data_volume.

Thank you

[DJStress]

Thanks @sfmok this worked for me. Also as thank you @amir5121 as you stated some characters are not accepted and I found this to be spot on with an error I was receiving, so I decided to go with a basic password. In addition to removing the data directory I used the "docker volume prune" command to remove all volumes associated on the host machine. Thank you again guys!

[SaveYourTime]

Note also that if you have a non-named volume (e.g. something like below in your docker-compose.yml), then you have to manually delete it (The Compose file doesn't track it for deletion, and preserves it silently).

In docker-compose.yml:

...
volumes:
  data_volume:

If you run docker volume ls, you'll see a volume like projectfolder_data_volume. To delete it, run docker volume rm projectfolder_data_volume.

You save my life!!! 🥺

[ladaposamuel]

Note also that if you have a non-named volume (e.g. something like below in your docker-compose.yml), then you have to manually delete it (The Compose file doesn't track it for deletion, and preserves it silently).
In docker-compose.yml:

...
volumes:
  data_volume:

If you run docker volume ls, you'll see a volume like projectfolder_data_volume. To delete it, run docker volume rm projectfolder_data_volume.

Thank you

You saved my life

[wischi-chr]

I ran into the same problem a few minutes ago. Keep in mind that there must not be a space after the "-p" argument.

[cristianmonsalve]

Note also that if you have a non-named volume (e.g. something like below in your docker-compose.yml), then you have to manually delete it (The Compose file doesn't track it for deletion, and preserves it silently).

In docker-compose.yml:

...
volumes:
  data_volume:

If you run docker volume ls, you'll see a volume like projectfolder_data_volume. To delete it, run docker volume rm projectfolder_data_volume.

Man, u're the best, u saved my life !!

[livthomas]

I my case, I had to execute all these steps to solve this problem:

1. Stop and remove containers and volumes:

   docker-compose down -v
   

2. Remove my db volume folder:

   sudo rm -rf db
   

3. Remove all affected Docker images:

   docker rmi IMAGE_ID
   

[jp-git1986]

faced same issue.Seems the problem is with volumes with originally created when there is no mysql_root_password was defined in docker-compose.yaml file.After removed using docker volume rm(since named volumes not removed while running docker-compose rm -v) and reran docker-compose up after updated yaml file with mysql_root_password,it was working properly

[sontd-0882]

docker-compose down -v will delete your mounted data, my database has gone away 😢

[ericpitcher]

I got the access denied error because I had a dollar sign in my password, which the docker compose file parses as variable substitution (I've only seen the ${} syntax) on this page you will read "Both $VARIABLE and ${VARIABLE} syntax are supported." https://docs.docker.com/compose/compose-file/#variable-substitution

Therefore if I had for example this as my database password in the docker compose file: hello$world, the world variable would get substituted, of course I don't have a 'world' variable, the password that would be set in that case would be 'hello', so without knowing the docker compose syntax you would be trying to log in with 'hello$world', and you'd be denied access.

[leonardosdias]

Eu tive esse problema também. docker-compose down -vresolveu meu problema.
Este comando removeu todo o volume, rede e contêineres correspondentes.

This command solved my problem, thank you very much.
Then I ran docker-compose up -d to create the environment.

[Rafarel]

Have you changed the passwords since you first tried running the containers? docker-compose does extra work to preserve volumes between runs (thus preserving the database); you may want to try docker-compose rm -v to delete everything and try starting it up again.

It makes so much sense now !!!
You saved my life, I lost a full day on this yesterday !
Hero of my day :) Thanks a million times

[elchroy]

Note also that if you have a non-named volume (e.g. something like below in your docker-compose.yml), then you have to manually delete it (The Compose file doesn't track it for deletion, and preserves it silently).

In docker-compose.yml:

...
volumes:
  data_volume:

If you run docker volume ls, you'll see a volume like projectfolder_data_volume. To delete it, run docker volume rm projectfolder_data_volume.

Thank you! This saved me.

[GABAnich]

docker system prune     

helped me

[Yelfive]

I was facing this issue, not related to Docker, but found it while using docker-compose with multiple mysql instances on localhost:

You can specify a port number for connections to a local server, too. However, as indicated previously, connections to localhost on Unix will use a socket file by default. You will need to force a TCP/IP connection as already described or any option that specifies a port number will be ignored.

I am using OSX, so all my connections using -h localhost went straight to the MySQL instance on the host itself (via socket, --port is ignored). Using 127.0.0.1 instead of localhost forces a TCP connection on the right port, thus on the right container.

And I ran brew stop mysql, it worked.

[gurpreetsingh087]

docker-compose rm -v did not work for me.
I manually removed volume directory then restarted using docker-compose up.

This only worked for me.

[ryanjanborja]

OS: MacOS Catalina 10.15.3
Docker: 2.2.0.3

db:
  container_name: app_db
  image: mysql:5.7
  volumes:
    - app_db:/var/lib/mysql
  ports:
    - 3306:3306
  environment:
    - MYSQL_ROOT_PASSWORD="passwd"

volumes:
  app_db:

I wen't inside the mysql container to login

docker exec -ti app_db bash
mysql -u root -p
Enter password: passwd
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)

I did docker-compose down -v and manually removed the container and volume but no luck

[yosifkit]

@iryanjan18, you need to remove the quotes in your yaml, switch to a map (instead of a list), or use them in your password to mysql.

# either of these should work
  environment:
    - MYSQL_ROOT_PASSWORD=passwd

  environment:
    MYSQL_ROOT_PASSWORD: "passwd"

[askme23]

you may want to try docker-compose rm -v to delete everything and try starting it up again.
@yosifkit it's work for me, thank you so much )

[shaktals]

I had same issue with a running mysql instance in a docker container.
What happened it that I updated some system packages, that restarted the local mysql instance.
Thus the docker mysql was dropped.
But when trying docker-compose up it would not throw any errors.
After `docker-compose rm -v', it indicated a connection error, which lead to the root cause.

[brenaandring]

Note also that if you have a non-named volume (e.g. something like below in your docker-compose.yml), then you have to manually delete it (The Compose file doesn't track it for deletion, and preserves it silently).

In docker-compose.yml:

...
volumes:
  data_volume:

If you run docker volume ls, you'll see a volume like projectfolder_data_volume. To delete it, run docker volume rm projectfolder_data_volume.

Wish I could get you a beer! Thank you!!!

[strarsis]

It seems it works differently with WSL 2, has anyone tried?
Edit: With WSL 2 it is possible to set the permissions/owner of the native Windows directory and these also translate into the mounted directory inside the container, so it should work in WSL 2 with direct mount.

[pmutua]

Note also that if you have a non-named volume (e.g. something like below in your docker-compose.yml), then you have to manually delete it (The Compose file doesn't track it for deletion, and preserves it silently).

In docker-compose.yml:

...
volumes:
  data_volume:

If you run docker volume ls, you'll see a volume like projectfolder_data_volume. To delete it, run docker volume rm projectfolder_data_volume.

Worked for me thanks, saved me a lot of time.

[vit-lebediev]

My case was trivial, but I spent a lot of time searching for an answer, including carefully reading through this thread, so it might be helpful for someone in the future.

In my case, I was starting a container with docker-compose up -d, meaning I didn't see logs, and was still getting this error after trying all the suggestions. After that I went to take a look at a dockerfile, saw that there's pretty detailed log about what's going on during container startup.

Then I tried to start it without -d detached mode, and searched for Creating user ${MYSQL_USER} log line.

It turned out, my user was not created because username was 1 character too long, and I got String '<redacted_username>' is too long for user name (should be no longer than 16)

[oyepez003]

Make sure you has the next config, remove the volume and try again...

db_service:
    ...
    environment:
      MYSQL_DATABASE: 'mydb'
      MYSQL_USER: 'custom_user'
      MYSQL_PASSWORD: 'custom_password'
      MYSQL_ALLOW_EMPTY_PASSWORD: 'true'
      MYSQL_ROOT_PASSWORD: ''
      MYSQL_ROOT_HOST: '%'
   ...

Of course, the empty password is only to make easy the management for the development environment.

[amjadataallah]

Unfortunately, I tried all of the solutions above and none worked for me.
I am working on Laravel for APIs and Angular as frontend.

This is the docker-compose file I have:

version: "3.7"
services:
app:
build:
args:
user: dfs
uid: 1000
context: ./
dockerfile: Dockerfile
image: gaming
container_name: gaming-app
restart: unless-stopped
working_dir: /var/www
volumes:
- ./:/var/www
networks:
- gaming
ports:
- 9000:80
depends_on:
- db

db:
image: mysql:5.7
container_name: gaming-db
restart: unless-stopped
environment:
MYSQL_PORT: ${DB_PORT}
MYSQL_DATABASE: ${DB_DATABASE}
MYSQL_ROOT_PASSWORD: ${DB_PASSWORD}
MYSQL_PASSWORD: ${DB_PASSWORD}
MYSQL_USER: ${DB_USERNAME}
#SERVICE_TAGS: dev
#SERVICE_NAME: mysql
volumes:
- ./docker-compose/mysql:/docker-entrypoint-initdb.d
- ./docker-compose/data:/var/lib/mysql
- ./docker-compose/log/:/var/log/
networks:
- gaming
ports:
- 3306:3306

nginx:
image: nginx:alpine
container_name: gaming-nginx
restart: unless-stopped
ports:
- 8000:80
- 8080:8080
volumes:
- ./:/var/www/
- ./docker-compose/nginx:/etc/nginx/conf.d/
networks:
- dfsgt
depends_on:
- db

networks:
gaming:
driver: bridge

[tianon]

These sorts of questions/requests for support would be more appropriately posted to the Docker Community Forums, the Docker Community Slack, or Stack Overflow.