Elasticsearch (8.15.0) Docker setup: ENV not able to reset built-in user elastic's password

Hi team, I am trying to create a custom Elasticsearch Docker image with the base image set to 8.15.0. The following is my Dockerfile, which is getting built:

# Use the official Elasticsearch 8.15 base image
FROM docker.elastic.co/elasticsearch/elasticsearch:8.15.0

# Set environment variables (you can customize these)
# Ensure the directory for data persistence is set correctly
ENV discovery.type=single-node
ENV ELASTIC_PASSWORD=elastic123
ENV xpack.security.enabled=true
ENV xpack.security.http.ssl.enabled=false
ENV xpack.security.transport.ssl.enabled=false
ENV xpack.license.self_generated.type=trial
ENV ES_PORT=9200

# Create a mount point for the data volume to persist indices
VOLUME ["/usr/share/elasticsearch/data"]

# Expose Elasticsearch port
EXPOSE 9200

# Run Elasticsearch
CMD ["/bin/bash", "-c", "/usr/share/elasticsearch/bin/elasticsearch"]

The image is built successfully, and the expectation is that when this image runs it should allow me basic auth with the username elastic and the password provided above in ENV as elastic123, but that does not happen. It gives me the following response when trying to hit the cluster health API:

{
    "error": {
        "root_cause": [
            {
                "type": "security_exception",
                "reason": "unable to authenticate user [elastic] for REST request [/_cluster/health]",
                "header": {
                    "WWW-Authenticate": [
                        "Basic realm=\"security\", charset=\"UTF-8\"",
                        "ApiKey"
                    ]
                }
            }
        ],
        "type": "security_exception",
        "reason": "unable to authenticate user [elastic] for REST request [/_cluster/health]",
        "header": {
            "WWW-Authenticate": [
                "Basic realm=\"security\", charset=\"UTF-8\"",
                "ApiKey"
            ]
        }
    },
    "status": 401
}

I only need basic auth; there is no requirement for any kind of SSL.
I need urgent support, please: where am I going wrong in my configuration? Thanks in advance.

Hello,
Storing passwords as ARG or ENV is highly discouraged. Instead, consider removing the line that sets the password, and run the password reset tool after the image is running to obtain the password (the user is still the default elastic):

$ docker exec -it <container_name> /bin/bash
# once inside the container bash:
/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic

This will prompt you to verify your action, then it will display a password to the console.

Got your point @Justin_Castilla, but my requirement is that once the image is created and ready to be deployed, it should have a password set that is known on my side, as I have another application connecting to Elasticsearch via these credentials. So is there any other way around that?

Perhaps try an .env file and reference the password:

.env file:

ELASTIC_PASSWORD=elastic123

Dockerfile:

...
ENV ELASTIC_PASSWORD=$ELASTIC_PASSWORD
...

This is lifted from what I found here.

This is your problem.

The standard elasticsearch docker image uses a docker-specific entrypoint that implements the ELASTIC_PASSWORD behaviour.
You've configured your dockerfile to skip that entrypoint and run elasticsearch directly.

I don't think there's any reason for you to override the CMD here
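
A small lint for the two problems raised in this thread: a credential set through ENV or ARG, and a CMD/ENTRYPOINT override on top of the Elasticsearch image. This is an added example, not code from the posters or from Elastic; the rule names, the credential-name pattern and the "elasticsearch appears in FROM" check are assumptions made for illustration.

```python
import re

SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY", re.I)  # assumed heuristic

def instructions(text):
    """Yield (line_no, INSTRUCTION, args), joining backslash continuations."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = start or no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        word, _, args = (buf + line).partition(" ")
        yield start, word.upper(), args.strip()
        buf, start = "", 0

def env_names(args):
    """Names set by ENV/ARG: 'K=V K2=V2', legacy 'K V', or bare 'ARG K'."""
    first = args.split(None, 1)[0] if args else ""
    if "=" not in first:
        return [first] if first else []
    return re.findall(r'([A-Za-z_][\w.]*)=(?:"[^"]*"|\S*)', args)

def audit(text):
    """Return [(line_no, rule, detail)] for a Dockerfile's text."""
    findings, on_es = [], False
    for no, instr, args in instructions(text):
        if instr == "FROM":
            on_es = "elasticsearch" in args.lower()
        elif instr in ("ENV", "ARG"):
            # ENV/ARG values stay in image metadata (docker history / inspect).
            findings += [(no, "secret-in-image", n)
                         for n in env_names(args) if SECRET_NAME.search(n)]
        elif instr in ("CMD", "ENTRYPOINT") and on_es:
            # Per the thread: the override bypasses the ELASTIC_PASSWORD handling.
            findings.append((no, "startup-override", instr))
    return findings

SAMPLE = """\
FROM docker.elastic.co/elasticsearch/elasticsearch:8.15.0
ENV discovery.type=single-node
ENV ELASTIC_PASSWORD=elastic123
CMD ["/bin/bash", "-c", "/usr/share/elasticsearch/bin/elasticsearch"]
"""  # shortened copy of the Dockerfile from the question

if __name__ == "__main__":
    print(audit(SAMPLE))
```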

Thanks @Justin_Castilla and @TimV for your responses. @TimV, you were right: after removing the CMD line from my Dockerfile I was able to reset my password directly once I ran the built image. Thanks for the immediate support.