7.0 fails to generate config files for graylog container

[bglk21]

So I'm running a docker swarm with 3 nodes, using microceph for keep data available on all nodes.
Now I wanted to try and set up graylog 7.0 with the datanode container, but I keep runnning into the issue were the graylog container fails to generate any files in my bind mounted directories. It does however create directories. (config, contentpacks, journal, log, plugin).
I've found you have to set the permissions to user/group permissions to 1100:1100 with the permission map of 755, but despite this there are no files created. I've also tried to set root as the owner, but then I get an error saying it failed to create the directories, which makes sense.

Both the mongodb and datanodes do seem to work fine.

When looking at the graylog container logs I get:

2025-11-30T20:06:21.134596072Z main ERROR Reconfiguration failed: No configuration found for '73d4cc9e' at 'null' in 'null'
2025-11-30T20:06:21.255620465Z main INFO Added converter factory com.github.joschi.jadconfig.guava.GuavaConverterFactory@5a755cc1
2025-11-30T20:06:21.255950443Z main INFO Added converter factory com.github.joschi.jadconfig.jodatime.JodaTimeConverterFactory@49ff7d8c
2025-11-30T20:06:21.256235833Z main ERROR Couldn't load configuration: Properties file /usr/share/graylog/data/config/graylog.conf doesn't exist!

From what I understand graylog.conf should be auto generated by the envs I've set in my compose file.

So am I doing something wrong or is this a bug?

This is my docker compose:

networks:
  docker-proxy:
    name: docker-proxy
    external: true
  graylog_network:
    name: graylog_network

services:
  graylog-db:
    image: mongo:7.0
    volumes:
      - /mnt/cephfs/docker/graylog/db-data:/data/db
      - /mnt/cephfs/docker/graylog/db-config:/data/configdb
    networks:
      - graylog_network

  datanode:
    image: graylog/graylog-datanode:7.0.1
    hostname: "datanode"
    environment:
      # GRAYLOG_DATANODE_PASSWORD_SECRET and GRAYLOG_PASSWORD_SECRET MUST be the same value
      - GRAYLOG_DATANODE_PASSWORD_SECRET=${GRAYLOG_PASSWORD_SECRET}
      - GRAYLOG_DATANODE_MONGODB_URI=mongodb://graylog-db:27017/graylog
    ulimits:
      memlock:
        hard: -1
        soft: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - /mnt/cephfs/docker/graylog/datanode:/var/lib/graylog-datanode
      - /etc/localtime:/etc/localtime:ro
    networks:
      - graylog_network

  graylog:
    hostname: "server"
    image: graylog/graylog:7.0.1
    entrypoint: "/usr/bin/tini --  /docker-entrypoint.sh"
    depends_on:
      - graylog-db
      - datanode
    environment:
      - GRAYLOG_NODE_ID_FILE="/usr/share/graylog/data/data/node-id"
      - GRAYLOG_PASSWORD_SECRET=${GRAYLOG_PASSWORD_SECRET}
      - GRAYLOG_ROOT_PASSWORD_SHA2="${GRAYLOG_ROOT_PASSWORD_SHA2}"
      - GRAYLOG_HTTP_BIND_ADDRESS=0.0.0.0:9000
      - GRAYLOG_HTTP_EXTERNAL_URI=http://${WebGUIAddress}:9000/
      - GRAYLOG_MONGODB_URI=mongodb://graylog-db:27017/graylog
      - GRAYLOG_TZ=${TZ}
      - GRAYLOG_TIMEZONE=${TZ}
      - GRAYLOG_ROOT_TIMEZONE=${TZ}
      ### EMAIL ###
      - GRAYLOG_TRANSPORT_EMAIL_PROTOCOL=smtp
      - GRAYLOG_TRANSPORT_EMAIL_WEB_INTERFACE_URL=https://${WebGUIAddress}
      - GRAYLOG_TRANSPORT_EMAIL_HOSTNAME=${EmailServer}
      - GRAYLOG_TRANSPORT_EMAIL_ENABLED=true
      - GRAYLOG_TRANSPORT_EMAIL_PORT=465
      - GRAYLOG_TRANSPORT_EMAIL_USE_AUTH=true
      - GRAYLOG_TRANSPORT_EMAIL_AUTH_USERNAME=${GRAYLOG_EMAIL_USERNAME}
      - GRAYLOG_TRANSPORT_EMAIL_AUTH_PASSWORD=${GRAYLOG_EMAIL_PASSWORD}
      - GRAYLOG_TRANSPORT_EMAIL_USE_TLS=false
      - GRAYLOG_TRANSPORT_EMAIL_USE_SSL=true
      - GRAYLOG_TRANSPORT_FROM_EMAIL=${GRAYLOG_EMAIL_USERNAME}
      - GRAYLOG_TRANSPORT_SUBJECT_PREFIX=${GRAYLOG_TRANSPORT_SUBJECT_PREFIX}
    volumes:
      - /mnt/cephfs/docker/graylog/data:/usr/share/graylog/data:rw
      - /etc/localtime:/etc/localtime:ro
    networks:
      - docker-proxy
      - graylog_network
    deploy:
      replicas: 1
      labels:
      - traefik.enable=true # enable traefik
      - traefik.http.routers.graylog.rule=Host(`${WebGUIAddress}`)
      - traefik.http.routers.graylog.entrypoints=websecure # Define entry point
      - traefik.http.services.graylog.loadbalancer.server.port=9000
    ports:
      - 514:514/tcp   # Syslog 514 TCP
      - 514:514/udp   # Syslog 514 UDP

[napalmz]

The Graylog server path is different on given compose.
They map "graylog_data:/usr/share/graylog/data/data"
At first it seamed to me a typo.
But if current to "graylog_data:/usr/share/graylog/data" nothing works.

If I keep the /data/data path, I can reach the initial config but after that, nothing is inside my graylog_data volume, only the "node-id".
If I dive into the container, the internal path /usr/share/graylog/data contains all the stuff.
/usr/share/graylog/data/config contains the graylog.conf but it's not persistent nor correctly evaluated (the GRAYLOG_ROOT_PASSWORD_SHA2 is empty but it's valued on the environments).

I guess it's something related to path and volumes but I didn't figured out yet.

[lazyest]

any official opinion?

[lazyest]

I've removed any volumes mapping to allow graylog operate inside of container to see what will happen but
graylog-1 | 2025-12-03 05:53:23,711 ERROR: org.graylog2.bootstrap.CmdLineTool - Invalid configuration
graylog-1 | com.github.joschi.jadconfig.ValidationException: Parent path "/usr/share/graylog/data/data for Node ID file at "/usr/share/graylog/data/data/node-id" is not a directory

so I think this is something inside docker image itself. Can someone from inside bring some light on it?

PS: tried 7.0.0 and 7.0.1 both

[bglk21]

I've removed any volumes mapping to allow graylog operate inside of container to see what will happen but graylog-1 | 2025-12-03 05:53:23,711 ERROR: org.graylog2.bootstrap.CmdLineTool - Invalid configuration graylog-1 | com.github.joschi.jadconfig.ValidationException: Parent path "/usr/share/graylog/data/data for Node ID file at "/usr/share/graylog/data/data/node-id" is not a directory

so I think this is something inside docker image itself. Can someone from inside bring some light on it?

PS: tried 7.0.0 and 7.0.1 both

Have you tried 6.x, I’m thinking of trying that just to get it working.

[lazyest]

I've removed any volumes mapping to allow graylog operate inside of container to see what will happen but graylog-1 | 2025-12-03 05:53:23,711 ERROR: org.graylog2.bootstrap.CmdLineTool - Invalid configuration graylog-1 | com.github.joschi.jadconfig.ValidationException: Parent path "/usr/share/graylog/data/data for Node ID file at "/usr/share/graylog/data/data/node-id" is not a directory
so I think this is something inside docker image itself. Can someone from inside bring some light on it?
PS: tried 7.0.0 and 7.0.1 both

Have you tried 6.x, I’m thinking of trying that just to get it working.

6.0 had a bit different compose file but its working

[napalmz]

I managed to start graylog by manually editing graylog.conf inside container, basically it was missing data from env variables (salt and sha2 password).
Now it's working but it's no how is supposed to be.

[bglk21]

I managed to start graylog by manually editing graylog.conf inside container, basically it was missing data from env variables (salt and sha2 password). Now it's working but it's no how is supposed to be.
Could you post what settings you set in the conf file?

[napalmz]

I simply manually added the GRAYLOG_PASSWORD_SECRET and GRAYLOG_ROOT_PASSWORD_SHA2 to the /usr/share/graylog/data/config/graylog.conf
But, as I redeployed the whole stack, these became empty and I needed to do it again.
This is not a solution, we need something from the development team.
Thank you.

[leuchtrakete666]

i managed to start the swarm stack without errors. using volumes. i use glusterfs for my swarm. the glusterfs is mounted to $HOME/docker/persistence. with the driver_opts it's possible to link the local volume to a path on the shared filesystem. with this option you get easy local volumes on shared filesystems for swarm.

but the graylog container refuses to finish starting. i get an dockerexec: unhealthy container in docker stack ps

but the logs look perfect. no errors.

thats my volumes section:

volumes:
  mongodb_data:
    driver_opts:
      type: none
      device: "$HOME/docker/persistence/graylog/volumes/mongodb_data"
      o: bind
  mongodb_config:
    driver_opts:
      type: none
      device: "$HOME/docker/persistence/graylog/volumes/mongodb_config"
      o: bind
  graylog-datanode:
    driver_opts:
      type: none
      device: "$HOME/docker/persistence/graylog/volumes/graylog-datanode"
      o: bind
  graylog_data:
    driver_opts:
      type: none
      device: "$HOME/docker/persistence/graylog/volumes/graylog_data"
      o: bind

docker service logs graylog_graylog -f --raw

2026-01-16 21:38:02,077 INFO : org.graylog2.featureflag.ImmutableFeatureFlagsCollector - Following feature flags are used: {default properties file=[show_security_events_in_pedt=off, data_tiering_cloud=off, preflight_web=on, configurable_value_units=on, setup_mode=on, cloud_inputs=on, investigation_report_by_ai=on, show_executive_dashboard_page=off, collections=on, composable_index_templates=off, data_node_migration=on, remote_reindex_migration=off, instant_archiving=off, data_lake_search=on, widget_summary=on, threat_coverage=on, external_data_lake_search=on]}
2026-01-16 21:38:04,420 INFO : org.graylog2.bootstrap.CmdLineTool - Loaded plugin: AWS plugins 7.0.3+cf37d91 [org.graylog.aws.AWSPlugin]
2026-01-16 21:38:04,424 INFO : org.graylog2.bootstrap.CmdLineTool - Loaded plugin: Integrations 7.0.3+cf37d91 [org.graylog.integrations.IntegrationsPlugin]
2026-01-16 21:38:04,427 INFO : org.graylog2.bootstrap.CmdLineTool - Loaded plugin: Threat Intelligence Plugin 7.0.3+cf37d91 [org.graylog.plugins.threatintel.ThreatIntelPlugin]
2026-01-16 21:38:04,430 INFO : org.graylog2.bootstrap.CmdLineTool - Loaded plugin: Elasticsearch 7 Support 7.0.3+cf37d91 [org.graylog.storage.elasticsearch7.Elasticsearch7Plugin]
2026-01-16 21:38:04,432 INFO : org.graylog2.bootstrap.CmdLineTool - Loaded plugin: OpenSearch 2 Support 7.0.3+cf37d91 [org.graylog.storage.opensearch2.OpenSearch2Plugin]
2026-01-16 21:38:04,548 INFO : org.graylog2.bootstrap.CmdLineTool - Running with JVM arguments: -Dlog4j2.formatMsgNoLookups=true -Djdk.tls.acknowledgeCloseNotify=true -XX:+UnlockExperimentalVMOptions -XX:-OmitStackTraceInFastThrow -XX:+UseG1GC -Dlog4j.configurationFile=/usr/share/graylog/data/config/log4j2.xml -Dgraylog2.installation_source=docker
2026-01-16 21:38:05,227 INFO : org.mongodb.driver.client - MongoClient with metadata {"driver": {"name": "mongo-java-driver|legacy", "version": "5.6.1"}, "os": {"type": "Linux", "name": "Linux", "architecture": "amd64", "version": "6.8.0-90-generic"}, "platform": "Java/Eclipse Adoptium/21.0.9+10-LTS", "env": {"container": {"runtime": "docker"}}} created with settings MongoClientSettings{readPreference=primary, writeConcern=WriteConcern{w=null, wTimeout=null ms, journal=null}, retryWrites=true, retryReads=true, readConcern=ReadConcern{level=null}, credential=null, transportSettings=null, commandListeners=[], codecRegistry=ProvidersCodecRegistry{codecProviders=[ValueCodecProvider{}, BsonValueCodecProvider{}, DBRefCodecProvider{}, DBObjectCodecProvider{}, DocumentCodecProvider{}, CollectionCodecProvider{}, IterableCodecProvider{}, MapCodecProvider{}, GeoJsonCodecProvider{}, GridFSFileCodecProvider{}, Jsr310CodecProvider{}, JsonObjectCodecProvider{}, BsonCodecProvider{}, com.mongodb.client.model.mql.ExpressionCodecProvider@77865933, com.mongodb.Jep395RecordCodecProvider@480ad82c, com.mongodb.KotlinCodecProvider@4d18b73a, EnumCodecProvider{}]}, loggerSettings=LoggerSettings{maxDocumentLength=1000}, clusterSettings={hosts=[mongodb:27017], srvServiceName=mongodb, mode=SINGLE, requiredClusterType=UNKNOWN, requiredReplicaSetName='null', serverSelector='null', clusterListeners='[]', serverSelectionTimeout='30000 ms', localThreshold='15 ms'}, socketSettings=SocketSettings{connectTimeoutMS=10000, readTimeoutMS=0, receiveBufferSize=0, proxySettings=ProxySettings{host=null, port=null, username=null, password=null}}, heartbeatSocketSettings=SocketSettings{connectTimeoutMS=10000, readTimeoutMS=10000, receiveBufferSize=0, proxySettings=ProxySettings{host=null, port=null, username=null, password=null}}, connectionPoolSettings=ConnectionPoolSettings{maxSize=1000, minSize=0, maxWaitTimeMS=120000, maxConnectionLifeTimeMS=0, maxConnectionIdleTimeMS=0, maintenanceInitialDelayMS=0, maintenanceFrequencyMS=60000, connectionPoolListeners=[], maxConnecting=2}, serverSettings=ServerSettings{heartbeatFrequencyMS=10000, minHeartbeatFrequencyMS=500, serverMonitoringMode=AUTO, serverListeners='[]', serverMonitorListeners='[]'}, sslSettings=SslSettings{enabled=false, invalidHostNameAllowed=false, context=null}, applicationName='null', compressorList=[], uuidRepresentation=UNSPECIFIED, serverApi=null, autoEncryptionSettings=null, dnsClient=null, inetAddressResolver=null, contextProvider=null, timeoutMS=null}
2026-01-16 21:38:05,233 INFO : org.mongodb.driver.client - MongoClient with metadata {"driver": {"name": "mongo-java-driver|legacy", "version": "5.6.1"}, "os": {"type": "Linux", "name": "Linux", "architecture": "amd64", "version": "6.8.0-90-generic"}, "platform": "Java/Eclipse Adoptium/21.0.9+10-LTS", "env": {"container": {"runtime": "docker"}}} created with settings MongoClientSettings{readPreference=primary, writeConcern=WriteConcern{w=null, wTimeout=null ms, journal=null}, retryWrites=true, retryReads=true, readConcern=ReadConcern{level=null}, credential=null, transportSettings=null, commandListeners=[], codecRegistry=ProvidersCodecRegistry{codecProviders=[ValueCodecProvider{}, BsonValueCodecProvider{}, DBRefCodecProvider{}, DBObjectCodecProvider{}, DocumentCodecProvider{}, CollectionCodecProvider{}, IterableCodecProvider{}, MapCodecProvider{}, GeoJsonCodecProvider{}, GridFSFileCodecProvider{}, Jsr310CodecProvider{}, JsonObjectCodecProvider{}, BsonCodecProvider{}, com.mongodb.client.model.mql.ExpressionCodecProvider@77865933, com.mongodb.Jep395RecordCodecProvider@480ad82c, com.mongodb.KotlinCodecProvider@4d18b73a, EnumCodecProvider{}]}, loggerSettings=LoggerSettings{maxDocumentLength=1000}, clusterSettings={hosts=[mongodb:27017], srvServiceName=mongodb, mode=SINGLE, requiredClusterType=UNKNOWN, requiredReplicaSetName='null', serverSelector='null', clusterListeners='[]', serverSelectionTimeout='30000 ms', localThreshold='15 ms'}, socketSettings=SocketSettings{connectTimeoutMS=10000, readTimeoutMS=0, receiveBufferSize=0, proxySettings=ProxySettings{host=null, port=null, username=null, password=null}}, heartbeatSocketSettings=SocketSettings{connectTimeoutMS=10000, readTimeoutMS=10000, receiveBufferSize=0, proxySettings=ProxySettings{host=null, port=null, username=null, password=null}}, connectionPoolSettings=ConnectionPoolSettings{maxSize=1000, minSize=0, maxWaitTimeMS=120000, maxConnectionLifeTimeMS=0, maxConnectionIdleTimeMS=0, maintenanceInitialDelayMS=0, maintenanceFrequencyMS=60000, connectionPoolListeners=[], maxConnecting=2}, serverSettings=ServerSettings{heartbeatFrequencyMS=10000, minHeartbeatFrequencyMS=500, serverMonitoringMode=AUTO, serverListeners='[]', serverMonitorListeners='[]'}, sslSettings=SslSettings{enabled=false, invalidHostNameAllowed=false, context=null}, applicationName='null', compressorList=[], uuidRepresentation=UNSPECIFIED, serverApi=null, autoEncryptionSettings=null, dnsClient=null, inetAddressResolver=null, contextProvider=null, timeoutMS=null}
2026-01-16 21:38:05,291 INFO : org.mongodb.driver.cluster - Monitor thread successfully connected to server with description ServerDescription{address=mongodb:27017, type=STANDALONE, cryptd=false, state=CONNECTED, ok=true, minWireVersion=0, maxWireVersion=21, maxDocumentSize=16777216, logicalSessionTimeoutMinutes=30, roundTripTimeNanos=56688887, minRoundTripTimeNanos=0}
2026-01-16 21:38:05,478 INFO : org.graylog2.bootstrap.preflight.MongoDBPreflightCheck - Connected to MongoDB version 7.0.28
2026-01-16 21:38:07,159 INFO : org.mongodb.driver.client - MongoClient with metadata {"driver": {"name": "mongo-java-driver|legacy", "version": "5.6.1"}, "os": {"type": "Linux", "name": "Linux", "architecture": "amd64", "version": "6.8.0-90-generic"}, "platform": "Java/Eclipse Adoptium/21.0.9+10-LTS", "env": {"container": {"runtime": "docker"}}} created with settings MongoClientSettings{readPreference=primary, writeConcern=WriteConcern{w=null, wTimeout=null ms, journal=null}, retryWrites=true, retryReads=true, readConcern=ReadConcern{level=null}, credential=null, transportSettings=null, commandListeners=[], codecRegistry=ProvidersCodecRegistry{codecProviders=[ValueCodecProvider{}, BsonValueCodecProvider{}, DBRefCodecProvider{}, DBObjectCodecProvider{}, DocumentCodecProvider{}, CollectionCodecProvider{}, IterableCodecProvider{}, MapCodecProvider{}, GeoJsonCodecProvider{}, GridFSFileCodecProvider{}, Jsr310CodecProvider{}, JsonObjectCodecProvider{}, BsonCodecProvider{}, com.mongodb.client.model.mql.ExpressionCodecProvider@77865933, com.mongodb.Jep395RecordCodecProvider@480ad82c, com.mongodb.KotlinCodecProvider@4d18b73a, EnumCodecProvider{}]}, loggerSettings=LoggerSettings{maxDocumentLength=1000}, clusterSettings={hosts=[mongodb:27017], srvServiceName=mongodb, mode=SINGLE, requiredClusterType=UNKNOWN, requiredReplicaSetName='null', serverSelector='null', clusterListeners='[]', serverSelectionTimeout='30000 ms', localThreshold='15 ms'}, socketSettings=SocketSettings{connectTimeoutMS=10000, readTimeoutMS=0, receiveBufferSize=0, proxySettings=ProxySettings{host=null, port=null, username=null, password=null}}, heartbeatSocketSettings=SocketSettings{connectTimeoutMS=10000, readTimeoutMS=10000, receiveBufferSize=0, proxySettings=ProxySettings{host=null, port=null, username=null, password=null}}, connectionPoolSettings=ConnectionPoolSettings{maxSize=1000, minSize=0, maxWaitTimeMS=120000, maxConnectionLifeTimeMS=0, maxConnectionIdleTimeMS=0, maintenanceInitialDelayMS=0, maintenanceFrequencyMS=60000, connectionPoolListeners=[], maxConnecting=2}, serverSettings=ServerSettings{heartbeatFrequencyMS=10000, minHeartbeatFrequencyMS=500, serverMonitoringMode=AUTO, serverListeners='[]', serverMonitorListeners='[]'}, sslSettings=SslSettings{enabled=false, invalidHostNameAllowed=false, context=null}, applicationName='null', compressorList=[], uuidRepresentation=UNSPECIFIED, serverApi=null, autoEncryptionSettings=null, dnsClient=null, inetAddressResolver=null, contextProvider=null, timeoutMS=null}
2026-01-16 21:38:07,166 INFO : org.mongodb.driver.client - MongoClient with metadata {"driver": {"name": "mongo-java-driver|legacy", "version": "5.6.1"}, "os": {"type": "Linux", "name": "Linux", "architecture": "amd64", "version": "6.8.0-90-generic"}, "platform": "Java/Eclipse Adoptium/21.0.9+10-LTS", "env": {"container": {"runtime": "docker"}}} created with settings MongoClientSettings{readPreference=primary, writeConcern=WriteConcern{w=null, wTimeout=null ms, journal=null}, retryWrites=true, retryReads=true, readConcern=ReadConcern{level=null}, credential=null, transportSettings=null, commandListeners=[], codecRegistry=ProvidersCodecRegistry{codecProviders=[ValueCodecProvider{}, BsonValueCodecProvider{}, DBRefCodecProvider{}, DBObjectCodecProvider{}, DocumentCodecProvider{}, CollectionCodecProvider{}, IterableCodecProvider{}, MapCodecProvider{}, GeoJsonCodecProvider{}, GridFSFileCodecProvider{}, Jsr310CodecProvider{}, JsonObjectCodecProvider{}, BsonCodecProvider{}, com.mongodb.client.model.mql.ExpressionCodecProvider@77865933, com.mongodb.Jep395RecordCodecProvider@480ad82c, com.mongodb.KotlinCodecProvider@4d18b73a, EnumCodecProvider{}]}, loggerSettings=LoggerSettings{maxDocumentLength=1000}, clusterSettings={hosts=[mongodb:27017], srvServiceName=mongodb, mode=SINGLE, requiredClusterType=UNKNOWN, requiredReplicaSetName='null', serverSelector='null', clusterListeners='[]', serverSelectionTimeout='30000 ms', localThreshold='15 ms'}, socketSettings=SocketSettings{connectTimeoutMS=10000, readTimeoutMS=0, receiveBufferSize=0, proxySettings=ProxySettings{host=null, port=null, username=null, password=null}}, heartbeatSocketSettings=SocketSettings{connectTimeoutMS=10000, readTimeoutMS=10000, receiveBufferSize=0, proxySettings=ProxySettings{host=null, port=null, username=null, password=null}}, connectionPoolSettings=ConnectionPoolSettings{maxSize=1000, minSize=0, maxWaitTimeMS=120000, maxConnectionLifeTimeMS=0, maxConnectionIdleTimeMS=0, maintenanceInitialDelayMS=0, maintenanceFrequencyMS=60000, connectionPoolListeners=[], maxConnecting=2}, serverSettings=ServerSettings{heartbeatFrequencyMS=10000, minHeartbeatFrequencyMS=500, serverMonitoringMode=AUTO, serverListeners='[]', serverMonitorListeners='[]'}, sslSettings=SslSettings{enabled=false, invalidHostNameAllowed=false, context=null}, applicationName='null', compressorList=[], uuidRepresentation=UNSPECIFIED, serverApi=null, autoEncryptionSettings=null, dnsClient=null, inetAddressResolver=null, contextProvider=null, timeoutMS=null}
2026-01-16 21:38:07,166 INFO : org.mongodb.driver.cluster - Monitor thread successfully connected to server with description ServerDescription{address=mongodb:27017, type=STANDALONE, cryptd=false, state=CONNECTED, ok=true, minWireVersion=0, maxWireVersion=21, maxDocumentSize=16777216, logicalSessionTimeoutMinutes=30, roundTripTimeNanos=7065693, minRoundTripTimeNanos=0}
2026-01-16 21:38:07,189 INFO : org.mongodb.driver.cluster - Waiting for server to become available for operation { ping: 1 } with ID 12. Remaining time: 29988 ms. Selector: ReadPreferenceServerSelector{readPreference=primary}, topology description: {type=UNKNOWN, servers=[{address=mongodb:27017, type=UNKNOWN, state=CONNECTING}].
2026-01-16 21:38:07,804 INFO : org.graylog2.configuration.IndexerDiscoveryProvider - No indexer hosts configured, using fallback http://127.0.0.1:9200
2026-01-16 21:38:09,099 INFO : org.graylog2.bootstrap.ServerBootstrap - Running 2 migrations of type PREFLIGHT...
2026-01-16 21:38:09,169 INFO : org.graylog2.bootstrap.ServerBootstrap - Fresh installation detected, starting configuration webserver
2026-01-16 21:38:09,172 INFO : org.graylog2.shared.initializers.PeriodicalsService - Starting 3 periodicals ...
2026-01-16 21:38:09,173 INFO : org.graylog2.periodical.Periodicals - Starting [org.graylog2.bootstrap.preflight.GraylogCertificateProvisioningPeriodical] periodical in [2s], polling every [2s].
2026-01-16 21:38:09,174 INFO : org.graylog2.periodical.Periodicals - Starting [org.graylog2.events.ClusterEventPeriodical] periodical in [0s], polling every [1s].
2026-01-16 21:38:09,175 INFO : org.graylog2.periodical.Periodicals - Starting [org.graylog2.events.ClusterEventCleanupPeriodical] periodical in [0s], polling every [86400s].
2026-01-16 21:38:10,597 INFO : org.hibernate.validator.internal.util.Version - HV000001: Hibernate Validator 9.0.1.Final
2026-01-16 21:38:11,287 INFO : org.glassfish.grizzly.http.server.NetworkListener - Started listener bound to [0.0.0.0:9000]
2026-01-16 21:38:11,293 INFO : org.glassfish.grizzly.http.server.HttpServer - [HttpServer] Started.
2026-01-16 21:38:11,301 INFO : org.graylog2.bootstrap.preflight.PreflightJerseyService - 
                                                             ---
                                                             ---
                                                             ---
    ########  ###   ######### ##########   ####         #### ---         .----               ----
  ###############   ###################### #####       ####  ---      ------------       .----------- --
 #####     ######   #####              #### ####      ####   ---     ---        ---     ---        -----
####         ####   ####       ############  ####     ####   ---    --           ---   ---           ---
###           ###   ####     ##############   ####   ####    ---   ---            --   --             --
####         ####   ####    ####       ####    #### ####     ---   ---            --   --            .--
#####       #####   ####    ####       ####     #######      ---    ---          ---   ---           ---
 ################   ####     ##############     ######-       --     ----      ----      ---       -----
   ##############   ####      #############      #####        -----   -----------         ----------  --
             ####                                ####                                                ---
#####       ####                                ####                                     -          .--
  #############                                ####                                     -----     ----
     ######                                   ####                                          -------

========================================================================================================

It seems you are starting Graylog for the first time. To set up a fresh install, a setup interface has
been started. You must log in to it to perform the initial configuration and continue.

Initial configuration is accessible at 0.0.0.0:9000, with username 'admin' and password 'IXkXYheOSd'.
Try clicking on http://admin:IXkXYheOSd@0.0.0.0:9000

========================================================================================================

docker service ps graylog_graylog --no-trunc

ID                          NAME                    IMAGE                                                                                           NODE            DESIRED STATE   CURRENT STATE                 ERROR                                                          PORTS
tvwb2enw9kovr1xu0jxniambl   graylog_graylog.1       graylog/graylog:7.0.3@sha256:9c84d97480b1bedcb0751e01e8bdc4998ae1d4161c34678d0e173c4d91de32bd   prx1-swarm-w1   Running         Starting about a minute ago                                                                  
47hpg9wwlhvx1fgfg0erdqvtr    \_ graylog_graylog.1   graylog/graylog:7.0.3@sha256:9c84d97480b1bedcb0751e01e8bdc4998ae1d4161c34678d0e173c4d91de32bd   prx1-swarm-w1   Shutdown        Failed about a minute ago     "task: non-zero exit (143): dockerexec: unhealthy container"   
wui2pd95qq0d7usv90y95wo4t    \_ graylog_graylog.1   graylog/graylog:7.0.3@sha256:9c84d97480b1bedcb0751e01e8bdc4998ae1d4161c34678d0e173c4d91de32bd   prx1-swarm-w1   Shutdown        Failed 3 minutes ago          "task: non-zero exit (143): dockerexec: unhealthy container"   
lzmrmo94chpbi5nwp1s9j56fh    \_ graylog_graylog.1   graylog/graylog:7.0.3@sha256:9c84d97480b1bedcb0751e01e8bdc4998ae1d4161c34678d0e173c4d91de32bd   prx1-swarm-w1   Shutdown        Failed 5 minutes ago          "task: non-zero exit (143): dockerexec: unhealthy container"   
l8nc6pecue4mjz1c3nsu94zvm    \_ graylog_graylog.1   graylog/graylog:7.0.3@sha256:9c84d97480b1bedcb0751e01e8bdc4998ae1d4161c34678d0e173c4d91de32bd   prx1-swarm-w1   Shutdown        Failed 7 minutes ago          "task: non-zero exit (143): dockerexec: unhealthy container"   

[boomam]

Coming up against this issue myself, too.

Hopefully we'll get a response/recognition of the issue soon.

[bernd]

@bglk21 There are two problems in your Docker Compose file.

  graylog:
    hostname: "server"
[...]
    environment:
      - GRAYLOG_NODE_ID_FILE="/usr/share/graylog/data/data/node-id"
      #                       ^-- Problem 1 ----------------------^
      - GRAYLOG_PASSWORD_SECRET=${GRAYLOG_PASSWORD_SECRET}
      - GRAYLOG_ROOT_PASSWORD_SHA2="${GRAYLOG_ROOT_PASSWORD_SHA2}"
      #                            ^-- Problem 1 ----------------^
      - GRAYLOG_HTTP_BIND_ADDRESS=0.0.0.0:9000
    volumes:
      - /mnt/cephfs/docker/graylog/data:/usr/share/graylog/data:rw
      # ^-- Problem 2 ----------------^
      - /etc/localtime:/etc/localtime:ro

Problem 1: Quoting

You are using quotes in the environment section. The quotes are literally exported into the container's environment.

Solution 1

Remove the quotes from GRAYLOG_NODE_ID_FILE and GRAYLOG_ROOT_PASSWORD_SHA2.

    environment:
      - GRAYLOG_NODE_ID_FILE=/usr/share/graylog/data/data/node-id
      - GRAYLOG_PASSWORD_SECRET=${GRAYLOG_PASSWORD_SECRET}
      - GRAYLOG_ROOT_PASSWORD_SHA2=${GRAYLOG_ROOT_PASSWORD_SHA2}

Solution 2

Use the object syntax to specify the environment variables.

    environment:
      GRAYLOG_NODE_ID_FILE: "/usr/share/graylog/data/data/node-id"
      GRAYLOG_PASSWORD_SECRET: "${GRAYLOG_PASSWORD_SECRET}"
      GRAYLOG_ROOT_PASSWORD_SHA2: "${GRAYLOG_ROOT_PASSWORD_SHA2}"

Problem 2: Bind mount vs volume mount

You use a bind mount instead of a volume mount. Volume mounts preserve existing data in the directories; bind mounts don't.

If you mount an empty volume into a directory in the container in which files or directories exist, these files or directories are propagated (copied) into the volume by default.

See: https://docs.docker.com/engine/storage/volumes/#mounting-a-volume-over-existing-data

If you bind mount file or directory into a directory in the container in which files or directories exist, the pre-existing files are obscured by the mount.

See: https://docs.docker.com/engine/storage/bind-mounts/#bind-mounting-over-existing-data

The Graylog container image has the following files in /usr/share/graylog/data:

• /usr/share/graylog/data/config/graylog.conf
• /usr/share/graylog/data/config/log4j2.xml

When you use a volume like graylog-data:/usr/share/graylog/data, Docker will copy existing files in /usr/share/graylog/data into the volume on startup.

When you use a bind mount like /mnt/cephfs/docker/graylog/data:/usr/share/graylog/data:rw Docker does not copy existing files to the bind mount.

So, in your case, you are "hiding" the existing (and required) graylog.conf and log4j2.xml files. That's why you get the ERROR Couldn't load configuration: Properties file /usr/share/graylog/data/config/graylog.conf doesn't exist! error.

The volume definition in #99 (comment) is a workaround for that behavior. You tell Docker to use a bind volume instead of a bind mount.

It's confusing.

Unfortunately, our image doesn't handle the two different mount types well. The image shouldn't rely on the volume mount behavior of copying the existing files into the new volume.

As noted in #99 (comment), our example Docker Compose files are wrong, too. We will get that fixed.

We will also work on improving the images to ensure data persistence behaves the same for both persistence options. But we have to be careful not to break existing setups.