Nerdctl client sometimes wants both a populated auths field when credsStore gives credentials

[ericpromislow]

Description

A Rancher Desktop user can get into a state where when they run nerdctl run SOME_IMAGE, they see the error message

FATA[0000] expected ac.ServerAddress ("") to be "https://index.docker.io/v1/"

This was exposed when PR #1270 was merged into master.

Steps to reproduce the issue

1. Run Rancher Desktop 1.5.0 after an install or FactoryReset (or delete /root/.docker/config.json on the VM)
2. Choose moby/docker mode
3. docker login
4. Switch to containerd/nerdctl
5. nerdctl pull busybox

This triggers the above error message

Describe the results you received and expected

I expected to see an image get pulled.

FATA[0000] expected ac.ServerAddress ("") to be "https://index.docker.io/v1/"

What version of nerdctl are you using?

0.22.0

Are you using a variant of nerdctl? (e.g., Rancher Desktop)

Rancher Desktop for macOS

Host information

Client:
 Namespace:	default
 Debug Mode:	false

Server:
 Server Version: v1.6.6
 Storage Driver: overlayfs
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Log: fluentd journald json-file
  Storage: native overlayfs
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 5.15.57-0-virt
 Operating System: Alpine Linux v3.16
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 3.846GiB
 Name: lima-rancher-desktop
 ID: d28cfc71-d41b-4077-891c-c78648e76494

[fahedouch]

Why you expect uname -a , what is the relation ?

[ericpromislow]

Actually, uname -a had nothing to do with it. It's just a matter of running the code at dockerconfigresolver.NewAuthCreds

[ericpromislow]

We have more of a repro:

# Run Rancher Desktop in docker/moby mode
$ docker login ...
# Switch to containerd
$ nerdctl pull busybox

Even then it depends on the state of /root/.docker/config.json on the Rancher Desktop VM

I think the error happens when I see this from a linux host:

$ cat /root/.docker/config.json
{
"auths": {},
"credsStore": "pass"
}

and ~/.password/docker-credential-helpers has a dir that's base64 for https://index.docker.io/v1/

The problem is that ac.Username and ac.Password are correctly retrieved via pass, but the config-file loader reports that ac.ServerAddress is the empty string, possibly because of the empty auths hash in the above config.json.

Now.... all of the code called by ac, err := dockerConfigFile.GetAuthConfig(authConfigHostname) is in the github.com/docker/cli@.../cli/config/ subtree, which means the Docker CLI probably runs this same code and doesn't get confused.

So I would guess that the interpretation is incorrect -- if we have a username & password for the well-known docker serverAddress, we don't need a serverAddress from the config resolution.