Registry Credentials
DockMon supports authentication with private container registries, enabling you to monitor and update containers from registries that require authentication.
- Registry credentials are encrypted using Fernet symmetric encryption before being stored in the database
- The encryption key is stored in /app/data/encryption.key within the Docker volume
- This protects against:
  - ✅ Accidental database dumps or exports
  - ✅ Database file being shared or backed up separately
  - ✅ Direct database access without the encryption key

Important: Understand these limitations before adding credentials:
- ❌ Does NOT protect against full container compromise - If an attacker gains access to both the database file AND the encryption key, they can decrypt credentials
- ❌ Does NOT protect against volume compromise - Both the database and encryption key are stored in the same Docker volume (/app/data)
- ❌ Does NOT protect against memory dumps - Credentials are decrypted in memory during update checks
To minimize security risks:
- Use read-only access tokens instead of passwords when possible
  - Most registries support creating tokens with pull-only permissions
  - This limits damage if credentials are compromised
- Use service accounts with minimal permissions
  - Don't use personal credentials
  - Create dedicated service accounts for DockMon
- Rotate credentials regularly
  - Change passwords/tokens periodically
  - Update credentials in DockMon settings after rotation
- Delete unused credentials promptly
  - Remove credentials when no longer needed
  - Reduce attack surface
- Secure your Docker volumes
  - Use proper file permissions
  - Regular backup security audits
  - Consider encrypted host volumes for sensitive environments
- Use Docker's config.json for high-security environments
  - Store credentials outside DockMon's database
  - Future feature: import from Docker config.json (planned)
DockMon works with any OCI-compliant container registry, including:
- Docker Hub (docker.io)
- GitHub Container Registry (ghcr.io)
- Google Container Registry (gcr.io)
- AWS Elastic Container Registry (ECR)
- Azure Container Registry (ACR)
- Harbor (self-hosted)
- Quay.io (Red Hat Quay)
- Self-hosted Docker Registry
- Any other OCI-compliant registry
To add credentials:
- Navigate to Settings → Container Updates
- Scroll to the Registry Credentials section
- Click Add Credential
- Fill in the form:
  - Registry URL: The registry hostname (e.g., ghcr.io, registry.example.com)
    - Do NOT include http:// or https:// - just the hostname
    - Include the port if non-standard (e.g., registry.example.com:5000)
  - Username: Your registry username or service account
  - Password: Your password or access token
- Click Create
| Registry | URL to Enter |
|---|---|
| Docker Hub | docker.io |
| GitHub Container Registry | ghcr.io |
| Google Container Registry | gcr.io |
| Harbor (custom) | harbor.example.com |
| Self-hosted Registry | registry.example.com:5000 |
Note: The registry URL is normalized to lowercase and protocols are stripped automatically.
To change username or password:
- Go to Settings → Container Updates → Registry Credentials
- Click the Edit icon (pencil) next to the credential
- Modify the username and/or enter a new password
- Click Update
Note: You cannot change the registry URL. If you need a different URL, delete the credential and create a new one.
To remove credentials:
- Go to Settings → Container Updates → Registry Credentials
- Click the Delete icon (trash) next to the credential
- Confirm deletion
Warning: After deletion, update checks for containers using this registry will fail if authentication is required.
When DockMon checks a container for updates:
- Extract registry from image name
  - Example: ghcr.io/user/app:latest → registry is ghcr.io
- Look up credentials
  - Query database for matching registry URL
  - If found, decrypt the password
- Authenticate with registry
  - Pass username and password to registry API
  - Obtain auth token (cached for 4 minutes)
- Check for updates
  - Query registry for latest image digest
  - Compare with current running image
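The "Authenticate with registry" and "Check for updates" steps, as an added Python example that is not DockMon's own code: it assumes the standard Docker Registry V2 bearer-token challenge flow (a 401 with a WWW-Authenticate header, then a token request to the realm) and the 4-minute cache the page describes. The challenge header, token and digests used in the comments are constructed sample values.

```python
# Added example, not DockMon code: registry bearer-token auth with a 4-minute
# token cache and the final digest comparison. Sample values are constructed.
import base64
import re
import time
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlencode

TOKEN_TTL_SECONDS = 4 * 60  # the page says auth tokens are cached for 4 minutes


def parse_bearer_challenge(header: str) -> Dict[str, str]:
    """Parse the WWW-Authenticate header a registry returns on an unauthenticated
    request, e.g. Bearer realm="https://ghcr.io/token",service="ghcr.io",scope="repository:user/app:pull"."""
    if not header.lower().startswith("bearer "):
        raise ValueError("registry did not issue a bearer challenge")
    return dict(re.findall(r'(\w+)="([^"]*)"', header[len("bearer "):]))


def token_request_url(challenge: Dict[str, str]) -> str:
    """Build the token endpoint URL; credentials are sent to this endpoint only."""
    params = {k: challenge[k] for k in ("service", "scope") if k in challenge}
    return challenge["realm"] + "?" + urlencode(params)


def basic_auth_header(username: str, password: str) -> str:
    """The decrypted credential as presented to the token endpoint (over HTTPS)."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


class TokenCache:
    """Per-registry/scope bearer tokens with a fixed TTL; the clock is injectable."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._entries: Dict[Tuple[str, str], Tuple[str, float]] = {}

    def get(self, registry: str, scope: str) -> Optional[str]:
        entry = self._entries.get((registry, scope))
        if entry is not None and self._now() < entry[1]:
            return entry[0]
        self._entries.pop((registry, scope), None)  # expired: never reuse it
        return None

    def put(self, registry: str, scope: str, token: str) -> None:
        self._entries[(registry, scope)] = (token, self._now() + TOKEN_TTL_SECONDS)


def update_available(running_digest: str, registry_digest: str) -> bool:
    """Compare the digest the registry reports with the running image's digest."""
    return running_digest.strip().lower() != registry_digest.strip().lower()
```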
Credentials are matched by exact registry URL:
- ✅ Image ghcr.io/user/app:latest matches credential for ghcr.io
- ✅ Image registry.example.com:5000/app:v1 matches registry.example.com:5000
- ❌ Image nginx:1.25 (Docker Hub) matches docker.io (must add Docker Hub credentials)
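The matching rules above as an added Python example (not DockMon's own code): the registry is taken from the image name with the standard Docker reference rule (the first path component is a registry only if it contains a dot or a colon or is "localhost", otherwise the image is on Docker Hub), and stored URLs are normalized as the form note describes (lowercase, scheme stripped). The credential list is a constructed in-memory sample.

```python
# Added example, not DockMon code: registry extraction and exact-URL credential matching.
from typing import Dict, List, Optional
from urllib.parse import urlsplit

DEFAULT_REGISTRY = "docker.io"  # bare names such as nginx:1.25 live on Docker Hub

# Constructed sample of what the credential store holds (passwords omitted).
SAMPLE_CREDENTIALS: List[Dict[str, str]] = [
    {"registry_url": "https://GHCR.io/", "username": "svc-dockmon"},
    {"registry_url": "registry.example.com:5000", "username": "robot$dockmon"},
]


def normalize_registry_url(raw: str) -> str:
    """Mirror the form note: drop http:// or https://, any path, and lowercase the host."""
    raw = raw.strip()
    if "://" in raw:
        raw = urlsplit(raw).netloc or raw
    return raw.split("/", 1)[0].lower()


def registry_from_image(image: str) -> str:
    """Docker reference rule: the first component before '/' is a registry only if it
    contains '.' or ':' or equals 'localhost'; otherwise the image is on docker.io."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return DEFAULT_REGISTRY


def find_credential(image: str, credentials: List[Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Exact match on the normalized registry URL, as the page describes."""
    registry = registry_from_image(image)
    for cred in credentials:
        if normalize_registry_url(cred["registry_url"]) == registry:
            return cred
    return None
```

Note that nginx:1.25 resolves to docker.io and finds nothing in the sample store, which is the ❌ case above.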
GitHub Container Registry (ghcr.io):
- Go to GitHub Settings → Developer settings → Personal access tokens
- Generate new token (classic)
- Select scopes: read:packages
- Copy the token
- In DockMon:
  - Registry URL: ghcr.io
  - Username: Your GitHub username
  - Password: Paste the token

Docker Hub (docker.io):
- Go to Docker Hub → Account Settings → Security
- Create New Access Token
- Select permissions: Public Repo Read-only (or appropriate level)
- Copy the token
- In DockMon:
  - Registry URL: docker.io
  - Username: Your Docker Hub username
  - Password: Paste the token

Harbor:
- Log in to Harbor web UI
- Go to User Profile → User Settings
- Copy CLI secret or create Robot Account
- In DockMon:
  - Registry URL: Your Harbor hostname
  - Username: Your Harbor username or robot account name
  - Password: CLI secret or robot account token
Symptoms: Container shows "Update check failed" or no update information
Possible causes:
- Incorrect credentials
  - Verify username and password are correct
  - Try logging in manually: docker login <registry>
- Wrong registry URL
  - Check the image name in container details
  - Ensure registry URL matches exactly (case-insensitive)
- Token expired
  - Some tokens have expiration dates
  - Generate new token and update credentials
- Insufficient permissions
  - Token needs read or pull permissions
  - Check token permissions in registry UI

Symptoms: Logs show "Failed to decrypt credentials"
Possible causes:
- Encryption key changed or deleted
  - If /app/data/encryption.key is deleted, credentials cannot be decrypted
  - You must re-add all credentials
- Database corruption
  - Restore from backup
  - Re-add credentials
Solution: Delete and re-create the affected credential.
Q: Should I add credentials for Docker Hub public images?
A: No, public images don't require authentication. However, Docker Hub has rate limits for anonymous users (100 pulls/6 hours). Adding credentials increases this to 200 pulls/6 hours for free accounts.
Q: Can I use the same credentials for multiple registries?
A: Each registry requires separate credentials. You cannot reuse credentials across registries.
Q: What happens if I lose the encryption key?
A: All encrypted credentials become unrecoverable. You must delete and re-create all credentials.
For automation or custom integrations:

List credentials:
```bash
curl -X GET https://dockmon.example.com/api/registry-credentials \
  -H "Cookie: session_id=..."
```

Create a credential:
```bash
curl -X POST https://dockmon.example.com/api/registry-credentials \
  -H "Cookie: session_id=..." \
  -H "Content-Type: application/json" \
  -d '{
    "registry_url": "ghcr.io",
    "username": "myuser",
    "password": "my_token_here"
  }'
```

Update a credential:
```bash
curl -X PUT https://dockmon.example.com/api/registry-credentials/1 \
  -H "Cookie: session_id=..." \
  -H "Content-Type: application/json" \
  -d '{
    "password": "new_token_here"
  }'
```

Delete a credential:
```bash
curl -X DELETE https://dockmon.example.com/api/registry-credentials/1 \
  -H "Cookie: session_id=..."
```

Note: Passwords are NEVER returned in API responses for security.
Planned features for future releases:
- Import from Docker config.json - Automatically detect and import credentials from Docker's config file
- Credential helpers support - Integration with Docker credential helpers (e.g., docker-credential-gcr)
- Per-host credentials - Different credentials for the same registry on different Docker hosts
- Credential testing - Test button to verify credentials work before saving
- Audit logging - Track credential access and usage

Related pages:
- Automatic Updates - Update detection and tracking modes
- Update Validation Policies - Validation rules for protected containers
- Security Best Practices - General security recommendations
Last updated: 2025-01-21