Document how to initialize docker-credentials-pass #102
Hi. I'm sorry for my English. After spending some time, I was able to set up the credential store, and maybe my experience will help you. I used Ubuntu 18.04 and did all actions as the root user.
I'm not a guru on Unix-based OSes and some actions can be done better. I hope someone will help improve my answer.
@pasih, here is what I did to get my docker client working with docker-credentials-pass. I have slight variations from what @Ayrat-Kh did.
References:
Another slight variation, as I needed to use /dev/urandom
I had to follow these steps of @Ayrat-Kh's to get
If the passphrase is not empty while generating the gpg key, I got the following error message when running
The error was thrown by pass_linux.go#L64, which the script is trying to run
It is caused by a prompt popping up to ask for the passphrase; since there is no input, the error message appears. Thus, entering the passphrase by running the command above manually could temporarily solve the problem.
@nathanfiscus thanks for the steps mentioned in #102 (comment), I didn't find it very clear from the docs at 👍 ❤️
@nathanfiscus Excellent. Thanks for the steps. I would like to handle entering the passphrase through a bash script for the following command.
If you follow this guide and somehow you can't generate a gpg key because the gpg process is hanging, please install
@Ayrat-Kh Sorry, but where did you get this "secret knowledge" from?)
Hi, using Fedora 28 and Docker version 18.09.0, build 4d60db4.
Here's my output after @Ayrat-Kh's steps: pass list
pass show docker-credential-helpers/docker-pass-initialized-check
I see the plan is to add pass as default docker-archive/docker-ce@9337e13 but right now I can't get it working
any ideas? @n4ss
@jmliz I was able to solve this by running
and then not setting a passphrase. I just left it empty. It has been working since.
@makville I'm still getting the same error with an empty passphrase.
I'm getting the same error. I followed the steps for docker-credential-helper; they worked the first time, but after restarting the computer the same behavior continues, even if I retrace the steps for generating keys and docker login, as soon as I hit
@jmliz @dabio I just experienced the same problem as you. Once I restarted the server it was all back to square one again. Oh well.
@makville restarting doesn't help. I was never able to get it working in the first place.
This plugin doesn't even have proper documentation. No contributor ever replied to this issue.
Those of you still having issues might try one of these below. I haven't looked through all the code for docker-credential-pass, but I think that the plugin is not properly triggering the gpg-agent (in all instances) that pass uses to login to and decrypt the store. Essentially the password store is locking after the default 10 minutes. I have two workarounds for this until/if the issue gets fixed:
That is 400 days. This obviously is just as insecure as using the default plain text file, but gets around the warning. You will have to trigger this the first time and after 400 days or whatever you set.
I put this in my Usage would be something like:
@nathanfiscus I don't understand when you say "Essentially the password store is locking after the default 10 minutes". I immediately try to log in after I set up pass and it doesn't work. I will give it a try though.
I also have issues using this even immediately after running In my case I can run Maybe it depends on the version of Docker you are running? Newer versus older? I have:
In my case I am building everything but Docker and GnuPG, as I am trying to get this working on a CoreOS Linux system.
I figured out the issue in my case. This still feels a bit like a bug, but of a different sort. Using docker login against a registry that does not currently support auth (we are turning it on in a few days after some testing) works fine. It seems to log you in no matter what you use as the username/password, but docker logout breaks: as no credential is stored during login, when you log out and it tries to delete the credential, you get an error saying that the credential delete failed.
@spkane how can login work if you don't have authentication? I'm not aware of docker internals, but that sounds strange. Nothing has worked so far for me.
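The logout failure described in the comment above comes from the credential-helper protocol docker uses: `docker logout` calls the helper's erase action, and a helper with nothing stored for that server reports an error. The following is an added example, not code from docker-credential-helpers; it models the four helper actions (store, get, erase, list) against an in-memory dict standing in for the pass store, with the path layout `docker-credential-helpers/<base64url(server)>/<username>` and the "credentials not found" message assumed from how the pass helper behaves.

```python
import base64
import json

PASS_FOLDER = "docker-credential-helpers"  # top-level pass folder the helper uses (assumed)
NOT_FOUND = "credentials not found in native keychain"  # helper error text (assumed)


class PassLikeHelper:
    """In-memory stand-in for docker-credential-pass, constructed for this example."""

    def __init__(self):
        # pass entry path -> secret; in the real helper each entry is a gpg-encrypted file
        self.entries = {}

    @staticmethod
    def _folder(server_url):
        # each registry lives under a base64url-encoded copy of its server URL
        return f"{PASS_FOLDER}/{base64.urlsafe_b64encode(server_url.encode()).decode()}"

    def store(self, payload):
        creds = json.loads(payload)  # docker pipes {"ServerURL","Username","Secret"} on stdin
        self.entries[f"{self._folder(creds['ServerURL'])}/{creds['Username']}"] = creds["Secret"]

    def get(self, server_url):
        server_url = server_url.strip()  # docker pipes the bare server URL on stdin
        folder = self._folder(server_url)
        for path, secret in self.entries.items():
            if path.startswith(folder + "/"):
                return {"ServerURL": server_url, "Username": path.rsplit("/", 1)[1], "Secret": secret}
        raise LookupError(NOT_FOUND)

    def erase(self, server_url):
        folder = self._folder(server_url.strip())
        victims = [p for p in self.entries if p.startswith(folder + "/")]
        if not victims:
            raise LookupError(NOT_FOUND)  # the `docker logout` failure from the thread
        for p in victims:
            del self.entries[p]

    def list(self):
        out = {}
        for path in self.entries:
            _, enc, user = path.split("/", 2)
            out[base64.urlsafe_b64decode(enc).decode()] = user
        return out


def logout_without_login(registry="https://registry.example.test"):
    """Reproduce logout against a registry that never stored a credential (fresh store)."""
    helper = PassLikeHelper()
    try:
        helper.erase(registry)
    except LookupError as err:
        return str(err)
    return "erase unexpectedly succeeded"
```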
We're going to be coming up on the 4 year anniversary of this issue soon. When is this going to be added to the official docs? People are linking to this issue as a tutorial.
You're not a guru but still helping.
You saved my life. Thank you so much.
You are welcome, brother! And good thing you read my solution. Keep up the good work! :)
Took me an hour to find this thread after going through the official docs for docker and pass, and nothing worked except this thread.
Please note that all
I mistakenly deleted the GPG key that I used for docker desktop login. I had passed it in
I still can't log in to docker, and the error is Error saving credentials: error storing credentials - err: exit status 1, out:
Fellow users, does anyone know what the credential helper actually does when used with pass? I was expecting it to store my password, but after following the instructions above I'm required to log in to docker and enter the registry password every time I have a new ssh session. Maybe that's exactly what it is intended to do - keep credentials cached in memory until reconnect - I can confirm that they are no longer stored in config.json, but surely, they would not need
The purpose is to make sure your password is not stored in a plain text file like config.json. If you don't want to enter a password for ssh, just don't use a password for your ssh key, although this is less secure, so I recommend continuing to use your password for ssh.
The ssh password is out of the picture; I do not believe it has anything to do at all with the docker-credential-pass helper. I was referring to the docker registry password, not sure why it needs to be entered every time after re-establishing an ssh session.
Does anyone else find it odd that to plug this "plain-text password security hole" you are in some back-alley github issue copy/pasting bash code to download rando unsigned binary code, make it executable, and add it to your path? Here's another option
@MichaelJCole you might have got it wrong: this is not "some back-alley GitHub issue" - this is the official docker credential helper repository hosted under the docker organisation. And it is not "rando unsigned binary code", it is the official binaries of the said repository. What you linked is not an option if you do not want unencrypted credentials, and most people who end up here do not want that.
Thank you so much
Edit: Fixed. I have a hunch this might not be the correct repo to ask this question, but here goes anyway. I've searched this repo and the web for similar questions but haven't been able to find any. I have experimented with Docker Desktop on Arch following the Docker documentation:
Everything is working fine except credential verification. I'm able to log in manually by following the instructions in this comment with
I have Does anyone know how I can make
I was able to solve my problem above. The With the fix above,
These kinds of thorough / clear / super helpful responses never fail to strengthen my faith in humankind. Thank you!
If for some reason, after installing export GPG_TTY=$(tty)
Now it still works
For me (Ubuntu 20.04) the .docker config directory is located at
For Linux users who are lazy enough to manually install:

```bash
sudo curl -o /usr/bin/docker-credential-pass -L "$(curl -s https://api.github.com/repos/docker/docker-credential-helpers/releases/latest | grep browser_download_url | grep docker-credential-pass | grep linux-amd64 | cut -d '"' -f 4)"; sudo chmod a+x /usr/bin/docker-credential-pass
```
Great!!! You helped me a lot!!! Thank you very much for your contribution!
I believe this is obsolete?
Should we be using gpg2?
I see some references to "Your name", some to the This is my solution (part of this gist):

```bash
#!/bin/bash
set -exu
set -o pipefail
# Based on https://github.com/docker/docker-credential-helpers/issues/102
# Check for sudo
if [[ $EUID -eq 0 ]]; then
    echo "This script must not be run as root"
    exit 1
fi
# vars
arch=$(dpkg --print-architecture)
rel=$(. /etc/os-release && echo "$VERSION_CODENAME")
# Install docker if needed
if ! command -v docker > /dev/null; then
    docker_gpg_path="/etc/apt/keyrings/docker.gpg"
    sudo install -m 0755 -d "$(dirname "$docker_gpg_path")"
    curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --yes --dearmor -o "$docker_gpg_path"
    sudo chmod a+r "$docker_gpg_path"
    echo "deb [arch=$arch signed-by=$docker_gpg_path] https://download.docker.com/linux/ubuntu $rel stable" | \
        sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
    sudo apt-get update
    sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
fi
# Add user to docker group
sudo groupadd docker || true
sudo usermod -aG docker "$USER"
# newgrp would open an interactive subshell and stall the script; sg runs one command with the new group
sg docker -c "docker run hello-world"
# Install dependencies for securing docker credentials
sudo apt-get update
sudo apt-get install -y ca-certificates gnupg gnupg2 pass
# Install docker-credential-pass
docker_creds_pass_version="v0.8.0"
docker_creds_pass_url="https://github.com/docker/docker-credential-helpers/releases/download/$docker_creds_pass_version/docker-credential-pass-$docker_creds_pass_version.linux-$arch"
docker_creds_pass_path="/usr/local/bin/docker-credential-pass"
sudo wget "$docker_creds_pass_url" -O "$docker_creds_pass_path"
sudo chown "$USER" "$docker_creds_pass_path"
sudo chmod u+x "$docker_creds_pass_path"
# Make docker use the docker-credential-pass
# The docker CLI reads ~/.docker/config.json (a directory, not a dotted file name)
docker_config_path="$HOME/.docker/config.json"
docker_creds_config='"credsStore": "pass"'
mkdir -p "$(dirname "$docker_config_path")"
if [[ -f "$docker_config_path" ]]; then
    if ! grep -qF "$docker_creds_config" "$docker_config_path"; then
        # Append to config: insert the key right after the first opening brace
        sed -i "0,/{/s|{|{\n\t$docker_creds_config,|" "$docker_config_path"
    fi
else
    # Create config
    printf "{\n\t$docker_creds_config\n}\n" > "$docker_config_path"
fi
# Generate GPG key and add to pass (the fingerprint line is the only line that is all alphanumerics)
gpg_id=$(gpg2 --generate-key | grep -oP '^\s*\K[[:alnum:]]+$')
pass init "$gpg_id"
docker-credential-pass list >/dev/null # errors out if not setup properly
# Enable TTY pinentry when there is no display
# https://superuser.com/questions/520980/how-to-force-gpg-to-use-console-mode-pinentry-to-prompt-for-passwords
tty_comment="\n# Enable TTY pinentry for GPG password when there is no display\n"
fish_tty_cmd='set -gx GPG_TTY $(tty)'
fish_config_path="$HOME/.config/fish/config.fish"
bash_tty_cmd='export GPG_TTY=$(tty)'
bash_config_path="$HOME/.bashrc"
mkdir -p "$(dirname "$fish_config_path")"
touch "$fish_config_path" "$bash_config_path"
if ! grep -qF "$fish_tty_cmd" "$fish_config_path"; then
    printf "${tty_comment}${fish_tty_cmd}\n" >> "$fish_config_path"
fi
if ! grep -qF "$bash_tty_cmd" "$bash_config_path"; then
    printf "${tty_comment}${bash_tty_cmd}\n" >> "$bash_config_path"
fi
```
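The script above patches `credsStore` into config.json with sed, which only works when the file starts with a bare `{` and silently leaves any base64 `user:password` blobs that an earlier `docker login` wrote under `auths`. The following is an added example (not part of the gist or of docker's own tooling) that does the same step JSON-aware: it creates or updates `~/.docker/config.json`, sets `"credsStore": "pass"`, clears any plaintext `auth` entries and returns their server URLs so you know which registries to log in to again through pass. The temp-dir round trip in `demo()` is constructed for this example.

```python
import json
import os
import tempfile


def enable_pass_store(config_path):
    """Set "credsStore": "pass" in a docker config.json, creating it if absent.

    Returns (written_config, servers_that_had_plaintext_auth). Other keys
    (proxies, HttpHeaders, ...) are preserved; the file is written atomically
    with mode 0600 since docker stores the server list there.
    """
    cfg = {}
    if os.path.exists(config_path):
        with open(config_path, encoding="utf-8") as fh:
            content = fh.read().strip()
        cfg = json.loads(content) if content else {}
    auths = cfg.get("auths", {})
    plaintext = sorted(server for server, entry in auths.items() if entry.get("auth"))
    cfg["credsStore"] = "pass"
    for server in plaintext:
        # drop the base64 user:password blob; the secret must now live in pass
        auths[server] = {}
    os.makedirs(os.path.dirname(config_path) or ".", exist_ok=True)
    tmp = config_path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        json.dump(cfg, fh, indent="\t")
        fh.write("\n")
    os.chmod(tmp, 0o600)
    os.replace(tmp, config_path)  # atomic swap so a crash never leaves a half-written file
    return cfg, plaintext


def demo():
    """Round trip on a constructed config in a temp dir: fresh file, then a legacy one."""
    root = tempfile.mkdtemp()
    path = os.path.join(root, ".docker", "config.json")
    fresh, _ = enable_pass_store(path)  # no file yet: creates ~/.docker and the file
    with open(path, "w", encoding="utf-8") as fh:  # constructed legacy config with a plaintext blob
        fh.write('{"auths": {"https://index.docker.io/v1/": {"auth": "dXNlcjpwYXNz"}}, "credsStore": "desktop"}')
    migrated, plaintext = enable_pass_store(path)
    again, still_plaintext = enable_pass_store(path)  # second run is a no-op
    return fresh, migrated, plaintext, again == migrated and still_plaintext == []
```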
Anyone else who keeps getting prompted for the passphrase? docker/desktop-linux#115
You're either not using the correct binary or downloading the binary incorrectly. Check the size of the download to verify you're downloading correctly. If using curl be sure to pass e.g. for arm64:

```bash
curl -L "https://github.com/docker/docker-credential-helpers/releases/download/v0.8.1/docker-credential-pass-v0.8.1.linux-arm64" -o "docker-credential-pass"
```

This has sometimes allowed me to type the GnuPG passphrase in the pinentry TUI when headless, and other times the SSH session appears to crash due to terminal corruption. When it "crashes," the pinentry TUI appears, but passphrase keystrokes result in literal characters printed at the bottom left, not masked
I've been banging my head against this problem for 3 days and the only way I found to properly secure docker was by resorting to installing Docker Desktop. The essential problem is that you are never prompted to enter the passkey once you have successfully used pass etc. to store the pass token. What if I want to install Docker on a very small device without a Desktop GUI? I think more work needs to be done around the docker-credential-helper for pass.
Hi,
the README currently says:
"pass needs to be configured for docker-credential-pass to work properly. It must be initialized with a gpg2 key ID. Make sure your GPG key exists is in gpg2 keyring as pass uses gpg2 instead of the regular gpg."
However, I could not find any documentation whatsoever on the initialization. There doesn't seem to be a `docker-credentials-pass init` command? It would be helpful to actually document the steps for how to initialize the pass store. (I can create a pull request for README changes once I figure out how to actually do the initialization.)