Document how to initialize docker-credentials-pass #102

Open
pasih opened this issue May 11, 2018 · 48 comments

@pasih pasih commented May 11, 2018

Hi,

the README currently says:
"pass needs to be configured for docker-credential-pass to work properly. It must be initialized with a gpg2 key ID. Make sure your GPG key exists is in gpg2 keyring as pass uses gpg2 instead of the regular gpg."

However, I could not find any documentation whatsoever on the initialization. There doesn't seem to be a docker-credentials-pass init command? It would be helpful to actually document the steps how to initialize the pass store.

(I can create a pull request for README changes once I figure out how to actually do the initialization)

@Ayrat-Kh Ayrat-Kh commented May 13, 2018

Hi. I'm sorry for my English. After spending some time, I was able to set up the credential store, and maybe my experience will help you.

I used Ubuntu 18.04 and did all actions as the root user.

  1. Download "docker-credential-pass".
    wget https://github.com/docker/docker-credential-helpers/releases/download/v0.6.0/docker-credential-pass-v0.6.0-amd64.tar.gz

  2. Unpack: tar -xf docker-credential-pass-v0.6.0-amd64.tar.gz

  3. I couldn't configure the $PATH environment variable, so I copied the unpacked file to the /usr/bin directory.

  4. Check that docker-credential-pass works. To do this, run the command docker-credential-pass. You should see: "Usage: docker-credential-pass <store|get|erase|list|version>".

  5. Install gpg and pass: apt install gpg pass

  6. gpg --generate-key. Enter your name, mail, etc. You will get a gpg-id like "5BB54DF1XXXXXXXXF87XXXXXXXXXXXXXX945A". Copy it to the clipboard.

  7. pass init (paste from clipboard)

  8. pass insert docker-credential-helpers/docker-pass-initialized-check and set the next password "pass is initialized" (without quotes).

  9. pass show docker-credential-helpers/docker-pass-initialized-check. You should see pass is initialized.

  10. docker-credential-pass list. You should see {} or other data. You shouldn't see an error like "pass store is uninitialized".

  11. nano ~/.docker/config.json. Set in the root node the next line "credsStore": "pass" and save with ctrl+o.

  12. After that, docker login, etc.

I'm not a guru on Unix-based OSes and some actions can be done better. I hope someone will help my answer.

@nathanfiscus nathanfiscus commented May 14, 2018

@pasih, here is what I did to get my docker client working with docker-credentials-pass. I have slight variations from what @Ayrat-Kh did.

  1. Install pass
    sudo apt-get install pass
  2. Download, extract, make executable, and move docker-credential-pass
    wget https://github.com/docker/docker-credential-helpers/releases/download/v0.6.0/docker-credential-pass-v0.6.0-amd64.tar.gz && tar -xf docker-credential-pass-v0.6.0-amd64.tar.gz && chmod +x docker-credential-pass && sudo mv docker-credential-pass /usr/local/bin/
  3. Create a new gpg2 key.
    gpg2 --gen-key
  4. Follow prompts from gpg2 utility
  5. Initialize pass using the newly created key
    pass init "<Your Name>"
  6. Add credsStore to your docker config. This can be done with sed if you don't already have credsStore added to your config or you can manually add "credsStore":"pass" to the config.json.
    sed -i '0,/{/s/{/{\n\t"credsStore": "pass",/' ~/.docker/config.json
  7. Login to docker
    docker login

References:
https://hackernoon.com/getting-rid-of-docker-plain-text-credentials-88309e07640d
https://www.passwordstore.org/

@visualex visualex commented May 29, 2018

Another slight variation, as I needed to use /dev/urandom
apparently I was running out of entropy and gpg2 --gen-key was hanging on the "generating random numbers .... " part

wget https://github.com/docker/docker-credential-helpers/releases/download/v0.6.0/docker-credential-pass-v0.6.0-amd64.tar.gz && tar -xf docker-credential-pass-v0.6.0-amd64.tar.gz && chmod +x docker-credential-pass && sudo mv docker-credential-pass /usr/local/bin/

yes | sudo apt install pass
yes | sudo apt install rng-tools
yes | sudo apt install rng-tools5
gpg-agent --daemon --use-standard-socket --pinentry-program /usr/bin/pinentry-curses
sudo rngd -r /dev/urandom
gpg2 --gen-key
pass init "Your Name"
sed -i '0,/{/s/{/{\n\t"credsStore": "pass",/' ~/.docker/config.json
docker login your-registry:5000

@CodingKoopa CodingKoopa commented Jun 27, 2018

  8. pass insert docker-credential-helpers/docker-pass-initialized-check and set the next password "pass is initialized" (without quotes).
  9. pass show docker-credential-helpers/docker-pass-initialized-check. You should see pass is initialized.
  10. docker-credential-pass list. You should see {} or another data. You shouldn't see error like "pass store is uninitialized".

I had to follow these steps of @Ayrat-Kh's to get docker-credential-pass list to print anything other than "pass store is uninitialized". After doing this, though, I was able to rm ~/.password-store, run pass init $ID again, and have it as expected, without having to do steps 8-10 again.

@edingroot edingroot commented Jul 26, 2018

If the passphrase is not empty when generating the gpg key, I got the following error message when running docker login your-registry:5000 with version v0.6.1.

Error saving credentials: error storing credentials - err: exit status 1, out: `error fetching password during initialization: exit status 2: gpg: cancelled by user
gpg: decryption failed: No secret key`

The error was thrown by pass_linux.go#L64, where the script is trying to run

pass show ~/.password-store/docker-pass-initialized-check

This is caused by a prompt popping up to ask for the passphrase; since there is no input, the error message
exit status 2: gpg: cancelled by user was caught.

Thus, entering the passphrase by running the command above manually could temporarily solve the problem.

@neomatrix369 neomatrix369 commented Aug 6, 2018

@nathanfiscus thanks for the steps mentioned #102 (comment), I didn't find it was very clear from the docs at
#102 - I did the extra step of downloading the docker-credentials-pass and it worked fine. I'm thinking docker-credentials-pass is the wrapper around pass so we need both of them present

👍 ❤️

@krisbalaa krisbalaa commented Aug 16, 2018

@nathanfiscus Excellent. Thanks for the steps. I would like to handle entering the passphrase through bash script for the following command.
pass show ~/.password-store/docker-pass-initialized-check
Is it possible?

@mkjmdski mkjmdski commented Sep 25, 2018

If you follow this guide and somehow you can't generate a gpg key because the gpg process is hanging, please install rng-tools and run its daemon with rngd -r /dev/urandom to generate enough random noise in your system to generate the key. You can observe your noise with cat /proc/sys/kernel/random/entropy_avail. Also using gnupg2 could help.

@olekszhel olekszhel commented Nov 9, 2018

@Ayrat-Kh Sorry, but where did you get this "secret knowledge" from?)

@ghost ghost commented Dec 16, 2018

Hi using Fedora 28 and Docker version 18.09.0, build 4d60db4.

pass is not the password store by default. Docker stores passwords base64 encoded. The instructions above by @Ayrat-Kh and @nathanfiscus are not working for me. I keep getting the error:

Error saving credentials: error storing credentials - err: exit status 1, out: `pass store is uninitialized`

Here's my output after @Ayrat-Kh steps:

pass list

Password Store
└── docker-credential-helpers
    └── docker-pass-initialized-check

pass show docker-credential-helpers/docker-pass-initialized-check

pass is initialized

I see the plan is to add pass as default

docker/docker-ce@9337e13

but right now I can't get it working

@ghost ghost commented Dec 16, 2018

any ideas? @n4ss

@makville makville commented Dec 26, 2018

@jmliz I was able to solve this by running

pass insert docker-credential-helpers/docker-pass-initialized-check

and then not setting a passphrase. I just left it empty

It has been working since.

@ghost ghost commented Dec 26, 2018

@makville I'm still getting the same error with an empty passphrase.

@dabiddo dabiddo commented Jan 1, 2019

I'm getting the same error, I followed the steps for docker-credential-helper, they worked the 1st time, but after restarting the computer, same behavior continues, even if I retrace the steps for generating keys and docker login, as soon as I hit docker-compose up , I get the credentials error :(

@makville makville commented Jan 1, 2019

@jmliz @dabio I just experienced the same problem as you. Once I restarted the server it was all back to square one again. Oh well.

@ghost ghost commented Jan 1, 2019

@makville restarting doesn't help. I wasn't ever able to get it working in the first place.

@ghost ghost commented Jan 1, 2019

this plugin doesn't even have proper documentation. no contributor ever replied to this issue.

@nathanfiscus nathanfiscus commented Jan 8, 2019

Those of you still having issues might try one of these below. I haven't looked through all the code for docker-credential-pass, but I think that the plugin is not properly triggering the gpg-agent (in all instances) that pass uses to login to and decrypt the store. Essentially the password store is locking after the default 10 minutes. I have two workarounds for this until/if the issue gets fixed:

  1. Set the timeout for the gpg-agent conf to a ridiculously high number:
    $ cat ~/.gnupg/gpg-agent.conf
    max-cache-ttl 60480000
    default-cache-ttl 60480000

That is 400 days. This obviously is just as insecure as using the default plain text file, but gets around the warning. You will have to trigger this the first time and after 400 days or whatever you set.

  2. Manually trigger the pass store to unlock before performing a docker command that requires authentication like docker login or docker push. I have been experimenting with this bash script (this is a work in progress and bash is not a strength of mine, so feel free to clean this up. 😄)
    #!/bin/bash
    # Reading the check entry makes gpg-agent prompt for and cache the passphrase.
    # pass writes its errors to stderr, so capture that stream as well.
    INITMSG="$(pass show docker-credential-helpers/docker-pass-initialized-check 2>&1)"
    ERRMSG="Error"
    LISTMSG=""

    # [[ ]] is needed for the substring match; inside [ ] the *Error* pattern is glob-expanded.
    if [[ "$INITMSG" == *"$ERRMSG"* ]]
    then
        # The check entry could not be read: ask the helper for its own status.
        LISTMSG="$(docker-credential-pass list)"
    else
        LISTMSG="Initialized"
    fi

    ERRMSG2="pass store is uninitialized"
    EMPTY=""

    # Fail when the helper reports an uninitialized store or prints nothing.
    if [ "$LISTMSG" = "$ERRMSG2" ]
    then
        exit 1
    elif [ "$LISTMSG" = "$EMPTY" ]
    then
        exit 1
    else
        exit 0
    fi

I put this in my /usr/bin directory and made it executable.

Usage would be something like:

docker-pass && docker login

@ghost ghost commented Jan 8, 2019

@nathanfiscus I don't understand when you say "Essentially the password store is locking after the default 10 minutes". I immediately try to login after I set up pass and it doesn't work. I will give it a try though.

@spkane spkane commented Jan 10, 2019

I also have issues using this even immediately afterwards running docker-credential-pass list and getting {} returned.

In my case I can run docker login and it works, but it seems that the password is not actually saved into the store, and when I docker logout I get an error about it not being there, and sure enough, another list still shows everything as empty.

Maybe it depends on the version of Docker you are running? Newer versus older?

I have:

  • gpg (GnuPG) 2.2.7
  • pass version v1.7.3
  • tree v1.8.0 # which is needed by pass unfortunately.
  • Docker version 18.06.1-ce, build e68fc7a
  • docker-credential-pass 0.6.0

In my case I am building everything, but Docker and GnuPG, as I am trying to get this working on a CoreOS linux system.

@spkane spkane commented Jan 11, 2019

I figured out the issue in my case. This still feels a bit like a bug, but of a different sort. Using docker login against a registry that does not currently support auth (we are turning it on in a few days after some testing) works fine. It seems to log you in no matter what you use as the username/password, but docker logout breaks, as no credential is stored during login, so when you log out, and it tries to delete the credential, you get an error saying that the credential delete failed.

@ghost ghost commented Jan 11, 2019

@spkane how can login work if you don't have authentication? I'm not aware of docker internals but that sounds strange. Nothing worked so far for me.

@javabrett javabrett commented Apr 17, 2019

It appears that docker-credential-helpers can easily reach a state where it has marked the pass path as initialised, and this can be hard to reset. I found the following to work:

pass rm -r docker-credential-helpers
pass init -p docker-credential-helpers <GPGID>

pass ls
Password Store
└── docker-credential-helpers

docker login <registry>
Username: <username>
Password: <password>

$ pass ls
Password Store
└── docker-credential-helpers
    └── <CREDHASH>
        └── <username>

@javabrett javabrett commented Apr 17, 2019

OK here's another essential tip if you find your pass repo constantly corrupted by incomplete docker-pass-initialized-check:

export GPG_TTY=$(tty)

... so that gpg properly prompts for key passphrase, assuming you have one.

@mcallaghan-bsm mcallaghan-bsm commented Apr 27, 2019

@javabrett

pass init -p docker-credential-helpers <GPGID>

-p is not a valid flag to pass init

$ pass init -p docker-credential-helpers
pass: invalid option -- 'p'
Usage: pass init [--reencrypt,-e] gpg-id

@javabrett javabrett commented Apr 27, 2019

@mcallaghan-bsm which platform/version are you running?

tee Dockerfile <<EOF
> FROM debian
> RUN apt-get update && apt-get install -y pass
> EOF

docker build -t pass .

docker run -it --rm pass bash -c "pass version;pass init;pass init -p foo ABC123"

============================================
= pass: the standard unix password manager =
=                                          =
=                  v1.6.5                  =
=                                          =
=             Jason A. Donenfeld           =
=               Jason@zx2c4.com            =
=                                          =
=      http://www.passwordstore.org/       =
============================================
Usage: pass init [--path=subfolder,-p subfolder] gpg-id...
mkdir: created directory '/root/.password-store'
mkdir: created directory '/root/.password-store/foo'
Password store initialized for ABC123

@mcallaghan-bsm mcallaghan-bsm commented Apr 29, 2019

@javabrett
We're not running it in a docker, raw host.

$ cat /etc/issue
Ubuntu 14.04.5 LTS \n \l

$ pass version;pass init;pass init -p foo ABC123
|-----------------------|
|   Password Store      |
|       v.1.4.2         |
|       by zx2c4        |
|                       |
|    Jason@zx2c4.com    |
|  Jason A. Donenfeld   |
|-----------------------|
Usage: pass init [--reencrypt,-e] gpg-id
pass: invalid option -- 'p'
Usage: pass init [--reencrypt,-e] gpg-id

hmmm, I suppose this super old version of Ubuntu 14.04 LTS is not pulling in latest pass. (though technically this is still in support)

So presumably the -p is only available in a subsequent version.

@mcallaghan-bsm mcallaghan-bsm commented Apr 29, 2019

Also there's a small chicken/egg problem. If one is using pass + docker-credential-helper to docker login using pass, it is a bit funny to pull down the latest pass inside of a debian-based docker in order to run pass inside a docker to auth against a private docker registry to run a docker :)

@javabrett javabrett commented Apr 29, 2019

hmmm, I suppose this super old version of Ubuntu 14.04 LTS is not pulling in latest pass. (though technically this is still in support)

It is getting-on in age and I think is in final-phase of support. Support/LTS doesn't mean you are going to get the latest version of packages - usually quite the opposite - you will get stability and bugfixes/security-fixes, but not new and potentially incompatible upgrades.

Also there's a small chicken/egg problem.

No, sorry - I should have explained what I was doing there ... I just used Docker as a super-fast and reproducible way to install a current pass to show you that -p is supported in the latest version. I use Docker often this way to answer questions or reproduce problems, since it is always reproducible then.

So presumably the -p is only available in a subsequent version.

Correct.

@precious-coder precious-coder commented Jun 21, 2019

For the people who get here by Googling:

Since the ratio effort/gain leans to "more hassle to set the stuff up to gain a little bit of secure password storage. It's more worth taking the risk to keep it in base64 than trying on and on and on and on and on".

The file permissions of ~/.docker/config.json are set to "only owner can read and write". And when you encrypt your filesystem or drive, there is enough time to reset your password in case your machine gets stolen.

@edvardm edvardm commented Jul 11, 2019

Also note that d6c1f13 removed checking of that initialized password, so there is no need to create the 'docker-pass-initialized-check' entry anymore with version 0.6.0. Don't know yet why it doesn't work though, so using base64-encoded version for now :/

@fttriquet fttriquet commented Jul 23, 2019

For the people who get here by Googling:

Since the ratio effort/gain leans to "more hassle to set the stuff up to gain a little bit of secure password storage. It's more worth taking the risk to keep it in base64 than trying on and on and on and on and on".

The file permissions of ~/.docker/config.json are set to "only owner can read and write". And when you encrypt your filesystem or drive, there is enough time to reset your password in case your machine gets stolen.

It's been such a hassle to configure docker-credential-pass to work on my centos server, that I am seriously considering doing this. Going through docker pull or docker-compose to pull image from gitlab registry just doesn't work.

Did anyone solve that on centos ?

@FrozenSync FrozenSync commented Sep 13, 2019

I've followed the steps from the first two comments and I still cannot get this to work. After all this effort I'll give up as well. Why does a fairly basic feature like this cost this much effort to setup in 2019 for a technology as big as Docker?

@knallfr0sch knallfr0sch commented Oct 28, 2019

This definitely needs more visibility. It is quite confusing with sudo, user being in docker group and what not.

@Tokenyet Tokenyet commented Dec 30, 2019

I think docker should not make this warning without the documentation prepared properly. There are not even any steps for Linux users to use docker-credential-pass, so this would cause frustration...
By the way, Ayrat-Kh's steps work on Ubuntu 18.04 in my test.

Notice: If you want to pass ~/.docker/config.json to some cloud service (openshift...etc), you must not use docker-credentials-helper, there is no guarantee to support this with those providers, so I changed back to normal way.

@mkindika mkindika commented May 13, 2020

I've followed the steps from the first two comments and I still cannot get this to work. After all this effort I'll give up as well. Why does a fairly basic feature like this cost this much effort to setup in 2019 for a technology as big as Docker?

You need to trust your key. Also, try removing passphrase.
https://steinbaugh.com/posts/docker-credential-pass.html
https://stackoverflow.com/questions/33361068/gnupg-there-is-no-assurance-this-key-belongs-to-the-named-user/34132924#34132924

@thnk2wn thnk2wn commented Sep 10, 2020

I took a stab at automating this a little further in case useful for anyone else..

#!/bin/sh

# Sets up a docker credential helper so docker login credentials are not stored encoded in base64 plain text.
# Uses the pass secret service as the credentials store.
# If previously logged in w/o cred helper, docker logout <registry> under each user or remove ~/.docker/config.json.

# Tested on Ubuntu 18.04.5 LTS.

if ! [ $(id -u) = 0 ]; then
   echo "This script must be run as root"
   exit 1
fi

echo "Installing dependencies"
apt update && apt-get -y install gnupg2 pass rng-tools jq

# Check for later releases at https://github.com/docker/docker-credential-helpers/releases
version="v0.6.3"
archive="docker-credential-pass-$version-amd64.tar.gz"
url="https://github.com/docker/docker-credential-helpers/releases/download/$version/$archive"

# Download cred helper, unpack, make executable, and move it where Docker will find it.
wget $url \
    && tar -xf $archive \
    && chmod +x docker-credential-pass \
    && mv -f docker-credential-pass /usr/local/bin/

# Done with the archive
rm -f $archive

config_path=~/.docker
config_filename=$config_path/config.json

# Could assume config.json isn't there or overwrite regardless and not use jq (or sed etc.)
# echo '{ "credsStore": "pass" }' > $config_filename

if [ ! -f $config_filename ]
then
    if [ ! -d $config_path ]
    then
        mkdir -p $config_path
    fi

    # Create default docker config file if it doesn't exist (never logged in etc.). Empty is fine currently.
    cat > $config_filename <<EOL
{
}
EOL
    echo "$config_filename created with defaults"
else
    echo "$config_filename already exists"
fi

# Whether config is new or existing, read into variable for easier file redirection (cat > truncate timing)
config_json=`cat $config_filename`

if [ -z "$config_json" ]; then
    # Empty file will prevent jq from working
    # (a shell assignment takes no leading $ on the variable name)
    config_json="{}"
fi

# Update Docker config to set the credential store. Used sed before but messy / edge cases.
echo "$config_json" | jq --arg credsStore pass '. + {credsStore: $credsStore}' > $config_filename

# Output / verify contents
echo "$config_filename:"
jq . "$config_filename"

# Help with entropy to prevent gpg2 full key generation hang
# Feeds data from a random number generator to the kernel's random number entropy pool
rngd -r /dev/urandom

# To cleanup extras from multiple runs: gpg --delete-secret-key <key-id>; gpg --delete-key <key-id>
echo "Generating GPG key, accept defaults but consider key size to 2048, supply user info"
gpg2 --full-generate-key

echo "Adjusting permissions"
sudo chown -R $USER:$USER ~/.gnupg
sudo find ~/.gnupg -type d -exec chmod 700 {} \;
sudo find ~/.gnupg -type f -exec chmod 600 {} \;

# List keys
gpg2 -k

key=$(gpg2 --list-secret-keys | grep uid -B 1 | head -n 1 | sed 's/^ *//g')

echo "Initializing pass with key $key"
pass init $key

echo "Leave this password blank (important):"
pass insert docker-credential-helpers/docker-pass-initialized-check

# Just a verification. Don't need to show actual password, mask it.
echo "Password verification:"
pass show docker-credential-helpers/docker-pass-initialized-check | sed -e 's/\(.\)/\*/g'

echo "Docker credential password list (empty initially):"
docker-credential-pass list

echo "Done. Ready to test. Run: sudo docker login <registry>"
echo "Afterwards run: sudo docker-credential-pass list; sudo cat ~/.docker/config.json"
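
A check that can follow a setup like the one above, as an added example that is not part of the original comment or of docker-credential-helpers: it audits a Docker client config.json for a missing credential store, for leftover inline base64 auth entries (the case the script's header mentions, a login made before the helper was configured) and for file permissions wider than owner-only. The registry name, user name and both sample configs are constructed; only the user name of an inline entry is decoded, never the password.

```python
import base64
import json
import os
import stat
import tempfile


def inline_username(auth_b64):
    """Return only the user name from an inline base64 "auth" value."""
    try:
        decoded = base64.b64decode(auth_b64, validate=True).decode("utf-8")
    except ValueError:  # covers invalid base64 and invalid UTF-8
        return "<undecodable>"
    return decoded.split(":", 1)[0]


def audit_docker_config(path):
    """Inspect a Docker client config.json without printing any secret."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as fh:
        text = fh.read().strip()
    cfg = json.loads(text) if text else {}  # an empty file counts as {}
    inline = {}
    for registry, entry in cfg.get("auths", {}).items():
        # With a working credential store, entries under "auths" stay empty.
        if isinstance(entry, dict) and entry.get("auth"):
            inline[registry] = inline_username(entry["auth"])
    return {
        "mode": f"{mode:04o}",
        "owner_only": (mode & 0o077) == 0,
        "creds_store": cfg.get("credsStore"),
        "cred_helpers": sorted(cfg.get("credHelpers", {})),
        "inline_users": inline,
    }


def problems(report):
    """Turn an audit report into a list of human-readable findings."""
    out = []
    if not report["owner_only"]:
        out.append(f"mode {report['mode']}: accessible to group or others")
    if report["creds_store"] is None and not report["cred_helpers"]:
        out.append("no credsStore/credHelpers: logins are saved as base64")
    for registry, user in sorted(report["inline_users"].items()):
        out.append(f"{registry}: inline credential for {user!r}; "
                   f"docker logout {registry}, then log in again")
    return out


def write_sample(cfg, mode):
    """Write a constructed config to a temp file with the given mode."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(cfg, fh)
    os.chmod(path, mode)
    return path


# Constructed samples: a login made without a helper, and the same
# registry after credsStore was set and the login was repeated.
BEFORE = {"auths": {"registry.example:5000": {
    "auth": base64.b64encode(b"alice:constructed-not-real").decode()}}}
AFTER = {"credsStore": "pass", "auths": {"registry.example:5000": {}}}

if __name__ == "__main__":
    for label, cfg, mode in (("before", BEFORE, 0o644),
                             ("after", AFTER, 0o600)):
        sample = write_sample(cfg, mode)
        try:
            print(label, problems(audit_docker_config(sample)))
        finally:
            os.remove(sample)
```
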

@thnk2wn thnk2wn commented Sep 14, 2020

@jmliz I was able to solve this by running

pass insert docker-credential-helpers/docker-pass-initialized-check

and then not setting a passphrase. I just left it empty

It has been working since.

Thanks @makville, not setting the pass initialized password was key for this working for me. Otherwise images could not be found when Swarm tried to pull the image.

@lyz-code lyz-code commented May 14, 2021

I've spent 3 hours trying to set this up, and once I managed to be logged in, I wasn't able to push images.

Out of frustration I've gathered the steps I followed here, in case it helps anyone.

Seriously, docker-credential-pass is broken and unmaintained, don't use it.

@blitzdex27 blitzdex27 commented Jun 17, 2021

I made this work! See if it will work out for you as well. I'm using MX Linux, this should work on other versions.

By default, when you use docker login, it will look for .docker/config.json from the root of your system. Specifically, $cd /root/.docker. However, you cannot access this just by adding sudo on cd.

Enough with the appetizer, here is the main dish:

From your terminal, you can start anywhere even in your $HOME directory (Ctrl + Alt + T):

  1. Download, extract, make executable, and move to make it available to $PATH
    $ wget https://github.com/docker/docker-credential-helpers/releases/download/v0.6.4/docker-credential-pass-v0.6.4-amd64.tar.gz
    $ tar -xf docker-credential-pass-v0.6.4-amd64.tar.gz
    $ chmod +x docker-credential-pass
    $ mv docker-credential-pass /usr/local/bin
  2. Change directory to system root
    $ sudo su
    $ cd /root
  3. Edit the docker config.json using nano, or if you have better options
    $ nano .docker/config.json
    Your file should look like this:
    {
            "credsStore": "pass",
            "auths": {}
    }
  4. Generate gpg key and copy the ID. It is a bit long string of characters all in caps (e.g. KJSADUSN831RHAM)
    $ gpg --gen-key
  5. Initialize pass
    $ pass init <GPG key ID>
  6. Lastly, login to docker
    $ sudo docker login
    You will finally see the password store tree by using pass command. Make sure you are in the system /root directory and have sudo su activated.
    $ pass
    It should look like this:
    └── docker-credential-helpers
       └── aHR0cHM7Ly9pbmrleC5kb2NrZXIuaW8vdjEv
          └── blitzdex27

That's it! I hope it worked for you too.

Note that you do not need to intentionally create the docker-credential-helpers by using pass insert docker-credential-helpers. Docker will do that for you. I realized this after reading the passwordstore documentation and trying it out myself, and I felt strange too when I had to create it intentionally.

Reference:

PS: This is my first time posting here so please tell me how to improve. Thank you :)

@d-led d-led commented Jun 17, 2021

Superb write-up, @blitzdex27

@khaledamiri khaledamiri commented Sep 5, 2021

@Ayrat-Kh thank you very much you save my life :)

@Nikolay-Ch Nikolay-Ch commented Oct 2, 2021

@Ayrat-Kh, thanks!

  1. pass insert docker-credential-helpers/docker-pass-initialized-check and set the next password "pass is initialized" (without quotes).
  2. pass show docker-credential-helpers/docker-pass-initialized-check. You should see pass is initialized.

Without these two points, I can't push into/pull from an image of my own registry...
Docker spoke: "no basic auth credentials" despite login succeeded (login command worked normally)...

@camilova camilova commented Oct 19, 2021

Hi, none of the solutions presented here worked for me, but I found the root cause of why this is happening in my case.
First, I use Linux ElementaryOS and I installed pass following this post on this thread. Installation and configuration succeeded and login succeeded too, but when I tried to push some image it always stopped due to a denied: requested access to the resource is denied message.

So, first, I removed pass and undid its configuration and tried without a password manager, and all worked, so the error was in something related to pass or its wrapper docker-credential-pass. Second, I reinstalled and configured pass again but this time I didn't set a password for the key, I left it blank, and all worked like a charm, but a blank password for the key is something that sounds insecure... Then, third, I set up pass again and set a password, and again, pushing failed with the same error message, so, fourth, before pushing I showed the passwords for docker that I have in the pass manager with the command sudo pass show docker-credential-helpers and it outputs a tree like:

sudo pass show docker-credential-helpers:
-------------xxxx:
--------docker-username

Executing sudo pass show docker-credential-helpers/xxxx/docker-username where xxxx and docker-username are the id and your docker username.
It will prompt for a password input to unlock this password from pass.
If you run the command again, it will not prompt for the password and will show you the password directly because it was previously successfully unlocked.
Run now the pushing command to docker and all will work!

So, I think the problem is that inside the process of docker pushing, when it tries to get the password from pass it doesn't prompt for password input and then fails due to lack of credentials when attempting to push. The bad news for me is that I don't know how to fix it and it requires a deeper understanding.
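
The condition several comments in this thread converge on (the helper cannot prompt for the key passphrase, so a locked key makes docker push or docker login fail) can be checked before running Docker. This is an added example, not code from the thread or from docker-credential-helpers: it parses the status lines printed by gpg-connect-agent 'keyinfo --list' /bye and reports on-disk keys that are passphrase-protected but not currently cached by gpg-agent. The keygrips and sample output are constructed, and the check looks at every key the agent knows rather than only the key pass was initialized with.

```python
import subprocess

# Constructed sample of `gpg-connect-agent 'keyinfo --list' /bye` output.
# Fields after "S KEYINFO": keygrip, type, serialno, idstr, cached,
# protection, fingerprint, ttl, flags.
SAMPLE_LOCKED = """\
S KEYINFO 1111111111111111111111111111111111111111 D - - 1 P - - -
S KEYINFO 2222222222222222222222222222222222222222 D - - - P - - -
S KEYINFO 3333333333333333333333333333333333333333 D - - - C - - -
OK
"""

# The same agent after the passphrase for key 2222... was entered once,
# for example through a manual `pass show` of a stored entry.
SAMPLE_UNLOCKED = SAMPLE_LOCKED.replace(
    "2222222222222222222222222222222222222222 D - - - P",
    "2222222222222222222222222222222222222222 D - - 1 P")


def parse_keyinfo(output):
    """Parse KEYINFO status lines into dictionaries, skipping other lines."""
    keys = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[:2] != ["S", "KEYINFO"]:
            continue
        keys.append({
            "keygrip": parts[2],
            "type": parts[3],            # D = key stored on disk
            "cached": parts[6] == "1",   # passphrase held by gpg-agent
            "protection": parts[7],      # P = passphrase, C = unprotected
        })
    return keys


def keys_needing_unlock(keys):
    """Keygrips of on-disk keys that would trigger a passphrase prompt."""
    return [k["keygrip"] for k in keys
            if k["type"] == "D" and k["protection"] == "P"
            and not k["cached"]]


def helper_can_run_unattended(output):
    """True when no key known to the agent would need a prompt."""
    return not keys_needing_unlock(parse_keyinfo(output))


def query_agent():
    """Ask the running gpg-agent for its key list (needs GnuPG installed)."""
    result = subprocess.run(
        ["gpg-connect-agent", "keyinfo --list", "/bye"],
        capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    for label, sample in (("locked", SAMPLE_LOCKED),
                          ("unlocked", SAMPLE_UNLOCKED)):
        pending = keys_needing_unlock(parse_keyinfo(sample))
        print(label, "ok" if not pending else f"unlock first: {pending}")
```

An unprotected key (protection C) never needs a prompt, which matches the reports above that an empty key passphrase made the helper work.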
