~/.docker/config.json reverts to default settings after a Docker Desktop restart #6295

Closed
2 of 3 tasks
ldebrouwer opened this issue Apr 27, 2022 · 17 comments

Comments

@ldebrouwer

ldebrouwer commented Apr 27, 2022

  • I have tried with the latest version of Docker Desktop
  • I have tried disabling enabled experimental features
  • I have uploaded Diagnostics
  • Diagnostics ID: n/a

Expected behavior

~/.docker/config.json remains unchanged after restarting Docker Desktop.

Actual behavior

~/.docker/config.json reverts to its default content.

Information

I use docker-credential-helper-ecr, and noticed that as of recently (I'd say version 4.7.0) whenever I restart Docker Desktop, the contents of ~/.docker/config.json are reset to its default.

For the Amazon ECR Docker Credential Helper I set credsStore in ~/.docker/config.json to ecr-login, but after a Docker Desktop restart it will revert back to desktop.

This is occurring for me and several of my team members, on Intel and Apple chips, across a variety of macOS 12 versions.

  • macOS Version: multiple macOS 12 versions (including 12.3.1 21E258)
  • Intel chip or Apple chip: both
  • Docker Desktop Version: noticed as of 4.7.0 (though could be earlier), confirmed for 4.7.1 (77678) and 4.7.0 (77141)

Output of /Applications/Docker.app/Contents/MacOS/com.docker.diagnose check

Starting diagnostics

[PASS] DD0027: is there available disk space on the host?
[PASS] DD0028: is there available VM disk space?
[PASS] DD0031: does the Docker API work?
[PASS] DD0004: is the Docker engine running?
[PASS] DD0011: are the LinuxKit services running?
[PASS] DD0016: is the LinuxKit VM running?
[PASS] DD0001: is the application running?
[PASS] DD0018: does the host support virtualization?
[PASS] DD0017: can a VM be started?
[PASS] DD0015: are the binary symlinks installed?
[PASS] DD0003: is the Docker CLI working?
[PASS] DD0013: is the $PATH ok?
[PASS] DD0007: is the backend responding?
[PASS] DD0014: are the backend processes running?
[PASS] DD0008: is the native API responding?
[PASS] DD0009: is the vpnkit API responding?
[PASS] DD0010: is the Docker API proxy responding?
[FAIL] DD0012: is the VM networking working? network checks failed: failed to ping host: exit status 1
[2022-04-27T07:52:48.007814000Z][com.docker.diagnose][I] ipc.NewClient: ed64d1bb-diagnose-network -> <HOME>/Library/Containers/com.docker.docker/Data/diagnosticd.sock diagnosticsd
[common/pkg/diagkit/gather/diagnose.runIsVMNetworkingOK()
[	common/pkg/diagkit/gather/diagnose/network.go:34 +0xd4
[common/pkg/diagkit/gather/diagnose.(*test).GetResult(0x100cd82a0)
[	common/pkg/diagkit/gather/diagnose/test.go:46 +0x44
[common/pkg/diagkit/gather/diagnose.Run.func1(0x100cd82a0)
[	common/pkg/diagkit/gather/diagnose/run.go:17 +0x44
[common/pkg/diagkit/gather/diagnose.walkOnce.func1(0x2?, 0x100cd82a0)
[	common/pkg/diagkit/gather/diagnose/run.go:140 +0x84
[common/pkg/diagkit/gather/diagnose.walkDepthFirst(0x1, 0x100cd82a0, 0x14000613738)
[	common/pkg/diagkit/gather/diagnose/run.go:146 +0x3c
[common/pkg/diagkit/gather/diagnose.walkDepthFirst(0x0, 0x20?, 0x14000613738)
[	common/pkg/diagkit/gather/diagnose/run.go:149 +0x78
[common/pkg/diagkit/gather/diagnose.walkOnce(0x1007b1ca0?, 0x140003df8a0)
[	common/pkg/diagkit/gather/diagnose/run.go:135 +0x8c
[common/pkg/diagkit/gather/diagnose.Run(0x100cd8120, 0x100077654?, {0x140003dfb08, 0x1, 0x1})
[	common/pkg/diagkit/gather/diagnose/run.go:16 +0x178
[main.checkCmd({0x140001b8010?, 0x6?, 0x4?}, {0x0, 0x0})
[	common/cmd/com.docker.diagnose/main.go:131 +0xe0
[main.main()
[	common/cmd/com.docker.diagnose/main.go:97 +0x308
[2022-04-27T07:52:48.007895000Z][com.docker.diagnose][I] (8d20de0a) ed64d1bb-diagnose-network C->S diagnosticsd POST /check-network-connectivity: {"ips":["10.16.79.68","10.200.209.30"]}
[2022-04-27T07:52:48.532936000Z][com.docker.diagnose][E] (8d20de0a) ed64d1bb-diagnose-network C<-S b6579fcd-diagnosticsd POST /check-network-connectivity (524.986291ms): failed to ping host: exit status 1
[common/pkg/diagkit/gather/diagnose.runIsVMNetworkingOK()
[	common/pkg/diagkit/gather/diagnose/network.go:35 +0x144
[common/pkg/diagkit/gather/diagnose.(*test).GetResult(0x100cd82a0)
[	common/pkg/diagkit/gather/diagnose/test.go:46 +0x44
[common/pkg/diagkit/gather/diagnose.Run.func1(0x100cd82a0)
[	common/pkg/diagkit/gather/diagnose/run.go:17 +0x44
[common/pkg/diagkit/gather/diagnose.walkOnce.func1(0x2?, 0x100cd82a0)
[	common/pkg/diagkit/gather/diagnose/run.go:140 +0x84
[common/pkg/diagkit/gather/diagnose.walkDepthFirst(0x1, 0x100cd82a0, 0x14000613738)
[	common/pkg/diagkit/gather/diagnose/run.go:146 +0x3c
[common/pkg/diagkit/gather/diagnose.walkDepthFirst(0x0, 0x20?, 0x14000613738)
[	common/pkg/diagkit/gather/diagnose/run.go:149 +0x78
[common/pkg/diagkit/gather/diagnose.walkOnce(0x1007b1ca0?, 0x140003df8a0)
[	common/pkg/diagkit/gather/diagnose/run.go:135 +0x8c
[common/pkg/diagkit/gather/diagnose.Run(0x100cd8120, 0x100077654?, {0x140003dfb08, 0x1, 0x1})
[	common/pkg/diagkit/gather/diagnose/run.go:16 +0x178
[main.checkCmd({0x140001b8010?, 0x6?, 0x4?}, {0x0, 0x0})
[	common/cmd/com.docker.diagnose/main.go:131 +0xe0
[main.main()
[	common/cmd/com.docker.diagnose/main.go:97 +0x308

[PASS] DD0032: do Docker networks overlap with host IPs?
[SKIP] DD0030: is the image access management authorized?
[PASS] DD0019: is the com.docker.vmnetd process responding?
[PASS] DD0033: does the host have Internet access?

Please investigate the following 1 issue:

1 : The test: is the VM networking working?
    Failed with: network checks failed: failed to ping host: exit status 1

VM seems to have a network connectivity issue. Please check your host firewall and anti-virus settings in case they are blocking the VM.

I believe the network check error to be unrelated/a red herring.

Steps to reproduce the behavior

  • Update ~/.docker/config.json to set the credsStore to ecr-login.
cat <<EOF > ~/.docker/config.json
{
    "credsStore": "ecr-login"
}
EOF
  • Restart Docker Desktop
  • Observe that the default ~/.docker/config.json has been reinstated.
@mjlangan

mjlangan commented May 3, 2022

My teammates are also affected by this. Seems similar to the Windows bug docker/for-win#9843

@aykutersoy

I'm having the same issue and it's very annoying to keep updating the config.json file every time I restart.

@jt-rockinswat

Noted in every version on macOS till the current latest (4.7.1). If it's still deemed necessary to reset the file upon updating Docker Desktop, it'd be nice to have a setting to prevent it from doing so.

@AndreSilva1993

Hi everyone, thank you for reporting this issue. We were able to replicate it and already created a ticket to look into this.

@pwalch

pwalch commented Jun 23, 2022

@AndreSilva1993 Thanks for looking into it! Did you get a chance to solve the issue?

For the time being, I am using the following alias after starting Docker for Mac:

alias docker-configure-ecr="echo '{\"credsStore\": \"ecr-login\"}' > ~/.docker/config.json"

Are there other known workarounds we can use until the problem is fixed?

@cerireyhan

Are there any updates on this ticket? This has been annoying many users for a while. Making the config immutable seems to be the only workaround so far.

@footballanalyticscffc

@pwalch you can create an "Automator app" per these instructions such that you don't have to execute your alias manually upon restarting. I have done this and tested it and it appears to work properly.

@dbyingtonjc

Hi everyone, thank you for reporting this issue. We were able to replicate it and already created a ticket to look into this.

@AndreSilva1993 can you provide details please?

This is a constant irritant due to having to restart Desktop because hyperkit has gone off reservation or even for OS patches.
I'm especially curious about the justification for this behavior in the first place. What good is a config file if the config is constantly reset?

Thanks.

@zerog2k

zerog2k commented Nov 11, 2022

Also having this issue, latest Docker Desktop for Mac v4.14.0, macOS 12.3.1
The issue is only when docker desktop is completely quit and then opened new, we observe that ~/.docker/config.json is modified or created, always having credsStore modified/changed to desktop whether it exists or has another value like osxkeychain. (This only happens when it's started new, not during a simple docker desktop restart.)

This is interfering with our ability to also login to AWS ECR and other repositories, because as soon as we login to those repositories, docker desktop throws an error and seems to get logged out of Docker business or whatever the new required/enforced subscription sign in, which seems to have started recently in the past few weeks. Once signed back into Docker Desktop, it's functional until you attempt to do docker login to ECR, at which point you get signed out of Docker Desktop and this process repeats. I have an open case into Docker support, and pointed them to this issue.
Many of my colleagues started running into this in the past week or so.

The workaround for us is to change the config.json credsStore back to osxkeychain (or delete the file), and then try to log back into ECR. This works until Docker Desktop is started up again.

@ragumix

ragumix commented Jan 16, 2023

Hello!
Any news?

@djs55
Contributor

djs55 commented Jan 17, 2023

Thanks all for your patience on this issue.

Docker Desktop adds a "pass-through" credential helper to .docker/config.json so that the UI gets notified on docker login and docker logout. If you need to use a different credential helper could you try editing ~/Library/Group\ Containers/group.com.docker/settings.json and change the key:

  "credentialHelper": "docker-credential-osxkeychain",

to whichever credential helper you'd like to use? docker-credential-desktop reads this settings file and execs whichever credentialHelper is set.

Let me know if this works for you (or not).

@Crow-EH

Crow-EH commented Jan 20, 2023

Hello @djs55,

I just tested it for https://github.com/awslabs/amazon-ecr-credential-helper.

And it works, even after restarting! 🎉

  • Desktop version: 4.16.2
  • Engine version: 20.10.22

Just make sure you set the full executable name: I've been had by setting only "ecr-login" instead of "docker-credential-ecr-login". I guess it's the same for the other credential helpers.

My setup for example

Previously

~/.docker/config.json:

{
        "auths": {},
        "credsStore": "ecr-login",
        "currentContext": "desktop-linux"
}

Now

~/.docker/config.json, just the default:

{
        "auths": {},
        "credsStore": "desktop",
        "currentContext": "desktop-linux"
}

~/Library/Group\ Containers/group.com.docker/settings.json:

{
  ...
  "credentialHelper": "docker-credential-ecr-login",
  ...
}
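
Added example (not part of the thread, and not Docker's code): a small check that takes the text of ~/.docker/config.json and of Docker Desktop's settings.json and reports which credential helper executable ends up handling docker login, following the pass-through behaviour and the full-executable-name pitfall described above. The function name, the findings wording and the sample inputs are constructed for illustration, and per-registry credHelpers entries are not considered.

```python
import json

PREFIX = "docker-credential-"

# Constructed sample inputs modelled on the files quoted in this thread.
SAMPLE_CONFIG = '{"auths": {}, "credsStore": "desktop", "currentContext": "desktop-linux"}'
SAMPLE_SETTINGS = '{"credentialHelper": "docker-credential-ecr-login"}'


def effective_helper(config_text, settings_text=None):
    """Return (executable, findings) for config.json and optional settings.json text."""
    config = json.loads(config_text)
    settings = json.loads(settings_text) if settings_text else {}
    findings = []
    # An inline "auth" value is only base64-encoded, so it is readable from disk.
    inline = sorted(r for r, e in config.get("auths", {}).items() if e.get("auth"))
    if inline:
        findings.append("credentials stored inline for: " + ", ".join(inline))
    store = config.get("credsStore", "")
    if not store:
        findings.append("no credsStore set")
        return None, findings
    executable = PREFIX + store  # the CLI prepends this prefix to credsStore
    if store == "desktop":
        # Pass-through described above: the Desktop helper execs credentialHelper.
        target = settings.get("credentialHelper")
        if target is None:
            findings.append("settings.json has no credentialHelper key")
        elif not target.startswith(PREFIX):
            findings.append(f"credentialHelper {target!r} is not a full executable name")
        else:
            executable = target
    return executable, findings


if __name__ == "__main__":
    print(effective_helper(SAMPLE_CONFIG, SAMPLE_SETTINGS))
```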

@ragumix

ragumix commented Feb 2, 2023

Yes, it works for me too! Thank you so much!

@jacob-r-g

jacob-r-g commented Apr 12, 2023

The fix did not work for me :( I am running Docker Desktop 4.18.0 (104112) on Mac OS 12.5.1 (21G83). The settings.json file did not exist in ~/Library/Group\ Containers/group.com.docker/ so I tried creating it but that did not work. Is there another location I should be looking in @djs55 ?

This Fix worked for me! Thank you @djs55

@jcranfordupgrade

I don't think the workaround suggestion would work for me. My issue is not credsStore or currentContext, it is that I have many auths in my ~/.docker/config.json:

{
        "auths": {
                "foo1.intra": {
                        "auth": "base64"
                },
                "foo2.intra": {
                        "auth": "base64"
                },
                "foo3.intra": {
                        "auth": "base64"
                }
        },
        "credsStore": "desktop",
        "currentContext": "desktop-linux"
}

Is there a credentialHelper that will allow reading those auths from a different config file?

@zaq42

zaq42 commented Jun 7, 2024

credsStore: desktop does not work when using aws ecr get-login-password | docker login within an SSH session.
In my case the mac is part of a build pipeline which breaks every time the config file is rewritten (restarting or upgrading docker, restarting the machine).

It's my config file, please don't change it!

It seems ridiculous to have to add a sed command to my pipeline just to delete that line if it's there, but that's my workaround:

sed -i '' '/"credsStore": "desktop"/d' ~/.docker/config.json

I can live with the warning:

WARNING! Your password will be stored unencrypted in /Users/.../.docker/config.json.
Configure a credential helper to remove this warning

@MihaelaStoica

MihaelaStoica commented Jun 17, 2024

The issue originally reported here - that the credsStore in ~/.docker/config.json is reverted back to desktop after a Docker Desktop restart - has been fixed in Docker Desktop 4.19 (see release note), with an additional fix in Docker Desktop 4.27 (see release note). Closing this ticket as resolved.
There is still an unresolved issue, that if credsStore is set to "" or removed completely, restarting docker will reset this value to "desktop". For this we have docker/for-win#9843 (reported on Windows, but noted that it affects all systems).
