Docker Desktop 4.19.0 breaks CreateImageAsync if part of an enforced organization sign-in.

[ddevoogt]

Output of dotnet --info:

.NET SDK:
 Version:   7.0.203
 Commit:    5b005c19f5

Runtime Environment:
 OS Name:     Mac OS X
 OS Version:  13.3
 OS Platform: Darwin
 RID:         osx.13-arm64
 Base Path:   /usr/local/share/dotnet/sdk/7.0.203/

Host:
  Version:      7.0.5
  Architecture: arm64
  Commit:       8042d61b17

.NET SDKs installed:
  6.0.402 [/usr/local/share/dotnet/sdk]
  6.0.405 [/usr/local/share/dotnet/sdk]
  7.0.203 [/usr/local/share/dotnet/sdk]

.NET runtimes installed:
  Microsoft.AspNetCore.App 6.0.10 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 6.0.13 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 7.0.5 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 6.0.10 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
  Microsoft.NETCore.App 6.0.13 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
  Microsoft.NETCore.App 7.0.5 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]

Other architectures found:
  x64   [/usr/local/share/dotnet/x64]
    registered at [/etc/dotnet/install_location_x64]

Environment variables:
  Not set

global.json file:
  Not found

Learn more:
  https://aka.ms/dotnet/info

Download .NET:
  https://aka.ms/dotnet/download

What version of Docker.DotNet?:

3.125.14

Output of docker version

Client:
 Cloud integration: v1.0.31
 Version:           23.0.5
 API version:       1.42
 Go version:        go1.19.8
 Git commit:        bc4487a
 Built:             Wed Apr 26 16:12:52 2023
 OS/Arch:           darwin/arm64
 Context:           desktop-linux

Server: Docker Desktop 4.19.0 (106363)
 Engine:
  Version:          23.0.5
  API version:      1.42 (minimum version 1.12)
  Go version:       go1.19.8
  Git commit:       94d3ad6
  Built:            Wed Apr 26 16:17:14 2023
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          1.6.20
  GitCommit:        2806fc1057397dbaeefbea0e4e17bddfbd388f38
 runc:
  Version:          1.1.5
  GitCommit:        v1.1.5-0-gf19387a
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Steps to reproduce the issue:

1. Be part of a docker organization
2. Have the sign-in be enforced
   • See Enforce sign-in for Desktop
3. Sign out and shut down docker
4. Start up (it should require you to sign in now)
5. Sign in to desktop
6. For good measure, open your command line and sign in using docker login
7. Now run this section of code

// put this in main method
var _dockerClient = RuntimeInformation.IsOSPlatform(OSPlatform.Windows) ?
new DockerClientConfiguration(new Uri("npipe://./pipe/docker_engine")).CreateClient() :
new DockerClientConfiguration(new Uri("unix:///var/run/docker.sock")).CreateClient();
var parameters = new ImagesCreateParameters();
parameters.FromImage = "amazon/dynamodb-local";
parameters.Tag = "latest";
var dockerClientImages = _dockerClient.Images;
var progress = new Progress<JSONMessage>();
// new AuthConfig() or null still produces the same result
await dockerClientImages.CreateImageAsync(parameters, new AuthConfig(), progress);

What actually happened?:
Exception occured:

Docker.DotNet.DockerApiException
Docker API responded with status code=ProxyAuthenticationRequired, response=Please run 'docker login'

What did you expect to happen?:
It should pull down the image without an exception.

Has this worked before?
In docker desktop 4.18 it has worked previously.

Additional information
Since we are already logged in with docker desktop, and docker engine, i'd assume that we'd all ready be logged in?

[HofmeisterAn]

In docker desktop 4.18 it has worked previously.

Are you sure? I can hardly imagine that.

The code example you provided doesn't pass the credentials to CreateImageAsync(ImagesCreateParameters, AuthConfig, IProgress<JSONMessage>, CancellationToken). Docker.DotNet doesn't automatically read and configure private Docker registry credentials from the config.json. To properly configure the credentials, you need to obtain them and set them accordingly in the AuthConfig instance. Docker offers several methods to configure credentials for private registries. The way you obtain the credentials from config.json may vary slightly depending on the configuration.

[ddevoogt]

Are you sure? I can hardly imagine that.

Here is some proof to help your uncertainty

➜  Dynamo.csharp git:(main) ✗ docker version | grep Desktop
Server: Docker Desktop 4.19.0 (106363)
➜  Dynamo.csharp git:(main) ✗ dotnet test test/Dynamo.IntegrationTests --filter "DependentEntityDataStoreTests.DeleteItemAsync_ByEntity_DeleteExistingItem_ItemDoesNotExist" | grep Docker.DotNet.DockerApiException
[xUnit.net 00:00:00.62]     xxxx.Dynamo.IntegrationTests.DependentEntityDataStoreTests.DeleteItemAsync_ByEntity_DeleteExistingItem_ItemDoesNotExist [FAIL]
[xUnit.net 00:00:00.63]     xxxx.Dynamo.IntegrationTests.IndependentEntityDataStoreTests.DeleteItemAsync_ByEntity_DeleteExistingItem_ItemDoesNotExist [FAIL]
-------- Docker.DotNet.DockerApiException : Docker API responded with status code=ProxyAuthenticationRequired, response=Please run 'docker login'
-------- Docker.DotNet.DockerApiException : Docker API responded with status code=ProxyAuthenticationRequired, response=Please run 'docker login'
[xUnit.net 00:00:00.55]     xxxx.Dynamo.IntegrationTests.DependentEntityDataStoreTests.DeleteItemAsync_ByEntity_DeleteExistingItem_ItemDoesNotExist [FAIL]
[xUnit.net 00:00:00.56]     xxxx.Dynamo.IntegrationTests.IndependentEntityDataStoreTests.DeleteItemAsync_ByEntity_DeleteExistingItem_ItemDoesNotExist [FAIL]
-------- Docker.DotNet.DockerApiException : Docker API responded with status code=ProxyAuthenticationRequired, response=Please run 'docker login'
-------- Docker.DotNet.DockerApiException : Docker API responded with status code=ProxyAuthenticationRequired, response=Please run 'docker login'
➜  Dynamo.csharp git:(main) ✗ open ~/Downloads/Docker_4.18.dmg
➜  Dynamo.csharp git:(main) ✗ echo "stop docker, installs old docker"
stop docker, installs old docker
➜  Dynamo.csharp git:(main) ✗ docker version | grep Desktop
Cannot connect to the Docker daemon at unix:///Users/xxxxx/.docker/run/docker.sock. Is the docker daemon running?
➜  Dynamo.csharp git:(main) ✗ open /Applications/Docker.app   
➜  Dynamo.csharp git:(main) ✗ docker version | grep Desktop
Server: Docker Desktop 4.18.0 (104112)
➜  Dynamo.csharp git:(main) ✗ dotnet test test/Dynamo.IntegrationTests --filter "DependentEntityDataStoreTests.DeleteItemAsync_ByEntity_DeleteExistingItem_ItemDoesNotExist"                                        
  Determining projects to restore...
  All projects are up-to-date for restore.
  Dynamo.TestUtilities -> /Users/xxxxx/dev/Dynamo.csharp/src/Dynamo.TestUtilities/bin/Debug/net7.0/xxxx.Dynamo.TestUtilities.dll
  Dynamo -> /Users/xxxxx/dev/Dynamo.csharp/src/Dynamo/bin/Debug/net6.0/xxxx.Dynamo.dll
  Dynamo.TestUtilities -> /Users/xxxxx/dev/Dynamo.csharp/src/Dynamo.TestUtilities/bin/Debug/net6.0/xxxx.Dynamo.TestUtilities.dll
  Dynamo -> /Users/xxxxx/dev/Dynamo.csharp/src/Dynamo/bin/Debug/net7.0/xxxx.Dynamo.dll
  Dynamo.TestData -> /Users/xxxxx/dev/Dynamo.csharp/test/Dynamo.TestData/bin/Debug/net7.0/xxxx.Dynamo.TestData.dll
  Dynamo.IntegrationTests -> /Users/xxxxx/dev/Dynamo.csharp/test/Dynamo.IntegrationTests/bin/Debug/net7.0/xxxx.Dynamo.IntegrationTests.dll
  Dynamo.TestData -> /Users/xxxxx/dev/Dynamo.csharp/test/Dynamo.TestData/bin/Debug/net6.0/xxxx.Dynamo.TestData.dll
  Dynamo.IntegrationTests -> /Users/xxxxx/dev/Dynamo.csharp/test/Dynamo.IntegrationTests/bin/Debug/net6.0/xxxx.Dynamo.IntegrationTests.dll
Test run for /Users/xxxxx/dev/Dynamo.csharp/test/Dynamo.IntegrationTests/bin/Debug/net7.0/xxxx.Dynamo.IntegrationTests.dll (.NETCoreApp,Version=v7.0)
Microsoft (R) Test Execution Command Line Tool Version 17.5.0 (arm64)
Copyright (c) Microsoft Corporation.  All rights reserved.

Starting test execution, please wait...
A total of 1 test files matched the specified pattern.

Passed!  - Failed:     0, Passed:     2, Skipped:     0, Total:     2, Duration: 19 ms - xxxx.Dynamo.IntegrationTests.dll (net7.0)
Test run for /Users/xxxxx/dev/Dynamo.csharp/test/Dynamo.IntegrationTests/bin/Debug/net6.0/xxxx.Dynamo.IntegrationTests.dll (.NETCoreApp,Version=v6.0)
Microsoft (R) Test Execution Command Line Tool Version 17.5.0 (arm64)
Copyright (c) Microsoft Corporation.  All rights reserved.

Starting test execution, please wait...
A total of 1 test files matched the specified pattern.

Passed!  - Failed:     0, Passed:     2, Skipped:     0, Total:     2, Duration: 16 ms - xxxx.Dynamo.IntegrationTests.dll (net6.0)
➜  Dynamo.csharp git:(main) ✗ 

[ddevoogt]

Also, this is a public image.

[HofmeisterAn]

Are you using a corporate proxy? Could you please test what happens if you include the credentials in the AuthConfig instance? You should be able to get the credentials via echo https://index.docker.io/v1/ | docker-credential-desktop get. I have tested the Docker login (without enforcing the sign-up) and it worked fine. Although Docker Desktop has made a few changes regarding the Docker login and proxy, I have not found any obvious change that would break the behavior.

[ddevoogt]

echo https://index.docker.io/v1/ | docker-credential-desktop get
{"ServerURL":"https://index.docker.io/v1/","Username":"me","Secret":"my_Password_That_I_replaced"}

[ddevoogt]

Does Docker.Dotnet have a call to make the echo https://index.docker.io/v1/ | docker-credential-desktop get call or to get the currently logged in user on the machine? That might work.

[ddevoogt]

It works with with the AuthConfig on both versions.

await dockerClientImages.CreateImageAsync(
				parameters,
				new AuthConfig()
					{ ServerAddress = "https://index.docker.io/v1/", Username = "meMySelfAndI", Password = "StopSniffingYo!I_REPLACED_THIS!!!!!" },
				progress);

[HofmeisterAn]

Does Docker.Dotnet have a call to make the echo https://index.docker.io/v1/ | docker-credential-desktop get call or to get the currently logged in user on the machine? That might work.

No, it is not built-in. You need to gather the information yourself.

[ddevoogt]

how do we request a feature that uses the same credentials for the docker login? At least with say aws login, you can can use any api/cli with "default" credentials and it goes through the credential chain (Envs, .confs, etc). Any suggestions?

[HofmeisterAn]

I am not sure if I understand you correctly. Are you asking how to implement the mechanism to receive credentials? Docker (docker login) supports different ways to store credentials. Essentially, you need to implement the reverse process. Perhaps this implementation will help you understand how to implement different credential providers.