Score:0

System-wide Docker login?


Is there any way to log a whole machine / Docker daemon into a registry?

Everything I see about docker login and various proprietary credentials helpers uses ~/.docker/config.json, i.e. is per-user.

I have a situation where I would like to pull images from a private registry; multiple people have both arbitrary sudo access on those machines and should be able to use Docker against our registry.

Since Docker access should be read as root access to a machine anyway (i.e. user credentials are not mutually safe if they can run Docker), and sudo access is the same, just more directly, I would like to just cut to the chase and log the whole machine in without every user having to jump through hoops.

I could provide one file that everyone could link to their config.json, but I would prefer if it was just taken care of from the first login on each machine.

Score:3

Three options come to mind:

  1. Don't make the image private, and instead allow anyone to pull the image that can access the registry server. This is fairly common in environments since the image should only contain the libraries and binaries to run the application, not configuration files, secrets, or data, that would be injected at runtime or stored in a volume.

  2. If everyone has sudo access, run the docker commands from sudo, including the login. The credentials will be stored under the root user's ~/.docker/config.json.

  3. Make your own credential helper that just outputs the login to the host. The credential helper interface is pretty simple, 4 operations (store, get, list, erase) that could be implemented in a shell script. And for logins, you'd probably only need the get operation.

That credential helper could be a script called docker-credential-your-helper (where your-helper is a name of your choosing):

#!/bin/sh
# Static credential helper: docker passes the operation as $1 and, for "get",
# writes the registry host name on stdin.

your_registry='
{ "ServerURL": "your-registry",
  "Username": "your-user",
  "Secret": "your-pass"
}
'

if [ "$1" = "get" ]; then
  read -r hostname
  case "$hostname" in
    your-registry)
      echo "${your_registry}"
      exit 0
      ;;
  esac
elif [ "$1" = "list" ]; then
  # "list" must return a JSON object mapping server URL to user name (no secret)
  echo '{ "your-registry": "your-user" }'
  exit 0
fi
# everything else (store, erase, unknown hosts) is unhandled
exit 1

Make that file executable and place it in the path. Then every user's ~/.docker/config.json would have a credential helper entry keyed by the registry host name (note that docker-credential- is not included in this file, only the portion of the filename after that):

{
  "credHelpers": {
    "your-registry": "your-helper"
  }
}
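A variation on option 3, added here as an example and not part of the original answer: instead of embedding the secret in a script that sits on every user's PATH (and is therefore readable by anyone who can read the script), the helper reads a root-owned credentials file that an administrator provisions once per machine. The file path /etc/docker/registry-credentials, the colon-separated host:user:secret line format, the CRED_FILE override and the function names cred_get and cred_list are all assumptions of this example, not part of Docker's helper protocol; the protocol itself (operation in $1, host on stdin for get, JSON out, non-zero exit for anything unknown) is what Docker expects.

```shell
#!/bin/sh
# docker-credential-sitewide: example read-only credential helper (added example,
# not from the original answer). Install as /usr/local/bin/docker-credential-sitewide,
# chmod 755, and point credHelpers at "sitewide" in each user's config.json.
#
# Credentials live in one root-owned file, e.g. root:docker mode 0640, so only
# users in the docker group (who are root-equivalent anyway) can read the secret.
# Format (assumption of this example): one "host:user:secret" per line, '#' comments.
CRED_FILE="${CRED_FILE:-/etc/docker/registry-credentials}"

# cred_get HOST: print the JSON Docker expects for "get"; exit 1 if HOST is unknown.
# A secret may contain ':' because read assigns the remainder of the line to $s.
cred_get() {
  host="$1"
  while IFS=: read -r h u s; do
    case "$h" in ''|'#'*) continue ;; esac
    if [ "$h" = "$host" ]; then
      printf '{"ServerURL":"%s","Username":"%s","Secret":"%s"}\n' "$h" "$u" "$s"
      return 0
    fi
  done < "$CRED_FILE"
  return 1
}

# cred_list: JSON object mapping every known server URL to its user name; secrets
# are never included in "list" output.
cred_list() {
  first=1
  printf '{'
  while IFS=: read -r h u s; do
    case "$h" in ''|'#'*) continue ;; esac
    [ "$first" = 1 ] || printf ','
    printf '"%s":"%s"' "$h" "$u"
    first=0
  done < "$CRED_FILE"
  printf '}\n'
}

# main OP: dispatch on the operation Docker passes as $1.
main() {
  case "$1" in
    get)  read -r host; cred_get "$host" ;;
    list) cred_list ;;
    store|erase)
      # read-only by design: "docker login" cannot overwrite the machine-wide file
      echo "credentials are managed in $CRED_FILE; edit that file as root" >&2
      return 1 ;;
    *)    return 1 ;;
  esac
}

# Only dispatch when invoked with an operation (i.e. by Docker).
if [ $# -gt 0 ]; then
  main "$@"
  exit $?
fi
```

Because store and erase are refused, a user running docker login or docker logout against that registry gets an error rather than silently diverging from the machine-wide configuration; rotating the credential is a single edit of the root-owned file, and the file's mode (not the helper) is what controls who can read the secret.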