docker / docker-credential-helpers

Programs to keep Docker login credentials safe by storing in platform keystores
MIT License

Need to do "pass init" repeatedly in order to make authorization work #217

Open svdHero opened 2 years ago

svdHero commented 2 years ago

Hi there,

after having installed Docker Credential Helpers on my Ubuntu machine, I did the following steps:

# Configure password manager:
sudo apt-get -y install pass
gpg --generate-key
pass init harbor-user

# Setup container registry login:
tee .docker/config.json > /dev/null <<EOT
{
  "credHelpers": {
    "harbor.mycompany.com": "pass"
  }
}
EOT

docker login --username=harbor-user harbor.mycompany.com

The login succeeded and I could download protected images from my local harbor-registry just fine.

However, every now and then when I do a

docker pull harbor.mycompany.com/project/foo

I get the error message

Error response from daemon: unauthorized: unauthorized to access repository: project/foo, action: pull: unauthorized to access repository: project/foo, action: pull

Same thing for a docker-compose up, where I would get a

Pulling foo (harbor.mycompany.com/project/foo:1.0.1.40141)...
Traceback (most recent call last):
  File "docker/credentials/store.py", line 80, in _execute
  File "subprocess.py", line 411, in check_output
  File "subprocess.py", line 512, in run
subprocess.CalledProcessError: Command '['docker-credential-pass', 'get']' returned non-zero exit status 1.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "docker/auth.py", line 264, in _resolve_authconfig_credstore
  File "docker/credentials/store.py", line 35, in get
  File "docker/credentials/store.py", line 93, in _execute
docker.credentials.errors.StoreError: Credentials store docker-credential-pass exited with "exit status 2: gpg: decryption failed: No secret key".

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "docker-compose", line 3, in <module>
  File "compose/cli/main.py", line 81, in main
  File "compose/cli/main.py", line 203, in perform_command
  File "compose/metrics/decorator.py", line 18, in wrapper
  File "compose/cli/main.py", line 1186, in up
  File "compose/cli/main.py", line 1182, in up
  File "compose/project.py", line 664, in up
  File "compose/service.py", line 358, in ensure_image_exists
  File "compose/service.py", line 1251, in pull
  File "compose/progress_stream.py", line 99, in get_digest_from_pull
  File "compose/service.py", line 1218, in _do_pull
  File "docker/api/image.py", line 411, in pull
  File "docker/auth.py", line 48, in get_config_header
  File "docker/auth.py", line 324, in resolve_authconfig
  File "docker/auth.py", line 235, in resolve_authconfig
  File "docker/auth.py", line 281, in _resolve_authconfig_credstore
docker.errors.DockerException: Credentials store error: StoreError('Credentials store docker-credential-pass exited with "exit status 2: gpg: decryption failed: No secret key".')
[64079] Failed to execute script docker-compose

The errors will NOT go away when I log in again. The only way to solve the problem is to do a

pass init harbor-user

again.

What's wrong here? I would be grateful for any advice.

My docker version: 20.10.12, build e91ed57
My docker compose version: 1.29.2, build 5becea4c
My docker credentials helpers version: v0.6.4
OS: Ubuntu Server 20.04 LTS

romain-trotard commented 2 years ago

Hello @svdHero, I encounter the same problem. Did you find any solution?

Edit: On my side, I have to do all the steps again from gpg --generate-key (I tried with gpg2 but same problem each time).

dmitrii-kalashnikov commented 2 years ago

First, install the list of libs below: wget libsecret gpg pass gpg-agent

- wget https://github.com/docker/docker-credential-helpers/releases/download/v0.6.3/docker-credential-pass-v0.6.3-amd64.tar.gz
- tar xvzf docker-credential-pass-v0.6.3-amd64.tar.gz
- chmod a+x docker-credential-pass
- mv docker-credential-pass /usr/local/bin/
- docker-credential-pass list
- mkdir ~/.docker
- |
  gpg2 --generate-key --batch <<eoGpgConf
   %echo Started!
   Key-Type: default
   Key-Length: default
   Subkey-Type: default
   Name-Real: Docker
   Name-Comment: Something funny
   Name-Email: user@example.com
   Expire-Date: 0
   Passphrase: Yousuperstrongpassword
   %commit
   %echo Done.
  eoGpgConf
- gpg2 -k user@example.com| sed -e '/^pub/{N;s/.*\(.\{40\}\)/\1/;p;s/^.\{40\}//;q};d' >> gpgpub.txt
- gpg2 --list-secret-keys
- GPGPUBKEY=$(cat gpgpub.txt)
- pass init $GPGPUBKEY
- touch ~/.docker/config.json
- |
  echo $'{\n"credsStore": "pass"\n}' >> ~/.docker/config.json
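
A check for the `gpg: decryption failed: No secret key` error reported in this thread: compare the recipients that `pass init` recorded (the `.gpg-id` file, by default in `~/.password-store`) with the secret keys GnuPG lists. This is an added example, not code from the thread or from the docker-credential-helpers project; the function names and the sample key listing are constructed, and the substring match is a simplification that is looser than GnuPG's own key lookup.

```shell
#!/bin/sh
# Constructed sample of `gpg --list-secret-keys --with-colons` output
# (not taken from the thread). Field 10 holds the fingerprint or user ID.
SAMPLE_KEYS='sec:u:3072:1:1122334455667788:1650000000:::u:::scESC:::+:::23::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1122334455667788:
uid:u::::1650000000::0000000000000000000000000000000000000000::Docker (Something funny) <user@example.com>::::::::::0:
ssb:u:3072:1:99AABBCCDDEEFF00:1650000000::::::e:::+:::23:
fpr:::::::::00001111222233334444555599AABBCCDDEEFF00:'

# secret_key_ids LISTING
# Prints every fingerprint and user ID found in a colon-format secret-key listing.
secret_key_ids() {
    printf '%s\n' "$1" | awk -F: '$1 == "fpr" || $1 == "uid" { print $10 }'
}

# missing_recipients GPG_ID_CONTENT LISTING
# Prints each .gpg-id recipient that matches no listed secret key.
# Returns 1 if at least one recipient is missing, 0 otherwise.
missing_recipients() {
    ids=$(secret_key_ids "$2")
    status=0
    while IFS= read -r rcpt; do
        [ -n "$rcpt" ] || continue          # skip blank lines
        needle=${rcpt#0x}                   # allow key IDs written as 0x...
        # Case-insensitive substring match against fingerprints and user IDs.
        if ! printf '%s\n' "$ids" | grep -qiF -- "$needle"; then
            printf '%s\n' "$rcpt"
            status=1
        fi
    done <<EOF
$1
EOF
    return $status
}

# Demo on constructed data: "harbor-user" has no secret key in SAMPLE_KEYS.
missing_recipients "harbor-user
user@example.com" "$SAMPLE_KEYS" || echo "^ no matching secret key for the recipients above"

# Live use (requires pass and gpg; run as the user that runs docker):
#   missing_recipients "$(cat ~/.password-store/.gpg-id)" \
#       "$(gpg --list-secret-keys --with-colons)"
```

Run the live form as the same user and with the same `GNUPGHOME` that `docker` and `docker-compose` use, since the keyring searched is per user.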