moby / buildkit

concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit
https://github.com/moby/moby/issues/34227
Apache License 2.0

Login to a private registry using command line arguments #565

Open Monnoroch opened 6 years ago

Monnoroch commented 6 years ago

Right now the dockerfile.v0 frontend reads the docker config file. This means I either need to generate it using docker login, or manually, which is not great.

Perhaps I just didn't find the flag, but this is what README.md says as well.

tonistiigi commented 6 years ago

@AkihiroSuda Any suggestions?

Overall we should move away from the text files and use OS keychain logic. It would be easy to provide a script for this as well.

Monnoroch commented 6 years ago

docker login has cli arguments -u XX -p YY. Why not support the same thing?

xsbreakaway commented 5 years ago

The same problem. What should I do now to log in to my private registry with buildctl without running "docker login"? OS: CentOS 7.2

AkihiroSuda commented 5 years ago

img login can be used as well as docker login

It should be also easy to port over img login to buildctl https://github.com/genuinetools/img/blob/master/login.go

walbertus commented 4 years ago

Is this issue still relevant? I would like to try implementing this. For buildkit, -u and -p should not create or store credentials, right? It is only used for a single execution by storing it as variables in authprovider; is this approach correct?

tonistiigi commented 4 years ago

buildkit can access multiple registries for a single build, so if we are talking about CLI flags that would fill in authprovider, they need to be a combination of host+user+pw/token.

walbertus commented 4 years ago

It doesn't need to store the credentials in a file or the OS keychain, right? For handling multiple registries, what do you suggest the flags should look like? We can use multiple --username, --host and --password flags, or comma-separated values.

chang-andrew commented 4 years ago

Hi there, @walbertus are you still working on this issue? If not, would it be alright if I tried to take on this issue with a group of fellow students from UT Austin? We are taking a Virtualization class and would like to contribute to this issue, as it's a part of our course requirement.

walbertus commented 4 years ago

@chang-andrew Please go ahead

Xplouder commented 3 years ago

@chang-andrew Any progress? @tonistiigi Is there any kind of workaround for this until it is implemented?

Thank you.

tuananh commented 3 years ago

> @chang-andrew Any progress? @tonistiigi Is there any kind of workaround for this until it is implemented?
>
> Thank you.

You can create a secret and mount it. buildkit will pick it up.

Xplouder commented 3 years ago

@tuananh can you provide a snippet?

tuananh commented 3 years ago

You can do docker login from any machine. Then create secret from that docker config json. Then mount it in buildkit container

On Sun, 20 Dec 2020 at 08:26 João Silva notifications@github.com wrote:

> @tuananh can you provide a snippet?


maxwellb commented 3 years ago

> You can do docker login from any machine. Then create secret from that docker config json. Then mount it in buildkit container

Does this create a requirement that the frontend image is only local? I would like to be able to specify a syntax image from a private registry:

```dockerfile
# syntax=privateregistry.example/ns/repo:1.2
FROM alpine
# ...
```

How can I mount this secret in the buildkit container so that it has access to privateregistry.example? Docker in docker?

maxwellb commented 3 years ago

Stating this as a separate concern, but motivation for the above:

With docker registry pull limits, it becomes difficult to adopt new frontend syntaxes if the act of building the image (even targeting a private registry or local) is throttled.

Alexander-Bartosh commented 3 years ago

Since this is not implemented yet, I'm sharing my script to generate config.json for an Azure ACR identity without docker installed:

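```bash
# "az acr login -t" prints JSON containing loginServer and accessToken; the docker CLI is not needed
azAcrLogin=$(az acr login --name zylab -t) && mkdir -p ~/.docker && echo "{\"auths\": {$(echo "$azAcrLogin" | jq '.loginServer'): {\"auth\": \"MDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMDAwMDAwOg==\",\"identitytoken\": $(echo "$azAcrLogin" | jq '.accessToken')}}}" > ~/.docker/config.json
# Delete the credentials file when the shell exits
trap "rm -f ~/.docker/config.json" EXIT
```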

You only need az and jq, and of course to be running in the context of an Azure identity.

tennox commented 2 years ago

Using this successfully in my buildkit GitLab CI template:

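```bash
# GNU base64 wraps long output at 76 columns; strip newlines so the auth value stays on one line
BASE64_AUTH=$(printf '%s' "$CI_REGISTRY_USER:$CI_REGISTRY_PASSWORD" | base64 | tr -d '\n')
mkdir -p ~/.docker
echo "{\"auths\": {\"$CI_REGISTRY\": {\"auth\": \"$BASE64_AUTH\"}}}" > ~/.docker/config.json
```

minedetector commented 2 years ago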

Same but for AWS, a bit of a beginner to BASH so improvements are most welcome

```bash
#!/usr/bin/env bash

set -euo pipefail

# Fetch the ECR password and encode "AWS:<password>" as a single-line base64 value
pwd=$(AWS_PROFILE=<aws-profile> aws --region=eu-west-1 ecr get-login-password)
pwd_base64=$(printf "AWS:%s" "$pwd" | base64 | tr -d '\n')

mkdir -p ~/.docker

if [ -f ~/.docker/config.json ] && [ -s ~/.docker/config.json ]; then
  # Existing config: drop credsStore and add the ECR entry
  config_json=$(jq -r --arg pass "$pwd_base64" ' del(.credsStore) | .auths += {"<Account-id>.dkr.ecr.eu-west-1.amazonaws.com": {"auth": $pass}}' < ~/.docker/config.json)
else
  config_json=$(jq -r --arg pass "$pwd_base64" ' .auths += {"<Account-id>.dkr.ecr.eu-west-1.amazonaws.com": {"auth": $pass}}' <<< '{"auths":{}}')
fi

# Write to a temporary file first, then move it into place
jq -r '.' <<< "$config_json" > ~/.docker/config.json.temp && mv ~/.docker/config.json.temp ~/.docker/config.json
```

usernameisnull commented 2 years ago

Jesus, if I use the image moby/buildkit:v0.10.4, then I have to mount the docker login information from the host when running the container?

OJFord commented 1 year ago

For what it's worth, slightly tidier jq perhaps:

```bash
mkdir -p ~/.docker
registry="$(aws ecr describe-registry --query=registryId --output=text).dkr.ecr.eu-west-1.amazonaws.com"
auth="$(echo -n "AWS:$(aws ecr get-login-password)" | base64 --wrap=0)"
jq -n "{auths:{\"$registry\": {auth: \"$auth\"}}}" > ~/.docker/config.json
```

maxsargentdev commented 1 year ago

Is it correct that we have to mount dockerconfigjson into the buildx builder, after its creation, in order to provide docker credentials different to the host's default config?

tuffacton commented 2 months ago

Would love to re-engage here and see if anyone has made this work.
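The workaround used throughout this thread is to write `config.json` by hand, and each credential is a host+user+password/token combination. The following is an added example, not code from BuildKit or from any commenter, that builds that file for several registries in one pass, keeps secrets out of the argument list, and writes the file owner-only. The function name `write_registry_auth`, its stdin format and the registry names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: write a Docker-style config.json holding basic-auth entries
# for several registries. write_registry_auth is a hypothetical helper.
#
# Usage: write_registry_auth <config-dir> < creds
#   creds on stdin, one per line: "<host> <user> <password-or-token>"
#   Reading stdin keeps secrets out of argv, where the process list shows them.
write_registry_auth() {
  local dir="$1" host user secret auth entries="" tmp
  mkdir -p "$dir" || return 1
  # "|| [ -n "$host" ]" also handles a final line without a trailing newline.
  while read -r host user secret || [ -n "$host" ]; do
    [ -n "$host" ] || continue            # skip blank lines
    # Accept only host[:port] characters so nothing needs JSON escaping.
    case $host in
      *[!A-Za-z0-9.:-]*) echo "bad registry host: $host" >&2; return 1 ;;
    esac
    if [ -z "$user" ] || [ -z "$secret" ]; then
      echo "incomplete entry for $host" >&2
      return 1
    fi
    # auth = base64(user:secret); remove the line wraps GNU base64 inserts.
    auth=$(printf '%s:%s' "$user" "$secret" | base64 | tr -d '\n')
    entries="${entries:+$entries,}\"$host\":{\"auth\":\"$auth\"}"
  done
  if [ -z "$entries" ]; then
    echo "no credentials given" >&2
    return 1
  fi
  # mktemp creates the file with mode 0600; renaming it into place means a
  # reader never sees a partially written config.json.
  tmp=$(mktemp "$dir/config.json.XXXXXX") || return 1
  printf '{"auths":{%s}}\n' "$entries" > "$tmp" && mv "$tmp" "$dir/config.json"
}
```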