Fix: Login breaks Docker config (closes #87)

[pmeinhardt]

Setting the "credHelpers" setting to an empty string breaks authentication for the current version of Docker for Mac – 2.1.0.5 (40693).

Since this setting of the "credHelpers" for the "pierone" domain was originally introduced to fix authentication specifically for Docker on Mac (see tag 1.1.41), it looks like it is safe to remove it again.

For context, here's the PR that introduced the "credHelpers" modification in the first place: https://github.com/zalando-stups/pierone-cli/pull/82

I tested with the current Docker for Mac app and it works for me™️ ✌️

[coveralls]

Coverage decreased (-0.1%) to 79.859% when pulling 2debf7b6f44c983fcc48de153a9fdb6b806a5b57 on bitcrowd:bug/87-login-breaks-docker-config into dc7a7328b557fd16f4ae799c4d166bcb657c6398 on zalando-stups:master.

[pmeinhardt]

Not quite sure how to go about coveralls failing here. 🤷‍♂ I could add a test for some other random part of the code, but that wouldn't really fit into this PR. 🤔

[hjacobs]

I can't test (happy Linux user), waiting for feedback from Mac users...

[pmeinhardt]

Maybe @aermakov-zalando could cross-check this against a current version of Docker for Mac, since they opened the original PR introducing the setting of "credHelpers"?

Cheers 🙂

[aermakov-zalando]

No, that still doesn't work if the "Securely store Docker logins in macOS keychain" is checked (which is enabled by default):

$ pierone login                                                         
Getting OAuth2 token "pierone".. OK
Storing Docker client configuration in /Users/aermakov/.docker/config.json.. OK

$ docker pull pierone.stups.zalan.do/teapot/k8s-on-aws-manager:master-31
Error response from daemon: Get https://pierone.stups.zalan.do/v2/teapot/k8s-on-aws-manager/manifests/master-31: no basic auth credentials

[aermakov-zalando]

Also, I'm running 2.1.0.5 as well and I haven't experienced any issues. What doesn't work for you?

[pmeinhardt]

Also, I'm running 2.1.0.5 as well and I haven't experienced any issues. What doesn't work for you?

Trying to pull an image form the registry after running pierone login gives me:

docker-credential- not installed or not available in PATH

Apparently Docker pieces together the name for the helper command and expects something like "desktop" or "osxkeychain" for the "credHelpers" and can't handle the empty string (see https://docs.docker.com/engine/reference/commandline/login/#credential-helpers).

Several other people form my current project team have run into the same issue.

So far we've usually removed the "credHelpers" entry that pierone login adds manually to resolve the issue, but somehow our setups must be different?

🤔

[aermakov-zalando]

How do you pull the image? docker pull?

[pmeinhardt]

How do you pull the image? docker pull?

Yes. Both docker pull and docker-compose pull have been failing for me in the past. I'll see whether I can do some more digging some time this week to try and narrow it down further (see what other things in the environment etc. might be affecting Docker's behavior).

Thanks for the quick feedback already ✌️

[pmeinhardt]

Okay, here's a quick update. A colleague just ran into this issue again (and removing the empty entry fixed it for her).

She got:

Traceback (most recent call last):
  File "docker-compose", line 6, in <module>
  File "compose/cli/main.py", line 71, in main
  File "compose/cli/main.py", line 127, in perform_command
  File "compose/cli/main.py", line 1085, in up
  File "compose/cli/main.py", line 1081, in up
  File "compose/project.py", line 527, in up
  File "compose/service.py", line 344, in ensure_image_exists
  File "compose/service.py", line 1084, in build
  File "site-packages/docker/api/build.py", line 260, in build
  File "site-packages/docker/api/build.py", line 307, in _set_auth_headers
  File "site-packages/docker/auth.py", line 310, in get_all_credentials
  File "site-packages/docker/auth.py", line 262, in _resolve_authconfig_credstore
  File "site-packages/docker/auth.py", line 287, in _get_store_instance
  File "site-packages/dockerpycreds/store.py", line 25, in __init__
dockerpycreds.errors.InitializationError: docker-credential- not installed or not available in PATH

Which corresponds to this check here: https://github.com/shin-/dockerpy-creds/blob/0.4.0/dockerpycreds/store.py#L23-L27

So I am wondering whether this might actually be a difference between the docker CLI (written in Go) and docker-compose (written in Python)? 🤔

[aermakov-zalando]

Thanks! I'll have another look, I think there's a way to fix it properly. Sorry about the bad experience!

[pmeinhardt]

Thanks! I'll have another look, I think there's a way to fix it properly. Sorry about the bad experience!

Hey, no worries at all. ✌️ Thanks a lot for taking the time and looking into it. 💚

[aermakov-zalando]

Should be fixed by #93. You also won't need to run pierone login every hour anymore. I've tested with docker-compose as well, but please open an issue if it doesn't work on your machine.

[pmeinhardt]

Sounds great @aermakov-zalando. Thank you! ❤️