The way to obtain Docker credentials is not compatible with Docker CLI #102

l-qing · 2023-11-21T15:55:14Z

I upgraded oras from 0.16 to 1.1 and found an incompatible change.

I expect the old format credentials to work normally as well.

The analysis is as follows:

1. Logic in `oras` 0.16

In oras 0.16.0, we use docker cli get credentials.

https://github.com/oras-project/oras/blob/release-0.16/internal/credential/store.go#L61C1-L62

	return &Store{
		configs: configs,
	}, nil

authConf, err := c.GetCredentialsStore(registry).Get(registry)

https://github.com/docker/cli/blob/1401f9108517b33fe38fb3acd59557dcdf4d603d/cli/config/credentials/file_store.go#L39-L81

// ConvertToHostname converts a registry url which has http|https prepended
// to just an hostname.
// Copied from github.com/docker/docker/registry.ConvertToHostname to reduce dependencies.
func ConvertToHostname(url string) string {
	stripped := url
	if strings.HasPrefix(url, "http://") {
		stripped = strings.TrimPrefix(url, "http://")
	} else if strings.HasPrefix(url, "https://") {
		stripped = strings.TrimPrefix(url, "https://")
	}

	hostName, _, _ := strings.Cut(stripped, "/")
	return hostName
}

2. Logic in `oras` 1.1

In oras 1.1.0, we use oras-credentials-go get credentials.

https://github.com/oras-project/oras/blob/release-1.1/internal/credential/store.go#L31-L38

import (
	credentials "github.com/oras-project/oras-credentials-go"
)

// NewStore generates a store based on the passed-in config file paths.
func NewStore(configPaths ...string) (credentials.Store, error) {
	opts := credentials.StoreOptions{AllowPlaintextPut: true}
	if len(configPaths) == 0 {
		// use default docker config file path
		return credentials.NewStoreFromDocker(opts)
	}

	var stores []credentials.Store
	for _, config := range configPaths {
		store, err := credentials.NewStore(config, opts)
		if err != nil {
			return nil, err
		}
		stores = append(stores, store)
	}
	return credentials.NewStoreWithFallbacks(stores[0], stores[1:]...), nil
}

3. actual

If such content is in my credentials, incompatible changes will occur.

{
    "auths": {
        "https://xxx.dkr.ecr.us-west-2.amazonaws.com": {
            "username": "AWS",
            "password": "",
            "auth": "",
            "email": "[email protected]"
        }
    }
}

4. expected

I can only alter the credentials into the following format for the new oras to recognize.

{
    "auths": {
        "xxx.dkr.ecr.us-west-2.amazonaws.com": {
            "username": "AWS",
            "password": "",
            "auth": "",
            "email": "[email protected]"
        }
    }
}

The text was updated successfully, but these errors were encountered:

l-qing · 2023-11-21T15:59:47Z

This may be a duplicate of this issue:

legacy docker config is not supported: legacy docker config is not supported oras#1143
build(deps): bump github.com/oras-project/oras-credentials-go from 0.2.0 to 0.3.1 oras#1145

l-qing closed this as completed Nov 21, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

The way to obtain Docker credentials is not compatible with Docker CLI #102

The way to obtain Docker credentials is not compatible with Docker CLI #102

l-qing commented Nov 21, 2023

l-qing commented Nov 21, 2023

The way to obtain Docker credentials is not compatible with Docker CLI #102

The way to obtain Docker credentials is not compatible with Docker CLI #102

Comments

l-qing commented Nov 21, 2023

I upgraded oras from 0.16 to 1.1 and found an incompatible change.

The analysis is as follows:

1. Logic in oras 0.16

2. Logic in oras 1.1

3. actual

4. expected

l-qing commented Nov 21, 2023

1. Logic in `oras` 0.16

2. Logic in `oras` 1.1