1berry/docker-cli
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

cli/command/container: --use-api-socket: don't write empty credentials

Browse Source 
Before this patch, a valid, but empty set of credentials would still
write a config-file to the container and set `DOCKER_CONFIG`:

    mkdir -p tmpConfig
    export DOCKER_CONFIG=$PWD/tmpConfig

    echo '{}' > "${DOCKER_CONFIG}/config.json"
    docker run --rm --use-api-socket alpine cat /run/secrets/docker/config.json
    {
        "auths": {}
    }

    echo '{"auths": {}}' > "${DOCKER_CONFIG}/config.json"
    docker run --rm --use-api-socket alpine cat /run/secrets/docker/config.json
    {
        "auths": {}
    }

    echo '{"auths": {"https://index.docker.io/v1/": {"auth": "am9lam9lOmhlbGxv"}}}' > "${DOCKER_CONFIG}/config.json"
    docker run --rm --use-api-socket alpine cat /run/secrets/docker/config.json
    {
        "auths": {
            "https://index.docker.io/v1/": {
                "auth": "am9lam9lOmhlbGxv"
            }
        }
    }

With this patch, the `DOCKER_CONFIG` env-var and config-file are only created
if we have credentials to set;

    mkdir -p tmpConfig
    export DOCKER_CONFIG=$PWD/tmpConfig

    echo '{}' > "${DOCKER_CONFIG}/config.json"
    docker run --rm --use-api-socket alpine cat /run/secrets/docker/config.json
    cat: can't open '/run/secrets/docker/config.json': No such file or directory

    echo '{"auths": {}}' > "${DOCKER_CONFIG}/config.json"
    docker run --rm --use-api-socket alpine cat /run/secrets/docker/config.json
    cat: can't open '/run/secrets/docker/config.json': No such file or directory

    echo '{"auths": {"https://index.docker.io/v1/": {"auth": "am9lam9lOmhlbGxv"}}}' > "${DOCKER_CONFIG}/config.json"
    docker run --rm --use-api-socket alpine cat /run/secrets/docker/config.json
    {
        "auths": {
            "https://index.docker.io/v1/": {
                "auth": "am9lam9lOmhlbGxv"
            }
        }
    }

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit is contained in:
Sebastiaan van Stijn 2025-04-17 11:32:17 +02:00
parent 79ab3cb0e8
commit 711fcaeb25
No known key found for this signature in database
GPG Key ID: 76698F39D527CE8C
1 changed files with 7 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
cli/command/container/create.go
View File

@ -304,16 +304,17 @@ func createContainer(ctx context.Context, dockerCli command.Cli, containerCfg *c
// If the DOCKER_CONFIG env var is already present, we assume the client knows
// what they're doing and don't inject the creds.
if !envvarPresent {
// Set our special little location for the config file.
containerCfg.Config.Env = append(containerCfg.Config.Env,
"DOCKER_CONFIG="+path.Dir(dockerConfigPathInContainer))
// Resolve this here for later, ensuring we error our before we create the container.
creds, err := dockerCli.ConfigFile().GetAllCredentials()
if err != nil {
return "", fmt.Errorf("resolving credentials failed: %w", err)
}
apiSocketCreds = creds // inject these after container creation.
if len(creds) > 0 {
// Set our special little location for the config file.
containerCfg.Config.Env = append(containerCfg.Config.Env, "DOCKER_CONFIG="+path.Dir(dockerConfigPathInContainer))
apiSocketCreds = creds // inject these after container creation.
}
}
}
@ -371,7 +372,7 @@ func createContainer(ctx context.Context, dockerCli command.Cli, containerCfg *c
}
err = containerIDFile.Write(containerID)
if options.useAPISocket && apiSocketCreds != nil {
if options.useAPISocket && len(apiSocketCreds) > 0 {
// Create a new config file with just the auth.
newConfig := &configfile.ConfigFile{
AuthConfigs: apiSocketCreds,