From 711fcaeb2506bed9497e0b0d90d719f62098901c Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Thu, 17 Apr 2025 11:32:17 +0200 Subject: [PATCH] cli/command/container: --use-api-socket: don't write empty credentials Before this patch, a valid, but empty set of credentials would still write a config-file to the container and set `DOCKER_CONFIG`: mkdir -p tmpConfig export DOCKER_CONFIG=$PWD/tmpConfig echo '{}' > "${DOCKER_CONFIG}/config.json" docker run --rm --use-api-socket alpine cat /run/secrets/docker/config.json { "auths": {} } echo '{"auths": {}}' > "${DOCKER_CONFIG}/config.json" docker run --rm --use-api-socket alpine cat /run/secrets/docker/config.json { "auths": {} } echo '{"auths": {"https://index.docker.io/v1/": {"auth": "am9lam9lOmhlbGxv"}}}' > "${DOCKER_CONFIG}/config.json" docker run --rm --use-api-socket alpine cat /run/secrets/docker/config.json { "auths": { "https://index.docker.io/v1/": { "auth": "am9lam9lOmhlbGxv" } } } With this patch, the `DOCKER_CONFIG` env-var and config-file are only created if we have credentials to set; mkdir -p tmpConfig export DOCKER_CONFIG=$PWD/tmpConfig echo '{}' > "${DOCKER_CONFIG}/config.json" docker run --rm --use-api-socket alpine cat /run/secrets/docker/config.json cat: can't open '/run/secrets/docker/config.json': No such file or directory echo '{"auths": {}}' > "${DOCKER_CONFIG}/config.json" docker run --rm --use-api-socket alpine cat /run/secrets/docker/config.json cat: can't open '/run/secrets/docker/config.json': No such file or directory echo '{"auths": {"https://index.docker.io/v1/": {"auth": "am9lam9lOmhlbGxv"}}}' > "${DOCKER_CONFIG}/config.json" docker run --rm --use-api-socket alpine cat /run/secrets/docker/config.json { "auths": { "https://index.docker.io/v1/": { "auth": "am9lam9lOmhlbGxv" } } } Signed-off-by: Sebastiaan van Stijn --- cli/command/container/create.go | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) 
diff --git a/cli/command/container/create.go b/cli/command/container/create.go
index bba18880aa..8d29cbf2a5 100644
--- a/cli/command/container/create.go
+++ b/cli/command/container/create.go
@@ -304,16 +304,17 @@ func createContainer(ctx context.Context, dockerCli command.Cli, containerCfg *c
 // If the DOCKER_CONFIG env var is already present, we assume the client knows
 // what they're doing and don't inject the creds.
 if !envvarPresent {
- // Set our special little location for the config file.
- containerCfg.Config.Env = append(containerCfg.Config.Env,
- "DOCKER_CONFIG="+path.Dir(dockerConfigPathInContainer))
-
 // Resolve this here for later, ensuring we error our before we create the container.
 creds, err := dockerCli.ConfigFile().GetAllCredentials()
 if err != nil {
 return "", fmt.Errorf("resolving credentials failed: %w", err)
 }
- apiSocketCreds = creds // inject these after container creation.
+ if len(creds) > 0 {
+ // Set our special little location for the config file.
+ containerCfg.Config.Env = append(containerCfg.Config.Env, "DOCKER_CONFIG="+path.Dir(dockerConfigPathInContainer))
+
+ apiSocketCreds = creds // inject these after container creation.
+ }
 }
 }
@@ -371,7 +372,7 @@ func createContainer(ctx context.Context, dockerCli command.Cli, containerCfg *c
 }
 err = containerIDFile.Write(containerID)
- if options.useAPISocket && apiSocketCreds != nil {
+ if options.useAPISocket && len(apiSocketCreds) > 0 {
 // Create a new config file with just the auth.
 newConfig := &configfile.ConfigFile{
 AuthConfigs: apiSocketCreds,
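Review bot: The new `if len(creds) > 0` branch in the first hunk still hands the container everything `GetAllCredentials()` returned, and no comment at that site says so. A comment on the branch would make the exposure explicit, e.g. `// NOTE: every registry credential the CLI resolved is copied into the container, not only the ones this image needs.` Separately, `len(creds) > 0` counts map entries, so an entry carrying no usable auth data would presumably still set `DOCKER_CONFIG` and write the file. Whether `GetAllCredentials()` can return such entries is not visible here and is worth confirming. The body of createContainer starts and ends outside the hunk.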
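Review bot: The guard `options.useAPISocket && len(apiSocketCreds) > 0` in the second hunk relies on an invariant that is established only in the first hunk and documented at neither site: `apiSocketCreds` is assigned only in the branch that also appends `DOCKER_CONFIG` to the container env. If a later edit separates the two, the env var could point at a directory with no config.json, or credentials could be written to a path the CLI in the container never reads. A one-line comment above the condition would pin the coupling, e.g. `// apiSocketCreds is non-empty only when DOCKER_CONFIG was added to the container env above.` The block that writes the file continues past the end of the hunk.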