Is there any way to log a whole machine / Docker daemon into a registry?
Everything I see about docker login and various proprietary credentials helpers uses ~/.docker/config.json, i.e. is per-user.
I have a situation where I would like to pull images from a private registry; multiple people have both arbitrary sudo access on those machines and should be able to use Docker against our registry.
Since Docker access should be read as root access to a machine anyway (i.e. user credentials are not mutually safe if they can run Docker), and sudo access is the same but directly, I would like to just cut to the chase and log the whole machine in without every user having to jump through hoops.
I could provide one file that everyone could link to their config.json, but I would prefer if it was just taken care of from the first login on each machine.
Three options come to mind:
1. Don't make the image private, and instead allow anyone to pull the image that can access the registry server. This is fairly common in environments since the image should only contain the libraries and binaries to run the application, not configuration files, secrets, or data, that would be injected at runtime or stored in a volume.
2. If everyone has sudo access, run the docker commands from sudo, including the login. The credentials will be stored under the root user's ~/.docker/config.json.
3. Make your own credential helper that just outputs the login to the host. The credential helper interface is pretty simple, 4 operations (store, get, list, erase) that could be implemented in a shell script. And for logins, you'd probably only need the get operation.
That credential helper script could look like a script called docker-credential-your-helper (where your-helper can be a name of your choosing):

Make that file executable and place it in the path. Then every user's ~/.docker/config.json would have a credential helper entry (note that docker-credential- is not included in this file, only the portion of the filename after that):
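
An added example, not the script from the original answer: a machine-wide helper of the kind option 3 describes, which answers get and list from one administrator-managed file and refuses store and erase. The helper name host-login, the path /etc/docker/registry-credentials and its one-line-per-registry format are assumptions made for this example.

```shell
#!/bin/sh
# docker-credential-host-login (hypothetical name): machine-wide, read-only helper.
# Assumption: CRED_FILE holds one "<server> <username> <secret>" line per registry.
CRED_FILE="${CRED_FILE:-/etc/docker/registry-credentials}"

# Escape backslashes and double quotes so a value is a valid JSON string body.
json_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

cred_helper() {
    case "$1" in
    get)
        # Docker writes the registry server name on stdin.
        read -r want || true
        [ -n "$want" ] || return 1
        while read -r server user secret; do
            [ "$server" = "$want" ] || continue
            printf '{"ServerURL":"%s","Username":"%s","Secret":"%s"}\n' \
                "$(json_escape "$server")" "$(json_escape "$user")" \
                "$(json_escape "$secret")"
            return 0
        done < "$CRED_FILE"
        # Same message Docker's own helpers print for a missing entry.
        echo "credentials not found in native keychain"
        return 1
        ;;
    list)
        # JSON object mapping each server to its username (no secrets).
        sep=''
        printf '{'
        while read -r server user secret; do
            case "$server" in ''|'#'*) continue ;; esac
            printf '%s"%s":"%s"' "$sep" \
                "$(json_escape "$server")" "$(json_escape "$user")"
            sep=','
        done < "$CRED_FILE"
        printf '}\n'
        ;;
    *)
        # store/erase are refused: the file is managed by the administrator.
        echo "operation not supported: $1" >&2
        return 1
        ;;
    esac
}

# Dispatch only when invoked with an operation, as Docker does.
if [ "$#" -gt 0 ]; then
    cred_helper "$@"
    exit $?
fi
```

Installed on the path as docker-credential-host-login, it is selected with a `"credHelpers": {"registry.example.com": "host-login"}` entry in config.json. Because the helper runs as the calling user, the credentials file has to be readable by everyone allowed to pull, so restrict it to that group and store a pull-only token in it.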