Commit Graph

1691 Commits

Author SHA1 Message Date
Sebastiaan van Stijn f75abad8a1
Merge pull request #5401 from laurazard/login-non-tty-standardize
login: handle non-tty scenario consistently
2024-09-03 16:36:14 +02:00
Laura Brehm bbb6e7643d
login: handle non-tty scenario consistently
Running `docker login` in a non-interactive environment sometimes errors
out if no username/pwd is provided. This handling is somewhat
inconsistent – this commit addresses that.

Before:
| `--username` | `--password` | Result                                                             |
|:------------:|:------------:| ------------------------------------------------------------------ |
|            |            |                                                                  |
|            |            | `Error: Cannot perform an interactive login from a non TTY device` |
|            |            | `Error: Cannot perform an interactive login from a non TTY device` |
|            |            | hangs                                                              |

After:
| `--username` | `--password` | Result                                                             |
|:------------:|:------------:| ------------------------------------------------------------------ |
|            |            |                                                                  |
|            |            | `Error: Cannot perform an interactive login from a non TTY device` |
|            |            | `Error: Cannot perform an interactive login from a non TTY device` |
|            |            | `Error: Cannot perform an interactive login from a non TTY device` |

It's worth calling out a separate scenario – if there are previous,
valid credentials, then running `docker login` with no username or
password provided will use the previously stored credentials, and not
error out.

```console
cat ~/.docker/config.json
{
        "auths": {
                "https://index.docker.io/v1/": {
                        "auth": "xxxxxxxxxxx"
                }
        }
}
⭑ docker login 0>/dev/null
Authenticating with existing credentials...

Login Succeeded
```

This commit also applies the same non-interactive handling logic to the
new web-based login flow, which means that now, if there are no prior
credentials stored and a user runs `docker login`, instead of initiating
the new web-based login flow, an error is returned.

Signed-off-by: Laura Brehm <laurabrehm@hey.com>
2024-09-03 14:26:11 +01:00
Sebastiaan van Stijn e3676d233e
Merge pull request #5386 from dvdksn/docker-login-docs-touchup
docs: update docker login reference
2024-09-03 12:15:08 +02:00
David Karlsson 2f206fff3c docs: update docker login reference
Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
2024-09-03 11:38:05 +02:00
Laura Brehm e532eead91
login: use normalized hostname when storing
Normalization/converting the registry address to just a hostname happens
inside of `command.GetDefaultAuthConfig`. Use this value for the rest of
the login flow/storage.

Signed-off-by: Laura Brehm <laurabrehm@hey.com>
2024-08-30 15:43:20 +01:00
Laura Brehm dab9674db9
Revert "login: normalize `registry-1.docker.io`"
This reverts commit e6624676e0.

Since e6624676e0, during login, we started
normalizing `registry-1.docker.io` to `index.docker.io`. This means that
if a user logs in with `docker login -u [username]
registry-1.docker.io`, the user's credentials get stored in
credhelpers/config.json under `https://index.docker.io/v1/`.

However, while the registry code normalizes an image reference without
registry (`docker pull alpine:latest`) and image references explicitly for
`index.docker.io` (`docker pull index.docker.io/library/alpine:latest`)
to the official index server (`https://index.docker.io/v1/`), and
fetches credentials for that auth key, it does not normalize
`registry-1.docker.io`, which means pulling explicitly from there
(`docker pull registry-1.docker.io/alpine:latest`) will not use
credentials stored under `https://index.docker.io/v1/`.

As such, until changes are made to the registry/pull/push code to
normalize `registry-1.docker.io` to `https://index.docker.io/v1/`, we
should not normalize this during login.

Signed-off-by: Laura Brehm <laurabrehm@hey.com>
2024-08-29 12:16:05 +01:00
Sebastiaan van Stijn f101f07a7b
cli/command: fix n-constant format string in call (govet)
cli/command/utils.go:225:29: printf: non-constant format string in call to github.com/pkg/errors.Wrapf (govet)
                return errors.Wrapf(err, fmt.Sprintf("invalid output path: %q must be a directory or a regular file", path))
                                         ^
    cli/command/manifest/cmd.go:21:33: printf: non-constant format string in call to fmt.Fprintf (govet)
                fmt.Fprintf(dockerCli.Err(), "\n"+cmd.UsageString())
                                             ^
    cli/command/service/remove.go:45:24: printf: non-constant format string in call to github.com/pkg/errors.Errorf (govet)
            return errors.Errorf(strings.Join(errs, "\n"))
                                 ^
    cli/command/service/scale.go:93:23: printf: non-constant format string in call to github.com/pkg/errors.Errorf (govet)
        return errors.Errorf(strings.Join(errs, "\n"))
                             ^
    cli/command/stack/swarm/remove.go:74:24: printf: non-constant format string in call to github.com/pkg/errors.Errorf (govet)
            return errors.Errorf(strings.Join(errs, "\n"))
                                 ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-08-26 13:52:49 +02:00
Sebastiaan van Stijn cc1d7b7ac9
cli/command/system: remove redundant nil-check (gosimple)
cli/command/system/info.go:375:5: S1009: should omit nil check; len() for []github.com/docker/docker/api/types/system.NetworkAddressPool is defined as zero (gosimple)
        if info.DefaultAddressPools != nil && len(info.DefaultAddressPools) > 0 {
           ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-08-26 13:44:42 +02:00
Sebastiaan van Stijn d47c36debb
Merge pull request #5363 from akerouanton/fix-ps-pbs
cli/formatter: bracket IPv6 addrs prepended to ports
2024-08-20 17:51:14 +02:00
Albin Kerouanton 964155cd27 cli/formatter: bracket IPv6 addrs prepended to ports
On `docker ps`, port bindings with an IPv6 HostIP should have their
addresses put into brackets when joining them to their ports.

RFC 3986 (Section 3.2.2) stipulates that IPv6 addresses should be
enclosed within square brackets. This RFC is only about URIs. However,
doing so here helps user identifier what's part of the IP address and
what's the port. It also makes it easier to copy/paste that
'[addr]:port' into other software (including browsers).

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2024-08-20 17:32:27 +02:00
Laura Brehm 986b077a53
Merge pull request #5361 from laurazard/add-oauth-login-escape-hatch
login: add oauth escape hatch
2024-08-20 12:31:07 +01:00
Laura Brehm 846ecf59ff
login: add oauth escape hatch
Signed-off-by: Laura Brehm <laurabrehm@hey.com>
2024-08-20 11:16:55 +01:00
Paweł Gronowski 7b91647943
list/tree: No extra spacing for graphdriver
Don't output the extra spacing around the images when none of the
top-level image entries has any children.

This makes the list look better when ran against the graphdrivers image
store.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-08-19 12:09:37 +02:00
Paweł Gronowski 351249dce9
list/tree: Print <untagged> as dangling image name
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-08-16 16:36:33 +02:00
Paweł Gronowski 6979ab073c
list/tree: Fix some escape codes included in nonTTY
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-08-16 16:35:46 +02:00
Paweł Gronowski a9b78da546
list/tree: Add spacing before the content and first image
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-08-16 15:10:00 +02:00
Paweł Gronowski 0242a1e3c6
list/tree: Capitalize column headers
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-08-16 15:09:59 +02:00
Paweł Gronowski d417d06682
list/tree: Add an experimental warning
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-08-16 15:09:57 +02:00
Paweł Gronowski b1a08f7841
list/tree: Sort by created date
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-08-16 15:09:55 +02:00
Paweł Gronowski 18ab78882c
list/tree: Align number right, text left
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-08-16 15:09:54 +02:00
Paweł Gronowski ea8aafcd9e
cli/tree: Add `Content size` column
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-08-16 15:09:52 +02:00
Paweł Gronowski be11b74ee9
image/list: Add `--tree` flag
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-08-16 15:09:51 +02:00
Laura Brehm c3fe7bc336
fallback to regular login if oauth login fails to start
Signed-off-by: Laura Brehm <laurabrehm@hey.com>
2024-08-14 19:48:09 +01:00
Laura Brehm e6624676e0
login: normalize `registry-1.docker.io`
Signed-off-by: Laura Brehm <laurabrehm@hey.com>
2024-08-14 19:48:07 +01:00
Laura Brehm 6e4818e7d6
Refactor `cli/command/registry`
Signed-off-by: Laura Brehm <laurabrehm@hey.com>
2024-08-14 19:48:05 +01:00
Laura Brehm fcfdd7b91f
auth: add support for oauth device-code login
This commit adds support for the oauth [device-code](https://auth0.com/docs/get-started/authentication-and-authorization-flow/device-authorization-flow)
login flow when authenticating against the official registry.

This is achieved by adding `cli/internal/oauth`, which contains code to manage
interacting with the Docker OAuth tenant (`login.docker.com`), including launching
the device-code flow, refreshing access using the refresh-token, and logging out.

The `OAuthManager` introduced here is also made available through the `command.Cli`
interface method `OAuthManager()`.

In order to maintain compatibility with any clients manually accessing
the credentials through `~/.docker/config.json` or via credential
helpers, the added `OAuthManager` uses the retrieved access token to
automatically generate a PAT with Hub, and store that in the
credentials.

Signed-off-by: Laura Brehm <laurabrehm@hey.com>
2024-08-14 19:48:04 +01:00
Laura Brehm ddd4c39930
Merge pull request #5303 from laurazard/fix-flaky-runattach-test
tests/run: fix flaky `RunAttachTermination` test
2024-07-29 13:43:31 +01:00
Laura Brehm eac83574c1
tests/run: fix flaky `RunAttachTermination` test
This test was just incorrect (and testing incorrect
behavior): it was checking that `docker run` exited with a `context
canceled` error after signalling the CLI/cancelling the command's
context, but this was incorrect (and was fixed in
991b1303da - which was when this test
started failing).

However, since this test assertion was happening inside of a goroutine,
it would sometimes pass if this assertion didn't get to run before the
test suite terminated. It was flaky because sometimes this assertion
inside the goroutine did get to execute, but after the test finished
execution, which is a big no-no.

As an aside, assertions inside goroutines are generally bad, and `govet`
even has a linter for this (but it only catches `t.Fatal` and `t.FailNow`
calls and not `assert.Xx`.

Signed-off-by: Laura Brehm <laurabrehm@hey.com>
2024-07-29 13:29:12 +01:00
Laura Brehm 7b46bfc5ac
attach: wait for exit code from `ContainerWait`
Such as with `docker run`, if a user CTRL-Cs while attached to a
container, we should forward the signal and wait for the exit from
`ContainerWait`, instead of just returning.

Signed-off-by: Laura Brehm <laurabrehm@hey.com>
2024-07-26 14:05:31 +01:00
Laura Brehm 66aa0f672c
attach: don't return context cancelled error
In 3f0d90a2a9 we introduced a global
signal handler and made sure all the contexts passed into command
execution get (appropriately) cancelled when we get a SIGINT.

Due to that change, and how we use this context during `docker attach`,
we started to return the context cancelation error when a user signals
the running `docker attach`.

Since this is the intended behavior, we shouldn't return an error, so
this commit adds checks to ignore this specific error in this case.

Also adds a regression test.

Signed-off-by: Laura Brehm <laurabrehm@hey.com>
2024-07-25 00:49:33 +01:00
Laura Brehm 8f20c9a238
Merge pull request #5259 from thaJeztah/move_file_warning
cli/config/credentials: move warning to fileStore
2024-07-22 17:59:14 +01:00
Sebastiaan van Stijn d5f90ed547
Merge pull request #5236 from thaJeztah/cleanup_run_errors
cli/command/container: remove reportError, and put StatusError to use
2024-07-22 17:56:16 +02:00
Sebastiaan van Stijn 6559d86217
Merge pull request #5145 from psaintlaurent/ENGINE-903
Add OomScoreAdj to "docker service create" and "docker compose"
2024-07-19 19:09:28 +02:00
plaurent aa2c2cd906 Allow for OomScoreAdj
Signed-off-by: plaurent <patrick@saint-laurent.us>
2024-07-19 13:02:01 -04:00
Sebastiaan van Stijn 6638deb9d6
add support for DOCKER_CUSTOM_HEADERS env-var (experimental)
This environment variable allows for setting additional headers
to be sent by the client. Headers set through this environment
variable are added to headers set through the config-file (through
the HttpHeaders field).

This environment variable can be used in situations where headers
must be set for a specific invocation of the CLI, but should not
be set by default, and therefore cannot be set in the config-file.

WARNING: If both config and environment-variable are set, the environment
variable currently overrides all headers set in the configuration file.
This behavior may change in a future update, as we are considering the
environment variable to be appending to existing headers (and to only
override headers with the same name).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-19 15:04:26 +02:00
Sebastiaan van Stijn ab80ea355f
cli/config/credentials: move warning to fileStore
The fileStore itself is aware that it's insecure, so we can make it
responsible for printing the warning. It's not "perfect", as we use
`os.Stderr` unconditionally (not `dockerCli.Err()`), but probably won't
make a difference in _most_ cases.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-19 01:42:01 +02:00
Sebastiaan van Stijn fcefe44bda
login: slightly cleanup warning about unencrypted store
- Add an empty line before the warning to separate it from the command's output
- Use the `/go/` redirect URL that we have available.
- Put quotes around the filename used for storage.
- Use present tense for the message, as the message is printed while saving.
- User "credentials" instead of "password" for consistency with "credentials-store"

Before:

    docker login myregistry.example.com
    Username: thajeztah
    Password:
    WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/engine/reference/commandline/login/#credential-stores

    Login Succeeded

After:

    docker login myregistry.example.com
    Username: thajeztah
    Password:

    WARNING! Your credentials are stored unencrypted in '/root/.docker/config.json'.
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/go/credential-store/

    Login Succeeded

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-18 18:22:13 +02:00
Sebastiaan van Stijn a78ab63801
login: don't print "unencrypted" warning when failing to save credentials
If we fail to save credentials, make sure that the error about saving
doesn't get lost in the warning about credentials being stored unencrypted.

Also discard errors about printing the warning, as those would be unlikely,
and if they would occur, probably would fail to be printed as well.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-18 18:15:12 +02:00
Sebastiaan van Stijn 90058df305
cli/command/container: remove reportError, and put StatusError to use
The `reportError` utility was present because cli.StatusError would print
the error decorated with `Status: <error-message>, Code: <exit-code>`.
That was not desirable in many cases as it would mess-up the output. To
prevent this, the CLI had code to check for an empty `Status` (error message)
in which case the error would be "ignored" (and only used for the exit-status),
and the `reportError` utility would be used to manually print a custom error
message before returning the error.

Now that bca2090061 fixed the output format
of `cli.StatusError`, and 3dd6fc365d and
350a0b68a9 no longer discard these error,
we can get rid of this utility, and just set the error-message for
the status-error.

This patch:

- Introduces a `withHelp` which takes care of decorating errors with
  a "Run --help" hint for the user.
- Introduces a `toStatusError` utility that detects certain errors in
  the container to assign a corresponding exit-code (these error-codes
  can be used to distinguish "client" errors from "container" errors).
- Removes the `reportError` utility, and removes code that manually
  printed errors before returning.

Behavior is mostly unmodified, with the exception of some slight reformatting
of the errors:

- `withHelp` adds a `docker:` prefix to the error, to indicate the error
  is produced by the `docker` command. This prefix was already present
  in most cases.
- The "--help" hint is slightly updated ("Run 'docker run --help' for
  more information" instead of "See 'docker run --help'"), to make it
  more clear that it's a "call to action".
- An empty is added before the "--help" hint to separate it better from
  the error-message.

Before this patch:

    $ docker run --pull=invalid-option alpine
    docker: invalid pull option: 'invalid-option': must be one of "always", "missing" or "never".
    See 'docker run --help'.
    $ echo $?
    125

    $ docker run --rm alpine nosuchcommand
    docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: "nosuchcommand": executable file not found in $PATH: unknown.
    $ echo $?
    127

With this patch:

    $ docker run --pull=invalid-option alpine
    docker: invalid pull option: 'invalid-option': must be one of "always", "missing" or "never"

    Run 'docker run --help' for more information
    $ echo $?
    125

    $ docker run --rm alpine nosuchcommand
    docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: "nosuchcommand": executable file not found in $PATH: unknown.

    Run 'docker run --help' for more information
    $ echo $?
    127

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-17 15:59:30 +02:00
Sebastiaan van Stijn b1c0ddca02
cli/command/container: add completion for --stop-signal
With this patch:

    docker run --stop-signal <TAB>
    ABRT  IOT      RTMAX-4   RTMIN     RTMIN+11  TSTP
    ALRM  KILL     RTMAX-5   RTMIN+1   RTMIN+12  TTIN
    BUS   PIPE     RTMAX-6   RTMIN+2   RTMIN+13  TTOU
    CHLD  POLL     RTMAX-7   RTMIN+3   RTMIN+14  URG
    CLD   PROF     RTMAX-8   RTMIN+4   RTMIN+15  USR1
    CONT  PWR      RTMAX-9   RTMIN+5   SEGV      USR2
    FPE   QUIT     RTMAX-10  RTMIN+6   STKFLT    VTALRM
    HUP   RTMAX    RTMAX-11  RTMIN+7   STOP      WINCH
    ILL   RTMAX-1  RTMAX-12  RTMIN+8   SYS       XCPU
    INT   RTMAX-2  RTMAX-13  RTMIN+9   TERM      XFSZ
    IO    RTMAX-3  RTMAX-14  RTMIN+10  TRAP

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-17 01:25:34 +02:00
Sebastiaan van Stijn d6f78cdbb1
cli/command/container: add completion for --volumes-from
With this patch:

    docker run --volumes-from amazing_nobel
    amazing_cannon     boring_wozniak         determined_banzai
    elegant_solomon    reverent_booth         amazing_nobel

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-17 01:25:34 +02:00
Sebastiaan van Stijn 7fe7223c2c
cli/command/container: add completion for --restart
With this patch:

    docker run --restart <TAB>
    always  no  on-failure  unless-stopped

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-17 01:25:34 +02:00
Sebastiaan van Stijn f30158dbf8
cli/command/container: add completion for --cap-add, --cap-drop
With this patch:

    docker run --cap-add <TAB>
    ALL                     CAP_KILL                CAP_SETUID
    CAP_AUDIT_CONTROL       CAP_LEASE               CAP_SYSLOG
    CAP_AUDIT_READ          CAP_LINUX_IMMUTABLE     CAP_SYS_ADMIN
    CAP_AUDIT_WRITE         CAP_MAC_ADMIN           CAP_SYS_BOOT
    CAP_BLOCK_SUSPEND       CAP_MAC_OVERRIDE        CAP_SYS_CHROOT
    CAP_BPF                 CAP_MKNOD               CAP_SYS_MODULE
    CAP_CHECKPOINT_RESTORE  CAP_NET_ADMIN           CAP_SYS_NICE
    CAP_CHOWN               CAP_NET_BIND_SERVICE    CAP_SYS_PACCT
    CAP_DAC_OVERRIDE        CAP_NET_BROADCAST       CAP_SYS_PTRACE
    CAP_DAC_READ_SEARCH     CAP_NET_RAW             CAP_SYS_RAWIO
    CAP_FOWNER              CAP_PERFMON             CAP_SYS_RESOURCE
    CAP_FSETID              CAP_SETFCAP             CAP_SYS_TIME
    CAP_IPC_LOCK            CAP_SETGID              CAP_SYS_TTY_CONFIG
    CAP_IPC_OWNER           CAP_SETPCAP             CAP_WAKE_ALARM

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-17 01:25:33 +02:00
Sebastiaan van Stijn 162d9748b9
cli/command/container: provide flag-completion for "docker create"
"docker run" and "docker create" are mostly identical, so we can copy
the same completion functions,

We could possibly create a utility for this (similar to `addFlags()` which
configures both commands with the flags they share). I considered combining
his with `addFlags()`, but that utility is also used in various tests, in
which we don't need this feature, so keeping that for a future exercise.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-17 01:25:33 +02:00
Sebastiaan van Stijn 5e7bcbeac6
cli/command/completion: add FromList utility
It's an alias for cobra.FixedCompletions but takes a variadic list
of strings, so that it's not needed to construct an array for this.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-17 01:25:33 +02:00
Sebastiaan van Stijn e3427f341b
cli/command/completion: add EnvVarNames utility
EnvVarNames offers completion for environment-variable names. This
completion can be used for "--env" and "--build-arg" flags, which
allow obtaining the value of the given environment-variable if present
in the local environment, so we only should complete the names of the
environment variables, and not their value. This also prevents the
completion script from printing values of environment variables
containing sensitive values.

For example;

    export MY_VAR=hello
    docker run --rm --env MY_VAR alpine printenv MY_VAR
    hello

Before this patch:

    docker run --env GO
    GO111MODULE=auto        GOLANG_VERSION=1.21.12  GOPATH=/go              GOTOOLCHAIN=local

With this patch:

    docker run --env GO<tab>
    GO111MODULE     GOLANG_VERSION  GOPATH          GOTOOLCHAIN

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-17 01:25:32 +02:00
Sebastiaan van Stijn 9207ff1046
cli/command/completion: add FileNames utility
This is just a convenience function to allow defining completion to
use the default (complete with filenames and directories).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-17 01:25:32 +02:00
Sebastiaan van Stijn eed0e5b02a
cli/command/container: NewRunCommand: slight cleanup of completion
- explicitly suppress unhandled errors
- remove names for unused arguments

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-17 01:25:32 +02:00
Sebastiaan van Stijn ce4469a696
Merge pull request #5234 from thaJeztah/nicer_missing_commands
cli: improve output and consistency for unknown (sub)commands
2024-07-17 01:22:03 +02:00
Paweł Gronowski dc23e77507
Merge pull request #5247 from Benehiko/hotfix-sigterm-container
fix: container stream should not be terminated by ctx
2024-07-12 14:44:10 +02:00