mirror of https://github.com/docker/cli.git
d6ce04640f
The Docker CLI supports storing/managing credentials without a credential-helper, in which case credentials are fetched from/saved to the CLI config file (`~/.docker/config.json`). This is all managed entirely by the CLI itself, without resort to a separate binary. There are a few issues with this approach – for one, saving the credentials together with all the configurations make it impossible to share one without the other, so one can't for example bind mount the config file into a container without also including all configured credentials. Another issue is that this has made it so that any other clients accessing registry credentials (such as https://github.com/google/go-containerregistry) all have to both: - read/parse the CLI `config.json`, to check for credentials there, which also means they're dependent on this type and might break if the type changes/we need to be careful not to break other codebases parsing this file, and can't change the location where plaintext credentials are stored. - support the credential helper protocol, so that they can access credentials when users do have configured credential helpers. This means that if we want to do something like support oauth credentials by having credential-helpers refresh oauth tokens before returning them, we have to both implement that in each credential-helper and in the CLI itself, and any client directly reading `config.json` will also need to implement this logic. This commit turns the Docker CLI binary into a multicall binary, acting as a standalone credentials helper when invoked as `docker-credential-file`, while still storing/fetching credentials from the configuration file (`~/.docker/config.json`), and without any further changes. This represents a first step into aligning the "no credhelper"/plaintext flow with the "credhelper" flow, meaning that instead of this being an exception where credentials must be read directly from the config file, credentials can now be accessed in the exact same way as with other credential helpers – by invoking `docker-credential-[credhelper name]`, such as `docker-credential-pass`, `docker-credential-osxkeychain` or `docker-credential-wincred`. This would also make it possible for any other clients accessing credentials to untangle themselves from things like the location of the credentials, parsing credentials from `config.json`, etc. and instead simply support the credential-helper protocol, and call the `docker-credential-file` binary as they do others. Signed-off-by: Laura Brehm <laurabrehm@hey.com> |
||
|---|---|---|
| .github | ||
| cli | ||
| cli-plugins | ||
| cmd/docker | ||
| contrib/completion | ||
| dockerfiles | ||
| docs | ||
| e2e | ||
| experimental | ||
| hack/otel | ||
| internal/test | ||
| man | ||
| opts | ||
| pkg/kvfile | ||
| scripts | ||
| service/logs | ||
| templates | ||
| vendor | ||
| .dockerignore | ||
| .gitattributes | ||
| .gitignore | ||
| .golangci.yml | ||
| .mailmap | ||
| AUTHORS | ||
| CONTRIBUTING.md | ||
| Dockerfile | ||
| LICENSE | ||
| MAINTAINERS | ||
| Makefile | ||
| NOTICE | ||
| README.md | ||
| SECURITY.md | ||
| TESTING.md | ||
| VERSION | ||
| codecov.yml | ||
| docker-bake.hcl | ||
| docker.Makefile | ||
| vendor.mod | ||
| vendor.sum | ||
README.md
Docker CLI
About
This repository is the home of the Docker CLI.
Development
docker/cli is developed using Docker.
Build CLI from source:
docker buildx bake
Build binaries for all supported platforms:
docker buildx bake cross
Build for a specific platform:
docker buildx bake --set binary.platform=linux/arm64
Build dynamic binary for glibc or musl:
USE_GLIBC=1 docker buildx bake dynbinary
Run all linting:
docker buildx bake lint shellcheck
Run test:
docker buildx bake test
List all the available targets:
make help
In-container development environment
Start an interactive development environment:
make -f docker.Makefile shell
Legal
Brought to you courtesy of our legal counsel. For more context, see the NOTICE document in this repo.
Use and transfer of Docker may be subject to certain restrictions by the United States and other governments.
It is your responsibility to ensure that your use and/or transfer does not violate applicable laws.
For more information, see https://www.bis.doc.gov
Licensing
docker/cli is licensed under the Apache License, Version 2.0. See LICENSE for the full license text.