desktop-linux icon indicating copy to clipboard operation
desktop-linux copied to clipboard
verified publisher icon docker

Docker Desktop Credential Sync Issue with docker login on Linux

Open Perpetue237 opened this issue 11 months ago • 4 comments

Description

I’m encountering a frustrating issue with Docker Desktop and the CLI on my Linux machine when trying to push images to my private registry. I’m using Docker Desktop and Docker CLI on Linux to interact with my private registry (private host). The docker login command works perfectly fine, and I can authenticate successfully using my credentials. However, when I try to push an image to the registry, Docker uses the wrong credentials, resulting in a 403 Forbidden error during the push.

Observations:

  • When I use Docker CLI alone, everything works as expected.
  • However, when using Docker Desktop, it seems to override or use different credentials stored elsewhere, causing the push to fail.
  • I suspect Docker Desktop and the CLI are not sharing the same ~/.docker/config.json or credential management system.

What I Tried:

  1. Re-logged in multiple times using the correct credentials via the CLI. Login works, but the push fails.
  2. Deleted and recreated ~/.docker/config.json to ensure it’s fresh, but it doesn’t seem to affect the credentials used by Docker Desktop.
  3. In Docker Desktop, I’m logged in with a different account. I suspect it’s overriding the credentials I configure in the CLI.
  4. Checked if Docker Desktop is using a credential helper for storing credentials differently, but I couldn’t find a clear explanation of how it works.
  5. If I don’t use Docker Desktop and rely only on the CLI, pushing works perfectly.

How can I ensure Docker Desktop and the CLI use the same credentials for my private registry? If Docker Desktop uses a separate credential store, how can I force it to use the credentials for my private registry?

Any advice would be greatly appreciated! Best,

Reproduce

  1. docker context use desktop-linux
  2. docker login URL -u username -p password
  3. docker tag imageID URL/image:tag
  4. docker push URL/image:tag `

Expected behavior

pushed

docker version

docker version
Client: Docker Engine - Community
 Version:           27.4.1
 API version:       1.47
 Go version:        go1.22.10
 Git commit:        b9d17ea
 Built:             Tue Dec 17 15:45:42 2024
 OS/Arch:           linux/amd64
 Context:           desktop-linux

Server: Docker Desktop 4.37.1 (178610)
 Engine:
  Version:          27.4.0
  API version:      1.47 (minimum version 1.24)
  Go version:       go1.22.10
  Git commit:       92a8393
  Built:            Sat Dec  7 10:38:57 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.7.21
  GitCommit:        472731909fa34bd7bc9c087e4c27943f9835f111
 runc:
  Version:          1.1.13
  GitCommit:        v1.1.13-0-g58aa920
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client: Docker Engine - Community
 Version:    27.4.1
 Context:    desktop-linux
 Debug Mode: false
 Plugins:
  ai: Ask Gordon - Docker Agent (Docker Inc.)
    Version:  v0.5.1
    Path:     /usr/lib/docker/cli-plugins/docker-ai
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.19.2-desktop.1
    Path:     /usr/lib/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.31.0-desktop.2
    Path:     /usr/lib/docker/cli-plugins/docker-compose
  debug: Get a shell into any image or container (Docker Inc.)
    Version:  0.0.37
    Path:     /usr/lib/docker/cli-plugins/docker-debug
  desktop: Docker Desktop commands (Beta) (Docker Inc.)
    Version:  v0.1.0
    Path:     /usr/lib/docker/cli-plugins/docker-desktop
  dev: Docker Dev Environments (Docker Inc.)
    Version:  v0.1.2
    Path:     /usr/lib/docker/cli-plugins/docker-dev
  extension: Manages Docker extensions (Docker Inc.)
    Version:  v0.2.27
    Path:     /usr/lib/docker/cli-plugins/docker-extension
  feedback: Provide feedback, right in your terminal! (Docker Inc.)
    Version:  v1.0.5
    Path:     /usr/lib/docker/cli-plugins/docker-feedback
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version:  v1.4.0
    Path:     /usr/lib/docker/cli-plugins/docker-init
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version:  0.6.0
    Path:     /usr/lib/docker/cli-plugins/docker-sbom
  scout: Docker Scout (Docker Inc.)
    Version:  v1.15.1
    Path:     /usr/lib/docker/cli-plugins/docker-scout

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 1
 Server Version: 27.4.0
 Storage Driver: overlayfs
  driver-type: io.containerd.snapshotter.v1
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 CDI spec directories:
  /etc/cdi
  /var/run/cdi
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 nvidia runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 472731909fa34bd7bc9c087e4c27943f9835f111
 runc version: v1.1.13-0-g58aa920
 init version: de40ad0
 Security Options:
  seccomp
   Profile: unconfined
  cgroupns
 Kernel Version: 6.10.14-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: x86_64
 CPUs: 16
 Total Memory: 7.408GiB
 Name: docker-desktop
 ID: 56372fe8-4df0-4e2a-9a29-1bf39351017b
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Labels:
  com.docker.desktop.address=unix:///home/user/.docker/desktop/docker-cli.sock
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5555
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: daemon is not using the default seccomp profile

Diagnostics ID

E5466145-6613-49D5-BEB3-25CFB4B69B82/20250110150102

Additional Info

Ubuntu 24.04

Perpetue237 avatar Jan 10 '25 15:01 Perpetue237

Hi @Perpetue237 , Docker Desktop uses pass to store the passwords in a secure way. Can you check the official documentation?

jpbriend avatar Jan 13 '25 09:01 jpbriend

Hello, Yes I know about using this method and this works well to authenticate on private registries hosted on the docker hub. How ever, our registry is hosted on another server. And the authentication requires the user name and the password. This works well when I run docker login url while using other context (for example docker context use default). But it does not work when the context is set to dekstop-lunix.

Perpetue237 avatar Jan 13 '25 09:01 Perpetue237

When I use Docker CLI alone, everything works as expected. Can you clarify this sentence?

The Docker CLI can't do barely anything by itself. It is mostly interacting with the Docker Daemon.

  • when using Docker Desktop, the daemon is running inside a virtual machine, spawned and managed by Docker Desktop
  • when not using Docker Desktop (meaning you have installed docker-ce), the Docker Daemon is running as a Linux service on the machine.

Both versions use ~/.docker/config.json. However the content is different. For example, cresdStore is different (Docker Desktop is not configured by default to store credentials in a plain text file). currentContext is also different. On Desktop, it should be desktop-linux.

Have you tried to install docker-ce and docker-desktop? It is not required (and will probably not work). Stick to 1 application .

jpbriend avatar Jan 16 '25 14:01 jpbriend

Hello, Yes, I worked with Docker CE for a while before switching to Docker Desktop. I start it using systemctl --user start docker-desktop. According to the documentation here:

When Docker Desktop starts, it creates a dedicated context that the Docker CLI can use as a target and sets it as the current context in use. This is to avoid a clash with a local Docker Engine that may be running on the Linux host and using the default context. On shutdown, Docker Desktop resets the current context to the previous one.

The problem I am facing is that when Docker is using the desktop-linux context (which happens when I start Docker Desktop), I cannot authenticate to my private registry hosted on another server. I authenticate to Docker Hub as username1 with password1. However, on my private registry, I use username2 with password2.

When I start Docker CE with systemctl start docker, I can successfully authenticate to my private registry using: docker login [URL of private registry]

After authenticating, I am able to push and pull images from it without any issues.

However, when I start Docker Desktop and log in to my private registry using the same credentials, I cannot perform any operations, even though I receive a "login successful" message. As mentioned in the first post, it seems like the Docker CLI under Docker Desktop is not handling different user credentials properly.

Is there another way to log in to a private registry when Docker is using the desktop-linux context? Or could this be a bug with how Docker Desktop handles authentication for multiple registries?

Perpetue237 avatar Jan 16 '25 14:01 Perpetue237

hello @Perpetue237 try with my step on https://github.com/docker/desktop-linux/issues/292#issuecomment-3121177440

muchfahmiarif avatar Jul 26 '25 05:07 muchfahmiarif