docker-credential-helpers icon indicating copy to clipboard operation
docker-credential-helpers copied to clipboard

Published 20 hours ago verified publisher icon docker

Need to do "pass init" repeatedly in order to make authorization work

Open svdHero opened this issue 3 years ago • 2 comments

Hi there,

after having installed Docker Credential Helpers on my Ubuntu machine, I did the following steps

# Configure password manager:
sudo apt-get -y install pass
gpg --generate-key
pass init harbor-user

# Setup container registry login:
tee .docker/config.json > /dev/null <<EOT
{
  "credHelpers": {
    "harbor.mycompany.com": "pass"
  }
}
EOT

docker login --username=harbor-user harbor.mycompany.com

The login succeeded and I could download protected images from my local harbor-registry just fine.

However, every now and then when I do a

docker pull harbor.mycompany.com/project/foo

I get the error message

Error response from daemon: unauthorized: unauthorized to access repository: project/foo, action: pull: unauthorized to access repository: project/foo, action: pull

Same thing for a docker-compose up, where I would get a

Pulling foo (harbor.mycompany.com/project/foo:1.0.1.40141)...
Traceback (most recent call last):
  File "docker/credentials/store.py", line 80, in _execute
  File "subprocess.py", line 411, in check_output
  File "subprocess.py", line 512, in run
subprocess.CalledProcessError: Command '['docker-credential-pass', 'get']' returned non-zero exit status 1.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "docker/auth.py", line 264, in _resolve_authconfig_credstore
  File "docker/credentials/store.py", line 35, in get
  File "docker/credentials/store.py", line 93, in _execute
docker.credentials.errors.StoreError: Credentials store docker-credential-pass exited with "exit status 2: gpg: decryption failed: No secret key".

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "docker-compose", line 3, in <module>
  File "compose/cli/main.py", line 81, in main
  File "compose/cli/main.py", line 203, in perform_command
  File "compose/metrics/decorator.py", line 18, in wrapper
  File "compose/cli/main.py", line 1186, in up
  File "compose/cli/main.py", line 1182, in up
  File "compose/project.py", line 664, in up
  File "compose/service.py", line 358, in ensure_image_exists
  File "compose/service.py", line 1251, in pull
  File "compose/progress_stream.py", line 99, in get_digest_from_pull
  File "compose/service.py", line 1218, in _do_pull
  File "docker/api/image.py", line 411, in pull
  File "docker/auth.py", line 48, in get_config_header
  File "docker/auth.py", line 324, in resolve_authconfig
  File "docker/auth.py", line 235, in resolve_authconfig
  File "docker/auth.py", line 281, in _resolve_authconfig_credstore
docker.errors.DockerException: Credentials store error: StoreError('Credentials store docker-credential-pass exited with "exit status 2: gpg: decryption failed: No secret key".')
[64079] Failed to execute script docker-compose

The errors will NOT go away when I log in again. The only way to solve the problem is to do a

pass init harbor-user

again.

What's wrong here? I would be grateful for any advice.

My docker version: 20.10.12, build e91ed57 My docker compose version: 1.29.2, build 5becea4c My docker credentials helpers version: v0.6.4 OS: Ubuntu Server 20.04 LTS

svdHero avatar Feb 09 '22 14:02 svdHero

Hello @svdHero I encounter the same problem. Did you find any solution ?

Edit: On my side, I have to do all the step again from gpg --generate-key (I tried with gpg2 but same problem each time)

romain-trotard avatar Jul 25 '22 20:07 romain-trotard

first, install the list of libs below: wget libsecret gpg pass gpg-agent

 - wget https://github.com/docker/docker-credential-helpers/releases/download/v0.6.3/docker-credential-pass-v0.6.3- 
   amd64.tar.gz
- tar xvzf docker-credential-pass-v0.6.3-amd64.tar.gz
- chmod a+x docker-credential-pass
- mv docker-credential-pass /usr/local/bin/
- docker-credential-pass list
- mkdir ~/.docker
- |
  gpg2 --generate-key --batch <<eoGpgConf
   %echo Started!
   Key-Type: default
   Key-Length: default
   Subkey-Type: default
   Name-Real: Docker
   Name-Comment: Something funny
   Name-Email: [email protected]
   Expire-Date: 0
   Passphrase: Yousuperstrongpassword
   %commit
   %echo Done.
  eoGpgConf
- gpg2 -k [email protected]| sed -e '/^pub/{N;s/.*\(.\{40\}\)/\1/;p;s/^.\{40\}//;q};d' >> gpgpub.txt
- gpg2 --list-secret-keys
- GPGPUBKEY=$(cat gpgpub.txt)
- pass init $GPGPUBKEY
- touch ~/.docker/config.json
- |
  echo $'{\n"credsStore": "pass"\n}' >> ~/.docker/config.json

dmitrii-kalashnikov avatar Oct 21 '22 12:10 dmitrii-kalashnikov