for-win
docker always restores credStore desktop
I don't want to use the default credStore "desktop" on my development machine. The issue https://github.com/docker/docker-credential-helpers/issues/95 guides me to set the credStore/credsStore value to "" instead of "desktop", but it doesn't seem to have any effect while docker is running. Restarting docker will reset this value to "desktop".
Please fix this.
Issues go stale after 90 days of inactivity.
Mark the issue as fresh with /remove-lifecycle stale comment.
Stale issues will be closed after an additional 30 days of inactivity.
Prevent issues from auto-closing with an /lifecycle frozen comment.
If this issue is safe to close now please do so.
Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows.
/lifecycle stale
/remove-lifecycle stale
This is still very much a thing, as far as I know. It would be great if the maintainers of docker didn't simply solve issues by ignoring them for long enough...
Would be nice to be able to use the windows credential store similar to how git does it:
git config --global credential.helper "/mnt/c/Program\ Files/Git/mingw64/libexec/git-core/git-credential-manager.exe"
/remove-lifecycle stale
Facing the exact same issue on Windows 10 (WSL2). I can not use private hosted containers because of this issue...
The windows credentials store does not work for us, because our build script runs elevated: https://github.com/docker/cli/issues/2682#issuecomment-675135899
It turns out you cannot Docker login via an elevated shell depending on your environment as it appears the credentials don't get passed through
It works when I manually remove the credStore from my config.json file, but on the next docker restart docker will replace it with desktop again.
Please either fix the bug that elevated shells can't login, or that credStore gets reset. Either would be fine, preferably both ...
Having the same issue. Resets the credStore to desktop every time a restart happens.
This no longer happens to me (I work on multiple windows PCs with WSL 2, and change computers often (reformat windows or get new PC so have to set up everything from scratch again)). If it helps anyone, here is the content of my docker config.json in WSL:
$ cat ~/.docker/config.json
{
  "auths": {
    "gitlab.redacted.com": {},
    "gitlab.redacted.com:4567": {}
  },
  "credsStore": "desktop.exe"
}
I recommend anyone having issues to completely uninstall docker, (or try use the purge option in docker first) and/or remove WSL then reinstall WSL, and make sure you enable WSL2, then reinstall docker, and enable docker integration with WSL (inside the Docker desktop settings). After doing the above, docker in WSL uses Windows credential manager and works fine.
I just faced this issue, and found a workaround:
First edit config.json, then go to its file permissions, and deny 'Write' to all users. Then when restarting the Docker engine it actually seems to use what's in the file.
I tried a similar write protect approach however docker crashed on start...
Why don't you want to use the credentials store? Renaming or removing "credStore" makes it significantly easier to steal your credentials, which are then stored in plaintext...
Stolen credentials are not a concern in my use case, as there are no sensitive credentials stored (placeholder credentials in a dev environment). I wanted to share the credentials with a set of containers, without having to configure more than the path to the credential config file. Within the container context, the credStore is not available, so auth just fails.
@StevenLiekens
Why don't you want to use the credentials store? Renaming or removing "credStore" makes it significantly easier to steal your credentials, which are then stored in plaintext...
The windows credentials store does not work for us, because our build script runs elevated: https://github.com/docker/cli/issues/2682#issuecomment-675135899
It turns out you cannot Docker login via an elevated shell depending on your environment as it appears the credentials don't get passed through
It works when I manually remove the credStore from my config.json file, but on the next docker restart docker will replace it with desktop again.
Please either fix the bug that elevated shells can't login, or that credStore gets reset. Either would be fine, preferably both ...
And from a philosophical standpoint, the software should do what I tell it to, not the other way around. Why is there a config file if you're just gonna ignore and overwrite it yourself?
@StevenLiekens I am experiencing this issue using a corporate IT provisioned machine, the problem with the creds store is that it is somehow blocked by my IT policy:
If I go in and remove the credsStore field from this file and docker build again then all is well. We don't actually need creds at all, the images we are using are either all public or pulled from a private registry through the VPN without credentials, we only upload images through a CI pipeline so no creds are needed.
The problem is every time we restart docker it injects the credsStore back into the WSL environment. If it was possible to disable this feature via docker desktop config, or if it was possible to set the file in windows that was then copied to wsl so we could then update the file there that would be helpful.
As it is now we have to have a special script which wipes out the credsStore field before we docker build every time. Workaround welcome!
Adding some activity!
/remove-lifecycle stale
@justinmchase sadly this bot only reacts to the exact comment /remove-lifecycle stale
Got it thanks.
I'm having the same issue. Is there any known workaround? Making the file read-only doesn't work for me as it causes docker to crash on start.
As a workaround, one can specify credential helpers for private registries explicitly. I did that because the default credential store does not support AWS ECR tokens (they are too long):
{
  "auths": {},
  "credHelpers": {
    "myaccountid.ecr.eu-central-1.amazonaws.com": ""
  },
  "credsStore": "desktop.exe",
  "currentContext": "default",
  "stackOrchestrator": "swarm"
}
The token for the ECR registry will then be stored in plaintext in the config.json, so security wise this is problematic.
However, login then works as expected, i.e.
aws ecr get-login-password --region eu-central-1 --profile my-aws-profile | docker login --username AWS --password-stdin myaccountid.ecr.eu-central-1.amazonaws.com
From my experience, Docker Desktop usually does not overwrite custom credHelpers settings (i.e. not on every restart but maybe when resetting Docker Desktop or when doing a reinstall etc.).
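An added example, not part of any comment in this thread and not Docker's own code: a read-only audit of a config.json that reports, per registry, whether credentials go to a helper or into the file itself, and whether a plaintext secret is already present. The precedence rule (a credHelpers entry overrides credsStore, and an empty helper name means file storage) is taken from the behaviour described in the comment above; the sample config, `gitlab.example.test` and the function names are constructed for illustration.

```python
import base64
import json


def audit_docker_config(text):
    """Return {registry: (storage, has_plaintext_secret)} for a config.json."""
    cfg = json.loads(text)
    default_store = cfg.get("credsStore", "")
    helpers = cfg.get("credHelpers") or {}
    auths = cfg.get("auths") or {}
    report = {}
    for registry in sorted(set(auths) | set(helpers)):
        # Assumption from the thread: a per-registry credHelpers entry wins
        # over credsStore, and an empty name falls back to the file itself.
        helper = helpers[registry] if registry in helpers else default_store
        storage = f"docker-credential-{helper}" if helper else "plaintext file"
        entry = auths.get(registry) or {}
        # "auth" is base64(user:password); "identitytoken" is a bearer token.
        has_secret = bool(entry.get("auth") or entry.get("identitytoken"))
        report[registry] = (storage, has_secret)
    return report


def plaintext_registries(text):
    """Registries whose secret is readable by anyone who can read the file."""
    return [r for r, (_, secret) in audit_docker_config(text).items() if secret]


# Constructed sample modelled on the ECR workaround: one registry uses the
# default store, the other has an empty helper and therefore a stored token.
SAMPLE = json.dumps({
    "auths": {
        "gitlab.example.test": {},
        "myaccountid.ecr.eu-central-1.amazonaws.com": {
            "auth": base64.b64encode(b"AWS:placeholder-token").decode()
        },
    },
    "credHelpers": {"myaccountid.ecr.eu-central-1.amazonaws.com": ""},
    "credsStore": "desktop.exe",
})

if __name__ == "__main__":
    for registry, (storage, secret) in audit_docker_config(SAMPLE).items():
        print(f"{registry}: {storage}, secret in file: {secret}")
```

Running it against `~/.docker/config.json` after each Docker Desktop restart shows whether credsStore was rewritten and whether any registry token is sitting in the file.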
I'm having the same issue. This seems like such a simple fix!!! Please correct me if I'm wrong: any developer feedback on this would be nice!
Please keep it open
/remove-lifecycle stale
/lifecycle frozen damn solve this already
/lifecycle frozen
/lifecycle frozen damn solve this already
Sadly these commands only work without additional comments ;-) Good idea to freeze though. I doubt it'll ever be worked on. There's just no incentive.
I also got hit by this, as I had the credentials helper "ecr-login" for AWS Elastic Container Registry configured before.
An (ugly) workaround:
sudo chattr +i ~/.docker/config.json
sets the immutable attribute on the file, preventing changing it by anyone. Now every time Docker Desktop starts, an error message pops up (as it cannot change the file), which is still slightly less annoying than having to revert the config file manually. Of course, if you want to edit the file again, you have to unset the immutable attribute.
Also got this combined with https://github.com/docker/for-win/issues/10247, which makes building images extra slow.
Apparently changing credStore in config.json to use a more recent version of a docker credential helper should help there.
The chattr +i ... is indeed ugly and at least in my case it blocks docker from starting at all (missing /var/run/docker.sock).