Share CLI credentials over a unix socket by Benehiko · Pull Request #5948 · docker/cli

Benehiko · 2025-03-21T13:35:06Z

This PR is a proof of concept to share docker credentials from the CLI.
Related to #5858

What is the benefit of this?

Keep the credentials in sync (OAuth credentials refresh - currently in CLI they do not, but DD does)
Single source of truth
No need to worry about if the credentials are stored in the config or inside the credential helper, the CLI already has mechanisms to detect it for you.

./build/docker-darwin-arm64 auth credential-server
Starting credential server...

curl http://localhost/credentials --unix-socket ~/.docker/run/docker_cli_credential_server.sock

- What I did
Created a command called auth which is a manager for the CLI credentials. This allows us to expose the credentials that the CLI have access to (config, credential helper etc.).

docker auth credential-server

This will create a new unix socket inside the default docker config directory ~/.docker/run/docker_cli_credential_server.sock. Using this socket you can retrieve the credentials, save credentials back and delete credentials.

The CLI has a built in mechanism that would detect the docker_cli_credential_server.sock and implements the credentials.Store interface so that any calls to the socket would correctly return types.AuthConfig as normal. This means that the socket iteslf becomes a credential store.

This also solves situatations where the docker CLI need credentials when run inside of a docker container.

docker buildx bake --set binary.platform=linux/arm64
docker run -it -v ./build/docker-linux-arm64:/bin/docker -v /Users/benehiko/.docker/run/docker_cli_credential_server.sock:/root/.docker/run/docker_cli_credential_server.sock -v /var/run/docker.sock:/var/run/docker.sock alpine:latest /bin/ash
/ # docker login
Authenticating with existing credentials... [Username: <your username>]

i Info → To login with a different account, run 'docker logout' followed by 'docker login'

Login Succeeded

- How I did it

- How to verify it

- Human readable description for the release notes

- A picture of a cute animal (not mandatory but encouraged)

codecov-commenter · 2025-03-21T13:36:33Z

Codecov Report

Attention: Patch coverage is 10.46512% with 154 lines in your changes missing coverage. Please review.

Project coverage is 59.19%. Comparing base (48741f7) to head (653818b).
Report is 405 commits behind head on master.

❌ Your patch status has failed because the patch coverage (10.46%) is below the target coverage (50.00%). You can increase the patch coverage or adjust the target coverage.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #5948      +/-   ##
==========================================
- Coverage   59.42%   59.19%   -0.24%     
==========================================
  Files         358      360       +2     
  Lines       29768    29916     +148     
==========================================
+ Hits        17690    17708      +18     
- Misses      11113    11240     +127     
- Partials      965      968       +3

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Signed-off-by: Alano Terblanche <[email protected]>

…uildx: `0.24.0`) (#10) ## Summary of the Pull Request Update docker (and related tooling) to the latest version. ## Detailed Description of the Pull Request / Additional comments The core motivation is to have a version of the docker client that does not attempt to mutate/rewrite the config (docker/cli#5553). This is in preparation of a future enhancement to share the same client configuration of the windows host and to provide a seamless experience. This could include also the auth via credential helpers running on the host (e.g. a basic scenario is to at least use the windows credential manager to avoid storing static credentials in plain in the config file). I did not push anything yet because i am waiting to see if docker/cli#5948 get merged as it would probably provide a better and simpler out of the box experience. Co-authored-by: Luca Piombino <[email protected]>

Share CLI credentials over a unix socket

653818b

Signed-off-by: Alano Terblanche <[email protected]>

Benehiko force-pushed the credential-server branch from d604e96 to 653818b Compare March 21, 2025 14:59

Benehiko mentioned this pull request Mar 21, 2025

run: flag to include the docker socket #5858

Merged

4 tasks

D3-LucaPiombino mentioned this pull request Jun 2, 2025

Bump docker binaries versions (docker: 28.2.2, compose: 2.36.2, buildx: 0.24.0) CodeCoil/container-desktop#10

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Share CLI credentials over a unix socket#5948

Share CLI credentials over a unix socket#5948
Benehiko wants to merge 1 commit intodocker:masterfrom
Benehiko:credential-server

Benehiko commented Mar 21, 2025 •

edited

Loading

Uh oh!

codecov-commenter commented Mar 21, 2025 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

Benehiko commented Mar 21, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

codecov-commenter commented Mar 21, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Benehiko commented Mar 21, 2025 •

edited

Loading

codecov-commenter commented Mar 21, 2025 •

edited

Loading