Use pass backend #451
6aecb92 to 3f5aac8
vdemeester
left a comment
LGTM 🦁
dnephin
left a comment
LGTM
  github.com/docker/distribution b38e5838b7b2f2ad48e06ec4b500011976080621
  github.com/docker/docker d58ffa0364c04d03a8f25704d7f0489ee6cd9634
- github.com/docker/docker-credential-helpers v0.5.1
+ github.com/docker/docker-credential-helpers 3c90bd29a46b943b2a9842987b58fb91a7c1819b
Should we tag a v0.6 release so we can keep using a tag?
What's the release policy on this repo?
On Thu, Aug 17, 2017 at 04:08:48PM +0000, Daniel Nephin wrote:
dnephin approved this pull request.
LGTM
> @@ -8,7 +8,7 @@ github.com/cpuguy83/go-md2man a65d4d2de4d5f7c74868dfa9b202a3c8be315aaa
github.com/davecgh/go-spew 346938d642f2ec3594ed81d874461961cd0faa76
github.com/docker/distribution b38e5838b7b2f2ad48e06ec4b500011976080621
github.com/docker/docker d58ffa0364c04d03a8f25704d7f0489ee6cd9634
-github.com/docker/docker-credential-helpers v0.5.1
+github.com/docker/docker-credential-helpers 3c90bd29a46b943b2a9842987b58fb91a7c1819b
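Review bot: the docker-credential-helpers pin in this hunk moves from the `v0.5.1` tag to the bare commit `3c90bd29a46b943b2a9842987b58fb91a7c1819b`. A commit hash is immutable and reproducible, which is good for supply-chain hygiene, but unlike a tag it tells a reader nothing about which release it corresponds to; either record the intended release (the thread mentions 0.6.0) in a comment beside the pin, or re-pin to the tag once it exists.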
Should we tag a v0.5.3 release so we can keep using a tag?
What's the release policy on this repo?
Happy to update if necessary. If we do tag, can we merge
docker/docker-credential-helpers#84 first?
@tych0 yes 👼 once it's merged in docker-credential-helpers I'll make a 0.6.0 release 😉
Does this handle migration of credentials from older format? Also, any suitable tests we should have verify expected functionality of this PR?
On Wed, Aug 30, 2017 at 01:13:35AM +0000, Andrew Hsu wrote:
Does this handle migration of credentials from older format?
It doesn't migrate credentials from the older format, although we
could implement that. It simply uses them in whatever cred store
they're currently stored in (including the base64 encoded native one).
For new hosts with pass configured it will use that cred store.
Also, any suitable tests we should have verify expected functionality of this PR?
Yes, if you test `docker login`, a `docker login` with `pass`
configured would be sufficient, and we could probably test that the
raw password file has the right contents at the end of a `docker
login` too, just to be sure.
3f5aac8 to 4ad5943
Hey guys, just a heads up, I've updated this version to a newer version than the 0.6.0 tag, because that includes a better initialization check. I can revert to the tag if we really want, but since a few other things aren't, and it offers a relevant feature, I figured I'd just use the hash. I've also rebased on top of the latest master. Let me know if anything looks funny. Thanks!
Codecov Report
@@            Coverage Diff             @@
##           master     #451      +/-   ##
==========================================
- Coverage   49.52%   49.05%   -0.47%
==========================================
  Files         207      201       -6
  Lines       17146    16454     -692
==========================================
- Hits         8491     8072     -419
+ Misses       8223     7962     -261
+ Partials      432      420      -12
dnephin
left a comment
still LGTM
Ping, any movement on this?
In the next patch, we'll use this to implement some logic about which password backend to use. Signed-off-by: Tycho Andersen <tycho@docker.com>
Signed-off-by: Tycho Andersen <tycho@docker.com>
Signed-off-by: Tycho Andersen <tycho@docker.com>
4ad5943 to 713e87e
thaJeztah
left a comment
Generally LGTM, but a couple of things:
- Can we test/double check upgrading if a user currently uses the "secret service" credentials helper? I.e., if a user uses that currently, we should make docker keep using that (similar to the way we handle graph-drivers; if a previous directory of a graph-driver is detected, that one is used)
- This needs an update to the documentation; https://github.com/docker/cli/blob/master/docs/reference/commandline/login.md#credentials-store. We need to mention the new helper, and describe what the defaults are / priority is
- The docs also mention that `credsStore` must be present in the `config.json` to make docker use a credentials helper; is that still the case?
  github.com/docker/distribution edc3ab29cdff8694dd6feb85cfeb4b5f1b38ed9c
  github.com/docker/docker 84144a8c66c1bb2af8fa997288f51ef2719971b4
- github.com/docker/docker-credential-helpers v0.5.1
+ github.com/docker/docker-credential-helpers 3c90bd29a46b943b2a9842987b58fb91a7c1819b
We should update to a tagged release probably
As I mentioned in the comment above, there is no tagged version with commits relevant to this patch, so unless we tag a 0.6.1, I don't think we should.
n4ss
left a comment
Lgtm
On Thu, Sep 21, 2017 at 02:07:00AM -0700, Sebastiaan van Stijn wrote:
thaJeztah requested changes on this pull request.
Generally LGTM, but a couple of things:
- Can we test/double check upgrading if a user currently uses the "secret service" credentials helper? I.e., if a user uses that currently, we should make docker keep using that (similar to the way we handle graph-drivers; if a previous directory of a graph-driver is detected, that one is used)
It already does this. If it uses the secret service helper, it sets
the credsStore key to "secretservice", and the defaults are no longer
used.
- This needs an update to the documentation; https://github.com/docker/cli/blob/master/docs/reference/commandline/login.md#credentials-store. We need to mention the new helper, and describe what the defaults are / priority is
Sure, I can update those.
- The docs also mention that `credsStore` must be present in the `config.json` to make docker use a credentials helper; is that still the case?
Well, it depends :). If you have a pre-configured set of credentials
then yes, but if you're doing a new login and have the binary, it will
auto-detect that and use it, and save the credsStore key for future
reference.
Ok, I've updated the docs. I think this should be good to go now.
docs/reference/commandline/login.md (outdated):
    ### Default behavior

    By default, Docker will look for the native binary on each of the platforms,
s/will look/looks
Maybe a table for the default backend per OS?
docs/reference/commandline/login.md (outdated):
    special case is that on Linux, Docker will fall back to the "secretservice"
    binary if it cannot find the "pass" binary.

    *NOTE:* If you do not supply a credential helper binary, Docker will store your
Just Note, not NOTE
s/will store/stores
90c56fb to 5956ad4
On Thu, Sep 21, 2017 at 09:33:47AM -0700, Misty Stanley-Jones wrote:
mstanleyjones requested changes on this pull request.
> @@ -97,6 +98,16 @@ For example, to use `docker-credential-osxkeychain`:
If you are currently logged in, run `docker logout` to remove
the credentials from the file and run `docker login` again.
+### Default behavior
+
+By default, Docker will look for the native binary on each of the platforms,
s/will look/looks
Maybe a table for the default backend per OS?
I thought about that, but the point is mostly to state that linux is a
bit different and that it tries pass and falls back to secret service,
and that doesn't really fit nicely in the table :(
Anyway, I've updated the other bits, thanks!
… > @@ -97,6 +98,16 @@ For example, to use `docker-credential-osxkeychain`:
If you are currently logged in, run `docker logout` to remove
the credentials from the file and run `docker login` again.
+### Default behavior
+
+By default, Docker will look for the native binary on each of the platforms,
+i.e. "osxkeychain" on macOS, "wincred" on windows, and "pass" on Linux. A
+special case is that on Linux, Docker will fall back to the "secretservice"
+binary if it cannot find the "pass" binary.
+
+*NOTE:* If you do not supply a credential helper binary, Docker will store your
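Review bot: the `*NOTE:*` line closing this hunk warns that Docker stores the password when no helper binary is present, but stops short of saying where and how. State that it lands base64 encoded in the same `$HOME/.docker/config.json` the earlier part of this document names, and that base64 is an encoding rather than encryption, so anyone who can read the file can recover the password. Minor: in the added platform list, "windows" should be capitalized like "macOS" and "Linux".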
Just Note, not NOTE
s/will store/stores
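The backend selection tych0 describes earlier in the thread (an explicit `credsStore` in `config.json` always wins, so an existing secretservice user keeps secretservice; otherwise the native helper is auto-detected, with pass falling back to secretservice on Linux) and the cleartext warning in the docs hunk above, as an added Go example. This is not docker/cli's code: `configFile`, `helperCandidates`, `chooseCredsStore` and `plaintextRegistries` are illustrative names, the binary lookup is injected so the logic runs without real helpers installed, and the sample `config.json` is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os/exec"
	"runtime"
	"sort"
)

// configFile is the subset of ~/.docker/config.json this example reads
// (illustrative; not docker/cli's real type).
type configFile struct {
	Auths map[string]struct {
		Auth string `json:"auth"`
	} `json:"auths"`
	CredsStore string `json:"credsStore"`
}

// helperCandidates lists the native credential helpers to try per
// platform, in priority order. Only Linux has a fallback: pass first,
// then secretservice, as the docs hunk in the thread describes.
func helperCandidates(goos string) []string {
	switch goos {
	case "darwin":
		return []string{"osxkeychain"}
	case "windows":
		return []string{"wincred"}
	case "linux":
		return []string{"pass", "secretservice"}
	}
	return nil
}

// chooseCredsStore applies the precedence described in the thread: an
// explicit credsStore in config.json always wins (so an existing
// secretservice user keeps secretservice); otherwise the first installed
// native helper is auto-detected and would be written back as credsStore.
// An empty result means no helper: the login would be stored base64
// encoded in config.json. onPath is injected so detection can be
// exercised without real binaries.
func chooseCredsStore(configured, goos string, onPath func(string) bool) string {
	if configured != "" {
		return configured
	}
	for _, name := range helperCandidates(goos) {
		if onPath("docker-credential-" + name) {
			return name
		}
	}
	return ""
}

// plaintextRegistries returns the registries whose login sits base64
// encoded in the given config.json contents, i.e. unprotected by any
// helper. base64 is an encoding, not encryption, which is why the PR's
// docs change warns about it.
func plaintextRegistries(raw []byte) ([]string, error) {
	var cfg configFile
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, err
	}
	var regs []string
	for reg, entry := range cfg.Auths {
		if entry.Auth != "" {
			regs = append(regs, reg)
		}
	}
	sort.Strings(regs)
	return regs, nil
}

func main() {
	onPath := func(bin string) bool {
		_, err := exec.LookPath(bin)
		return err == nil
	}
	fmt.Printf("%s: default credsStore would be %q\n",
		runtime.GOOS, chooseCredsStore("", runtime.GOOS, onPath))

	// Constructed sample: one base64-encoded login ("user:pass"), no helper.
	sample := []byte(`{"auths":{"https://index.docker.io/v1/":{"auth":"dXNlcjpwYXNz"}}}`)
	regs, err := plaintextRegistries(sample)
	fmt.Println("base64-stored logins:", regs, err)
}
```

`plaintextRegistries` doubles as a quick audit: run it over a real `config.json` and any registry it lists is one whose password would be exposed to anyone who can read the file, which is exactly the case the PR's docs note is about.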
mdlinville
left a comment
Docs LGTM
Oh! I forgot (or wasn't aware) the client saves the
thaJeztah
left a comment
sorry for the delay; some minor nits, but no showstopper if we want this merged before those are addressed
docs/reference/commandline/login.md (outdated):
    case is that on Linux, Docker will fall back to the "secretservice" binary if
    it cannot find the "pass" binary.

    *Note:* If you do not supply a credential helper binary, Docker stores your
This should be formatted as a note;
> **Note**: If you do not supply a credential helper binary, Docker stores your
> password in cleartext (base64 encoded) in your home directory!
Should this mention the actual file this is saved in as well (~/.docker/config.json)?
I see this is being referred to a couple lines up as well;
You can log into any public or private repository for which you have credentials. When you log in, the command stores encoded credentials in `$HOME/.docker/config.json` on Linux or `%USERPROFILE%/.docker/config.json` on Windows.
Also add a big warning about cleartext passwords. Signed-off-by: Tycho Andersen <tycho@docker.com>
5956ad4 to a2f1167
Ok, I tried to address those (I'm not sure what you meant by formatted as a note, so I just moved the text into the paragraph, since it probably should be there anyway).
thaJeztah
left a comment
LGTM
@tych0 @seemethere are there changes needed for packaging?
Yep, we talked a few weeks ago about it and I think we're all on the same page.
Oh, but we didn't actually talk about the OSX or windows packaging/install files. @seemethere do you know who does that?
@tych0 for docker4desktop, there is already osx-keychain and wincreds support (cc @ebriney @simonferquel) 😉
Cool, are we distributing the credhelpers binaries in the packages?
I'm pretty sure we do yes 👼
Sweet, so that part is solved already then :)
Yes, on windows and on mac, it is enabled by default. Thanks for this PR!
To the end of encrypting passwords by default, there is now a pass backend, which will be usable on headless linuxen. Let's prefer that instead of the secretservice backend when choosing a default password backend on linux.