Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[27.x backport]cli/config/credentials: skip saving config-file if credentials didn't change #5569

Merged
merged 3 commits into from
Oct 22, 2024

Conversation

thaJeztah
Copy link
Member

@thaJeztah thaJeztah commented Oct 21, 2024

Before this change, the config-file was always updated, even if there were no changes to save. This could cause issues when the config-file already had credentials set and was read-only for the current user.

For example, on NixOS, this poses a problem because config.json is a symlink to a write-protected file;

$ readlink ~/.docker/config.json
/home/username/.config/sops-nix/secrets/ghcr_auth

$ readlink -f ~/.docker/config.json
/run/user/1000/secrets.d/28/ghcr_auth

Which causes docker login to fail, even if no changes were to be made;

Error saving credentials: rename /home/derek/.docker/config.json2180380217 /home/username/.config/sops-nix/secrets/ghcr_auth: invalid cross-device link

This patch updates the code to only update the config file if changes were detected. It there's nothing to save, it skips updating the file, as well as skips printing the warning about credentials being stored insecurely.

With this patch applied:

$ docker login -u yourname
Password:

WARNING! Your credentials are stored unencrypted in '/root/.docker/config.json'.
Configure a credential helper to remove this warning. See
https://docs.docker.com/go/credential-store/

Login Succeeded

$ docker login -u yourname
Password:
Login Succeeded

- How to verify it

- Description for the changelog

The `docker login` and `docker logout` command no longer update the configuration file if the credentials didn't change.

- A picture of a cute animal (not mandatory but encouraged)

… change

Before this change, the config-file was always updated, even if there
were no changes to save. This could cause issues when the config-file
already had credentials set and was read-only for the current user.

For example, on NixOS, this poses a problem because `config.json` is a
symlink to a write-protected file;

    $ readlink ~/.docker/config.json
    /home/username/.config/sops-nix/secrets/ghcr_auth

    $ readlink -f ~/.docker/config.json
    /run/user/1000/secrets.d/28/ghcr_auth

Which causes `docker login` to fail, even if no changes were to be made;

    Error saving credentials: rename /home/derek/.docker/config.json2180380217 /home/username/.config/sops-nix/secrets/ghcr_auth: invalid cross-device link

This patch updates the code to only update the config file if changes
were detected. It there's nothing to save, it skips updating the file,
as well as skips printing the warning about credentials being stored
insecurely.

With this patch applied:

    $ docker login -u yourname
    Password:

    WARNING! Your credentials are stored unencrypted in '/root/.docker/config.json'.
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/go/credential-store/

    Login Succeeded

    $ docker login -u yourname
    Password:
    Login Succeeded

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit d3f6867)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@codecov-commenter
Copy link

codecov-commenter commented Oct 21, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 58.66%. Comparing base (df7e6e5) to head (6736be7).
Report is 8 commits behind head on 27.x.

Additional details and impacted files
@@           Coverage Diff           @@
##             27.x    #5569   +/-   ##
=======================================
  Coverage   58.65%   58.66%           
=======================================
  Files         345      345           
  Lines       29042    29047    +5     
=======================================
+ Hits        17035    17040    +5     
  Misses      11036    11036           
  Partials      971      971           

@thaJeztah thaJeztah marked this pull request as draft October 22, 2024 10:14
This function was names slightly confusing, as it returns a fakeStore,
and it didn't do any constructing, so didn't provide value above just
constructing the type.

I'm planning to add more functionality to the fakeStore, but don't want
to maintain a full-fledged constructor for all of that, so let's remove
this utility.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 0dd6f7f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Test case for d3f6867

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 3c78069)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah thaJeztah force-pushed the 27.x_backport_login_idempotent branch from 3f64900 to 6736be7 Compare October 22, 2024 10:23
@thaJeztah thaJeztah marked this pull request as ready for review October 22, 2024 14:37
@laurazard laurazard merged commit 968506f into docker:27.x Oct 22, 2024
87 checks passed
@thaJeztah thaJeztah deleted the 27.x_backport_login_idempotent branch October 22, 2024 15:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants