Docker snap docker-credential-secretservice credentials helper

I’m using the docker snap. Thanks for that opportunity. :slight_smile:
Furthermore, I’m trying to take advantage of the secretservice credentials helper binary (ref. Docker Docs - docker login credentials store).
I’ve got stuck with the message:

Error saving credentials: error storing credentials - err: exec: "docker-credential-secretservice": executable file not found in $PATH, out: ``

It appears when I run the command:

docker login

Where does the snap docker engine expect me to store docker-credential-secretservice tool?

CC @tianon

The issue is that AFAICT none of these credential helpers are shipped with the docker snap and The $PATH for the dockerd snap points to the snap environment, which doesn’t contain any of these helpers.

FWIW, I think probably the easiest way to handle this is to either:

  • bundle all of the currently supported credentials helpers inside the docker snap
  • expose a content interface slot from the docker snap, and then create snaps for each of these credentials helpers so that a user can install their chosen credential helper and connect the interface (or perhaps that content interface could be auto-connected) and the content interface directory is added to $PATH so that dockerd can pick it up from the config.json

I think the content interface slot is probably the best solution here because the credential helpers should really be external to the snap (for example, using pass on the host for storing the credentials encrypted in $HOME), but I have to admit that I don’t know what would be involved in creating such an interface.

What you can do for this is to have the docker snap plug a content interface like this:

plugs:
  credentials-helpers:
    interface: content
    content: credentials-helpers
    target: $SNAP/credentials-helpers

and then have these other credentials snap expose content interface slots like this:

slots:
  credentials-helpers:
    interface: content
    content: credentials-helpers
    source:
      read:
        - $SNAP/bin/some-credential-helper

and then the docker snap would also need to add $SNAP/credentials-helpers to the $PATH for the dockerd daemon.

After installing the second snap alongside the docker snap, you would have to connect the interface with something like:

$ snap install docker
$ snap install docker-credential-secretservice # (or whatever the snap is called)
$ snap connect docker:credentials-helpers docker-credentials-secretservice:credentials-helpers
$ snap restart docker

Note that since this would be using the content interface, the docker snap would only auto-connect to these credential snaps that are published by the same publisher (i.e. Canonical currently), but if auto-connection to another snap is desired, that can be requested through the #store-requests category on this forum.