Docker snap docker-credential-secretservice credentials helper

I’m using the docker snap. Thanks for that opportunity. Furthermore, I’m trying to take advantage of the secretservice credentials helper binary (ref. Docker Docs - docker login credentials store). I’ve got stuck with the message:

Error saving credentials: error storing credentials - err: exec: "docker-credential-secretservice": executable file not found in $PATH, out: ``

It appears when I run the command:

docker login

Where does the snap docker engine expect me to store docker-credential-secretservice tool?

CC @tianon

The issue is that AFAICT none of these credential helpers are shipped with the docker snap and the $PATH for the dockerd snap points to the snap environment, which doesn’t contain any of these helpers.

FWIW, I think probably the easiest way to handle this is to either:

  • bundle all of the currently supported credentials helpers inside the docker snap
  • expose a content interface slot from the docker snap, and then create snaps for each of these credentials helpers so that a user can install their chosen credential helper and connect the interface (or perhaps that content interface could be auto-connected) and the content interface directory is added to $PATH so that dockerd can pick it up from the config.json

I think the content interface slot is probably the best solution here because the credential helpers should really be external to the snap (for example, using pass on the host for storing the credentials encrypted in $HOME), but I have to admit that I don’t know what would be involved in creating such an interface.

What you can do for this is to have the docker snap plug a content interface like this:

plugs:
  credentials-helpers:
    interface: content
    content: credentials-helpers
    target: $SNAP/credentials-helpers

and then have these other credentials snaps expose content interface slots like this:

slots:
  credentials-helpers:
    interface: content
    content: credentials-helpers
    source:
      read:
        - $SNAP/bin/some-credential-helper

and then the docker snap would also need to add $SNAP/credentials-helpers to the $PATH for the dockerd daemon.

After installing the second snap alongside the docker snap, you would have to connect the interface with something like:

$ snap install docker
$ snap install docker-credential-secretservice # (or whatever the snap is called)
$ snap connect docker:credentials-helpers docker-credential-secretservice:credentials-helpers
$ snap restart docker

Note that since this would be using the content interface, the docker snap would only auto-connect to these credential snaps that are published by the same publisher (i.e. Canonical currently), but if auto-connection to another snap is desired, that can be requested through the #store-requests category on this forum.
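Added example, not part of the original posts or of the docker snap: a small check that reads a Docker config.json, derives the docker-credential-<store> binaries it names (credsStore and credHelpers), and reports which of them cannot be found on a given PATH, first with a snap-like PATH only and then with a credentials-helpers directory appended as proposed above. The directory names, the registry name and the function names are constructed for illustration, and the lookup is a simplified stand-in for how an executable is resolved on $PATH.

```python
import json
import os
import tempfile

PREFIX = "docker-credential-"  # Docker execs docker-credential-<store> from $PATH


def required_helpers(config_text):
    """Return the helper binaries a Docker config.json asks for."""
    cfg = json.loads(config_text)
    stores = set(cfg.get("credHelpers", {}).values())
    if cfg.get("credsStore"):
        stores.add(cfg["credsStore"])
    return sorted(PREFIX + s for s in stores)


def resolve(name, path):
    """Simplified PATH lookup: first regular file with an execute bit set."""
    for directory in path.split(os.pathsep):
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate) and os.stat(candidate).st_mode & 0o111:
            return candidate
    return None


def missing_helpers(config_text, path):
    """Helpers named in the config that cannot be resolved on this PATH."""
    return [h for h in required_helpers(config_text) if resolve(h, path) is None]


def demo():
    # Constructed sample config and directories; no real snap is touched.
    config = json.dumps({
        "credsStore": "secretservice",
        "credHelpers": {"registry.example.com": "pass"},
    })
    with tempfile.TemporaryDirectory() as root:
        snap_bin = os.path.join(root, "snap-bin")            # stands in for the snap's PATH
        helpers = os.path.join(root, "credentials-helpers")  # stands in for the content target
        os.makedirs(snap_bin)
        os.makedirs(helpers)
        exe = os.path.join(helpers, PREFIX + "secretservice")
        with open(exe, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(exe, 0o755)
        before = missing_helpers(config, snap_bin)
        after = missing_helpers(config, os.pathsep.join([snap_bin, helpers]))
    return before, after


if __name__ == "__main__":
    print(demo())
```

Any helper still listed after the directory is added is one that a configured credsStore or credHelpers entry names but no connected snap provides, which is the case that produces the "executable file not found in $PATH" error.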

I’m curious about what came of this discussion. Was this interface ever created?

In the doctl snap, we have a command that can be used to log in Docker to the DigitalOcean container registry. We have a personal-files plug that grants access to ~/.docker/config.json. This works as expected when the credentials are stored in the file, but fails when a credential helper is configured. Would love to allow our users to connect to docker-credential-secretservice.

I don’t think this was ever done. Nowadays this request should probably be moved to github.com/docker-snap/docker-snap to be tracked there instead.


Thanks @ijohnson! I opened this issue over there to continue the discussion: https://github.com/docker-snap/docker-snap/issues/10
