def login(self, registry, docker_secret_path): """ login to docker registry :param registry: registry name :param docker_secret_path: path to docker config directory """ logger.info("logging in: registry '%s', secret path '%s'", registry, docker_secret_path) # Docker-py needs username dockercfg = Dockercfg(docker_secret_path) username = dockercfg.get_credentials(registry)['username'] logger.info("found username %s for registry %s", username, registry) response = self.d.login(registry=registry, username=username, dockercfg_path=dockercfg.json_secret_path) if not response: raise RuntimeError("Failed to login to '%s' with config '%s'" % (registry, dockercfg)) if u'Status' in response and response[u'Status'] == u'Login Succeeded': logger.info("login succeeded") else: if not (isinstance(response, dict) and 'password' in response.keys()): # for some reason docker-py returns the contents of the dockercfg - we shouldn't # be displaying that logger.debug("response: %r", response)
def login(self, registry, docker_secret_path): """ login to docker registry :param registry: registry name :param docker_secret_path: path to docker config directory """ logger.info("logging in: registry '%s', secret path '%s'", registry, docker_secret_path) # Docker-py needs username dockercfg = Dockercfg(docker_secret_path) credentials = dockercfg.get_credentials(registry) unpacked_auth = dockercfg.unpack_auth_b64(registry) username = credentials.get('username') if unpacked_auth: username = unpacked_auth.username if not username: raise RuntimeError("Failed to extract a username from '%s'" % dockercfg) logger.info("found username %s for registry %s", username, registry) response = self.d.login(registry=registry, username=username, dockercfg_path=dockercfg.json_secret_path) if not response: raise RuntimeError("Failed to login to '%s' with config '%s'" % (registry, dockercfg)) if u'Status' in response and response[u'Status'] == u'Login Succeeded': logger.info("login succeeded") else: if not(isinstance(response, dict) and 'password' in response.keys()): # for some reason docker-py returns the contents of the dockercfg - we shouldn't # be displaying that logger.debug("response: %r", response)
def get_dockercfg_credentials(self, docker_registry): """ Read the .dockercfg file and return an empty dict, or else a dict with keys 'basic_auth_username' and 'basic_auth_password'. """ if not self.registry_secret_path: return {} dockercfg = Dockercfg(self.registry_secret_path) registry_creds = dockercfg.get_credentials(docker_registry) if 'username' not in registry_creds: return {} return { 'basic_auth_username': registry_creds['username'], 'basic_auth_password': registry_creds['password'], }
def push_with_skopeo(self, registry_image, insecure, docker_push_secret): # If the last image has type OCI_TAR, then hunt back and find the # the untarred version, since skopeo only supports OCI's as an # untarred directory image = [ x for x in self.workflow.exported_image_sequence if x['type'] != IMAGE_TYPE_OCI_TAR ][-1] cmd = ['skopeo', 'copy'] if docker_push_secret is not None: dockercfg = Dockercfg(docker_push_secret) credentials = dockercfg.get_credentials(registry_image.registry) username = credentials['username'] password = credentials['password'] cmd.append('--dest-creds=' + username + ':' + password) if insecure: cmd.append('--dest-tls-verify=false') if image['type'] == IMAGE_TYPE_OCI: source_img = 'oci:{path}:{ref_name}'.format(**image) elif image['type'] == IMAGE_TYPE_DOCKER_ARCHIVE: source_img = 'docker-archive://{path}'.format(**image) else: raise RuntimeError( "Attempt to push unsupported image type %s with skopeo", image['type']) dest_img = 'docker://' + registry_image.to_str() # Make sure we don't log the credentials cmd += [source_img, dest_img] log_cmd = [ re.sub(r'^--dest-creds=.*', '--dest-creds=<HIDDEN>', arg) for arg in cmd ] self.log.info("Calling: %s", ' '.join(log_cmd)) try: subprocess.check_output(cmd, stderr=subprocess.STDOUT) except subprocess.CalledProcessError as e: self.log.error("push failed with output:\n%s", e.output) e.cmd = log_cmd # hide credentials raise
def push_with_skopeo(self, registry_image, insecure, docker_push_secret): # If the last image has type OCI_TAR, then hunt back and find the # the untarred version, since skopeo only supports OCI's as an # untarred directory image = [x for x in self.workflow.exported_image_sequence if x['type'] != IMAGE_TYPE_OCI_TAR][-1] cmd = ['skopeo', 'copy'] if docker_push_secret is not None: dockercfg = Dockercfg(docker_push_secret) credentials = dockercfg.get_credentials(registry_image.registry) username = credentials['username'] password = credentials['password'] cmd.append('--dest-creds=' + username + ':' + password) if insecure: cmd.append('--dest-tls-verify=false') if image['type'] == IMAGE_TYPE_OCI: source_img = 'oci:{path}:{ref_name}'.format(**image) elif image['type'] == IMAGE_TYPE_DOCKER_ARCHIVE: source_img = 'docker-archive://{path}'.format(**image) else: raise RuntimeError("Attempt to push unsupported image type %s with skopeo", image['type']) dest_img = 'docker://' + registry_image.to_str() # Make sure we don't log the credentials cmd += [source_img, dest_img] log_cmd = [re.sub(r'^--dest-creds=.*', '--dest-creds=<HIDDEN>', arg) for arg in cmd] self.log.info("Calling: %s", ' '.join(log_cmd)) try: subprocess.check_output(cmd, stderr=subprocess.STDOUT) except subprocess.CalledProcessError as e: self.log.error("push failed with output:\n%s", e.output) e.cmd = log_cmd # hide credentials raise