예제 #1
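    def login(self, registry, docker_secret_path):
        """
        login to docker registry

        Looks up the username for ``registry`` in the docker config under
        ``docker_secret_path`` and passes it, together with the config path,
        to the docker client's ``login``.

        :param registry: registry name
        :param docker_secret_path: path to docker config directory
        :raises RuntimeError: if the docker client returns an empty response
        """
        logger.info("logging in: registry '%s', secret path '%s'", registry,
                    docker_secret_path)
        # Docker-py needs username
        dockercfg = Dockercfg(docker_secret_path)
        username = dockercfg.get_credentials(registry)['username']
        logger.info("found username %s for registry %s", username, registry)

        response = self.d.login(registry=registry,
                                username=username,
                                dockercfg_path=dockercfg.json_secret_path)
        if not response:
            # NOTE(review): the message interpolates the Dockercfg object itself;
            # confirm its string form shows only the path, not file contents.
            raise RuntimeError("Failed to login to '%s' with config '%s'" %
                               (registry, dockercfg))
        if u'Status' in response and response[u'Status'] == u'Login Succeeded':
            logger.info("login succeeded")
            return

        # docker-py can return the stored auth entry instead of an API status.
        # Such an entry may carry a password or a token under several key
        # names, so match them case-insensitively and keep them out of the log.
        secret_keys = ('password', 'auth', 'identitytoken', 'registrytoken')
        carries_secret = isinstance(response, dict) and any(
            str(key).lower() in secret_keys for key in response)
        if not carries_secret:
            logger.debug("response: %r", response)
        # NOTE(review): a non-empty response without 'Login Succeeded' is not
        # reported to the caller; confirm that this is intended.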
예제 #2
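    def login(self, registry, docker_secret_path):
        """
        login to docker registry

        The username is taken from the credentials entry for ``registry``; if
        the base64 auth field unpacks, its username takes precedence.

        :param registry: registry name
        :param docker_secret_path: path to docker config directory
        :raises RuntimeError: if no username can be found, or if the docker
                              client returns an empty response
        """
        logger.info("logging in: registry '%s', secret path '%s'", registry, docker_secret_path)
        # Docker-py needs username
        dockercfg = Dockercfg(docker_secret_path)
        credentials = dockercfg.get_credentials(registry)
        unpacked_auth = dockercfg.unpack_auth_b64(registry)
        username = credentials.get('username')
        if unpacked_auth:
            username = unpacked_auth.username
        if not username:
            raise RuntimeError("Failed to extract a username from '%s'" % dockercfg)

        logger.info("found username %s for registry %s", username, registry)

        response = self.d.login(registry=registry, username=username,
                                dockercfg_path=dockercfg.json_secret_path)
        if not response:
            # NOTE(review): the message interpolates the Dockercfg object itself;
            # confirm its string form shows only the path, not file contents.
            raise RuntimeError("Failed to login to '%s' with config '%s'" % (registry, dockercfg))
        if u'Status' in response and response[u'Status'] == u'Login Succeeded':
            logger.info("login succeeded")
            return

        # docker-py can return the stored auth entry instead of an API status.
        # Such an entry may carry a password or a token under several key
        # names, so match them case-insensitively and keep them out of the log.
        secret_keys = ('password', 'auth', 'identitytoken', 'registrytoken')
        carries_secret = isinstance(response, dict) and any(
            str(key).lower() in secret_keys for key in response)
        if not carries_secret:
            logger.debug("response: %r", response)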
예제 #3
    def get_dockercfg_credentials(self, docker_registry):
        """
        Look up basic-auth credentials for a registry in the .dockercfg secret.

        Returns an empty dict when no secret path is configured or when the
        registry entry has no 'username'; otherwise a dict with the keys
        'basic_auth_username' and 'basic_auth_password'.

        The returned dict holds the plaintext password, so callers should
        keep it out of logs and error messages.
        """
        secret_path = self.registry_secret_path
        if not secret_path:
            return {}

        creds = Dockercfg(secret_path).get_credentials(docker_registry)
        if 'username' in creds:
            return {
                'basic_auth_username': creds['username'],
                'basic_auth_password': creds['password'],
            }
        return {}
    def get_dockercfg_credentials(self, docker_registry):
        """
        Return the registry's basic-auth credentials from the .dockercfg file.

        The result is {} if self.registry_secret_path is unset or the entry
        for docker_registry has no 'username' key. Otherwise it is a dict
        with 'basic_auth_username' and 'basic_auth_password'.

        The password is returned in plaintext; do not log the result.
        """
        found = {}
        if self.registry_secret_path:
            cfg = Dockercfg(self.registry_secret_path)
            entry = cfg.get_credentials(docker_registry)
            if 'username' in entry:
                found = {
                    'basic_auth_username': entry['username'],
                    'basic_auth_password': entry['password'],
                }
        return found
예제 #5
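    def push_with_skopeo(self, registry_image, insecure, docker_push_secret):
        """
        Push the most recent exported image to a registry with ``skopeo copy``.

        :param registry_image: destination image; ``registry`` selects the
                               credentials, ``to_str()`` gives the reference
        :param insecure: when true, pass ``--dest-tls-verify=false`` to skopeo
        :param docker_push_secret: path given to Dockercfg to look up push
                                   credentials, or None to push without them
        :raises RuntimeError: if the image type is neither OCI nor
                              docker-archive
        :raises subprocess.CalledProcessError: if skopeo exits non-zero; the
                              credentials are redacted from the exception
        """
        # If the last image has type OCI_TAR, then hunt back and find the
        # the untarred version, since skopeo only supports OCI's as an
        # untarred directory
        image = [
            x for x in self.workflow.exported_image_sequence
            if x['type'] != IMAGE_TYPE_OCI_TAR
        ][-1]

        cmd = ['skopeo', 'copy']
        if docker_push_secret is not None:
            dockercfg = Dockercfg(docker_push_secret)
            credentials = dockercfg.get_credentials(registry_image.registry)
            username = credentials['username']
            password = credentials['password']

            # NOTE(review): the password is passed in argv, so it is readable
            # from the process listing on this host while skopeo runs. Pointing
            # skopeo at an auth file (--authfile) avoids that; confirm the
            # option against the deployed skopeo version.
            cmd.append('--dest-creds=' + username + ':' + password)

        if insecure:
            # With verification off, the credentials above are sent to an
            # unauthenticated endpoint.
            cmd.append('--dest-tls-verify=false')

        if image['type'] == IMAGE_TYPE_OCI:
            source_img = 'oci:{path}:{ref_name}'.format(**image)
        elif image['type'] == IMAGE_TYPE_DOCKER_ARCHIVE:
            source_img = 'docker-archive://{path}'.format(**image)
        else:
            # Format the message here: RuntimeError does no %-interpolation of
            # extra arguments.
            raise RuntimeError(
                "Attempt to push unsupported image type %s with skopeo"
                % image['type'])

        dest_img = 'docker://' + registry_image.to_str()

        # Make sure we don't log the credentials. Replace the whole argument:
        # a pattern like '.*' stops at a newline and would leave the rest of
        # such a password visible.
        cmd += [source_img, dest_img]
        log_cmd = [
            '--dest-creds=<HIDDEN>' if arg.startswith('--dest-creds=') else arg
            for arg in cmd
        ]

        self.log.info("Calling: %s", ' '.join(log_cmd))
        try:
            subprocess.check_output(cmd, stderr=subprocess.STDOUT)
        except subprocess.CalledProcessError as e:
            self.log.error("push failed with output:\n%s", e.output)
            e.cmd = log_cmd  # hide credentials
            # The original command is also kept in e.args, which repr(e)
            # prints; redact it there as well.
            e.args = (e.returncode, log_cmd)
            raise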
예제 #6
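    def push_with_skopeo(self, registry_image, insecure, docker_push_secret):
        """
        Copy the latest exported image to its registry using ``skopeo copy``.

        :param registry_image: destination image; ``registry`` selects the
                               credentials, ``to_str()`` gives the reference
        :param insecure: when true, pass ``--dest-tls-verify=false`` to skopeo
        :param docker_push_secret: path given to Dockercfg to look up push
                                   credentials, or None to push without them
        :raises RuntimeError: if the image type is neither OCI nor
                              docker-archive
        :raises subprocess.CalledProcessError: if skopeo exits non-zero; the
                              credentials are redacted from the exception
        """
        # If the last image has type OCI_TAR, then hunt back and find the
        # the untarred version, since skopeo only supports OCI's as an
        # untarred directory
        image = [x for x in self.workflow.exported_image_sequence if
                 x['type'] != IMAGE_TYPE_OCI_TAR][-1]

        cmd = ['skopeo', 'copy']
        if docker_push_secret is not None:
            dockercfg = Dockercfg(docker_push_secret)
            credentials = dockercfg.get_credentials(registry_image.registry)
            username = credentials['username']
            password = credentials['password']

            # NOTE(review): the password is passed in argv, so it is readable
            # from the process listing on this host while skopeo runs. Pointing
            # skopeo at an auth file (--authfile) avoids that; confirm the
            # option against the deployed skopeo version.
            cmd.append('--dest-creds=' + username + ':' + password)

        if insecure:
            # With verification off, the credentials above are sent to an
            # unauthenticated endpoint.
            cmd.append('--dest-tls-verify=false')

        if image['type'] == IMAGE_TYPE_OCI:
            source_img = 'oci:{path}:{ref_name}'.format(**image)
        elif image['type'] == IMAGE_TYPE_DOCKER_ARCHIVE:
            source_img = 'docker-archive://{path}'.format(**image)
        else:
            # Format the message here: RuntimeError does no %-interpolation of
            # extra arguments.
            raise RuntimeError("Attempt to push unsupported image type %s with skopeo" %
                               image['type'])

        dest_img = 'docker://' + registry_image.to_str()

        # Make sure we don't log the credentials. Replace the whole argument:
        # a pattern like '.*' stops at a newline and would leave the rest of
        # such a password visible.
        cmd += [source_img, dest_img]
        log_cmd = ['--dest-creds=<HIDDEN>' if arg.startswith('--dest-creds=') else arg
                   for arg in cmd]

        self.log.info("Calling: %s", ' '.join(log_cmd))
        try:
            subprocess.check_output(cmd, stderr=subprocess.STDOUT)
        except subprocess.CalledProcessError as e:
            self.log.error("push failed with output:\n%s", e.output)
            e.cmd = log_cmd  # hide credentials
            # The original command is also kept in e.args, which repr(e)
            # prints; redact it there as well.
            e.args = (e.returncode, log_cmd)
            raise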