def login(self, registry, docker_secret_path): """ login to docker registry :param registry: registry name :param docker_secret_path: path to docker config directory """ logger.info("logging in: registry '%s', secret path '%s'", registry, docker_secret_path) # Docker-py needs username dockercfg = Dockercfg(docker_secret_path) credentials = dockercfg.get_credentials(registry) unpacked_auth = dockercfg.unpack_auth_b64(registry) username = credentials.get('username') if unpacked_auth: username = unpacked_auth.username if not username: raise RuntimeError("Failed to extract a username from '%s'" % dockercfg) logger.info("found username %s for registry %s", username, registry) response = self.d.login(registry=registry, username=username, dockercfg_path=dockercfg.json_secret_path) if not response: raise RuntimeError("Failed to login to '%s' with config '%s'" % (registry, dockercfg)) if u'Status' in response and response[u'Status'] == u'Login Succeeded': logger.info("login succeeded") else: if not(isinstance(response, dict) and 'password' in response.keys()): # for some reason docker-py returns the contents of the dockercfg - we shouldn't # be displaying that logger.debug("response: %r", response)
def push_with_skopeo(self, registry_image, insecure, docker_push_secret): # If the last image has type OCI_TAR, then hunt back and find the # the untarred version, since skopeo only supports OCI's as an # untarred directory image = [ x for x in self.workflow.exported_image_sequence if x['type'] != IMAGE_TYPE_OCI_TAR ][-1] cmd = ['skopeo', 'copy'] if docker_push_secret is not None: dockercfg = Dockercfg(docker_push_secret) dest_creds = None unpacked_auth_b64 = None try: unpacked_auth_b64 = dockercfg.unpack_auth_b64( registry_image.registry) except ValueError: self.log.warning("Invalid 'auth' value in '%s'", docker_push_secret) if unpacked_auth_b64: dest_creds = unpacked_auth_b64.raw_str else: credentials = dockercfg.get_credentials( registry_image.registry) username = credentials.get('username') password = credentials.get('password') if username and password: dest_creds = username + ':' + password if dest_creds: cmd.append('--dest-creds=' + dest_creds) else: self.log.warning("No credentials found in '%s'", docker_push_secret) if insecure: cmd.append('--dest-tls-verify=false') if image['type'] == IMAGE_TYPE_OCI: source_img = 'oci:{path}:{ref_name}'.format(**image) elif image['type'] == IMAGE_TYPE_DOCKER_ARCHIVE: source_img = 'docker-archive://{path}'.format(**image) else: raise RuntimeError( "Attempt to push unsupported image type %s with skopeo" % image['type']) dest_img = 'docker://' + registry_image.to_str() # Make sure we don't log the credentials cmd += [source_img, dest_img] log_cmd = [ re.sub(r'^--dest-creds=.*', '--dest-creds=<HIDDEN>', arg) for arg in cmd ] self.log.info("Calling: %s", ' '.join(log_cmd)) try: subprocess.check_output(cmd, stderr=subprocess.STDOUT) except subprocess.CalledProcessError as e: self.log.error("push failed with output:\n%s", e.output) e.cmd = log_cmd # hide credentials raise