Compose: docker-compose tries to retrieve empty secret

Created on 4 May 2019 · 11Comments · Source: docker/compose

the problem is that docker-compose invokes external credential get with empty url, and the credentials are not even needed.

and credential helper rejects such calls with pass no url.

$ docker-compose --version
docker-compose version 1.24.0, build unknown

$ cat Dockerfile
FROM scratch
COPY Dockerfile /

$ cat docker-compose.yml
version: "3"
services:
  app:
    build: .

$ docker-compose build
Building app
Traceback (most recent call last):
  File "/usr/local/Cellar/docker-compose/1.24.0/libexec/lib/python3.7/site-packages/dockerpycreds/store.py", line 80, in _execute
    [self.exe, subcmd], input=data_input, env=env,
  File "/usr/local/opt/python/Frameworks/Python.framework/Versions/3.7/lib/python3.7/subprocess.py", line 395, in check_output
    **kwargs).stdout
  File "/usr/local/opt/python/Frameworks/Python.framework/Versions/3.7/lib/python3.7/subprocess.py", line 487, in run
    output=stdout, stderr=stderr)
subprocess.CalledProcessError: Command '['/usr/local/bin/docker-credential-osxkeychain', 'get']' returned non-zero exit status 1.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/Cellar/docker-compose/1.24.0/libexec/lib/python3.7/site-packages/docker/auth.py", line 264, in _resolve_authconfig_credstore
    data = store.get(registry)
  File "/usr/local/Cellar/docker-compose/1.24.0/libexec/lib/python3.7/site-packages/dockerpycreds/store.py", line 35, in get
    data = self._execute('get', server)
  File "/usr/local/Cellar/docker-compose/1.24.0/libexec/lib/python3.7/site-packages/dockerpycreds/store.py", line 93, in _execute
    raise errors.process_store_error(e, self.program)
dockerpycreds.errors.StoreError: Credentials store docker-credential-osxkeychain exited with "no hostname in URL".

kinbug

Source

glensc

Most helpful comment

my current (better) workaround is to force use of buildkit, which does not invoke docker-credential helper without arguments:

$ COMPOSE_DOCKER_CLI_BUILD=1 DOCKER_BUILDKIT=1 docker-compose up

$ docker --version
Docker version 19.03.5, build 633a0ea
$ docker-compose --version
docker-compose version 1.25.0-rc4, build 8f3c9c58

glensc on 2 Dec 2019

❤2

All 11 comments

Hello @glensc Thank you for the report.
What does return the command /usr/local/bin/docker-credential-osxkeychain version ?

jcsirot on 6 May 2019

@jcsirot

$ /usr/local/bin/docker-credential-osxkeychain version
0.6.2
$ readlink -f /usr/local/bin/docker-credential-osxkeychain
/usr/local/Cellar/docker-credential-helper/0.6.2/bin/docker-credential-osxkeychain

the same problem is with docker-credential-desktop which i think is just proxy to osxkeychain provided by docker-for-mac

glensc on 6 May 2019

I accidentally connected two dots. I recently changed password in docker hub, and it tries to authenticate with the invalid credentials.

rather surprising to me that it tries to authenticate resources that do not require authentication.

for example I was able to reproduce this in some other host:

root@guinea-pig# cat ~/.docker/config.json
{
        "auths": {
                "https://index.docker.io/v1/": {
                        "auth": "cmFuZG9tOmhhY2tlcgo="
                }
        }
}

root@guinea-pig# docker pull alpine
Using default tag: latest
Error response from daemon: Get https://registry-1.docker.io/v2/library/alpine/manifests/latest: unauthorized: incorrect username or password

root@guinea-pig# rm -vf ~/.docker/config.json
removed '/home/vagrant/.docker/config.json'

root@guinea-pig# docker pull alpine
Using default tag: latest
latest: Pulling from library/alpine
Digest: sha256:769fddc7cc2f0a1c35abb2f91432e8beecf83916c421420e6a6da9f8975464b6
Status: Image is up to date for alpine:latest

so, as this seems to happen with docker client as well, it's not a bug in docker-compose, so I'm closing this.

glensc on 23 May 2019

docker compose problem is back:

https://github.com/docker/for-mac/issues/3805#issuecomment-544683672

...so re-opening. and my previuous assesment may be invalid.

current status is that docker cli works fine, but docker-compose fails, so i workaround typically with:

docker build -t <image_name> .
edit docker-compose.yml to use image: <image_name>

or just temporarily edit ~/.docker/config.json and disable credStore while running docker-compose build.

glensc on 21 Oct 2019

seems to be the same as #6852, can we close this one?
A fix has been merged in the code base of Docker Desktop yesterday and should be available in the next edge version

glours on 21 Oct 2019

@glours can you link to the fix that you say was merged?

as in the ticket you linked (#6852), I see nothing "same" with the problem reported here: calling credential helper with no url argument resulting exception from docker-compose

glensc on 21 Oct 2019

my current (better) workaround is to force use of buildkit, which does not invoke docker-credential helper without arguments:

$ COMPOSE_DOCKER_CLI_BUILD=1 DOCKER_BUILDKIT=1 docker-compose up

$ docker --version
Docker version 19.03.5, build 633a0ea
$ docker-compose --version
docker-compose version 1.25.0-rc4, build 8f3c9c58

glensc on 2 Dec 2019

❤2

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.