Support Azure Container Registry (Azure AD login) #189

Open
flcdrg opened this issue Apr 28, 2020 · 8 comments

@flcdrg
Contributor

flcdrg commented Apr 28, 2020

I followed the instructions at https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication#individual-login-with-azure-ad to log in to an Azure Container Registry.

e.g.

az acr login --name myregistry

That updates Docker's config.json like so:

{
	"auths": {
		"myregistry.azurecr.io": {}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/19.03.8 (windows)"
	},
	"credsStore": "desktop",
	"experimental": "enabled",
	"stackOrchestrator": "swarm"
}

With this in place, docker pull or docker push work correctly, but dobi fails with:

The push refers to repository [myregistry.azurecr.io/stuff/things]
....
failed to execute task "myimage:push": unauthorized: authentication required

@mlilien

mlilien commented May 6, 2020

For me it works. I had to create a symlink
~/.dockercfg -> /home/user/snap/docker/current/.docker/config.json

@flcdrg
Contributor Author

flcdrg commented May 6, 2020

I'm on Windows, but I'll try creating a .dockercfg directly in the user profile directory (which looks to be the equivalent of what you did) and see if that helps.

@flcdrg
Contributor Author

flcdrg commented May 7, 2020

Nope.. with c:\users\dgardiner\.dockercfg having the same contents as C:\Users\dgardiner\.docker\config.json it still fails.

[WARN] Failed to load auth config: No docker configuration found
...
...
[ERROR] failed to execute task "myimage:push": unauthorized: authentication required

@dnephin
Owner

dnephin commented May 10, 2020

The function to look up the config comes from go-dockerclient, here: https://github.com/fsouza/go-dockerclient/blob/eb4b27262d9a41d4004d101c32e0598782a39415/auth.go#L59-L88

It looks like a bunch of files are checked, but they require either the DOCKER_CONFIG or HOME env var to be set. Could the problem be that HOME is not set? This would probably be a good thing to document.

@flcdrg
Contributor Author

flcdrg commented May 11, 2020

I'll test setting these and let you know the results

@flcdrg
Contributor Author

flcdrg commented May 14, 2020

Ok.. so I got a little further after setting DOCKER_CONFIG to point to the directory where config.json lives. I no longer get the warning about no docker config found.

Instead now when I try and push, I get the following:

C:\dev\git\myapp\docker [master ≡ +1 ~2 -0 !]> az acr login --name myacr.azurecr.io
The login server endpoint suffix '.azurecr.io' is automatically omitted.
Login Succeeded
C:\dev\git\myapp\docker [master ≡ +1 ~2 -0 !]> dobi -v myapp:push
[DEBUG] filename=dobi.yaml Configuration loaded
[DEBUG] executing tasks
[DEBUG] time=2020-05-14 10:52:48.9225035 +0930 ACST m=+2.850103101 [image:build myapp] myacr.azurecr.io/myapp/myapp-nano Start
[image:build myapp] myacr.azurecr.io/myapp/myapp-nano is fresh
[DEBUG] elapsed=733.9625ms [image:build myapp] myacr.azurecr.io/myapp/myapp-nano Complete
[DEBUG] [image:tag myapp] myacr.azurecr.io/myapp/myapp-nano time=2020-05-14 10:52:49.656466 +0930 ACST m=+3.584065601 Start
[image:tag myapp] myacr.azurecr.io/myapp/myapp-nano Tagged
[DEBUG] elapsed=14.4382ms [image:tag myapp] myacr.azurecr.io/myapp/myapp-nano Complete
[DEBUG] time=2020-05-14 10:52:49.6709042 +0930 ACST m=+3.598503801 [image:push myapp] myacr.azurecr.io/myapp/myapp-nano Start
[WARN] Missing auth config for "myacr.azurecr.io"
The push refers to repository [myacr.azurecr.io/myapp/myapp-nano]
ef5cd9864edf: Preparing
90dadc26e7a5: Preparing
d01733973ae3: Preparing
e5075e42ae6a: Preparing
d3b61b67446d: Preparing
882081a3d211: Waiting
b85d35010df8: Waiting
89b55c7cf7fa: Waiting
ea1fe3f5daf5: Waiting
f2d0eecba37e: Waiting
c14a85780348: Waiting
f2a07c8a00cd: Waiting
0ee3612948a7: Waiting
0c593bcc2232: Waiting
623016c69eeb: Waiting
8691bdea0e08: Waiting
388f7d9155c2: Waiting
0eabb20ff255: Waiting
a7f53a19c925: Waiting
6d07e9e68015: Waiting
1cd26227ffed: Waiting
35eeb743f582: Waiting
2d4a37fc23b0: Waiting
f5fac1af6fc9: Waiting
b9d3fe3f4dcf: Waiting
446fca2a4269: Waiting
3492c6ad7ce2: Waiting
[DEBUG] stopping tasks
[ERROR] failed to execute task "myapp:push": unauthorized: authentication required

The Missing auth config for "myacr.azurecr.io" warning is curious, as that name is listed in the auths section of config.json, though it just has {} as the value (which is fine for regular docker).

@dnephin
Owner

dnephin commented May 16, 2020

I'm not familiar with az acr login. Could it be that it is expecting to store the password in a password store, which .dobi doesn't support? I notice there is an --expose-token flag. Maybe that would store the token in the docker config file?

@sajayantony

sajayantony commented May 20, 2020

The az acr login just invokes docker login with an EMPTY guid username and the token that you can obtain through --expose-token. Do dobi and the docker CLI use the same credential store? The one thing to note is that the docker CLI uses wincred to store the credentials in the Windows Credential Manager and possibly https://github.com/fsouza/go-dockerclient/blob/eb4b27262d9a41d4004d101c32e0598782a39415/auth.go#L59-L88 - doesn't handle credstores to retrieve the username and token.
An option would be to disable credstore to see the token in the $HOME/.docker/config.json

❯ cat ~/.docker/config.json  | jq
{
  "auths": {
    "sajay.azurecr.io": {
      "auth": "MDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMDAwMDAwOg==",
      "identitytoken": "eyJhbGciOiJSUzI..."
    }
  }
}

The auth is the username which is base64 encoded for 00000000-0000-0000-0000-000000000000.
Expose token shows you the token as well. This token however is not a long lived token so you will have to renew it depending on the JWT expiration time.
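
The two config.json shapes seen in this thread behave differently for a client that reads the file but cannot call a credential helper. The following is an added example, not part of the thread and not code from dobi or go-dockerclient; `Classify`, `helperCfg` and `inlineCfg` are hypothetical names, and the token value is a constructed placeholder.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed samples modelled on the two config.json shapes in this thread.
const helperCfg = `{"auths":{"myregistry.azurecr.io":{}},"credsStore":"desktop"}`
const inlineCfg = `{"auths":{"myregistry.azurecr.io":{"identitytoken":"PLACEHOLDER",
  "auth":"MDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMDAwMDAwOg=="}}}`

// Classify reports, per registry, what a file-only client can obtain (no secrets returned).
func Classify(raw string) (map[string]string, error) {
	var cfg struct {
		Auths map[string]struct {
			Auth          string `json:"auth"`
			IdentityToken string `json:"identitytoken"`
		} `json:"auths"`
		CredsStore string `json:"credsStore"`
	}
	if err := json.Unmarshal([]byte(raw), &cfg); err != nil {
		return nil, err
	}
	out := map[string]string{}
	for host, e := range cfg.Auths {
		dec, err := base64.StdEncoding.DecodeString(e.Auth)
		if err != nil {
			return nil, fmt.Errorf("%s: bad auth field: %v", host, err)
		}
		user := strings.SplitN(string(dec), ":", 2)[0] // auth is base64("user:password")
		out[host] = "empty entry, no credentials"
		switch {
		case e.IdentityToken != "":
			out[host] = "inline identity token, user=" + user
		case e.Auth != "":
			out[host] = "inline password, user=" + user
		case cfg.CredsStore != "": // secret is held by the helper binary, not the file
			out[host] = "empty entry, secret in docker-credential-" + cfg.CredsStore
		}
	}
	return out, nil
}

func main() {
	fmt.Println(Classify(helperCfg))
	fmt.Println(Classify(inlineCfg))
}
```

With `credsStore` set, the `{}` entry is only a marker that the host has stored credentials; disabling the store moves a short-lived token into a plain file, so the file's permissions then matter.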
