github.com/45cali/docker@v1.11.1/docs/reference/commandline/login.md (about) 1 <!--[metadata]> 2 +++ 3 title = "login" 4 description = "The login command description and usage" 5 keywords = ["registry, login, image"] 6 [menu.main] 7 parent = "smn_cli" 8 +++ 9 <![end-metadata]--> 10 11 # login 12 13 Usage: docker login [OPTIONS] [SERVER] 14 15 Log in to a Docker registry server, if no server is 16 specified "https://index.docker.io/v1/" is the default. 17 18 --help Print usage 19 -p, --password="" Password 20 -u, --username="" Username 21 22 If you want to login to a self-hosted registry you can specify this by 23 adding the server name. 24 25 example: 26 $ docker login localhost:8080 27 28 29 `docker login` requires user to use `sudo` or be `root`, except when: 30 31 1. connecting to a remote daemon, such as a `docker-machine` provisioned `docker engine`. 32 2. user is added to the `docker` group. This will impact the security of your system; the `docker` group is `root` equivalent. See [Docker Daemon Attack Surface](https://docs.docker.com/security/security/#docker-daemon-attack-surface) for details. 33 34 You can log into any public or private repository for which you have 35 credentials. When you log in, the command stores encoded credentials in 36 `$HOME/.docker/config.json` on Linux or `%USERPROFILE%/.docker/config.json` on Windows. 37 38 > **Note**: When running `sudo docker login` credentials are saved in `/root/.docker/config.json`. 39 > 40 41 ## Credentials store 42 43 The Docker Engine can keep user credentials in an external credentials store, 44 such as the native keychain of the operating system. Using an external store 45 is more secure than storing credentials in the Docker configuration file. 46 47 To use a credentials store, you need an external helper program to interact 48 with a specific keychain or external store. Docker requires the helper 49 program to be in the client's host `$PATH`. 50 51 This is the list of currently available credentials helpers and where 52 you can download them from: 53 54 - D-Bus Secret Service: https://github.com/docker/docker-credential-helpers/releases 55 - Apple OS X keychain: https://github.com/docker/docker-credential-helpers/releases 56 - Microsoft Windows Credential Manager: https://github.com/docker/docker-credential-helpers/releases 57 58 ### Usage 59 60 You need to speficy the credentials store in `$HOME/.docker/config.json` 61 to tell the docker engine to use it: 62 63 ```json 64 { 65 "credsStore": "osxkeychain" 66 } 67 ``` 68 69 If you are currently logged in, run `docker logout` to remove 70 the credentials from the file and run `docker login` again. 71 72 ### Protocol 73 74 Credential helpers can be any program or script that follows a very simple protocol. 75 This protocol is heavily inspired by Git, but it differs in the information shared. 76 77 The helpers always use the first argument in the command to identify the action. 78 There are only three possible values for that argument: `store`, `get`, and `erase`. 79 80 The `store` command takes a JSON payload from the standard input. That payload carries 81 the server address, to identify the credential, the user name, and either a password 82 or an identity token. 83 84 ```json 85 { 86 "ServerURL": "https://index.docker.io/v1", 87 "Username": "david", 88 "Secret": "passw0rd1" 89 } 90 ``` 91 92 If the secret being stored is an identity token, the Username should be set to 93 `<token>`. 94 95 The `store` command can write error messages to `STDOUT` that the docker engine 96 will show if there was an issue. 97 98 The `get` command takes a string payload from the standard input. That payload carries 99 the server address that the docker engine needs credentials for. This is 100 an example of that payload: `https://index.docker.io/v1`. 101 102 The `get` command writes a JSON payload to `STDOUT`. Docker reads the user name 103 and password from this payload: 104 105 ```json 106 { 107 "Username": "david", 108 "Secret": "passw0rd1" 109 } 110 ``` 111 112 The `erase` command takes a string payload from `STDIN`. That payload carries 113 the server address that the docker engine wants to remove credentials for. This is 114 an example of that payload: `https://index.docker.io/v1`. 115 116 The `erase` command can write error messages to `STDOUT` that the docker engine 117 will show if there was an issue.