github.com/kelda-inc/moby@v1.13.1/docs/reference/commandline/login.md (about) 1 --- 2 title: "login" 3 description: "The login command description and usage" 4 keywords: "registry, login, image" 5 --- 6 7 <!-- This file is maintained within the docker/docker Github 8 repository at https://github.com/docker/docker/. Make all 9 pull requests against that repo. If you see this file in 10 another repository, consider it read-only there, as it will 11 periodically be overwritten by the definitive file. Pull 12 requests which include edits to this file in other repositories 13 will be rejected. 14 --> 15 16 # login 17 18 ```markdown 19 Usage: docker login [OPTIONS] [SERVER] 20 21 Log in to a Docker registry. 22 If no server is specified, the default is defined by the daemon. 23 24 Options: 25 --help Print usage 26 -p, --password string Password 27 -u, --username string Username 28 ``` 29 30 If you want to login to a self-hosted registry you can specify this by 31 adding the server name. 32 33 example: 34 $ docker login localhost:8080 35 36 37 `docker login` requires user to use `sudo` or be `root`, except when: 38 39 1. connecting to a remote daemon, such as a `docker-machine` provisioned `docker engine`. 40 2. user is added to the `docker` group. This will impact the security of your system; the `docker` group is `root` equivalent. See [Docker Daemon Attack Surface](https://docs.docker.com/security/security/#docker-daemon-attack-surface) for details. 41 42 You can log into any public or private repository for which you have 43 credentials. When you log in, the command stores encoded credentials in 44 `$HOME/.docker/config.json` on Linux or `%USERPROFILE%/.docker/config.json` on Windows. 45 46 ## Credentials store 47 48 The Docker Engine can keep user credentials in an external credentials store, 49 such as the native keychain of the operating system. Using an external store 50 is more secure than storing credentials in the Docker configuration file. 51 52 To use a credentials store, you need an external helper program to interact 53 with a specific keychain or external store. Docker requires the helper 54 program to be in the client's host `$PATH`. 55 56 This is the list of currently available credentials helpers and where 57 you can download them from: 58 59 - D-Bus Secret Service: https://github.com/docker/docker-credential-helpers/releases 60 - Apple macOS keychain: https://github.com/docker/docker-credential-helpers/releases 61 - Microsoft Windows Credential Manager: https://github.com/docker/docker-credential-helpers/releases 62 63 ### Usage 64 65 You need to specify the credentials store in `$HOME/.docker/config.json` 66 to tell the docker engine to use it: 67 68 ```json 69 { 70 "credsStore": "osxkeychain" 71 } 72 ``` 73 74 If you are currently logged in, run `docker logout` to remove 75 the credentials from the file and run `docker login` again. 76 77 ### Protocol 78 79 Credential helpers can be any program or script that follows a very simple protocol. 80 This protocol is heavily inspired by Git, but it differs in the information shared. 81 82 The helpers always use the first argument in the command to identify the action. 83 There are only three possible values for that argument: `store`, `get`, and `erase`. 84 85 The `store` command takes a JSON payload from the standard input. That payload carries 86 the server address, to identify the credential, the user name, and either a password 87 or an identity token. 88 89 ```json 90 { 91 "ServerURL": "https://index.docker.io/v1", 92 "Username": "david", 93 "Secret": "passw0rd1" 94 } 95 ``` 96 97 If the secret being stored is an identity token, the Username should be set to 98 `<token>`. 99 100 The `store` command can write error messages to `STDOUT` that the docker engine 101 will show if there was an issue. 102 103 The `get` command takes a string payload from the standard input. That payload carries 104 the server address that the docker engine needs credentials for. This is 105 an example of that payload: `https://index.docker.io/v1`. 106 107 The `get` command writes a JSON payload to `STDOUT`. Docker reads the user name 108 and password from this payload: 109 110 ```json 111 { 112 "Username": "david", 113 "Secret": "passw0rd1" 114 } 115 ``` 116 117 The `erase` command takes a string payload from `STDIN`. That payload carries 118 the server address that the docker engine wants to remove credentials for. This is 119 an example of that payload: `https://index.docker.io/v1`. 120 121 The `erase` command can write error messages to `STDOUT` that the docker engine 122 will show if there was an issue.