github.com/pwn-term/docker@v0.0.0-20210616085119-6e977cce2565/cli/docs/reference/commandline/login.md (about) 1 --- 2 title: "login" 3 description: "The login command description and usage" 4 keywords: "registry, login, image" 5 --- 6 7 # login 8 9 ```markdown 10 Usage: docker login [OPTIONS] [SERVER] 11 12 Log in to a Docker registry. 13 If no server is specified, the default is defined by the daemon. 14 15 Options: 16 --help Print usage 17 -p, --password string Password 18 --password-stdin Read password from stdin 19 -u, --username string Username 20 ``` 21 22 ## Description 23 24 Login to a registry. 25 26 ## Examples 27 28 ### Login to a self-hosted registry 29 30 If you want to login to a self-hosted registry you can specify this by 31 adding the server name. 32 33 ```bash 34 $ docker login localhost:8080 35 ``` 36 37 ### Provide a password using STDIN 38 39 To run the `docker login` command non-interactively, you can set the 40 `--password-stdin` flag to provide a password through `STDIN`. Using 41 `STDIN` prevents the password from ending up in the shell's history, 42 or log-files. 43 44 The following example reads a password from a file, and passes it to the 45 `docker login` command using `STDIN`: 46 47 ```bash 48 $ cat ~/my_password.txt | docker login --username foo --password-stdin 49 ``` 50 51 ### Privileged user requirement 52 53 `docker login` requires user to use `sudo` or be `root`, except when: 54 55 1. connecting to a remote daemon, such as a `docker-machine` provisioned `docker engine`. 56 2. user is added to the `docker` group. This will impact the security of your system; the `docker` group is `root` equivalent. See [Docker Daemon Attack Surface](https://docs.docker.com/engine/security/#docker-daemon-attack-surface) for details. 57 58 You can log into any public or private repository for which you have 59 credentials. When you log in, the command stores credentials in 60 `$HOME/.docker/config.json` on Linux or `%USERPROFILE%/.docker/config.json` on 61 Windows, via the procedure described below. 62 63 ### Credentials store 64 65 The Docker Engine can keep user credentials in an external credentials store, 66 such as the native keychain of the operating system. Using an external store 67 is more secure than storing credentials in the Docker configuration file. 68 69 To use a credentials store, you need an external helper program to interact 70 with a specific keychain or external store. Docker requires the helper 71 program to be in the client's host `$PATH`. 72 73 This is the list of currently available credentials helpers and where 74 you can download them from: 75 76 - D-Bus Secret Service: https://github.com/docker/docker-credential-helpers/releases 77 - Apple macOS keychain: https://github.com/docker/docker-credential-helpers/releases 78 - Microsoft Windows Credential Manager: https://github.com/docker/docker-credential-helpers/releases 79 - [pass](https://www.passwordstore.org/): https://github.com/docker/docker-credential-helpers/releases 80 81 #### Configure the credentials store 82 83 You need to specify the credentials store in `$HOME/.docker/config.json` 84 to tell the docker engine to use it. The value of the config property should be 85 the suffix of the program to use (i.e. everything after `docker-credential-`). 86 For example, to use `docker-credential-osxkeychain`: 87 88 ```json 89 { 90 "credsStore": "osxkeychain" 91 } 92 ``` 93 94 If you are currently logged in, run `docker logout` to remove 95 the credentials from the file and run `docker login` again. 96 97 #### Default behavior 98 99 By default, Docker looks for the native binary on each of the platforms, i.e. 100 "osxkeychain" on macOS, "wincred" on windows, and "pass" on Linux. A special 101 case is that on Linux, Docker will fall back to the "secretservice" binary if 102 it cannot find the "pass" binary. If none of these binaries are present, it 103 stores the credentials (i.e. password) in base64 encoding in the config files 104 described above. 105 106 #### Credential helper protocol 107 108 Credential helpers can be any program or script that follows a very simple protocol. 109 This protocol is heavily inspired by Git, but it differs in the information shared. 110 111 The helpers always use the first argument in the command to identify the action. 112 There are only three possible values for that argument: `store`, `get`, and `erase`. 113 114 The `store` command takes a JSON payload from the standard input. That payload carries 115 the server address, to identify the credential, the user name, and either a password 116 or an identity token. 117 118 ```json 119 { 120 "ServerURL": "https://index.docker.io/v1", 121 "Username": "david", 122 "Secret": "passw0rd1" 123 } 124 ``` 125 126 If the secret being stored is an identity token, the Username should be set to 127 `<token>`. 128 129 The `store` command can write error messages to `STDOUT` that the docker engine 130 will show if there was an issue. 131 132 The `get` command takes a string payload from the standard input. That payload carries 133 the server address that the docker engine needs credentials for. This is 134 an example of that payload: `https://index.docker.io/v1`. 135 136 The `get` command writes a JSON payload to `STDOUT`. Docker reads the user name 137 and password from this payload: 138 139 ```json 140 { 141 "Username": "david", 142 "Secret": "passw0rd1" 143 } 144 ``` 145 146 The `erase` command takes a string payload from `STDIN`. That payload carries 147 the server address that the docker engine wants to remove credentials for. This is 148 an example of that payload: `https://index.docker.io/v1`. 149 150 The `erase` command can write error messages to `STDOUT` that the docker engine 151 will show if there was an issue. 152 153 ### Credential helpers 154 155 Credential helpers are similar to the credential store above, but act as the 156 designated programs to handle credentials for *specific registries*. The default 157 credential store (`credsStore` or the config file itself) will not be used for 158 operations concerning credentials of the specified registries. 159 160 #### Configure credential helpers 161 162 If you are currently logged in, run `docker logout` to remove 163 the credentials from the default store. 164 165 Credential helpers are specified in a similar way to `credsStore`, but 166 allow for multiple helpers to be configured at a time. Keys specify the 167 registry domain, and values specify the suffix of the program to use 168 (i.e. everything after `docker-credential-`). 169 For example: 170 171 ```json 172 { 173 "credHelpers": { 174 "registry.example.com": "registryhelper", 175 "awesomereg.example.org": "hip-star", 176 "unicorn.example.io": "vcbait" 177 } 178 } 179 ``` 180 181 ## Related commands 182 183 * [logout](logout.md)