github.com/pwn-term/docker@v0.0.0-20210616085119-6e977cce2565/cli/docs/reference/commandline/login.md

github.com/pwn-term/docker@v0.0.0-20210616085119-6e977cce2565/cli/docs/reference/commandline/login.md (about)

     1  ---
     2  title: "login"
     3  description: "The login command description and usage"
     4  keywords: "registry, login, image"
     5  ---
     6  
     7  # login
     8  
     9  ```markdown
    10  Usage:  docker login [OPTIONS] [SERVER]
    11  
    12  Log in to a Docker registry.
    13  If no server is specified, the default is defined by the daemon.
    14  
    15  Options:
    16        --help                    Print usage
    17    -p, --password       string   Password
    18        --password-stdin          Read password from stdin
    19    -u, --username       string   Username
    20  ```
    21  
    22  ## Description
    23  
    24  Login to a registry.
    25  
    26  ## Examples
    27  
    28  ### Login to a self-hosted registry
    29  
    30  If you want to login to a self-hosted registry you can specify this by
    31  adding the server name.
    32  
    33  ```bash
    34  $ docker login localhost:8080
    35  ```
    36  
    37  ### Provide a password using STDIN
    38  
    39  To run the `docker login` command non-interactively, you can set the
    40  `--password-stdin` flag to provide a password through `STDIN`. Using
    41  `STDIN` prevents the password from ending up in the shell's history,
    42  or log-files.
    43  
    44  The following example reads a password from a file, and passes it to the
    45  `docker login` command using `STDIN`:
    46  
    47  ```bash
    48  $ cat ~/my_password.txt | docker login --username foo --password-stdin
    49  ```
    50  
    51  ### Privileged user requirement
    52  
    53  `docker login` requires user to use `sudo` or be `root`, except when:
    54  
    55  1.  connecting to a remote daemon, such as a `docker-machine` provisioned `docker engine`.
    56  2.  user is added to the `docker` group.  This will impact the security of your system; the `docker` group is `root` equivalent.  See [Docker Daemon Attack Surface](https://docs.docker.com/engine/security/#docker-daemon-attack-surface) for details.
    57  
    58  You can log into any public or private repository for which you have
    59  credentials.  When you log in, the command stores credentials in
    60  `$HOME/.docker/config.json` on Linux or `%USERPROFILE%/.docker/config.json` on
    61  Windows, via the procedure described below.
    62  
    63  ### Credentials store
    64  
    65  The Docker Engine can keep user credentials in an external credentials store,
    66  such as the native keychain of the operating system. Using an external store
    67  is more secure than storing credentials in the Docker configuration file.
    68  
    69  To use a credentials store, you need an external helper program to interact
    70  with a specific keychain or external store. Docker requires the helper
    71  program to be in the client's host `$PATH`.
    72  
    73  This is the list of currently available credentials helpers and where
    74  you can download them from:
    75  
    76  - D-Bus Secret Service: https://github.com/docker/docker-credential-helpers/releases
    77  - Apple macOS keychain: https://github.com/docker/docker-credential-helpers/releases
    78  - Microsoft Windows Credential Manager: https://github.com/docker/docker-credential-helpers/releases
    79  - [pass](https://www.passwordstore.org/): https://github.com/docker/docker-credential-helpers/releases
    80  
    81  #### Configure the credentials store
    82  
    83  You need to specify the credentials store in `$HOME/.docker/config.json`
    84  to tell the docker engine to use it. The value of the config property should be
    85  the suffix of the program to use (i.e. everything after `docker-credential-`).
    86  For example, to use `docker-credential-osxkeychain`:
    87  
    88  ```json
    89  {
    90    "credsStore": "osxkeychain"
    91  }
    92  ```
    93  
    94  If you are currently logged in, run `docker logout` to remove
    95  the credentials from the file and run `docker login` again.
    96  
    97  #### Default behavior
    98  
    99  By default, Docker looks for the native binary on each of the platforms, i.e.
   100  "osxkeychain" on macOS, "wincred" on windows, and "pass" on Linux. A special
   101  case is that on Linux, Docker will fall back to the "secretservice" binary if
   102  it cannot find the "pass" binary. If none of these binaries are present, it
   103  stores the credentials (i.e. password) in base64 encoding in the config files
   104  described above.
   105  
   106  #### Credential helper protocol
   107  
   108  Credential helpers can be any program or script that follows a very simple protocol.
   109  This protocol is heavily inspired by Git, but it differs in the information shared.
   110  
   111  The helpers always use the first argument in the command to identify the action.
   112  There are only three possible values for that argument: `store`, `get`, and `erase`.
   113  
   114  The `store` command takes a JSON payload from the standard input. That payload carries
   115  the server address, to identify the credential, the user name, and either a password
   116  or an identity token.
   117  
   118  ```json
   119  {
   120    "ServerURL": "https://index.docker.io/v1",
   121    "Username": "david",
   122    "Secret": "passw0rd1"
   123  }
   124  ```
   125  
   126  If the secret being stored is an identity token, the Username should be set to
   127  `<token>`.
   128  
   129  The `store` command can write error messages to `STDOUT` that the docker engine
   130  will show if there was an issue.
   131  
   132  The `get` command takes a string payload from the standard input. That payload carries
   133  the server address that the docker engine needs credentials for. This is
   134  an example of that payload: `https://index.docker.io/v1`.
   135  
   136  The `get` command writes a JSON payload to `STDOUT`. Docker reads the user name
   137  and password from this payload:
   138  
   139  ```json
   140  {
   141    "Username": "david",
   142    "Secret": "passw0rd1"
   143  }
   144  ```
   145  
   146  The `erase` command takes a string payload from `STDIN`. That payload carries
   147  the server address that the docker engine wants to remove credentials for. This is
   148  an example of that payload: `https://index.docker.io/v1`.
   149  
   150  The `erase` command can write error messages to `STDOUT` that the docker engine
   151  will show if there was an issue.
   152  
   153  ### Credential helpers
   154  
   155  Credential helpers are similar to the credential store above, but act as the
   156  designated programs to handle credentials for *specific registries*. The default
   157  credential store (`credsStore` or the config file itself) will not be used for
   158  operations concerning credentials of the specified registries.
   159  
   160  #### Configure credential helpers
   161  
   162  If you are currently logged in, run `docker logout` to remove
   163  the credentials from the default store.
   164  
   165  Credential helpers are specified in a similar way to `credsStore`, but
   166  allow for multiple helpers to be configured at a time. Keys specify the
   167  registry domain, and values specify the suffix of the program to use
   168  (i.e. everything after `docker-credential-`).
   169  For example:
   170  
   171  ```json
   172  {
   173    "credHelpers": {
   174      "registry.example.com": "registryhelper",
   175      "awesomereg.example.org": "hip-star",
   176      "unicorn.example.io": "vcbait"
   177    }
   178  }
   179  ```
   180  
   181  ## Related commands
   182  
   183  * [logout](logout.md)