docker build handles credentials differently than docker pull

[pbecotte]

If a credHelper is defined, 'docker build' with a private FROM image fails, while docker pull of the same image works correctly.

Steps to reproduce the issue:

1. 'docker login' to your private repository (we are using artifactory)
2. Add a credHelper to config.json - for this I went with '{"credHelpers": {"blah.com": "false"}}'
3. Make a dockerfile with a FROM for a non-existant tag in a private image of your private repo
4. docker build - you will get the error "the client does not have permission for the manifest"
5. docker pull - you will get the error "The named manifest is not known to the registry"
6. Remove the credHelper - now docker build will get "The named manifest is not known to the registry"

Describe the results you expected:
'docker build' to be able to pull images the same as 'docker pull'

Additional information you deem important (e.g. issue happens only occasionally):
From our nginx logs, we can see that when the daemon requests a token it makes a request like '/v2/token?account=username' when running 'docker pull', but '/v2/token?scope=repository...' when running 'docker build'. I do not have access to the daemon logs, but the token request on 'docker build' appears to be completely unauthenticated. Removing the credHelper (whether it works or doesn't seems to be immaterial) changes the behavior- in that case, the daemon submits a correctly authenticated request for a token.

Output of docker version:

Client-
Version: 20.10.2
API: 1.39
OS: linux/amd64

Server:
Version: 20.10.2
API: 1.41

[thaJeztah]

I see you're running an older version of docker 20.10;

• are you still able to reproduce this issue on the latest patch release of 20.10?
• could you update the information provided to include the full output (it's ok to redact sensitive data) of docker version and docker info?
• are you building with buildkit enabled (DOCKER_BUILDKIT=1), or using the classic builder?

[pbecotte]

Our environment is quite locked down. The base OS is a frozen rhel8 image with an immutable root filesystem- can't upgrade the daemon. I also cannot copy and paste more than a couple lines of text, which is why I tried to include the important parts, but will take the time to get the rest later.

Using the classic builder.

[pbecotte]

Actually tracked it down- is still in the source code.

https://github.com/docker/docker-ce/blob/master/components/cli/cli/config/configfile/file.go#L357

If any credential helper returns an error, the whole function returns 'nil', instead of continuing to the next one or returning the ones it already has. I would contend that this is a bug- the CLI in this case should either ignore the bad one(s) and still provide the good ones, or print an error message about which host isn't working. Ideally- both, ignore the bad ones and tell the user which ones it ignored.

Actually looks like a straightforward fix, but I am not allowed to make open source contributions without a three month legal review :)