Docker login in 27.2.0 no longer overwrites existing config.json #5382

Closed
thiago-gitlab opened this issue Aug 30, 2024 · 6 comments · Fixed by #5383

Comments

@thiago-gitlab

Description

In Docker 27.1.2, running docker login multiple times causes the authentication information in ~/.docker/config.json to be updated with the latest successful execution.

In 27.2.0, the first successful authentication prevents config.json from being updated.

This is a breaking change because the existing expectation is that docker login always overwrites the authentication information.

Reproduce

  1. docker login repository-a
  2. docker login repository-b
  3. docker push repository-b/image

The push will fail since the authentication information recorded is for repository-a.

I've reproduced this in https://gitlab.com/gitlab-org/gitlab/-/issues/481917#note_2081566814 by removing config.json before performing the second authentication.

Expected behavior

docker login always updates config.json with the successful authentication credentials.

docker version

Client 27.2.0 and 27.1.2

docker info

Not relevant

Additional Info

https://gitlab.com/gitlab-org/gitlab/-/issues/481917

@thiago-gitlab changed the title from "Docker cli 27.2.0 no longer overwrites existing config.json" to "Docker login in 27.2.0 no longer overwrites existing config.json" on Aug 30, 2024
@thiago-gitlab
Author

A workaround is to downgrade to 27.1.2. Another workaround is to delete the config.json before authenticating for a second time. Example

@thaJeztah
Member

Thanks for reporting!

From that linked ticket;

$ docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credential-stores
Login Succeeded
$ docker pull registry.gitlab.com/gitlab-org/security-products/analyzers/container-scanning:latest
latest: Pulling from gitlab-org/security-products/analyzers/container-scanning
e4fff0779e6d: Pulling fs layer
,,,
,,,
Digest: sha256:84c7ee8800ce979ef5482d5ca21086f05fbf50d3a477f8194e4b5e87233a5c24
Status: Downloaded newer image for registry.gitlab.com/gitlab-org/security-products/analyzers/container-scanning:latest
registry.gitlab.com/gitlab-org/security-products/analyzers/container-scanning:latest


$ if [ -n "$CS_DEPLOY_USERNAME" ] && [ -n "$CS_DEPLOY_PASSWORD" ]; then # collapsed multi-line command
Login Succeeded
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credential-stores
The push refers to repository [registry.gitlab.com/security-products/container-scanning]
5f70bf18a086: Preparing
11c61dfd316c: Preparing
...
...
5f70bf18a086: Layer already exists
b70d9e93136f: Layer already exists
...
...
errors:
denied: requested access to the resource is denied
unauthorized: authentication required

Unfortunately the second login call is shown as "collapsed", but IIUC, the reproducer is effectively;

docker login some-registry.example.com/repository/name
...

docker login some-registry.example.com/other-repository/name
...

The problem looks to be that 27.2 is not converting the given registry to its hostname, and instead preserves the path (repository name), therefore storing each under a different key;

echo $PASS | docker login -u <USERNAME> --password-stdin registry.hub.docker.com
# ...
Login Succeeded

echo $PASS | docker login -u <USERNAME> --password-stdin registry.hub.docker.com/repository/name
# ...
Login Succeeded

echo $PASS | docker login -u <USERNAME> --password-stdin registry.hub.docker.com/other-repository/name
# ...
Login Succeeded

cat ~/.docker/config.json
{
	"auths": {
		"registry.hub.docker.com": {
			"auth": "<REDACTED>"
		},
		"registry.hub.docker.com/other-repository/name": {
			"auth": "<REDACTED>"
		},
		"registry.hub.docker.com/repository/name": {
			"auth": "<REDACTED>"
		}
	}
}

doing the same with 27.1;

echo $PASS | docker login -u <USERNAME> --password-stdin registry.hub.docker.com
# ...
Login Succeeded

echo $PASS | docker login -u <USERNAME> --password-stdin registry.hub.docker.com/repository/name
# ...
Login Succeeded

echo $PASS | docker login -u <USERNAME> --password-stdin registry.hub.docker.com/other-repository/name
# ...
Login Succeeded

cat ~/.docker/config.json
{
	"auths": {
		"registry.hub.docker.com": {
			"auth": "<REDACTED>"
		}
	}
}
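
As an added example (not part of the thread and not Docker CLI code), the Go program below audits a config.json for the path-scoped `auths` keys that 27.2.0 wrote in the session above, grouping them by registry hostname. The sample document is constructed from the output shown in this comment, and splitting a key at its first "/" is a simplification made for the example, not the CLI's ConvertToHostname.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample: the 27.2.0 config.json from the thread, plus the
// URL-style Docker Hub key, which is a legitimate entry.
const sample = `{"auths": {
  "registry.hub.docker.com": {"auth": "<REDACTED>"},
  "registry.hub.docker.com/other-repository/name": {"auth": "<REDACTED>"},
  "registry.hub.docker.com/repository/name": {"auth": "<REDACTED>"},
  "https://index.docker.io/v1/": {"auth": "<REDACTED>"}
}}`

// pathScopedKeys returns, per registry hostname, the "auths" keys that also
// carry a repository path. URL-style keys (with a scheme) are left alone.
func pathScopedKeys(raw []byte) (map[string][]string, error) {
	var cfg struct {
		Auths map[string]json.RawMessage `json:"auths"`
	}
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("parse config.json: %w", err)
	}
	found := map[string][]string{}
	for key := range cfg.Auths {
		if strings.Contains(key, "://") {
			continue
		}
		// Hostname = text before the first "/" (assumption of this example).
		if host, _, hasPath := strings.Cut(key, "/"); hasPath {
			found[host] = append(found[host], key)
		}
	}
	for _, keys := range found {
		sort.Strings(keys) // stable output for reports and diffs
	}
	return found, nil
}

func main() {
	found, err := pathScopedKeys([]byte(sample))
	fmt.Println(found, err)
}
```

Run against the contents of ~/.docker/config.json on hosts that used 27.2.0, any hostname it returns has extra stored credential entries worth reviewing.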

@thaJeztah
Member

thaJeztah commented Aug 30, 2024

cc @laurazard PTAL - looks like somewhere we're missing a call to ConvertToHostname

func ConvertToHostname(maybeURL string) string {

(Wondering if this is actually the underlying issue related to #5378, and not the hostname that's used 🤔 )

@laurazard
Member

Re: #5378, I'm fairly certain it's a separate thing, because as I wrote there even in v27.1.2 if you only have credentials for https://index.docker.io/v1/ and do a pull from registry-1.docker.io, the pull is unauthenticated.

I see where this issue was introduced though.

@laurazard
Member

FYI @thiago-gitlab, running docker login [registry address] with the repository name/image included in the repo (such as docker login -u <USERNAME> index.docker.io/repository/name) is undocumented behavior – we're fixing this for now, but no guarantees about the future unless we settle on explicitly supporting it. In general it would be safer to not include the repo name when running docker login.

@thiago-gitlab
Author

Thank you for letting me know, @laurazard. We'll fix that on our scripts and any user documentation.

And also thanks everyone for the amazingly quick response and fix. 🚀 🎉
