skopeo: skopeo doesn't support credsStore in docker/config.json
I am trying to push an image with skopeo (version 1.2.0) on Mac OS X to a Docker registry.
If I do:
$ docker login
Username: zroubalik
Password:
Login Succeeded!
And then try to copy the image to the registry, I get an unauthorized error:
$ skopeo copy docker://docker.io/zroubalik/test:latest docker://docker.io/zroubalik/test:latest --debug
DEBU[0000] Credentials not found
DEBU[0000] Using registries.d directory /usr/local/etc/containers/registries.d for sigstore configuration
DEBU[0000] Using "default-docker" configuration
DEBU[0000] Using file:///var/lib/containers/sigstore
DEBU[0000] Looking for TLS certificates and private keys in /etc/docker/certs.d/docker.io
DEBU[0000] Loading registries configuration "/usr/local/etc/containers/registries.conf"
DEBU[0000] Trying to access "docker.io/zroubalik/test:latest"
DEBU[0000] Credentials not found
DEBU[0000] Using registries.d directory /usr/local/etc/containers/registries.d for sigstore configuration
DEBU[0000] Using "default-docker" configuration
DEBU[0000] No signature storage configuration found for docker.io/zroubalik/test:latest
DEBU[0000] Looking for TLS certificates and private keys in /etc/docker/certs.d/docker.io
DEBU[0000] GET https://registry-1.docker.io/v2/
DEBU[0000] Ping https://registry-1.docker.io/v2/ status 401
DEBU[0000] GET https://auth.docker.io/token?scope=repository%3Azroubalik%2Ftest%3Apull&service=registry.docker.io
DEBU[0001] GET https://registry-1.docker.io/v2/zroubalik/test/manifests/latest
DEBU[0002] Content-Type from manifest GET is "application/vnd.docker.distribution.manifest.v2+json"
DEBU[0002] Using blob info cache at /Users/zroubali/.local/share/containers/cache/blob-info-cache-v1.boltdb
DEBU[0002] IsRunningImageAllowed for image docker:docker.io/zroubalik/test:latest
DEBU[0002] Using default policy section
DEBU[0002] Requirement 0: allowed
DEBU[0002] Overall: allowed
Getting image source signatures
DEBU[0002] Manifest has MIME type application/vnd.docker.distribution.manifest.v2+json, ordered candidate list [application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.v1+prettyjws, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.docker.distribution.manifest.v1+json]
DEBU[0002] ... will first try using the original manifest unmodified
DEBU[0002] Checking /v2/zroubalik/test/blobs/sha256:fa372fac507b528228121b30bb7945b7fdd854b288d757b15889d4c4cab9c7d9
DEBU[0002] GET https://registry-1.docker.io/v2/
...
DEBU[0008] ... already exists
Writing manifest to image destination
DEBU[0008] PUT https://registry-1.docker.io/v2/zroubalik/test/manifests/latest
DEBU[0008] Writing manifest using preferred type application/vnd.docker.distribution.manifest.v2+json failed: Error writing manifest: Error uploading manifest latest to docker.io/zroubalik/test: errors:
denied: requested access to the resource is denied
unauthorized: authentication required
FATA[0008] Error writing manifest: Error uploading manifest latest to docker.io/zroubalik/test: errors:
denied: requested access to the resource is denied
unauthorized: authentication required
If I do $ skopeo login docker.io and then try to copy the image, the push is successful.
My config.json:
$ cat ~/.docker/config.json
{
    "auths": {
        "https://index.docker.io/v1/": {}
    },
    "HttpHeaders": {
        "User-Agent": "Docker-Client/19.03.13 (darwin)"
    },
    "credsStore": "desktop",
    "experimental": "disabled",
    "stackOrchestrator": "swarm"
}
About this issue
- State: closed
- Created 4 years ago
- Reactions: 5
- Comments: 27 (15 by maintainers)
I did this on my side to use skopeo with an ECR registry.
I hope this helps.
Skopeo will not support this.
Podman does not use Docker config files. We will read the docker.json file for the case where a user has done a docker login, but this is a fall back. We do not believe that Docker should have combined the purpose of this file the way they did, so extending this is not a priority. Podman also does not read /etc/docker/* content.
Bottom line, this is one of the first issues I have seen over the last few years where we have heard about this.
Looks like "credsStore": "desktop", is configured in ~/.docker/config.json, so docker login saves the credential to the desktop, but c/image doesn't support parsing the "credsStore" configuration.
@rhatdan From an outsider's perspective, skopeo (and podman too it sounds) decided to make its own competing version of docker/config.json for no reason. This inevitably causes confusion for developers who quite reasonably expect all their docker-ish tooling to work together nicely. skopeo should fall back to docker/config.json for credsStore just like it already does for credHelpers.
Is this really the approach on this? I think that we should make all tools as developer friendly as possible. So in this case, docker has been a de facto standard for a couple of years, so we should make the transition as smooth as possible.
Skopeo's goal is not to match Docker. That is Podman's goal. If this does not work with Podman then I see why you have a complaint.
FWIW a way to address this (at this point I'm not sure whether it's a workaround or a final solution) is to set up credential-helpers in registries.conf.
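Added example, not part of the thread and not skopeo or Docker code: a small diagnostic that reads a Docker-style config.json and reports whether a registry's credentials sit inline in auths, behind a per-registry credHelpers entry, or in the global credsStore helper, which is the situation in the report at the top of this issue. The function names and sample config are constructed for illustration; the only assumption is the docker-credential-<name> naming convention for helper binaries.

```python
import base64
import json

# Constructed sample mirroring the config.json in the report:
# an empty auths entry, with the secret held by the "desktop" helper.
SAMPLE_CONFIG = """{
  "auths": {"https://index.docker.io/v1/": {}},
  "credsStore": "desktop"
}"""


def normalize(key):
    """Reduce an auths/credHelpers key or registry name to a bare hostname."""
    host = key.split("://", 1)[-1].split("/", 1)[0]
    # Docker Hub entries are stored under the legacy index hostname.
    return "docker.io" if host in ("index.docker.io", "registry-1.docker.io") else host


def credential_source(config_text, registry):
    """Return (source, detail) describing where credentials for `registry` live.

    This is a diagnostic, not a reproduction of either tool's lookup order.
    """
    cfg = json.loads(config_text)
    registry = normalize(registry)
    # 1. Per-registry helper: credHelpers maps registry -> helper name.
    for key, helper in cfg.get("credHelpers", {}).items():
        if normalize(key) == registry:
            return ("credHelpers", "docker-credential-" + helper)
    # 2. Inline entry carrying a base64-encoded "user:password" value.
    has_entry = False
    for key, entry in cfg.get("auths", {}).items():
        if normalize(key) != registry:
            continue
        has_entry = True
        if entry.get("auth"):
            user = base64.b64decode(entry["auth"]).decode().split(":", 1)[0]
            return ("inline", user)  # report the user only, never the password
    # 3. Global store: the auths entry is empty and the helper holds the secret.
    store = cfg.get("credsStore")
    if store:
        return ("credsStore", "docker-credential-" + store)
    return ("none", "empty auths entry" if has_entry else "no entry")


if __name__ == "__main__":
    print(credential_source(SAMPLE_CONFIG, "docker.io"))
```

A result of credsStore for a registry means a client that reads only auths and credHelpers will log "Credentials not found" for it, as in the debug output above.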