How can I tell if I'm logged in to a private Docker registry from a script?

粉色の甜心 2021-02-04 23:59

How can I tell whether or not I'm logged in to a private Docker registry server from a script? In other words, has docker login some.registry.com been run success

7 answers
  •  余生分开走
    2021-02-05 00:51

    If you are constrained to examining your local system, it's impossible to know!

    ... The only way to be sure the credentials docker has stored are still valid is to perform an operation that will cause them to be presented to the registry, and to see if the registry accepts them.

    If you want to use the docker CLI to get an answer, then you could use @matanper's suggestion of "login again", which will complete automatically if you still have valid credentials.

    Another way is to try to pull an image known not to exist, which will show a different error message depending on whether you are logged in or not, e.g.

    # NO VALID LOGIN:
    
    $ docker pull 999999999999.dkr.ecr.us-west-2.amazonaws.com/this/image:does_not_exist
    Error response from daemon: pull access denied for 999999999999.dkr.ecr.us-west-2.amazonaws.com/this/image, repository does not exist or may require 'docker login'
    

    versus

    # WITH VALID LOGIN:
    
    $ docker pull 999999999999.dkr.ecr.us-west-2.amazonaws.com/this/image:does_not_exist
    Error response from daemon: manifest for 999999999999.dkr.ecr.us-west-2.amazonaws.com/this/image:does_not_exist not found
    

    (presume that you didn't want to pull because you don't want any delay or large data transfer, so the above method is still 'ok')

    In the past, when docker always stored credentials in ~/.docker/config.json (or equivalent for your OS), you could parse that file to get the currently stored credentials and then run a simple list operation using curl or similar. However, recent docker versions store the credentials in host OS specific stores (e.g. the keychain on Mac OS X) so that is no longer a portable methodology. If portability is not important, you could still try something like that - the hash in config.json is just the base64 encoded username & password, separated by a colon, as is standard for HTTP basic auth e.g. on linux, with jq to parse JSON, and base64 to decode base64:

    $ cat ~/.docker/config.json | jq -r '.auths["registry.example.com"].auth' | base64 -d
    
    username:password
    

    So, completing that with a registry list operation using curl:

    REGISTRY="registry.example.com"
    
    CREDENTIALS="$(cat ~/.docker/config.json | jq -r ".auths[\"${REGISTRY}\"].auth" | base64 -d)"
    
    curl -sSf --max-time 3 --user "${CREDENTIALS}" "https://${REGISTRY}/v2/_catalog"
    

    will return exit code zero, and a JSON response if the CREDENTIALS are good; or a non-zero exit code if not

    {
      "repositories": [
        "jamesjj/test-image",
        "jamesjj/other-image",
        ...
        ...
      ]
    }
    

    NOTE: When parsing the JSON, the registry address key may or may not include the schema https://, depending on how the original login was performed, so cat ~/.docker/config.json | jq -r ".auths[\"${REGISTRY}\"].auth" | base64 -d)" ... may need to be: cat ~/.docker/config.json | jq -r ".auths[\"https://${REGISTRY}\"].auth" | base64 -d)"
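
An added example, not part of the answer above: a Python version of the config.json lookup and curl probe that tries both key forms from the NOTE and reports when a credential store (`credsStore`/`credHelpers`) holds the secret instead of the file. The function names and the `SAMPLE` config are constructed for illustration; it assumes the registry accepts HTTP basic auth on `/v2/_catalog`, as the curl call does.

```python
import base64
import json
import urllib.request
from pathlib import Path

# Constructed sample in the shape of ~/.docker/config.json (not real credentials).
SAMPLE = {"auths": {"https://registry.example.com": {
    "auth": base64.b64encode(b"username:password").decode()}}}


def stored_basic_auth(config, registry):
    """Return (user, password) stored inline for registry, else None."""
    auths = config.get("auths", {})
    # The key may or may not include https://, depending on how login was run.
    for key in (registry, f"https://{registry}", f"https://{registry}/"):
        token = (auths.get(key) or {}).get("auth")
        if token:
            user, _, password = base64.b64decode(token).decode().partition(":")
            return user, password
    return None


def uses_credential_store(config, registry):
    """True when a helper (credsStore/credHelpers) holds the secret instead."""
    return bool(config.get("credsStore")) or registry in config.get("credHelpers", {})


def credentials_accepted(registry, user, password, timeout=3.0):
    """Present the credentials to /v2/_catalog, like the curl call above."""
    request = urllib.request.Request(f"https://{registry}/v2/_catalog")
    basic = base64.b64encode(f"{user}:{password}".encode()).decode()
    request.add_header("Authorization", f"Basic {basic}")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status == 200
    except OSError:  # HTTP 401/403, DNS failure, refused connection, timeout
        return False


def login_status(config, registry, probe=credentials_accepted):
    creds = stored_basic_auth(config, registry)
    if creds is None:
        return "in-credential-store" if uses_credential_store(config, registry) else "no-stored-login"
    return "logged-in" if probe(registry, *creds) else "stored-but-rejected"


if __name__ == "__main__":
    path = Path.home() / ".docker/config.json"
    config = json.loads(path.read_text()) if path.exists() else SAMPLE
    print(login_status(config, "registry.example.com"))
```

A result of `in-credential-store` means the file cannot answer the question on its own, and the `docker login` or `docker pull` checks described in the answer are the ones to use.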
