Set Up Docker Credential Store on VMware Photon

If you’re using ESXi hypervisors and Docker, you’re probably using VIC or running it on an Ubuntu VM. But recently we tried VMware’s new “Minimal Linux Container Host”, Photon OS.

With Photon, you can install packages using tdnf. To keep it minimalist, we avoided adding any additional repositories, but this made it surprisingly difficult to set up the credential store. We decided to set up pass to protect our login. Otherwise, credentials will appear in cleartext in the ~/.docker/config.json file.

Install Packages from tdnf

To make this easier, you’ll want all of the packages below.

  • wget
  • tar
  • make
  • gnupg
  • tree

Log In to Docker

Log in to Docker at least once if you have not already done so. This will automatically create the ~/.docker/config.json file for you.

Manually Install pass

None of the built-in repositories in Photon come with pass. Be sure to check the official site in case there is a newer version than what is in the instructions below.

Manually Install docker-credential-pass

Once pass is installed, you can download and install docker-credential-pass from Docker’s GitHub.

Update the Docker Config File

This file should have been automatically created the first time you ran docker login. Add line 8 as seen below:

Generate Keys for the Store

Before you can properly use pass, you’ll need to generate a key for encrypting all your passwords. For simplicity we used the simple command. You may want to consider using gpg --full-generate-key to view all of the possible key creation options.

You’ll be prompted for an email address, and then you’ll be asked to create and confirm a password for the store. Below is the sample output. The key may take a while to generate. I usually set it to run before bed.

Initialize Pass

First, verify that a new, valid key was created with the below:

After verification, initialize pass using the email address you created the key with. You’ll be prompted to create and confirm a password for the store.

Initialize docker-credential-pass

Using pass show you should see the docker-credential-helpers. If not, try running docker login and docker logout again. You may receive an error that “pass store is uninitialized”. Run the below to initialize the docker-credential-helpers. You may get a prompt for your store’s password again (the password you created in the previous step).

Conclusion

You should be all set now. But now logging in will sometimes be a two-step process because the store will time out after some time:

After docker login, you can check cat ~/.docker/config.json, and you should not see any of your credentials in cleartext. Now you are finally ready to safely push and pull containers through your Docker Hub account.
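The final check above can be scripted instead of read by eye. The following is an added example, not part of the original post: it parses a Docker config.json and reports a missing credsStore setting or any registry entry that still carries an inline credential. The function name audit_docker_config and both sample configs are constructed for illustration.

```python
import base64
import json
import sys

def audit_docker_config(config, expected_store="pass"):
    """Return a list of findings for a parsed ~/.docker/config.json."""
    findings = []
    store = config.get("credsStore")
    if store != expected_store:
        findings.append(f"credsStore is {store!r}, expected {expected_store!r}")
    for registry, entry in config.get("auths", {}).items():
        for field in ("auth", "identitytoken"):
            if not entry.get(field):
                continue  # empty entry: the secret lives in the helper
            detail = ""
            if field == "auth":
                # "auth" is base64("user:password"), which is encoding, not
                # encryption. Report the user name only, never the secret.
                try:
                    raw = base64.b64decode(entry["auth"]).decode()
                    detail = f" (user {raw.split(':', 1)[0]!r})"
                except ValueError:
                    detail = " (value not decodable)"
            findings.append(f"{registry}: inline '{field}' in config{detail}")
    return findings

# Constructed sample: config.json as written by docker login with no helper.
SAMPLE_SECRET = "not-a-real-password"
BEFORE = {
    "auths": {
        "https://index.docker.io/v1/": {
            "auth": base64.b64encode(f"alice:{SAMPLE_SECRET}".encode()).decode()
        }
    }
}

# Constructed sample: the same file once the pass helper is configured.
AFTER = {"auths": {"https://index.docker.io/v1/": {}}, "credsStore": "pass"}

if __name__ == "__main__":
    # Audit the file given as an argument, or the constructed BEFORE sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            cfg = json.load(fh)
    else:
        cfg = BEFORE
    for line in audit_docker_config(cfg) or ["OK: no inline credentials found"]:
        print(line)
```

Pass the path to your own config.json as the first argument to audit the real file; with no argument it runs against the constructed BEFORE sample.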