Set Up Docker Credential Store on VMware Photon

Photon OS

If you’re using ESXi hypervisors and Docker, you’re probably using VIC or running it on an Ubuntu VM. But recently we tried VMware’s new “Minimal Linux Container Host”, Photon OS.

With Photon, you can install packages using tdnf. To keep it minimalist, we avoided adding any additional repositories, but this made it surprisingly difficult to set up the credential store. We decided to set up pass to protect our login. Otherwise, credentials will appear in cleartext in the ~/.docker/config.json file.

Install Packages from tdnf

To make this easier you’ll want all of the below packages.

  • wget
  • tar
  • make
  • gnupg
  • tree
[email protected] [ ~ ]# tdnf -y install wget tar make gnupg tree

Login to Docker

Log in to Docker at least once if you have not already done so. This will automatically create the ~/.docker/config.json file for you.

[email protected] [ ~ ]# docker login
Login with your Docker ID to push and pull images from 

Docker Hub

. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username: pandatech0
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[email protected] [ ~ ]# docker logout
Removing login credentials for https://index.docker.io/v1/

Manually Install pass

None of the built-in repositories in Photon come with pass. Be sure to check the official site in case there is a newer version than what is in the instructions below.

[email protected] [ ~ ]# wget https://git.zx2c4.com/password-store/snapshot/password-store-1.7.3.tar.xz
[email protected] [ ~ ]# tar -xf password-store-1.7.3.tar.xz 
[email protected] [ ~ ]# cd password-store-1.7.3/
[email protected] [ ~ ]# make install

Manually Install docker-credential-pass

Once pass is installed, you can download and install docker-credential-pass from Docker’s GitHub.

[email protected] [ ~ ]# wget https://github.com/docker/docker-credential-helpers/releases/download/v0.6.0/docker-credential-pass-v0.6.0-amd64.tar.gz
[email protected] [ ~ ]# tar -xf docker-credential-pass-v0.6.0-amd64.tar.gz
[email protected] [ ~ ]# chmod +x docker-credential-pass 
[email protected] [ ~ ]# mv docker-credential-pass /usr/local/bin/

Update the Docker Config File

[email protected] [ ~ ]# vi ~/.docker/config.json

This file should have been automatically created the first time you ran docker login. Add line 8 as seen below:

{
    "auths": {
        "https://index.docker.io/v1/": {}
    },
    "HttpHeaders": {
        "User-Agent": "Docker-Client/18.06.2 (linux)"
    },
    "credsStore": "pass"
}

Generate Keys for the Store

Before you can properly use pass, you’ll need to generate a key for encrypting all your passwords. For simplicity we used the simple command. You may want to consider using gpg --full-generate-key to view all of the possible key creation options.

[email protected] [ ~ ]# gpg --generate-key

You’ll be prompted for email address, and then you’ll be asked to create and confirm a password for the store. Below is the sample output. This may take a while to generate the key. I usually set it to run before bed.

gpg (GnuPG) 2.2.10; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: 
Email address: [email protected]
You selected this USER-ID:
    "[email protected]"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

Initialize Pass

First, verify that a new, valid key was created with the below:

[email protected] [ ~ ]# gpg --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2020-02-27
/root/.gnupg/pubring.kbx
------------------------
pub   rsa2048 2018-02-28 [SC] [expires: 2020-02-27]
      FFFFFFFFFFFFFFF0000000000000000000000000
uid           [ultimate] [email protected]
sub   rsa2048 2018-02-28 [E] [expires: 2020-02-27]

After verification, initialize pass using the email address you created a key with. You’ll be prompted to create and confirm a password for the store.

[email protected] [ ~ ]# pass init [email protected]
Password store initialized for [email protected]

Initialize docker-credential-pass

Using pass show you should see the docker-credential-helpers. If not, try running docker login and docker logout again. You may receive an error that “pass store is uninitialized”. Run the below to initialize the docker-credential-helpers. You may get a prompt for your store’s password again (the password you created in the previous step).

[email protected] [ ~ ]# pass show
Password Store
└── docker-credential-helpers
    └── docker-pass-initialized-check

[email protected] [ ~ ]# pass show docker-credential-helpers/docker-pass-initialized-check 
pass is initialized

[email protected] [ ~ ]# pass show
Password Store
└── docker-credential-helpers
    └── sHR0cHM6Ly0pdNRLeC5kb2NrZXIvyW8vdjFW
        └── pandatech0

Conclusion

You should be all set now. But now logging in will sometimes be a two-step process because the store will time out after some time:

[email protected] [ ~ ]# pass show docker-credential-helpers/docker-pass-initialized-check 
pass is initialized

[email protected] [ ~ ]# docker login
Authenticating with existing credentials...
Login Succeeded

After docker login, you can check cat ~/.docker/config.json, and you should not see any of your credentials in cleartext. Now you are finally ready to safely push and pull containers through your Docker Hub account.

Google Play Music Manager on a Virtual Machine

Google Play Music Manager Login Failed

The first time you install Google Play Music Manager on a virtual machine you will probably receive the error, “Login failed. Could not identify your computer.” You’ll definitely experience this on any VMware ESXi virtual machines. Google currently doesn’t support virtual machines. Therefore, Music Manager on a virtual machine in Hyper-V or XenServer will likely encounter this problem as well.

Google Play Music Manager Login Failed

Installing Google Play Music Manager on a virtual machine is a great idea if you have a home server for streaming and storing media. Google Play Music is still one of the best free options for keeping a copy of your library in the cloud. But you will need to install Google Play’s Music Manager software if you want to automatically keep songs in sync (up to 50,000 songs). Just be aware that it is a great cloud option for streaming, but not archiving or backup, particularly if you are an audiophile. Google’s system will convert loseless FLAC and ALAC down to 320kbps MP3 files.

Manually Assign a MAC Address

The standard VMware OUI MAC addresses will NOT work, i.e., the following three-byte prefixes will not work: 00:0C:29 and 00:50:56. We have had no issues using a randomly generated MAC address. There is the small chance that it will overlap with another device on your network, but that is very unlikely, and you can easily use another MAC from the generated list.

  • Generate a random MAC address for the virtual machine
  • Manually assign the address
  • Start/restart the virtual machine and you should be able to login to Google Play Music Manager now