Problem:
Need secure local storage for Docker login credentials, using the Unix pass
tool. When you run the docker login
command, Docker by default stores the credentials in the ~/.docker/config.json
file as a base64-encoded "username:password" string. Base64 is an encoding, not
encryption: anyone who can read the file recovers the password with base64 -d,
which is why docker login prints a WARNING about unencrypted password storage.
Prerequisites:
- Ubuntu 20.04
- If Docker was installed via the Snap package manager, uninstall it with:
snap remove docker
- To list installed Snap packages use:
snap list
- Install Docker on Ubuntu with the following commands:
sudo apt update
sudo apt install apt-transport-https ca-certificates curl software-properties-common
--> install a few prerequisite packages which let apt use packages over HTTPS
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
--> add the GPG key for the official Docker repository to your system
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu focal stable"
--> add the Docker repository to APT sources
apt-cache policy docker-ce
--> make sure you are about to install from the Docker repo (download.docker.com) instead of the default Ubuntu repo
sudo apt install docker-ce
--> install Docker
sudo systemctl status docker
--> Docker should now be installed, the daemon started, and the process enabled to start on boot; check that it is running
docker version
--> confirm the Docker version
- Make docker commands execute without sudo:
sudo usermod -aG docker ${USER}
--> add your username to the docker group
su - ${USER}
--> to apply the new group membership, log out of the server and back in (or start a fresh login shell with su - as above)
groups
--> confirm that your user is now in the docker group. Note that membership in the docker group gives control of the Docker daemon, which is equivalent to root access on the host, so only add accounts you would trust with root.
Setup secure credential storage for Docker:
- Install rng-tools:
sudo apt-get install rng-tools -y
- rng-tools is a set of utilities related to random number generation in the kernel. The main program is rngd, a daemon that checks and feeds random data from a hardware device into the kernel entropy pool. GPG key generation can block while the pool fills, which is a problem on headless machines and VMs.
- Generate the required entropy with the command:
sudo rngd -r /dev/urandom
- Caveat: this points rngd at /dev/urandom instead of a hardware RNG, so it only stops the blocking; it feeds kernel output back into the kernel and adds no real entropy. If the machine has a hardware RNG (for example virtio-rng in a VM, or the CPU's RDRAND instruction), run rngd without -r so it uses that source instead.
- Install the pass tool with the command:
sudo apt-get install pass -y
- Generate a new GPG key:
gpg --full-generate-key
- Answer the interactive setup questions and set a passphrase for the new key. This passphrase protects the private key that will decrypt your Docker credentials, so pick a strong one.
- Create a new directory:
mkdir ~/bin
- Cd into created directory:
cd ~/bin
- Add the directory to your PATH environment variable:
echo 'export PATH=$PATH:~/bin' >> ~/.bashrc
- Download the docker-credential-pass helper with the following command:
wget https://github.com/docker/docker-credential-helpers/releases/download/v0.6.3/docker-credential-pass-v0.6.3-amd64.tar.gz
- Extract files:
tar xvzf docker-credential-pass-v0.6.3-amd64.tar.gz
- Give the new file execute permission with:
chmod a+x docker-credential-pass
- Copy the executable to a directory on your PATH (the Docker CLI looks for the helper as docker-credential-<name> on PATH; /usr/local/bin is already there, so the ~/bin PATH step above is optional):
sudo cp docker-credential-pass /usr/local/bin
- Log out of the registry so the existing base64 entry is removed from ~/.docker/config.json:
docker logout
(you will log in again at the end, once the helper is configured; a docker login now would only store another base64 entry)
- Create the Docker configuration directory if it does not exist yet:
mkdir -p ~/.docker
- Locate the GPG key id to associate with the credential store:
gpg --list-secret-keys
or
gpg --fingerprint [your_email_set_during_key_creation]
- Initialize the pass tool with the command:
pass init [your_gpg_id_string_in_hex_format]
- Create the sentinel entry the helper uses to check that pass is initialized and that gpg-agent can decrypt entries:
pass insert docker-credential-helpers/docker-pass-initialized-check
(the value you enter does not matter; the helper only checks that the entry can be read)
- Once that entry exists, create the configuration file with the command (without sudo: a root-owned config.json in your home directory is not writable by the Docker CLI running as your user, so docker login would fail to update it):
vim ~/.docker/config.json
- Add the following content to the new file, save and close:
{ "credsStore": "pass" }
- Finally log in to Docker with the command
docker login
and check that the WARNING about unencrypted password storage is gone. The credentials are now stored encrypted to your GPG key under ~/.password-store/docker-credential-helpers/, and pass will prompt for (or gpg-agent will cache) your passphrase when Docker needs them.
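The following script is an added example, not part of the original post or of the docker-credential-helpers project. It shows the two things the procedure above turns on: how trivially the default config.json entry decodes back to the password, and how to switch config.json to the pass helper as your own user (no sudo) while moving the old file aside. The function names, the .bak naming and the "verify" argument are this example's own conventions; the verify path assumes pass, gpg and docker-credential-pass are installed and on PATH, and uses the helper's real version and list subcommands.

```shell
#!/bin/sh
# Added example (not from the original post or docker-credential-helpers).
set -eu

# Show why the default storage is insecure: pull the first "auth" value out of
# a Docker config.json and base64-decode it back to "username:password".
# Returns 1 if the file holds no "auth" entry.
# Usage: decode_docker_auth /path/to/config.json
decode_docker_auth() {
    cfg="$1"
    b64=$(grep -o '"auth"[[:space:]]*:[[:space:]]*"[^"]*"' "$cfg" \
          | head -n 1 | sed 's/.*"\([^"]*\)"$/\1/' || true)
    [ -n "$b64" ] || return 1
    printf '%s' "$b64" | base64 -d
}

# Point config.json at the pass helper without sudo. An existing file may still
# hold the old base64 secret, so it is moved aside with owner-only permissions
# rather than overwritten in place or left world-readable.
# Usage: set_creds_store /path/to/config.json [helper-name]
set_creds_store() {
    cfg="$1"
    store="${2:-pass}"
    mkdir -p "$(dirname "$cfg")"
    if [ -f "$cfg" ]; then
        mv "$cfg" "$cfg.bak"
        chmod 600 "$cfg.bak"
        echo "moved existing $cfg to $cfg.bak (delete it once you have logged in again)"
    fi
    : > "$cfg"
    chmod 600 "$cfg"
    printf '{\n\t"credsStore": "%s"\n}\n' "$store" > "$cfg"
}

# Checks against the real tools; only meaningful on the configured machine.
verify_helper() {
    for tool in pass gpg docker-credential-pass; do
        command -v "$tool" >/dev/null 2>&1 || { echo "$tool not found on PATH" >&2; return 1; }
    done
    docker-credential-pass version       # helper is executable and on PATH
    docker-credential-pass list          # JSON map of registry URL -> username
    pass ls docker-credential-helpers    # the encrypted entries behind that list
}

# The real-system path runs only when invoked as: sh setup-check.sh verify
if [ "${1:-}" = "verify" ]; then
    cfg="$HOME/.docker/config.json"
    if [ -f "$cfg" ] && decode_docker_auth "$cfg" >/dev/null; then
        echo "$cfg still holds a base64 credential; run 'docker logout' first" >&2
        exit 1
    fi
    set_creds_store "$cfg" pass
    verify_helper
fi
```

After `docker login` succeeds, `docker-credential-pass list` should name the registry and username, and `pass ls docker-credential-helpers` should show one .gpg entry per registry plus the docker-pass-initialized-check sentinel; config.json itself contains no secret any more.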