[JIRA] [docker-commons-plugin] (JENKINS-28702) Clean up registry credentials
Title: Message Title Nicolas De Loof commented on JENKINS-28702 Re: Clean up registry credentials Docker 1.8 do support DOCKER_CONFIG that plugin should use so it can have distinct config dir per build, and fully delete it after build completion. Main issue I can see is KeyMaterialFactory usage. API is designed to 1.create 2.contextualize 3.materialize, which would be OK. But usage actually do run 1+2 together (1), which prevent combining KeyMaterialFactory using KeyMaterialFactory.plus() with a shared context. Changing this would require some incompatible API changes afaik. (1) https://github.com/jenkinsci/docker-commons-plugin/blob/master/src/main/java/org/jenkinsci/plugins/docker/commons/credentials/DockerServerEndpoint.java#L142 Add Comment This message was sent by Atlassian JIRA (v6.4.2#64017-sha1:e244265) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] [docker-commons-plugin] (JENKINS-28702) Clean up registry credentials
Title: Message Title Jesse Glick created an issue Jenkins / JENKINS-28702 Clean up registry credentials Issue Type: Bug Assignee: Unassigned Components: docker-commons-plugin Created: 02/Jun/15 8:50 PM Labels: security Priority: Major Reporter: Jesse Glick Currently DockerRegistryToken makes no attempt to log you out when KeyMaterial.close is called. This makes it inappropriate for environments in which access to the registry credentials must be tightly controlled. The problem is that ~/.dockercfg must be used to store the login globally for the user (typically, one slave agent), so if there are multiple executors on the slave, one log out while another is still using the login. If https://github.com/docker/docker/issues/10318 or similar is implemented, that would be ideal, so that the authentication between executors does not clash. Otherwise, it might be possible to use reference-counting. TBD if docker login/logout would preserve other fields, or if a separate file would be needed. There are potential locking issues there.
