From 6c23ff484c84a175235e8f966273e6663af4c2f6 Mon Sep 17 00:00:00 2001
From: yy
Date: Thu, 21 May 2026 16:34:13 +0800
Subject: [PATCH] fix(v2): store registry credentials without nerdctl login

Replace nerdctl login with direct docker config credential storage to avoid HTTPS registry auth failures when WWW-Authenticate omits :443 on port 443.

Co-authored-by: Cursor
---
 v2/controller/internal/commit/commit.go | 12 +-----
 .../internal/commit/registry_auth.go | 40 +++++++++++++++++++
 2 files changed, 42 insertions(+), 10 deletions(-)
 create mode 100644 v2/controller/internal/commit/registry_auth.go

diff --git a/v2/controller/internal/commit/commit.go b/v2/controller/internal/commit/commit.go
index 8895b55..3d96e6c 100644
--- a/v2/controller/internal/commit/commit.go
+++ b/v2/controller/internal/commit/commit.go
@@ -21,7 +21,6 @@ import (
  "github.com/containerd/nerdctl/v2/pkg/api/types"
  "github.com/containerd/nerdctl/v2/pkg/cmd/container"
  "github.com/containerd/nerdctl/v2/pkg/cmd/image"
- "github.com/containerd/nerdctl/v2/pkg/cmd/login"
  "github.com/containerd/nerdctl/v2/pkg/containerutil"
  ncdefaults "github.com/containerd/nerdctl/v2/pkg/defaults"
  nerderrutil "github.com/containerd/nerdctl/v2/pkg/errutil"
@@ -104,15 +103,8 @@ func NewCommitter(
  var conn *grpc.ClientConn
  var err error
- // login to registry
- err = login.Login(context.Background(), types.LoginCommandOptions{
- GOptions: *newGlobalOptionConfigWithSnapshotter(snapshotter),
- ServerAddress: registryAddr,
- Username: registryUsername,
- Password: registryPassword,
- }, io.Discard)
- if err != nil {
- return nil, err
+ if err := registerRegistryCredentials(registryAddr, registryUsername, registryPassword); err != nil {
+ return nil, fmt.Errorf("register registry credentials: %w", err)
  }
  // retry to connect
diff --git a/v2/controller/internal/commit/registry_auth.go b/v2/controller/internal/commit/registry_auth.go
new file mode 100644
index 0000000..b175773
--- /dev/null
+++ b/v2/controller/internal/commit/registry_auth.go
@@ -0,0 +1,40 @@
+package commit
+
+import (
+ "fmt"
+
+ "github.com/containerd/nerdctl/v2/pkg/imgutil/dockerconfigresolver"
+)
+
+// registerRegistryCredentials writes registry credentials to the nerdctl/docker config store.
+// nerdctl login fails for HTTPS registries on port 443 when the registry omits the port in
+// WWW-Authenticate (acArg host vs host:443 mismatch); storing credentials directly avoids that.
+func registerRegistryCredentials(registryAddr, username, password string) error {
+ registryURL, err := dockerconfigresolver.Parse(registryAddr)
+ if err != nil {
+ return err
+ }
+
+ credStore, err := dockerconfigresolver.NewCredentialsStore("")
+ if err != nil {
+ return err
+ }
+
+ credentials := &dockerconfigresolver.Credentials{
+ Username: username,
+ Password: password,
+ }
+ if err := credStore.Store(registryURL, credentials); err != nil {
+ return fmt.Errorf("save registry credentials: %w", err)
+ }
+
+ // Match nerdctl login: also store without explicit :443 for default HTTPS port.
+ if registryURL.Port() == dockerconfigresolver.StandardHTTPSPort {
+ registryURL.Host = registryURL.Hostname()
+ if err := credStore.Store(registryURL, credentials); err != nil {
+ return fmt.Errorf("save registry credentials (host without port): %w", err)
+ }
+ }
+
+ return nil
+}
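Review bot: registerRegistryCredentials persists whatever it is given without contacting the registry, so a wrong password, an empty username or password, or a mistyped address is written to the config store and only surfaces later at push time, whereas the removed login.Login call in NewCommitter appears to have failed at construction. At minimum reject incomplete input before the first Store call, e.g. `if username == "" || password == "" { return fmt.Errorf("registry credentials for %q are incomplete", registryAddr) }`, and wrap the Parse and NewCredentialsStore errors the same way the two Store errors are wrapped. The doc comment should also state where the secret ends up: the empty path passed to NewCredentialsStore presumably selects the default docker config location, and unless a credential helper is configured there the password sits in that file in recoverable form, so its ownership and mode on the controller host matter. The function only ever adds or overwrites entries (including the extra bare-host entry for port 443), so credentials for a previously configured registryAddr stay in the store until something else removes them.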