From 23e3edba50c21982f2ccfb67b088f8d4b39a682d Mon Sep 17 00:00:00 2001 From: Ina Panova Date: Tue, 22 Oct 2024 21:56:11 +0200 Subject: [PATCH] Adjust docs mentioning auth.d directory with drop-in files. --- docs/containers-auth.json.5.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/docs/containers-auth.json.5.md b/docs/containers-auth.json.5.md index 93910ce2f..b775e85af 100644 --- a/docs/containers-auth.json.5.md +++ b/docs/containers-auth.json.5.md 
@@ -9,17 +9,19 @@ A credentials file in JSON format used to authenticate against container image r The primary (read/write) per-user file is stored at `${XDG_RUNTIME_DIR}/containers/auth.json` on Linux; on Windows and macOS, at `$HOME/.config/containers/auth.json`. -There is also a system-global `/etc/containers/auth.json` path. When the current process is executing inside systemd as root, this path will be preferred. +There is also a system-global `/etc/containers/auth.json` path and `/etc/containers/auth.d/` directory with drop-in per-repo files. +When the current process is executing inside systemd as root, these paths will be preferred. +Drop-ins always have higher precedence than the configuration file they refer to. Drop-ins are sorted in the lexicographic order. The drop-ins that are later in this order have higher precedence. When running as a user and searching for the credential for a registry, the following files will be read in sequence until the valid credential is found: first reading the primary (read/write) file, or the explicit override using an option of the calling application. If credentials are not present, search in `${XDG_CONFIG_HOME}/containers/auth.json` (usually `~/.config/containers/auth.json`), `$HOME/.docker/config.json`, `$HOME/.dockercfg`. -If the current process is not running in systemd, but is running as root, the system-global `/etc/containers/auth.json` path will be read last. +If the current process is not running in systemd, but is running as root, the system-global `/etc/containers/auth.json` path and `/etc/containers/auth.d/` directory will be read last. Except the primary (read/write) file, other files are read-only, unless the user use an option of the calling application explicitly points at it as an override. -Note that the `/etc/containers/auth.json` file must not be readable by group or world (i.e. mode `044`), or a fatal error will occur. 
+Note that the `/etc/containers/auth.json` file and drop-in files from `/etc/containers/auth.d/` directory must not be readable by group or world (i.e. mode `044`), or a fatal error will occur. ## FORMAT
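Review bot: The added permissions sentence for drop-in files from `/etc/containers/auth.d/` carries over "(i.e. mode `044`)", which reads as the mode the files should have rather than the group/world read bits that must be clear, and it says nothing about the `auth.d/` directory itself. Because the new text gives later drop-ins higher precedence, write access to that directory determines which credential is used, so the expected ownership and mode of the directory deserve a sentence alongside the file requirement; the file requirement would be clearer stated as "no group or world read bits" with an example such as `0600`. In the precedence paragraph, the text only says "drop-in per-repo files": please state which file names are picked up as drop-ins and that the ordering is by file name, and change "sorted in the lexicographic order" to "sorted in lexicographic order". The user-mode search paragraph is unchanged in this hunk, so it is also unclear whether "these paths will be preferred" places `auth.d/` ahead of the primary per-user file when running inside systemd as root; a sentence spelling out that order would remove the ambiguity.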