Adjust docs mentioning auth.d directory with drop-in files.
ipanova committed Oct 23, 2024
1 parent 4bed32a commit e11c979
Showing 1 changed file with 5 additions and 3 deletions.
8 changes: 5 additions & 3 deletions docs/containers-auth.json.5.md
Expand Up @@ -9,17 +9,19 @@ A credentials file in JSON format used to authenticate against container image r
The primary (read/write) per-user file is stored at `${XDG_RUNTIME_DIR}/containers/auth.json` on Linux;
on Windows and macOS, at `$HOME/.config/containers/auth.json`.

There is also a system-global `/etc/containers/auth.json` path. When the current process is executing inside systemd as root, this path will be preferred.
There is also a system-global `/etc/containers/auth.json` path and `/etc/containers/auth.d/` directory with drop-in per-repo files.
When the current process is executing inside systemd as root, these paths will be preferred.
Drop-ins always have higher precedence than the configuration file they refer to. Drop-ins are sorted in the lexicographic order. The drop-ins that are later in this order have higher precedence.

When running as a user and searching for the credential for a registry, the following files will be read in sequence until the valid credential is found:
first reading the primary (read/write) file, or the explicit override using an option of the calling application.
If credentials are not present, search in `${XDG_CONFIG_HOME}/containers/auth.json` (usually `~/.config/containers/auth.json`), `$HOME/.docker/config.json`, `$HOME/.dockercfg`.

If the current process is not running in systemd, but is running as root, the system-global `/etc/containers/auth.json` path will be read last.
If the current process is not running in systemd, but is running as root, the system-global `/etc/containers/auth.json` path and `/etc/containers/auth.d/` directory will be read last.

Except the primary (read/write) file, other files are read-only, unless the user use an option of the calling application explicitly points at it as an override.

Note that the `/etc/containers/auth.json` file must not be readable by group or world (i.e. mode `044`), or a fatal error will occur.
Note that the `/etc/containers/auth.json` file and drop-in files from `/etc/containers/auth.d/` directory must not be readable by group or world (i.e. mode `044`), or a fatal error will occur.

## FORMAT

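Review bot: The added precedence sentences ("The drop-ins that are later in this order have higher precedence") are not reconciled with the search description two paragraphs below, which says files are "read in sequence until the valid credential is found". Please state whether drop-ins are consulted in reverse lexicographic order or merged before lookup, and where `/etc/containers/auth.d/` sits relative to `/etc/containers/auth.json` in the non-systemd root case, where both are only said to be "read last". "Per-repo files" is also the only description of a drop-in, so the required file name and contents are left undefined. In the final changed line, "(i.e. mode `044`)" carries over wording that reads as if `044` were the mode to set rather than the permission bits that must be clear. Since the sentence now also covers every drop-in, it is worth rephrasing, for example "must have none of the `044` bits set". That line also needs the article: "from the `/etc/containers/auth.d/` directory".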