Posting this here because I’m not sure if it’s appropriate for a bug report on GitHub. I’m putting this in the DockerEngine category since I think it’s more relevant to DockerEngine than docker-compose.

Some relevant information: I’m running Docker 18.09.6-ce and docker-compose 1.24.0 on Arch Linux, with the credential-helper-pass credential helper.

There are really two separate questions here:

1. Why does docker build ask for authentication even when not required?
   After setting up credentials so I could push my first image to Docker Hub, docker build now asks for a password any time I run it. However, the build proceeds normally if I click “cancel” on the password prompt. Clearly authentication is not required here (otherwise I would expect the build to fail after clicking “cancel”), does the Docker CLI always prompt for authentication just in case it ends up needing it later? I can see why this would be desirable (there’s nothing worse than starting what you expect to be a long-running process and coming back later to find out it stopped halfway through because it’s waiting for the user to enter their password), but it’s annoying and possibly detrimental to security - if Docker is always asking for my password even when not required, as someone new to Docker I have no idea when it’s actually talking to Docker Hub and possibly putting information in a publicly accessible location.

2. Why does docker-compose build fail when authentication fails?
   When I run docker-compose build and click “cancel” in the password prompt, docker-compose craps out and the build fails. This behavior differs from that of docker build, which succeeds when I close the authentication prompt. I’m not sure whether this behavior is a bug/oversight or a design decision.

I know this is a minor paper-cut, but ideally I’d like a configuration option for Docker that tells it only to prompt for a password if needed (i.e. if it fails to find an image, it authenticates and tries again just in case the image is private). Additionally, I’d like docker-compose to more gracefully handle a cancelled authentication attempt. I’m willing to put in work to make these things happen, but I want to see what the community thinks first.