docker-pull: support pulling private images via ~/.docker/config.json

[aleshorvat]

Summary

Community app store apps that use private container registry images (e.g. ghcr.io) currently fail to install with a 401 Unauthorized error. The pull() function in docker-pull.ts uses Dockerode without authentication, so private images cannot be pulled even when the host has valid credentials stored in ~/.docker/config.json.

Root cause

docker.pull(image, callback) calls the Docker Engine API directly via Dockerode without passing auth credentials. The Docker CLI reads ~/.docker/config.json automatically, but Dockerode does not — it must be given an explicit authconfig object.

umbreld runs as root, so credentials stored via docker login land in /root/.docker/config.json. Dockerode never reads this file, so all pulls of private images fail regardless of whether the user has logged in on the host.

Fix

Before calling docker.pull(), read /root/.docker/config.json and extract the credentials for the target registry. Pass them as authconfig to docker.pull(). If the file is missing, the registry entry is absent, or any error occurs, the pull proceeds unauthenticated — no regression for public images.

Registry detection logic:

• If the first path segment of the image contains . or : (e.g. ghcr.io, registry.example.com:5000) → use it as the registry key
• Otherwise → fall back to Docker Hub (https://index.docker.io/v1/)

Current limitation

Private registry images cannot be pulled through the Umbrel UI even when the host has valid credentials. To observe this:

1. Log in to a private registry on the Umbrel host:

echo <token> | sudo docker login ghcr.io -u <username> --password-stdin

2. Add a community app store whose app uses a private image (e.g. ghcr.io/owner/app:latest)
3. Attempt to install the app from the Umbrel UI
4. Install fails with Error: (HTTP code 401) unexpected - unauthorized

Despite the host having valid credentials, umbreld's Dockerode-based pull sends no auth headers to the registry.

How to configure credentials on the Umbrel host

SSH into the Umbrel device and log in to the private registry once:

echo <your_token> | sudo docker login ghcr.io -u <your_username> --password-stdin

This writes credentials to /root/.docker/config.json (umbreld runs as root). After that, any community app using a private image from that registry will install without further configuration.

Notes

• fs-extra is already a dependency of umbreld — no new packages required
• Falls back silently to unauthenticated pull if config is missing or registry has no entry
• Tested on UmbrelOS 1.x with private ghcr.io images
• Only the pull() function is changed — pullAll() is unaffected as it delegates to pull()

Changed file

packages/umbreld/source/modules/utilities/docker-pull.ts