Proposal: Add Registry Authentication Support for Private Registries

[cuiyuebing]

Currently, BoxLite only supports anonymous authentication (RegistryAuth::Anonymous) when pulling OCI images. This prevents users from pulling images from private registries that require authentication.

This is a significant limitation in the following scenarios:
Private Container Registries: Organizations using private registries (Alibaba Cloud ACR, AWS ECR, Google GCR, Azure ACR, Harbor, JFrog Artifactory) cannot use BoxLite to pull their images.
Enterprise Environments: Many enterprises require authentication for all registry access, even for pulling public images.
Security Compliance: Some organizations mandate authenticated pulls for audit trails and access control.

Proposed design: The simplest and most user-friendly approach is to read credentials from Docker's configuration file ~/.docker/config.json

[uran0sH]

Boxlite doesn't use Docker to pull images, so I think that a better approach is to read ~/.boxlite/config.json and configure it in the program directly, like #130

[DorianZheng]

Currently, BoxLite only supports anonymous authentication (RegistryAuth::Anonymous) when pulling OCI images. This prevents users from pulling images from private registries that require authentication.

This is a significant limitation in the following scenarios: Private Container Registries: Organizations using private registries (Alibaba Cloud ACR, AWS ECR, Google GCR, Azure ACR, Harbor, JFrog Artifactory) cannot use BoxLite to pull their images. Enterprise Environments: Many enterprises require authentication for all registry access, even for pulling public images. Security Compliance: Some organizations mandate authenticated pulls for audit trails and access control.

Proposed designe: The simplest and most user-friendly approach is to read credentials from Docker's configuration file ~/.docker/config.json

@cuiyuebing It's in the plan

[warjiang]

Currently, BoxLite only supports anonymous authentication (RegistryAuth::Anonymous) when pulling OCI images. This prevents users from pulling images from private registries that require authentication.
This is a significant limitation in the following scenarios: Private Container Registries: Organizations using private registries (Alibaba Cloud ACR, AWS ECR, Google GCR, Azure ACR, Harbor, JFrog Artifactory) cannot use BoxLite to pull their images. Enterprise Environments: Many enterprises require authentication for all registry access, even for pulling public images. Security Compliance: Some organizations mandate authenticated pulls for audit trails and access control.
Proposed designe: The simplest and most user-friendly approach is to read credentials from Docker's configuration file ~/.docker/config.json

@cuiyuebing It's in the plan

looking forward for this feature.
btw, I found one problem when running with private registry, here is my code snippet:

import { SimpleBox, JsBoxlite } from '@boxlite-ai/boxlite';

async function main() {
    const runtime = new JsBoxlite({
        imageRegistries: ['private.registry.com']
    });
    const box = new SimpleBox({ 
        image: 'private.registry.com/ns/python:3.9-alpine',
        runtime: runtime,
    });

    try {
        const result = await box.exec('echo', 'Hello from BoxLite!');
        console.log(result.stdout);  // Hello from BoxLite!
    } finally {
        await box.stop();
    }
}

main().catch((error) => {
    console.error('Error:', error);
});

when execute with bun, it turned out

[DorianZheng]

Currently, BoxLite only supports anonymous authentication (RegistryAuth::Anonymous) when pulling OCI images. This prevents users from pulling images from private registries that require authentication.
This is a significant limitation in the following scenarios: Private Container Registries: Organizations using private registries (Alibaba Cloud ACR, AWS ECR, Google GCR, Azure ACR, Harbor, JFrog Artifactory) cannot use BoxLite to pull their images. Enterprise Environments: Many enterprises require authentication for all registry access, even for pulling public images. Security Compliance: Some organizations mandate authenticated pulls for audit trails and access control.
Proposed designe: The simplest and most user-friendly approach is to read credentials from Docker's configuration file ~/.docker/config.json

@cuiyuebing It's in the plan

looking forward for this feature. btw, I found one problem when running with private registry, here is my code snippet:

import { SimpleBox, JsBoxlite } from '@boxlite-ai/boxlite';

async function main() {
const runtime = new JsBoxlite({
imageRegistries: ['private.registry.com']
});
const box = new SimpleBox({
image: 'private.registry.com/ns/python:3.9-alpine',
runtime: runtime,
});

try {
    const result = await box.exec('echo', 'Hello from BoxLite!');
    console.log(result.stdout);  // Hello from BoxLite!
} finally {
    await box.stop();
}

}

main().catch((error) => {
console.error('Error:', error);
});
when execute with bun, it turned out

@warjiang I find the root cause, will fix it and release tonight

[yingjunwu]

Triage: Legitimate feature request — P1, Medium difficulty (serious gap)

Confirmed: images/store.rs hardcodes RegistryAuth::Anonymous in both pull_manifest() calls (lines 506, 620). No support for ~/.docker/config.json or any credential mechanism.

This is a serious gap — blocks enterprise adoption entirely. Any org with private registries (ECR, GCR, ACR, Harbor, Artifactory) cannot use BoxLite.

What's needed:

1. Parse ~/.docker/config.json for stored credentials
2. Support RegistryAuth::Basic(username, password) from oci-client
3. Handle credential helpers (docker-credential-*) for cloud registries
4. Pass auth through to pull_manifest() and layer download calls

Who: Doesn't require deep boxlite internals — the oci-client crate already supports RegistryAuth::Basic. Main work is Docker config parsing (well-documented format). A solid contributor can do this.

Priority rationale: This is the highest-value feature request because it directly blocks paying enterprise users.