microsoft · kvega005 · Apr 13, 2026 · Apr 6, 2026 · Apr 6, 2026 · Apr 6, 2026
@@ -21,7 +21,7 @@
   <package id="Microsoft.WSL.DeviceHost" version="1.2.10-0" />
   <package id="Microsoft.WSL.Kernel" version="6.6.114.1-1" targetFramework="native" />
   <package id="Microsoft.WSL.LinuxSdk" version="1.20.0" targetFramework="native" />
-  <package id="Microsoft.WSL.TestData" version="0.3.0" />
+  <package id="Microsoft.WSL.TestData" version="0.4.0" />
   <package id="Microsoft.WSL.TestDistro" version="2.7.1-1" />
   <package id="Microsoft.WSLg" version="1.0.76" />
   <package id="Microsoft.Xaml.Behaviors.WinUI.Managed" version="3.0.0" />

diff --git a/src/windows/common/CMakeLists.txt b/src/windows/common/CMakeLists.txt
@@ -35,6 +35,8 @@ set(SOURCES
     SubProcess.cpp
     svccomm.cpp
     WSLCContainerLauncher.cpp
+    WSLCLocalRegistry.cpp
+    WslcCredentialStore.cpp
     VirtioNetworking.cpp
     WSLCProcessLauncher.cpp
     WslClient.cpp
@@ -116,6 +118,8 @@ set(HEADERS
     SubProcess.h
     svccomm.hpp
     WSLCContainerLauncher.h
+    WSLCLocalRegistry.h
+    WslcCredentialStore.h
     VirtioNetworking.h
     WSLCProcessLauncher.h
     WslClient.h

@@ -79,6 +79,7 @@ class WSLCContainerLauncher : private WSLCProcessLauncher
     void SetDnsSearchDomains(std::vector<std::string>&& DnsSearchDomains);
     void SetDnsOptions(std::vector<std::string>&& DnsOptions);
 
+    using WSLCProcessLauncher::FormatResult;
     using WSLCProcessLauncher::SetUser;
     using WSLCProcessLauncher::SetWorkingDirectory;
 

diff --git a/src/windows/common/WSLCLocalRegistry.cpp b/src/windows/common/WSLCLocalRegistry.cpp
@@ -0,0 +1,67 @@
+/*++
+
+Copyright (c) Microsoft. All rights reserved.
+
+Module Name:
+
+    WSLCLocalRegistry.cpp
+
+Abstract:
+
+    Implementation of WSLCLocalRegistry.
+
+--*/
+#include "WSLCLocalRegistry.h"
+
+using wsl::windows::common::RunningWSLCContainer;
+using wsl::windows::common::WSLCContainerLauncher;
+using wsl::windows::common::WSLCLocalRegistry;
+
+namespace {
+
+constexpr auto c_registryImage = "wslc-registry:latest";
+
+std::vector<std::string> BuildRegistryEnv(const std::string& username, const std::string& password, USHORT port)
+{
+    std::vector<std::string> env = {
+        std::format("REGISTRY_HTTP_ADDR=0.0.0.0:{}", port),
+    };
+
+    if (!username.empty())
+    {
+        env.push_back(std::format("USERNAME={}", username));
+        env.push_back(std::format("PASSWORD={}", password));
+    }
+
+    return env;
+}
+
+} // namespace
+
+WSLCLocalRegistry::WSLCLocalRegistry(
+    IWSLCSession& session, RunningWSLCContainer&& container, std::string&& username, std::string&& password, std::string&& serverAddress) :
+    m_session(wil::com_ptr<IWSLCSession>(&session)),
+    m_username(std::move(username)),
+    m_password(std::move(password)),
+    m_serverAddress(std::move(serverAddress)),
+    m_container(std::move(container))
+{
+}
+
+WSLCLocalRegistry::~WSLCLocalRegistry()
+{
+    // Delete the container first while the session is still active.
+    m_container.Reset();
+}
+
+WSLCLocalRegistry WSLCLocalRegistry::Start(IWSLCSession& session, const std::string& username, const std::string& password, USHORT port)
+{
+    auto env = BuildRegistryEnv(username, password, port);
+
+    WSLCContainerLauncher launcher(c_registryImage, {}, {}, env);
+    launcher.SetEntrypoint({"/entrypoint.sh"});
+    launcher.AddPort(port, port, AF_INET);
+
+    auto container = launcher.Launch(session, WSLCContainerStartFlagsNone);
+    return WSLCLocalRegistry(session, std::move(container), std::string(username), std::string(password), std::format("127.0.0.1:{}", port));
+}
diff --git a/src/windows/common/WSLCLocalRegistry.h b/src/windows/common/WSLCLocalRegistry.h
@@ -0,0 +1,53 @@
+/*++
+
+Copyright (c) Microsoft. All rights reserved.
+
+Module Name:
+
+    WSLCLocalRegistry.h
+
+Abstract:
+
+    Helper class that starts a local Docker registry:3 container inside a WSLC
+    session, optionally configured with htpasswd basic authentication.  Intended
+    for use in both unit tests and E2E tests that need a private registry without
+    an external dependency.
+
+--*/
+
+#pragma once
+#include "WSLCContainerLauncher.h"
+#include "WslcCredentialStore.h"
+
+namespace wsl::windows::common {
+
+class WSLCLocalRegistry
+{
+public:
+    NON_COPYABLE(WSLCLocalRegistry);
+    DEFAULT_MOVABLE(WSLCLocalRegistry);
+    ~WSLCLocalRegistry();
+
+    static WSLCLocalRegistry Start(IWSLCSession& Session, const std::string& Username = {}, const std::string& Password = {}, USHORT Port = 5000);
+
+    std::string GetServerAddress()
+    {
+        return m_serverAddress;
+    }
+
+    std::string GetAuthHeader()
+    {
+        return BuildRegistryAuthHeader(m_username, m_password, m_serverAddress);
+    }
+
+private:
+    WSLCLocalRegistry(IWSLCSession& session, RunningWSLCContainer&& container, std::string&& username, std::string&& password, std::string&& serverAddress);
+
+    wil::com_ptr<IWSLCSession> m_session;
+    std::string m_serverAddress;
+    std::string m_username;
+    std::string m_password;
+    RunningWSLCContainer m_container;
+};
+
+} // namespace wsl::windows::common
diff --git a/src/windows/common/WslcCredentialStore.cpp b/src/windows/common/WslcCredentialStore.cpp
@@ -0,0 +1,52 @@
+/*++
+
+Copyright (c) Microsoft. All rights reserved.
+
+Module Name:
+
+    WslcCredentialStore.cpp
+
+Abstract:
+
+    Implementation of credential store helpers.
+
+--*/
+
+#include "WslcCredentialStore.h"
+#include <nlohmann/json.hpp>
+#include <wincrypt.h>
+
+namespace {
+
+std::string Base64Encode(const std::string& input)
+{
+    DWORD base64Size = 0;
+    THROW_IF_WIN32_BOOL_FALSE(CryptBinaryToStringA(
+        reinterpret_cast<const BYTE*>(input.c_str()), static_cast<DWORD>(input.size()), CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF, nullptr, &base64Size));
+
+    auto buffer = std::make_unique<char[]>(base64Size);
+    THROW_IF_WIN32_BOOL_FALSE(CryptBinaryToStringA(
+        reinterpret_cast<const BYTE*>(input.c_str()),
+        static_cast<DWORD>(input.size()),
+        CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF,
+        buffer.get(),
+        &base64Size));
+
+    return std::string(buffer.get());
+}
+
+} // namespace
+
+std::string wsl::windows::common::BuildRegistryAuthHeader(const std::string& username, const std::string& password, const std::string& serverAddress)
+{
+    nlohmann::json authJson = {{"username", username}, {"password", password}, {"serveraddress", serverAddress}};
+
+    return Base64Encode(authJson.dump());
+}
+
+std::string wsl::windows::common::BuildRegistryAuthHeader(const std::string& identityToken, const std::string& serverAddress)
+{
+    nlohmann::json authJson = {{"identitytoken", identityToken}, {"serveraddress", serverAddress}};
+
+    return Base64Encode(authJson.dump());
+}
diff --git a/src/windows/common/WslcCredentialStore.h b/src/windows/common/WslcCredentialStore.h
@@ -0,0 +1,30 @@
+/*++
+
+Copyright (c) Microsoft. All rights reserved.
+
+Module Name:
+
+    WslcCredentialStore.h
+
+Abstract:
+
+    Helpers for building Docker/OCI registry credential payloads.
+
+--*/
+
+#pragma once
+#include <string>
+
+namespace wsl::windows::common {
+
+// Builds the base64-encoded X-Registry-Auth header value used by Docker APIs
+// (PullImage, PushImage, etc.) from the given credentials.
+std::string BuildRegistryAuthHeader(const std::string& username, const std::string& password, const std::string& serverAddress);
+
+// Builds the base64-encoded X-Registry-Auth header value from an identity token
+// returned by Authenticate().
+std::string BuildRegistryAuthHeader(const std::string& identityToken, const std::string& serverAddress);
+
+// TODO: Implement credential storage using WinCred
+
+} // namespace wsl::windows::common
@@ -48,6 +48,25 @@ struct EmptyRequest
     using TResponse = void;
 };
 
+struct AuthRequest
+{
+    using TResponse = struct AuthResponse;
+
+    std::string username;
+    std::string password;
+    std::string serveraddress;
+
+    NLOHMANN_DEFINE_TYPE_INTRUSIVE(AuthRequest, username, password, serveraddress);
+};
+
+struct AuthResponse
+{
+    std::string Status;
+    std::optional<std::string> IdentityToken;
+
+    NLOHMANN_DEFINE_TYPE_INTRUSIVE_WITH_DEFAULT(AuthResponse, Status, IdentityToken);
+};
+
 struct CreateVolume
 {
     using TResponse = void;

@@ -614,7 +614,9 @@ interface IWSLCSession : IUnknown
     HRESULT ListImages([in, unique] const WSLCListImageOptions* Options, [out, size_is(, *Count)] WSLCImageInformation** Images, [out] ULONG* Count);
     HRESULT DeleteImage([in] const WSLCDeleteImageOptions* Options, [out, size_is(, *Count)] WSLCDeletedImageInformation** DeletedImages, [out] ULONG* Count);
     HRESULT TagImage([in] const WSLCTagImageOptions* Options);
+    HRESULT PushImage([in] LPCSTR Image, [in] LPCSTR RegistryAuthenticationInformation, [in, unique] IProgressCallback* ProgressCallback);
     HRESULT InspectImage([in] LPCSTR ImageNameOrId, [out] LPSTR* Output);
+    HRESULT Authenticate([in] LPCSTR ServerAddress, [in] LPCSTR Username, [in] LPCSTR Password, [out] LPSTR* IdentityToken);
 
     // Container management.
     HRESULT CreateContainer([in] const WSLCContainerOptions* Options, [out] IWSLCContainer** Container);

@@ -118,7 +118,8 @@ DockerHTTPClient::DockerHTTPClient(wsl::shared::SocketChannel&& Channel, HANDLE
 {
 }
 
-std::unique_ptr<DockerHTTPClient::HTTPRequestContext> DockerHTTPClient::PullImage(const std::string& Repo, const std::optional<std::string>& tagOrDigest)
+std::unique_ptr<DockerHTTPClient::HTTPRequestContext> DockerHTTPClient::PullImage(
+    const std::string& Repo, const std::optional<std::string>& tagOrDigest, const std::optional<std::string>& registryAuth)
 {
     auto url = URL::Create("/images/create");
 
@@ -131,7 +132,14 @@ std::unique_ptr<DockerHTTPClient::HTTPRequestContext> DockerHTTPClient::PullImag
         url.SetParameter("tag", tagOrDigest.value());
     }
 
-    return SendRequestImpl(verb::post, url, {}, {});
+    std::map<std::string, std::string> customHeaders;
+
+    if (registryAuth.has_value())
+    {
+        customHeaders["X-Registry-Auth"] = registryAuth.value();
+    }
+
+    return SendRequestImpl(verb::post, url, {}, {}, customHeaders);
 }
 
 std::unique_ptr<DockerHTTPClient::HTTPRequestContext> DockerHTTPClient::LoadImage(uint64_t ContentLength)
@@ -163,6 +171,28 @@ void DockerHTTPClient::TagImage(const std::string& Id, const std::string& Repo,
     Transaction<docker_schema::EmptyRequest>(verb::post, url);
 }
 
+std::unique_ptr<DockerHTTPClient::HTTPRequestContext> DockerHTTPClient::PushImage(
+    const std::string& ImageName, const std::optional<std::string>& tag, const std::string& registryAuth)
+{
+    auto url = URL::Create("/images/{}/push", ImageName);
+
+    if (tag.has_value())
+    {
+        url.SetParameter("tag", tag.value());
+    }
+
+    std::map<std::string, std::string> customHeaders = {{"X-Registry-Auth", registryAuth}};
+    return SendRequestImpl(verb::post, url, {}, {}, customHeaders);
+}
+
+std::string DockerHTTPClient::Authenticate(const std::string& serverAddress, const std::string& username, const std::string& password)
+{
+    auto response = Transaction<docker_schema::AuthRequest>(
+        verb::post, URL::Create("/auth"), {.username = username, .password = password, .serveraddress = serverAddress});
+
+    return response.IdentityToken.value_or("");
+}
+
 std::vector<docker_schema::Image> DockerHTTPClient::ListImages(bool all, bool digests, const ListImagesFilters& filters)
 {
     auto url = URL::Create("/images/json");
@@ -632,7 +662,11 @@ void DockerHTTPClient::DockerHttpResponseHandle::OnResponseBytes(const gsl::span
 }
 
 std::unique_ptr<DockerHTTPClient::HTTPRequestContext> DockerHTTPClient::SendRequestImpl(
-    verb Method, const URL& Url, const std::string& Body, const std::map<boost::beast::http::field, std::string>& Headers)
+    verb Method,
+    const URL& Url,
+    const std::string& Body,
+    const std::map<boost::beast::http::field, std::string>& Headers,
+    const std::map<std::string, std::string>& CustomHeaders)
 {
     auto context = std::make_unique<DockerHTTPClient::HTTPRequestContext>(ConnectSocket());
 
@@ -650,11 +684,16 @@ std::unique_ptr<DockerHTTPClient::HTTPRequestContext> DockerHTTPClient::SendRequ
     req.set(http::field::connection, "close");
     req.set(http::field::accept, "application/json");
 
-    for (const auto [field, value] : Headers)
+    for (const auto& [field, value] : Headers)
     {
         req.set(field, value);
     }
 
+    for (const auto& [name, value] : CustomHeaders)
+    {
+        req.set(name, value);
+    }
+
     http::write(context->stream, req);
 
 #ifdef WSLC_HTTP_DEBUG

@@ -151,10 +151,13 @@ class DockerHTTPClient
         std::vector<std::string> labels;
     };
 
-    std::unique_ptr<HTTPRequestContext> PullImage(const std::string& Repo, const std::optional<std::string>& tagOrDigest);
+    std::unique_ptr<HTTPRequestContext> PullImage(
+        const std::string& Repo, const std::optional<std::string>& tagOrDigest, const std::optional<std::string>& registryAuth = std::nullopt);
     std::unique_ptr<HTTPRequestContext> ImportImage(const std::string& Repo, const std::string& Tag, uint64_t ContentLength);
     std::unique_ptr<HTTPRequestContext> LoadImage(uint64_t ContentLength);
     void TagImage(const std::string& Id, const std::string& Repo, const std::string& Tag);
+    std::unique_ptr<HTTPRequestContext> PushImage(const std::string& ImageName, const std::optional<std::string>& tag, const std::string& registryAuth);
+    std::string Authenticate(const std::string& serverAddress, const std::string& username, const std::string& password);
     std::vector<common::docker_schema::Image> ListImages(bool all = false, bool digests = false, const ListImagesFilters& filters = {});
     common::docker_schema::InspectImage InspectImage(const std::string& NameOrId);
     std::vector<common::docker_schema::DeletedImage> DeleteImage(const char* Image, bool Force, bool NoPrune); // Image can be ID or Repo:Tag.
@@ -224,7 +227,11 @@ class DockerHTTPClient
     wil::unique_socket ConnectSocket();
 
     std::unique_ptr<HTTPRequestContext> SendRequestImpl(
-        boost::beast::http::verb Method, const URL& Url, const std::string& Body, const std::map<boost::beast::http::field, std::string>& Headers);
+        boost::beast::http::verb Method,
+        const URL& Url,
+        const std::string& Body,
+        const std::map<boost::beast::http::field, std::string>& Headers = {},
+        const std::map<std::string, std::string>& CustomHeaders = {});
 
     std::pair<HTTPResponse, std::string> SendRequestAndReadResponse(
         boost::beast::http::verb Method, const URL& Url, const std::string& Body = "");