Need a way to specify custom directories for rhsm configuration #186

@parthaa

Patch moby#6075 adds support to docker to specify "secret" files to be injected in a container. As of today's Atomic Hosts, when one does docker run -it registry.access.redhat.com/rhel7, the secrets files are copied over and injected into the container from /usr/share/rhel/secrets. This enables subscription manager to run inside containers as desired.

On the atomic host we see the following:

$ ls -al /usr/share/rhel/secrets/
lrwxrwxrwx. 1 root root 20 Jul 28 01:00 etc-pki-entitlement -> /etc/pki/entitlement          
lrwxrwxrwx. 1 root root 28 Jul 28 01:00 rhel7.repo -> /etc/yum.repos.d/redhat.repo           
lrwxrwxrwx. 1 root root  9 Jul 28 01:00 rhsm -> /etc/rhsm                                    

So consider the case where you want the /etc/rhsm on the host to be different from the /etc/rhsm inside the container. It could be something basic like "the rhsm base url for yum repos is different from base url for atomic ostree repos" OR "we want to use different entitlement models and hide access to certain repos on hosts vs containers". The above configuration will make it impossible to change that because /usr/share/rhel/secrets/rhsm is a read-only link. The symlink there cannot be redirected.
The /etc/rhsm conf symlinked above specifically points to the host's rhsm conf. We cannot have separate configurations for hosts and containers.

In short we need something like this

$ ls -al /usr/share/rhel/secrets/
lrwxrwxrwx. 1 root root 20 Jul 28 01:00 etc-pki-entitlement -> /etc/pki/entitlement-latest          
lrwxrwxrwx. 1 root root 28 Jul 28 01:00 rhel7.repo -> /etc/yum.repos.d/redhat-latest.repo           
lrwxrwxrwx. 1 root root  9 Jul 28 01:00 rhsm -> /etc/rhsm-latest

$ ls -al /etc/pki/entitlement-latest
entitlement-latest -> entitlements

$ ls -al /etc/rhsm-latest
rhsm-latest -> rhsm

$ ls -al /etc/yum.repos.d/redhat-latest.repo
redhat-latest.repo -> redhat.repo                                   

What this would enable is for one to change what /etc/rhsm-latest points to and specify an alternate configuration for the container while preserving the default behavior when desired.
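The two-hop layout requested above, as an added example that is not part of the original issue or of any project's code: it builds the layout under a scratch root, repoints /etc/rhsm-latest, and counts secrets entries still pinned directly to host config. The function names, the scratch root and the alternate directory rhsm-container are assumptions made for illustration, and the links are relative (the issue shows absolute targets) so that nothing resolves outside the scratch root.

```shell
#!/bin/sh
# Added example. All paths live under a scratch ROOT (constructed), never the real host.

# build_layout ROOT: create the proposed two-hop symlink layout under ROOT.
build_layout() {
    s="$1/usr/share/rhel/secrets"
    mkdir -p "$1/etc/rhsm" "$1/etc/rhsm-container" "$1/etc/pki/entitlement" \
             "$1/etc/yum.repos.d" "$s"
    : > "$1/etc/yum.repos.d/redhat.repo"
    # Hop 2: "-latest" links in writable /etc, defaulting to the host config.
    ln -sfn rhsm        "$1/etc/rhsm-latest"
    ln -sfn entitlement "$1/etc/pki/entitlement-latest"
    ln -sfn redhat.repo "$1/etc/yum.repos.d/redhat-latest.repo"
    # Hop 1: fixed links in the read-only secrets directory (relative so that
    # they stay inside ROOT; the issue shows absolute targets).
    ln -sfn ../../../../etc/rhsm-latest "$s/rhsm"
    ln -sfn ../../../../etc/pki/entitlement-latest "$s/etc-pki-entitlement"
    ln -sfn ../../../../etc/yum.repos.d/redhat-latest.repo "$s/rhel7.repo"
}

# resolve_secret ROOT NAME: print where secrets entry NAME finally lands.
resolve_secret() { readlink -f "$1/usr/share/rhel/secrets/$2"; }

# retarget_rhsm ROOT DIR: repoint /etc/rhsm-latest at DIR (relative to /etc).
# rhsm-container below is a hypothetical alternate config directory.
retarget_rhsm() { ln -sfn "$2" "$1/etc/rhsm-latest"; }

# count_hardwired ROOT: count secrets entries whose first hop is not a
# "-latest" link, i.e. entries still pinned to the host's own config.
count_hardwired() {
    n=0
    for e in "$1"/usr/share/rhel/secrets/*; do
        [ -L "$e" ] || continue
        case $(readlink "$e") in
            *-latest|*-latest.repo) ;;
            *) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

demo=$(mktemp -d)
build_layout "$demo"
echo "default:    $(resolve_secret "$demo" rhsm)"
retarget_rhsm "$demo" rhsm-container
echo "retargeted: $(resolve_secret "$demo" rhsm)"
echo "hard-wired entries: $(count_hardwired "$demo")"
rm -rf "$demo"
```

Because whatever the final target holds is what gets copied into containers, write access to the `-latest` links decides which host files a container receives.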
