
Need a way to specify custom directories for rhsm configuration

Open parthaa opened this issue 8 years ago • 8 comments

Patch https://github.com/docker/docker/pull/6075 adds support to docker to specify "secret" files to be injected in a container. As of today's Atomic Hosts when one does docker run -it registry.access.redhat.com/rhel7 the secrets files are copied over and injected into the container from /usr/share/rhel/secrets. This enables subscription manager to run inside containers as desired.

On the atomic host we see the following

$ ls -al /usr/share/rhel/secrets/
lrwxrwxrwx. 1 root root 20 Jul 28 01:00 etc-pki-entitlement -> /etc/pki/entitlement          
lrwxrwxrwx. 1 root root 28 Jul 28 01:00 rhel7.repo -> /etc/yum.repos.d/redhat.repo           
lrwxrwxrwx. 1 root root  9 Jul 28 01:00 rhsm -> /etc/rhsm                                    

So consider the case where you want the /etc/rhsm on the host to be different from the /etc/rhsm inside the container. It could be something basic like "the rhsm base url for yum repos is different from base url for atomic ostree repos" OR "we want to use different entitlement models and hide access to certain repos on hosts vs containers". The above configuration will make it impossible to change that because /usr/share/rhel/secrets/rhsm is a read-only link. The symlink there cannot be redirected. The /etc/rhsm conf symlinked above specifically points to the host's rhsm conf. We cannot have separate configurations for hosts and containers.

In short we need something like this

$ ls -al /usr/share/rhel/secrets/
lrwxrwxrwx. 1 root root 20 Jul 28 01:00 etc-pki-entitlement -> /etc/pki/entitlement-latest          
lrwxrwxrwx. 1 root root 28 Jul 28 01:00 rhel7.repo -> /etc/yum.repos.d/redhat-latest.repo           
lrwxrwxrwx. 1 root root  9 Jul 28 01:00 rhsm -> /etc/rhsm-latest

$ ls -al /etc/pki/entitlement-latest
entitlement-latest -> entitlements

$ ls -al /etc/rhsm-latest
rhsm-latest -> rhsm

$ ls -al /etc/yum.repos.d/redhat-latest.repo
redhat-latest.repo -> redhat.repo                                   

What this would enable is for one to change what /etc/rhsm-latest points to and specify an alternate configuration for the container while preserving the default behavior when desired.

parthaa Aug 22 '16 22:08

I would think having it point to /etc/rhsm-containers would be better than latest.
Have you tried this out and does it work?

rhatdan Aug 23 '16 10:08

How about enhancing the secrets patch to look in both /usr/share/rhel/secrets and /etc/docker/rhel/secrets; the latter overrides the former?

Then all you'd need to do is ln -sr /etc/rhsm-container /etc/docker/rhel/secrets, right?

cgwalters Aug 23 '16 11:08

I am fine with this although I would prefer something generic like /etc/container/rhel/secrets.

rhatdan Aug 23 '16 11:08

/etc/container/rhel/secrets.

+1

runcom Aug 23 '16 11:08

@rhatdan @cgwalters both suggestions are good and will work for me.

parthaa Aug 23 '16 14:08

@runcom can you modify the secrets patch to handle this?

rhatdan Aug 23 '16 22:08

@rhatdan sure I can

runcom Aug 23 '16 23:08

@runcom, can this be closed?

dustymabe Jan 11 '17 03:01
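
The lookup order proposed in the thread (a default secrets directory plus an override directory whose entries win), sketched as an added example; it is not the secrets patch and not code from any participant. The function names and the sandbox tree are assumptions made here, while /etc/container/rhel/secrets and /etc/rhsm-container are the names suggested in the comments.

```shell
#!/bin/sh
# Added example: not docker's code. Directory roles follow the thread; the
# function names and the sandbox layout are constructed for illustration.

# effective_secrets DEFAULT_DIR OVERRIDE_DIR
# Prints "name<TAB>resolved target" per secret, sorted by name. An entry in
# OVERRIDE_DIR replaces the entry of the same name in DEFAULT_DIR.
effective_secrets() {
    default_dir=$1
    override_dir=$2
    # Walk the override directory first so awk keeps its entry on a collision.
    for dir in "$override_dir" "$default_dir"; do
        [ -d "$dir" ] || continue
        for entry in "$dir"/*; do
            # Skip the literal "*" of an empty directory; keep dangling links.
            [ -e "$entry" ] || [ -L "$entry" ] || continue
            name=${entry##*/}
            # Resolve the link chain so the real host path is visible.
            target=$(readlink -f "$entry" 2>/dev/null) || target="(unresolvable)"
            printf '%s\t%s\n' "$name" "$target"
        done
    done | awk -F '\t' '!seen[$1]++' | sort
}

# Build a throwaway tree that mirrors the layout discussed in the thread.
demo() {
    root=$(cd "$(mktemp -d)" && pwd -P)
    defaults=$root/usr/share/rhel/secrets
    overrides=$root/etc/container/rhel/secrets
    mkdir -p "$root/etc/rhsm" "$root/etc/rhsm-container" \
        "$root/etc/pki/entitlement" "$defaults" "$overrides"
    ln -s "$root/etc/rhsm" "$defaults/rhsm"
    ln -s "$root/etc/pki/entitlement" "$defaults/etc-pki-entitlement"
    # Only rhsm is overridden; the entitlement link still comes from defaults.
    ln -s "$root/etc/rhsm-container" "$overrides/rhsm"
    effective_secrets "$defaults" "$overrides" | sed "s|$root||"
    rm -rf "$root"
}

demo
```

A listing like this makes it visible which host path each secret name resolves to once both directories are considered.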