Bug 1677264

Summary: There is no certs.d directory for podman currently
Product: Red Hat Enterprise Linux 8
Reporter: Suhaas Bhat <subhat>
Component: podman
Assignee: Valentin Rothberg <vrothber>
Status: CLOSED ERRATA
QA Contact: atomic-bugs <atomic-bugs>
Severity: unspecified
Priority: unspecified
Version: 8.0
CC: ajia, ddarrah, dornelas, dwalsh, igreen, jligon, jnovy, lsm5, mheon, vrothber
Target Milestone: rc
Target Release: 8.1
Hardware: Unspecified
OS: Unspecified
Fixed In Version: skopeo-0.1.35-1.git404c5bd
Last Closed: 2019-11-05 21:01:33 UTC
Type: Bug
Bug Blocks: 1186913, 1734574

Description Suhaas Bhat 2019-02-14 12:16:53 UTC
Description of problem:
We do not have any location for keeping the certificates for private registries, such as a certs.d directory at /etc/containers/certs.d.

Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux 8 Beta
podman-1.0.0-1.git82e8011.module+el8+2696+e59f0461.x86_64

Additional Info :
/etc/containers/ should have a certs.d directory consisting of the registries we are going to incorporate as in docker

As we are providing these 3 in the registries.conf file currently in the latest podman:
1. registry.redhat.io
2. quay.io
3. docker.io

Comment 1 Daniel Walsh 2019-03-01 10:10:55 UTC
Valentin can you look into how this would work with containers/image?

Comment 2 Valentin Rothberg 2019-03-01 11:24:02 UTC
(In reply to Daniel Walsh from comment #1)
> Valentin can you look into how this would work with containers/image?

containers/image supports this already (see https://github.com/containers/image/blob/master/docker/docker_client.go#L56). There are two lookup paths, namely `/etc/{containers,docker}/certs.d`, with containers having a higher priority, but it's not created by the tools or the packages, which aligns with docker's behavior.

`man podman-pull`, for instance, mentions the default path but we could reflect if the text could be more explicit.
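
The lookup order described in comment 2, as an added example that is not part of the original thread and is not code from containers/image, skopeo or podman: a shell check that reports which certs.d directory applies to a given registry and which trust material it holds. It assumes the first existing per-registry (`host[:port]`) directory wins; `CERTS_ROOT`, the function names and the output labels are hypothetical, and the key-permission flag is an added hygiene check.

```shell
#!/bin/sh
# Added illustration; not code from containers/image, skopeo or podman.
# CERTS_ROOT is a hypothetical prefix so the lookup can be tried in a scratch tree.

# Lookup order from comment 2: containers before docker.
CERTS_D_PATHS="/etc/containers/certs.d /etc/docker/certs.d"

# Print the first existing per-registry directory for host[:port]; return 1 if none.
find_certs_dir() {
    registry=$1
    for base in $CERTS_D_PATHS; do
        dir="${CERTS_ROOT:-}$base/$registry"
        if [ -d "$dir" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    return 1
}

# List the files that directory contributes, by the extension convention
# documented in containers-certs.d(5): .crt = CA, .cert = client cert, .key = client key.
# A key readable by group or others is flagged (added hygiene check).
list_trust_material() {
    certs_dir=$(find_certs_dir "$1") || {
        echo "no certs.d directory for $1" >&2
        return 1
    }
    for f in "$certs_dir"/*; do
        [ -e "$f" ] || continue
        case "$f" in
            *.crt)  echo "ca $f" ;;
            *.cert) echo "client-cert $f" ;;
            *.key)
                if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \))" ]; then
                    echo "client-key-exposed $f"
                else
                    echo "client-key $f"
                fi ;;
            *)      echo "ignored $f" ;;
        esac
    done
}

# Stand-alone use: ./certs-lookup.sh registry.example.test:5000
[ "$#" -eq 0 ] || list_trust_material "$1"
```

Because neither directory is created by the packages, a "no certs.d directory" result on a fresh host is expected until an administrator creates one.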

Comment 3 Daniel Walsh 2019-03-01 11:26:12 UTC
We can also add the /etc/containers/certs.d directory to containers-common.

Comment 4 Valentin Rothberg 2019-03-01 11:29:59 UTC
(In reply to Daniel Walsh from comment #3)
> We can also add the /etc/containers/certs.d directory to containers-common.

I like the idea. Maybe, we can add a `container-certs.d` manpage on top which can later be cross-referenced in the tools' pages?

Comment 5 Valentin Rothberg 2019-03-01 12:24:33 UTC
I opened a PR to add a `containers-certs.d(5)` manpage: https://github.com/containers/image/pull/594

Comment 6 Daniel Walsh 2019-03-08 20:18:51 UTC
Certs PR is merged.

Fixed in skopeo-0.1.35-1.git404c5bd

Comment 13 errata-xmlrpc 2019-11-05 21:01:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3403