Bug 1739707

Summary: Can't pull UBI images rootless, no access to /etc/docker/certs.d/registry.access.redhat.com/
Product: Red Hat Enterprise Linux 7
Reporter: Chris Snyder <csnyder>
Component: subscription-manager
Assignee: candlepin-bugs
Status: CLOSED ERRATA
QA Contact: Red Hat subscription-manager QE Team <rhsm-qe>
Severity: high
Priority: unspecified
Version: 7.8
CC: bbreard, bcourt, csnyder, ddarrah, dornelas, dwalsh, fedoraproject, jhnidek, jligon, jnovy, jsefler, lsm5, mheon, petr, pthomas, rhsm-qe, skallesh, smccarty
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: subscription-manager-1.24.14-1.el7
Doc Type: If docs needed, set a value
Story Points: ---
Clone Of: 1710923
Last Closed: 2020-03-31 19:40:52 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1710923
Bug Blocks: 1718378

Comment 4 Shwetha Kallesh 2019-10-30 04:32:31 UTC
[root@hpe-nehalem-02 ~]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 2.9.17-1
subscription management rules: 5.37
subscription-manager: 1.24.23-1.el7


[root@hpe-nehalem-02 ~]# whoami
root

[root@hpe-nehalem-02 ~]# subscription-manager register --force --serverurl subscription.rhsm.stage.redhat.com --username stage_auto_syspurpose002
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Password: 
The system has been registered with ID: f1f8d8f1-e24f-4c13-8ae5-29d8a736c864
The registered system name is: hpe-nehalem-02.hpe2.lab.eng.bos.redhat.com
[root@hpe-nehalem-02 ~]# subscription-manager attach --auto
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux Server
Status:       Subscribed


[root@hpe-nehalem-02 ~]# ls -l /etc/docker/certs.d/*/
/etc/docker/certs.d/access.redhat.com/:
total 72
-rw-r--r--. 1 root root 69337 Oct 30 00:26 4973054685650049796.cert
-rw-r--r--. 1 root root  3243 Oct 30 00:26 4973054685650049796.key

/etc/docker/certs.d/cdn.redhat.com/:
total 76
-rw-r--r--. 1 root root 69337 Oct 30 00:26 4973054685650049796.cert
-rw-r--r--. 1 root root  3243 Oct 30 00:26 4973054685650049796.key
-rw-r--r--. 1 root root  2305 Oct 17 15:55 redhat-entitlement-authority.crt

/etc/docker/certs.d/redhat.com/:
total 0
lrwxrwxrwx. 1 root root 27 Oct 29 23:57 redhat-ca.crt -> /etc/rhsm/ca/redhat-uep.pem

/etc/docker/certs.d/redhat.io/:
total 0
lrwxrwxrwx. 1 root root 27 Oct 29 23:57 redhat-ca.crt -> /etc/rhsm/ca/redhat-uep.pem

/etc/docker/certs.d/registry.access.redhat.com/:
total 72
-rw-r--r--. 1 root root 69337 Oct 30 00:26 4973054685650049796.cert
-rw-r--r--. 1 root root  3243 Oct 30 00:26 4973054685650049796.key
lrwxrwxrwx. 1 root root    27 Oct 29 23:57 redhat-ca.crt -> /etc/rhsm/ca/redhat-uep.pem

/etc/docker/certs.d/registry.redhat.io/:
total 72
-rw-r--r--. 1 root root 69337 Oct 30 00:26 4973054685650049796.cert
-rw-r--r--. 1 root root  3243 Oct 30 00:26 4973054685650049796.key


As a non-root user:

[shwe@hpe-nehalem-02 ~]$ whoami
shwe
[shwe@hpe-nehalem-02 ~]$ podman images
REPOSITORY   TAG   IMAGE ID   CREATED   SIZE
[shwe@hpe-nehalem-02 ~]$ podman pull registry.access.redhat.com/ubi7/ubi
Trying to pull registry.access.redhat.com/ubi7/ubi...Getting image source signatures
Copying blob 1d2c4ce43b78 done
Copying blob 1c9f515fc6ab done
Copying config 22ba711241 done
Writing manifest to image destination
Storing signatures
22ba71124135fed91f331104bd85d2589c55e868ee1e51b84baaccc2d124348b
[shwe@hpe-nehalem-02 ~]$ podman images
REPOSITORY                            TAG      IMAGE ID       CREATED       SIZE
registry.access.redhat.com/ubi7/ubi   latest   22ba71124135   3 weeks ago   215 MB
[shwe@hpe-nehalem-02 ~]$ podman pull registry.access.redhat.com/ubi8/ubi
Trying to pull registry.access.redhat.com/ubi8/ubi...Getting image source signatures
Copying blob 641d7cc5cbc4 done
Copying blob c65691897a4d done
Copying config 11f9dba4d1 done
Writing manifest to image destination
Storing signatures
11f9dba4d1bc7bbead64adb8fd73ea92dca5fac88a9b5c2c9796abcf2e97846d
[shwe@hpe-nehalem-02 ~]$ podman images
REPOSITORY                            TAG      IMAGE ID       CREATED       SIZE
registry.access.redhat.com/ubi7/ubi   latest   22ba71124135   3 weeks ago   215 MB
registry.access.redhat.com/ubi8/ubi   latest   11f9dba4d1bc   6 weeks ago   216 MB

Comment 6 errata-xmlrpc 2020-03-31 19:40:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1028