Nested redhat podman containers don't get subscription from host (common/pkg/subscriptions) #1735
Comments
Not sure why this is not happening automatically. This file is supposed to tell Podman to mount the directory into the container.
more /usr/share/containers/mounts.conf
Strange, the file looks the same on both the host and the container host:
container (ubi8):
I can spot a difference by looking at the contents of host:
container:
The /etc/pki/entitlement is empty on the container and the entitlements from the host are located under /etc/pki/entitlement-host. Perhaps it's missing some logic, something like this pseudo code:
Dnf is supposed to have a plugin that puts the entitlements back together. I am not sure how that works.
That might be what's enabling the repos/subscriptions on the parent container, but I don't think that's going to work on the nested container, as neither /etc/pki/entitlement nor /etc/pki/entitlement-host gets populated on the nested container.
It is best to add -v /run/secrets:/run/secrets in the internal container.
Perhaps we should modify the mounts.conf file inside of the container to do that by default.
But won't that cause potential conflicts with --secret?
I think
Sure, you could add these to containers.conf.
But isn't this something that should be handled automatically? |
You could make an argument that podman's containers image should do this automatically, but no way Podman in general should handle this.
Ok while I understand your concerns about Podman's scope, I think there's a case for consistency. If Podman already manages subscriptions for the initial container, logically, it should do so for nested containers too. Otherwise, it might be more consistent to not handle subscriptions at all and leave it entirely to the user. Coming back to your point:
and my concerns about mounting the whole /run/secrets, I realized that it is already being mounted in https://github.com/containers/common/blob/main/pkg/subscriptions/mounts.conf So perhaps the best course of action would be to modify the mounts.conf as you suggested initially.
I am not sure if mounts.conf inside of the container would work correctly rather than just adding it to
I tried changing mounts.conf inside of the "parent" container to
Ok, lets add /etc/containers/storage.conf with |
This change will allow RHEL subscriptions from the host to flow to internal containers.

Fixes: containers/common#1735

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
When running nested redhat containers (container inside a container) the nested container does not get the redhat subscription from the host, whereas the container that runs directly on the host gets the subscription from the host.
Subscription manager does not run in container mode and the repositories don't exist inside the nested container.
I traced the issue down to the differences in /run/secrets and I'm actually able to get the subscription to work correctly in the nested container by simply bind mounting /run/secrets on the nested container from the parent container. Upon closer inspection I found out that the yum repos from the host actually exist on the nested container under /run/secrets/redhat.repo but the certificates don't exist, so bind mounting /run/secrets/etc-pki-entitlement and /run/secrets/rhsm seems to be sufficient.
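The check below is an added example, not code from this issue or from containers/common. It reproduces the reporter's diagnosis offline: a constructed "parent" rootfs whose /run/secrets carries redhat.repo plus the etc-pki-entitlement and rhsm directories, and a constructed "nested" rootfs that only received redhat.repo. It also parses a mounts.conf of the kind discussed in the thread and verifies that every source it names exists in the parent rootfs, which is what the podman inside the parent container would have to find before it can hand anything down to the nested one. The three names under /run/secrets are the ones the issue reports; the mounts.conf format (`/host/path:/container/path`, or a bare `/path` mounted at the same path, with `#` comments) is assumed from mounts.conf(5); the fixture directories and the sample mounts.conf are constructed here and are not the project's defaults.

```shell
#!/bin/sh
# Added example, not code from the issue or from containers/common.
# Fixtures and the sample mounts.conf below are constructed so the check
# runs offline without podman or a RHEL subscription.

# Report which of the entries a nested RHEL container needs are missing
# under ROOT/run/secrets (names taken from the issue report).
# Prints the missing names on one line; returns 1 if any are missing.
check_nested_secrets() {
    root="$1"
    missing=""
    for entry in redhat.repo etc-pki-entitlement rhsm; do
        [ -e "$root/run/secrets/$entry" ] || missing="$missing $entry"
    done
    missing="${missing# }"
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Parse a mounts.conf into "src dst" lines. Assumed format, as described in
# mounts.conf(5): "/host/path:/container/path", or a bare "/path" that is
# mounted at the same path; blank lines and "#" comments are skipped.
mounts_conf_entries() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
            *:*)     printf '%s %s\n' "${line%%:*}" "${line#*:}" ;;
            *)       printf '%s %s\n' "$line" "$line" ;;
        esac
    done < "$1"
}

# Check that every source listed in CONF exists under ROOT, i.e. that the
# podman running inside the parent container would actually find what the
# file tells it to mount into the nested one.
# Prints the missing sources on one line; returns 1 if any are missing.
check_mounts_conf() {
    conf="$1"
    root="$2"
    missing=""
    while read -r src dst; do
        [ -n "$src" ] || continue
        [ -e "$root$src" ] || missing="$missing $src"
    done <<EOF
$(mounts_conf_entries "$conf")
EOF
    missing="${missing# }"
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Constructed fixture: ROOT/run/secrets with the given entries; names ending
# in .repo become files, everything else becomes a directory.
make_fixture() {
    root="$1"
    shift
    mkdir -p "$root/run/secrets"
    for entry in "$@"; do
        case "$entry" in
            *.repo) : > "$root/run/secrets/$entry" ;;
            *)      mkdir -p "$root/run/secrets/$entry" ;;
        esac
    done
}

WORK=$(mktemp -d)
PARENT="$WORK/parent"
NESTED="$WORK/nested"
make_fixture "$PARENT" redhat.repo etc-pki-entitlement rhsm
mkdir -p "$PARENT/etc/rhsm"          # referenced by the bare line in the sample conf
make_fixture "$NESTED" redhat.repo   # what the reporter saw: repo file only, no certs

# Sample mounts.conf for the parent container (constructed, not the project's
# default file). The first entry is the bind mount proposed in the thread.
CONF="$WORK/mounts.conf"
cat > "$CONF" <<'EOF'
# secrets to hand down to nested containers
/run/secrets:/run/secrets
/etc/rhsm
EOF

check_nested_secrets "$PARENT" >/dev/null && echo "parent: all entitlement paths present"
check_nested_secrets "$NESTED" || echo "nested: the entries listed above are missing"
check_mounts_conf "$CONF" "$PARENT" >/dev/null && echo "mounts.conf: every source exists in the parent rootfs"
```

Run it inside the parent container against `/` (for example `check_nested_secrets /` and `check_mounts_conf /etc/containers/mounts.conf /`) to see which of the two failure modes from the thread applies: the parent itself never received the certificates, or it has them but its mounts.conf does not list a source that exists.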