[CI:DOCS] Pass secrets from the host down to internal podman containers

[rhatdan]

This change will allow RHEL subscriptions from the host to flow to internal containers.

Fixes: containers/common#1735

Does this PR introduce a user-facing change?

RHEL Subscriptions from the host now flow through to quay.io/podman/* images

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rhatdan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [rhatdan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[rhatdan]

@gardar could you make sure this does what you want?

[gardar]

@rhatdan sure, thanks! I'll do it once I get back to the office after the weekend.

[vrothberg]

Tentative LGTM.

Would be great to have this tested in CI.

[Luap99]

While I understand what you are trying to do it seems that /run/secrets is overloaded. If you create the outer container with a secret it will be written to /run/secrets. Thus this patch will leak all secrets to the inner container which seems undesirable if not outright dangerous as I cannot imagine anyone expecting this.
Is there a way to only limit this to the RHEL subscription?

[gardar]

Is there a way to only limit this to the RHEL subscription?

Yes, with /run/secrets/etc-pki-entitlement and /run/secrets/rhsm as I suggested here: containers/common#1735 (comment)

[rhatdan]

I agree that their could be a leak, but doing /run/secrets/etc-pki-entitlement:/run/secrets/etc-pki-entitlement will fail if /run/secrets/etc-pki-entitlement does not exists within the first container.

Since this is not a general purpose container, I think it is safe to do /run/secrets:/run/secrets

[rhatdan]

We could add an optional volume construct,
-/run/secrets/etc-pki-entitlement:/run/secrets/etc-pki-entitlement which would only volume mount if the source existed, but I am not sure if that is worth it.

Could go all the way to

+/run/secrets/etc-pki-entitlement:/run/secrets/etc-pki-entitlement

Which would create the source volume if it did not exists (Matching Docker behavior).

[Luap99]

Well I think secrets contain generally sensitive data, thus leaking it without any user content to the inner container may be very bad.
Also it seems we already special hande the case were a directory does not exists and only print a warning: https://github.com/containers/common/blob/7aab1cc4bf70e6da448c0dbe86f0fec8d8cfcd6a/pkg/subscriptions/subscriptions.go#L230-L236
We could easily drop this down to info level.

[gardar]

Am I understanding it correctly that this proposed change only fixes the issue when using the podmanimage container as the "parent" and using other containers would still cause issues? Or is podmanimage some specialized container image that podman runs internally when running Podman in Podman?

[rhatdan]

This will only fix this for podmanimage(s), but gives a guide to others on how to handle it.

[gardar]

This will only fix this for podmanimage(s), but gives a guide to others on how to handle it.

Ok that what I thought.
Would it not be more feasible to fix this at a level where it would work for any container? By extending the code in common/pkg/subscriptions

[rhatdan]

You could potentially do something their but it would be an abuse and hard coding RHEL semantics into the tool. Currently the tool is generalized to look for a file and then copies the contents of that file into the container. I would not want to hard code this path into the podman/buildah.

[Luap99]

@rhatdan it seems like you didn't fix #20659 (comment)

This means podman will print a bunch of warnings if the container is not run on non RHEL/fedora based host.