Mount host's certificate bundles

[DavidTorresOcana]

Add support for usage of REQUESTS_CA_BUNDLE env. variable

Certificates might not always be in /etc/ssl but users might setup variable REQUESTS_CA_BUNDLE to other directory.
Documentation update might be needed.

[AkihiroSuda]

Why only for rootless, and why alter the namespace?

[AkihiroSuda]

The “REQUESTS_CA_BUNDLE” env var seems specific to Python requests, which isn’t related to Moby.

https://docs.python-requests.org/en/master/user/advanced/#ssl-cert-verification

NOTLGTM

[DavidTorresOcana]

How do we handle then situations like:

• Users cannot write to /etc/ssl (the main purpose of rootless docker) and have to use certificates (stored somewhere else than /etc/ssl)?
• Users cannot write to /etc/ssl which contains an expired certificate: this prevents the daemon from pulling images

Maybe I am missing something.

If the problem is the name of the variable REQUESTS_CA_BUNDLE what should be used?

This PR builds on top of rootless-containers/rootlesskit#225 to solve the above cases

[AkihiroSuda]

Why not just use ~/.config/docker/certs.d? (equivalent of /etc/docker/certs.d)

[DavidTorresOcana]

As I understand ~/.config/docker/certs.d is where keys/certificates are placed for encrypting (SSL) daemon-client and daemon-registry communication.
These are not certificates to be used by daemon when pulling from public registries.
Am I missing something?

If not using the fix of this PR users might get the error expired certificates errors as in rootless-containers/rootlesskit#225 if host did not updated tat certificate.

If this is really not a feature we want, I would suggest to revert fix for rootless-containers/rootlesskit#225 as it is the root cause.