Need a way to specify custom directories for rhsm configuration #186

Open
parthaa opened this issue Aug 22, 2016 · 8 comments

parthaa commented Aug 22, 2016

Patch moby#6075 adds support to docker to specify "secret" files to be injected in a container. As of today's Atomic Hosts when one does docker run -it registry.access.redhat.com/rhel7 the secrets files are copied over and injected into the container from /usr/share/rhel/secrets. This enables subscription manager to run inside containers as desired.

On the atomic host we see the following:

$ ls -al /usr/share/rhel/secrets/
lrwxrwxrwx. 1 root root 20 Jul 28 01:00 etc-pki-entitlement -> /etc/pki/entitlement          
lrwxrwxrwx. 1 root root 28 Jul 28 01:00 rhel7.repo -> /etc/yum.repos.d/redhat.repo           
lrwxrwxrwx. 1 root root  9 Jul 28 01:00 rhsm -> /etc/rhsm                                    

So consider the case where you want the /etc/rhsm on the host to be different from the /etc/rhsm inside the container. It could be something basic like "the rhsm base url for yum repos is different from base url for atomic ostree repos" OR "we want to use different entitlement models and hide access to certain repos on hosts vs containers". The above configuration will make it impossible to change that because /usr/share/rhel/secrets/rhsm is a read-only link. The symlink there cannot be redirected.
The /etc/rhsm conf symlinked above specifically points to the host's rhsm conf. We cannot have separate configurations for hosts and containers.

In short we need something like this

$ ls -al /usr/share/rhel/secrets/
lrwxrwxrwx. 1 root root 20 Jul 28 01:00 etc-pki-entitlement -> /etc/pki/entitlement-latest          
lrwxrwxrwx. 1 root root 28 Jul 28 01:00 rhel7.repo -> /etc/yum.repos.d/redhat-latest.repo           
lrwxrwxrwx. 1 root root  9 Jul 28 01:00 rhsm -> /etc/rhsm-latest

$ ls -al /etc/pki/entitlement-latest
entitlement-latest -> entitlements

$ ls -al /etc/rhsm-latest
rhsm-latest -> rhsm

$ ls -al /etc/yum.repos.d/redhat-latest.repo
redhat-latest.repo -> redhat.repo                                   

What this would enable is for one to change what /etc/rhsm-latest points to and specify an alternate configuration for the container while preserving the default behavior when desired.

Member

rhatdan commented Aug 23, 2016

I would think having it point to /etc/rhsm-containers would be better than latest.
Have you tried this out and does it work?

@cgwalters
Member

How about enhancing the secrets patch to look in both /usr/share/rhel/secrets and /etc/docker/rhel/secrets; the latter overrides the former?

Then all you'd need to do is ln -sr /etc/rhsm-container /etc/docker/rhel/secrets, right?
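
A sketch of the two-directory lookup proposed in the comment above, added here as an example; it is not the secrets patch or any project code. It assumes an entry in the later directory replaces a same-named entry from the earlier one, and `resolveSecrets` is a hypothetical name.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// resolveSecrets merges secret entries from dirs in order; an entry in a
// later directory replaces a same-named entry from an earlier one.
// Assumption: overriding is by entry name (e.g. "rhsm"). Symlinks are
// resolved so the caller sees the real host path that would be injected.
func resolveSecrets(dirs []string) (map[string]string, error) {
	merged := make(map[string]string)
	for _, dir := range dirs {
		entries, err := os.ReadDir(dir)
		if os.IsNotExist(err) {
			continue // an absent override directory is not an error
		}
		if err != nil {
			return nil, err
		}
		for _, e := range entries {
			target, err := filepath.EvalSymlinks(filepath.Join(dir, e.Name()))
			if err != nil {
				// Fail closed on a dangling link rather than silently
				// falling back to the default it was meant to replace.
				return nil, fmt.Errorf("secret %q in %s: %w", e.Name(), dir, err)
			}
			merged[e.Name()] = target
		}
	}
	return merged, nil
}

func main() {
	// Default directory first, override last (both paths from the thread).
	secrets, err := resolveSecrets([]string{"/usr/share/rhel/secrets", "/etc/docker/rhel/secrets"})
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println(secrets) // fmt prints maps in sorted key order
}
```

Printing the resolved targets before starting a container shows which host configuration each secret name actually maps to.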

Member

rhatdan commented Aug 23, 2016

I am fine with this although I would prefer something generic like /etc/container/rhel/secrets.

Collaborator

runcom commented Aug 23, 2016

/etc/container/rhel/secrets.

+1

Author

parthaa commented Aug 23, 2016

@rhatdan @cgwalters both suggestions are good and will work for me.

Member

rhatdan commented Aug 23, 2016

@runcom can you modify the secrets patch to handle this?

Collaborator

runcom commented Aug 23, 2016

@rhatdan sure I can

@dustymabe

@runcom, can this be closed?
