RHEL 8.0 - (rootless) podman cannot access registry.redhat.io

Latest response

I discovered a bug on a fresh installation of RHEL 8.0, it's not possible to login to registry.redhat.io with rootless podman. I could figure out that
a /etc/docker/certs.d directory which contains certs and keys is responsible. After a discussion with Dan Walsh and Scott McCarty (both are real
"Red Hat Container Gurus") yesterday, we could elaborate two workarounds, either chmod 644 the key(s) or remove the /etc/docker directory.

$ podman login registry.redhat.io --username XXXXXXXX --password XXXXXXXXXX
error authenticating creds for "registry.redhat.io":
error creating new docker client: open /etc/docker/certs.d/registry.redhat.io/4275960890465482954.key:
permission denied

$ ls -l /etc/docker/certs.d
total 0
drwxr-xr-x. 2 root root 69 7. Mai 12:12 access.redhat.com
drwxr-xr-x. 2 root root 109 7. Mai 12:12 cdn.redhat.com
drwxr-xr-x. 2 root root 69 7. Mai 12:12 registry.access.redhat.com
drwxr-xr-x. 2 root root 69 7. Mai 12:12 registry.redhat.io

sudo rm -r /etc/docker

$ podman login registry.redhat.io --username XXXXXXXX --password XXXXXXXXXX
Login Succeeded!

The - important - remaining question was : what creates this /etc/docker directory - even though docker not having ever been installed at all ?
I received a message from Scott, which explains what's going on. For those who use (rootless) podman and are affected, here's what he wrote :

"The directories, themselves, are created by Anaconda. The directories are then populated by RHSM when you register the system.
Rootless works perfectly on an unregistered system or if you just blow the /etc/docker directory away completely (which is safe) ...
Apparently, this directory and these certs were part of some experimental project which never went live (and never will go live)."

I thought it would be a good idea to share this information with our community members ... Thank you, Daniel and Scott for your assistance ! :)

Red Hat Bugzilla - Bug 1710923 - Description -> Can't pull UBI images rootless, no access to /etc/docker/certs.d/registry.access.redhat.com/

Responses

That is a good research Christian and congrats for becoming Red Hat Accelerator :)

Thank you, Sadashiva ! :)

Just to clarify, the subscription-manager-plugin-container package provides a yum plugin, and this plugin is what creates the /etc/docker/certs.d/.redhat. directories and populates them with the entitlement cert/key files. This subscription-manager-plugin-container package is part of a base RHEL 8 install, but it can be removed after install (or very likely excluded via kickstart.) Since this package is no longer needed our hope is to deprecate it in a future release.

Thanks for the explanation, Derrick ! :)