Docker snap: self-signed certificates for private registry

Hello,

We are trying to set up communication between dockerd (via the official Docker snap, latest/stable, on UC20) and a private container registry.

In this case, the private container registry uses a self-signed certificate.

And so, we are encountering the same problem that has been discussed in the following threads:

Is there a solution for managing certificates in Ubuntu Core?

For now, we’ve resorted to the following hack/proof of concept…
Assuming write access is available on /var/snap/docker/current/etc/docker, we create /var/snap/docker/current/etc/docker/certs.d/myregistry.domain.com\:5443/ and place the file ca.crt there.

The dockerd daemon was then able to communicate with the private registry (e.g. it can pull an image), but there are several issues.

  1. This only works in unconfined mode. We would need to get this addition to snapcraft.yaml approved for our snap:
plugs:
  docker-certs-fs:
    interface: system-files
    write:
      - /var/snap/docker/current/etc/docker
  2. More importantly, if the docker snap is updated/refreshed, then the existing certificates won’t be carried over to the new version (AFAIK), since current is a symlink:
$ sudo ls -l /var/snap/docker
total 8
drwxr-xr-x 4 root root 4096 Jun 14 15:49 796
drwxr-xr-x 5 root root 4096 Jul 27 20:17 common
lrwxrwxrwx 1 root root    3 Jun 14 15:49 current -> 796

Use of common would be a better fit, but dockerd isn’t configured to use this directory.

Any thoughts/recommendations on this problem?

Other resources checked:

Thanks in advance for your support!
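The certs.d layout the post relies on is dockerd's standard per-registry trust store: dockerd looks for `<docker-config-root>/certs.d/<host>:<port>/ca.crt` (plus optional `client.cert`/`client.key`), so the directory name is the registry's host:port with a literal colon; the backslash in the path above is only shell quoting from `ls`. The script below is an added example, not code from the post or from the Docker snap, that installs a CA into that layout and refuses to install anything that is not a PEM certificate (e.g. a private key dropped in by mistake). The default DOCKER_ROOT is the snap path from the post; `DOCKER_ROOT=/etc/docker` covers a classic install. The helper names (`registry_key`, `certs_dir_for`, `install_registry_ca`, `registry_ca_installed`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post or the Docker snap).
# Installs a private registry's CA into dockerd's certs.d tree:
#   <docker-config-root>/certs.d/<host>:<port>/ca.crt
# DOCKER_ROOT defaults to the snap's revision-specific config dir from the post.
set -eu

DOCKER_ROOT="${DOCKER_ROOT:-/var/snap/docker/current/etc/docker}"

# Reduce a registry reference to the host[:port] key dockerd uses under certs.d.
# Accepts "host:port", "https://host:port/v2/", or a bare host.
registry_key() {
    ref=$1
    ref=${ref#https://}
    ref=${ref#http://}
    ref=${ref%%/*}
    printf '%s\n' "$ref"
}

# Directory dockerd will search for this registry's certificates.
certs_dir_for() {
    printf '%s/certs.d/%s\n' "$1" "$(registry_key "$2")"
}

# Copy a PEM CA certificate into place and print the installed path.
# Refuses files that are not PEM certificates or that carry a private key,
# so a key or a DER blob cannot be installed as ca.crt by mistake.
install_registry_ca() {
    root=$1
    registry=$2
    ca_file=$3
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$ca_file"; then
        echo "refusing: $ca_file is not a PEM certificate" >&2
        return 1
    fi
    if grep -q -- 'PRIVATE KEY' "$ca_file"; then
        echo "refusing: $ca_file contains a private key" >&2
        return 1
    fi
    dir=$(certs_dir_for "$root" "$registry")
    mkdir -p "$dir"
    chmod 0755 "$dir"
    cp "$ca_file" "$dir/ca.crt"
    chmod 0644 "$dir/ca.crt"   # world-readable is fine: it is a public CA cert
    printf '%s\n' "$dir/ca.crt"
}

# Returns 0 if a non-empty ca.crt is installed for the registry, 1 otherwise.
registry_ca_installed() {
    [ -s "$(certs_dir_for "$1" "$2")/ca.crt" ]
}

# Usage: DOCKER_ROOT=/var/snap/docker/current/etc/docker \
#        sh install-registry-ca.sh myregistry.domain.com:5443 ./ca.crt
if [ $# -eq 2 ]; then
    install_registry_ca "$DOCKER_ROOT" "$1" "$2"
fi
```

Run it as root (or with whatever write access the snap's confinement grants) against the snap's config root; after a refresh, re-run it against the new `current` to confirm ca.crt is still where dockerd expects it.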