Hello,
We are trying to set up communication between `dockerd` (via the official Docker snap, `latest/stable`, on UC20) and a private container registry.
In this case, the private container registry uses a self-signed certificate.
And so, we are encountering the same problem that has been discussed in the following threads:
- Extending system certificates
- Certificate substitution and snaps
- Ubuntu-Core OpenSSL certificate authority creation
Is there a solution for managing certificates in Ubuntu Core?
For now, we’ve resorted to the following hack/proof of concept…
Assuming write access is available on `/var/snap/docker/current/etc/docker`, we create `/var/snap/docker/current/etc/docker/certs.d/myregistry.domain.com\:5443/` and place file `ca.crt` there.
The `dockerd` daemon was then able to communicate with the private registry (e.g. can pull an image) - but there are several issues.
- This only works in unconfined mode. Would need to get this addition to `snapcraft.yaml` approved for our snap:

  ```yaml
  plugs:
    docker-certs-fs:
      interface: system-files
      write:
        - /var/snap/docker/current/etc/docker
  ```
- More importantly, if the docker snap is updated/refreshed, then the existing certificates won’t be carried over to the new version (AFAIK) - since `current` is a symlink:

  ```
  $ sudo ls -l /var/snap/docker
  total 8
  drwxr-xr-x 4 root root 4096 Jun 14 15:49 796
  drwxr-xr-x 5 root root 4096 Jul 27 20:17 common
  lrwxrwxrwx 1 root root 3 Jun 14 15:49 current -> 796
  ```

  Use of `common` would be a better fit, but `dockerd` isn’t configured to use this directory.
Any thoughts/recommendations to this problem?
Other resources checked:
- Docker’s documentation assumes write access to `/etc/docker/certs.d`. The docs don’t appear to specify a way to override the certs directory (say with config or an environment variable). https://docs.docker.com/engine/security/certificates/
- There’s a similar issue reported some time ago (for `daemon.json` - but similar concept): https://github.com/docker-archive/docker-snap/issues/22
Thanks in advance for your support!
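The refresh problem described in the post can be reproduced without a real snap or a running `dockerd`. The following script is an added illustration, not code from the post, the Docker snap or snapd: it builds a throwaway directory tree shaped like `/var/snap/docker` (revision directory, `current` symlink, `common`), drops a `ca.crt` under `current/etc/docker/certs.d/<host>:<port>/` exactly the way Docker's certs.d lookup expects (the directory name is the literal `host:port`; the backslash in the post is only shell escaping), then simulates a refresh by creating a new revision and repointing `current`. The revision numbers and the PEM body are constructed placeholders.

```python
"""Show why a registry CA installed under the snap's `current` revision
does not survive a refresh, while a file under `common` does.
Added example; nothing here touches the real /var/snap."""
import tempfile
from pathlib import Path
from typing import Optional

# Relative path Docker uses inside its config root for per-registry CAs.
CERTS_SUBDIR = Path("etc/docker/certs.d")

# Constructed placeholder; a real ca.crt holds the registry's CA certificate.
FAKE_PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"


def registry_dir_name(host: str, port: Optional[int] = None) -> str:
    """Docker reads certs.d/<hostname>:<port>/ca.crt; the colon is literal."""
    return f"{host}:{port}" if port else host


def make_snap_tree(root: Path, revision: str) -> None:
    """Create <root>/<revision>, <root>/common and point <root>/current at the revision."""
    (root / revision).mkdir(parents=True, exist_ok=True)
    (root / "common").mkdir(exist_ok=True)
    link = root / "current"
    if link.is_symlink():
        link.unlink()
    link.symlink_to(revision)  # relative target, like snapd's `current -> 796`


def install_ca(root: Path, base: str, registry: str, pem: str) -> Path:
    """Write ca.crt under <root>/<base>/etc/docker/certs.d/<registry>/."""
    cert_dir = root / base / CERTS_SUBDIR / registry
    cert_dir.mkdir(parents=True, exist_ok=True)
    cert_path = cert_dir / "ca.crt"
    cert_path.write_text(pem)
    return cert_path


def ca_visible(root: Path, base: str, registry: str) -> bool:
    """True if the CA file is reachable through <base> (e.g. `current` or `common`)."""
    return (root / base / CERTS_SUBDIR / registry / "ca.crt").is_file()


def simulate_refresh(root: Path, new_revision: str) -> None:
    """A refresh installs a new revision directory and repoints `current`."""
    make_snap_tree(root, new_revision)


def demo() -> dict:
    """Run the scenario in a temp dir and report what dockerd would see."""
    registry = registry_dir_name("myregistry.domain.com", 5443)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "var/snap/docker"
        make_snap_tree(root, "796")  # constructed revision number
        install_ca(root, "current", registry, FAKE_PEM)
        install_ca(root, "common", registry, FAKE_PEM)
        before = ca_visible(root, "current", registry)
        simulate_refresh(root, "800")  # constructed next revision
        return {
            "registry_dir": registry,
            "current_before_refresh": before,
            "current_after_refresh": ca_visible(root, "current", registry),
            "common_after_refresh": ca_visible(root, "common", registry),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the CA reachable via `current` before the refresh, gone afterwards (the file still exists under the old revision directory, but `dockerd` resolves `current`), and still reachable via `common`; that is the gap between where Docker looks and where snapd keeps per-snap persistent data.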