Configuring container pull secrets
A common scenario is needing to configure the host system with a "pull secret" necessary to fetch container images, which includes fetching the host's own updates, since bootc pulls those as container images too.
There is a section in the upstream bootc documentation for secrets in general that applies here.
The following content applies to the built image. When using an external installer such as Anaconda (Bare metal) or bootc-image-builder, those systems will each need to be configured with any applicable pull secrets.
Credential location for bootc
The recommendation for host bootc updates is to write configuration to /etc/ostree/auth.json (which is shared with rpm-ostree). As of relatively recently, /usr/lib/ostree/auth.json is also supported.
Credential location for podman
See containers-auth.json.
Lack of "system wide" podman credentials
A general conceptual problem with all of the containers-auth locations that are accepted by podman today is that the two locations are underneath:
- /run: This vanishes on reboot, which is not usually desired
- /root: Part of root's home directory, which is local mutable state by default
There is discussion about adding a system-wide location for the container stack, but this has not yet happened. More in this pull request.
Unifying bootc and podman credentials
A common pattern will be using a single default global pull secret for both bootc and podman.
The following container build demonstrates one approach to achieve this.
This reference example is maintained in container-auth.
Containerfile (the FROM line naming the base bootc image precedes this fragment):
COPY link-podman-credentials.conf /usr/lib/tmpfiles.d/link-podman-credentials.conf
# The secret is mounted only for this build step (podman build --secret id=creds,src=<auth.json>);
# the only copy committed to the image is the root-only 0600 file under /usr/lib.
RUN --mount=type=secret,id=creds,required=true cp /run/secrets/creds /usr/lib/container-auth.json && \
    chmod 0600 /usr/lib/container-auth.json && \
    ln -sr /usr/lib/container-auth.json /etc/ostree/auth.json
link-podman-credentials.conf (installed to /usr/lib/tmpfiles.d/ by the COPY above):
# Make /run/containers/0/auth.json (a transient runtime file)
# a symlink to our /usr/lib/container-auth.json (a persistent file)
# which is also symlinked from /etc/ostree/auth.json.
# /run/containers/0/auth.json is where podman looks for root's credentials when
# XDG_RUNTIME_DIR is unset (e.g. in a systemd service); see containers-auth.json(5).
# The link target is relative: three levels up from /run/containers/0 reaches /.
d /run/containers/0 0755 root root -
L /run/containers/0/auth.json - - - - ../../../usr/lib/container-auth.json
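The wiring above has three pieces that must agree: one persistent 0600 file under /usr/lib, a relative symlink from the bootc/ostree path, and a relative symlink created at boot for podman. The bash script below is an added example (it is not from the Fedora docs or the container-auth repository): it computes the same relative targets `ln -sr` and the tmpfiles.d `L` line use, stages a throwaway root tree with a constructed dummy secret, and then checks that both consumer paths resolve to the single root-only file. Function names, the staged directory, and the dummy registry entry are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example (not from the Fedora docs or the container-auth repo).
# Verifies the credential layout inside a staged root tree $ROOT:
#   $ROOT/usr/lib/container-auth.json           persistent file, mode 0600
#   $ROOT/etc/ostree/auth.json         -> ../../usr/lib/container-auth.json    (bootc)
#   $ROOT/run/containers/0/auth.json   -> ../../../usr/lib/container-auth.json (podman)
set -eu

# Relative symlink target from an absolute link path to an absolute file path,
# assuming the only directory they share is "/" (true for the paths above).
# This is the dotted path `ln -sr` produces and that a tmpfiles.d "L" line needs.
relative_target() {
    local link_dir up=""
    link_dir=$(dirname "$1")
    while [ "$link_dir" != "/" ]; do
        up="../$up"
        link_dir=$(dirname "$link_dir")
    done
    printf '%s%s\n' "$up" "${2#/}"
}

# Lay out a staged tree the way the Containerfile plus the tmpfiles.d rule would.
# The secret written here is a constructed placeholder ("dummy:dummy"), not a real credential.
stage_tree() {
    local root=$1
    mkdir -p "$root/usr/lib" "$root/etc/ostree" "$root/run/containers/0"
    printf '{"auths":{"registry.example.invalid":{"auth":"ZHVtbXk6ZHVtbXk="}}}\n' \
        > "$root/usr/lib/container-auth.json"
    chmod 0600 "$root/usr/lib/container-auth.json"
    ln -s "$(relative_target /etc/ostree/auth.json /usr/lib/container-auth.json)" \
        "$root/etc/ostree/auth.json"
    ln -s "$(relative_target /run/containers/0/auth.json /usr/lib/container-auth.json)" \
        "$root/run/containers/0/auth.json"
}

# Check the layout: returns 0 when both consumers resolve to one 0600 file,
# otherwise prints the first problem found and returns 1.
check_auth_layout() {
    local root=$1
    local real="$root/usr/lib/container-auth.json" link
    [ -f "$real" ] || { echo "missing $real"; return 1; }
    # -perm 0600 matches the mode exactly, so group/other-readable copies fail here
    [ -n "$(find "$real" -prune -perm 0600)" ] || { echo "$real is not mode 0600"; return 1; }
    for link in "$root/etc/ostree/auth.json" "$root/run/containers/0/auth.json"; do
        [ -L "$link" ] || { echo "$link is not a symlink"; return 1; }
        [ "$(readlink -f "$link")" = "$(readlink -f "$real")" ] \
            || { echo "$link does not resolve to $real"; return 1; }
    done
    echo "ok: bootc and podman both resolve to $real"
}

main() {
    local root status=0
    root=$(mktemp -d)
    stage_tree "$root"
    check_auth_layout "$root" || status=$?
    rm -rf "$root"
    return "$status"
}
main
```

To point `check_auth_layout` at a real image instead of the staged tree, pass the directory where the image's root filesystem is mounted or extracted; the checks are the same. The build side of the page's approach is `podman build --secret id=creds,src=<path-to-auth.json> .`, which is what makes `/run/secrets/creds` available to the `RUN --mount=type=secret,id=creds` step.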