How do I attach subscription data to containers running in Docker not provided by Red Hat?

Solution Verified - Updated

Environment

  • Non-Red Hat container solution such as Docker-CE or Docker-EE
  • Non-Red Hat Kubernetes solutions
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • Red Hat provided base images such as registry.redhat.io/rhel7 or registry.redhat.io/ubi8

Issue

  • Docker or Podman, as provided by Red Hat on Red Hat Enterprise Linux 7 or 8, automatically mounts host subscription data into containers as a secret via the /run/secrets directory.
  • Docker as provided by other vendors, or any Docker package not provided by Red Hat, may not provide methods for automatically attaching subscription data.
  • What manual steps can be taken to attach host entitlement data directly into containers running on non-Red Hat container solutions?

Resolution

  • The following steps outline possible methods for attaching subscription data to containers running on non-Red Hat container runtimes and engines. This method is unsupported by Red Hat, and Red Hat Support offers no assistance in ensuring that subscription data for hosts is passed to non-Red Hat Docker or Podman.
  • The following steps are provided as a courtesy in the event one wishes to try manually adding subscription data to containers using non-Red Hat container solutions.
  • Although the details are highly dependent on the container runtime, adding the following host directories and files to your container under the /run/secrets location within the Red Hat base image container should provide subscription data:
/etc/pki/entitlement/
/etc/rhsm
/etc/yum.repos.d/redhat.repo
  • Please consult with your container provider vendor for steps on how to mount these volumes properly and securely.
  • In some instances you will receive an error about the SSL CA cert permissions or path. In these instances you also need to mount /etc/rhsm from the host to /etc/rhsm-host inside of the container. The error looks like this:
Errors during downloading metadata for repository 'rhel-8-for-x86_64-supplementary-rpms':
  - Curl error (77): Problem with the SSL CA cert (path? access rights?)
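
As an added example (not part of this solution, and not a Red Hat-provided tool), the following POSIX shell script builds the docker run command line that bind-mounts the three host paths above into the same /run/secrets targets that Red Hat's Docker populates, plus the /etc/rhsm-host mount for the SSL CA cert case. It assumes the host is registered with subscription-manager (so /etc/pki/entitlement/*.pem, /etc/rhsm/rhsm.conf and /etc/yum.repos.d/redhat.repo exist), checks those prerequisites before emitting anything, and mounts everything read-only so a process in the container cannot alter the host's entitlement data. The optional ROOT argument prefixes the host paths and exists only so the logic can be exercised against a constructed directory tree; the function and option names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Red Hat solution. Builds the `docker run`
# invocation that bind-mounts a registered host's subscription data into the
# /run/secrets paths that Red Hat's Docker and Podman populate automatically.
# Assumes the host is registered with subscription-manager, so these exist:
#   /etc/pki/entitlement/  /etc/rhsm/rhsm.conf  /etc/yum.repos.d/redhat.repo
# The optional ROOT argument prefixes the host paths; it is only there so the
# logic can be checked against a constructed directory tree.

# Print the three -v flags, or fail (return 1) if the host data is incomplete.
entitlement_mount_flags() {
  root="${1:-}"
  ent="$root/etc/pki/entitlement"
  rhsm="$root/etc/rhsm"
  repo="$root/etc/yum.repos.d/redhat.repo"

  # An unregistered host has no entitlement certificate; yum inside the
  # container would then fail against the CDN, so refuse early.
  found=0
  for pem in "$ent"/*.pem; do
    if [ -f "$pem" ]; then found=1; fi
  done
  if [ "$found" -eq 0 ]; then
    echo "no entitlement certificates in $ent (is the host registered?)" >&2
    return 1
  fi
  if [ ! -d "$rhsm" ] || [ ! -f "$rhsm/rhsm.conf" ]; then
    echo "missing $rhsm or $rhsm/rhsm.conf" >&2
    return 1
  fi
  if [ ! -f "$repo" ]; then
    echo "missing $repo (no repositories enabled on the host?)" >&2
    return 1
  fi

  # :ro keeps a process in the container from modifying the host's entitlement
  # certificates or repo definitions; the targets match the layout that
  # `ls /run/secrets/*` shows under Red Hat's Docker.
  printf '%s' "-v $ent:/run/secrets/etc-pki-entitlement:ro -v $rhsm:/run/secrets/rhsm:ro -v $repo:/run/secrets/redhat.repo:ro"
}

# Extra mount for the "Problem with the SSL CA cert" case described in the
# solution: expose the host's /etc/rhsm as /etc/rhsm-host inside the container.
rhsm_host_flag() {
  root="${1:-}"
  printf '%s' "-v $root/etc/rhsm:/etc/rhsm-host:ro"
}

# Assemble the full command line as a dry run; ROOT and IMAGE are optional.
entitlement_run_command() {
  root="${1:-}"
  image="${2:-registry.redhat.io/ubi8}"
  flags=$(entitlement_mount_flags "$root") || return 1
  printf '%s' "docker run -it --rm $flags $(rhsm_host_flag "$root") $image bash"
}

# Stand-alone use: `sh thisscript.sh --print` prints the command for this host.
# Run the printed command, then check `ls /run/secrets` and `dnf repolist`
# inside the container to confirm the subscription data was picked up.
if [ "${1:-}" = "--print" ]; then
  entitlement_run_command || exit 1
  echo
fi
```

Host paths containing spaces are not handled by the flag string (it is split on whitespace when passed to docker), which is acceptable for the fixed /etc locations used here.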

Root Cause

  • Upstream Docker has rejected patches that allow for host subscription data to be directly attached to the containers automatically.
  • Docker as provided by Red Hat, and the Podman project, support automatic mounts of the host's subscription directories directly into the container's /run/secrets path, which yum in the Red Hat base images reads to import subscription data from the host.
  • As an example, this can be inspected in the registry.redhat.io/ubi8 image:
# rpm -q docker
docker-1.13.1-203.git0be3e21.el7_9.x86_64

# docker run -it --rm --name ubi8 registry.redhat.io/ubi8 bash

[root@1408b6428d1c /]# ls /run/secrets/*
/run/secrets/redhat.repo

/run/secrets/etc-pki-entitlement:
entitlement1-key.pem  entitlement1.pem  entitlement2-key.pem  entitlement2.pem

/run/secrets/rhsm:
ca  logging.conf  rhsm.conf  syspurpose

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.