Copy flatpak's approach to trusting host CA certs

[cgwalters]

See flatpak/flatpak#1757

We should debate whether it's opt-in (--host-ca-certs) or opt-out (--disable-host-ca-certs). The argument for having this opt in is theoretically it's an information leak from the host that some people may not want. But the argument for having it opt out is...I think almost every "normal" use of podman would want this.

[rhatdan]

@cgwalters What path would that be
--host-cert /etc/pki?

[rhatdan]

@cgwalters ???

[rhatdan]

@cgwalters Is this still something you suggest we do or should I close?

[cgwalters]

Why wouldn't we want this? I mean today I provision the RH internal CA cert on both my host and in my toolbox container, and it's an annoyance every time I spin up a non-toolbox podman container and it can't talk https:// to internal websites.

[rhatdan]

I am asking more of what you expect to have happen.
Mount /run/user/%d/p11-kit/pkcs11 into the container?
This will be blocked by SELinux, so we would need to allow this.
Copy and mount "/etc/pkcs11/modules/p11-kit-trust.module" into the container?
Create container specific version of /etc/pkcs11/pkcs11.conf and mount it in place.

Others?

[cgwalters]

I am asking more of what you expect to have happen.

The high level is: Define an API for a container to gain access to the host's trusted CA roots. You're asking more about the implementation:

Mount /run/user/%d/p11-kit/pkcs11 into the container? This will be blocked by SELinux, so we would need to allow this.

Right, doing it the same way flatpak does would make sense to me. (It works for flatpak without policy changes because flatpak doesn't apply special labels to its containers)

[rhatdan]

@vrothberg could you look into this?

[vrothberg]

@vrothberg could you look into this?

Sure. I will go through my backlog after Flock.

[rhatdan]

great

[vrothberg]

Sure. I will go through my backlog after Flock.

That didn't work out well. Will look into it latest next week, promised.