On 2/1/21 4:37 PM, Ioan Rogers via Podman wrote:
Hi,
I'm on Ubuntu, and I've recently encountered an issue when trying to use rootless
podman with the docker-credential-gcloud helper installed via snap.
This works fine when using the official google-cloud-sdk apt packages, and it used to
work with snap packages until last October.
On the off-chance that tweaking your setup is a possible/easier fix:
I found it trivial to use rootless-podman in an interactive script with
the SDK image `docker.io/google/cloud-sdk:alpine` and simply point it at
the executing user's configuration. Something like:
GCLOUD="podman run -it --rm --security-opt label=disable \
    -v $HOME/.config/gcloud:/root/.config/gcloud \
    -v $HOME/.config/gcloud/ssh:/root/.ssh \
    $GCLOUD_IMAGE gcloud --configuration=$CFGNAME --project=$PROJECT"
Then the user (or a script) can simply do things like:
$GCLOUD init --project=$PROJECT --console-only --skip-diagnostics
$GCLOUD compute instances create --zone=$ZONE ...
---
For non-interactive use, we use pre-built container images containing the
installed SDK along with an entrypoint script. From the host side, we
call these containers, passing in the GCP service-account JSON within an
env. var.
For automated use, I deliberately avoid writing and volume-mounting in
the credentials. This improves security because it avoids the on-disk
credentials being accessible from two places (host and container).
The function we call to set up GCP inside the container is here for
reference:
https://github.com/containers/automation_images/blob/master/imgts/lib_ent...
--
Chris Evich, RHCA III
Senior Quality Assurance Engineer
If it ain't broke, yain't tryin' hard nough.
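The non-interactive pattern described above (service-account JSON handed to the container in an environment variable, nothing credential-related volume-mounted from the host) as an added example. This is not the `lib_ent...` function linked above nor any code from the automation_images repository; it assumes the variable name `GCP_SA_JSON`, that the `gcloud` CLI is installed in the image, and uses a constructed placeholder key that is not a real credential.

```shell
#!/bin/sh
# Added example of an entrypoint-style helper: the service-account key arrives
# in the environment (GCP_SA_JSON is an assumed name) and is written only to a
# private file inside the container, so no host path holds it for both sides.
set -eu

# Constructed sample key: shaped like a service-account JSON, placeholder values.
SAMPLE_SA_JSON='{"type":"service_account","project_id":"example-project",
"client_email":"ci-runner@example-project.iam.gserviceaccount.com",
"private_key_id":"PLACEHOLDER","private_key":"PLACEHOLDER"}'

# Shape check before anything touches gcloud: the value must carry the fields a
# service-account key has.  Deliberately not a full JSON parse (no jq in image).
sa_key_looks_valid() {
    case "$1" in *'"type"'*) ;; *) return 1 ;; esac
    case "$1" in *'"service_account"'*) ;; *) return 1 ;; esac
    case "$1" in *'"client_email"'*) ;; *) return 1 ;; esac
    return 0
}

# Write the key to a 0600 file inside the container and print its path.
# umask 077 in a subshell makes the file private from the moment it is created
# and keeps the umask change from leaking into the rest of the script.
write_sa_key() {
    key_json="$1"
    key_dir="${2:-${TMPDIR:-/tmp}}"
    sa_key_looks_valid "$key_json" || {
        echo "refusing to write: value does not look like a service-account key" >&2
        return 1
    }
    key_file="$key_dir/gcp-sa-key.$$.json"
    (umask 077 && printf '%s\n' "$key_json" > "$key_file")
    printf '%s\n' "$key_file"
}

# Container-side setup: take the key from the environment, store it privately,
# activate it, then unset the variable so later child processes don't inherit it.
setup_gcp_from_env() {
    : "${GCP_SA_JSON:?GCP_SA_JSON must be set in the container environment}"
    key_file=$(write_sa_key "$GCP_SA_JSON")
    unset GCP_SA_JSON
    gcloud auth activate-service-account --key-file="$key_file"
}

# Host side, for reference (comment only): with the key already in the CI job's
# environment, `-e GCP_SA_JSON` forwards it without the host writing a file:
#   podman run --rm -e GCP_SA_JSON my-sdk-image gcloud compute instances list
```

An image entrypoint would call `setup_gcp_from_env` and then `exec "$@"`. Note that an environment variable is still readable by the invoking user through `podman inspect` and `/proc/<pid>/environ`, so this moves the secret off shared disk rather than hiding it from that user; podman releases with `podman secret create` and `podman run --secret NAME` (exposed at `/run/secrets/NAME` inside the container) give the same host-file-free handoff without placing the key in the container's environment.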