From b9cf7b7db5d35fee40142ed8aa667c6cef9dc050 Mon Sep 17 00:00:00 2001
From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Date: Thu, 3 Jun 2021 16:08:27 +0900
Subject: [PATCH] rootless: fix "x509: certificate signed by unknown authority"
 on openSUSE Tumbleweed

openSUSE Tumbleweed was facing "x509: certificate signed by unknown authority" error,
as `/etc/ssl/ca-bundle.pem` is provided as a symlink to `../../var/lib/ca-certificates/ca-bundle.pem`,
which was not supported by `rootlesskit --copy-up=/etc` .

See rootless-containers/rootlesskit issues 225

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 8610d8ce4cd28fe17c0867fbcb0714135ba9bbb8)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
---
 contrib/dockerd-rootless.sh | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/contrib/dockerd-rootless.sh b/contrib/dockerd-rootless.sh
index 9c6c0f8c52..b9eda0a023 100755
--- a/contrib/dockerd-rootless.sh
+++ b/contrib/dockerd-rootless.sh
@@ -118,5 +118,15 @@ else
 		# https://github.com/moby/moby/issues/41230
 		chcon system_u:object_r:iptables_var_run_t:s0 /run
 	fi
+
+	if [ "$(stat -c %T -f /etc)" = "tmpfs" ] && [ -L "/etc/ssl" ]; then
+		# Workaround for "x509: certificate signed by unknown authority" on openSUSE Tumbleweed.
+		# https://github.com/rootless-containers/rootlesskit/issues/225
+		realpath_etc_ssl=$(realpath /etc/ssl)
+		rm -f /etc/ssl
+		mkdir /etc/ssl
+		mount --rbind ${realpath_etc_ssl} /etc/ssl
+	fi
+
 	exec dockerd $@
 fi