The default user isolation for container image pulls interacts somewhat poorly with using TLS client certificates to authenticate to registries. It is good practice to restrict read permissions on TLS private keys, so we have systems configured with registry client certificates in `/etc/containers/certs.d/$registry` readable only by root. However, when running `bootc` under systemd (including the default `bootc-fetch-apply-updates.service`), the default user isolation will switch to `nobody` before pulling the container image, which cannot read the client cert and so cannot connect to the registry.

It seems undesirable to open up access to the client key, so for now we've worked around this by unsetting `$INVOCATION_ID` when invoking `bootc` from systemd. Is there a better solution that can be implemented on the `bootc` side?
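The mismatch described above (a root-only client key under `certs.d` versus a pull that runs as `nobody`) can be caught before an update fails. The following preflight check is an added example, not code from the issue or from the bootc project; it assumes GNU `stat -c`, and the registry name `registry.example.com` is a constructed placeholder.

```shell
# can_user_read FILE USER
# Exit 0 if USER can read FILE according to its mode bits, 1 if not,
# 2 if FILE cannot be stat'ed. Pure permission-bit check, so it needs
# neither root nor runuser(1). Assumes GNU coreutils stat(1).
can_user_read() {
    file=$1
    user=$2
    info=$(stat -c '%a %U %G' "$file" 2>/dev/null) || return 2
    set -- $info
    mode=$1 owner=$2 group=$3
    # Keep only the rwx digits (drops a leading setuid/setgid/sticky digit).
    mode=$(printf '%s' "$mode" | tail -c 3)
    u=$(printf '%s' "$mode" | cut -c1)
    g=$(printf '%s' "$mode" | cut -c2)
    o=$(printf '%s' "$mode" | cut -c3)
    # Groups of USER; empty if the account does not exist on this host.
    user_groups=$(id -Gn "$user" 2>/dev/null)
    if [ "$owner" = "$user" ]; then
        bit=$u
    elif printf ' %s ' $user_groups | grep -q " $group "; then
        bit=$g
    else
        bit=$o
    fi
    [ $((bit & 4)) -ne 0 ]
}

# check_registry_keys CERTS_DIR REGISTRY USER
# Reports every *.key under CERTS_DIR/REGISTRY that USER cannot read.
# Exit 0 if all keys are readable by USER, 1 otherwise.
check_registry_keys() {
    dir=$1/$2
    user=$3
    status=0
    for key in "$dir"/*.key; do
        [ -e "$key" ] || { echo "no *.key files in $dir"; return 1; }
        if can_user_read "$key" "$user"; then
            echo "ok:      $key is readable by $user"
        else
            echo "PROBLEM: $key is not readable by $user (pull would fail)"
            status=1
        fi
    done
    return $status
}

# Demo on a constructed certs.d tree (not a real system path): a 0600 key,
# as on the hosts described above, checked against the isolation user.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/registry.example.com"
: > "$demo_dir/registry.example.com/client.key"
chmod 0600 "$demo_dir/registry.example.com/client.key"
check_registry_keys "$demo_dir" registry.example.com nobody || true
rm -rf "$demo_dir"
```

On a real host, run it as `check_registry_keys /etc/containers/certs.d "$registry" nobody` from a unit's `ExecStartPre=` or from a monitoring check, so the failure shows up as a clear message instead of a registry connection error.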