Comment 2 for bug 1903508

Martin Schuppert (mschuppert) wrote :

For example, the podman info log at https://logserver.rdoproject.org/openstack-periodic-integration-stable1/opendev.org/openstack/tripleo-ci/master/periodic-tripleo-ci-centos-8-standalone-on-multinode-ipa-victoria/2858887/logs/undercloud/var/log/extra/podman/containers/nova_libvirt/podman_info.log.txt.gz shows that the bind mounts are configured for the libvirt container:

        "HostConfig": {
            "Binds": [
                "/var/lib/config-data/puppet-generated/nova_libvirt:/var/lib/kolla/config_files/src:ro,rprivate,rbind",
                "/etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro,rprivate,rbind",
                "/var/log/libvirt/qemu:/var/log/libvirt/qemu:ro,rprivate,rbind",
                "/etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro,rprivate,rbind",
                "/etc/pki/qemu/server-cert.pem:/etc/pki/qemu/server-cert.pem:ro,rprivate,rbind",
                "/var/log/containers/libvirt:/var/log/libvirt:rw,rprivate,rbind",
                "/var/lib/libvirt:/var/lib/libvirt:shared,rw,rbind",
                "/etc/pki/libvirt-vnc/server-key.pem:/etc/pki/libvirt-vnc/server-key.pem:ro,rprivate,rbind",
                "/sys/fs/cgroup:/sys/fs/cgroup:rw,rprivate,noexec,nosuid,nodev,rbind",
                "/etc/pki/libvirt-vnc/server-cert.pem:/etc/pki/libvirt-vnc/server-cert.pem:ro,rprivate,rbind",
                "/var/lib/vhost_sockets:/var/lib/vhost_sockets:rw,rprivate,rbind",
                "/etc/ipa/ca.crt:/etc/pki/CA/cacert.pem:ro,rprivate,rbind",
                "/etc/pki/libvirt-nbd:/etc/pki/libvirt-nbd:ro,rprivate,rbind",
                "/etc/hosts:/etc/hosts:ro,rprivate,rbind",
                "/run:/run:rw,rprivate,nosuid,nodev,rbind",
                "/var/cache/libvirt:/var/cache/libvirt:shared,rw,rbind",
                "/var/lib/nova:/var/lib/nova:shared,rw,rbind",
                "/etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts:ro,rprivate,rbind",
                "/etc/ipa/ca.crt:/etc/ipa/ca.crt:ro,rprivate,rbind",
                "/etc/ceph:/var/lib/kolla/config_files/src-ceph:ro,rprivate,rbind",
                "/etc/selinux/config:/etc/selinux/config:ro,rprivate,rbind",
                "/lib/modules:/lib/modules:ro,rprivate,rbind",
                "/etc/pki/qemu/ca-cert.pem:/etc/pki/qemu/ca-cert.pem:ro,rprivate,rbind",
                "/sys/fs/selinux:/sys/fs/selinux:rw,rprivate,rbind",
                "/etc/localtime:/etc/localtime:ro,rprivate,rbind",
                "/var/lib/container-config-scripts/nova_libvirt_launcher.sh:/nova_libvirt_launcher.sh:ro,rprivate,rbind",
                "/etc/pki/ca-trust/source/anchors:/etc/pki/ca-trust/source/anchors:ro,rprivate,rbind",
                "/dev/log:/dev/log:rw,rprivate,nosuid,rbind",
                "/run/libvirt:/run/libvirt:shared,rw,nosuid,nodev,rbind",
                "/dev:/dev:rw,rprivate,nosuid,rbind",
                "/etc/pki/CA/certs/vnc.crt:/etc/pki/libvirt-vnc/ca-cert.pem:ro,rprivate,rbind",
                "/etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro,rprivate,rbind",
                "/etc/pki/libvirt:/etc/pki/libvirt:ro,rprivate,rbind",
                "/etc/libvirt:/etc/libvirt:rw,rprivate,rbind",
                "/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro,rprivate,rbind",
                "/var/lib/kolla/config_files/nova_libvirt.json:/var/lib/kolla/config_files/config.json:ro,rprivate,rbind",
                "/etc/pki/qemu/server-key.pem:/etc/pki/qemu/server-key.pem:ro,rprivate,rbind",
                "/etc/puppet:/etc/puppet:ro,rprivate,rbind"
            ],
...
            {
                "Type": "bind",
                "Name": "",
                "Source": "/etc/pki/libvirt-vnc/server-key.pem",
                "Destination": "/etc/pki/libvirt-vnc/server-key.pem",
                "Driver": "",
                "Mode": "",
                "Options": [
                    "rbind"
                ],
                "RW": false,
                "Propagation": "rprivate"
            },
            {
                "Type": "bind",
                "Name": "",
                "Source": "/sys/fs/cgroup",
                "Destination": "/sys/fs/cgroup",
                "Driver": "",
                "Mode": "",
                "Options": [
                    "noexec",
                    "nosuid",
                    "nodev",
                    "rbind"
                ],
                "RW": true,
                "Propagation": "rprivate"
            },
            {
                "Type": "bind",
                "Name": "",
                "Source": "/etc/pki/libvirt-vnc/server-cert.pem",
                "Destination": "/etc/pki/libvirt-vnc/server-cert.pem",
                "Driver": "",
                "Mode": "",
                "Options": [
                    "rbind"
                ],
                "RW": false,
                "Propagation": "rprivate"
            },

The certs are generated on the host, under /etc/pki/libvirt-vnc/, which is the source side of the read-only libvirt-vnc bind mounts shown above: https://logserver.rdoproject.org/openstack-periodic-integration-stable1/opendev.org/openstack/tripleo-ci/master/periodic-tripleo-ci-centos-8-standalone-on-multinode-ipa-victoria/2858887/logs/undercloud/etc/pki/libvirt-vnc/