
As the title says, I need a rootless podman container to have access to SSL keys (created with certbot, of course) from the host (Fedora CoreOS, SELinux active) machine, since the main server on the host will be running in that container. However, it would obviously be bad to set the permissions on the keys too permissively, or just wrongly in general, so what should I do?

Should I set the group on the keys to the containers group that I have the podman container running as part of, and allow read access to the keys for that group? This seems like the right move, but if so, I don't know how to change the owner on the keys, because chown doesn't work.

1 Answer

Taken from this tutorial

  1. Create a directory to store the SSL cert and key in the host machine.
  2. Copy the SSL cert and key to the directory created in step 1.
  3. Create a Podman container with the necessary software to use the SSL cert and key.
  4. Mount the directory created in step 1 to the Podman container.
  5. Configure the software in the Podman container to use the SSL cert and key.

Steps 1 and 2 look something like:

mkdir /mnt/certs
cp /etc/mycerts/mycert.pem /mnt/certs
cp /etc/mycerts/privkey.pem /mnt/certs

3 & 4 can be combined into one step. For example:

podman run -d --name nginx -v /mnt/certs:/etc/nginx/certs:z nginx

Creates a pod with nginx installed and mounts the host's /mnt/certs to the pod's /etc/nginx/certs.

So this way, there's an isolated copy of your certs, maintained by the host but mounted in your pod.
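The staging procedure above, carried through as an added example that is not part of the original answer: a POSIX shell script that copies the certbot output into the host-side directory with the key closed to "other", hands the copies to the host user who runs rootless podman, and mounts them read-only with a private SELinux label. With rootless podman the invoking host user is mapped to UID 0 inside the container, so files that user owns appear root-owned to the server process; a chown into the container's own UID range is only needed when the server runs as a non-root UID, and then it has to go through `podman unshare`, which is why a plain `chown` from the rootless user fails. The paths, the `containers` user name, the `example.com` domain and the published port are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original answer: stage certbot output on the
# host for a rootless podman container without making the private key readable
# to anyone but the intended user. Run as root (for example from a certbot
# --deploy-hook) because /etc/letsencrypt is root-only.
#
# Assumptions (hypothetical names, adjust to your setup):
#   CERT_SRC      certbot live directory for the domain
#   CERT_DIR      staging directory on the host
#   PODMAN_USER   host user who runs podman; rootless podman maps it to UID 0
#                 inside the container, so files it owns look root-owned there
#   CONTAINER_UID set only if the server inside the container runs as a
#                 non-root UID and must own the key itself (empty = skip)
set -eu

CERT_SRC="${CERT_SRC:-/etc/letsencrypt/live/example.com}"
CERT_DIR="${CERT_DIR:-/mnt/certs}"
PODMAN_USER="${PODMAN_USER:-containers}"
CONTAINER_UID="${CONTAINER_UID:-}"

# Copy cert and key into the staging dir: directory and key grant nothing to
# "other", certificate stays public. cp -L dereferences certbot's live/
# symlinks so the container sees real files rather than dangling links.
stage_certs() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    chmod 0750 "$dst"
    cp -L "$src/fullchain.pem" "$dst/fullchain.pem"
    cp -L "$src/privkey.pem" "$dst/privkey.pem"
    chmod 0644 "$dst/fullchain.pem"
    chmod 0640 "$dst/privkey.pem"
}

# Permission string of a path, e.g. -rw-r-----, via ls for portability.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Succeeds only if the key grants no permission bits to "other".
key_is_private() {
    case "$(perm_string "$1")" in
        ???????---) return 0 ;;
        *)          return 1 ;;
    esac
}

# Hand the staged copies to the host user that runs podman (root may chown).
give_to_podman_user() {
    chown -R "$1:$1" "$2"
}

# Only for a non-root in-container UID: from the rootless user a plain chown to
# that UID fails because it lives in the subuid range, but inside the user
# namespace (podman unshare) the mapping is valid. Afterwards the host user can
# no longer overwrite the files directly; restage through podman unshare too.
map_owner_to_container() {
    runuser -u "$PODMAN_USER" -- podman unshare chown -R "$1:$1" "$2"
}

# :Z gives the directory a private SELinux label (the answer's :z is the shared
# variant); ro keeps the container from altering the staged copies.
run_command() {
    printf 'podman run -d --name nginx -v %s:/etc/nginx/certs:ro,Z -p 8443:443 nginx\n' "$1"
}

if [ "${1:-}" = "deploy" ]; then
    stage_certs "$CERT_SRC" "$CERT_DIR"
    key_is_private "$CERT_DIR/privkey.pem" || { echo "privkey.pem is world-readable" >&2; exit 1; }
    give_to_podman_user "$PODMAN_USER" "$CERT_DIR"
    if [ -n "$CONTAINER_UID" ]; then
        map_owner_to_container "$CONTAINER_UID" "$CERT_DIR"
    fi
    # Start the container as the rootless user, not as root.
    runuser -u "$PODMAN_USER" -- sh -c "$(run_command "$CERT_DIR")"
fi
```

With the official nginx image the master process runs as root inside the container, which is the rootless host user on the outside, and it reads the key before forking the unprivileged workers, so `CONTAINER_UID` stays empty; set it only for an image that runs the server itself as an unprivileged UID. The script is idempotent, so pointing a certbot deploy hook at `script deploy` restages the files on every renewal (restart the container afterwards so nginx reloads them).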
