Red Hat SummitChapter 5. Best practices for running containers by using local sources
You can access content hosted in an internal registry that requires a custom Transport Layer Security (TLS) root certificate, when running RHEL bootc images.
You can install content to a container by using only local resources in two way: * By using the bind mounts: This option overrides the container’s store with the host’s. * By using the derived image option: This option creates a new container image with your custom certificates by building it with a Containerfile.
You can use the same techniques to run a bootc-image-builder container or a bootc container when appropriate.
5.1. Importing custom certificate to a container by using bind mounts
To import custom certificates into Red Hat Enterprise Linux containers by using bind mounts, you can establish trust for private certificate authorities. Providing certificates at runtime allows applications to establish connections without requiring you to rebuild the container image for every credential update.
Procedure
Run a
bootc-image-buildertool and use a bind mount, for example-v /etc/pki:/etc/pki, to override the container’s store with the host’s:# podman run \ --rm \ -it \ --privileged \ --pull=newer \ --security-opt label=type:unconfined_t \ -v ./output:/output \ -v /etc/pki:/etc/pki \ registry.redhat.io/rhel10/bootc-image-builder:latest \ --type iso \ --config /config.toml \ quay.io/<namespace>/<image>:<tag>
Verification
- The disk image build process can access internal certificates.
5.2. Importing custom certificates to an image by using a Containerfile
Import custom certificates into your Red Hat Enterprise Linux container image by defining them in the Containerfile. By adding these certificates during the build process, you can enable containerized applications to establish trusted connections with internal services or private certificate authorities.
Include instructions to install custom certificate roots with a Containerfile.
Procedure
Create a
Containerfile:FROM <internal_repository>/<image> # Add certificate to the input set of anchors COPY additional-certificate-root.pem /etc/pki/ca-trust/source/anchors RUN update-ca-trustBuild the custom image:
# podman build -t <your_image> .Run the
<your_image>:# podman run -it --rm <your_image>
Verification
Verify your certificate is in the generated merged store:
# cat etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem ...
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}