Chapter 5. Best practices for running containers using local sources
When running RHEL bootc images, you can access content hosted in an internal registry that requires a custom Transport Layer Security (TLS) root certificate.
There are two options available to install content to a container by using only local resources:
- Bind mounts: Use, for example, -v /etc/pki:/etc/pki to override the container’s store with the host’s.
- Derived image: Create a new container image with your custom certificates by building it using a Containerfile.
You can use the same techniques to run a bootc-image-builder container or a bootc container when appropriate.
5.1. Importing custom certificate to a container by using bind mounts
Use bind mounts to override the container’s store with the host’s.
Procedure
Run bootc-image-builder and use a bind mount, for example -v /etc/pki:/etc/pki, to override the container’s store with the host’s:

    # podman run \
        --rm \
        -it \
        --privileged \
        --pull=newer \
        --security-opt label=type:unconfined_t \
        -v $(pwd)/output:/output \
        -v /etc/pki:/etc/pki \
        registry.redhat.io/rhel10/bootc-image-builder:latest \
        --type iso \
        --config /config.toml \
        quay.io/<namespace>/<image>:<tag>
Verification
- The disk image build process should now be able to access internal certificates.
5.2. Importing custom certificates to an image by using Containerfile
Include instructions to install custom certificate roots with a Containerfile.
Procedure
1. Create a Containerfile:

    FROM <internal_repository>/<image>
    # Add certificate to the input set of anchors
    COPY additional-certificate-root.pem /etc/pki/ca-trust/source/anchors
    RUN update-ca-trust

2. Build the custom image:

    # podman build -t <your_image> .

3. Run the <your_image> image:

    # podman run -it --rm <your_image>
Verification
Verify your certificate is in the generated merged store:

    # cat /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
    ...
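Reading the whole merged bundle by eye does not tell you whether your particular anchor was merged. The following script is an added example, not part of the Red Hat documentation or of bootc-image-builder: it extracts the base64 body of each certificate in a PEM file using only awk and grep (no openssl required) and checks that the body of the anchor file appears in the merged bundle. It serves both procedures on this page: for the derived image (5.2) run it inside the container, and for the bind mount (5.1) run it on the host against the host's /etc/pki, because that directory is exactly what the container sees through -v /etc/pki:/etc/pki. The file names and /etc/pki paths come from the page; the PEM contents below are constructed placeholder text, not real certificates, so the check can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation: confirm that a custom
# root anchor is really present in the merged bundle that update-ca-trust
# writes. Typical invocation on a real system (paths from the page):
#   verify_anchor_in_bundle /etc/pki/ca-trust/source/anchors/additional-certificate-root.pem \
#                           /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

# Print the base64 body of every CERTIFICATE block in a PEM file, one body per
# line, with whitespace stripped so line wrapping does not affect the comparison.
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { body = ""; inside = 1; next }
        /-----END CERTIFICATE-----/   { inside = 0; print body; next }
        inside                        { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1" 2>/dev/null
}

# verify_anchor_in_bundle ANCHOR_PEM BUNDLE_PEM
# Exit status: 0 anchor found in bundle, 1 anchor missing, 2 anchor file unreadable or empty.
verify_anchor_in_bundle() {
    anchor=$(pem_bodies "$1" | head -n 1)
    [ -n "$anchor" ] || return 2
    pem_bodies "$2" | grep -Fxq -- "$anchor"
}

# Constructed sample input (placeholder text, not real certificates): an anchor,
# a bundle that already contains it, and a stale bundle from before
# update-ca-trust was run.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/additional-certificate-root.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBsampleANCHORbodyLine1
MIIBsampleANCHORbodyLine2
-----END CERTIFICATE-----
EOF
cat > "$SAMPLE_DIR/tls-ca-bundle.pem" <<'EOF'
# Distro CA (constructed placeholder)
-----BEGIN CERTIFICATE-----
MIIBsampleDISTROcaBody
-----END CERTIFICATE-----
# Custom anchor (constructed placeholder), as merged by update-ca-trust
-----BEGIN CERTIFICATE-----
MIIBsampleANCHORbodyLine1
MIIBsampleANCHORbodyLine2
-----END CERTIFICATE-----
EOF
cat > "$SAMPLE_DIR/stale-bundle.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBsampleDISTROcaBody
-----END CERTIFICATE-----
EOF

# Demonstration on the constructed files; against a real system pass the
# /etc/pki paths shown at the top instead.
for bundle in tls-ca-bundle.pem stale-bundle.pem; do
    if verify_anchor_in_bundle "$SAMPLE_DIR/additional-certificate-root.pem" "$SAMPLE_DIR/$bundle"; then
        echo "$bundle: custom anchor present"
    else
        echo "$bundle: custom anchor MISSING (run update-ca-trust and rebuild)"
    fi
done
```

A missing anchor in the derived-image case usually means the COPY landed outside /etc/pki/ca-trust/source/anchors or RUN update-ca-trust was omitted; in the bind-mount case it means the host itself has not merged the anchor yet, and the container will not trust the registry until the host's bundle is regenerated.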