Red Hat SummitEste conteúdo não está disponível no idioma selecionado.
Chapter 6. Best practices for running containers using local sources
You can access content hosted in an internal registry that requires a custom Transport Layer Security (TLS) root certificate, when running RHEL bootc images.
There are two options available to install content to a container by using only local resources:
-
Bind mounts: Use for example
-v /etc/pki:/etc/pkito override the container’s store with the host’s. -
Derived image: Create a new container image with your custom certificates by building it using a
Containerfile.
You can use the same techniques to run a bootc-image-builder` container or a bootc container when appropriate.
6.1. Importing custom certificate to a container by using bind mounts
Use bound mounts to override the container’s store with the host’s.
Procedure
Run RHEL bootc image and use bind mount, for example
-v /etc/pki:/etc/pki, to override the container’s store with the host’s:# podman run \ --rm \ -it \ --privileged \ --pull=newer \ --security-opt label=type:unconfined_t \ -v $(pwd)/output:/output \ -v /etc/pki:/etc/pki \ localhost/<image> \ --type iso \ --config /config.toml \ quay.io/<namespace>/<image>:<tag>
Verification
List certificates inside the container:
# ls -l /etc/pki
6.2. Importing custom certificates to a container by using Containerfile
Create a new container image with your custom certificates by building it using a Containerfile.
Procedure
Create a
Containerfile:FROM <internal_repository>/<image> RUN mkdir -p /etc/pki/ca-trust/extracted/pem/ COPY tls-ca-bundle.pem /etc/pki/ca-trust/extracted/pem/ RUN rm -rf /etc/yum.repos.d/* COPY echo-rhel9_4.repo /etc/yum.repos.d/
Build the custom image:
# podman build -t <your_image> .Run the
<your_image>:# podman run -it --rm <your_image>
Verification
List the certificates inside the container:
# ls -l /etc/pki/ca-trust/extracted/pem/ tls-ca-bundle.pem
