Deploying CA Container as Systemd Service - dogtagpki/pki GitHub Wiki
Note: This page is still under construction.
This document describes how to deploy a CA container as a rootless systemd service using PKI 11.6 or later.
Install Podman and FUSE OverlayFS:

```
$ dnf install -y podman fuse-overlayfs
```
Execute the following commands as root:

```
$ setcap cap_setuid+ep /usr/bin/newuidmap
$ setcap cap_setgid+ep /usr/bin/newgidmap
$ usermod --add-subuids 100000-165535 --add-subgids 100000-165535 pkiuser
$ loginctl enable-linger pkiuser
```
Execute the following commands as pkiuser:

```
$ mkdir -p $HOME/.config/containers
$ cat > $HOME/.config/containers/storage.conf << EOF
[storage]
driver = "overlay"

[storage.options.overlay]
mount_program = "/usr/bin/fuse-overlayfs"
EOF
```
Verify with the following command:

```
$ podman system info
host:
  security:
    rootless: true
store:
  configFile: /home/pkiuser/.config/containers/storage.conf
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
```
Execute the following command as pkiuser:

```
$ podman pull quay.io/dogtagpki/pki-ca
```
Execute the following commands as pkiuser:

```
$ mkdir -p $HOME/.dogtag/pki-ca/certs
$ mkdir -p $HOME/.dogtag/pki-ca/conf
$ mkdir -p $HOME/.dogtag/pki-ca/logs
```
Execute the following commands as pkiuser:

```
$ mkdir -p $HOME/.config/containers/systemd
$ cat > $HOME/.config/containers/systemd/pki-ca.container << EOF
[Unit]
Description=PKI CA

[Container]
Image=pki-ca
Network=host

# run CA container as PKI user
User=pkiuser
Group=pkiuser
UserNS=keep-id

# use shared folders in PKI home directory
Volume=$HOME/.dogtag/pki-ca/certs:/certs
Volume=$HOME/.dogtag/pki-ca/conf:/conf
Volume=$HOME/.dogtag/pki-ca/logs:/logs

# configure DS connection
Environment=PKI_DS_URL=ldap://ds.example.com:3389
Environment=PKI_DS_PASSWORD=Secret.123

[Install]
WantedBy=multi-user.target
EOF
```
Execute the following command as pkiuser:

```
$ systemctl --user daemon-reload
```
To start the systemd service, execute the following command as pkiuser:

```
$ systemctl --user start pki-ca.service
```
It should start a systemd-pki-ca container:

```
$ podman ps
CONTAINER ID  IMAGE                            ...  NAMES
1297a77a4a65  quay.io/dogtagpki/pki-ca:latest  ...  systemd-pki-ca
```
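Before enabling the unit, it is worth checking the [Container] settings written above. The following is an added example, not part of the dogtagpki wiki or the PKI project: a small parser for the Quadlet `.container` format (repeated keys such as `Volume=` and `Environment=` are kept, which `configparser` would not do) and an audit that flags the settings a reviewer would look at: `UserNS=keep-id` present, `Network=host` in use, and a password stored in clear text via `Environment=`. The sample unit is constructed from the page with `$HOME` left unexpanded; the check names are my own.

```python
import re
# Constructed sample: the Quadlet unit this page writes for pki-ca.
SAMPLE_UNIT = """\
[Unit]
Description=PKI CA

[Container]
Image=pki-ca
Network=host
# run CA container as PKI user
User=pkiuser
Group=pkiuser
UserNS=keep-id
Volume=$HOME/.dogtag/pki-ca/certs:/certs
Volume=$HOME/.dogtag/pki-ca/conf:/conf
Volume=$HOME/.dogtag/pki-ca/logs:/logs
Environment=PKI_DS_URL=ldap://ds.example.com:3389
Environment=PKI_DS_PASSWORD=Secret.123
[Install]
WantedBy=multi-user.target
"""

def parse_quadlet(text):
    """Return {section: {key: [values]}}; repeated keys (Volume=, Environment=) are kept."""
    units, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank lines and comments
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = units.setdefault(header.group(1), {})
        elif section is not None:
            key, _, value = line.partition("=")
            section.setdefault(key.strip(), []).append(value.strip())
    return units

def audit(text):
    """Return the [Container] settings a reviewer should look at before starting the service."""
    c = parse_quadlet(text).get("Container", {})
    findings = []
    if "keep-id" not in c.get("UserNS", []):
        findings.append("UserNS=keep-id missing: host pkiuser will not be pkiuser inside the container")
    if "host" in c.get("Network", []):
        findings.append("Network=host: the container shares the host network namespace")
    for env in c.get("Environment", []):
        name = env.partition("=")[0]
        if "PASSWORD" in name.upper():
            findings.append(f"{name} is stored in clear text in the unit file")
    return findings
```

Run `audit(open(path).read())` against the real `~/.config/containers/systemd/pki-ca.container`; with the page's unit it reports the host network and the clear-text `PKI_DS_PASSWORD`, and nothing about `UserNS`.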