Deploying CA Container as Systemd Service - dogtagpki/pki GitHub Wiki

Overview

Note
This page is still under construction.

This document describes how to deploy a CA container as a rootless systemd service using PKI 11.6 or later.

Installing Podman

Install Podman and FUSE OverlayFS:

$ dnf install -y podman fuse-overlayfs

Configure Rootless Container

Execute the following commands as root:

$ setcap cap_setuid+ep /usr/bin/newuidmap
$ setcap cap_setgid+ep /usr/bin/newgidmap
$ usermod --add-subuids 100000-165535 --add-subgids 100000-165535 pkiuser
$ loginctl enable-linger pkiuser

Execute the following commands as pkiuser:

$ mkdir -p $HOME/.config/containers
$ cat > $HOME/.config/containers/storage.conf << EOF
[storage]
driver = "overlay"

[storage.options.overlay]
mount_program = "/usr/bin/fuse-overlayfs"
EOF

Verify with the following command:

$ podman system info
host:
  security:
    rootless: true
store:
  configFile: /home/pkiuser/.config/containers/storage.conf
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs

Installing CA Container Image

Execute the following commands as pkiuser:

$ podman pull quay.io/dogtagpki/pki-ca

Preparing Shared Folders

Execute the following commands as pkiuser:

$ mkdir -p $HOME/.dogtag/pki-ca/certs
$ mkdir -p $HOME/.dogtag/pki-ca/conf
$ mkdir -p $HOME/.dogtag/pki-ca/logs

Creating Systemd Service

Execute the following commands as pkiuser:

$ mkdir -p $HOME/.config/containers/systemd
$ cat > $HOME/.config/containers/systemd/pki-ca.container << EOF
[Unit]
Description=PKI CA

[Container]
Image=pki-ca
Network=host

# run CA container as PKI user
User=pkiuser
Group=pkiuser
UserNS=keep-id

# use shared folders in PKI home directory
Volume=$HOME/.dogtag/pki-ca/certs:/certs
Volume=$HOME/.dogtag/pki-ca/conf:/conf
Volume=$HOME/.dogtag/pki-ca/logs:/logs

# configure DS connection
Environment=PKI_DS_URL=ldap://ds.example.com:3389
Environment=PKI_DS_PASSWORD=Secret.123

[Install]
WantedBy=multi-user.target
EOF

Execute the following commands as pkiuser:

$ systemctl --user daemon-reload

Starting Systemd Service

To start the systemd service, execute the following command as pkiuser:

$ systemctl --user start pki-ca.service

It should start a container named systemd-pki-ca:

$ podman ps
CONTAINER ID  IMAGE                           ... NAMES
1297a77a4a65  quay.io/dogtagpki/pki-ca:latest ... systemd-pki-ca
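As an added example that is not part of this wiki page or the PKI project, the following POSIX shell script runs pre-flight checks on the inputs the procedure above depends on: the subordinate ID range granted to pkiuser (the 100000-165535 range allocates exactly 65536 IDs, the minimum rootless Podman needs), the UserNS=keep-id setting in the Quadlet file, and which Environment= entries in the unit carry a password in clear text. The function names and the sample files it builds are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the dogtagpki wiki): pre-flight checks for the
# rootless pkiuser setup. Each function takes the file to inspect as an
# argument so it can be pointed at the real /etc/subuid or a constructed copy.

# Total subordinate IDs allocated to USER in an /etc/subuid or /etc/subgid
# style file (lines are "user:start:count"; a user may have several lines).
subid_count() {
    awk -F: -v user="$2" '$1 == user { total += $3 } END { print total + 0 }' "$1"
}

# Rootless Podman needs at least 65536 subordinate IDs; returns 0 when the
# allocation in FILE for USER is large enough.
subid_ok() {
    [ "$(subid_count "$1" "$2")" -ge 65536 ]
}

# Prints 1 if the Quadlet .container file contains the exact line KEY=VALUE, else 0.
unit_has() {
    grep -qxF -- "$2=$3" "$1" && echo 1 || echo 0
}

# Lists Environment= variable names that look like passwords, so the operator
# knows which secrets the unit file stores in clear text.
unit_plaintext_secrets() {
    sed -n 's/^Environment=\([A-Za-z0-9_]*PASS[A-Za-z0-9_]*\)=.*/\1/p' "$1"
}

# Constructed sample input mirroring the configuration on this page.
demo() {
    dir=$(mktemp -d)
    printf 'pkiuser:100000:65536\n' > "$dir/subuid"
    cat > "$dir/pki-ca.container" << 'EOF'
[Container]
Image=pki-ca
UserNS=keep-id
Environment=PKI_DS_URL=ldap://ds.example.com:3389
Environment=PKI_DS_PASSWORD=Secret.123
EOF
    subid_ok "$dir/subuid" pkiuser || { echo "subuid range too small"; return 1; }
    [ "$(unit_has "$dir/pki-ca.container" UserNS keep-id)" = 1 ] || return 1
    unit_plaintext_secrets "$dir/pki-ca.container"   # prints PKI_DS_PASSWORD
    rm -rf "$dir"
}
```

Run `demo` to exercise the checks against the constructed files, or call the individual functions with `/etc/subuid`, `/etc/subgid` and `$HOME/.config/containers/systemd/pki-ca.container` on the real host.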
