On 9/14/22 17:24, Mikhaël MYARA wrote:
dear all,

    I work on a podman container for postfix + dovecot. On my host, the encrypt keys (including the private key) are stored in /etc/letsencrypt/live/xxxxx.xxx/, and these keys have to be used by both postfix and dovecot.

   However the "/etc/letsencrypt/live" folder is only accessible by root, so that when I share the /etc/letsencrypt folder using the -v option, the container has no access to the live folder. Of course, if I do awful things like chmod 777 on the /etc/letsencrypt/live folder everything is ok. But of course it is not a good way for that.

  I wanted to know what I should do to avoid this chmod 777 while working with a rootless container. Can I map the volume using root ? (and if so is it a good idea ?) Should I play with groups on the host (= a group called like "encrypters", that may contain only root and the user that runs the container ?) Or a root process that performs copies of the keys ? 
  I also have seen the "--secret"  option for podman I did not understad If it would solve my problem. Please also notice that the "let's encrypt" keys are re-generated sometimes because they have a 1 month lifetime.

  If there is some guideline somewhere about this topic please show me.

  My host is ubuntu 22.04, and the podman version is 3.4.4. I don't use SE linux for now.

  Thanks a lot,

Podman mailing list -- podman@lists.podman.io
To unsubscribe send an email to podman-leave@lists.podman.io

I guess if the goal is to change the /etc/letsencrypt/live on the host via a container, then  you will have to make the directory writable by the non root user running the container.

This can be done using group access or ACLs. Inside of the container the files will look like they are owned by the nobody user.

If you want the files read from the host but only writeable from within the container, IE they don't effect the host at all, you could try to mount the volume as an Overlay volume.

-v /etc/letsencrypt/live:/etc/letsencrypt/live:O

Note the values here will be private to the container and will be removed when the container is destroyed.

If you don't want values read from the host at all, but just the container to use secrets, then you could use secrets