Hi,
so for context, I want to isolate most services I plan on running inside
containers, each with its own nginx, php, etc.
My issue is with credentials. I would like the host to handle the
renewal of the TLS certificate, and to have the credentials propagated via
systemd-nspawn to the services that run within each container. I get the
basic idea of how to implement this, but from what I'm reading, once the
credentials are loaded, they are immutable for as long as the service
runs -- in this case I'm assuming as long as the nspawn container itself
runs.
So how would I best handle renewal of the certificate? Would I have to
restart each container via machinectl in order to reload this, thus
causing very brief downtime on all of my services?
Is there a better way of doing what I'm trying to accomplish here? Nginx
can access the certificate normally, but I would like to run it as a
totally dynamic user combo. I also host other services that do not run
as root first before dropping privileges, so they require access to the
certificate another way. So I thought of systemd's credentials
management to give access without compromising on security and isolation.
[systemd-devel] how to use systemd credentials properly (Xogium)
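An added illustration of the host-to-container credential wiring the post describes (not part of the original message or of systemd's own documentation); the certificate paths, the machine name `web` and the unit name `app.service` are assumptions:

```ini
# Host side, assumed path: /etc/systemd/nspawn/web.nspawn
# systemd-nspawn reads this file when the "web" container is started. The
# host's renewal tooling keeps the PEM files current; the container itself
# never needs read or write access to the host paths.
[Exec]
LoadCredential=tls.crt:/etc/letsencrypt/live/example.org/fullchain.pem
LoadCredential=tls.key:/etc/letsencrypt/live/example.org/privkey.pem

# Container side, assumed path:
# /etc/systemd/system/app.service.d/credentials.conf (a drop-in for a
# service that never runs as root, so it cannot read the files directly)
[Service]
# No path after the ID: inherit the credential of that name from the
# container's own service manager, which received it from the host at
# container start (requires systemd 250 or newer in the container).
LoadCredential=tls.crt
LoadCredential=tls.key
DynamicUser=yes
# The service finds the files at $CREDENTIALS_DIRECTORY/tls.crt and
# $CREDENTIALS_DIRECTORY/tls.key (for system services that directory is
# /run/credentials/app.service/), owned by the dynamic user and readable
# only by it. The contents are fixed for the lifetime of the service; a
# certificate renewed on the host is only picked up once the container is
# started again, which is the limitation the post asks about.
```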