Customize security policies on the server

The default allowed security algorithms on the server may contain weak ones. This workflow shows you how to apply the same policies in the SUSE Multi-Linux Manager server container than on the container host on podman.

This workflow shows you how to restrict the use of weak security algorithms inside the SUSE Multi-Linux Manager server container by mounting the host’s cryptographic policies.

This approach uses a systemd drop-in file to cleanly handle the volume mount via Podman at startup, ensuring consistency across container Lifecycles.

1. Use Case

This workflow is beneficial when:

  • You need to comply with strict security hardening standards by disabling weak cryptographic algorithms.

  • You want to centralize policy management so that host-level crypto changes automatically apply to the container.

2. Outcome

After completing this workflow, the host’s /etc/crypto-policies directory will be mounted read-only into the server container every time it starts, enforcing your required security baselines.

3. Preparation

Before you start, you should have:

  • Root access to the SUSE Multi-Linux Manager Server host.

  • The desired cryptographic policies already configured and tested on the host system using the crypto-policies package and it update-crypto-policies.

4. Step-by-step Workflow Instructions

Do not modify the systemd service file directly. Always use a drop-in configuration file in the .service.d directory to ensure modifications are preserved during system updates.

Procedure: Creating a systemd drop-in for crypto policy volume mounting
  1. Open a terminal on your SUSE Multi-Linux Manager Server host as the root user.

  2. Create or edit the drop-in configuration file named custom.conf:

    vi /etc/systemd/system/uyuni-server.service.d/custom.conf
  3. Add the following configuration block to inject the read-only volume mount parameter into Podman:

    [Service]
    Environment="PODMAN_EXTRA_ARG=--volume /etc/crypto-policies:/etc/crypto-policies:ro"
  4. Reload the systemd manager configuration to apply the new drop-in file:

    systemctl daemon-reload
  5. Restart the SUSE Multi-Linux Manager services to recreate the container with the newly defined volume mount:

    mgradm restart

== Related Topics

  • For more information on crypto policies, see man 7 crypto-policies.