Customize security policies on the server
The default allowed security algorithms on the server may contain weak ones. This workflow shows you how to apply the same policies in the SUSE Multi-Linux Manager server container than on the container host on podman.
This workflow shows you how to restrict the use of weak security algorithms inside the SUSE Multi-Linux Manager server container by mounting the host’s cryptographic policies.
This approach uses a systemd drop-in file to cleanly handle the volume mount via Podman at startup, ensuring consistency across container Lifecycles.
1. Use Case
This workflow is beneficial when:
-
You need to comply with strict security hardening standards by disabling weak cryptographic algorithms.
-
You want to centralize policy management so that host-level crypto changes automatically apply to the container.
2. Outcome
After completing this workflow, the host’s /etc/crypto-policies directory will be mounted read-only into the server container every time it starts, enforcing your required security baselines.
3. Preparation
Before you start, you should have:
-
Root access to the SUSE Multi-Linux Manager Server host.
-
The desired cryptographic policies already configured and tested on the host system using the
crypto-policiespackage and itupdate-crypto-policies.
4. Step-by-step Workflow Instructions
|
Do not modify the systemd service file directly. Always use a drop-in configuration file in the |
Open a terminal on your SUSE Multi-Linux Manager Server host as the
rootuser.Create or edit the drop-in configuration file named
custom.conf:vi /etc/systemd/system/uyuni-server.service.d/custom.confAdd the following configuration block to inject the read-only volume mount parameter into Podman:
[Service] Environment="PODMAN_EXTRA_ARG=--volume /etc/crypto-policies:/etc/crypto-policies:ro"Reload the systemd manager configuration to apply the new drop-in file:
systemctl daemon-reloadRestart the SUSE Multi-Linux Manager services to recreate the container with the newly defined volume mount:
mgradm restart== Related Topics
For more information on crypto policies, see
man 7 crypto-policies.