Downstream customization for appliance creators

[cgwalters]

As an organization making a generic "appliance" delivered as a bootc container image, I still need to expose some customization options for my customers. For example, they may need to inject custom CA certificates, networking, or tweak hardening. How do I do that?

[cgwalters]

The basic answer here is to use /etc and some tool that can inject content into it (cloud-init, kickstart, etc.).

At least on Fedora derivatives, ca certificates are always in /etc/pki/ca-trust, and if that is left in the default bootc state of writable and persistent (as it needs to be for this) then a kickstart %post which writes it will work.

Another case is "customer wants to harden the image, for example noexec on /tmp". That will work fine by writing a drop-in like this:

# /etc/systemd/system/tmp.mount.d/noexec.conf
[Mount]
Options=mode=1777,strictatime,nosuid,nodev,size=50%%,nr_inodes=1m,noexec

Note addition of noexec.

---

Or of course, instead of exposing the generic ability to write files to /etc for your appliance, you could define a custom API that only exposes tested/supported configuration flags. (Ultimately the ability to write generic files to /etc is also the ability to execute arbitrary code, which has tradeoffs).