diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml
index 248cde18..6c6fc19c 100644
--- a/.github/workflows/build-test.yaml
+++ b/.github/workflows/build-test.yaml
@@ -76,13 +76,19 @@ jobs:
 - os: fedora-40
 - os: fedora-40
 readonly: --read-only
+ volume: freeipa-data
 - os: fedora-40
 readonly: --read-only
 ca: --external-ca
 - os: fedora-rawhide
+ - os: fedora-rawhide
+ readonly: --read-only
+ ca: --external-ca
+ volume: freeipa-data
 - os: centos-9-stream
 - os: centos-9-stream
 readonly: --read-only
+ volume: freeipa-data
 - os: centos-9-stream
 readonly: --read-only
 ca: --external-ca
@@ -96,8 +102,10 @@ jobs:
 name: freeipa-server-${{ matrix.os }}
 - name: Load image
 run: gunzip < freeipa-server-${{ matrix.os }}.tar.gz | docker load
+ - run: docker volume create ${{ matrix.volume }}
+ if: ${{ matrix.volume }} == freeipa-data
 - name: Run master and replica
- run: readonly=${{ matrix.readonly }} ca=${{ matrix.ca }} seccomp=${{ matrix.seccomp }} replica=${{ matrix.replica }} tests/run-master-and-replica.sh localhost/freeipa-server:${{ matrix.os }}
+ run: readonly=${{ matrix.readonly }} ca=${{ matrix.ca }} VOLUME=${{ matrix.volume }} seccomp=${{ matrix.seccomp }} replica=${{ matrix.replica }} tests/run-master-and-replica.sh localhost/freeipa-server:${{ matrix.os }}
 - name: Run partial tests
 if: ${{ failure() }}
 run: tests/run-partial-tests.sh Dockerfile.${{ matrix.os }}
@@ -109,8 +117,17 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- os: [ fedora-rawhide, fedora-40, rocky-9, almalinux-8 ]
- readonly: [ --read-only ]
+ include:
+ - os: fedora-rawhide
+ readonly: --read-only
+ - os: fedora-40
+ readonly: --read-only
+ volume: freeipa-data
+ - os: rocky-9
+ readonly: --read-only
+ - os: almalinux-8
+ readonly: --read-only
+ volume: freeipa-data
 timeout-minutes: 30
 steps:
 - uses: actions/checkout@v4
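Review bot: The new `if: ${{ matrix.volume }} == freeipa-data` on the volume-create step does not gate anything: GitHub substitutes the `${{ }}` part first and then evaluates the remaining text (the value, or nothing, followed by ` == freeipa-data`) as a string, and a non-empty string is reported as true, so `docker volume create` runs with an empty name on the matrix entries that set no volume. Write the comparison as one expression, `if: matrix.volume == 'freeipa-data'` (or `if: ${{ matrix.volume == 'freeipa-data' }}`). The same two lines appear in the hunks at @@ -121 and @@ -196 below. Giving the step a `name:` like its neighbours would also keep the job log readable.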
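Review bot: The new `include:` list repeats `readonly: --read-only` for all four entries only to attach `volume:` to two of them. GitHub's matrix `include` adds its keys to an existing combination when none of them overwrite an original value, so keeping `os: [ fedora-rawhide, fedora-40, rocky-9, almalinux-8 ]` and `readonly: [ --read-only ]` and adding `include: [ { os: fedora-40, volume: freeipa-data }, { os: almalinux-8, volume: freeipa-data } ]` expresses the same matrix without the duplication. The podman matrix at @@ -185 could use the same shape.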
@@ -121,8 +138,10 @@ jobs:
 name: freeipa-server-${{ matrix.os }}
 - name: Load image
 run: gunzip < freeipa-server-${{ matrix.os }}.tar.gz | docker load
+ - run: docker volume create ${{ matrix.volume }}
+ if: ${{ matrix.volume }} == freeipa-data
 - name: Run master and replica
- run: readonly=${{ matrix.readonly }} ca=${{ matrix.ca }} seccomp=${{ matrix.seccomp }} replica=${{ matrix.replica }} tests/run-master-and-replica.sh localhost/freeipa-server:${{ matrix.os }}
+ run: readonly=${{ matrix.readonly }} ca=${{ matrix.ca }} VOLUME=${{ matrix.volume }} seccomp=${{ matrix.seccomp }} replica=${{ matrix.replica }} tests/run-master-and-replica.sh localhost/freeipa-server:${{ matrix.os }}
 - name: Run partial tests
 if: ${{ failure() }}
 run: tests/run-partial-tests.sh Dockerfile.${{ matrix.os }}
@@ -185,7 +204,15 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- os: [ fedora-40, centos-9-stream, rocky-9, almalinux-8 ]
+ include:
+ - os: fedora-40
+ readonly: --read-only
+ volume: freeipa-data
+ - os: almalinux-9
+ readonly: --read-only
+ volume: freeipa-data
+ - os: rocky-8
+ readonly: --read-only
 timeout-minutes: 30
 steps:
 - uses: actions/checkout@v4
@@ -196,8 +223,10 @@ jobs:
 name: freeipa-server-${{ matrix.os }}
 - name: Load image
 run: gunzip < freeipa-server-${{ matrix.os }}.tar.gz | podman load
- - name: Run master
- run: docker=podman tests/run-master-and-replica.sh localhost/freeipa-server:${{ matrix.os }} && podman pod ls -q | xargs podman pod rm -f
+ - run: podman volume create ${{ matrix.volume }}
+ if: ${{ matrix.volume }} == freeipa-data
+ - name: Run master and replica
+ run: docker=podman VOLUME=${{ matrix.volume }} tests/run-master-and-replica.sh localhost/freeipa-server:${{ matrix.os }} && podman pod ls -q | xargs podman pod rm -f
 - name: Run partial tests
 if: ${{ failure() }}
 run: docker=podman tests/run-partial-tests.sh Dockerfile.${{ matrix.os }}
diff --git a/README b/README
index d92e4951..3a4c9bb5 100644
--- a/README
+++ b/README
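Review bot: The os set of this podman job changes from fedora-40, centos-9-stream, rocky-9, almalinux-8 to fedora-40, almalinux-9, rocky-8, and almalinux-9 and rocky-8 appear nowhere else in this diff while the docker jobs keep rocky-9 and almalinux-8. The download step that follows expects an artifact named `freeipa-server-${{ matrix.os }}`, so this only works if the build job (outside this diff) produces almalinux-9 and rocky-8 images; if it does not, restoring `- os: rocky-9` and `- os: almalinux-8` is the minimal fix. Dropping centos-9-stream from podman coverage also looks unrelated to the volume change and deserves a sentence in the commit message.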
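Review bot: The podman matrix now sets `readonly: --read-only` on every entry, but the rewritten run line passes only `docker=podman VOLUME=${{ matrix.volume }}` to tests/run-master-and-replica.sh, whereas the docker jobs export `readonly=${{ matrix.readonly }}` on the same command; presumably the script reads that variable, so the podman runs would not be read-only regardless of the matrix. Prepend it: `run: docker=podman readonly=${{ matrix.readonly }} VOLUME=${{ matrix.volume }} tests/run-master-and-replica.sh localhost/freeipa-server:${{ matrix.os }} && podman pod ls -q | xargs podman pod rm -f`. The `if:` on the `podman volume create` step has the evaluation problem described at @@ -96.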
@@ -141,6 +141,14 @@ and with docker using
 When running in rootless mode, make sure the volume directory on the host
 is owned by uid which becomes uid 0 in the container.
 
+Of course, the volume can also be created in the container system,
+for example with
+
+ podman volume create freeipa-data
+ podman run --name freeipa-server-container -ti \
+ -h ipa.example.test --read-only \
+ -v freeipa-data:/data:Z [ ... ]
+
 ### Initial FreeIPA master setup
 
 Upon the first invocation with empty directory mounted to `/data`,
diff --git a/tests/run-master-and-replica.sh b/tests/run-master-and-replica.sh
index 95dbbc3f..954c8f3c 100755
--- a/tests/run-master-and-replica.sh
+++ b/tests/run-master-and-replica.sh
@@ -11,6 +11,20 @@ sudo=sudo
 BASE=ipa1
 VOLUME=${VOLUME:-/tmp/freeipa-test-$$/data}
 
+if test "$VOLUME" != "${VOLUME#/}" ; then
+ mkdir -p "$VOLUME"
+fi
+
+function setup_sudo() {
+ if test "$VOLUME" == "${VOLUME#/}" ; then
+ sudo="$docker run --rm -i --security-opt label=disable -v $VOLUME:/$VOLUME docker.io/library/busybox"
+ elif test -O $VOLUME/build-id ; then
+ sudo=
+ else
+ sudo=sudo
+ fi
+}
+setup_sudo
 
 function wait_for_ipa_container() {
 set +x
@@ -43,9 +57,6 @@ function wait_for_ipa_container() {
 fi
 done
 date
- if test -O $VOLUME/build-id ; then
- sudo=
- fi
 if [ "$EXIT_STATUS" -ne 0 ] ; then
 exit "$EXIT_STATUS"
 fi
@@ -55,7 +66,7 @@ function wait_for_ipa_container() {
 if $docker diff "$N" | tee /dev/stderr | grep . ; then
 exit 1
 fi
- MACHINE_ID=$( cat $VOLUME/etc/machine-id )
+ MACHINE_ID=$( $sudo cat $VOLUME/etc/machine-id )
 # Check that journal landed on volume and not in host's /var/log/journal
 $sudo ls -la $VOLUME/var/log/journal/$MACHINE_ID
 if [ -e /var/log/journal/$MACHINE_ID ] ; then
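Review bot: `setup_sudo` is run once at script start, before any container has executed, so on a fresh path-based volume `test -O $VOLUME/build-id` can never succeed and `sudo` stays `sudo`; the check it replaces (removed in the @@ -43 hunk) ran after the master container had populated the volume. If rootless runs without sudo relied on that, call `setup_sudo` again after the first wait_for_ipa_container returns. On the named-volume branch the helper resolves `$VOLUME/...` relative to the container's working directory, so `$sudo cat $VOLUME/etc/machine-id` only works because busybox starts in `/`; adding `-w /` to the `$docker run` line makes that explicit, and pinning `docker.io/library/busybox` to a tag or digest avoids pulling an unpinned `latest` into every test run.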
@@ -73,9 +84,15 @@ function run_ipa_container() {
 HOSTNAME=ipa.example.test
 if [ "$N" == "freeipa-replica" ] ; then
 HOSTNAME=replica.example.test
- VOLUME=/tmp/freeipa-test-$$/data-replica
+ if test "$VOLUME" == "${VOLUME#/}" ; then
+ VOLUME=$VOLUME-$$-replica
+ $docker volume create $VOLUME
+ else
+ VOLUME=/tmp/freeipa-test-$$/data-replica
+ mkdir -p $VOLUME
+ fi
+ setup_sudo
 fi
- mkdir -p $VOLUME
 OPTS=
 if [ "${docker%podman}" = "$docker" ] ; then
 # if it is not podman, it is docker
@@ -159,7 +176,7 @@ fi
 
 fresh_install=true
 
-if [ -f "$VOLUME/build-id" ] ; then
+if $sudo test -f "$VOLUME/build-id" ; then
 # If we were given already populated volume, just run the container
 fresh_install=false
 run_ipa_container $IMAGE freeipa-master exit-on-finished
@@ -177,7 +194,8 @@ else
 if [ -n "$ca" ] ; then
 $docker rm -f freeipa-master
 date
- $sudo cp tests/generate-external-ca.sh $VOLUME/
+ cat tests/generate-external-ca.sh | $sudo tee $VOLUME/generate-external-ca.sh > /dev/null
+ $sudo chmod a+x $VOLUME/generate-external-ca.sh
 $docker run --rm -v $VOLUME:/data:Z --entrypoint /data/generate-external-ca.sh "$IMAGE"
 # For external CA, provide the certificate for the second stage
 run_ipa_container $IMAGE freeipa-master exit-on-finished -U -r EXAMPLE.TEST --setup-dns --no-forwarders $skip_opts --no-ntp \
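Review bot: In the named-volume branch `VOLUME=$VOLUME-$$-replica` is not idempotent, unlike the path branch's fixed `/tmp/freeipa-test-$$/data-replica`: if run_ipa_container is entered with N=freeipa-replica more than once in a run (its callers are outside this hunk), every call appends another `-<pid>-replica` suffix, creates a fresh empty volume and points `$sudo` at it, so the replica data from the earlier call is no longer where later checks look. Save the initial value once near the top of the script, e.g. `MASTER_VOLUME=$VOLUME`, and derive the name from it here with `VOLUME=$MASTER_VOLUME-$$-replica`, creating the volume only when it does not already exist. The named replica volume also has no matching `$docker volume rm`, so it accumulates across runs on a persistent host.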
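Review bot: `cat tests/generate-external-ca.sh | $sudo tee …` is a useless use of cat; `$sudo tee "$VOLUME/generate-external-ca.sh" < tests/generate-external-ca.sh > /dev/null` does the same with one process and quotes the path, matching `"$VOLUME/build-id"` in the hunk above. When `$sudo` is the busybox helper from setup_sudo, its `-i` flag is what feeds the file over stdin, so the redirection form keeps working there too.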