diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 9a622b751a096453dcbb1aa6fe24e51ec6622e16..dec2810b4ddd7d03249f50bef8e09771b60f3d46 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -211,6 +211,17 @@ deploy:
     - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
     - docker push $CI_REGISTRY_IMAGE/$CI_JOB_NAME
 
+deploy-to-obs:
+  image: docker:stable
+  variables:
+    DOCKER_DRIVER: overlay2
+  services:
+    - docker:stable-dind
+  script:
+    - docker build -t $CI_REGISTRY_IMAGE/$CI_JOB_NAME $CI_JOB_NAME
+    - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
+    - docker push $CI_REGISTRY_IMAGE/$CI_JOB_NAME
+
 deploy-to-aur:
   image: docker:stable
   variables:
diff --git a/deploy-to-obs/Dockerfile b/deploy-to-obs/Dockerfile
new file mode 100644
index 0000000000000000000000000000000000000000..b8ca6baeed8714aef4b555c5b50f674d62e97176
--- /dev/null
+++ b/deploy-to-obs/Dockerfile
@@ -0,0 +1,28 @@
+FROM docker.io/centos:centos8
+LABEL maintainer="Christian Felder"
+
+WORKDIR /root
+
+COPY openSUSE_Tools-repomd.xml.key /etc/yum.repos.d
+
+RUN chmod 775 \
+  /root \
+  && \
+  mkdir -m 775 -p /root/.config/osc/trusted-certs \
+  && \
+  cd /etc/yum.repos.d/ && \
+  curl -LO https://download.opensuse.org/repositories/openSUSE:Tools/CentOS_8/openSUSE:Tools.repo && \
+  rpm --import openSUSE_Tools-repomd.xml.key && \
+  cd - \
+  && \
+  yum update -y && yum install -y epel-release && yum install -y \
+  osc \
+  && \
+  yum clean all -y
+
+COPY entrypoint.sh /
+
+VOLUME ["/oscrc"]
+VOLUME ["/certs"]
+
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/deploy-to-obs/README.md b/deploy-to-obs/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..04884b6a984b1eba052d86821bb5cab06de4c44c
--- /dev/null
+++ b/deploy-to-obs/README.md
@@ -0,0 +1,27 @@
+# osc container
+
+## volumes
+
+* ``/oscrc`` - osc resource file (``.oscrc``) - **mandatory**
+* ``/certs`` - directory containing pem files for osc-trusted hosts, e.g.
+  ``jcnsbs.jcns.frm2.tum.de_443.pem`` - **optional**
+
+## examples
+
+The following command will invoke the ``osc`` command inside a container.
+
+``podman run -v `pwd`/oscrc:/oscrc:ro --rm -it osc:latest``
+
+cli arguments should just be appended, e.g.
+
+```
+podman run -v `pwd`/oscrc:/oscrc:ro --rm -it osc:latest \
+           co science:gr-framework/gr
+```
+
+certificates may be mounted into the container to trust self-signed appliances.
+
+```
+podman run -v `pwd`/oscrc:/oscrc:ro -v `pwd`/certs:/certs:ro --rm -it \
+           osc:latest co science:gr-framework/gr
+```
diff --git a/deploy-to-obs/entrypoint.sh b/deploy-to-obs/entrypoint.sh
new file mode 100755
index 0000000000000000000000000000000000000000..25f01b69ef1b65f43b8416411d87785a6d04dabb
--- /dev/null
+++ b/deploy-to-obs/entrypoint.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+set -eu
+
+osc=/usr/bin/osc
+certsro=/certs
+certs=$HOME/.config/osc/trusted-certs
+oscrcro=/oscrc
+oscrc=$HOME/.`basename $oscrcro`
+
+if [ ! -r $oscrcro ]; then
+  >&2 echo "Missing oscrc volume '$oscrcro'."
+  exit 1
+elif [ ! -r $oscrc ]; then
+  cp -aL --no-preserve=ownership $oscrcro $oscrc
+fi
+
+if [ -d $certsro ]; then
+  cp -aLr --no-preserve=ownership $certsro/* $certs/
+fi
+
+exec $osc "$@"
diff --git a/deploy-to-obs/openSUSE_Tools-repomd.xml.key b/deploy-to-obs/openSUSE_Tools-repomd.xml.key
new file mode 100644
index 0000000000000000000000000000000000000000..ba3f6e10fd7ef78be7c6cf5329972eb88f4efe7a
--- /dev/null
+++ b/deploy-to-obs/openSUSE_Tools-repomd.xml.key
@@ -0,0 +1,21 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.15 (GNU/Linux)
+
+mQENBFuqQ5ABCADA8eLWbIjSzmyCvUURQespG73y+0sG8upjPEccVjI6jFeLhic2
+hb4/MN/PcRUtuDemBMeB05TDr8LgcOEJVyfuNZ3O0WPg4C/F6yW4JD7wWtj54NlQ
+Tm1yXzkAowMBjprG539Luo5KczWzr82CTweTHvnq3oj2OzLY4ZsrM1gptD2o1kZX
+bUbpz/DXx8Yqs3JcxfuwHi8bDgnP4N+WZuxGRIuA38zVhFBBHrs7nB9MNwx6t1cX
+wyuVG66KbHk/TQDzZpu08mWQQ8xZSIoMIne9AnN8Kf7T5AVhgxzMhYuLeUrUZ8DU
+AZ6fsF63oPtSDRcs7XaJxnR+ZgCqEDKN6+kBABEBAAG0Pm9wZW5TVVNFOlRvb2xz
+IE9CUyBQcm9qZWN0IDxvcGVuU1VTRTpUb29sc0BidWlsZC5vcGVuc3VzZS5vcmc+
+iQE+BBMBCAAoBQJbqkOQAhsDBQkEHrAABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIX
+gAAKCRCCZlmpAT5bZYDZCACCVtDC3OlzficI9YNWd72V1bFjithtvz+EJhTTdQRE
+k+Ve9vuNo18mMut3X/rljaLmCst44qNQCmKYPLyTopTR+GCREG9Kcy7iMsZubK6i
+K4rO8u/N4gjMp4jjbtIWSqOiay4R3pAbqTxIn0gWIT5Ib15p6Usj7IIn57gGhPNS
+SMPXKWGz0Y+In6wLJzlU1ENQqYTSIct6/NF6bteiE42RwS6Lhwv2w5WtMCxiGMzw
+EJp6pCyUTp9/lbbPsFh89q6CCorp563nVlrZtJyVl884RCeEorodgjlHp78twVda
+DpHg7i6YEv4ajRpRK9NMBLKSulstYcjxHEoNFVOiTk2QiEYEExECAAYFAluqQ5AA
+CgkQOzARt2udZSOQYwCgpZq0lyfuNhx9qDz4UhEKc/cYKl8AmQFcbVCCqXSZDIbt
+okiAs4DU9RdG
+=dmC6
+-----END PGP PUBLIC KEY BLOCK-----