Chapter 13. Pushing a container to a registry and embedding it into an image


With RHEL image builder, you can build security-hardened images by using the OpenSCAP tool. You can take advantage of the support for container customization in the blueprints to create a container and embed it directly into the image you create.

13.1. Customizing a blueprint to embed a container into an image

Embed a container from registry.access.redhat.com by adding a container customization to your blueprint. RHEL image builder pulls the container during the image build and stores the container in the image.

The default local container storage location depends on the image type, so that all supported container-tools, such as Podman, can work with it.

Prerequisites

  • You have created a blueprint.

Procedure

  • Customize your blueprint with the container:

    [[containers]]
    source = "registry.access.redhat.com/ubi10/ubi:latest"
    name = "<local_name>"
    tls-verify = true

  • source - Mandatory field. It is a reference to the container image at a registry. This example uses the registry.access.redhat.com registry. You can specify a tag version. The default tag is latest.
  • name - The name of the container in the local registry.
  • tls-verify - Boolean field that controls transport layer security (TLS) for the connection to the registry. The default value is true.

    To access protected container resources, you can use a containers-auth.json file.

13.2. Pushing a container artifact directly to a container registry

You can push container artifacts directly to a container registry after you build them by using the RHEL image builder CLI.

Prerequisites

  • You have access to the quay.io registry. This example uses the quay.io container registry as a target registry, but you can use a container registry of your choice.

Procedure

  1. Set up a registry-config.toml file to select the container provider. The credentials are optional.

    provider = "<container_provider>"
    [settings]
    tls_verify = false
    username = "<admin>"
    password = "<your_password>"
  2. Create a blueprint in the .toml format. This blueprint builds a container with the nginx package installed.

    name = "simple-container"
    description = "Simple RHEL container"
    version = "0.0.1"
    [[packages]]
    name = "nginx"
    version = "*"
  3. Build the container image by passing the registry and the repository to the image-builder tool as arguments.

    # image-builder build --blueprint <simple-container> --extra-repo "quay.io:8080/<namespace>/<repository>" --extra-repo registry-config.toml

    Note

    Building the container image takes time because the dependencies of the customized packages must be resolved.

  4. After the image build finishes, the container you created is available in quay.io.

Verification

  1. Open quay.io and click Repository Tags. You can see details about the container you created, such as:

    • Last modified
    • Image size
    • The manifest ID that you can copy to the clipboard.
  2. Copy the manifest ID value to build the image in which you want to embed a container.

13.3. Building an image and pulling the container into the image

After you create a container image, build your customized image and pull the container image into it. Use the container customization specification in the blueprint and the container name for the final image. RHEL image builder fetches the container image and adds it to the local Podman container storage.

Prerequisites

Procedure

  1. Create a blueprint to build a qcow2 image. The blueprint must contain the [[containers]] customization.

    name = "image"
    description = "A qcow2 image with a container"
    version = "0.0.1"
    distro = "rhel-10"
    [[packages]]
    name = "podman"
    version = "*"
    [[containers]]
    source = "registry.access.redhat.com/ubi10:8080/image/container/container-image@sha256:manifest-ID-from-Repository-tag: tag-version"
    name =  "source"
    tls-verify = true
  2. Build the qcow2 image:

    # image-builder build qcow2 --blueprint <blueprint>

    Note

    Building the image takes time because it checks the container on the quay.io registry.

    You can use the qcow2 image you created and downloaded to create a VM.

Verification

  1. Locate the resulting qcow2 image.
  2. Start the qcow2 image in a VM. See Creating a virtual machine from a KVM guest image.
  3. The qemu wizard opens. Log in to the qcow2 image by entering the username and password. These can be the username and password you set up in the .qcow2 blueprint in the customizations.user section, or created at boot time with cloud-init.
  4. Run the container image and open a shell prompt inside the container:

    # podman run -it registry.access.redhat.com/ubi10:8080/<organization>/<repository> /bin/bash

    registry.access.redhat.com is the target registry, <organization> is the organization, and <repository> is the location to push the container when it finishes building.

  5. Check that the packages you added to the blueprint are available:

    # type -a nginx

    The output shows you the nginx package path.
