Chapter 11. Red Hat Enterprise Linux Atomic Host
Included in the release of Red Hat Enterprise Linux 7.1 is Red Hat Enterprise Linux Atomic Host - a secure, lightweight, and minimal-footprint operating system optimized to run Linux containers. It has been designed to take advantage of the powerful technology available in Red Hat Enterprise Linux 7. Red Hat Enterprise Linux Atomic Host uses SELinux to provide strong safeguards in multi-tenant environments, and provides the ability to perform atomic upgrades and rollbacks, enabling quicker and easier maintenance with less downtime. Red Hat Enterprise Linux Atomic Host uses the same upstream projects delivered via the same RPM packaging as Red Hat Enterprise Linux 7.
Red Hat Enterprise Linux Atomic Host is pre-installed with the following tools to support Linux containers:
- Docker - For more information, see Get Started with Docker Formatted Container Images on Red Hat Systems.
- Kubernetes, flannel, etcd - For more information, see Get Started Orchestrating Containers with Kubernetes.
Red Hat Enterprise Linux Atomic Host makes use of the following technologies:
- OSTree and rpm-OSTree - These projects provide atomic upgrades and rollback capability.
- systemd - The powerful new init system for Linux that enables faster boot times and easier orchestration.
- SELinux - Enabled by default to provide complete multi-tenant security.
New features in Red Hat Enterprise Linux Atomic Host 7.1.4
- The iptables-service package has been added.
- It is now possible to enable automatic "command forwarding", whereby commands that are not found on Red Hat Enterprise Linux Atomic Host are seamlessly retried inside the RHEL Atomic Tools container. The feature is disabled by default (it requires the RHEL Atomic Tools image to be pulled onto the system). To enable it, uncomment the export line in the /etc/sysconfig/atomic file so it looks like this:
  export TOOLSIMG=rhel7/rhel-tools
- The atomic command:
  - You can now pass three options (OPT1, OPT2, OPT3) to the LABEL command in a Dockerfile. Developers can add environment variables to the labels to allow users to pass additional commands using atomic. The following is an example from a Dockerfile:
      LABEL docker run ${OPT1} ${IMAGE}
    With this label, the command
      atomic run --opt1="-ti" image_name
    expands to
      docker run -ti image_name
  - You can now use ${NAME} and ${IMAGE} anywhere in your label, and atomic will substitute them with the container name and the image.
  - The ${SUDO_UID} and ${SUDO_GID} options are set and can be used in image LABEL instructions.
  - The atomic mount command attempts to mount the file system belonging to a given container/image ID or image to the given directory. Optionally, you can provide a registry and tag to use a specific version of an image.
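As an added illustration (not code from the release notes or from the atomic project), the following Python script previews what a RUN, INSTALL or UNINSTALL label expands to before the container is ever run, using the ${NAME}, ${IMAGE}, ${OPT1..3}, ${SUDO_UID} and ${SUDO_GID} substitutions described above. The Dockerfile fragment, the rule that an unset OPTn becomes an empty string, and the list of host-access flags it reports are assumptions made for this example.

```python
import re
import shlex

# Constructed Dockerfile fragment, not from the release notes; the RUN/INSTALL/
# UNINSTALL label names and ${...} variables are the ones the notes describe.
DOCKERFILE = """\
FROM rhel7/rhel
LABEL RUN="docker run -d --name ${NAME} ${OPT1} ${IMAGE}"
LABEL INSTALL="docker run --rm -e SUDO_UID=${SUDO_UID} -e SUDO_GID=${SUDO_GID} ${IMAGE} /bin/install.sh"
LABEL UNINSTALL="docker run --rm ${IMAGE} /bin/uninstall.sh"
"""

VAR = re.compile(r"\$\{([A-Z0-9_]+)\}")
RISKY = {"--privileged", "--net=host", "--pid=host", "--ipc=host"}  # example list

def parse_labels(dockerfile):
    """Return {label: template} for each LABEL KEY="value" line."""
    labels = {}
    for line in dockerfile.splitlines():
        m = re.match(r'\s*LABEL\s+(\w+)="(.*)"\s*$', line)
        if m:
            labels[m.group(1)] = m.group(2)
    return labels

def expand(template, name, image, opts=(), sudo_uid="0", sudo_gid="0"):
    """Substitute ${NAME}, ${IMAGE}, ${OPT1..3}, ${SUDO_UID}, ${SUDO_GID}.
    Unset OPTn becomes "" (assumption for this example); any other ${VAR}
    is left as-is and returned in `unresolved` so a reviewer notices it."""
    values = {"NAME": name, "IMAGE": image, "SUDO_UID": sudo_uid, "SUDO_GID": sudo_gid}
    for i in range(1, 4):
        values["OPT%d" % i] = opts[i - 1] if i <= len(opts) else ""
    unresolved = set()
    def sub(m):
        if m.group(1) in values:
            return values[m.group(1)]
        unresolved.add(m.group(1))
        return m.group(0)
    cmd = " ".join(VAR.sub(sub, template).split())   # collapse empty OPTn gaps
    return cmd, unresolved

def risky_flags(cmd):
    """Tokens in an expanded command that hand the container host access."""
    toks = shlex.split(cmd)
    found = [t for t in toks if t in RISKY]
    found += ["%s %s" % (a, b) for a, b in zip(toks, toks[1:])
              if a in ("-v", "--volume") and b.startswith("/:")]
    return found
```

Because the RUN label is executed with whatever privileges it requests, reviewing the expanded command of an unfamiliar image this way is a cheap check before trusting it.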
New features in Red Hat Enterprise Linux Atomic Host 7.1.3
- Enhanced rpm-OSTree to provide a unique machine ID for each machine provisioned.
- Support for remote-specific GPG keyring has been added, specifically to associate a particular GPG key with a particular OSTree remote.
- The atomic command:
  - atomic upload - allows the user to upload a container image to a docker repository or to a Pulp/Crane instance.
  - atomic version - displays the "Name Version Release" container label in the following format: ContainerID;Name-Version-Release;Image/Tag
  - atomic verify - inspects an image to verify that the image layers are based on the latest image layers available. For example, if you have a MongoDB application based on rhel7-1.1.2 and a rhel7-1.1.3 base image is available, the command will inform you that there is a later image.
- A dbus interface has been added to the verify and version commands.
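As an added example (not part of the release notes and not the atomic tool's own logic), this Python snippet parses lines in the ContainerID;Name-Version-Release;Image/Tag format that atomic version prints and flags containers whose Name-Version-Release is behind the newest one known, in the spirit of the check atomic verify performs. The sample lines, the LATEST table and the simplified version ordering are constructed for this example.

```python
import re

# Constructed sample of `atomic version` output lines in the documented
# ContainerID;Name-Version-Release;Image/Tag format (not real output).
SAMPLE = """\
0f3a9c1d2e4b;rhel7-1.1.2-3;rhel7/rhel:1.1.2
77aa11bb22cc;rhel7-mongodb-2.6-5;rhel7/mongodb:latest
9e8d7c6b5a40;rhel7-1.1.3-1;rhel7/rhel:latest
"""

# Constructed table of the newest Version-Release known for each image name,
# e.g. what a registry or Pulp/Crane instance currently advertises.
LATEST = {"rhel7": "1.1.3-1", "rhel7-mongodb": "2.6-7"}

def parse_line(line):
    cid, nvr, image = line.strip().split(";")
    name, version, release = nvr.rsplit("-", 2)   # names may themselves contain '-'
    return {"id": cid, "name": name, "version": version, "release": release, "image": image}

def vr_key(version, release):
    """Turn '1.1.2' / '3' into comparable tuples (simplified rpm ordering:
    numeric segments compare as integers, anything else as strings)."""
    def seg(s):
        return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.+~]", s))
    return (seg(version), seg(release))

def stale_containers(output, latest):
    """Return ids of containers whose N-V-R is behind the latest known one."""
    stale = []
    for line in output.splitlines():
        if not line.strip():
            continue
        c = parse_line(line)
        if c["name"] not in latest:
            continue
        lv, lr = latest[c["name"]].rsplit("-", 1)
        if vr_key(c["version"], c["release"]) < vr_key(lv, lr):
            stale.append(c["id"])
    return stale
```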
New features in Red Hat Enterprise Linux Atomic Host 7.1.2
The atomic command-line interface is now available for Red Hat Enterprise Linux 7.1 as well as Red Hat Enterprise Linux Atomic Host. Note that the feature set differs between the two systems: only Red Hat Enterprise Linux Atomic Host includes support for OSTree updates, while the atomic run command is supported on both platforms. atomic run allows a container to specify its run-time options via the RUN meta-data label; this is used primarily with containers that require privileges. atomic install and atomic uninstall allow a container to specify install and uninstall scripts via the INSTALL and UNINSTALL meta-data labels. atomic now supports container upgrade and checking for updated images.
The iscsi-initiator-utils package has been added to Red Hat Enterprise Linux Atomic Host. This allows the system to mount iSCSI volumes; Kubernetes has gained a storage plugin to set up iSCSI mounts for containers.
You will also find Integrity Measurement Architecture (IMA), audit and libwrap available from systemd.
Important
Red Hat Enterprise Linux Atomic Host is not managed in the same way as other Red Hat Enterprise Linux 7 variants. Specifically:
- The Yum package manager is not used to update the system and install or update software packages. For more information, see Installing Applications on Red Hat Enterprise Linux Atomic Host.
- There are only two directories on the system with write access for storing local system configuration: /etc/ and /var/. The /usr/ directory is mounted read-only. Other directories are symbolic links to a writable location - for example, the /home/ directory is a symlink to /var/home/. For more information, see Red Hat Enterprise Linux Atomic Host File System.
- The default partitioning dedicates most of the available space to containers, using direct Logical Volume Management (LVM) instead of the default loopback device.
For more information, see Getting Started with Red Hat Enterprise Linux Atomic Host.
Red Hat Enterprise Linux Atomic Host 7.1.1 provides new versions of Docker and etcd, and maintenance fixes for the atomic command and other components.