Search

Chapter 3. Configuring RHEL image builder repositories

download PDF

To use RHEL image builder, you must ensure that the repositories are configured. You can use the following types of repositories in RHEL image builder:

Official repository overrides
Use these if you want to download base system RPMs from elsewhere than the Red Hat Content Delivery Network (CDN) official repositories, for example, a custom mirror in your network. Using official repository overrides disables the default repositories, and your custom mirror must contain all the necessary packages.
Custom third-party repositories
Use these to include packages that are not available in the official RHEL repositories.

3.1. Adding custom third-party repositories to RHEL image builder

You can add custom third-party sources to your repositories and manage these repositories by using the composer-cli.

Prerequisites

  • You have the URL of the custom third-party repository.

Procedure

  1. Create a repository source file, such as /root/repo.toml. For example:

    id = "k8s"
    name = "Kubernetes"
    type = "yum-baseurl"
    url = "https://server.example.com/repos/company_internal_packages/"
    check_gpg = false
    check_ssl = false
    system = false

    The type field accepts the following valid values: yum-baseurl, yum-mirrorlist, and yum-metalink.

  2. Save the file in the TOML format.
  3. Add the new third-party source to RHEL image builder:

    $ composer-cli sources add <file-name>.toml

Verification

  1. Check if the new source was successfully added:

    $ composer-cli sources list
  2. Check the new source content:

    $ composer-cli sources info <source_id>

3.2. Adding third-party repositories with specific distributions to RHEL image builder

You can specify a list of distributions in the custom third-party source file by using the optional field distro. The repository file uses the distribution string list while resolving dependencies during the image building.

Any request that specifies rhel-8 uses this source. For example, if you list packages and specify rhel-8, it includes this source. However, listing packages for the host distribution do not include this source.

Prerequisites

  • You have the URL of the custom third-party repository.
  • You have the list of distributions that you want to specify.

Procedure

  1. Create a repository source file, such as /root/repo.toml. For example, to specify the distribution:

    check_gpg = true
    check_ssl = true
    distros = ["rhel-8"]
    id = "rh9-local"
    name = "packages for RHEL"
    system = false
    type = "yum-baseurl"
    url = "https://local/repos/rhel8/projectrepo/"
  2. Save the file in the TOML format.
  3. Add the new third-party source to RHEL image builder:

    $ composer-cli sources add <file-name>.toml

Verification

  1. Check if the new source was successfully added:

    $ composer-cli sources list
  2. Check the new source content:

    $ composer-cli sources info <source_id>

3.3. Checking repositories metadata with GPG

To detect and avoid corrupted packages, you can use the DNF package manager to check the GNU Privacy Guard (GPG) signature on RPM packages, and also to check if the repository metadata has been signed with a GPG key.

You can either enter the gpgkey that you want to do the check over https by setting the gpgkeys field with the key URL. Alternatively, to improve security, you can also embed the whole key into the gpgkeys field, to import it directly instead of fetching the key from the URL.

Prerequisites

  • The directory that you want to use as a repository exists and contains packages.

Procedure

  1. Access the folder where you want to create a repository:

    $ cd repo/
  2. Run the createrepo_c to create a repository from RPM packages:

    $ createrepo_c .
  3. Access the directory where the repodata is:

    $ cd repodata/
  4. Sign your repomd.xml file:

    $ gpg -u <_gpg-key-email_> --yes --detach-sign --armor /srv/repo/example/repomd.xml
  5. To enable GPG signature checks in the repository:

    1. Set check_repogpg = true in the repository source.
    2. Enter the gpgkey that you want to do the check. If your key is available over https, set the gpgkeys field with the key URL for the key. You can add as many URL keys as you need.

      The following is an example:

      check_gpg = true
      check_ssl = true
      id = "signed local packages"
      name = "repository_name"
      type = "yum-baseurl"
      url = "https://local/repos/projectrepo/"
      check_repogpg = true
      gpgkeys=["https://local/keys/repokey.pub"]

      As an alternative, add the GPG key directly in the gpgkeys field, for example:

      check_gpg = true
      check_ssl = true
      check_repogpg
      id = "custom-local"
      name = "signed local packages"
      type = "yum-baseurl"
      url = "https://local/repos/projectrepo/"
      gpgkeys=["https://remote/keys/other-repokey.pub",
      '''-----BEGIN PGP PUBLIC KEY BLOCK-----
      …​
      -----END PGP PUBLIC KEY BLOCK-----''']
      • If the test does not find the signature, the GPG tool shows an error similar to the following one:

        $ GPG verification is enabled, but GPG signature is not available.
        This may be an error or the repository does not support GPG verification:
        Status code: 404 for http://repo-server/rhel/repodata/repomd.xml.asc (IP: 192.168.1.3)
      • If the signature is invalid, the GPG tool shows an error similar to the following one:

        repomd.xml GPG signature verification error: Bad GPG signature

Verification

  • Test the signature of the repository manually:

    $ gpg --verify /srv/repo/example/repomd.xml.asc

3.4. RHEL image builder official repository overrides

RHEL image builder osbuild-composer back end does not inherit the system repositories located in the /etc/yum.repos.d/ directory. Instead, it has its own set of official repositories defined in the /usr/share/osbuild-composer/repositories directory. This includes the Red Hat official repository, which contains the base system RPMs to install additional software or update already installed programs to newer versions. If you want to override the official repositories, you must define overrides in /etc/osbuild-composer/repositories/. This directory is for user defined overrides and the files located there take precedence over those in the /usr/share/osbuild-composer/repositories/ directory.

The configuration files are not in the usual YUM repository format known from the files in /etc/yum.repos.d/. Instead, they are JSON files.

3.5. Overriding a system repository

You can configure your own repository override for RHEL image builder in the /etc/osbuild-composer/repositories directory.

Note

Prior to RHEL 8.5 release, the name of the repository overrides is rhel-8.json. Starting from RHEL 8.5, the names also respect the minor version: rhel-84.json, rhel-85.json, and so on.

Prerequisites

  • You have a custom repository that is accessible from your host system.

Procedure

  1. Create the /etc/osbuild-composer/repositories/ directory to store your repository overrides:

    $ sudo mkdir -p /etc/osbuild-composer/repositories
  2. Create a JSON file, using a name corresponding to your RHEL version. Alternatively, you can copy the file for your distribution from /usr/share/osbuild-composer/ and modify its content.

    For RHEL 8.9, use /etc/osbuild-composer/repositories/rhel-89.json.

  3. Add the following structure to your JSON file. Specify only one of the following attributes, in the string format:

    • baseurl - The base URL of the repository.
    • metalink - The URL of a metalink file that contains a list of valid mirror repositories.
    • mirrorlist - The URL of a mirrorlist file that contains a list of valid mirror repositories. The remaining fields, such as gpgkey, and metadata_expire, are optional.

      For example:

      {
           "x86_64": [
              {
                  "name": "baseos",
                  "baseurl": "http://mirror.example.com/composes/released/RHEL-8/8.0/BaseOS/x86_64/os/",
                  "gpgkey": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n (…​)",
                  "check_gpg": true
              }
          ]
      }

      Alternatively, you can copy the JSON file for your distribution, by replacing rhel-version.json with your RHEL version, for example: rhel-8.json.

      $  cp /usr/share/osbuild-composer/repositories/rhel-version.json /etc/osbuild-composer/repositories/
  4. Optional: Verify the JSON file:

    $ json_verify  /etc/osbuild-composer/repositories/<file>.json
  5. Edit the baseurl paths in the rhel-8.json file and save it. For example:

    $ /etc/osbuild-composer/repositories/rhel-version.json
  6. Restart the osbuild-composer.service:

    $ sudo systemctl restart osbuild-composer.service

Verification

  • Check if the repository points to the correct URLs:

    $ cat /etc/yum.repos.d/redhat.repo

    You can see that the repository points to the correct URLs which are copied from the /etc/yum.repos.d/redhat.repo file.

3.6. Overriding a system repository that requires subscriptions

You can set up the osbuild-composer service to use system subscriptions that are defined in the /etc/yum.repos.d/redhat.repo file. To use a system subscription in osbuild-composer, define a repository override that has the following details:

  • The same baseurl as the repository defined in /etc/yum.repos.d/redhat.repo.
  • The value of ”rhsm”: true defined in the JSON object.

    Note

    osbuild-composer does not automatically use repositories defined in /etc/yum.repos.d/. You need to manually specify them either as a system repository override or as an additional source by using composer-cli. The “BaseOS” and “AppStream” repositories usually use system repository overrides, whereas all the other repositories use composer-cli sources.

Prerequisites

Procedure

  1. Get the baseurl from the /etc/yum.repos.d/redhat.repo file:

    # cat /etc/yum.repos.d/redhat.repo
    [AppStream]
    name = AppStream mirror example
    baseurl = https://mirror.example.com/RHEL-8/8.0/AppStream/x86_64/os/
    enabled = 1
    gpgcheck = 0
    sslverify = 1
    sslcacert = /etc/pki/ca1/ca.crt
    sslclientkey = /etc/pki/ca1/client.key
    sslclientcert = /etc/pki/ca1/client.crt
    metadata_expire = 86400
    enabled_metadata = 0
  2. Configure the repository override to use the same baseurl and set rhsm to true:

    {
        "x86_64": [
            {
                "name": "AppStream mirror example",
                "baseurl": "https://mirror.example.com/RHEL-8/8.0/AppStream/x86_64/os/",
                "gpgkey": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n (…​)",
                "check_gpg": true,
                "rhsm": true
            }
        ]
    }
  3. Restart the osbuild-composer.service:

    $ sudo systemctl restart osbuild-composer.service

3.7. Configuring and using Satellite CV as a content source

You can use Satellite’s content views (CV) as repositories to build images with RHEL image builder. To do so, on your host registered to Satellite, manually configure the repository references so that you can retrieve from the Satellite repositories, instead of the Red Hat Content Delivery Network (CDN) official repositories.

Prerequisites

  • You are using RHEL image builder on a host registered to Satellite 6.

Procedure

  1. Find the repository URL from your currently configured repositories:

    $ sudo yum -v repolist rhel-8-for-x86_64-baseos-rpms | grep repo-baseurl
      Repo-baseurl :

    The following output is an example:

    https://satellite6.example.com/pulp/content/YourOrg/YourEnv/YourCV/content/dist/rhel8/8/x86_64/baseos/os
  2. Modify the hard-coded repositories to a Satellite Server.

    1. Create a repository directory with the 0755 permission:

      $ sudo mkdir -pvm 0755 /etc/osbuild-composer/repositories
    2. Copy the content from /usr/share/osbuild-composer/repositories/*.json to the directory that you created:

      $ sudo cp /usr/share/osbuild-composer/repositories/*.json /etc/osbuild-composer/repositories/
    3. Update the Satellite URL and the file contents through the /content/dist/* line:

      $ sudo sed -i -e 's|cdn.redhat.com|satellite6.example.com/pulp/content/YourOrg/YourEnv/YourCV|' /etc/osbuild-composer/repositories/*.json
    4. Verify that the configuration was correctly replaced:

      $ sudo vi /etc/osbuild-composer/repositories/rhel-8.json
  3. Restart the services:

    $ sudo systemctl restart osbuild-worker@1.service osbuild-composer.service
  4. Override the required system repository in Red Hat image builder configuration and use the URL of your Satellite repository as a baseurl. See Overriding a system repository.

3.8. Using Satellite CV as repositories to build images in RHEL image builder

Configure RHEL image builder to use Satellite’s content views (CV) as repositories to build your custom images.

Prerequisites

Procedure

  1. In the Satellite web UI, navigate to Content > Products, select your Product and click the repository you want to use.
  2. Search for the secured URL (HTTPS) in the Published field and copy it.
  3. Use the URL that you copied as a baseurl for the Red Hat image builder repository. See Adding custom third-party repositories to RHEL image builder.
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.