Chapter 3. Configuring RHEL image builder repositories
To use RHEL image builder, you must ensure that the repositories are configured. You can use the following types of repositories in RHEL image builder:
- Official repository overrides
- Use these if you want to download base system RPMs from elsewhere than the Red Hat Content Delivery Network (CDN) official repositories, for example, a custom mirror in your network. Using official repository overrides disables the default repositories, and your custom mirror must contain all the necessary packages.
- Custom third-party repositories
- Use these to include packages that are not available in the official RHEL repositories.
3.1. Adding custom third-party repositories to RHEL image builder
You can add custom third-party sources to your repositories and manage these repositories by using the composer-cli
.
Prerequisites
- You have the URL of the custom third-party repository.
Procedure
Create a repository source file, such as
/root/repo.toml
. For example:id = "k8s" name = "Kubernetes" type = "yum-baseurl" url = "https://server.example.com/repos/company_internal_packages/" check_gpg = false check_ssl = false system = false
The
type
field accepts the following valid values:yum-baseurl
,yum-mirrorlist
, andyum-metalink
.- Save the file in the TOML format.
Add the new third-party source to RHEL image builder:
$ composer-cli sources add <file-name>.toml
Verification
Check if the new source was successfully added:
$ composer-cli sources list
Check the new source content:
$ composer-cli sources info <source_id>
3.2. Adding third-party repositories with specific distributions to RHEL image builder
You can specify a list of distributions in the custom third-party source file by using the optional field distro
. The repository file uses the distribution string list while resolving dependencies during the image building.
Any request that specifies rhel-8
uses this source. For example, if you list packages and specify rhel-8
, it includes this source. However, listing packages for the host distribution do not include this source.
Prerequisites
- You have the URL of the custom third-party repository.
- You have the list of distributions that you want to specify.
Procedure
Create a repository source file, such as
/root/repo.toml
. For example, to specify the distribution:check_gpg = true check_ssl = true distros = ["rhel-8"] id = "rh9-local" name = "packages for RHEL" system = false type = "yum-baseurl" url = "https://local/repos/rhel8/projectrepo/"
- Save the file in the TOML format.
Add the new third-party source to RHEL image builder:
$ composer-cli sources add <file-name>.toml
Verification
Check if the new source was successfully added:
$ composer-cli sources list
Check the new source content:
$ composer-cli sources info <source_id>
3.3. Checking repositories metadata with GPG
To detect and avoid corrupted packages, you can use the DNF package manager to check the GNU Privacy Guard (GPG) signature on RPM packages, and also to check if the repository metadata has been signed with a GPG key.
You can either enter the gpgkey
that you want to do the check over https
by setting the gpgkeys
field with the key URL. Alternatively, to improve security, you can also embed the whole key into the gpgkeys
field, to import it directly instead of fetching the key from the URL.
Prerequisites
- The directory that you want to use as a repository exists and contains packages.
Procedure
Access the folder where you want to create a repository:
$ cd repo/
Run the
createrepo_c
to create a repository from RPM packages:$ createrepo_c .
Access the directory where the repodata is:
$ cd repodata/
Sign your
repomd.xml
file:$ gpg -u <_gpg-key-email_> --yes --detach-sign --armor /srv/repo/example/repomd.xml
To enable GPG signature checks in the repository:
-
Set
check_repogpg = true
in the repository source. Enter the
gpgkey
that you want to do the check. If your key is available overhttps
, set thegpgkeys
field with the key URL for the key. You can add as many URL keys as you need.The following is an example:
check_gpg = true check_ssl = true id = "signed local packages" name = "repository_name" type = "yum-baseurl" url = "https://local/repos/projectrepo/" check_repogpg = true gpgkeys=["https://local/keys/repokey.pub"]
As an alternative, add the GPG key directly in the
gpgkeys
field, for example:check_gpg = true check_ssl = true check_repogpg id = "custom-local" name = "signed local packages" type = "yum-baseurl" url = "https://local/repos/projectrepo/" gpgkeys=["https://remote/keys/other-repokey.pub", '''-----BEGIN PGP PUBLIC KEY BLOCK----- … -----END PGP PUBLIC KEY BLOCK-----''']
If the test does not find the signature, the GPG tool shows an error similar to the following one:
$ GPG verification is enabled, but GPG signature is not available. This may be an error or the repository does not support GPG verification: Status code: 404 for http://repo-server/rhel/repodata/repomd.xml.asc (IP: 192.168.1.3)
If the signature is invalid, the GPG tool shows an error similar to the following one:
repomd.xml GPG signature verification error: Bad GPG signature
-
Set
Verification
Test the signature of the repository manually:
$ gpg --verify /srv/repo/example/repomd.xml.asc
3.4. RHEL image builder official repository overrides
RHEL image builder osbuild-composer
back end does not inherit the system repositories located in the /etc/yum.repos.d/
directory. Instead, it has its own set of official repositories defined in the /usr/share/osbuild-composer/repositories
directory. This includes the Red Hat official repository, which contains the base system RPMs to install additional software or update already installed programs to newer versions. If you want to override the official repositories, you must define overrides in /etc/osbuild-composer/repositories/
. This directory is for user defined overrides and the files located there take precedence over those in the /usr/share/osbuild-composer/repositories/
directory.
The configuration files are not in the usual YUM repository format known from the files in /etc/yum.repos.d/
. Instead, they are JSON files.
3.5. Overriding a system repository
You can configure your own repository override for RHEL image builder in the /etc/osbuild-composer/repositories
directory.
Prior to RHEL 8.5 release, the name of the repository overrides is rhel-8.json
. Starting from RHEL 8.5, the names also respect the minor version: rhel-84.json
, rhel-85.json
, and so on.
Prerequisites
- You have a custom repository that is accessible from your host system.
Procedure
Create the
/etc/osbuild-composer/repositories/
directory to store your repository overrides:$ sudo mkdir -p /etc/osbuild-composer/repositories
Create a JSON file, using a name corresponding to your RHEL version. Alternatively, you can copy the file for your distribution from
/usr/share/osbuild-composer/
and modify its content.For RHEL 8.9, use
/etc/osbuild-composer/repositories/rhel-89.json
.Add the following structure to your JSON file. Specify only one of the following attributes, in the string format:
-
baseurl
- The base URL of the repository. -
metalink
- The URL of a metalink file that contains a list of valid mirror repositories. mirrorlist
- The URL of a mirrorlist file that contains a list of valid mirror repositories. The remaining fields, such asgpgkey
, andmetadata_expire
, are optional.For example:
{ "x86_64": [ { "name": "baseos", "baseurl": "http://mirror.example.com/composes/released/RHEL-8/8.0/BaseOS/x86_64/os/", "gpgkey": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n (…)", "check_gpg": true } ] }
Alternatively, you can copy the JSON file for your distribution, by replacing
rhel-version.json
with your RHEL version, for example: rhel-8.json.$ cp /usr/share/osbuild-composer/repositories/rhel-version.json /etc/osbuild-composer/repositories/
-
Optional: Verify the JSON file:
$ json_verify /etc/osbuild-composer/repositories/<file>.json
Edit the
baseurl
paths in therhel-8.json
file and save it. For example:$ /etc/osbuild-composer/repositories/rhel-version.json
Restart the
osbuild-composer.service
:$ sudo systemctl restart osbuild-composer.service
Verification
Check if the repository points to the correct URLs:
$ cat /etc/yum.repos.d/redhat.repo
You can see that the repository points to the correct URLs which are copied from the
/etc/yum.repos.d/redhat.repo
file.
Additional resources
-
The latest RPMs version available in repository not visible for
osbuild-composer
. (Red Hat Knowledgebase)
3.6. Overriding a system repository that requires subscriptions
You can set up the osbuild-composer
service to use system subscriptions that are defined in the /etc/yum.repos.d/redhat.repo
file. To use a system subscription in osbuild-composer
, define a repository override that has the following details:
-
The same
baseurl
as the repository defined in/etc/yum.repos.d/redhat.repo
. The value of
”rhsm”: true
defined in the JSON object.Noteosbuild-composer
does not automatically use repositories defined in/etc/yum.repos.d/
. You need to manually specify them either as a system repository override or as an additionalsource
by usingcomposer-cli
. The “BaseOS” and “AppStream” repositories usually use system repository overrides, whereas all the other repositories usecomposer-cli
sources.
Prerequisites
-
Your system has a subscription defined in
/etc/yum.repos.d/redhat.repo
- You have created a repository override. See Overriding a system repository.
Procedure
Get the
baseurl
from the/etc/yum.repos.d/redhat.repo
file:# cat /etc/yum.repos.d/redhat.repo [AppStream] name = AppStream mirror example baseurl = https://mirror.example.com/RHEL-8/8.0/AppStream/x86_64/os/ enabled = 1 gpgcheck = 0 sslverify = 1 sslcacert = /etc/pki/ca1/ca.crt sslclientkey = /etc/pki/ca1/client.key sslclientcert = /etc/pki/ca1/client.crt metadata_expire = 86400 enabled_metadata = 0
Configure the repository override to use the same
baseurl
and setrhsm
to true:{ "x86_64": [ { "name": "AppStream mirror example", "baseurl": "https://mirror.example.com/RHEL-8/8.0/AppStream/x86_64/os/", "gpgkey": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n (…)", "check_gpg": true, "rhsm": true } ] }
Restart the
osbuild-composer.service
:$ sudo systemctl restart osbuild-composer.service
Additional resources
- RHEL image builder uses CDN repositories when host is registered to Satellite 6 (Red Hat Knowledgebase)
3.7. Configuring and using Satellite CV as a content source
You can use Satellite’s content views (CV) as repositories to build images with RHEL image builder. To do so, on your host registered to Satellite, manually configure the repository references so that you can retrieve from the Satellite repositories, instead of the Red Hat Content Delivery Network (CDN) official repositories.
Prerequisites
- You are using RHEL image builder on a host registered to Satellite 6.
Procedure
Find the repository URL from your currently configured repositories:
$ sudo yum -v repolist rhel-8-for-x86_64-baseos-rpms | grep repo-baseurl Repo-baseurl :
The following output is an example:
https://satellite6.example.com/pulp/content/YourOrg/YourEnv/YourCV/content/dist/rhel8/8/x86_64/baseos/os
Modify the hard-coded repositories to a Satellite Server.
Create a repository directory with the
0755
permission:$ sudo mkdir -pvm 0755 /etc/osbuild-composer/repositories
Copy the content from
/usr/share/osbuild-composer/repositories/*.json
to the directory that you created:$ sudo cp /usr/share/osbuild-composer/repositories/*.json /etc/osbuild-composer/repositories/
Update the Satellite URL and the file contents through the
/content/dist/*
line:$ sudo sed -i -e 's|cdn.redhat.com|satellite6.example.com/pulp/content/YourOrg/YourEnv/YourCV|' /etc/osbuild-composer/repositories/*.json
Verify that the configuration was correctly replaced:
$ sudo vi /etc/osbuild-composer/repositories/rhel-8.json
Restart the services:
$ sudo systemctl restart osbuild-worker@1.service osbuild-composer.service
- Override the required system repository in Red Hat image builder configuration and use the URL of your Satellite repository as a baseurl. See Overriding a system repository.
Additional resources
- Composer RHEL image builder fails when multiple custom repositories are defined on the Satellite (Red Hat Knowledgebase)
3.8. Using Satellite CV as repositories to build images in RHEL image builder
Configure RHEL image builder to use Satellite’s content views (CV) as repositories to build your custom images.
Prerequisites
- You have integrated Satellite with RHEL web console. See Enabling the RHEL web console on Satellite
Procedure
- In the Satellite web UI, navigate to Content > Products, select your Product and click the repository you want to use.
- Search for the secured URL (HTTPS) in the Published field and copy it.
- Use the URL that you copied as a baseurl for the Red Hat image builder repository. See Adding custom third-party repositories to RHEL image builder.
Next steps
- Build the image. See Creating a system image by using RHEL image builder in the web console interface.