Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 4. Deploying confidential containers on IBM Z and IBM LinuxONE with peer pods

You can deploy confidential containers workloads on a Red Hat OpenShift Container Platform cluster running on IBM Z® and IBM® LinuxONE with peer pods.

In the peer pod approach, you leverage libvirt as the provider to launch peer pod virtual machines (VMs) on a logical partition (LPAR). The OpenShift Container Platform cluster is hosted on the same LPAR, either as a single-node or multi-node setup, where all nodes run as VMs (guests).

This approach enables flexible resource sharing and isolation in a virtualized environment, making it suitable for development, testing, or workloads that need isolation without requiring dedicated hardware.

Important

Confidential containers on IBM Z® and IBM® LinuxONE is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

4.1. Preparation
Copy link

Review these prerequisites and concepts before you deploy confidential containers on IBM Z® and IBM® LinuxONE with peer pods.

Note

IBM® Hyper Protect Confidential Container (HPCC) for Red Hat OpenShift Container Platform is now production-ready. HPCC enables Confidential Computing technology at the enterprise scale by providing a multiparty Hyper Protect Contract, deployment attestation, and validation of container runtime and OCI image integrity.

HPCC is supported by IBM Z17® and IBM® LinuxONE Emperor 5. For more information, see the IBM HPCC documentation.

4.1.1. Prerequisites
Copy link

  • You have installed the latest version of Red Hat OpenShift Container Platform on the cluster where you are running your confidential containers workload.
  • You have deployed Red Hat build of Trustee on an OpenShift Container Platform cluster in a trusted environment. For more information, see Deploying Red Hat build of Trustee.
  • You are using LinuxONE Emperor 4 or later.
  • You have enabled Secure Unpack Facility on your Logical Partition (LPAR), which is necessary for the IBM Secure Execution. For more information, see Enabling the KVM host for IBM Secure Execution.

4.1.2. Peer pod resource requirements
Copy link

You must ensure that your cluster has sufficient resources.

Peer pod virtual machines (VMs) require resources in two locations:

  • The worker node. The worker node stores metadata, Kata shim resources (containerd-shim-kata-v2), remote-hypervisor resources (cloud-api-adaptor), and the tunnel setup between the worker nodes and the peer pod VM.
  • The cloud instance. This is the actual peer pod VM running in the cloud.

The CPU and memory resources used in the Kubernetes worker node are handled by the pod overhead included in the RuntimeClass (kata-remote) definition used for creating peer pods.

The total number of peer pod VMs running in the cloud is defined as Kubernetes Node extended resources. This limit is per node and is set by the PEERPODS_LIMIT_PER_NODE attribute in the peer-pods-cm config map.

The extended resource is named kata.peerpods.io/vm, and enables the Kubernetes scheduler to handle capacity tracking and accounting.

You can edit the limit per node based on the requirements for your environment after you install the OpenShift sandboxed containers Operator.

A mutating webhook adds the extended resource kata.peerpods.io/vm to the pod specification. It also removes any resource-specific entries from the pod specification, if present. This enables the Kubernetes scheduler to account for these extended resources, ensuring the peer pod is only scheduled when resources are available.

The mutating webhook modifies a Kubernetes pod as follows:

  • The mutating webhook checks the pod for the expected RuntimeClassName value, specified in the TARGET_RUNTIMECLASS environment variable. If the value in the pod specification does not match the value in the TARGET_RUNTIMECLASS, the webhook exits without modifying the pod.

  • If the RuntimeClassName values match, the webhook makes the following changes to the pod spec:

    1. The webhook removes every resource specification from the resources field of all containers and init containers in the pod.
    2. The webhook adds the extended resource (kata.peerpods.io/vm) to the spec by modifying the resources field of the first container in the pod. The extended resource kata.peerpods.io/vm is used by the Kubernetes scheduler for accounting purposes.
Note

The mutating webhook excludes specific system namespaces in OpenShift Container Platform from mutation. If a peer pod is created in those system namespaces, then resource accounting using Kubernetes extended resources does not work unless the pod spec includes the extended resource.

As a best practice, define a cluster-wide policy to only allow peer pod creation in specific namespaces.

4.1.3. Initdata
Copy link

The initdata specification provides a flexible way to initialize a pod with workload-specific data at runtime, avoiding the need to embed such data in the virtual machine (VM) image.

This approach enhances security by reducing the exposure of confidential information and improves flexibility by eliminating custom image builds. For example, initdata can include three configuration settings:

  • An X.509 certificate for secure communication.
  • A cryptographic key for authentication.
  • An optional Kata Agent policy.rego file to enforce runtime behavior when overriding the default Kata Agent policy.

The initdata content configures the following components:

  • Attestation Agent (AA), which verifies the trustworthiness of the pod by sending evidence for attestation.
  • Confidential Data Hub (CDH), which manages secrets and secure data access within the pod VM.
  • Kata Agent, which enforces runtime policies and manages the lifecycle of the containers inside the pod VM.

You create an initdata.toml file and convert it to a Base64-encoded, gzip-format string. You apply the initdata string to your workload by one of the following methods:

  • Global configuration: Add the initdata string as the value of the INITDATA key in the peer pods config map to create a default configuration for all peer pods.

  • Pod configuration: Add the initdata string as an annotation to a pod manifest, allowing customization for individual workloads.

    Note

    The initdata annotation in the pod manifest overrides the global INITDATA value in the peer pods config map for that specific pod. The Kata runtime handles this precedence automatically at pod creation time.

4.2. Deployment overview
Copy link

You deploy confidential containers on IBM Z® and IBM® LinuxONE with peer pods by performing the following steps:

  1. Install the OpenShift sandboxed containers Operator.
  2. Create the peer pods secret.
  3. Enable the confidential containers feature gate.
  4. Create initdata to initialize a peer pod with sensitive or workload-specific data at runtime.

  5. Create initdata to initialize a pod with sensitive or workload-specific data at runtime.

    Important

    Do not use the default permissive Kata Agent policy in a production environment. You must configure a restrictive policy, preferably by creating initdata.

    As a minimum requirement, you must disable ExecProcessRequest to prevent a cluster administrator from accessing sensitive data by running the oc exec command on a confidential containers pod.

  6. Create the peer pods config map. You can add initdata to the config map to create a default global configuration for your peer pods.
  7. Create the KataConfig CR.
  8. Verify the attestation process.

4.3. Creating MachineConfig config map for TDX
Copy link

If you use Intel Trust Domain Extensions (TDX), you must create a MachineConfig object before you install the Red Hat build of Trustee Operator.

Procedure

  1. Create a tdx-machine-config.yaml manifest file according to the following example: 

    apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: <role>
    1 
    
  name: 99-enable-intel-tdx
spec:
  kernelArguments:
  - kvm_intel.tdx=1
  - nohibernate
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
        - path: /etc/modules-load.d/vsock.conf
          mode: 0644
          contents:
            source: data:text/plain;charset=utf-8;base64,dnNvY2stbG9vcGJhY2sK
    Copy to Clipboard Toggle word wrap
    1
    Specify master for single-node OpenShift or kata-oc for a multi-node cluster.

  2. Create the TDX config map by running the following command: 

    $ oc create -f tdx-config.yaml
    Copy to Clipboard Toggle word wrap

You can install or upgrade the OpenShift sandboxed containers Operator by using the command line interface (CLI).

Note

You must configure the OpenShift sandboxed containers Operator subscription for manual updates by setting the value of installPlanApproval to Manual. Automatic updates are not supported.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. Create an osc-namespace.yaml manifest file: 

    apiVersion: v1
kind: Namespace
metadata:
  name: openshift-sandboxed-containers-operator
    Copy to Clipboard Toggle word wrap

  2. Create the namespace by running the following command: 

    $ oc apply -f osc-namespace.yaml
    Copy to Clipboard Toggle word wrap

  3. Create an osc-operatorgroup.yaml manifest file: 

    apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: sandboxed-containers-operator-group
  namespace: openshift-sandboxed-containers-operator
spec:
  targetNamespaces:
  - openshift-sandboxed-containers-operator
    Copy to Clipboard Toggle word wrap

  4. Create the operator group by running the following command: 

    $ oc apply -f osc-operatorgroup.yaml
    Copy to Clipboard Toggle word wrap

  5. Create an osc-subscription.yaml manifest file: 

    apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: sandboxed-containers-operator
  namespace: openshift-sandboxed-containers-operator
spec:
  channel: stable
  installPlanApproval: Manual
  name: sandboxed-containers-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace
  startingCSV: sandboxed-containers-operator.v1.11.0
    Copy to Clipboard Toggle word wrap

  6. Create the subscription by running the following command: 

    $ oc create -f osc-subscription.yaml
    Copy to Clipboard Toggle word wrap

  7. Get the InstallPlan CR for the OpenShift sandboxed containers Operator by running the following command: 

    $ oc get installplan -n openshift-sandboxed-containers-operator
    Copy to Clipboard Toggle word wrap

    • Installation example output 

      NAME            CSV                                      APPROVAL  APPROVED
install-bl4fl   sandboxed-containers-operator.v1.11.0    Manual    false
      Copy to Clipboard Toggle word wrap

    • Upgrade example output 

      NAME            CSV                                     APPROVAL   APPROVED
install-jdzrb   sandboxed-containers-operator.v1.11.0   Manual     false
install-pfk8l   sandboxed-containers-operator.v1.10.3   Manual     true
      Copy to Clipboard Toggle word wrap

  8. Approve the manual installation by running the following command: 

    $ oc patch installplan <installplan_name> -p '{"spec":{"approved":true}}' --type=merge -n openshift-sandboxed-containers-operator
    Copy to Clipboard Toggle word wrap
    <installplan_name>
    Specify the InstallPlan resource. For example, install-jdzrb.

  9. Verify that the Operator is correctly installed by running the following command: 

    $ oc get csv -n openshift-sandboxed-containers-operator
    Copy to Clipboard Toggle word wrap

    This command can take several minutes to complete.

  10. Watch the process by running the following command: 

    $ watch oc get csv -n openshift-sandboxed-containers-operator
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                             DISPLAY                                  VERSION             REPLACES                   PHASE
openshift-sandboxed-containers   openshift-sandboxed-containers-operator  1.11.0    1.10.3        Succeeded
    Copy to Clipboard Toggle word wrap

4.5. Creating the peer pods secret
Copy link

You must create a peer pods secret. The secret stores credentials for creating the pod virtual machine (VM) image and peer pod instances.

Prerequisites

  • LIBVIRT_URI. This value is the default gateway IP address of the libvirt network. Check your libvirt network setup to obtain this value.

    Note

    If libvirt uses the default bridge virtual network, you can obtain the LIBVIRT_URI by running the following commands: 

    $ virtint=$(bridge_line=$(virsh net-info default | grep Bridge);  echo "${bridge_line//Bridge:/}" | tr -d [:blank:])

$ LIBVIRT_URI=$( ip -4 addr show $virtint | grep -oP '(?<=inet\s)\d+(\.\d+){3}')

$ LIBVIRT_GATEWAY_URI="qemu+ssh://root@${LIBVIRT_URI}/system?no_verify=1"
    Copy to Clipboard Toggle word wrap
  • REDHAT_OFFLINE_TOKEN. You have generated this token to download the RHEL image at Red Hat API Tokens.
  • HOST_KEY_CERTS. The Host Key Document (HKD) certificate enables secure execution on IBM Z®. For more information, see Obtaining a host key document from Resource Link in the IBM documentation.

Procedure

  1. Create a peer-pods-secret.yaml manifest file according to the following example: 

    apiVersion: v1
kind: Secret
metadata:
  name: peer-pods-secret
  namespace: openshift-sandboxed-containers-operator
type: Opaque
stringData:
  CLOUD_PROVIDER: "libvirt"
  LIBVIRT_URI: "<libvirt_gateway_uri>"
    1 
    
  REDHAT_OFFLINE_TOKEN: "<rh_offline_token>"
    2 
    
  HOST_KEY_CERTS: "<host_key_crt_value>"
    3
    Copy to Clipboard Toggle word wrap
    1
    Specify the libvirt URI.
    2
    Specify the Red Hat offline token, which is required for the Operator-built image.
    3
    Specify the HKD certificate value to enable IBM Secure Execution for the Operator-built image.

  2. Create the secret by running the following command: 

    $ oc create -f peer-pods-secret.yaml
    Copy to Clipboard Toggle word wrap

4.6. Creating the osc-feature-gates config map
Copy link

You enable the confidential containers feature gate by creating the config map.

Procedure

  1. Create a my-feature-gate.yaml manifest file: 

    apiVersion: v1
kind: ConfigMap
metadata:
  name: osc-feature-gates
  namespace: openshift-sandboxed-containers-operator
data:
  confidential: "true"
  deploymentMode: <deployment_mode>
    Copy to Clipboard Toggle word wrap

    where

    <deployment_mode>

    On OpenShift Container Platform clusters with the Machine Config Operator (MCO), the deploymentMode field is optional and can be omitted. Specifies the strategy for installing and configuring the Kata runtime. Specify the deployment mode:

    • MachineConfig for clusters that always use the MCO
    • DaemonSet for clusters that never use the MCO
    • DaemonSetFallback for clusters that sometimes use the MCO

  2. Create the my-feature-gates config map by running the following command: 

    $ oc create -f my-feature-gate.yaml
    Copy to Clipboard Toggle word wrap

4.7. Creating initdata
Copy link

You create initdata to securely initialize a pod with sensitive or workload-specific data at runtime, thus avoiding the need to embed this data in a virtual machine image. This approach provides additional security by reducing the risk of exposure of confidential information and eliminates the need for custom image builds.

You can specify initdata in the pods config map, for global configuration, or in a pod manifest, for a specific pod. The initdata value in a pod manifest overrides the value set in the pods config map.

Important

In a production environment, you must create initdata to override the default permissive Kata agent policy.

You can specify initdata in the peer pods config map, for global configuration, or in a peer pod manifest, for a specific pod. The initdata value in a peer pod manifest overrides the value set in the peer pods config map.

Important

You must delete the kbs_cert setting if you configure insecure_http = true in the kbs-config config map for Red Hat build of Trustee.

Procedure

  1. Obtain the Red Hat build of Trustee IP address by running the following command: 

    $ oc get node $(oc get pod -n trustee-operator-system \
  -o jsonpath='{.items[0].spec.nodeName}') \
  -o jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}'
    Copy to Clipboard Toggle word wrap

    Example output

    192.168.122.22
    Copy to Clipboard Toggle word wrap

  2. Obtain the port by running the following command: 

    $ oc get svc kbs-service -n trustee-operator-system
    Copy to Clipboard Toggle word wrap

    Example output

    NAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
kbs-service  NodePort    172.30.116.11   <none>        8080:32178/TCP   12d
    Copy to Clipboard Toggle word wrap

  3. Create the initdata.toml file: 

    algorithm = "sha384"
version = "0.1.0"

[data]
"aa.toml" = '''
[token_configs]
[token_configs.coco_as]

url = '<trustee_url>'

[token_configs.kbs]
url = '<trustee_url>'
'''

"cdh.toml" = '''
socket = 'unix:///run/confidential-containers/cdh.sock'
credentials = []

[kbc]
name = 'cc_kbc'
url = '<trustee_url>'
kbs_cert = """
-----BEGIN CERTIFICATE-----
<kbs_certificate>
-----END CERTIFICATE-----
"""
[image]
image_security_policy_uri = 'kbs:///default/<secret-policy-name>/<key>
'''

"policy.rego" = '''
package agent_policy

default AddARPNeighborsRequest := true
default AddSwapRequest := true
default CloseStdinRequest := true
default CopyFileRequest := true
default CreateContainerRequest := true
default CreateSandboxRequest := true
default DestroySandboxRequest := true
default GetMetricsRequest := true
default GetOOMEventRequest := true
default GuestDetailsRequest := true
default ListInterfacesRequest := true
default ListRoutesRequest := true
default MemHotplugByProbeRequest := true
default OnlineCPUMemRequest := true
default PauseContainerRequest := true
default PullImageRequest := true
default ReadStreamRequest := true
default RemoveContainerRequest := true
default RemoveStaleVirtiofsShareMountsRequest := true
default ReseedRandomDevRequest := true
default ResumeContainerRequest := true
default SetGuestDateTimeRequest := true
default SignalProcessRequest := true
default StartContainerRequest := true
default StartTracingRequest := true
default StatsContainerRequest := true
default StopTracingRequest := true
default TtyWinResizeRequest := true
default UpdateContainerRequest := true
default UpdateEphemeralMountsRequest := true
default UpdateInterfaceRequest := true
default UpdateRoutesRequest := true
default WaitProcessRequest := true
default ExecProcessRequest := false
default SetPolicyRequest := false
default WriteStreamRequest := false

ExecProcessRequest if {
    input_command = concat(" ", input.process.Args)
    some allowed_command in policy_data.allowed_commands
    input_command == allowed_command
}

policy_data := {
  "allowed_commands": [
        "curl http://127.0.0.1:8006/cdh/resource/default/attestation-status/status"
  ]
}
'''
    Copy to Clipboard Toggle word wrap
    url
    Specify the Red Hat build of Trustee IP address and the port, for example, https://192.168.122.22:32178.
    <kbs_certificate>
    Specify the Base64-encoded TLS certificate for the attestation agent.
    kbs_cert
    Delete the kbs_cert setting if you configure insecure_http = true in the kbs-config config map for Red Hat build of Trustee.
    image_security_policy_uri
    Optional, only if you enabled the container image signature verification policy. Replace <secret-policy-name> and <key> with the secret name and key, respectively specified in Creating the KbsConfig custom resource.

  4. Convert the initdata.toml file to a Base64-encoded string in gzip format in a text file by running the following command: 

    $ cat initdata.toml | gzip | base64 -w0 > initdata.txt
    Copy to Clipboard Toggle word wrap

    Record this string to use in the peer pods config map or the peer pod manifest.

4.8. Applying initdata to a pod
Copy link

You can override the global INITDATA setting you applied in the peer pods config map by applying customized initdata to a specific pod for special use cases, such as development and testing with a relaxed policy, or when using different Red Hat build of Trustee configurations. You can customize initdata by adding an annotation to the workload pod YAML.

Prerequisite

  • You have created an initdata string.

Procedure

  1. Add the initdata string to the pod manifest: 

    apiVersion: v1
kind: Pod
metadata:
  name: ocp-cc-pod
  labels:
    app: ocp-cc-pod
  annotations:
    io.katacontainers.config.hypervisor.cc_init_data: <initdata_string>
spec:
  runtimeClassName: kata-cc
  containers:
  - name: <container_name>
    image: registry.access.redhat.com/ubi9/ubi:latest
    command:
    - sleep
    - "36000"
    securityContext:
      privileged: false
      seccompProfile:
        type: RuntimeDefault
    Copy to Clipboard Toggle word wrap

  2. Create the pod by running the following command: 

    $ oc create -f my-pod.yaml
    Copy to Clipboard Toggle word wrap

4.9. Creating the KataConfig custom resource
Copy link

You must create the KataConfig custom resource (CR) to install kata-cc as a runtime class on your worker nodes.

OpenShift sandboxed containers installs kata-cc as a secondary, optional runtime on the cluster and not as the primary runtime.

Creating the KataConfig CR automatically reboots the worker nodes. The reboot can take from 10 to more than 60 minutes. The following factors can increase the reboot time:

  • A large OpenShift Container Platform deployment with a greater number of worker nodes.
  • Activation of the BIOS and Diagnostics utility.
  • Deployment on a hard disk drive rather than an SSD.
  • Deployment on physical nodes such as bare metal, rather than on virtual nodes.
  • A slow CPU and network.

Procedure

  1. Create an example-kataconfig.yaml manifest file according to the following example: 

    apiVersion: kataconfiguration.openshift.io/v1
kind: KataConfig
metadata:
  name: example-kataconfig
spec:

  enablePeerPods: true

  logLevel: info
#  kataConfigPoolSelector:
#    matchLabels:
#      <label_key>: '<label_value>'
    1
    Copy to Clipboard Toggle word wrap
    1
    Optional: If you have applied node labels to install kata-cc on specific nodes, specify the key and value, for example, cc: 'true'.

  2. Create the KataConfig CR by running the following command: 

    $ oc create -f example-kataconfig.yaml
    Copy to Clipboard Toggle word wrap

    The new KataConfig CR is created and installs kata-cc as a runtime class on the worker nodes.

    Wait for the kata-cc installation to complete and the worker nodes to reboot before verifying the installation.

  3. Monitor the installation progress by running the following command: 

    $ watch "oc describe kataconfig | sed -n /^Status:/,/^Events/p"
    Copy to Clipboard Toggle word wrap

    When the status of all workers under kataNodes is installed and the condition InProgress is False without specifying a reason, the kata-cc is installed on the cluster.

  4. Verify that you have built the peer pod image and uploaded it to the libvirt volume by running the following command: 

    $ oc describe configmap peer-pods-cm -n openshift-sandboxed-containers-operator
    Copy to Clipboard Toggle word wrap

    Example output

    Name: peer-pods-cm
Namespace: openshift-sandboxed-containers-operator
Labels: <none>
Annotations: <none>

Data
====
CLOUD_PROVIDER: libvirt
DISABLECVM: false
    1 
    
LIBVIRT_IMAGE_ID: fa-pp-vol
    2 
    

BinaryData
====
Events: <none>
    Copy to Clipboard Toggle word wrap

    1
    Enables the Confidential VM during IBM Secure Execution for the Operator-built image.
    2
    Contains a value if you have built the peer pod image and uploaded it to the libvirt volume.

  5. Monitor the kata-oc machine config pool progress to ensure that it is in the UPDATED state, when UPDATEDMACHINECOUNT equals MACHINECOUNT, by running the following command: 

    $ watch oc get mcp/kata-oc
    Copy to Clipboard Toggle word wrap

  6. Verify the daemon set by running the following command: 

    $ oc get -n openshift-sandboxed-containers-operator ds/osc-caa-ds
    Copy to Clipboard Toggle word wrap

  7. Verify the runtime classes by running the following command: 

    $ oc get runtimeclass
    Copy to Clipboard Toggle word wrap

    Example output

    NAME             HANDLER          AGE
kata-cc      kata-se      152m
    Copy to Clipboard Toggle word wrap

4.10. Verifying attestation
Copy link

You can verify the attestation process by creating a BusyBox pod. The pod image deploys the confidential workload where you can retrieve the key.

Important

This procedure is an example to verify that attestation is working. Do not write sensitive data to standard I/O, because the data can be captured by using a memory dump. Only data written to memory is encrypted.

Procedure

  1. Create a test-pod.yaml manifest file: 

    apiVersion: v1
kind: Pod
metadata:
  name: busybox
  namespace: default
  annotations:
    io.katacontainers.config.hypervisor.cc_init_data: <initdata_string>
    1 
    
  labels:
    run: busybox
spec:
  runtimeClassName: kata-cc
  restartPolicy: Never
  containers:
  - name: busybox
    image: quay.io/prometheus/busybox:latest
    imagePullPolicy: Always
    command:
      - "sleep"
      - "3600"
    Copy to Clipboard Toggle word wrap
    1
    Optional: Setting initdata in a pod annotation overrides the global INITDATA setting in the peer pods config map.

  2. Create the pod by running the following command: 

    $ oc create -f test-pod.yaml
    Copy to Clipboard Toggle word wrap

  3. Log in to the pod by running the following command: 

    $ oc exec -it busybox -n default -- /bin/sh
    Copy to Clipboard Toggle word wrap

  4. Fetch the Red Hat build of Trustee resource by running the following command: 

    $ wget http://127.0.0.1:8006/cdh/resource/default/kbsres1/key1
    Copy to Clipboard Toggle word wrap

    Example output

    Connecting to 127.0.0.1:8006 (127.0.0.1:8006)
saving to 'key1'
key1                 100% |*******************************************|     8  0:00:00 ETA
'key1' saved
    Copy to Clipboard Toggle word wrap

  5. Display the key1 value by running the following command: 

    $ cat key1
    Copy to Clipboard Toggle word wrap

    Example output

    success #/
    Copy to Clipboard Toggle word wrap

Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat