Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 3. Manage containers in private automation hub

Private automation hub functions as an internal container registry for your organization. It allows you to store, manage, and govern the container images, or automation execution environments, that your teams use to run automation.

To effectively manage these containers, first learn the difference between the two types of registries in your workflow:

External registries (Source): Public or third-party registries where you source your initial images. Common examples include the Red Hat Ecosystem Catalog (registry.redhat.io) or Quay.io. You can pull images from these registries to your local environment.

Private automation hub registry, or your "remote" registry (Destination): Your internal, secure registry hosted on private automation hub. You push your curated and approved images here. Your Ansible Automation Platform infrastructure then pulls these images from private automation hub to execute jobs.

3.1. Managing your private automation hub registry
Copy link

You do not build container images directly inside private automation hub. Instead, use the following workflow to populate and manage your registry.

Procedure

  1. Pull an execution environment from an external registry (like registry.redhat.io) to your local machine.
  2. Tag the image locally for your private automation hub registry.
  3. Push the image to your private automation hub.
  4. Configure access permissions and documentation (such as READMEs) within private automation hub so your teams can use the image.

Configure team access to container repositories in private automation hub to control who can access and manage automation execution environments.

3.2.1. Remote registry team permissions
Copy link

Create and assign permissions to a team in private automation hub to allow users to access specific features in the system. New teams do not have any assigned permissions by default. You must add permissions when first creating a team or edit an existing team to add or remove permissions.

For more on managing access through teams, see Teams in the Access management and authentication guide.

The following table lists permissions you can grant to teams to ensure they have the correct level of access and privileges to your remote registries.

Expand
Table 3.1. Team permissions for managing containers in private automation hub
Permission nameDescription

Create new containers

Users can create new containers

Change container namespace permissions

Users can change permissions on the container repository

Change container

Users can change information on a container

Change execution environment tags

Users can modify execution environment tags

Push to existing container

Users can push an execution environment to an existing container

You must follow a specific workflow to populate your private automation hub remote registry:

  • Pull automation execution environments from the Red Hat Ecosystem Catalog (registry.redhat.io)
  • Tag them
  • Push them to your private automation hub remote registry
Important

As of April 1st, 2025, quay.io is adding three additional endpoints. As a result, you must adjust the allow/block lists within your firewall systems lists to include the following endpoints:

  • cdn04.quay.io
  • cdn05.quay.io
  • cdn06.quay.io

To avoid problems pulling container images, customers must allow outbound TCP connections (ports 80 and 443) to the following hostnames:

  • cdn.quay.io
  • cdn01.quay.io
  • cdn02.quay.io
  • cdn03.quay.io
  • cdn04.quay.io
  • cdn05.quay.io
  • cdn06.quay.io

This change should be made to any firewall configuration that specifically enables outbound connections to registry.redhat.io or registry.access.redhat.com.

Use the hostnames instead of IP addresses when configuring firewall rules.

After making this change, you can continue to pull images from registry.redhat.io or registry.access.redhat.com. You do not require a quay.io login, or need to interact with the quay.io registry directly in any way to continue pulling Red Hat container images.

For more information, see Firewall changes for container image pulls 2024/2025.

Ensure that the Network ports and protocols listed in Table 6.4. Execution Environments (EE) are available to avoid problems pulling container images.

Before you can push execution environments to your private automation hub, you must first pull them from an existing registry and tag them for use. The following example details how to pull an execution environment from the Red Hat Ecosystem Catalog (registry.redhat.io).

Prerequisites

  • You have permissions to pull automation execution environments from registry.redhat.io.

Procedure

  1. Log in to Podman with your registry.redhat.io credentials: 

    $ podman login registry.redhat.io
    Copy to Clipboard Toggle word wrap

  2. Pull an execution environment: 

    $ podman pull registry.redhat.io/<ee_name>:<tag>
    Copy to Clipboard Toggle word wrap

Verification

To verify that the execution environment you pulled is contained in the list, take these steps:

  1. List the images in local storage: 

    $ podman images
    Copy to Clipboard Toggle word wrap
  2. Check the execution environment name, and verify that the tag is correct.

After you pull execution environments from a registry, tag them for use in your private automation hub remote registry.

Prerequisites

  • You have pulled an execution environment from an external registry.
  • You have the FQDN or IP address of the automation hub instance.

Procedure

  • Tag a local execution environment with the automation hub container repository: 

    $ podman tag registry.redhat.io/<ee_name>:<tag> <automation_hub_hostname>/<ee_name>
    Copy to Clipboard Toggle word wrap

Verification

  1. List the images in local storage: 

    $ podman images
    Copy to Clipboard Toggle word wrap
  2. Verify that the execution environment you tagged with your automation hub information is contained in the list.

You can push tagged execution environments to private automation hub to create new containers and populate the remote registry.

Prerequisites

  • You have permissions to create new containers.
  • You have the FQDN or IP address of the Ansible Automation Platform instance.

Procedure

  1. Log in to Podman using your Ansible Automation Platform location and credentials: 

    $ podman login -u=<username> -p=<password> <aap_url>
    Copy to Clipboard Toggle word wrap
    Warning

    Let Podman prompt you for your password when you log in. Entering your password at the same time as your username can expose your password to the shell history.

  2. Push your execution environment to your automation hub remote registry: 

    $ podman push <automation_hub_url>/<ee_name>
    Copy to Clipboard Toggle word wrap

Troubleshooting

The push operation re-compresses image layers during the upload, which is not guaranteed to be reproducible and is client-implementation dependent. This may lead to image-layer digest changes and a failed push operation, resulting in Error: Copying this image requires changing layer representation, which is not possible (image is signed or the destination specifies a digest).

Verification

  1. Log in to your Ansible Automation Platform.
  2. Navigate to Automation Content Execution Environments.
  3. Locate the container in the container repository list.

3.4. Setting up your container repository
Copy link

When you set up your container repository, you can add a description, include a README, add teams that can access the repository, and tag automation execution environments.

Add a README to your container repository to provide instructions to your users on how to work with the container. Automation hub container repositories support Markdown for creating a README. By default, the README is empty.

Prerequisites

  • You have permissions to change containers.

Procedure

  1. Log in to Ansible Automation Platform.
  2. From the navigation panel, select Automation Content Execution Environments.
  3. Select your execution environment.
  4. On the Detail tab, click Add.
  5. In the Raw Markdown text field, enter your README text in Markdown.
  6. Click Save when you are finished.

Next steps

After you add a README, you can edit it at any time by clicking Edit and repeating steps 4 and 5.

Provide users with access to your automation execution environments by adding them to a team. Then, modify the permissions the team can have to a particular execution environment.

Prerequisites

  • You have change container namespace permissions.

Procedure

  1. Log in to Ansible Automation Platform.
  2. From the navigation panel, select Automation Content Execution Environments.
  3. Select your automation execution environment.
  4. From the Team Access tab, click Add roles.
  5. Select the team or teams to which you want to grant access and click Next.
  6. Select the roles that you want to add to this execution environment and click Next.
  7. Click Finish.

3.4.3. Tagging container images
Copy link

Tag automation execution environments to add an additional name to automation execution environments stored in your automation hub container repository. If no tag is added to an automation execution environment, automation hub defaults to latest for the name.

Prerequisites

  • You have change automation execution environment tags permissions.

Procedure

  1. From the navigation panel, select Automation Content Execution Environments.
  2. Select your automation execution environments.
  3. Click the Images tab.
  4. Click the More Actions icon , and click Manage tags.
  5. Add a new tag in the text field and click Add.
  6. Optional: Remove current tags by clicking x on any of the tags for that image.

Verification

  • Click the Activity tab and review the latest changes.

3.4.4. Creating a credential
Copy link

To pull automation execution environments images from a password or token-protected registry, you must create a credential.

In earlier versions of Ansible Automation Platform, you were required to deploy a registry to store execution environment images. On Ansible Automation Platform 2.0 and later, the system operates as if you already have a remote registry up and running. To store execution environment images, add the credentials of only your selected remote registries.

Procedure

  1. Log in to Ansible Automation Platform.
  2. From the navigation panel, select Automation Execution Infrastructure Credentials.
  3. Click Create credential to create a new credential.
  4. Enter an authorization Name, Description, and Organization.
  5. In the Credential Type drop-down, select Container Registry.
  6. Enter the Authentication URL. This is the remote registry address.
  7. Enter the Username and Password or Token required to log in to the remote registry.
  8. Optional: To enable SSL verification, select Verify SSL.
  9. Click Create credential.

3.5. Pulling images from a container repository
Copy link

Pull automation execution environments from the automation hub remote registry to make a copy to your local machine. Automation hub provides the podman pull command for each latest execution environment in the container repository. You can copy and paste this command into your terminal, or use podman pull to copy an execution environment based on an execution environment tag.

3.5.1. Pulling an image
Copy link

You can pull an execution environment from your private automation hub remote registry to make a copy to your local machine.

Prerequisites

  • You must have permission to view and pull from a private container repository.
  • If you are pulling automation execution environments from a password or token-protected registry, create a credential first.

Procedure

  1. From the navigation panel, select Automation Content Execution Environments.
  2. Select your automation execution environments.
  3. In the Pull this image entry, click Copy to clipboard.
  4. Paste and run the command in your terminal.

Verification

  • Run podman images to view images on your local machine.

3.5.2. Syncing images from a container repository
Copy link

You can pull automation execution environments from the private automation hub remote registry to sync an image to your local machine. To sync an execution environment from a remote registry, you must first configure a remote registry.

Prerequisites

You must have permission to view and pull from a private container repository.

Procedure

  1. From the navigation panel, select Automation Content Execution Environments.
  2. Add https://registry.redhat.io to the registry.

  3. Add any required credentials to authenticate.

    Note

    Some remote registries are aggressive with rate limiting. Set a rate limit under Advanced Options.

  4. From the navigation panel, select Automation Content Execution Environments.
  5. Click Create execution environment in the page header.

  6. Select the registry you want to pull from. The Name field displays the name of the automation execution environments displayed on your local registry.

    Note

    The Upstream name field is the name of the image on the remote server. For example, if the upstream name is set to "alpine" and the Name field is "local/alpine", the alpine image is downloaded from the remote and renamed to "local/alpine".

  7. Set a list of tags to include or exclude. Note that syncing automation execution environments with a large number of tags is time consuming and uses a lot of disk space.

3.6. Working with signed containers
Copy link

Add an extra layer of security to your content by enabling container signing in private automation hub.

3.6.1. Deploying your system for container signing
Copy link

To deploy your system so that it is ready for container signing, first ensure that you have enabled automation content collection and container signing. Then you can create a signing script, or add and sign an execution environment manually.

Note that installer looks for the script and key on the same server where installer is located.

Procedure

  1. From a terminal, create a signing script, and pass the script path as an installer parameter.

    Example: 

    #!/usr/bin/env bash

# pulp_container SigningService will pass the next 4 variables to the script.
MANIFEST_PATH=$1
FINGERPRINT="$PULP_SIGNING_KEY_FINGERPRINT"
IMAGE_REFERENCE="$REFERENCE"
SIGNATURE_PATH="$SIG_PATH"

# Create container signature using skopeo
skopeo standalone-sign \
  $MANIFEST_PATH \
  $IMAGE_REFERENCE \
  $FINGERPRINT \
  --output $SIGNATURE_PATH

# Optionally pass the passphrase to the key if password protected.
# --passphrase-file /path/to/key_password.txt

# Check the exit status
STATUS=$?
if [ $STATUS -eq 0 ]; then
  echo {\"signature_path\": \"$SIGNATURE_PATH\"}
else
  exit $STATUS
fi
    Copy to Clipboard Toggle word wrap

  2. Review the Ansible Automation Platform installer inventory file for options for container signing that begin with automationhub_*. 

    [all:vars]
.
.
.

automationhub_create_default_container_signing_service = True
automationhub_container_signing_service_key = /absolute/path/to/key/to/sign
automationhub_container_signing_service_script = /absolute/path/to/script/that/signs
    Copy to Clipboard Toggle word wrap

  3. Once installation is complete, log in to Ansible Automation Platform and navigate to Automation Content Signature Keys.

    Note

    The container-default service is created by the Ansible Automation Platform installer.

Verification

Ensure that you have a key titled container-default, or container-anyname.

You can add containers remotely to automation hub in one of the following two ways:

  • By creating remotes
  • By using an automation execution environment

Procedure

  1. Log in to Ansible Automation Platform.
  2. From the navigation panel, select Automation Content Remote Registries.

  3. Click Create remote registry.

    • In the Name field, enter the name of the registry where the container resides.
    • In the URL field, enter the URL of the registry where the container resides.
    • In the Username field, enter the username if necessary.
    • In the Password field, enter the password if necessary.
    • Click Create remote registry.

3.6.3. Adding and signing an execution environment
Copy link

Push a signed execution environment to your private automation hub for added security.

Procedure

  1. From the navigation panel, select Automation Content Execution Environments.

  2. Click Create execution environment and enter the relevant information in the fields that appear.

    1. The Name field displays the name of the execution environment on your local registry.
    2. The Upstream name field is the name of the image on the remote server.
    3. Under Registry, select the name of the registry from the drop-down menu.
    4. Optional: Enter tags in the Add tag(s) to include field. If the field is blank, all the tags are passed. You must specify which repository-specific tags to pass.
    5. Optional: Enter tags to exclude in the Add tag(s) to exclude field.
  3. Click Create execution environment. You should see your new execution environment in the list that appears.

  4. Sync and sign your new automation execution environment.

    1. Click the More Actions icon and select Sync execution environment.
    2. Click the More Actions icon and select Sign execution environment.
  5. Click on your new execution environment. On the Details page, find the Signed label to determine that your execution environment has been signed.

Sign an automation execution environment on a local system and push the signed execution environment to the automation hub registry.

Procedure

  1. From a terminal, log in to Podman, or any container client currently in use, and pull the execution environment you want to sign. 

     podman pull <container-name>
    Copy to Clipboard Toggle word wrap

  2. After the execution environment is pulled, add tags (for example: latest, rc, beta, or version numbers, such as 1.0, 2.3, and so on): 

     podman tag <container-name> <server-address>/<container-name>:<tag name>
    Copy to Clipboard Toggle word wrap

  3. Sign the execution environment after changes have been made, and push it back up to the automation hub registry: 

     podman push <server-address>/<container-name>:<tag name> --tls-verify=false --sign-by <reference to the gpg key on your local>
    Copy to Clipboard Toggle word wrap

    If the execution environment is not signed, it can only be pushed with any current signature embedded. Alternatively, you can use the following script to push the execution environment without signing it: 

     podman push <server-address>/<container-name>:<tag name> --tls-verify=false
    Copy to Clipboard Toggle word wrap
  4. After the execution environment has been pushed, navigate to Automation Content Execution Environments.
  5. To display the new execution environment, click the Refresh icon.
  6. Click the name of the image to view your pushed image.

Troubleshooting

The details page for each execution environment indicates whether it has been signed. If the details page indicates that an image is Unsigned, you can sign the execution environment from automation hub using the following steps:

  1. Click the execution environment name to navigate to the details page.

  2. Click the More Actions icon . Three options are available:

    • Sign execution environment
    • Use in Controller
    • Delete execution environment
  3. Click Sign execution environment from the drop-down menu.

Verification

After the execution environment is signed, the status changes to "signed".

Podman and other image clients can use policies to ensure the validity of an image. To enable this capability, assign a policy to the signature.

To ensure an execution environment is signed by specific signatures, the signatures must first be on your local environment.

Procedure

  1. From the navigation panel, select Automation Content Signature Keys.
  2. Click the Download key icon next to the signature that you are using. A new window should open to indicate you have downloaded the key.

3.6.6. Configure the client to verify signatures
Copy link

To ensure an execution environment pulled from the remote registry is properly signed, first configure the execution environment with the proper public key in a policy file.

Prerequisites

  • The client must have sudo privileges configured to verify signatures.

Procedure

  1. Open your terminal and use the following command: 

    sudo <name of editor> /etc/containers/policy.json
    Copy to Clipboard Toggle word wrap

    The file that is displayed is similar to this: 

    {
  "default": [{"type": "reject"}],
  "transports": {
  	"docker": {
    	"quay.io": [{"type": "insecureAcceptAnything"}],
    	"docker.io": [{"type": "insecureAcceptAnything"}],
    	"<server-address>": [
      	{
          	    "type": "signedBy",
          	    "keyType": "GPGKeys",
          	    "keyPath": "/tmp/containersig.txt"
      	}]
  	}
  }
}
    Copy to Clipboard Toggle word wrap

    This file shows that neither quay.io, or docker.io will perform the verification, because the type is insecureAcceptAnything which overrides the default type of reject. However, <server-address> will perform the verification, because the parameter type is set to "signedBy".

    Note

    The only keyType currently supported is GPG keys.

  2. Under the <server-address> entry, modify the keyPath <1> to include the name of your key file. 

    {
    	"default": [{"type": "reject"}],
    	"transports": {
        	"docker": {
          	  "quay.io": [{"type": "insecureAcceptAnything"}],
          	  "docker.io": [{"type": "insecureAcceptAnything"}],
          	  "<server-address>": [{
                	"type": "signedBy",
                	"keyType": "GPGKeys",
                	"keyPath": "/tmp/<key file name>",
                	"signedIdentity": {
                  	  "type": "matchExact"
                    }
            	  }]
            }
    	}
}
    Copy to Clipboard Toggle word wrap
  3. Save and close the file.

Verification

  • Pull the file using Podman, or your client of choice: 
 podman pull <server-address>/<container-name>:<tag name> --tls-verify=false
Copy to Clipboard Toggle word wrap

This response verifies the execution environment has been signed with no errors. If the execution environment is not signed, the command fails.

3.6.7. Deleting a container repository
Copy link

Delete a remote repository from your Ansible Automation Platform to manage your disk space. You can delete repositories from the Red Hat Ansible Automation Platform interface in the Execution Environment list view.

Prerequisites

  • You have permissions to manage repositories.

Procedure

  1. Log in to Ansible Automation Platform.
  2. From the navigation panel, select Automation Content Execution Environments.
  3. On the container repository that you want to delete, click the More Actions icon , and click Delete execution environment.
  4. When the confirmation message is displayed, click the checkbox and click Delete execution environment.

Verification

  • Return to the execution environment list view. If the execution environment has been successfully deleted, it will no longer be in the list.
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat