Build the operating system image with bootc

Build the operating system image with the bootc that contains the Red Hat Edge Manager agent. You can optionally include the following items in your operating system image:

About this task
Copy link

  • The agent configuration for early binding
  • Any drivers
  • Host configuration
  • Application workloads that you need

Complete the following steps:

Procedure
Copy link

  1. Create a Containerfile file with the following content to build a RHEL 9-based operating system image that includes the Red Hat Edge Manager agent and configuration:
  2. Build instructions for the bootc image: 
    FROM registry.redhat.io/rhel9/rhel-bootc:<required_os_version>
RUN dnf --enablerepo ansible-automation-platform-2.5-for-rhel-9-x86_64-rpms -y install flightctl-agent-0.7.2-1.el9fc  && \
    dnf -y clean all && \
    systemctl enable flightctl-agent.service && \
    systemctl mask bootc-fetch-apply-updates.timer
    <required_os_version>
    The base image referenced in FROM is a bootable container (bootc) image that already has a Linux kernel. You can reuse existing standard container build tools and workflows.
    systemctl mask bootc-fetch-apply-updates.timer

    This part of the RUN command disables the default automatic updates. The updates are managed by the Red Hat Edge Manager.

    Important

    If your device relies on containers from a private repository, you must place the device pull secret in the /etc/ostree/auth.json path. The pull secret must exist on the device before the secret can be consumed.
    • Optional: To enable podman-compose application support, add the following section to the Containerfile file: 
      RUN dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm && \
    dnf -y install podman-compose && \
    dnf -y clean all && \
    systemctl enable podman.service
    • Optional: If you created the config.yaml for early binding, add the following section to the Containerfile:
    ADD config.yaml /etc/flightctl/

    For more information, see Optional: Requesting an enrollment certificate for early binding.

  3. Define the Open Container Initiative (OCI) registry by running the following command: 
    OCI_REGISTRY=registry.redhat.io
  4. Define the image repository that you have permissions to write to by running the following command: 
    OCI_IMAGE_REPO=${OCI_REGISTRY}/<your_org>/<your_image>
  5. Define the image tag by running the following command: 
    OCI_IMAGE_TAG=v1
  6. Build the operating system image for your target platform: 
    sudo podman build -t ${OCI_IMAGE_REPO}:${OCI_IMAGE_TAG} .

Sign and publish the bootc operating system image by using Sigstore
Copy link

To sign the bootc operating system image by using Sigstore, complete the following steps:

About this task
Copy link

Procedure
Copy link

  1. Generate a Sigstore key pair named signingkey.pub and signingkey.private: 
    skopeo generate-sigstore-key --output-prefix signingkey
  2. Configure container tools such as Podman and Skopeo to upload Sigstore signatures together with your signed image to your OCI registry: 
    sudo tee "/etc/containers/registries.d/${OCI_REGISTRY}.yaml" > /dev/null <<EOF
docker:
    ${OCI_REGISTRY}:
        use-sigstore-attachments: true
EOF
  3. Log in to your OCI registry by running the following command: 
    sudo podman login ${OCI_REGISTRY}
  4. Sign and publish the operating system image by running the following command: 
    sudo podman push \
    --sign-by-sigstore-private-key ./signingkey.private \
    ${OCI_IMAGE_REPO}:${OCI_IMAGE_TAG}

Build the operating system disk image
Copy link

Build the operating system disk image that has the file system for your devices.

About this task
Copy link

Procedure
Copy link

  1. Create a directory called output by running the following command: 
    mkdir -p output
  2. Use bootc-image-builder to generate an operating system disk image of type iso from your operating system image by running the following command: 
    sudo podman run --rm -it --privileged --pull=newer \
    --security-opt label=type:unconfined_t \
    -v "${PWD}/output":/output \
    -v /var/lib/containers/storage:/var/lib/containers/storage \
    registry.redhat.io/rhel9/bootc-image-builder:latest \
    --type iso \
    ${OCI_IMAGE_REPO}:${OCI_IMAGE_TAG}

Results
Copy link

When the bootc-image-builder completes, you can find the ISO disk image at the ${PWD}/output/bootiso/install.iso path.

Optional: Sign and publish the operating system disk image to an Open Container Initiative registry
Copy link

Sign and publish disk images to your Open Container Initiative (OCI) registry. Optionally compress them as OCI artifacts for unified distribution with bootc images. To publish an ISO, use a repository named after your bootc image with /diskimage-iso appended.

Before you begin
Copy link

Sign and publish your disk image to your OCI registry by completing the following steps:

About this task
Copy link

Procedure
Copy link

  1. Change the owner of the directory where the ISO disk image is located from root to your current user by running the following command: 
    sudo chown -R $(whoami):$(whoami) "${PWD}/output"
  2. Define the OCI_DISK_IMAGE_REPO environmental variable to be the same repository as your bootc image with /diskimage-iso appended by running the following command: 
    OCI_DISK_IMAGE_REPO=${OCI_IMAGE_REPO}/diskimage-iso
  3. Create a manifest list by running the following command: 
    sudo podman manifest create \
    ${OCI_DISK_IMAGE_REPO}:${OCI_IMAGE_TAG}
  4. Add the ISO disk image to the manifest list as an OCI artifact by running the following command: 
    sudo podman manifest add \
    --artifact --artifact-type application/vnd.diskimage.iso \
    --arch=amd64 --os=linux \
    ${OCI_DISK_IMAGE_REPO}:${OCI_IMAGE_TAG} \
    "${PWD}/output/bootiso/install.iso"
  5. Sign the manifest list with your private Sigstore key and push the image to the registry by running the following command: 
    sudo podman manifest push --all \
     --sign-by-sigstore-private-key ./signingkey.private \
    ${OCI_DISK_IMAGE_REPO}:${OCI_IMAGE_TAG} \
    docker://${OCI_DISK_IMAGE_REPO}:${OCI_IMAGE_TAG}

Additional resources
Copy link

Access supplementary documentation for detailed guidance on building Red Hat Edge Manager operating system images for different target platforms, including how to configure container pull secrets.