Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 1. Embedding in a RHEL for Edge image using image builder

Use this guide to build a RHEL image containing MicroShift.

1.1. Preparing for image building
Copy link

Use the image builder tool to compose customized Red Hat Enterprise Linux for Edge (RHEL for Edge) images optimized for edge deployments. You can run a MicroShift node with your applications on a RHEL for Edge virtual machine for development and testing first, then use your whole solution in edge production environments.

Use the following RHEL documentation to understand the full details of using RHEL for Edge:

If you have an extended support (EUS) release of MicroShift or Red Hat Enterprise Linux (RHEL), you must enable the RHEL EUS repositories for image builder to use. If you do not have an EUS version, you can skip these steps.

Prerequisites

Warning

Keeping component versions in a supported configuration of Red Hat Device Edge can require updating MicroShift and RHEL at the same time. Ensure that your version of RHEL is compatible with the version of MicroShift you are updating to, especially if you are updating MicroShift across two minor versions. Otherwise, you can create an unsupported configuration, break your node, or both. For more information, see the Red Hat Device Edge release compatibility matrix.

Procedure

  1. Create the /etc/osbuild-composer/repositories directory by running the following command: 

    $ sudo mkdir -p /etc/osbuild-composer/repositories
    Copy to Clipboard Toggle word wrap

  2. Copy the /usr/share/osbuild-composer/repositories/rhel-9.4.json file into the /etc/osbuild-composer/repositories directory by running the following command: 

    $ sudo cp /usr/share/osbuild-composer/repositories/rhel-9.4.json /etc/osbuild-composer/repositories/rhel-9.4.json
    Copy to Clipboard Toggle word wrap

  3. Update the baseos source by modifying the /etc/osbuild-composer/repositories/rhel-9.4.json file with the following values: 

    # ...
"baseurl": "https://cdn.redhat.com/content/eus/rhel<9>/<9.4>//baseos/os",
    1 
    
# ...
    Copy to Clipboard Toggle word wrap
    1
    Replace <9> with the major RHEL version you are using, and replace <9.4> with the <major.minor> version. Be certain that the RHEL version you choose is compatible with the MicroShift version you are using.

  4. Optional. Apply the baseos update by running the following command: 

    $ sudo sed -i "s,dist/rhel<9>/<9.4>/$(uname -m)/baseos/,eus/rhel<9>/<9.4>/$(uname -m)/baseos/,g" \
/etc/osbuild-composer/repositories/rhel-<9.4>.json
    1
    Copy to Clipboard Toggle word wrap
    1
    Replace <9> with the major RHEL version you are using, and replace <9.4> with the <major.minor> version. Be certain that the RHEL version you choose is compatible with the MicroShift version you are using.

  5. Update the appstream source by modifying the /etc/osbuild-composer/repositories/rhel-<major.minor>.json file with the following values: 

    # ...
"baseurl": "https://cdn.redhat.com/content/eus/rhel<9>/<9.4>//appstream/os",
    1 
    
# ...
    Copy to Clipboard Toggle word wrap
    1
    Replace <9> with the major RHEL version you are using, and replace <9.4> with the <major.minor> version. Be certain that the RHEL version you choose is compatible with the MicroShift version you are using.

  6. Optional. Apply the appstream update by running the following command: 

    $ sudo sed -i "s,dist/rhel<9>/<9.4>/$(uname -m)/appstream/,eus/rhel<9>/<9.4>/$(uname -m)/appstream/,g" \
/etc/osbuild-composer/repositories/rhel-<9.4>.json
    1
    Copy to Clipboard Toggle word wrap
    1
    Replace <9> with the major RHEL version you are using, and replace <9.4> with the <major.minor> version. Be certain that the RHEL version you choose is compatible with the MicroShift version you are using.

Verification

You can verify the repositories by using the composer-cli tool to display information about the source.

  1. Verify the baseos source by running the following command: 

    $ sudo composer-cli sources info baseos | grep 'url ='
    Copy to Clipboard Toggle word wrap

    Example output

    url = "https://cdn.redhat.com/content/eus/rhel9/9.4/x86_64/baseos/os"
    Copy to Clipboard Toggle word wrap

  2. Verify the appstream source by running the following command: 

    $ sudo composer-cli sources info appstream | grep 'url ='
    Copy to Clipboard Toggle word wrap

    Example output

    url = "https://cdn.redhat.com/content/eus/rhel9/9.4/x86_64/appstream/os"
    Copy to Clipboard Toggle word wrap

Use the following procedure to add the MicroShift repositories to image builder on your build host.

Prerequisites

  • Your build host meets the image builder system requirements.
  • You have installed and set up image builder and the composer-cli tool.
  • You have root-user access to your build host.

Procedure

  1. Create an image builder configuration file for adding the rhocp-4.18 RPM repository source required to pull MicroShift RPMs by running the following command: 

    cat > rhocp-4.18.toml <<EOF
id = "rhocp-4.18"
name = "Red Hat OpenShift Container Platform 4.18 for RHEL 9"
type = "yum-baseurl"
url = "https://cdn.redhat.com/content/dist/layered/rhel9/$(uname -m)/rhocp/4.18/os"
check_gpg = true
check_ssl = true
system = false
rhsm = true
EOF
    Copy to Clipboard Toggle word wrap

  2. Create an image builder configuration file for adding the fast-datapath RPM repository by running the following command: 

    cat > fast-datapath.toml <<EOF
id = "fast-datapath"
name = "Fast Datapath for RHEL 9"
type = "yum-baseurl"
url = "https://cdn.redhat.com/content/dist/layered/rhel9/$(uname -m)/fast-datapath/os"
check_gpg = true
check_ssl = true
system = false
rhsm = true
EOF
    Copy to Clipboard Toggle word wrap

  3. Add the sources to the image builder by running the following commands: 

    $ sudo composer-cli sources add rhocp-4.18.toml
    Copy to Clipboard Toggle word wrap 
    $ sudo composer-cli sources add fast-datapath.toml
    Copy to Clipboard Toggle word wrap

Verification

  • Confirm that the sources were added properly by running the following command: 

    $ sudo composer-cli sources list
    Copy to Clipboard Toggle word wrap

    Example output

    appstream
baseos
fast-datapath
rhocp-4.18
    Copy to Clipboard Toggle word wrap

1.4. Adding the MicroShift service to a blueprint
Copy link

Adding the MicroShift RPM package to an image builder blueprint enables the build of a RHEL for Edge image with MicroShift embedded.

Procedure

  1. Use the blueprint installed in the /usr/share/microshift/blueprint directory that is specific to your platform architecture. See the following example snippet for an explanation of the blueprint sections:

    Generated image builder blueprint example snippet

    name = "microshift_blueprint"
description = "MicroShift 4.18.1 on x86_64 platform"
version = "0.0.1"
modules = []
groups = []

[[packages]]
    1 
    
name = "microshift"
version = "4.18.1"
...
...

[customizations.services]
    2 
    
enabled = ["microshift"]

[customizations.firewall]
ports = ["ssh"]
...
...

[[containers]]
    3 
    
source = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:f41e79c17e8b41f1b0a5a32c3e2dd7cd15b8274554d3f1ba12b2598a347475f4"

[[containers]]
source = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:dbc65f1fba7d92b36cf7514cd130fe83a9bd211005ddb23a8dc479e0eea645fd"
...
…
EOF
    Copy to Clipboard Toggle word wrap

    1
    References for all non-optional MicroShift RPM packages using the same version compatible with the microshift-release-info RPM.
    2
    References for automatically enabling MicroShift on system startup and applying default networking settings.
    3
    References for all non-optional MicroShift container images necessary for an offline deployment. The SHA depends on the release you are using.

  2. Add the blueprint to the image builder by running the following command: 

    $ sudo composer-cli blueprints push microshift_blueprint.toml
    Copy to Clipboard Toggle word wrap

Verification

  1. Verify the image builder configuration listing only MicroShift packages by running the following command: 

    $ sudo composer-cli blueprints depsolve microshift_blueprint | grep microshift
    Copy to Clipboard Toggle word wrap

    Example output

    blueprint: microshift_blueprint v0.0.1
    microshift-release-info-4.18.1-202511250827.p0.g4105d3b.assembly.4.18.1.el9.noarch
    microshift-4.18.1-202511250827.p0.g4105d3b.assembly.4.18.1.el9.x86_64
    Copy to Clipboard Toggle word wrap

  2. Optional: Verify the image builder configuration that lists all of the components to be installed by running the following command: 

    $ sudo composer-cli blueprints depsolve microshift_blueprint
    Copy to Clipboard Toggle word wrap

1.5. Adding other packages to a blueprint
Copy link

Add the references for optional RPM packages to your ostree blueprint to enable them.

Prerequisites

  • You created an image builder blueprint file.

Procedure

  1. Edit your ostree blueprint by running the following command: 

    $ vi <microshift_blueprint.toml>
    1
    Copy to Clipboard Toggle word wrap
    1
    Replace <microshift_blueprint.toml> with the name of the blueprint file used for the MicroShift service.

  2. Add the following example text to your blueprint: 

    [[packages]]
    1 
    
name = "<microshift-additional-package-name>"
    2 
    
version = "*"
    Copy to Clipboard Toggle word wrap
    1
    Include one stanza for each additional service that you want to add.
    2
    Replace <microshift-additional-package-name> with the name the RPM for the service you want to include. For example, microshift-olm.

Next steps

  1. Add custom certificate authorities to the blueprint as needed.

  2. After you are done adding to your blueprint, you can apply the manifests to an active cluster by building a new ostree system and deploying it on the client:

    • Create the ISO.
    • Add the blueprint and build the ISO.
    • Download the ISO and prepare it for use.
    • Do any provisioning that is needed.

1.6. Adding a certificate authority bundle
Copy link

MicroShift uses the host trust bundle when clients evaluate server certificates. You can also use a customized security certificate chain to improve the compatibility of your endpoint certificates with clients specific to your deployments. To do this, you can add a certificate authority (CA) bundle with root and intermediate certificates to the Red Hat Enterprise Linux for Edge (RHEL for Edge) system-wide truststore.

You can include additional trusted certificate authorities (CAs) to the Red Hat Enterprise Linux for Edge (RHEL for Edge) rpm-ostree image by adding them to the blueprint that you use to create the image. Using the following procedure sets up additional CAs to be trusted by the operating system when pulling images from an image registry.

Note

This procedure requires you to configure the CA bundle customizations in the blueprint, and then add steps to your Kickstart file to enable the bundle. In the following steps, data is the key, and <value> represents the PEM-encoded certificate.

Prerequisites

  • You have root user access to your build host.
  • Your build host meets the image builder system requirements.
  • You have installed and set up image builder and the composer-cli tool.

Procedure

  1. Add the following custom values to your blueprint to add a directory.

    1. Add instructions to your blueprint on the host where the image is built to create the directory, for example, /etc/pki/ca-trust/source/anchors/ for your certificate bundles. 

      [[customizations.directories]]
path = "/etc/pki/ca-trust/source/anchors"
      Copy to Clipboard Toggle word wrap

    2. After the image has booted, create the certificate bundles, for example, /etc/pki/ca-trust/source/anchors/cert1.pem: 

      [[customizations.files]]
path = "/etc/pki/ca-trust/source/anchors/cert1.pem"
data = "<value>"
      Copy to Clipboard Toggle word wrap

  2. To enable the certificate bundle in the system-wide trust store configuration, use the update-ca-trust command on the host where the image you are using has booted, for example: 

    $ sudo update-ca-trust
    Copy to Clipboard Toggle word wrap
    Note

    The update-ca-trust command might be included in the %post section of a Kickstart file used for MicroShift host installation so that all the necessary certificate trust is enabled on the first boot. You must configure the CA bundle customizations in the blueprint before adding steps to your Kickstart file to enable the bundle. 

    %post
# Update certificate trust storage in case new certificates were
# installed at /etc/pki/ca-trust/source/anchors directory
update-ca-trust
%end
    Copy to Clipboard Toggle word wrap

Use the following procedure to create the ISO. The RHEL for Edge Installer image pulls the commit from the running container and creates an installable boot ISO with a Kickstart file configured to use the embedded rpm-ostree commit.

Prerequisites

  • Your build host meets the image builder system requirements.
  • You installed and set up image builder and the composer-cli tool.
  • You root-user access to your build host.
  • You installed the podman tool.

Procedure

  1. Start an ostree container image build by running the following command: 

    $ BUILDID=$(sudo composer-cli compose start-ostree --ref "rhel/{op-system-version-major}/$(uname -m)/edge" <microshift_blueprint> edge-container | awk '/^Compose/ {print $2}')
    1
    Copy to Clipboard Toggle word wrap
    1
    Replace <microshift_blueprint> with the name of your blueprint.

    This command also returns the identification (ID) of the build for monitoring.

  2. You can check the status of the build periodically by running the following command: 

    $ sudo composer-cli compose status
    Copy to Clipboard Toggle word wrap

    Example output of a running build

    ID                                     Status     Time                     Blueprint                 Version   Type               Size
cc3377ec-4643-4483-b0e7-6b0ad0ae6332   RUNNING    Wed Jun 7 12:26:23 2023  microshift_blueprint      0.0.1     edge-container
    Copy to Clipboard Toggle word wrap

    Example output of a completed build

    ID                                     Status     Time                      Blueprint              Version   Type               Size
cc3377ec-4643-4483-b0e7-6b0ad0ae6332   FINISHED   Wed Jun 7 12:32:37 2023   microshift_blueprint   0.0.1     edge-container
    Copy to Clipboard Toggle word wrap

    Note

    You can use the watch command to monitor your build if you are familiar with how to start and stop it.

  3. Download the container image using the ID and get the image ready for use by running the following command: 

    $ sudo composer-cli compose image ${BUILDID}
    Copy to Clipboard Toggle word wrap

  4. Change the ownership of the downloaded container image to the current user by running the following command: 

    $ sudo chown $(whoami). ${BUILDID}-container.tar
    Copy to Clipboard Toggle word wrap

  5. Add read permissions for the current user to the image by running the following command: 

    $ sudo chmod a+r ${BUILDID}-container.tar
    Copy to Clipboard Toggle word wrap

  6. Bootstrap a server on port 8085 for the ostree container image to be consumed by the ISO build by completing the following steps:

    1. Get the IMAGEID variable result by running the following command: 

      $ IMAGEID=$(cat < "./${BUILDID}-container.tar" | sudo podman load | grep -o -P '(?<=sha256[@:])[a-z0-9]*')
      Copy to Clipboard Toggle word wrap

    2. Use the IMAGEID variable result to execute the podman command step by running the following command: 

      $ sudo podman run -d --name=minimal-microshift-server -p 8085:8080 ${IMAGEID}
      Copy to Clipboard Toggle word wrap

      This command also returns the ID of the container saved in the IMAGEID variable for monitoring.

  7. Generate the installer blueprint file by running the following command: 

    cat > microshift-installer.toml <<EOF
name = "microshift-installer"

description = ""
version = "0.0.0"
modules = []
groups = []
packages = []
EOF
    Copy to Clipboard Toggle word wrap

  1. Add the blueprint to the image builder by running the following command: 

    $ sudo composer-cli blueprints push microshift-installer.toml
    Copy to Clipboard Toggle word wrap

  2. Start the ostree ISO build by running the following command: 

    $ BUILDID=$(sudo composer-cli compose start-ostree --url http://localhost:8085/repo/ --ref "rhel/9/$(uname -m)/edge" microshift-installer edge-installer | awk '{print $2}')
    Copy to Clipboard Toggle word wrap

    This command also returns the identification (ID) of the build for monitoring.

  3. You can check the status of the build periodically by running the following command: 

    $ sudo composer-cli compose status
    Copy to Clipboard Toggle word wrap

    Example output for a running build

    ID                                     Status     Time                      Blueprint              Version   Type               Size
c793c24f-ca2c-4c79-b5b7-ba36f5078e8d   RUNNING    Wed Jun 7 13:22:20 2023   microshift-installer   0.0.0     edge-installer
    Copy to Clipboard Toggle word wrap

    Example output for a completed build

    ID                                     Status     Time                      Blueprint              Version   Type               Size
c793c24f-ca2c-4c79-b5b7-ba36f5078e8d   FINISHED   Wed Jun 7 13:34:49 2023   microshift-installer   0.0.0     edge-installer
    Copy to Clipboard Toggle word wrap

1.9. Download the ISO and prepare it for use
Copy link

  1. Download the ISO using the ID by running the following command: 

    $ sudo composer-cli compose image ${BUILDID}
    Copy to Clipboard Toggle word wrap

  2. Change the ownership of the downloaded container image to the current user by running the following command: 

    $ sudo chown $(whoami). ${BUILDID}-installer.iso
    Copy to Clipboard Toggle word wrap

  3. Add read permissions for the current user to the image by running the following command: 

    $ sudo chmod a+r ${BUILDID}-installer.iso
    Copy to Clipboard Toggle word wrap

Next steps

  • Provision a virtual machine with a Kickstart file.

1.9.1. Embedding a Kickstart file in an ISO
Copy link

You can use the Kickstart file provided with MicroShift, or you can update an existing RHEL for Edge Installer (ISO) Kickstart file. When ready, embed the Kickstart file into the ISO. Your Kickstart file must include detailed instructions about how to create a user and how to fetch and deploy the RHEL for Edge image.

Prerequisites

  • You created a RHEL for Edge Installer (ISO) image containing your RHEL for Edge commit with MicroShift.
  • You have an existing Kickstart file ready for updating. You can use the microshift-starter.ks Kickstart file provided with the MicroShift RPMs.

Procedure

  1. In the main section of the Kickstart file, update the setup of the filesystem such that it contains an LVM volume group called rhel with at least 10GB system root. Leave free space for the LVMS CSI driver to use for storing the data for your workloads.

    Example Kickstart file snippet for configuring the filesystem

    # Partition disk such that it contains an LVM volume group called `rhel` with a
# 10GB+ system root but leaving free space for the LVMS CSI driver for storing data.
#
# For example, a 20GB disk would be partitioned in the following way:
#
# NAME          MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
# sda             8:0    0  20G  0 disk
# ├─sda1          8:1    0 200M  0 part /boot/efi
# ├─sda1          8:1    0 800M  0 part /boot
# └─sda2          8:2    0  19G  0 part
#  └─rhel-root  253:0    0  10G  0 lvm  /sysroot
#
ostreesetup --nogpg --osname=rhel --remote=edge \
--url=file:///run/install/repo/ostree/repo --ref=rhel/<RHEL VERSION NUMBER>/x86_64/edge
zerombr
clearpart --all --initlabel
part /boot/efi --fstype=efi --size=200
part /boot --fstype=xfs --asprimary --size=800
# Uncomment this line to add a SWAP partition of the recommended size
#part swap --fstype=swap --recommended
part pv.01 --grow
volgroup rhel pv.01
logvol / --vgname=rhel --fstype=xfs --size=10000 --name=root
# To add users, use a line such as the following
user --name=<YOUR_USER_NAME> \
--password=<YOUR_HASHED_PASSWORD> \
--iscrypted --groups=<YOUR_USER_GROUPS>
    Copy to Clipboard Toggle word wrap

  2. In the %post section of the Kickstart file, add your pull secret and the mandatory firewall rules.

    Example Kickstart file snippet for adding the pull secret and firewall rules

    %post --log=/var/log/anaconda/post-install.log --erroronfail

# Add the pull secret to CRI-O and set root user-only read/write permissions
cat > /etc/crio/openshift-pull-secret << EOF
YOUR_OPENSHIFT_PULL_SECRET_HERE
EOF
chmod 600 /etc/crio/openshift-pull-secret

# Configure the firewall with the mandatory rules for MicroShift
firewall-offline-cmd --zone=trusted --add-source=10.42.0.0/16
firewall-offline-cmd --zone=trusted --add-source=169.254.169.1

%end
    Copy to Clipboard Toggle word wrap

  3. Install the mkksiso tool by running the following command: 

    $ sudo yum install -y lorax
    Copy to Clipboard Toggle word wrap

  4. Update the ISO with your new Kickstart file by running the following command: 

    $ sudo mkksiso <your_kickstart>.ks <your_installer>.iso <updated_installer>.iso
    Copy to Clipboard Toggle word wrap

1.10. How to access the MicroShift node
Copy link

Access the MicroShift service by using the OpenShift CLI (oc).

  • You can access the node from either the same machine running the MicroShift service or from a remote location.
  • You can use this access to observe and administer workloads.
  • When using the following steps, choose the kubeconfig file that contains the hostname or IP address you want to connect to and place it in the relevant directory.

1.10.1. Accessing the MicroShift node locally
Copy link

Use the following procedure to access the MicroShift node locally by using a kubeconfig file.

Prerequisites

  • You have installed the oc binary.

Procedure

  1. Optional: to create a ~/.kube/ folder if your Red Hat Enterprise Linux (RHEL) machine does not have one, run the following command: 

    $ mkdir -p ~/.kube/
    Copy to Clipboard Toggle word wrap

  2. Copy the generated local access kubeconfig file to the ~/.kube/ directory by running the following command: 

    $ sudo cat /var/lib/microshift/resources/kubeadmin/kubeconfig > ~/.kube/config
    Copy to Clipboard Toggle word wrap

  3. Update the permissions on your ~/.kube/config file by running the following command: 

    $ chmod go-r ~/.kube/config
    Copy to Clipboard Toggle word wrap

Verification

  • Verify that MicroShift is running by entering the following command: 

    $ oc get all -A
    Copy to Clipboard Toggle word wrap

Use the following procedure to open the firewall so that a remote user can access the MicroShift service. You must complete this procedure before a workstation user can access the node remotely.

For this procedure, user@microshift is the user on the MicroShift host machine and is responsible for setting up that machine so that it can be accessed by a remote user on a separate workstation.

Prerequisites

  • You installed OpenShift CLI (oc).
  • Your account has cluster administration privileges.

Procedure

  • As user@microshift on the MicroShift host, open the firewall port for the Kubernetes API server (6443/tcp) by running the following command: 

    [user@microshift]$ sudo firewall-cmd --permanent --zone=public --add-port=6443/tcp && sudo firewall-cmd --reload
    Copy to Clipboard Toggle word wrap

Verification

  • As user@microshift, verify that MicroShift is running by entering the following command: 

    [user@microshift]$ oc get all -A
    Copy to Clipboard Toggle word wrap

1.10.3. Accessing the MicroShift node remotely
Copy link

Use the following procedure to access the MicroShift service from a remote location by using a kubeconfig file.

The user@workstation login is used to access the host machine remotely. The <user> value in the procedure is the name of the user that user@workstation logs in with to the MicroShift host.

Prerequisites

  • You installed OpenShift CLI (oc).
  • The user@microshift has opened the firewall from the local host.
  • You generated additional kubeconfig files.

Procedure

  1. As user@workstation, create a ~/.kube/ folder if your Red Hat Enterprise Linux (RHEL) machine does not have one by running the following command: 

    [user@workstation]$ mkdir -p ~/.kube/
    Copy to Clipboard Toggle word wrap

  2. As user@workstation, set a variable for the hostname of your MicroShift host by running the following command: 

    [user@workstation]$ MICROSHIFT_MACHINE=<name or IP address of MicroShift machine>
    Copy to Clipboard Toggle word wrap

  3. As user@workstation, copy the generated kubeconfig file that contains the hostname or IP address you want to connect to from the RHEL machine running MicroShift to your local machine by running the following command: 

    [user@workstation]$ ssh <user>@$MICROSHIFT_MACHINE "sudo cat /var/lib/microshift/resources/kubeadmin/$MICROSHIFT_MACHINE/kubeconfig" > ~/.kube/config
    1
    Copy to Clipboard Toggle word wrap
    1
    Replace <user> with your SSH login credentials.

  4. As user@workstation, update the permissions on your ~/.kube/config file by running the following command: 

    $ chmod go-r ~/.kube/config
    Copy to Clipboard Toggle word wrap

Verification

  • As user@workstation, verify that MicroShift is running by entering the following command: 

    [user@workstation]$ oc get all -A
    Copy to Clipboard Toggle word wrap
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat