Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Installing with image mode for RHEL

Red Hat build of MicroShift 4.19

Embedding MicroShift in a bootc image

Red Hat OpenShift Documentation Team

Abstract

You can embed MicroShift into a bootc image by using image mode for Red Hat Enterprise Linux (RHEL). Bootc stands for bootable container, and the image includes the kernel, bootloader, and other items typically excluded from application containers.

You can embed MicroShift into an operating system image using image mode for Red Hat Enterprise Linux (RHEL).

By using image mode for RHEL, you can use the same tools and techniques for the operating system that you use with application containers. Image mode for RHEL is a deployment method that uses a container-native approach to build, deploy, and manage the operating system as a rhel-bootc image.

  • This container image uses standard OCI or Docker containers as a transport and delivery format for base operating system updates.
  • A bootc image includes a Linux kernel that is used to start the operating system.
  • By using bootc containers, developers, operations administrators, and solution providers can all use the same container-native tools and techniques.

Image mode for RHEL splits the creation and installation of software changes into two steps: one on a build system and one on a running target system.

  • In the build-system step, a Podman build inspects the RPM files available for installation, determines any dependencies, and creates an ordered list of chained steps to complete. Along with any other system configuration steps taking place, the end result is a new operating system available to install.
  • In the running-target-system step, a bootc update downloads, unpacks, and prepares the new operating system to be started alongside the currently running system. Local configuration changes are carried forward to the new operating system. These changes take effect only when the system is restarted and the new operating system image replaces the previously running one.

1.2. Preparing for bootc image building
Copy link

Use the image builder tool to compose customized MicroShift bootc images optimized for edge deployments. You can run a MicroShift node with your applications on a image mode for RHEL virtual machine for development and testing first, then use your whole solution in edge production environments.

Use the following RHEL documentation to understand the full details of using image mode for RHEL:

Warning

For offline or disconnected configurations, embed all container image dependencies as part of the system image. When container images are downloaded without being embedded into the system image, CRI-O wipes them off during unclean shutdowns, such as when a power loss occurs. In this case, you can only restore those container images when the system is online.

1.3. Additional resources
Copy link

MicroShift is built and published as image mode containers. When installing a Red Hat Enterprise Linux (RHEL) bootable container image with MicroShift, use either a prebuilt bootable container image or build your own custom bootable container image.

Before you use image mode for RHEL, ensure that the following resources are available:

  • A RHEL 9.6 host with an active Red Hat subscription for building MicroShift bootc images.
  • A remote registry for storing and accessing rhel-bootc images.
  • An AArch64 or x86_64 system architecture.

The workflow for using image mode for RHEL with MicroShift includes the following steps:

  1. Find and use a prebuilt MicroShift container image to install RHEL.
  2. If the prebuilt MicroShift container image requires customization, build a custom MicroShift container image.
  3. Run the container image.
Important

The rpm-ostree file system used by RHEL for Edge is not supported in image mode for RHEL. Do not use the rpm-ostree file system to modify deployments that use image mode for RHEL.

2.2. Get or build your bootc image
Copy link

Either get an existing bootc image or create one, then you can publish that image to a remote registry for use.

You can use the MicroShift container images to install image mode for RHEL.

Prerequisites

  • You have an x86_64 or AArch64 platform.
  • You have access to the registry.redhat.io registry.

Procedure

  1. Navigate to the Red Hat Ecosystem Catalog.
  2. Search for the MicroShift container image by using the microshift-bootc keyword.
  3. Open the container image page of the MicroShift container image.
  4. Select the Get this image tab to view instructions for downloading the image.

  5. Get access to the latest image on x86_64 and AArch64 platforms by logging into the registry using the following command: 

    $ sudo podman login registry.redhat.io
    Copy to Clipboard Toggle word wrap

  6. Download the bootc image by running the following command: 

    $ podman pull registry.redhat.io/openshift4/microshift-bootc-rhel9:v4.19
    Copy to Clipboard Toggle word wrap

2.2.2. Building the bootc image
Copy link

Build your Red Hat Enterprise Linux (RHEL) that contains MicroShift as a bootable container image by using a Containerfile.

Prerequisites

  • A RHEL 9.6 host with an active Red Hat subscription for building MicroShift bootc images and running containers.
  • You logged into the RHEL 9.6 host by using the user credentials that have sudo permissions.
  • The rhocp and fast-datapath repositories are accessible in the host subscription. The repositories do not necessarily need to be enabled on the host.
  • You have a remote registry such as {quay} for storing and accessing bootc images.
  • You used the dnf install -y container-tools command to install the container-tools meta-package on the host. The meta-package contains all container tools, such as Podman, Buildah, and Skopeo for additional support and troubleshooting. These tools are required for obtaining assistance from Red Hat Support when you are building and installing the image.

Procedure

  1. Create a Containerfile that includes the following instructions:

    Example Containerfile for RHEL image mode

    FROM registry.redhat.io/rhel9/rhel-bootc:9.6

ARG USHIFT_VER=4.19
RUN dnf config-manager \
        --set-enabled rhocp-${USHIFT_VER}-for-rhel-9-$(uname -m)-rpms \
        --set-enabled fast-datapath-for-rhel-9-$(uname -m)-rpms
RUN dnf install -y firewalld microshift && \
    systemctl enable microshift && \
    dnf clean all

# Create a default 'redhat' user with the specified password.
# Add it to the 'wheel' group to allow for running sudo commands.
ARG USER_PASSWD
RUN if [ -z "${USER_PASSWD}" ] ; then \
        echo USER_PASSWD is a mandatory build argument && exit 1 ; \
    fi
RUN useradd -m -d /var/home/redhat -G wheel redhat && \
    echo "redhat:${USER_PASSWD}" | chpasswd

# Mandatory firewall configuration
RUN firewall-offline-cmd --zone=public --add-port=22/tcp && \
    firewall-offline-cmd --zone=trusted --add-source=10.42.0.0/16 && \
    firewall-offline-cmd --zone=trusted --add-source=169.254.169.1

# Create a systemd unit to recursively make the root filesystem subtree
# shared as required by OVN images
RUN cat > /etc/systemd/system/microshift-make-rshared.service <<'EOF'
[Unit]
Description=Make root filesystem shared
Before=microshift.service
ConditionVirtualization=container
[Service]
Type=oneshot
ExecStart=/usr/bin/mount --make-rshared /
[Install]
WantedBy=multi-user.target
EOF
RUN systemctl enable microshift-make-rshared.service
    Copy to Clipboard Toggle word wrap

Podman uses the host subscription information and repositories inside the container when building the container image. If the rhocp and fast-datapath repositories are not available on the host, the build fails.

  1. Set the PULL_SECRET environment variable: 

    $ PULL_SECRET=~/.pull-secret.json
    Copy to Clipboard Toggle word wrap

  2. Configure the USER_PASSWD environment variable: 

    $ USER_PASSWD=<redhat_user_password>
    1
    Copy to Clipboard Toggle word wrap
    1
    Replace <redhat_user_password> with your password.

  3. Configure the IMAGE_NAME environment variable: 

    $ IMAGE_NAME=microshift-4.19-bootc
    Copy to Clipboard Toggle word wrap

  4. Create a local bootc image by running the following image build command: 

    $ sudo podman build --authfile "${PULL_SECRET}" -t "${IMAGE_NAME}" \
    --build-arg USER_PASSWD="${USER_PASSWD}" \
    -f Containerfile
    Copy to Clipboard Toggle word wrap
    Important

    How secrets are used during the image build:

    • The podman --authfile argument is required to pull the base rhel-bootc:9.6 image from the registry.redhat.io registry.
    • The build USER_PASSWD argument is used to set a password for the redhat user.

Verification

  1. Verify that the local MicroShift bootc image was created by running the following command: 

    $ sudo podman images "${IMAGE_NAME}"
    Copy to Clipboard Toggle word wrap

    Example output

    REPOSITORY                       TAG         IMAGE ID      CREATED        SIZE
localhost/microshift-4.19-bootc  latest      193425283c00  2 minutes ago  2.31 GB
    Copy to Clipboard Toggle word wrap

Publish your bootc image to the remote registry so that the image can be used for running the container on another host, or for when you want to install a new operating system with the bootc image layer.

Prerequisites

  • You are logged in to the RHEL 9.6 host where the image was built using the user credentials that have sudo permissions.
  • You have a remote registry such as {quay} for storing and accessing bootc images.
  • You created the Containerfile and built the image.

Procedure

  1. Set the REGISTRY_URL variable for the image by running the following command: 

    $ REGISTRY_URL=<quay.io>
    1
    Copy to Clipboard Toggle word wrap
    1
    Replace <quay.io> with the URL for your image registry.

  2. Log in to your remote registry by running the following command: 

    $ sudo podman login "${REGISTRY_URL}"
    Copy to Clipboard Toggle word wrap

  3. Set the IMAGE_NAME variable for the image by running the following command: 

    $ IMAGE_NAME=<microshift-4.19-bootc>
    1
    Copy to Clipboard Toggle word wrap
    1
    Replace <microshift-4.19-bootc> with the name of the image you want to publish.

  4. Set the REGISTRY_IMG variable for the image by running the following command: 

    $ REGISTRY_IMG=<myorg/mypath>/"${IMAGE_NAME}"
    1
    Copy to Clipboard Toggle word wrap
    1
    Replace <myorg/mypath> with your remote registry organization name and path.

  5. Publish the image by running the following command: 

    $ sudo podman push localhost/"${IMAGE_NAME}" "${REGISTRY_URL}/${REGISTRY_IMG}"
    Copy to Clipboard Toggle word wrap

Verification

  1. Run the container using the image you pushed to your registry as described in the "Running the MicroShift bootc container" section.

Use the bootable container image as an installation source to set up a Red Hat Enterprise Linux (RHEL) virtual machine.

3.1. Creating the Kickstart file
Copy link

You must create the Kickstart file to use during installation.

Prerequisites

  • You have root-user access.
  • You are logged in to the physical hypervisor host.

Procedure

  1. Set the AUTH_CONFIG environment variable to reference the secret file in the kickstart.ks file to authenticate private container registry access by running the following command: 

    $ AUTH_CONFIG=~/.quay-auth.json
    Copy to Clipboard Toggle word wrap

  2. Set the PULL_SECRET environment variable to reference the secret files in the kickstart.ks file to authenticate the OpenShift Container Platform registry access by running the following command: 

    $ PULL_SECRET=~/.pull-secret.json
    Copy to Clipboard Toggle word wrap

  3. Set the IMAGE_REF environment variable to reference the image mode for your container image to use during installation by running the following command: 

    $ IMAGE_REF="quay.io/<myorg>/<mypath>/microshift-4.19-bootc"
    1
    Copy to Clipboard Toggle word wrap
    1
    Replace <myorg/<mypath> with your remote registry organization name and path.

  4. Create the kickstart.ks file to use during installation by running the following script: 

    $ cat > kickstart.ks <<EOFKS
lang en_US.UTF-8
keyboard us
timezone UTC
text
reboot

# Partition the disk with hardware-specific boot and swap partitions, adding an
# LVM volume that contains a 10GB+ system root. The remainder of the volume will
# be used by the CSI driver for storing data.
zerombr
clearpart --all --initlabel
# Create boot and swap partitions as required by the current hardware platform
reqpart --add-boot
# Add an LVM volume group and allocate a system root logical volume
part pv.01 --grow
volgroup rhel pv.01
logvol / --vgname=rhel --fstype=xfs --size=10240 --name=root

# Lock root user account
rootpw --lock

# Configure network to use DHCP and activate on boot
network --bootproto=dhcp --device=link --activate --onboot=on

%pre-install --log=/dev/console --erroronfail

# Create a 'bootc' image registry authentication file
mkdir -p /etc/ostree
cat > /etc/ostree/auth.json <<'EOF'
$(cat "${AUTH_CONFIG}")
EOF

%end

# Pull a 'bootc' image from a remote registry
ostreecontainer --url "${IMAGE_REF}"

%post --log=/dev/console --erroronfail

# Create an OpenShift pull secret file
cat > /etc/crio/openshift-pull-secret <<'EOF'
$(cat "${PULL_SECRET}")
EOF
chmod 600 /etc/crio/openshift-pull-secret

%end
EOFKS
    Copy to Clipboard Toggle word wrap

3.2. Creating a virtual machine
Copy link

You can create a virtual machine by using the Red Hat Enterprise Linux (RHEL) boot ISO image.

Prerequisites

  • You created the Kickstart file.
  • You installed the OpenShift CLI (oc).
  • You have redhat credentials.

Procedure

  1. Download the Red Hat Enterprise Linux (RHEL) boot ISO image from the Download Red Hat Enterprise Linux.
  2. Copy the downloaded file to the /var/lib/libvirt/images directory.

  3. Configure the VMNAME environment variable with your value by running the following command: 

    $ VMNAME=microshift-4.19-bootc
    Copy to Clipboard Toggle word wrap

  4. Configure the NETNAME environment variable with your value by running the following command: 

    $ NETNAME=default
    Copy to Clipboard Toggle word wrap

  5. Create a RHEL virtual machine with 2 cores, 2GB of RAM and 20GB of storage by running the following command: 

    $ sudo virt-install \
    --name ${VMNAME} \
    --vcpus 2 \
    --memory 2048 \
    --disk path=/var/lib/libvirt/images/${VMNAME}.qcow2,size=20 \
    --network network=${NETNAME},model=virtio \
    --events on_reboot=restart \
    --location /var/lib/libvirt/images/rhel-9.6-$(uname -m)-boot.iso \
    --initrd-inject kickstart.ks \
    --extra-args "inst.ks=file://kickstart.ks" \
    --wait
    Copy to Clipboard Toggle word wrap
    Note

    The sudo virt-install command uses the Kickstart file to pull a bootc image from the remote registry and install the RHEL operating system.

  6. Log in to the virtual machine by using your redhat credentials.

Verification

  1. Verify that all of the MicroShift pods are running without error by entering the following command: 

    $ watch sudo oc get pods -A \
    --kubeconfig /var/lib/microshift/resources/kubeadmin/kubeconfig
    Copy to Clipboard Toggle word wrap

    Example output

    NAMESPACE                  NAME                                       READY   STATUS    RESTARTS      AGE
kube-system                csi-snapshot-controller-7cfb9df49c-kc9dx   1/1     Running   0             31s
openshift-dns              dns-default-rpnlt                          2/2     Running   0             14s
openshift-dns              node-resolver-rxvdk                        1/1     Running   0             31s
openshift-ingress          router-default-69cd7b5545-7zcw7            1/1     Running   0             29s
openshift-ovn-kubernetes   ovnkube-master-c7hlh                       4/4     Running   1 (16s ago)   31s
openshift-ovn-kubernetes   ovnkube-node-mkpht                         1/1     Running   1 (17s ago)   31s
openshift-service-ca       service-ca-5d5d96459d-5pd5s                1/1     Running   0             28s
openshift-storage          topolvm-controller-677cbfcdb9-28dqr        5/5     Running   0             31s
openshift-storage          topolvm-node-6fzbl                         3/3     Running   0             14s
    Copy to Clipboard Toggle word wrap

If you need your bootc image to include everything required to run workloads, use physically-bound container images. Edge-computing scenarios involving embedded systems on specialized devices, high security, or high hardware control scenarios are likely candidates.

4.1. About physically bound bootc image building
Copy link

When a bootc image is fully self-contained, everything you need to run workloads is embedded with the bootc image, including MicroShift and application container images. The underlying mechanism is to pre-pull physically-bound images during image build and then make them available at runtime.

Because embedded images might change with each system update, you cannot pull the images directly to the default container storage. Additional image stores do not work in this case because of current implementation limits. These limits do not allow bootc image updates for those container images.

The manifest, layer tarballs, and signatures are exported as individual files into the directory. The dir transport type preserves the digest of the image, which is crucial for the original digest to reference the image.

Technical details to understand include the following items:

  • Each image goes into the same top-level directory, but a separate subdirectory.
  • Subdirectories are named after the image reference string SHA.
  • An image list file maps image references to their name SHA.
  • You must install the microshift-release-info RPM to get the image references required by MicroShift.
  • You must have image references for your workloads. Apply the same methods to workload image references that you use for MicroShift image references.
  • When you build the container, you must install the microshift-release-info RPM. The release-x86_64.json and release-aarch64.json files from this RPM reside in the /usr/share/microshift/release/ directory. These files contain image references required by MicroShift.
Important

You must keep track of the name of the image. A tag, digest, or a mix of both can reference images. Choosing the best way to reference the images you need can impact the quality and robustness of workloads.

4.2. Embedding container images into a bootc image
Copy link

First, you must add instructions to an existing Containerfile to copy the images you want and list them in a file to keep track of the copied image names. Then, you must copy images locally from the /usr/lib/containers/storage directory to the local container storage.

Important

You cannot store images in the default or additional container storage directory when you build bootc images. For example, if you update the additional container store setting in /etc/containers/storage.conf to point to the /usr/lib/containers/storage directory, bootc image updates fail.

Prerequisites

  • You have root access to the host.
  • You installed Podman.
  • You installed skopeo.
  • You have workload image references.
  • You have a Containerfile for building MicroShift images.

Procedure

  1. Add the pull secret to the container build procedure to ensure that images can be pulled by running the following command: 

    $ podman build --secret id=pullsecret,src=/<path/to/pull/secret>.json
    1
    Copy to Clipboard Toggle word wrap
    1
    Specify the path to your pull secret in <path/to/pull/secret>.

  2. Add the instructions to physically embed the image at build time by adding the following to your Containerfile: 

    ENV IMAGE_STORAGE_DIR=/usr/lib/containers/storage
ENV IMAGE_LIST_FILE=${IMAGE_STORAGE_DIR}/image-list.txt

RUN dnf install -y microshift-release-info
RUN --mount=type=secret,id=pullsecret,dst=/run/secrets/pull-secret.json \
    images="$(jq -r ".images[]" /usr/share/microshift/release/release-"$(uname -m)".json)" ; \
    mkdir -p "${IMAGE_STORAGE_DIR}" ; \
    for img in ${images} ; do \
        sha="$(echo "${img}" | sha256sum | awk '{print $1}')" ; \
        skopeo copy --all --preserve-digests \
            --authfile /run/secrets/pull-secret.json \
            "docker://${img}" "dir:$IMAGE_STORAGE_DIR/${sha}" ; \
        echo "${img},${sha}" >> "${IMAGE_LIST_FILE}" ; \
    done
    Copy to Clipboard Toggle word wrap

    When run, the Containerfile extracts the list of MicroShift container image dependencies from the microshift-release-info RPM and pulls them into a custom /usr/lib/containers/storage directory. The resulting image list file is saved at /usr/lib/containers/storage/image-list.txt.

  3. Next, you must copy container images from the custom directory to the main container storage directory so that they are available to MicroShift. Add a script and a systemd service to your Containerfile to copy the embedded images from the /usr/lib/containers/storage directory to the local container storage. Copying happens at runtime before each MicroShift start. Use the following example: 

    RUN cat > /usr/bin/microshift-copy-images <<EOF
#!/bin/bash
set -eux -o pipefail
while IFS="," read -r img sha ; do
    skopeo copy --preserve-digests \
        "dir:${IMAGE_STORAGE_DIR}/\${sha}" \
        "containers-storage:\${img}"
done < "${IMAGE_LIST_FILE}"
EOF

RUN chmod 755 /usr/bin/microshift-copy-images && \
    mkdir -p /usr/lib/systemd/system/microshift.service.d

RUN cat > /usr/lib/systemd/system/microshift.service.d/microshift-copy-images.conf <<EOF
[Service]
ExecStartPre=/usr/bin/microshift-copy-images
EOF
    Copy to Clipboard Toggle word wrap

Next steps

  1. Build the image.
  2. Test and deploy per your use case.

4.3. Additional resources
Copy link

Legal Notice
Copy link

Copyright © 2025 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat