Configure offline container development environment
Explore how to configure a secure, offline container development environment to work with Red Hat build of Podman Desktop.
Abstract
Preface
An air-gapped environment denotes a network security measure where machines are completely isolated from external networks. While this isolation provides maximum security against cyber threats to sensitive assets, it forces a fundamental shift in operations. The automated, network-dependent workflow is replaced by manual, multi-step processes relying on secured physical media for data transfer.
To set up Red Hat build of Podman Desktop offline, pre-fetch the required binaries from the identified sources and install them manually into the specified locations. These steps ensure the core components operate correctly without internet access.
Chapter 1. The air-gapped environment and its impact
An air-gapped environment is a computer system or network that is physically or logically disconnected from all external networks, specifically the internet. Its primary purpose is to provide the highest possible security for highly sensitive data and critical infrastructure. This offline, secure environment eliminates digital entry points for hackers, malware, or other cyber threats.
1.1. Impact on workflow
Red Hat build of Podman Desktop simplifies local container development, which relies heavily on pulling resources from the internet. In an air-gapped environment, the entire workflow shifts from an online, automated process to a manual, pre-fetched, and controlled one. The isolation from external networks makes the air-gapped environment much less convenient to operate. The following table highlights the impact of such an environment on the workflow of Red Hat build of Podman Desktop:
| Core workflow area | Online or automated (Default) | Air-gapped (Manual process) |
|---|---|---|
| Installation and dependencies (For example, Kind or Docker Compose binaries for Windows or macOS) | Automatic downloading of all required components and binaries. | Manual pre-fetching: You must download all the executable files externally, transfer them through secured removable media, and install them manually. |
| Container image management (For example, pulling images) | Direct pulling of images from internet registries, such as Docker Hub or Quay. | Manual load or import: Use an internet-connected machine to fetch the required images and save them as |
| Updates and security patches (For example, Red Hat build of Podman Desktop, Kind, or Docker Compose upgrade) | Automatic checks and seamless updates. | Manual patching: You must fetch, transfer, and install application-related updates manually. |
In an air-gapped environment, you can implement high-level security at the cost of speed and convenience, turning instant network actions into secure, multistep manual procedures.
Chapter 2. Set up an air-gapped environment
You can set up the components of Red Hat build of Podman Desktop in a secure, air-gapped environment. The core challenge is mitigating the application’s reliance on automatic online downloads. You must manually download required components, such as Kind or Docker Compose binaries, from official GitHub release pages by using an internet-connected machine. You must securely transfer the downloaded components to the air-gapped environment and install them by running each component installer. You must place supporting binaries in directories that the system’s Path variable recognizes, such as /usr/local/bin/ or a custom Windows directory, so that Red Hat build of Podman Desktop can find and run the components. This manual approach ensures the container development environment is fully operational despite the lack of external network connectivity.
| Component | Platform | Download Source (URL to fetch binary) | Installation location on air-gapped machine |
|---|---|---|---|
| Kind | Linux (AMD64) | Kind GitHub releases: Download the | Location:<br>Make the file executable with this command: |
| | macOS (Intel/ARM64) | Kind GitHub releases: Download the appropriate | Location:<br>Make the file executable with this command: |
| | Windows (AMD64) | Kind GitHub releases: Download the | Location: Any directory in your system’s<br>Ensure the directory is added to your Windows |
| Docker Compose (V2 plugin) | Linux (AMD64) | Docker Compose GitHub releases: Download the appropriate | Location (recommended plugin path):<br>Create the |
| | macOS (Intel/ARM64) | Docker Compose GitHub releases: Download the appropriate | Location (recommended plugin path):<br>Create the |
| | Windows (AMD64) | Docker Compose GitHub releases: Download the appropriate | Location: Any directory in your system’s<br>Rename the downloaded file to |
| Bootable Containers ( | Linux (AMD64) | | Requires pre-loading a builder container image, such as |
| | macOS and Windows | The Bootable Containers extension provides the functionality to package an operating system into a single container image. Red Hat registry: Synchronize the | No host binary is required for macOS and Windows. The tooling runs inside the Podman machine VM. Ensure the Podman machine is in rootful mode. |
| Red Hat OpenShift Local | All platforms | Red Hat Customer Portal: Download the Red Hat OpenShift Local bundle. | Location: Extract the downloaded bundle to a working directory, for example,<br>The installation procedure requires the |
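The manual transfer described above is the point where a corrupted or swapped file can enter the air-gapped machine, so the following added example (not part of the Red Hat documentation) records SHA-256 digests on the connected machine and checks them on the air-gapped machine before a binary is installed. The function names, the `SHA256SUMS` file name, and the sample paths are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: digest manifest for files carried across the air gap.
# Covers a flat staging directory; entries other than regular files are rejected.

_sha256() {  # sha256sum on Linux, shasum on macOS
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"
  else shasum -a 256 "$@"; fi
}

# Connected machine: write SHA256SUMS covering every file in <staging_dir>.
make_manifest() {
  ( cd "$1" || exit 1
    for f in *; do
      case "$f" in SHA256SUMS|SHA256SUMS.tmp) continue ;; esac
      [ -f "$f" ] || { echo "not a regular file: $f" >&2; exit 1; }
      _sha256 "./$f" || exit 1
    done > SHA256SUMS.tmp || exit 1
    mv SHA256SUMS.tmp SHA256SUMS )
}

# Air-gapped machine: every listed digest must match, and every file on the
# media must be listed (a file added after staging fails the check).
verify_manifest() {
  ( cd "$1" || exit 1
    [ -s SHA256SUMS ] || { echo "manifest missing or empty" >&2; exit 1; }
    _sha256 -c SHA256SUMS >&2 || exit 1
    for f in *; do
      [ "$f" = SHA256SUMS ] && continue
      [ -f "$f" ] || { echo "not a regular file: $f" >&2; exit 1; }
      # Manifest lines are 64 hex digits, a 2-character separator, then the name.
      awk -v n="./$f" 'substr($0, 67) == n { ok = 1 } END { exit !ok }' SHA256SUMS \
        || { echo "not in manifest: $f" >&2; exit 1; }
    done )
}

# Verify the whole set, then copy one binary into <dest_dir> with the
# executable bit set. Constructed sample call:
#   install_verified /mnt/media kind-linux-amd64 /usr/local/bin
install_verified() {  # <media_dir> <file> <dest_dir>
  verify_manifest "$1" || return 1
  install -m 0755 "$1/$2" "$3/$2"
}
```

A manifest that travels on the same media detects corruption and stray files only. To detect deliberate tampering, compare the manifest's own digest over a separate channel or sign it.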
2.1. Download the bootc image builder on Linux
The Bootable Containers extension supports offline workflows by leveraging pre-cached container images. To build disk images offline, you must first pull the required images and build the bootc container while online. Once these local artifacts are prepared, you can use the extension to generate disk images entirely offline. Supported formats include .qcow2, .raw, .vmdk, and others.
Prerequisites
- You have registered your Red Hat account to access a no-cost subscription.
- You have logged in to the Red Hat registry.
Procedure
1. Use an internet-connected machine to pull the appropriate `bootc-image-builder` image:

   ```
   podman pull registry.redhat.io/<rhel_version>/bootc-image-builder:<version_tag>
   ```

   where:

   - `<rhel_version>`: Specifies the version of Red Hat Enterprise Linux (RHEL) that the image builder tool is based on. Replace this with a value, such as `rhel9` or `rhel10`.
   - `<version_tag>`: Refers to the specific release version or lifecycle tag of the image builder tool. Replace this with a value, such as `10.1` or `9.7`.

2. Pull the base `bootc` image you plan to use in your `Containerfile`:

   ```
   podman pull registry.redhat.io/<rhel_version>/rhel-bootc:latest
   ```

   where:

   - `<rhel_version>`: Specifies the version of RHEL you want to use as your base operating system. Replace this with a value, such as `rhel9` or `rhel10`.

3. Build your `bootc` container image from your `Containerfile`.
4. Connect to your air-gapped machine.
5. Use the `bootc` extension to build disk images in the required format.