Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 3. Configuring RHEL image builder repositories

To use RHEL image builder, you must ensure that the repositories are configured. You can use the following types of repositories in RHEL image builder:

Official repository overrides
Use these if you want to download base system RPMs from elsewhere than the Red Hat Content Delivery Network (CDN) official repositories, for example, a custom mirror in your network. Using official repository overrides disables the default repositories, and your custom mirror must contain all the necessary packages.
Custom third-party repositories
Use these to include packages that are not available in the official RHEL repositories.

You can add custom third-party sources to your repositories and manage these repositories by using the composer-cli.

Prerequisites

  • You have the URL of the custom third-party repository.

Procedure

  1. Create a repository source file, such as /root/repo.toml. For example: 

    id = "k8s"
name = "Kubernetes"
type = "yum-baseurl"
url = "https://server.example.com/repos/<company_internal_packages>/"
check_gpg = false
check_ssl = false
system = false
    Copy to Clipboard Toggle word wrap

    The type field accepts the following valid values: yum-baseurl, yum-mirrorlist, and yum-metalink.

  2. Save the file in the TOML format.

  3. Add the new third-party source to RHEL image builder: 

    $ composer-cli sources add <file_name>.toml
    Copy to Clipboard Toggle word wrap

Verification

  1. Check if the new source was successfully added: 

    $ composer-cli sources list
    Copy to Clipboard Toggle word wrap

  2. Check the new source content: 

    $ composer-cli sources info <source_id>
    Copy to Clipboard Toggle word wrap

You can specify a list of distributions in the custom third-party source file by using the optional field distro. The repository file uses the distribution string list while resolving dependencies during the image building.

Any request that specifies rhel-10.0 uses this source. For example, if you list packages and specify rhel-10.0, it includes this source. However, listing packages for the host distribution do not include this source.

Prerequisites

  • You have the URL of the custom third-party repository.
  • You have the list of distributions that you want to specify.

Procedure

  1. Create a repository source file, such as /root/repo.toml. For example, to specify the distribution: 

    check_gpg = true
check_ssl = true
distros = ["rhel-10.0"]
id = "rhel-10.0-local"
name = "packages for RHEL"
system = false
type = "yum-baseurl"
url = "https://local/repos/rhel10/<project_repo>/"
    Copy to Clipboard Toggle word wrap
  2. Save the file in the TOML format.

  3. Add the new third-party source to RHEL image builder: 

    $ composer-cli sources add <file_name>.toml
    Copy to Clipboard Toggle word wrap

Verification

  1. Check if the new source was successfully added: 

    $ composer-cli sources list
    Copy to Clipboard Toggle word wrap

  2. Check the new source content: 

    $ composer-cli sources info <source_id>
    Copy to Clipboard Toggle word wrap

3.3. Checking repositories metadata with GPG
Copy link

To detect and avoid corrupted packages, you can use the DNF package manager to check the GNU Privacy Guard (GPG) signature on RPM packages, and also to check if the repository metadata has been signed with a GPG key.

You can either enter the gpgkey that you want to do the check over https by setting the gpgkeys field with the key URL. Alternatively, to improve security, you can also embed the whole key into the gpgkeys field, to import it directly instead of fetching the key from the URL.

Prerequisites

  • The directory that you want to use as a repository exists and contains packages.

Procedure

  1. Access the folder where you want to create a repository: 

    $ cd repo/
    Copy to Clipboard Toggle word wrap

  2. Run the createrepo_c to create a repository from RPM packages: 

    $ createrepo_c .
    Copy to Clipboard Toggle word wrap

  3. Access the directory where the repodata is: 

    $ cd repodata/
    Copy to Clipboard Toggle word wrap

  4. Sign your repomd.xml file: 

    $ gpg -u <gpg_key_email> --yes --detach-sign --armor /srv/repo/example/repomd.xml
    Copy to Clipboard Toggle word wrap

  5. To enable GPG signature checks in the repository:

    1. Set check_repogpg = true in the repository source.

    2. Enter the gpgkey that you want to do the check. If your key is available over https, set the gpgkeys field with the key URL for the key. You can add as many URL keys as you need.

      The following is an example: 

      check_gpg = true
check_ssl = true
id = "<signed_local_packages>"
name = "<repository_name>"
type = "yum-baseurl"
url = "\https://local/repos/<projectrepo>/"
check_repogpg = true
gpgkeys=["\https://local/keys/repokey.pub"]
      Copy to Clipboard Toggle word wrap

      As an alternative, add the GPG key directly in the gpgkeys field, for example: 

      check_gpg = true
check_ssl = true
check_repogpg
id = "custom-local"
name = "signed local packages"
type = "yum-baseurl"
url = "\https://local/repos/projectrepo/"
gpgkeys=["\https://remote/keys/<other_repokey>.pub",
'''-----BEGIN PGP PUBLIC KEY BLOCK-----
...
-----END PGP PUBLIC KEY BLOCK-----''']
      Copy to Clipboard Toggle word wrap

      • If the test does not find the signature, the GPG tool shows an error similar to the following one: 

        $ GPG verification is enabled, but GPG signature is not available.
This may be an error or the repository does not support GPG verification:
Status code: 404 for \http://repo-server/rhel/repodata/repomd.xml.asc (IP: 192.168.1.3)
        Copy to Clipboard Toggle word wrap

      • If the signature is invalid, the GPG tool shows an error similar to the following one: 

        repomd.xml GPG signature verification error: Bad GPG signature
        Copy to Clipboard Toggle word wrap

Verification

  • Test the signature of the repository manually: 

    $ gpg --verify /srv/repo/example/repomd.xml.asc
    Copy to Clipboard Toggle word wrap

RHEL image builder osbuild-composer back end does not inherit the system repositories located in the /etc/yum.repos.d/ directory. Instead, it has its own set of official repositories defined in the /usr/share/osbuild-composer/repositories directory. This includes the Red Hat official repository, which contains the base system RPMs to install additional software or update already installed programs to newer versions. If you want to override the official repositories, you must define overrides in /etc/osbuild-composer/repositories/. This directory is for user defined overrides and the files located there take precedence over those in the /usr/share/osbuild-composer/repositories/ directory.

The configuration files are not in the usual RPM repository format known from the files in /etc/yum.repos.d/. Instead, they are JSON files.

3.5. Overriding a system repository
Copy link

You can configure your own repository override for RHEL image builder in the /etc/osbuild-composer/repositories directory.

Prerequisites

  • You have a custom repository that is accessible from your host system.

Procedure

  1. Create the /etc/osbuild-composer/repositories/ directory to store your repository overrides: 

    $ sudo mkdir -p /etc/osbuild-composer/repositories
    Copy to Clipboard Toggle word wrap

  2. Create a JSON file, using a name corresponding to your RHEL version. Alternatively, you can copy the file for your distribution from /usr/share/osbuild-composer/ and modify its content.

    For RHEL 10, use /etc/osbuild-composer/repositories/rhel-10.json.

  3. Add the following structure to your JSON file. Specify only one of the following attributes, in the string format:

    • baseurl is the base URL of the repository.
    • metalink is the URL of a metalink file that contains a list of valid mirror repositories.

    • mirrorlist is the URL of a mirrorlist file that contains a list of valid mirror repositories. The remaining fields, such as gpgkey, and metadata_expire, are optional.

      For example: 

      {
     "x86_64": [
        {
            "name": "baseos",
            "baseurl": "http://mirror.example.com/composes/released/RHEL-10.0/10.0/BaseOS/x86_64/os/",
            "gpgkey": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n (…​)",
            "check_gpg": true
        }
    ]
}
      Copy to Clipboard Toggle word wrap

      Alternatively, you can copy the JSON file for your distribution, by replacing rhel-version.json with your RHEL version, for example: rhel-10.0.json. 

      $ cp /usr/share/osbuild-composer/repositories/rhel-10.0.json /etc/osbuild-composer/repositories/
      Copy to Clipboard Toggle word wrap

  4. Optional: Verify the JSON file: 

    $ json_verify /etc/osbuild-composer/repositories/<file>.json
    Copy to Clipboard Toggle word wrap

  5. Edit the baseurl paths in the rhel-10.0.json file and save it. For example: 

    $ /etc/osbuild-composer/repositories/rhel-10.0.json
    Copy to Clipboard Toggle word wrap

  6. Restart the osbuild-composer.service: 

    $ sudo systemctl restart osbuild-composer.service
    Copy to Clipboard Toggle word wrap

Verification

  • Check if the repository points to the correct URLs: 

    $ cat /etc/yum.repos.d/redhat.repo
    Copy to Clipboard Toggle word wrap

    You can see that the repository points to the correct URLs which are copied from the /etc/yum.repos.d/redhat.repo file.

You can set up the osbuild-composer service to use system subscriptions that are defined in the /etc/yum.repos.d/redhat.repo file. To use a system subscription in osbuild-composer, define a repository override that has the following details:

  • The same baseurl as the repository defined in /etc/yum.repos.d/redhat.repo.

  • The value of ”rhsm”: true defined in the JSON object.

    Note

    osbuild-composer does not automatically use repositories defined in /etc/yum.repos.d/. You need to manually specify them either as a system repository override or as an additional source by using composer-cli. The BaseOS and AppStream repositories usually use system repository overrides, whereas all the other repositories use composer-cli sources.

Prerequisites

  • Your system has a subscription defined in /etc/yum.repos.d/redhat.repo.
  • You have created a repository override.

Procedure

  1. Get the baseurl from the /etc/yum.repos.d/redhat.repo file: 

    # cat /etc/yum.repos.d/redhat.repo
[AppStream]
name = AppStream mirror example
baseurl = \https://mirror.example.com/RHEL-10.0/10.0/AppStream/x86_64/os/
enabled = 1
gpgcheck = 0
sslverify = 1
sslcacert = /etc/pki/ca1/ca.crt
sslclientkey = /etc/pki/ca1/client.key
sslclientcert = /etc/pki/ca1/client.crt
metadata_expire = 86400
enabled_metadata = 0
    Copy to Clipboard Toggle word wrap

  2. Configure the repository override to use the same baseurl and set rhsm to true: 

    {
    "x86_64": [
        {
            "name": "AppStream mirror example",
            "baseurl": "https://mirror.example.com/RHEL-10.0/10.0/AppStream/x86_64/os/",
            "gpgkey": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n (...)",
            "check_gpg": true,
            "rhsm": true
        }
    ]
}
    Copy to Clipboard Toggle word wrap

  3. Restart the osbuild-composer.service: 

    $ sudo systemctl restart osbuild-composer.service
    Copy to Clipboard Toggle word wrap

You can use Satellite’s content views (CV) as repositories to build images with RHEL image builder. For that, on your host registered to Satellite, manually configure the repository references to be able to retrieve from the Satellite repositories, instead of the Red Hat Content Delivery Network (CDN) official repositories.

Prerequisites

Procedure

  1. Find the repository URL from your currently configured repositories: 

    $ $ sudo yum -v repolist "-baseos-rpms" | grep -i repo-baseurl
    Copy to Clipboard Toggle word wrap

    The following output is an example: 

    https://satellite6.example.com/pulp/content/<your_org>/<your_env>/<your_cv>/content/dist/rhel10/10/x86_64/baseos/os
    Copy to Clipboard Toggle word wrap

  2. Modify the hard-coded repositories to a Satellite Server.

    1. Create a repository directory with the 0755 permission: 

      $ sudo mkdir -pvm 0755 /etc/osbuild-composer/repositories
      Copy to Clipboard Toggle word wrap

    2. Copy the content from /usr/share/osbuild-composer/repositories/*.json to the directory that you created: 

      $ sudo cp /usr/share/osbuild-composer/repositories/*.json /etc/osbuild-composer/repositories/
      Copy to Clipboard Toggle word wrap

    3. Update the Satellite URL and the file contents through the /content/dist/* line: 

      $ sudo sed -i -e 's|cdn.redhat.com|satellite6.example.com/pulp/content/<your_org>/<your_env>/<your_cv>|' /etc/osbuild-composer/repositories/.json
      Copy to Clipboard Toggle word wrap

    4. Verify that the configuration was correctly replaced: 

      $ sudo vi /etc/osbuild-composer/repositories/rhel-10.json
      Copy to Clipboard Toggle word wrap

  3. Restart the services: 

    $ sudo systemctl restart osbuild-worker@1.service osbuild-composer.service
    Copy to Clipboard Toggle word wrap
  4. Override the required system repository in Red Hat image builder configuration and use the URL of your Satellite repository as a baseurl. See Overriding a system repository.

Configure RHEL image builder to use Satellite’s content views (CV) as repositories to build your custom images.

Prerequisites

Procedure

  1. In the Satellite web UI, navigate to Content, locate Products, select your Product, and click the repository you want to use.
  2. Search for the secured URL (HTTPS) in the Published field and copy it.
  3. Use the URL that you copied as a baseurl for the Red Hat image builder repository. See Adding custom third-party repositories to RHEL image builder.
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat