Red Hat SummitChapter 11. Pushing a container to a registry and embedding it into an image
With RHEL image builder, you can build security hardened images using the OpenSCAP tool. You can take advantage of the support for container customization in the blueprints to create a container and embed it directly into the image you create.
11.1. Customizing a blueprint to embed a container into an image
To embed a container from registry.access.redhat.com registry, you must add a container customization to your blueprint. RHEL image builder pulls the container during the image build and stores the container into the image. The default local container storage location depends on the image type, so that all support container-tools, such as Podman, are able to work with it.
Prerequisites
- You have created a blueprint.
Procedure
- Customize your blueprint with the container :
[[containers]] source = "registry.access.redhat.com/ubi10/ubi:latest" name = "_<local_name>_" tls-verify = true
[[containers]]
source = "registry.access.redhat.com/ubi10/ubi:latest"
name = "_<local_name>_"
tls-verify = true-
source- Mandatory field. It is a reference to the container image at a registry. This example uses theregistry.access.redhat.comregistry. You can specify a tag version. The default tag version islatest. -
name- The name of the container in the local registry. tls-verify- Boolean field. Thetls-verifyboolean field controls the transport layer security. The default value istrue.To access protected container resources, you can use a
containers-auth.jsonfile.
11.2. The Container registry credentials
The osbuild-worker@.service is a template service that can start multiple service instances. By default, the osbuild-composer service always starts with only one local osbuild-worker, specifically osbuild-worker@1.service. The osbuild-worker service is responsible for the communication with the container registry.
Prerequisites
-
Access to quay.io registry. This example uses the
quay.iocontainer registry as a target registry, but you can use a container registry of your choice.
Procedure
-
Enable the service by setting up the
/etc/osbuild-worker/osbuild-worker.tomlconfiguration file. Restart the
osbuild-workerservice, because it reads the/etc/osbuild-worker/osbuild-worker.tomlconfiguration file only once, during theosbuild-workerservice start.systemctl restart osbuild-worker@*
$ systemctl restart osbuild-worker@*Copy to Clipboard Copied! Toggle word wrap Toggle overflow Optional: To stop the service instance, restart the
systemdservice:systemctl restart osbuild-worker@*
$ systemctl restart osbuild-worker@*Copy to Clipboard Copied! Toggle word wrap Toggle overflow With that, you restart all the started instances of
osbuild-worker, specificallyosbuild-worker@1.service, the only service that might be running.In the
/etc/osbuild-worker/osbuild-worker.tomlconfiguration file, locate in the containers section theauth_field_pathentry that is a string referring to a path of acontainers-auth.jsonfile and used to access protected resources. The container registry credentials are only used to pull a container image from a registry, when embedding the container into the image. For example:[containers] auth_file_path = "/etc/osbuild-worker/containers-auth.json"
[containers] auth_file_path = "/etc/osbuild-worker/containers-auth.json"Copy to Clipboard Copied! Toggle word wrap Toggle overflow
11.3. Pushing a container artifact directly to a container registry
You can push container artifacts, such as RHEL for Edge container images directly, directly to a container registry after you build it, by using the RHEL image builder CLI.
Prerequisites
-
Access to quay.io registry. This example uses the
quay.iocontainer registry as a target registry, but you can use a container registry of your choice.
Procedure
Set up a
registry-config.tomlfile to select the container provider. The credentials are optional.provider = "<container_provider>" [settings] tls_verify = false username = "<admin>" password = "<your_password>"
provider = "<container_provider>" [settings] tls_verify = false username = "<admin>" password = "<your_password>"Copy to Clipboard Copied! Toggle word wrap Toggle overflow Create a blueprint in the
.tomlformat. This is a blueprint for the container in which you install annginxpackage into the blueprint.Copy to Clipboard Copied! Toggle word wrap Toggle overflow Push the blueprint:
composer-cli blueprints push blueprint.toml
# composer-cli blueprints push blueprint.tomlCopy to Clipboard Copied! Toggle word wrap Toggle overflow Build the container image, by passing the registry and the repository to the
composer-clitool as arguments.composer-cli compose start simple-container container "quay.io:8080/osbuild/repository" registry-config.toml
# composer-cli compose start simple-container container "quay.io:8080/osbuild/repository" registry-config.tomlCopy to Clipboard Copied! Toggle word wrap Toggle overflow -
simple-containeris the blueprint name. -
containeris the image type. quay.io:8080/osbuild/repositoryis the target registry,osbuildis the organization andrepositoryis the location to push the container when it finishes building. Optionally, you can set atag. If you do not set a value for:tag, it uses the:latesttag by default.NoteBuilding the container image takes time because of resolving dependencies of the customized packages.
-
- After the image build finishes, the container you created is available in quay.io.
Verification
Open quay.io. and click
Repository Tags. You can see details about the container you created, such as:- Last modified
- Image size
-
The
manifest IDthat you can copy to the clipboard.
-
Copy the
manifest IDvalue to build the image in which you want to embed a container.
11.4. Building an image and pulling the container into the image
After you have created the container image, you can build your customized image and pull the container image into it. For that, you must specify a container customization in the blueprint, and the container name for the final image. During the build process, the container image is fetched and placed in the local Podman container storage.
Prerequisites
-
You created a container image and pushed it into your local
quay.iocontainer registry instance. See Pushing a container artifact directly to a container registry. - You have access to registry.access.redhat.com.
-
You have a container
manifest ID. -
You have the
qemu-kvmandqemu-imgpackages installed.
Procedure
Create a blueprint to build a
qcow2image. The blueprint must contain the[[containers]]customization.Copy to Clipboard Copied! Toggle word wrap Toggle overflow Push the blueprint:
composer-cli blueprints push <blueprint_image>.toml
# composer-cli blueprints push <blueprint_image>.tomlCopy to Clipboard Copied! Toggle word wrap Toggle overflow Build the container image:
composer-cli start compose <image> qcow2
# composer-cli start compose <image> qcow2Copy to Clipboard Copied! Toggle word wrap Toggle overflow - image is the blueprint name.
qcow2is the image type.NoteBuilding the image takes time because it checks the container on
quay.ioregistry.
To check the status of the compose:
composer-cli compose status
# composer-cli compose statusCopy to Clipboard Copied! Toggle word wrap Toggle overflow A finished compose shows the FINISHED status value. To identify your compose in the list, use its UUID.
After the compose process is finished, download the resulting image file to your default download location:
composer-cli compose image <uuid>
# composer-cli compose image <uuid>Copy to Clipboard Copied! Toggle word wrap Toggle overflow Replace UUID with the UUID value shown in the previous steps.
You can use the
qcow2image you created and downloaded to create a VM.
Verification
-
Locate the resulting
qcow2image. -
Start the
qcow2image in a VM. See Creating a virtual machine from a KVM guest image. -
The
qemuwizard opens. Login in to theqcow2image by entering the username and password. These can be the username and password you set up in the.qcow2blueprint in thecustomizations.usersection, or created at boot time withcloud-init. Run the container image and open a shell prompt inside the container:
podman run -it registry.access.redhat.com/ubi10:8080/osbuild/<repository>/bin/bash/
# podman run -it registry.access.redhat.com/ubi10:8080/osbuild/<repository>/bin/bash/Copy to Clipboard Copied! Toggle word wrap Toggle overflow registry.access.redhat.comis the target registry,osbuildis the organization, andrepositoryis the location to push the container when it finishes building.Check that the packages you added to the blueprint are available:
type -a nginx
# type -a nginxCopy to Clipboard Copied! Toggle word wrap Toggle overflow The output shows you the
nginxpackage path.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}