Chapter 29. Red Hat Enterprise Linux Atomic Host 7.4.0
29.1. Atomic Host
OSTree update:
New Tree Version: 7.4.0 (hash: 846fb0e18e65bd9a62fc9d952627413c6467c33c2d726449a1d7ad7690bbb93a)
Changes since Tree Version 7.3.6 (hash: e073a47baa605a99632904e4e05692064302afd8769a15290d8ebe8dbfd3c81b)
Updated packages:
- atomic-devmode-0.3.7-2.el7
- cockpit-ostree-141-2.el7
- redhat-release-atomic-host-7.4-20170427.0.atomic.el7.1
- rpm-ostree-client-2017.6-5.atomic.el7
29.2. Extras
Updated packages:
- atomic-1.18.1-3.1.git0705b1b.el7
- cockpit-141-4.el7
- container-selinux-2.21-1.el7
- docker-1.12.6-48.git0fdc778.el7
- docker-distribution-2.6.1-1.1.gita25b9ef.el7
- docker-latest-1.13.1-21.1.gitcd75c68.el7
- dpdk-16.11.2-4.el7 *
- etcd-3.1.9-2.el7
- flannel-0.7.1-2.el7
- gomtree-0.3.1-2.1.el7
- libev-4.15-7.el7 *
- libssh-0.7.1-3.el7 *
- oci-register-machine-0-3.11.1.gitdd0daef.el7
- oci-systemd-hook-0.1.8-4.1.gite533efa.el7
- ostree-2017.7-1.el7
- python-backports-lzma-0.0.2-9.el7 *
- python-gevent-1.0-3.el7 *
- python-greenlet-0.4.2-4.el7 *
- runc-1.0.0-12.1.gitf8ce01d.el7
- skopeo-0.1.20-2.1.gite802625.el7
- storaged-2.5.2-3.el7 *
New packages:
- container-storage-setup-0.3.0-3.git927974f.el7
- sshpass-1.06-2.el7 *
- python-httplib2-0.9.1-3.el7 *
- libtommath-0.42.0-6.el7 *
- python-passlib-1.6.5-2.el7 *
- python-paramiko-2.1.1-2.el7 *
- ansible-2.3.1.0-3.el7 *
- python-crypto-2.6.1-15.el7 *
- libtomcrypt-1.17-26.el7 *
- rhel-system-roles-0.2-2.el7 *
- driverctl-0.95-1.el7 *
The asterisk (*) marks packages which are available for Red Hat Enterprise Linux only.
29.2.1. Container Images
Updated:
- Red Hat Enterprise Linux Atomic cockpit-ws Container Image (rhel7/cockpit-ws)
- Red Hat Enterprise Linux Atomic etcd Container Image (rhel7/etcd)
- Red Hat Enterprise Linux Atomic flannel Container Image (rhel7/flannel)
- Red Hat Enterprise Linux Atomic Identity Management Server Container Image (rhel7/ipa-server)
- Red Hat Enterprise Linux Atomic Kubernetes apiserver Container Image (rhel7/kubernetes-apiserver)
- Red Hat Enterprise Linux Atomic Kubernetes controller-manager Container (rhel7/kubernetes-controller-mgr)
- Red Hat Enterprise Linux Atomic Kubernetes scheduler Container Image (rhel7/kubernetes-scheduler)
- Red Hat Enterprise Linux Atomic open-vm-tools Container Image (rhel7/open-vm-tools)
- Red Hat Enterprise Linux Atomic openscap Container Image (rhel7/openscap)
- Red Hat Enterprise Linux 7.4 Container Image (rhel7.4, rhel7, rhel7/rhel, rhel)
- Red Hat Enterprise Linux Atomic Tools Container Image (rhel7/rhel-tools)
- Red Hat Enterprise Linux 7 Init Container Image (rhel7/rhel7-init)
- Red Hat Enterprise Linux Atomic sadc Container Image (rhel7/sadc)
- Red Hat Enterprise Linux Atomic SSSD Container Image (rhel7/sssd)
29.3. New Features
Limited support for containers on little-endian IBM Power Systems
Containers now have limited support on the little-endian variant of IBM Power Systems (PPCle). See the Supported Architectures for Containers on RHEL for details.
Notably, packages from the Extras channel are now provided for the little-endian variant of IBM Power Systems, along with the rhel7-ppc64le base container. This enables using containers on these systems with Red Hat Enterprise Linux 7.4.
overlay2 storage driver now available
The overlay2 graph driver has been upgraded from a Technology Preview to a fully supported feature.
The overlay2 graph driver, along with overlay, uses OverlayFS, a copy-on-write union file system that features page-cache sharing between containers. However, overlay2 is the more performant option.
To enable the driver, specify overlay2 in the /etc/sysconfig/docker-storage-setup file:
STORAGE_DRIVER=overlay2
OverlayFS now can be run with SELinux enforced
Previously, SELinux had to be in permissive or disabled mode for OverlayFS to work. Now you can run the OverlayFS file system with SELinux in enforcing mode.
For more information on OverlayFS, see Overlay Graph Driver.
SSSD in a container is now fully supported
The System Security Services Daemon (SSSD) in a container has been upgraded from a Technology Preview to a fully supported feature.
SSSD allows the Red Hat Enterprise Linux Atomic Host authentication subsystem to be connected to central identity providers such as Red Hat Identity Management and Microsoft Active Directory.
To install this new image, use the atomic install rhel7/sssd command.
For full documentation on SSSD, see Configuring SSSD.
Package layering is now fully supported
The pkg-add subcommand of the rpm-ostree tool has been upgraded from a Technology Preview to a fully supported feature.
The rpm-ostree install command installs layered packages that are persistent across reboots. This command can be used to install individual packages that are not part of the original OSTree, such as diagnostics tools. For detailed information about package layering, see Package Layering.
Image signing is now fully supported
The image signing and validation functionality has been upgraded from a Technology Preview to a fully supported feature.
Signing container images on RHEL and RHEL Atomic Host systems provides a means of validating where a container image came from, checking that the image has not been tampered with, and setting policies to determine which validated images you allow to be used on your systems.
The main image signing tasks can be done as follows:
- To sign and distribute an image, use the atomic sign and atomic push commands.
- To get and verify a signed image, use the atomic pull and atomic verify commands.
- To designate a signed image as trusted and acceptable on the local system, use the atomic trust command.
For the current release, image signing is only supported when pushing and pulling between Docker v2 registries (such as the registry software included in the docker-distribution package) and the Docker Hub (docker.io).
To learn more about image signing, see Image Signing.
GPG verification changes for OSTree commits
For new installations of RHEL Atomic Host 7.4.0 and later, the GPG verification of OSTree commits is enabled by default. If you upgrade from RHEL Atomic Host 7.3, you can enable GPG verification manually.
To enable GPG verification, set the gpg-verify directive in the /etc/ostree/remotes.d/redhat.conf file to true.
If GPG verification is enabled, the output of the atomic host status command shows information about the GPG signature of the commit.
docker-storage-setup renamed to container-storage-setup
The docker-storage-setup utility has been renamed to container-storage-setup for RHEL 7.4 and RHEL Atomic Host 7.4. Note that:
- The name of the package has also changed to container-storage-setup.
- The name of the service is still docker-storage-setup.
- The default configuration is in the /usr/share/container-storage-setup/container-storage-setup file, but your configuration should go to /etc/sysconfig/docker-storage-setup, which overrides configuration from /usr/share/container-storage-setup/container-storage-setup.
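An added example, not part of the original release notes: a shell function that audits OSTree remote files such as /etc/ostree/remotes.d/redhat.conf for the gpg-verify directive described under "GPG verification changes for OSTree commits" above, which is useful on hosts upgraded from 7.3. The function names, remote names and URLs in the sample are constructed, and reporting an absent directive as "unset" for manual review is this example's own choice.

```shell
#!/bin/sh
# Audit OSTree remote definitions for the gpg-verify directive.
# Prints "<remote> <status>" per remote, where status is one of
# enabled, disabled or unset. Returns 1 if any remote is not enabled.
audit_gpg_verify() {
    awk '
        # Report the remote collected so far and remember any finding.
        function emit() {
            if (remote != "") {
                print remote, state
                if (state != "enabled") bad = 1
            }
        }
        # Start of a [remote "name"] section.
        /^[ \t]*\[remote "/ {
            emit()
            remote = $0
            sub(/^[ \t]*\[remote "/, "", remote)
            sub(/"\].*$/, "", remote)
            state = "unset"
            next
        }
        # Any other section ends the current remote.
        /^[ \t]*\[/ { emit(); remote = ""; next }
        # gpg-verify inside a remote section; commented lines do not match.
        /^[ \t]*gpg-verify[ \t]*=/ && remote != "" {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)
            sub(/[ \t\r]+$/, "", v)
            state = (v == "true" || v == "1") ? "enabled" : "disabled"
        }
        END { emit(); exit bad }
    ' "$@"
}

# Constructed sample input (not a real host configuration): one remote as
# it might look after an upgrade, one with verification turned on.
write_sample() {
    cat > "$1" <<'EOF'
[remote "example-upgraded-host"]
url=https://example.invalid/repo
gpg-verify=false

[remote "example-new-install"]
url=https://example.invalid/other
gpg-verify=true
EOF
}
```

On a host, run audit_gpg_verify /etc/ostree/remotes.d/*.conf and treat a non-zero exit status as a finding to remediate by setting gpg-verify to true.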