Chapter 13. Working with containers
13.1. Introduction to containers
Containers include all the necessary components, such as libraries, frameworks, and other dependencies, isolated and self-sufficient within their own executable. A Red Hat container certification ensures supportability of both the operating system and the application layers. It provides enhanced security through vulnerability scanning and health grading of the Red Hat components, and a lifecycle commitment whenever the Red Hat or partner components are updated.
However, containers running in privileged mode, or privileged containers, stretch their boundaries and interact with their host to run commands or access the host’s resources. For example, a container that reads or writes to a filesystem mounted on the host must run in privileged mode.
Privileged containers might create a security risk. A compromised privileged container might also compromise its host and the integrity of the environment as a whole.
Moreover, privileged containers are susceptible to incompatibilities with the host, because operating system interfaces such as commands, libraries, ABI, and APIs might change or be deprecated over time. This can put privileged containers at risk of interacting with the host in an unsupported way.
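To make the risk above checkable on a host, the following added example (not part of the Red Hat documentation) flags containers that run in privileged mode or bind-mount host paths. It assumes the input is the JSON array printed by `podman inspect`; the sample data and the function names `audit_container` and `audit` are constructed for illustration.

```python
import json

# Constructed sample shaped like the JSON array printed by `podman inspect <container>`.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "web", "HostConfig": {"Privileged": false},
   "Mounts": [{"Type": "volume", "Source": "/var/lib/containers/storage/volumes/web/_data",
               "Destination": "/data", "RW": true}]},
  {"Name": "node-agent", "HostConfig": {"Privileged": true},
   "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host", "RW": true}]},
  {"Name": "log-reader", "HostConfig": {"Privileged": false},
   "Mounts": [{"Type": "bind", "Source": "/var/log", "Destination": "/logs", "RW": false}]}
]
""")


def audit_container(entry):
    """Return findings for one inspect entry; an empty list means nothing was flagged."""
    findings = []
    if (entry.get("HostConfig") or {}).get("Privileged"):
        findings.append("runs in privileged mode")
    for mount in entry.get("Mounts") or []:
        # A bind mount exposes a host path inside the container.
        if mount.get("Type") == "bind":
            mode = "read-write" if mount.get("RW") else "read-only"
            findings.append(f"bind-mounts host path {mount.get('Source')} ({mode})")
    return findings


def audit(entries):
    """Map container name -> findings for every container with at least one finding."""
    report = {}
    for entry in entries:
        findings = audit_container(entry)
        if findings:
            # Some engines prefix the name with "/"; strip it for a stable key.
            report[str(entry.get("Name", "<unnamed>")).lstrip("/")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```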
You must ensure that your containers can run on any supported hosts in the customer’s environment. Red Hat encourages you to adopt a continuous integration model that lets you test your containers with public betas or earlier versions of Red Hat products to maximize compatibility.
13.2. Container certification workflow
Red Hat recommends that you are a Red Hat Certified Engineer or hold equivalent experience before starting the certification process.
Task Summary
The certification workflow includes three primary stages:
13.2.1. Certification on-boarding
Perform the steps outlined for certification onboarding:
- Join the Red Hat Connect for Technology Partner Program.
- Agree to the program terms and conditions.
- Create your product listing by selecting your desired product category. You can select from the available product categories:
  - Containerized Application
  - Standalone Application
  - OpenStack Infrastructure
- Complete your company profile.
- Add components to the product listing.
- Certify components for your product listing.
Additional resources
For detailed instructions about creating your first product listing, see Creating a product.
13.2.2. Certification testing for containerized applications
Follow these high-level steps to run a certification test:
- Build your container image.
- Upload your container image to your chosen registry. You can use any registry.
  You can perform Red Hat Container certification by using a custom container registry. This enables you to provide an access token to the registry, which helps to verify the availability of the container images for users. It also ensures that the container image can undergo scanning by the security scanner and can be published on the Red Hat Ecosystem Catalog. Custom registries employ diverse authentication methods, and the Red Hat Software certification program supports the following authentication methods along with the standard OCI registry API:
  - Bearer Authentication
  - OAuth2
  - Basic Authentication
  For more details about the authentication methods, see Supported auth methods.
- Download the Preflight certification utility.
- Run Preflight with your container image.
- Submit results on Red Hat Partner Connect.
Additional resources
For detailed instructions about certification testing, see Running the certification test suite.
13.2.3. Publishing the certified product listing on the Red Hat Ecosystem Catalog
Certified container images are delivered to customers through the Red Hat Connect Image Registry; you can then run them on a supported Red Hat container platform. Your product and its images get listed on the Red Hat Container Catalog using the listing information that you provide.
Additional resources
- For more details about publishing your certified container image, see Publishing the certified container on Red Hat Ecosystem Catalog.
For more information about containers, see:
13.3. Testing multi-arch container certification using preflight
Follow these steps to perform a multi-arch container certification test:
Procedure
- Build your multi-arch container images. See Building and pushing multi-arch container images using Podman for more information.
- Upload your container images to your chosen registry. You can select any OCI registry.
  You can perform Red Hat Container certification by using a custom container registry. This enables you to provide an access token to the registry, which helps to verify the availability of the container images for users. It also ensures that the container image can be scanned by the security scanner and published on the Red Hat Ecosystem Catalog. Custom registries employ diverse authentication methods, and the Red Hat Software certification program supports the following authentication methods along with the standard OCI registry API:
  - Bearer Authentication
  - OAuth2
  - Basic Authentication
  For more details about the authentication methods, see Supported auth methods.
- Download the Preflight certification utility. Ensure that you have the latest version to benefit from any updates or improvements.
- Run preflight with your multi-arch container image. Preflight will automatically run and submit results for all architectures if the supplied image is a manifest list.
- Review and address the preflight certification results.
- Submit results on Red Hat Partner Connect.
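Because Preflight only covers all architectures when the supplied image is a manifest list, it is worth confirming that before the run. The following added example (not part of the Red Hat documentation or of Preflight) checks raw manifest JSON, such as the output of `podman manifest inspect`, for the manifest-list media types and the expected platforms; the sample manifests, placeholder digests, and the function names `platforms` and `missing_platforms` are constructed for illustration.

```python
import json

LIST_MEDIA_TYPES = {
    "application/vnd.docker.distribution.manifest.list.v2+json",  # Docker manifest list
    "application/vnd.oci.image.index.v1+json",                    # OCI image index
}

# Constructed samples of raw manifest JSON; digests are placeholders, not real images.
SAMPLE_LIST = json.loads("""
{"schemaVersion": 2,
 "mediaType": "application/vnd.oci.image.index.v1+json",
 "manifests": [
   {"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": "sha256:PLACEHOLDER-1",
    "platform": {"architecture": "amd64", "os": "linux"}},
   {"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": "sha256:PLACEHOLDER-2",
    "platform": {"architecture": "arm64", "os": "linux", "variant": "v8"}},
   {"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": "sha256:PLACEHOLDER-3",
    "platform": {"architecture": "unknown", "os": "unknown"}}]}
""")
SAMPLE_SINGLE = json.loads("""
{"schemaVersion": 2,
 "mediaType": "application/vnd.oci.image.manifest.v1+json",
 "config": {"digest": "sha256:PLACEHOLDER-4"}, "layers": []}
""")


def platforms(manifest):
    """Return sorted 'os/arch' strings for a manifest list, or None for a single image."""
    media_type = manifest.get("mediaType")
    # Assumption: an index without mediaType is recognized by its "manifests" array.
    is_list = media_type in LIST_MEDIA_TYPES or (
        media_type is None and isinstance(manifest.get("manifests"), list))
    if not is_list:
        return None
    found = set()
    for entry in manifest.get("manifests") or []:
        plat = entry.get("platform") or {}
        arch, os_name = plat.get("architecture"), plat.get("os")
        if arch and os_name and arch != "unknown":  # skip entries with no real platform
            found.add(f"{os_name}/{arch}")
    return sorted(found)


def missing_platforms(manifest, expected):
    """Return expected platforms absent from the list; reject a single-arch image."""
    have = platforms(manifest)
    if have is None:
        raise ValueError("image is not a manifest list")
    return sorted(set(expected) - set(have))
```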
13.3.1. Building and pushing multi-arch container images using Podman
Follow the instructions to build and push multi-arch images using Podman:
Prerequisites
- Podman is installed on your system.
- You have a Dockerfile that defines the image you want to build for multiple architectures.
- You have a Quay.io account or any other container registry account.
Procedure
- Prepare your Dockerfile.
- Build and push the multi-arch container images. Check the podman-manifest documentation for instructions on building and pushing the multi-arch container images.