Chapter 14. Working with containers
14.1. Introduction to containers
Containers include all the necessary components like libraries, frameworks, and other additional dependencies that are isolated and self-sufficient within their own executable. A Red Hat container certification ensures supportability of both the operating system and the application layers. It provides enhanced security by vulnerability scanning and health grading of the Red Hat components, and lifecycle commitment whenever the Red Hat or partner components are updated.
However, containers running in privileged mode, or privileged containers, stretch their boundaries and interact with their host to run commands or access the host’s resources. For example, a container that reads or writes to a filesystem mounted on the host must run in privileged mode.
Privileged containers might create a security risk. A compromised privileged container might also compromise its host and the integrity of the environment as a whole.
Moreover, privileged containers are susceptible to incompatibilities with the host as operating system interfaces such as commands, libraries, ABI, and APIs might change or deprecate over time. This can put privileged containers at risk of interacting with the host in an unsupported way.
You must ensure that your containers can run on any supported hosts in the customer’s environment. Red Hat encourages you to adopt a continuous integration model that lets you test your containers with public betas or earlier versions of Red Hat products to maximize compatibility.
Partner Validation - Select this type of certification if you want to validate your product using your own criteria and test suite on Red Hat platforms. Partner validation allows you to publish your software offerings on the Red Hat Ecosystem Catalog more quickly. However, validated workloads may not incorporate all of Red Hat’s integration requirements and best practices. We encourage you to continue your efforts toward Red Hat certification.
Certified - Select this type of certification if you want your product to undergo thorough testing by using Red Hat’s test suite, and benefit from collaborative support. Your products will meet your standards and Red Hat’s criteria, including interoperability, lifecycle management, security, and support requirements.
Products that meet the requirements and complete the certification workflow get listed on the Red Hat Ecosystem Catalog. Partners will receive a logo to promote their product certification.
14.2. Container certification workflow
Red Hat recommends that you are a Red Hat Certified Engineer or hold equivalent experience before starting the certification process.
Task Summary
The certification workflow includes three primary stages:
14.2.1. Certification on-boarding
Perform the steps outlined for certification onboarding:
- Join the Red Hat Connect for Technology Partner Program.
- Agree to the program terms and conditions.
- Create your product listing by selecting your desired product category. You can select from the available product categories:
  - Containerized Application
  - Standalone Application
  - OpenStack Infrastructure
- Complete your company profile.
- Add components to the product listing.
- Certify components for your product listing.
Additional resources
For detailed instructions about creating your first product listing, see Creating a product.
14.2.2. Certification testing for containerized applications
Follow these high-level steps to run a certification test:
- Build your container image.
- Upload your container image to your chosen registry. You can use any registry of your choice.
You can perform Red Hat Container certification by using a custom container registry. This enables you to provide an access token to the registry, which thereby helps to verify the availability of the container images for users. Also, it ensures that the container image can undergo scanning by the security scanner and can be published on the Red Hat Ecosystem Catalog. Custom registries employ diverse authentication methods, and the Red Hat Software certification program supports the following authentication methods along with the standard OCI registry API:
- Bearer Authentication
- OAuth2
- Basic Authentication
For more details about the authentication methods, see Supported auth methods.
Additionally, if you are using a public registry such as DockerHub, GitLab, GitHub, or similar that enforces rate limits on unauthenticated or anonymous access, provide a Docker configuration file with valid authentication credentials for the specified registry. Without this configuration, Red Hat certification systems can exceed the allowed request limits, preventing them from certifying or serving your container.
- Download the Preflight certification utility.
- Run Preflight with your container image.
- Submit results on Red Hat Partner Connect.
Additional resources
For detailed instructions about certification testing, see Running the certification test suite.
14.2.3. Publishing the certified product listing on the Red Hat Ecosystem Catalog
The Partner Validated or Certified container must be added to your product’s Product Listing page on the Red Hat Partner Connect portal. Once published, your product listing is displayed on the Red Hat Ecosystem Catalog, by using the product information that you provide. You can publish both the Partner Validated and Certified application on the Red Hat Ecosystem Catalog with the respective labels.
Additional resources
For more information about containers, see:
14.3. Testing multi-arch container certification using preflight
Follow these steps to perform a multi-arch container certification test:
Procedure
- Build your multi-arch container images. See Building and pushing multi-arch container images using Podman for more information.
- Upload your container images to your chosen registry. You can select any OCI registry of your choice.
You can perform Red Hat Container certification by using a custom container registry. This enables you to provide an access token to the registry, which thereby helps to verify the availability of the container images for users. Also, it ensures that the container image can be scanned by the security scanner and published on the Red Hat Ecosystem Catalog. Custom registries employ diverse authentication methods, and the Red Hat Software certification program supports the following authentication methods along with the standard OCI registry API:
- Bearer Authentication
- OAuth2
- Basic Authentication
For more details about the authentication methods, see Supported auth methods.
Additionally, if you are using a public registry such as DockerHub, GitLab, GitHub, or similar that enforces rate limits on unauthenticated or anonymous access, provide a Docker configuration file with valid authentication credentials for the specified registry. Without this configuration, Red Hat certification systems can exceed the allowed request limits, preventing them from certifying or serving your container.
- Download the Preflight certification utility. Ensure that you have the latest version to benefit from any updates or improvements.
- Run preflight with your multi-arch container image. Preflight will automatically run and submit results for all architectures if the supplied image is a manifest list.
- Review and address the preflight certification results.
- Submit results on Red Hat Partner Connect.
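The Docker configuration file called for in 14.2.2 and 14.3 can be generated as shown in this added example, which is not part of the Red Hat documentation. The registry host, account name, image name and file paths are constructed values, and the helper functions are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example. Registry host, account name and token are constructed values.

# write_docker_config <registry-host> <user> <output-file>
# Reads the password or access token from stdin so it never appears in argv.
write_docker_config() {
    registry=$1; user=$2; out=$3
    IFS= read -r secret || true
    [ -n "$secret" ] || { echo "no credential on stdin" >&2; return 1; }
    # The "auth" value is base64("user:secret").
    auth=$(printf '%s:%s' "$user" "$secret" | base64 | tr -d '\n')
    # umask 077 makes a new file owner-only; chmod covers a pre-existing one.
    (
        umask 077
        : > "$out" && chmod 600 "$out"
        printf '{\n  "auths": {\n    "%s": {\n      "auth": "%s"\n    }\n  }\n}\n' \
            "$registry" "$auth" > "$out"
    )
}

# registry_auth <config-file> <registry-host>: print the stored "auth" value.
registry_auth() {
    awk -F'"' -v key="\"$2\":" '
        index($0, key)      { hit = 1 }
        hit && $2 == "auth" { print $4; exit }
    ' "$1"
}

# config_is_private <config-file>: succeed only if the mode is exactly rw-------.
config_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Typical use (token comes from the CI secret store, not the command line):
#   printf '%s\n' "$REGISTRY_TOKEN" | write_docker_config quay.io ci-robot ./auth/config.json
#   config_is_private ./auth/config.json || exit 1
#   preflight check container quay.io/example/app:1.0 --docker-config ./auth/config.json
```

Use a pull-only robot account or scoped token for this file, since the "auth" value is only base64-encoded and anyone who can read the file can recover the credential.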
14.3.1. Building and pushing multi-arch container images using Podman
Follow the instructions to build and push multi-arch images using Podman:
Prerequisites
- Podman is installed on your system.
- You have a Dockerfile that defines the image you want to build for multiple architectures.
- You have a Quay.io account or any other container registry account.
Procedure
- Prepare your Dockerfile.
- Build and push the multi-arch container images. Check the podman-manifest documentation for instructions on building and pushing the multi-arch container images.
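Because Preflight covers every architecture only when the supplied image is a manifest list, it helps to confirm what was pushed before running it. The following is an added example, not Red Hat's own tooling: the image name and JSON are constructed, the function names are hypothetical, and the JSON is parsed with grep and sed to avoid extra dependencies.

```shell
#!/bin/sh
# Added example. The JSON is a constructed sample in the shape printed by
#   podman manifest inspect quay.io/example/app:1.0
# after building and pushing with
#   podman build --platform linux/amd64,linux/arm64 --manifest quay.io/example/app:1.0 .
#   podman manifest push --all quay.io/example/app:1.0 docker://quay.io/example/app:1.0
sample_manifest_list() {
cat <<'EOF'
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": [
    { "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:CONSTRUCTED-AMD64", "size": 1024,
      "platform": { "architecture": "amd64", "os": "linux" } },
    { "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:CONSTRUCTED-ARM64", "size": 1024,
      "platform": { "architecture": "arm64", "os": "linux" } }
  ]
}
EOF
}

# is_manifest_list <json-file>: succeed for an OCI image index or a Docker
# manifest list, fail for a single-architecture image manifest.
is_manifest_list() {
    grep -Eq '"mediaType"[[:space:]]*:[[:space:]]*"application/vnd\.(oci\.image\.index\.v1|docker\.distribution\.manifest\.list\.v2)\+json"' "$1"
}

# manifest_arches <json-file>: print each architecture in the list, one per line.
manifest_arches() {
    grep -o '"architecture"[[:space:]]*:[[:space:]]*"[^"]*"' "$1" |
        sed 's/.*"\([^"]*\)"$/\1/' | sort -u
}

# missing_arches <json-file> <arch>...: print the expected architectures that
# the manifest list does not contain (no output means full coverage).
missing_arches() {
    file=$1; shift
    found=$(manifest_arches "$file")
    for want in "$@"; do
        printf '%s\n' "$found" | grep -qxF "$want" || printf '%s\n' "$want"
    done
}
```

Save the `podman manifest inspect` output to a file and stop the pipeline if `is_manifest_list` fails or `missing_arches` prints anything, so an incomplete image is caught before results are submitted.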