Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 2. Container image requirements

Products packaged as containers must comply with the following requirements to ensure that container images are:

  • Covered as part of the end-user Red Hat Enterprise Linux support subscription.
  • Scanned to avoid introducing known security vulnerabilities in customer environments.

Additional resources

2.1. Platform requirements

RequirementJustification

Containers must be able to run by using Podman.

Allows the administrator to run and manage their containers by using an OCI-compatible, RHEL-integrated command. The podman command supports options similar to those found in the docker command.

Containers must be able to be started and stopped by using a Systemd unit file.

Allows an administrator to automatically start, stop, and check the status of their containers by using a standard RHEL command.

2.2. Image content requirements

RequirementJustification

Container images must declare a non-root user unless their functionality requires privileged access.

To certify container images requiring root access, you must:

  • Include the requirement in the product documentation.
  • Indicate that the container requires privileged host-level access in the certification project settings. This setting is subject to Red Hat review.

Test name: RunAsNonRoot

Ensures that containers do not run as the root user unless required. Images running as the root user can pose a security risk.

Container images must use a Universal Base Image (UBI) provided by Red Hat.

The version of the UBI base image must be supported on the RHEL version undergoing certification. For more information, see the Red Hat Enterpise Linux Container Compatibility Matrix.

You can add additional RHEL packages to the UBI images, except for kernel packages.

Test name: BasedOnUbi

Ensures that application runtime dependencies, such as operating system components and libraries, are covered under the customer’s subscription.

Container images must not change content provided by Red Hat packages or layers except for files that both you or the customers can change, such as configuration files.

Test name: HasModifiedFiles

Ensures that Red Hat does not deny support on the basis of unauthorized changes to Red Hat components.

Container images must contain a “licenses” directory. Use this directory to add files containing software terms and conditions for your product and any open source software included in the image.

Test name: HasLicense

Ensures that customers are aware of the terms and conditions applicable to the software included in the image.

Uncompressed container images must have less than 40 layers.

Test name: LayerCountAcceptable

Ensures that images run appropriately on containers. Too many layers could degrade the performance.

Container images must not include RHEL kernel packages.

Test name: HasNoProhibitedPackages

Ensures compliance with RHEL redistribution rules for partners.

Container images must not contain Red hat components with identified important or critical vulnerabilities.

Test name: N/A. The Red Hat Certification Service conducts this scan.

Ensures that customers are not exposed to known vulnerabilities.

Additional resources

2.3. Image metadata requirements

RequirementJustification

Container images must include the following labels:

  • name: Image Name
  • vendor: Company name
  • version: Version of the image
  • release: A number used to identify the specific build for this image
  • summary: A short overview of the application or component in this image
  • description: A long description of the application or component in this image

Test name: HasRequiredLabel

Ensures that customers can obtain information about the image provider and the content of the images in a consistent way.

Container images must include a unique tag that is descriptive of the certified image.

Red Hat recommends appending the image version and its build date or released date to the unique tag.

Floating tags, such as latest although not adequate for certification, can be added to the image in addition to the descriptive tag.

Test name: HasUniqueTag

Ensures that images can be uniquely identified.

Additional resources

2.4. Image maintenance requirements

Partners are responsible for monitoring the health status of their certified containers. When an image rebuild is required because of new functionality or a security update, submit the updated container image for recertification and publication.

Partners must keep the application components up-to-date and rebuild their container images periodically.

Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.