Red Hat SummitEste contenido no está disponible en el idioma seleccionado.
Chapter 16. System configuration
Image mode for RHEL uses a container-native approach to build, deploy, and manage the operating system. Image mode packages the operating system and its configuration as container images based on the registry.redhat.io/rhel10/rhel-bootc image, which contain the OS and its configuration as immutable container layers.
16.1. Transient runtime reconfiguration
You can perform a dynamic reconfiguration in the base image configuration. For example, you can run the firewall-cmd --permanent command to achieve persistent changes across a reboot.
The /etc directory is persistent by default. If you perform changes made by using tools, for example firewall-cmd --permanent, the contents of the /etc on the system can differ from the one described in the container image.
In the default configuration, first make the changes in the base image, then queue the changes without restarting running systems, and then simultaneously write to apply the changes to existing systems only in memory.
You can configure the /etc directory to be transient by using bind mounts. In this case, the etc directory is a part of the machine’s local root filesystem. For example, if you inject static IP addresses by using Anaconda Kickstart, they persist across upgrades.
A 3-way merge is applied across upgrades and each "deployment" has its own copy of /etc.
- The
/rundirectory -
The
/rundirectory is an API filesystem that is defined to be deleted when the system is restarted. Use the/rundirectory for transient files. - Dynamic reconfiguration models
- In the Pull model, you can include code directly embedded in your base image or a privileged container that contacts the remote network server for configuration, and subsequently launch additional container images, by using the Podman API.
In the Push model, some workloads are implemented by tools such as Ansible.
- systemd
-
You can use systemd units for dynamic transient reconfiguration by writing to
/run/systemddirectory. For example, thesystemctl edit --runtime myservice.servicedynamically changes the configuration of themyservice.serviceunit, without persisting the changes. - NetworkManager
-
Use a
/run/NetworkManager/conf.ddirectory for applying temporary network configuration. Use thenmcli connection modify --temporarycommand to write changes only in memory. Without the--temporaryoption, the command writes persistent changes. - Podman
-
Use the
podman run --rmcommand to automatically remove the container when it exits. Without the--rmoption, thepodman runcommand creates a container that persists across system reboots.
16.2. Using DNF with image mode for RHEL
Use the DNF tool within your Containerfile to manage software packages for Red Hat Enterprise Linux bootc images. This ensures that all dependencies are resolved at build time, resulting in a predictable and immutable deployment.
The rhel10/rhel-bootc container image includes the dnf package manager. You can use dnf for several use cases:
- Using
dnfas a part of a container build -
You can use the
RUN dnf installdirective in the Containerfile. - Using
dnfat runtime
The functionality depends on the dnf version. You might get an error: error: can’t create transaction lock on /usr/share/rpm/.rpm.lock (Read-only file system).
You can use the bootc-usr-overlay command to create a writable overlay filesystem for /usr directory. The dnf install writes to this overlay. You can use this feature for installing debugging tools. Note that changes will be lost on reboot.
- Configuring storage
The supported storage technologies are the following:
-
xfs/ext4 - Logical volume management (LVM)
- Linux Unified Key Setup (LUKS)
-
You can add other storage packages to the host system.
-
Storage with
bootc-image-builderYou can use the bootc-image-builder tool to create a disk image. The available configuration for partitioning and layout is relatively fixed. The default filesystem type is derived from the container image’s bootc install configuration. -
Storage with bootc install You can use the
bootc install to-diskcommand for flat storage configurations andbootc install to-filesytemcommand for more advanced installations. For more information see Advanced installation withto-filesystem.
16.3. Network configuration
The default images include the NetworkManager dynamic network control and configuration system, and bootc attempts to connect by using DHCP on every interface with a cable plugged in. You can apply a temporary network configuration, by setting up the /run/NetworkManager/conf.d directory.
However, if you need to use static addressing or more complex networking such as VLANs, bonds, bridges, teams, among others, you can use different ways. Regardless of the way you choose to configure networking, it results as a configuration for NetworkManager, which takes the form of NetworkManager keyfiles.
- Host Network Configuration options
- Complex networking configuration often also requires per-machine state. You can generate machine-specific container images that have, for example, static IP addressing included. You can also include code to generate network configuration from inside the image by inspecting the MAC address of the host.
- Network configuration options available
The following are the available options for configuring static IP, and how the configuration should be done:
By using a Containerfile: Create a container image with static IP or include code to generate network configuration from inside the image based on MAC address.
- Use the configuration specified in Device List Format to match the MAC address or other addresses.
-
To configure a network, you can use the
nmcli connection addsimilarly to what you do to a booted system. However, during build time, you must use the command combined with an explicit--offlineargument. See Configuring an Ethernet connection by using nmcli for more details. Ensure to add the following command before the
nmclicommand in the ContainerFile:RUN nmcli --offline connection add
-
By using Anaconda: You can use an Anaconda Kickstart to configure networking, including Wi-Fi, for bare-metal installations. The configuration is stored by default in the
/etc/NetworkManager/system-connections/file, and is inherently per-machine state. -
By using kernel arguments: Add kernel parameters on first boot to define networking configuration. On the first boot of a machine, enter kernel arguments that define networking configuration. The kernel arguments are mostly defined in the
dracut.cmdlineman page. You can apply these kernel arguments on first boot by using different methods. When usingbootc install, you can also set per-machine kernel arguments by using--karg. -
By using NetworkManager key files:
nmcliornm-initrd-generator
- Generating NetworkManager keyfiles by using
nmcli The
nmcliNetworkManager command line tool provides an offline mode that does not communicate with the NetworkManager daemon and just writes the keyfile content to standard output.Run the
nmclitool for each connection profile you want to create:$ nmcli --offline connection add \ type ethernet ifname enp1s0 \ ipv4.method manual ipv4.addresses 192.0.0.1/24 \ ipv6.method disabled [connection] id=ethernet-enp1s0 uuid=ff242096-f803-425f-9a77-4c3ec92686bd type=ethernet interface-name=enp1s0 [ethernet] [ipv4] address1=192.0.0.1/24 method=manual [ipv6] addr-gen-mode=default method=disabled [proxy]
See the settings man page for a list of the properties that can be specified by using nmcli. Bash autocompletion is available.
- Generating NetworkManager Keyfiles by
using nm-initrd-generator NetworkManager contains the
nm-initrd-generatortool, that can generate keyfiles fromdracutkernel argument syntax. You can use the tool to either convert from kernel arguments to keyfiles or to just quickly generate some keyfiles giving a small amount of input and then modify some more detailed settings.Generate keyfiles for a bond by using
nm-initrd-generator:$ podman run --rm -ti quay.io/<namespace>/<image>:<tag> /usr/libexec/nm-initrd-generator -s -- "ip=bond0:dhcp" "bond=bond0:ens2,ens3:mode=active-backup,miimon=100" "nameserver=8.8.8.8" * Connection 'bond0' * [connection] id=bond0 uuid=643c17b5-b364-4137-b273-33f450a45476 type=bond interface-name=bond0 multi-connect=1 permissions= [ethernet] mac-address-blacklist= [bond] miimon=100 mode=active-backup [ipv4] dns=8.8.8.8; dns-search= may-fail=false method=auto [ipv6] addr-gen-mode=eui64 dns-search= method=auto [proxy] * Connection 'ens3' * [connection] id=ens3 uuid=b42cc917-fd87-47df-9ac2-34622ecddd8c type=ethernet interface-name=ens3 master=643c17b5-b364-4137-b273-33f450a45476 multi-connect=1 permissions= slave-type=bond [ethernet] mac-address-blacklist= * Connection 'ens2' * [connection] id=ens2 uuid=e111bb4e-3ee3-4612-afc2-1d2dfff97671 type=ethernet interface-name=ens2 master=643c17b5-b364-4137-b273-33f450a45476 multi-connect=1 permissions= slave-type=bond [ethernet] mac-address-blacklist=
The command generates three keyfiles for each interface: bond0, ens3, and ens2. You can use the generated output, add more settings or modify existing settings, and then commit the files into a container image.
- Configuring a static IP
-
You can use the following
dracutkernel arguments:
Template:
-
You can use the following
ip=${ip}::${gateway}:${netmask}:${hostname}:${interface}:none:${nameserver}Example:
ip=10.10.10.10::10.10.10.1:255.255.255.0:myhostname:ens2:none:8.8.8.8- Writing configuration embedded in container images
-
Store the NetworkManager configuration embedded in container images in
/usr/lib/NetworkManager/system-connections/because this form is part of the immutable image state. You can also write configuration to/etc/NetworkManager/system-connections/as part of the container image. The default OSTree 3-way merge, that is, using the old default configuration, the active/etcsystem, and the new default configuration, applies with any machine-specific configuration.
The keyfiles must have the 600 root-only access permissions, otherwise NetworkManager ignores them.
- Disabling automatic configuration of Ethernet devices
By default,
NetworkManagerattempts to autoconfigure by using the DHCP or SLAAC addresses on every interface with a cable plugged in. In some network environments this might not be desirable. For that, it is possible to change the NetworkManager behavior by adding a configuration file, such as/usr/lib/NetworkManager/conf.d/noauto.conf.Disable the
NetworkManagerautoconfiguration of Ethernet devices[main] # Do not do automatic (DHCP or SLAAC) configuration on ethernet devices # with no other matching connections. no-auto-default=*
16.4. Setting a hostname in image mode for RHEL
To set a custom hostname for your system, modify the /etc/hostname file. You can set the hostname by using Anaconda, or with a privileged container.
Once you boot a system, you can verify the hostname by using the hostnamectl command.
16.5. Setting up proxied internet access in image Mode for RHEL
If you are deploying to an environment that requires internet access by using a proxy, you need to configure services so that they can access resources as intended.
To do this, define a single file with required environment variables in your configuration, and reference this by using systemd drop-in unit files for all such services.
Procedure
Defining common proxy environment variables. This common file has to be subsequently referenced explicitly by each service that requires internet access.
# /etc/example-proxy.env https_proxy="http://example.com:8080" all_proxy="http://example.com:8080" http_proxy="http://example.com:8080" HTTP_PROXY="http://example.com:8080" HTTPS_PROXY="http://example.com:8080" no_proxy="*.example.com,127.0.0.1,0.0.0.0,localhost"Defining drop-in units for core services. The
bootcandpodmantools commonly need proxy configuration and thebootcdoes not always run as asystemdunit.# /usr/lib/systemd/system/bootc-fetch-apply-updates.service.d/99-proxy.conf [Service] EnvironmentFile=/etc/example-proxy.envDefining proxy use for podman
systemdunitsUsing the Podman
systemdconfiguration, similarly addEnvironmentFile=/etc/example-proxy.env. You can set the configuration for proxy and environment settings ofpodmanand containers in the/etc/containers/containers.confconfiguration file as a root user or in the$HOME/.config/containers/containers.confconfiguration file as a non-root user.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}