Chapter 11. Managing container images


With Satellite, you can import container images from various sources and distribute them to external containers by using content views.

For information about containers for Red Hat Enterprise Linux Atomic Host 7, see Getting Started with Containers in Red Hat Enterprise Linux Atomic Host 7.

For information about containers for Red Hat Enterprise Linux 8, see Red Hat Enterprise Linux 8 Building, running, and managing containers.

For information about containers for Red Hat Enterprise Linux 9, see Red Hat Enterprise Linux 9 Building, running, and managing containers.

11.1. Importing container images

You can import container image repositories from Red Hat Registry or from other image registries.

To use the CLI instead of the Satellite web UI, see the CLI procedure.

Procedure with repository discovery

  1. In the Satellite web UI, navigate to Content > Products and click Repo Discovery.
  2. From the Repository Type list, select Container Images.
  3. In the Registry to Discover field, enter the URL of the registry to import images from.
  4. In the Registry Username field, enter the name that corresponds with your user name for the container image registry.
  5. In the Registry Password field, enter the password that corresponds with the user name that you enter.
  6. In the Registry Search Parameter field, enter any search criteria that you want to use to filter your search, and then click Discover.
  7. Optional: To further refine the Discovered Repository list, in the Filter field, enter any additional search criteria that you want to use.
  8. From the Discovered Repository list, select any repositories that you want to import, and then click Create Selected.
  9. Optional: To change the download policy for this container repository to on demand, see Section 4.11, “Changing the download policy for a repository”.
  10. Optional: If you want to create a product, from the Product list, select New Product.
  11. In the Name field, enter a product name.
  12. Optional: In the Repository Name and Repository Label columns, you can edit the repository names and labels.
  13. Click Run Repository Creation.
  14. When repository creation is complete, you can click each new repository to view more information.
  15. Optional: To filter the content you import to a repository, click a repository, and then navigate to Limit Sync Tags. Click to edit, and add the tags to which you want to limit the content that synchronizes to Satellite.
  16. In the Satellite web UI, navigate to Content > Products and select the name of your product.
  17. Select the new repositories and then click Sync Now to start the synchronization process.

Procedure with creating a repository manually

  1. In the Satellite web UI, navigate to Content > Products. Click the name of the required product.
  2. Click New repository.
  3. From the Type list, select docker. Enter the details for the repository, and click Save.
  4. Select the new repository, and click Sync Now.

Next steps

  • To view the progress of the synchronization, navigate to Content > Sync Status and expand the repository tree.
  • When the synchronization completes, you can click Container Image Manifests to list the available manifests. From the list, you can also remove any manifests that you do not require.

CLI procedure

  1. Create the custom Red Hat Container Catalog product:

    # hammer product create \
    --description "My_Description" \
    --name "Red Hat Container Catalog" \
    --organization "My_Organization" \
    --sync-plan "My_Sync_Plan"
  2. Create the repository for the container images:

    # hammer repository create \
    --content-type "docker" \
    --docker-upstream-name "rhel7" \
    --name "RHEL7" \
    --organization "My_Organization" \
    --product "Red Hat Container Catalog" \
    --url "https://registry.access.redhat.com/"
  3. Synchronize the repository:

    # hammer repository synchronize \
    --name "RHEL7" \
    --organization "My_Organization" \
    --product "Red Hat Container Catalog"

11.2. Managing container name patterns

When you use Satellite to create and manage your containers, the container name changes at each stage as the container moves through content view versions and the stages of the Satellite lifecycle environment. For example, if you synchronize a container image with the name ssh from an upstream repository, add it to a Satellite product and organization, and then publish it as part of a content view, the container image can have the following name: my_organization_production-custom_spin-my_product-custom_ssh. This can create problems when you want to pull a container image because container registries can contain only one instance of a container name. To avoid problems with Satellite naming conventions, you can set a registry name pattern that overrides the default name so that your container name is clear for future use.

Limitations

Registry name patterns must generate globally unique names, so if you use a registry name pattern to manage container naming conventions, you might experience naming conflicts. For example:

  • If you set the repository.docker_upstream_name registry name pattern, you cannot publish or promote content views with container content with identical repository names to the Production lifecycle.
  • If you set the lifecycle_environment.name registry name pattern, this can prevent the creation of a second container repository with the identical name.

You must proceed with caution when defining registry naming patterns for your containers.

Procedure

To manage container naming with a registry name pattern, complete the following steps:

  1. In the Satellite web UI, navigate to Content > Lifecycle > Lifecycle Environments.
  2. Create a lifecycle environment or select an existing lifecycle environment to edit.
  3. In the Container Image Registry area, click the edit icon to the right of the Registry Name Pattern area.
  4. Use the list of variables and examples to determine which registry name pattern you require.
  5. In the Registry Name Pattern field, enter the registry name pattern that you want to use. For example, to use the repository.docker_upstream_name:

    <%= repository.docker_upstream_name %>
  6. Click Save.
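
The following sketch, added here and not part of the Satellite documentation, previews the naming conflicts described under Limitations by rendering a pattern for every repository and listing the names that more than one repository would receive. The function names and the inventory are constructed for illustration, the rendering is a simplified substitution of the two variables named above rather than Satellite's own template engine, and it assumes that the same pattern is set on every environment listed.

```sh
#!/bin/sh
# Added example: preview registry name collisions before saving a pattern.

# render_pattern PATTERN ENV_NAME UPSTREAM_NAME
# Simplified stand-in for Satellite's template rendering: it substitutes only
# the two variables named on this page. Values must not contain | & or \.
render_pattern() {
    printf '%s\n' "$1" | sed \
        -e "s|<%= *lifecycle_environment\.name *%>|$2|g" \
        -e "s|<%= *repository\.docker_upstream_name *%>|$3|g"
}

# find_name_conflicts PATTERN INVENTORY
# INVENTORY holds one "environment upstream_name" pair per line.
# Prints every rendered name that two or more repositories would share.
find_name_conflicts() {
    printf '%s\n' "$2" | while read -r env upstream; do
        if [ -n "$env" ]; then
            render_pattern "$1" "$env" "$upstream"
        fi
    done | sort | uniq -d
}

# Constructed inventory: the upstream name "ssh" exists in two environments.
INVENTORY='Production ssh
Production httpd
QA ssh'

# Usage: sh pattern-check.sh '<%= repository.docker_upstream_name %>'
if [ "$#" -eq 1 ]; then
    find_name_conflicts "$1" "$INVENTORY"
fi
```

With this inventory, the upstream-name pattern alone reports ssh and the environment-name pattern alone reports Production, while combining both variables yields no duplicates.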

11.3. Managing container registry authentication

You can manage the authentication settings for accessing container images from Satellite. By default, users must authenticate to access container images in Satellite.

You can specify whether you want users to authenticate to access container images in Satellite in a lifecycle environment. For example, you might want to permit users to access container images from the Production lifecycle without any authentication requirement and restrict access to the Development and QA environments to authenticated users.

Procedure

  1. In the Satellite web UI, navigate to Content > Lifecycle > Lifecycle Environments.
  2. Select the lifecycle environment that you want to manage authentication for.
  3. To permit unauthenticated access to the containers in this lifecycle environment, select the Unauthenticated Pull checkbox. To restrict unauthenticated access, clear the Unauthenticated Pull checkbox.
  4. Click Save.

11.4. Configuring Podman and Docker to trust the certificate authority

Podman uses two paths to locate the CA file, namely, /etc/containers/certs.d/ and /etc/docker/certs.d/.

Copy the root CA file to one of these locations, with the exact path determined by the server hostname, and name the file ca.crt.

In the following examples, replace hostname.example.com with satellite.example.com or capsule.example.com, depending on your use case.

  • You might first need to create the relevant location using:

    # mkdir -p /etc/containers/certs.d/hostname.example.com

    or

    # mkdir -p /etc/docker/certs.d/hostname.example.com
  • For podman, use:

    # cp rootCA.pem /etc/containers/certs.d/hostname.example.com/ca.crt
  • Alternatively, if you are using Docker, copy the root CA file to the equivalent Docker directory:

    # cp rootCA.pem /etc/docker/certs.d/hostname.example.com/ca.crt

You no longer need to use the --tls-verify=false option when logging in to the registry:

    $ podman login hostname.example.com
    Username: admin
    Password:
    Login Succeeded!
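
As an added example (not part of the Satellite documentation), the following script wraps the copy step above with checks to run before trusting a CA: it compares the certificate's SHA-256 fingerprint to a value obtained out of band, confirms that the file is an unexpired CA certificate, and only then installs it as ca.crt for that one registry host. The function names, the fingerprint argument, and the optional certs root argument are assumptions of this example, and it requires the openssl command.

```sh
#!/bin/sh
# Added example: verify a root CA before trusting it for one registry host.

# Print a certificate's SHA-256 fingerprint as lowercase hex without colons.
cert_fingerprint() {
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 1
    printf '%s\n' "${fp#*=}" | tr -d ':' | tr 'A-F' 'a-f'
}

# install_registry_ca CA_FILE REGISTRY_HOST EXPECTED_FINGERPRINT [CERTS_ROOT]
# CERTS_ROOT defaults to the Podman path; pass /etc/docker/certs.d for Docker.
install_registry_ca() {
    ca_file=$1; host=$2; root=${4:-/etc/containers/certs.d}
    want=$(printf '%s' "$3" | tr -d ':' | tr 'A-F' 'a-f')

    # The host becomes a directory name: allow only hostname[:port] characters.
    case $host in
        ''|.*|*..*|*[!A-Za-z0-9.:-]*)
            echo "invalid registry host: $host" >&2; return 2 ;;
    esac

    if ! got=$(cert_fingerprint "$ca_file"); then
        echo "not a readable X.509 certificate: $ca_file" >&2; return 3
    fi
    if [ "$got" != "$want" ]; then
        echo "fingerprint mismatch, got: $got" >&2; return 4
    fi
    # ca.crt must hold a CA certificate, not a server (leaf) certificate.
    if ! openssl x509 -in "$ca_file" -noout -text | grep -q 'CA:TRUE'; then
        echo "certificate is not marked CA:TRUE" >&2; return 5
    fi
    # -checkend 0 fails when the certificate has already expired.
    if ! openssl x509 -in "$ca_file" -noout -checkend 0 >/dev/null; then
        echo "certificate has expired" >&2; return 6
    fi

    mkdir -p "$root/$host" &&
        cp "$ca_file" "$root/$host/ca.crt" &&
        chmod 0644 "$root/$host/ca.crt"
}

# Usage: sh install-ca.sh rootCA.pem hostname.example.com EXPECTED_FINGERPRINT
if [ "$#" -ge 3 ]; then
    install_registry_ca "$@"
fi
```

Placing the CA under the per-host certs.d directory limits the trust to that registry instead of adding the CA to the system-wide trust store.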

11.5. Using container registries

You can use Podman and Docker to fetch content from container registries and push the content to the Satellite container registry. The Satellite registry follows the Open Containers Initiative (OCI) specification, so you can push content to Satellite by using the same methods that apply to other registries. For more information about OCI, see Open Container Initiative Distribution Specification.

Prerequisites

  • To push content to Satellite, ensure your Satellite account has the edit_products permission.
  • To pull content from Satellite, ensure that your Satellite account has the view_lifecycle_environments, view_products, and view_content_views permissions, unless the lifecycle environment allows unauthenticated pull.

Container registries on Capsules

On Capsules with content, the Container Gateway Capsule plugin acts as the container registry. It caches authentication information from Katello and proxies incoming requests to Pulp. The Container Gateway is available by default on Capsules with content.

Considerations for pushing content to the Satellite container registry

  • You can only push content to the Satellite Server itself. If you need pushed content on Capsule Servers as well, use Capsule syncing.
  • The pushed container registry name must contain only lowercase characters.
  • Unless pushed repositories are published in a content view version, they do not follow the registry name pattern. For more information, see Section 11.2, “Managing container name patterns”. This is to ensure that users can push and pull from the same path.
  • Users are required to push and pull from the same path. If you use the label-based schema, pull using labels. If you use the ID-based schema, pull using IDs.

Procedure

  • Logging in to the container registry:

    # podman login satellite.example.com
  • Listing container images:

    # podman search satellite.example.com/
  • Pulling container images:

    # podman pull satellite.example.com/my-image:<optional_tag>
  • Pushing container images to the Satellite container registry:

    • To indicate which organization, product, and repository the container image belongs to, include the organization and product in the container registry name.
    • You can address the container destination by using one of the following schemas:

      $ podman push My_Container_Image_Hash satellite.example.com/My_Organization_Label/My_Product_Label/My_Repository_Name[:My_Tag]
      $ podman push My_Container_Image_Hash satellite.example.com/id/My_Organization_ID/My_Product_ID/My_Repository_Name[:My_Tag]
    • After the content push has completed, a repository is created in Satellite.