Red Hat Summit Red Hat SummitSupportoConsoleSviluppatoriInizia una provaContatti

Questo contenuto non è disponibile nella lingua selezionata.

Chapter 2. Migrating from rpm-ostree-based deployed systems to bootc-based systems

Starting with RHEL 10.0, image mode for RHEL replaces RHEL image builder for creating edge artifacts. To build operating system images for edge deployments, you must now use image mode to produce bootable container images.

Note

If you prefer, you can continue to use RHEL image builder on RHEL 9 to build RHEL for Edge artifacts.

To use image mode for RHEL, you can upgrade from RHEL 9 image builder to image mode for RHEL 10 and use image mode for RHEL to build bootable container images that you can use for your edge deployments.

By using the image mode for RHEL feature, you can customize your operating system with the registry.redhat.io/rhel10/rhel-bootc container image. You can also build a smaller bootc base image from scratch, similar in size and content to the standard RHEL for Edge OSTree commit.

2.1. Image mode for RHEL
Copia collegamento

Image mode for Red Hat Enterprise Linux (RHEL) is a deployment method that uses a container-native approach that you can use to build, deploy, and manage the operating system as a bootc base image (rhel-bootc). The rhel-bootc contains the necessary components for a bootable operating system, such as kernel, firmware, boot loader, among others.

Use image mode for RHEL to build, test, and deploy operating systems by using the same tools and techniques as application containers. Image mode for RHEL is available by using the registry.redhat.io/rhel10/rhel-bootc bootc image. The RHEL bootc images differ from the existing application Universal Base Images (UBI) in that they contain additional components necessary to boot that were traditionally excluded, such as kernel, initrd, boot loader, firmware, among others.

Important

Image mode for RHEL does not support rpm-ostree file system with blueprint customization. You cannot build disk images from bootc images by using osbuild-composer. Instead, use bootc-image-builder to generate disk images from bootc images.

2.2. Building customized images from a base image
Copia collegamento

You can use Podman to build and test your customized container image.

Prerequisites

  • The container-tools meta-package is installed.

Procedure

  1. Create a Containerfile with the following structure: 

    FROM registry.redhat.io/rhel10/rhel-bootc:latest

RUN dnf -y install [software] [dependencies] && dnf clean all

ADD [application]
ADD [configuration files]

RUN [config scripts]

  2. Build the <image> image by using the Containerfile in the current directory: 

    $ podman build -t quay.io/<namespace>/<image>:<tag> .

Verification

  • Build the <image> image by using the Containerfile in the current directory: 

    $ podman images

Map your blueprint customization options and their equivalent Containerfile commands.

Expand
BlueprintCommand instructions

distro = "rhel-10."

FROM rhel-bootc:10

[[packages]]

name = "openssh-server" version = "8.*"

RUN dnf install <package name>

[[groups]]

name = "anaconda-tools"

RUN dnf group install <group_name>

[[containers]]

source = "quay.io/rhel/rhel:latest"

RUN podman pull docker.io/library/postgres:alpine

[customizations.kernel]

name = "kernel-debug" append = "nosmt=force"

RUN mkdir -p /usr/lib/bootc/kargs.d RUN cat <<`EOF` >> /usr/lib/bootc/kargs.d/console.toml kargs = ["console=ttyS0,114800n8","kernel-debug"] match-architectures = ["x86_64"] EOF

[customizations.rhsm.config.dnf_plugins.product_id]

enabled = true [customizations.rhsm.config.dnf_plugins.subscription_manager]

enabled = true [customizations.rhsm.config.subscription_manager.rhsm]

manage_repos = true [customizations.rhsm.config.subscription_manager.rhsmcertd]

auto_registration = true

COPY ./rhsm.conf /etc/rhsm/rhsm.conf

[customizations.rpm.import_keys]

files = [ "/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-18-primary", "/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-19-primary" ]

RUN mkdir -p /etc/pki/rpm-gpg/ COPY <host_path>/gpg_key /etc/pki/rpm-gpg//gpg_key

[[customizations.sshkey]]

user = "root" key = "PUBLIC SSH KEY"

# SSH keys COPY test.pub container_key.pub RUN mkdir -p .ssh && \ cat container_key.pub >> .ssh/authorized_keys && \ chmod 600 .ssh/authorized_keys && \ rm -f container_path_to_key.pub

[customizations.timezone]

timezone = "US/Eastern" ntpservers = ["0.north-america.pool.ntp.org", "1.north-america.pool.ntp.org"]

RUN ln -sf /usr/share/zoneinfo/Asia/Bangkok /etc/localtime

[customizations.locale]

languages = ["en_US.UTF-8"] keyboard = "us"

RUN cat <<`EOF` >> /etc/locale.conf LANG="en_US.UTF-8" EOF && \ cat <<`EOF` >> /etc/vconsole.conf KEYMAP=us EOF

[customizations.firewall]

ports = ["22:tcp", "80:tcp", "imap:tcp", "53:tcp", "53:udp", "30000-32767:tcp", "30000-32767:udp"]

RUN dnf install -y firewalld && \ dnf clean all && \ firewall-offline-cmd --new-zone=customzone && \ firewall-offline-cmd --zone=customzone --set-description="Custom firewall rules for the container" && \ firewall-offline-cmd --zone=customzone --add-service=ftp && \ firewall-offline-cmd --zone=customzone --add-service=ntp && \ firewall-offline-cmd --zone=customzone --add-service=dhcp && \ firewall-offline-cmd --zone=customzone --add-port=22/tcp && \ firewall-offline-cmd --zone=customzone --add-port=80/tcp && \ firewall-offline-cmd --zone=customzone --add-port=53/tcp && \ firewall-offline-cmd --zone=customzone --add-port=53/udp && \ firewall-offline-cmd --zone=customzone --add-port=30000-32767/tcp && \ firewall-offline-cmd --zone=customzone --add-port=30000-32767/udp && \ firewall-offline-cmd --set-default-zone=customzone

[[customizations.directories]]

path = "/etc/<dir-name>" mode = "0755" user = "root" group = "root" ensure_parents = false

#Directory: RUN mkdir /etc/<dir> RUN chown -R admin:wheel /etc/<dir> && \ chmod -R 644 /etc/<dir> #Files: RUN touch /etc/<myfile> RUN chown :widget /etc/<myfile> && \ chmod 600 /etc/<myfile>

[customizations]

installation_device = "/dev/sda"

RUN mkdir -p /usr/lib/bootc/kargs.d && \ cat <<`EOF` >> /usr/lib/bootc/kargs.d/console.toml kargs = ["inst.device=/dev/sda"] EOF

[customizations.ignition.embedded]

config = "eyJpZ25pdG…​.xIn1dfX0="

RUN mkdir -p /usr/lib/bootc/kargs.d && \ cat <<`EOF` >> /usr/lib/bootc/kargs.d/console.toml kargs = ["ignition.config.url=http://192.168.122.1/fiot.ign","rd.neednet=1"] EOF

[customizations.fdo]

manufacturing_server_url = "http://192.168.122.199:8080" diun_pub_key_insecure = "true" di_mfg_string_type_mac_iface = "enp2s0"

RUN dnf install -y fdo-init fdo-client && \ systemctl enable fdo-client-linuxapp.service

[customizations.openscap]

datastream = "/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml" profile_id = "xccdf_org.ssgproject.content_profile_cis"

[customizations.openscap.json_tailoring] profile_id = "<name-of-profile-used-in-json-tailoring>-file" filepath = "/some/path/tailoring-file.json"

[[customizations.files]] path = "/the/path/tailoring-file.json" data = "<json-tailoring-file-contents>"

RUN dnf install -y openscap-utils && \ autotailor --output /some/path/tailoring-file.json \ --new-profille-id xccdf_org.ssgproject.content_profile_cis

[customizations]

fips = true

RUN mkdir -p /usr/lib/bootc/kargs.d && \ cat <<`EOF` >> /usr/lib/bootc/kargs.d/01-fips.toml kargs = ["fips=1"] EOF && \ update-crypto-policies --no-reload --set FIPS

2.4. Achieving parity with RHEL for Edge images by using image mode for RHEL
Copia collegamento

To create RHEL for Edge images by using image mode for RHEL, you must manually install some missing packages that are common to an OSTree commit. Most of these packages are part of the bootc images, and you can install the missing packages to be able to create an image similar to the RHEL for Edge image.

The following are examples of the missing packages:

  • clevis
  • clevis-dracut
  • clevis-luks
  • greenboot
  • greenboot-default-health-checks
  • fdo-client
  • fdo-owner-cli

Prerequisites

  • An existing RHEL for Edge rpm-ostree-based deployed system.

Procedure

  1. Create a Containerfile with the following content: 

    FROM registry.io.redhat.com/rhel10/rhel-bootc:latest

RUN dnf install -y  \
    clevis  \
    clevis-dracut  \
    clevis-luks  \
    greenboot  \
    greenboot-default-health-checks  \
    fdo-client  \
    fdo-owner-cli
# (Optional) Extra packages often used in edge
# RUN dnf install -y
#     dracut-config-generic  \
#     platform-python  \
#     pinentry  \
#     firewalld  \
#     iptables  \
#     NetworkManager-wifi  \
#     NetworkManager-wwan  \
#     wpa_supplicant  \
#     traceroute  \
#     rootfiles  \
#     policycoreutils-python-utils  \
#     setools-console  \
#     rsync  \
#     usbguard
RUN systemctl enable NetworkManager.service  \
    greenboot-grub2-set-counter.service  \
    greenboot-grub2-set-success.service  \
    greenboot-healthcheck.service  \
    greenboot-rpm-ostree-grub2-check-fallback.service  \
    greenboot-status.service  \
    greenboot-task-runner.service
    redboot-auto-reboot.service  \
    redboot-task-runner.service"

  2. Build your similar RHEL for Edge customized bootc image: 

    $ podman build -t quay.io/<namespace>/<image>:<tag> .

  3. Optional: Push the image: 

    $ podman push quay.io/<namespace>/<image>:<tag>

Verification

  • List all images: 

    $ podman images

2.4.1. Building RHEL 9.6 and later for Edge images by using image mode
Copia collegamento

In RHEL 9.6 and later, you can use image mode to compose bootable container images and generate disk images for edge deployments. To create an image mode for RHEL system for an edge host, define your configuration in a Containerfile and use bootc-image-builder to output a deployable artifact.

Note

While image mode is the recommended path for container-native workflows, you can continue to use the traditional RHEL image builder to create standard RHEL 9.6 and later edge artifacts. See Composing, installing, and managing RHEL for Edge images.

Prerequisites

  • You have Podman installed on your host machine.
  • You have root access to run the bootc-image-builder tool, and run the containers in --privileged mode, to build the images.

Procedure

  1. Create a Containerfile, for example: 

    $ cat Containerfile
FROM registry.redhat.io/rhel9/rhel-bootc:9.6

# Packages
RUN dnf install -y zsh && dnf clean all

# Group install
RUN dnf group -y install "Development Tools"

# Hostname
RUN echo "rock.paper.scissor" > /etc/hostname

# Kernel
RUN mkdir -p /usr/lib/bootc/kargs.d
RUN cat <<EOF >> /usr/lib/bootc/kargs.d/console.toml
kargs = ["console=ttyS0,114800n8","kernel-debug"]
match-architectures = ["x86_64"]
EOF

# Subscription-manager
RUN dnf install subscription-manager

# RPM config
RUN mkdir -p /etc/pki/rpm-gpg/
COPY <host_path>/gpg_key /etc/pki/rpm-gpg/gpg_key

# Timezones
RUN cat <<EOF >> /etc/localtime
Asia/Bangkok
EOF


# Locale
RUN cat <<EOF >> /etc/locale.conf
LANG="en_US.UTF-8"
EOF && \
cat <<EOF >> /etc/vconsole.conf
KEYMAP=us
EOF


# firewall
RUN dnf install -y firewalld && \
    mkdir -p /etc/firewalld/zones
RUN cat <<EOF >> /etc/firewalld/zones/customzone.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
    <short>Customzone</short>
    <description>Custom firewall rules for the container.</description>

    <!-- Allowed services -->
    <service name="ftp"/>
    <service name="ntp"/>
    <service name="dhcp"/>

    <!-- Blocked services (not explicitly listed) -->
    <!-- Removing telnet explicitly is unnecessary if it is not included -->

    <!-- Open specific ports -->
    <port protocol="tcp" port="22"/>
    <port protocol="tcp" port="80"/>
    <port protocol="tcp" port="53"/>
    <port protocol="udp" port="53"/>
    <port protocol="tcp" port="30000-32767"/>
    <port protocol="udp" port="30000-32767"/>
</zone>
EOF
RUN firewall-offline-cmd --set-default-zone=customzone

# systemd services
RUN systemctl enable sshd

#ignition
RUN mkdir -p /usr/lib/bootc/kargs.d && \
cat <<EOF >> /usr/lib/bootc/kargs.d/console.toml
kargs = ["ignition.config.url=http://192.168.122.1/fiot.ign","rd.neednet=1"]
EOF

#fdo
RUN dnf install -y fdo-init fdo-client && \
systemctl enable fdo-client-linuxapp.service

#Repositories
RUN mkdir -p /etc/yum.repos.d
COPY custom.repo /etc/yum.repos.d/custom.repo

#fips
RUN mkdir -p /usr/lib/bootc/kargs.d && \
cat <<EOF >>  /usr/lib/bootc/kargs.d/01-fips.toml
kargs = ["fips=1"]
EOF
RUN dnf install -y crypto-policies-scripts && update-crypto-policies --no-reload --set FIPS

  2. Build the <image> image by using Containerfile in the current directory: 

    $ podman build -t quay.io/<namespace>/<image>:<tag> .

Verification

  • List all images: 

    $ podman images
REPOSITORY                                  TAG      IMAGE ID       CREATED              SIZE
quay.io/<namespace>/<image>                          latest   b28cd00741b3   About a minute ago   2.1 GB

2.4.2. Building RHEL 10 and later for Edge images by using image mode
Copia collegamento

Starting with RHEL 10, bootc is the primary tool for creating RHEL for Edge installations. Because RHEL image builder no longer supports traditional edge artifacts, you must use image mode to build, deploy, and manage bootable container images for edge computing environments.

Note

Not all the available RHEL image builder artifacts are available in image mode for RHEL. That means that you cannot create certain image types by using bootc-image-builder.

Notably, the simplified-installer no longer exists. Instead, use the bootc-image-builder Anaconda ISO for workflows such as FDO.

Prerequisites

  • You have Podman installed on your host machine.
  • You have root access to run the bootc-image-builder tool, and run the containers in --privileged mode, to build the images.

Procedure

  1. Create a Containerfile. The following example contains several customizations that you can use as an example, and can be removed in case it does not suit your requirements. 

    $ cat Containerfile
FROM registry.redhat.io/rhel10/rhel-bootc:10.0

# Packages
RUN dnf install -y zsh && dnf clean all

# Group install
RUN dnf group -y install "Development Tools"

# Kernel
RUN mkdir -p /usr/lib/bootc/kargs.d
RUN cat <<EOF >> /usr/lib/bootc/kargs.d/console.toml
kargs = ["console=ttyS0,114800n8","kernel-debug"]
match-architectures = ["x86_64"]
EOF

# Subscription-manager
COPY ./rhsm.conf /etc/rhsm/rhsm.conf

# RPM config
RUN mkdir -p /etc/pki/rpm-gpg/
COPY <host_path>/gpg_key /etc/pki/rpm-gpg//gpg_key

# Additional groups
RUN groupadd -g 1001 widget

# Timezones
RUN ln -sf /usr/share/zoneinfo/Asia/Bangkok /etc/localtime

# Locale
RUN cat <<EOF >> /etc/locale.conf
LANG="en_US.UTF-8"
EOF && \
cat <<EOF >> /etc/vconsole.conf
KEYMAP=us
EOF


# firewall
RUN dnf install -y firewalld && \
    dnf clean all && \
    firewall-offline-cmd --new-zone=customzone && \
    firewall-offline-cmd --zone=customzone --set-description="Custom firewall rules for the container" && \
    firewall-offline-cmd --zone=customzone --add-service=ftp && \
    firewall-offline-cmd --zone=customzone --add-service=ntp && \
    firewall-offline-cmd --zone=customzone --add-service=dhcp && \
    firewall-offline-cmd --zone=customzone --add-port=22/tcp && \
    firewall-offline-cmd --zone=customzone --add-port=80/tcp && \
    firewall-offline-cmd --zone=customzone --add-port=53/tcp && \
    firewall-offline-cmd --zone=customzone --add-port=53/udp && \
    firewall-offline-cmd --zone=customzone --add-port=30000-32767/tcp && \
    firewall-offline-cmd --zone=customzone --add-port=30000-32767/udp && \
    firewall-offline-cmd --set-default-zone=customzone

# systemd services
RUN systemctl enable httpd sshd && \
systemctl disable telnetd && \
systemctl mask rcpbind

  2. Build the <image> image by using Containerfile in the current directory: 

    $ podman build -t quay.io/<namespace>/<image>:<tag> .

Verification

  • List all images: 

    $ podman images
REPOSITORY                                  TAG      IMAGE ID       CREATED              SIZE
quay.io/<namespace>/<image>                           latest   b28cd00741b3   About a minute ago   2.1 GB

2.5. Installing bootc-image-builder
Copia collegamento

To install the bootc-image-builder, use the Red Hat Container Registry. The bootc-image-builder is intended to be used as a container and it is not available as an RPM package in RHEL.

Prerequisites

  • The container-tools meta-package is installed. The meta-package contains all container tools, such as Podman, Buildah, and Skopeo.
  • You are authenticated to registry.redhat.io. For details, see Red Hat Container Registry Authentication.

Procedure

  1. Log in to authenticate to registry.redhat.io: 

    $ sudo podman login registry.redhat.io

  2. Install the bootc-image-builder tool: 

    $ sudo podman pull registry.redhat.io/rhel10/bootc-image-builder

Verification

  • List all images pulled to your local system: 

    $ sudo podman images
REPOSITORY                                    TAG         IMAGE ID      CREATED       SIZE
registry.redhat.io/rhel10/bootc-image-builder  latest      b361f3e845ea  24 hours ago  676 MB

2.5.1. Using bootc-image-builder to create RHEL 9.6 disk images
Copia collegamento

You can use bootc-image-builder to create bootable disk images from existing container images and deploy these disk images by using your traditional methods for your physical or virtual hosts.

Prerequisites

  • You have Podman installed on your host machine.
  • You have root access to run the bootc-image-builder tool, and run the containers in --privileged mode, to build the images.

Procedure

  1. Optional: Create a config.toml to configure user access, for example: 

    [[customizations.user]]
name = "user"
password = "pass"
key = "ssh-rsa AAA ... user@email.com"
groups = ["wheel"]

  2. Manually pull the image: 

    $ sudo podman pull quay.io/quay.io/<_namespace_>/<_image_>:<_tag_>

  3. Create the output directory for the image that you are building: 

    $ mkdir output

  4. Run bootc-image-builder to create the image. If you do not want to add any configuration, omit the -v $(pwd)/config.toml:/config.toml argument. 

    $ sudo podman run \
    --rm \
    -it \
    --privileged \
    --pull=newer \
    --security-opt label=type:unconfined_t \
    -v /var/lib/containers/storage:/var/lib/containers/storage \
    -v $(pwd)/config.toml:/config.toml \
    -v $(pwd)/output:/output \
    registry.redhat.io/rhel9/bootc-image-builder:latest \
    --type iso \
    --config /config.toml \
  quay.io/<namespace>/<image>:<tag>

    You can find the .iso image in the output folder.

2.5.2. Using bootc-image-builder to create RHEL 10.0 disk images
Copia collegamento

Starting with RHEL 10 and later, RHEL image builder no longer supports composing customized RHEL rpm-ostree images optimized for Edge. To create new RHEL images for Edge environments as part of RHEL 10, you must use image mode for RHEL.

Note

Not all the available RHEL image builder artifacts are available in image mode. That means that you cannot create certain image types by using bootc-image-builder. The simplified-installer no longer exists. Instead, use the bootc-image-builder Anaconda ISO for FDO workflow.

Prerequisites

  • You have Podman installed on your host machine.
  • You have root access to run the bootc-image-builder tool, and run the containers in --privileged mode, to build the images.

Procedure

  1. Optional: Create a config.toml to configure user access, for example: 

    [[customizations.user]]
name = "user"
password = "pass"
key = "ssh-rsa AAA ... user@email.com"
groups = ["wheel"]

  2. Manually pull the image: 

    $ sudo podman pull quay.io/<namespace>/<image>:_<tag>_

  3. Create the output directory for the image that you are building: 

    $ mkdir output

  4. Run bootc-image-builder to create the image. If you do not want to add any configuration, omit the -v $(pwd)/config.toml:/config.toml argument. 

    $ sudo podman run \
    --rm \
    -it \
    --privileged \
    --pull=newer \
    --security-opt label=type:unconfined_t \
    -v /var/lib/containers/storage:/var/lib/containers/storage \
    -v $(pwd)/config.toml:/config.toml \
    -v $(pwd)/output:/output \
    registry.redhat.io/rhel10/bootc-image-builder:latest \
    --type iso \
    --config /config.toml \
  quay.io/<namespace>/<image>:<tag>

    You can find the .iso image in the output folder.

2.6. Configuring Users and Groups in an Image Mode Containerfile
Copia collegamento

When switching between different host builds, you must define persistent users and groups within your Containerfile into the bootable container image. This enables you to maintain consistent permissions across your infrastructure when deploying or performing a bootc switch to migrate existing hosts.

Important

Some user and group IDs differ between rhel-bootc images and RHEL for Edge. This affects several groups and users, such as ssh_keys. As a consequence, the private keys belong to a group with a misconfigured ID, and you will not be able to use public keys to access the edge system.

The Image Mode system uses altfiles to manage users at /user/lib/passwd and groups at /user/lib/group. To workaround this, you must extract the groups and users information of the existing RHEL for Edge system and fixating them as part of the Containerfile. Configure the Containerfile to copy a local lib/group file to the container image.

You can manually change the permissions of private keys, the /etc folder is mutable in edge systems. However, it does not solve the problem, because after running the bootc switch command, the Image Mode based system has the ssh_keys group configured with the ID 999. This value comes from the RHEL bootc base image, and this drift from ID 101 to ID 999 left the edge system unreachable through SSH. To fix this issue, follow the steps:

Prerequisites

Procedure

  1. Extract the information of users and groups from the RHEL for Edge system. 

    $ mkdir -p ./usr/lib
$ ssh admin@192.168.100.50 'cat /lib/passwd' > ./usr/lib/passwd
$ ssh admin@192.168.100.50 'cat /lib/group' > ./usr/lib/group

  2. Include the missing RHEL for Edge packages in the bootc based system by specifying them in a Containerfile. Additionally, use the COPY command to include the group and passwd content that was extracted from the RHEL for Edge system. The following is an example: 

    FROM registry.redhat.io/rhel9/rhel-bootc
WORKDIR /tmp
RUN dnf -y install ModemManager \
                   NetworkManager-wifi \
                   NetworkManager-wwan \
                   audit \
                   checkpolicy \
                   clevis \
                   clevis-dracut \
                   clevis-luks \
                   clevis-pin-tpm2 \
                   clevis-systemd \
                   containernetworking-plugins \
                   dnsmasq \
                   dracut-config-generic \
                   fdo-client \
                   fdo-owner-cli \
                   firewalld \
                   firewalld-filesystem \
                   greenboot \
                   greenboot-default-health-checks \
                   grubby \
                   ignition \
                   ignition-edge \
                   ipset \
                   iwl100-firmware \
                   iwl1000-firmware \
                   iwl105-firmware \
                   iwl135-firmware \
                   iwl2000-firmware \
                   iwl2030-firmware \
                   iwl3160-firmware \
                   iwl5000-firmware \
                   iwl5150-firmware \
                   iwl6050-firmware \
                   iwl7260-firmware \
                   libsecret \
                   pinentry \
                   policycoreutils-python-utils \
                   python3-distro \
                   python3-setools \
                   rsync \
                   setools-console \
                   tmux \
                   traceroute \
                   usbguard \
                   usbguard-selinux \
                   wireless-regdb \
                   wpa_supplicant

COPY etc /etc
# You can find the passwd and group content that were extracted from the RHEL for Edge system usr/lib/ in your current working directory. You can copy the content into the container image with the following step:
COPY usr /usr

  3. Build the bootc image and push it to the registry: 

    $ podman build -f Containerfile -t quay.io/<namespace>/<image>:<tag> .
$ podman push quay.io/<namespace>/<image>:<tag>

  4. Run the bootc switch command to the newly created bootable container image. 

    $ ssh admin@192.168.100.50
$ sudo bootc switch quay.io/<namespace>/<image>:<tag>
$ sudo reboot

Verification

After rebooting the edge system into the bootable container image, confirm that the contents of /lib/passwd and /lib/group match the content that was extracted from the OSTree system.

  1. Check the content of /lib/passwd. 

    $ cat /lib/passwd

  2. Check the content of /lib/group. 

    $ cat /lib/group

2.6.1. Converting a RHEL 9.6 raw image deployment to image mode
Copia collegamento

Use an RHEL 9.6 or later for Edge deployed as a raw image to convert it to image mode for RHEL. After the conversion, you can rebase your current operating system onto a bootable container image, enabling the bootc update workflow for future lifecycle management.

Prerequisites

  • An existing 9.6 RHEL for Edge installed with a raw image.

Procedure

  1. Update your image. See Updating RHEL for Edge images.

  2. Switch your existing image from RHEL image builder to image mode.

    1. Build an image from rhel-bootc. For example: 

      $ cat Containerfile
FROM registry.redhat.io/rhel9/rhel-bootc:latest
RUN dnf install -y  \
    clevis  \
    clevis-dracut  \
    clevis-luks  \
    fdo-client  \
    fdo-owner-cli

  3. Build the <image> image by using Containerfile in the current directory: 

    $ podman build -t quay.io/<namespace>/<image>:<tag> .

  4. Push the image to a registry. 

    $ podman push quay.io/<namespace>/<image>:_<tag>_

  5. Run bootc switch on the device. 

    $ bootc switch quay.io/<namespace>/<image>:_<tag>_

  6. Run systemctl reboot. 

    $ sudo systemctl reboot

Verification

  • Connect to your RHEL for Edge system and use bootc status: 

    # bootc status

You can convert existing RHEL 9.6 and later for Edge systems, deployed by using the simplified-installer, to image mode for RHEL. The resulting bootable container image turns into a dynamic bootc workflow without requiring a physical re-installation.

Prerequisites

  • An existing 9.6 or later RHEL for Edge installed with a simplified-installer image.

Procedure

  1. Check if bootc is installed: 

    $ rpm -qa | bootc

    Update your image to the latest rpm-ostree installation. See Updating RHEL for Edge images.

    1. Build an image from rhel-bootc. For example: 

      $ cat Containerfile
FROM registry.redhat.io/rhel9/rhel-bootc:latest
RUN dnf install -y  \
    clevis  \
    clevis-dracut  \
    clevis-luks  \
    fdo-client  \
    fdo-owner-cli

  2. Build the <image> image by using Containerfile in the current directory: 

    $ podman build -t quay.io/<namespace>/<image>:<tag> .

    1. Push the image to a registry. 

      $ podman push quay.io/<namespace>/<image>:_<tag>_

    2. Run bootc switch to switch the device to the image you pushed to the registry. 

      $ bootc switch quay.io/<namespace>/<image>:_<tag>_

    3. Run systemctl reboot. 

      $ sudo systemctl reboot

  3. Verification

    • Connect to your RHEL for Edge system and use bootc status: 

      # bootc status

2.6.3. Upgrading existing RHEL for Edge 9.6 to RHEL 10 and later image mode
Copia collegamento

You can upgrade an existing RHEL for Edge 9.6 system to RHEL 10.0 by using image mode for RHEL. By converting your current systems to a bootc workflow, you can manage host updates by using container images while retaining your existing edge deployments.

Prerequisites

  • An existing 9.6 or later RHEL for Edge system.

Procedure

  1. Update your image. See Updating RHEL for Edge images. 

    $ sudo rpm-ostree upgrade
$ sudo systemctl reboot

  2. Build a bootc image that uses RHEL 10.0. For example: 

    $ cat Containerfile
FROM registry.redhat.io/rhel10/rhel-bootc:10.0
RUN dnf install -y  \
    clevis  \
    clevis-dracut  \
    clevis-luks  \
    fdo-client  \
    fdo-owner-cli

  3. Build the <image> image by using Containerfile in the current directory: 

    $ podman build -t quay.io/<namespace>/<image>:<tag> .

  4. Push the image to a registry. 

    $ podman push quay.io/<namespace>/<image>:_<tag>_

  5. Run bootc switch on the device. 

    $ bootc switch quay.io/<namespace>/<image>:_<tag>_

  6. Reboot the system. 

    $ sudo systemctl reboot

Verification

  • Connect to your RHEL for Edge system and use bootc status: 

    # bootc status
Red Hat logoGithubredditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi. Esplora i nostri ultimi aggiornamenti.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita il Blog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

Theme

© 2026 Red HatTorna in cima