Chapter 8. Red Hat Cloud Access program overview


As part of your relationship with Red Hat, you are eligible to receive a number of benefits when running Red Hat products on the public cloud. These benefits make it easier for you to use Red Hat products and services.

These benefits include gold images, which allow you to deploy Red Hat products in certified cloud and service providers and make it simple to connect your systems to the Red Hat Content Delivery Network and analytic services such as Red Hat Insights.

8.1. Understanding gold images

Red Hat gold images are cloud-ready Red Hat virtual machine (VM) images available in select Red Hat Certified Cloud and Service Providers (CCSP) environments for Cloud Access customers. These images provide customers with an alternative to creating and using their own custom images from their own previously purchased subscriptions. Gold images are built and maintained by a trusted source and are available to customers with valid Red Hat subscriptions.

You can use gold images to deploy Red Hat instances in the cloud without having to build, maintain, and import your own images into the cloud provider’s environment.

8.1.1. When should I use a gold image?

Gold images are useful when you require little customization of the operating system or you will apply your customizations to the system at runtime, using an automation tool, such as Red Hat Ansible Automation Platform.

8.1.2. When should I not use a gold image?

Gold images are less useful if you require extreme customization of the operating system at build time, or if you prefer to include the customizations in the image itself. For example, many security hardening specifications, such as the DISA STIG, require users to have exacting partition layouts. Gold images will generally not meet these requirements by default. It is recommended that RHEL image builder be used to create custom images for these types of stringent requirements.

8.1.4. Updates and repository availability

Options for delivering updates and patches to cloud instances deployed from gold images vary by image type and cloud provider.

8.2. Using gold images on Amazon Web Services (AWS)

Gold images can be used to provision VMs in AWS by using the standard interfaces: AWS GUI, AWS CLI, EC2 Console and AWS PowerShell Cmdlet.

AWS is preconfigured to use the Red Hat Update Infrastructure (RHUI).

AWS gold images meet the following conditions:

  • Built, maintained, and published by Red Hat
  • Available in AWS commercial regions but not in China or GovCloud (US)
  • Preconfigured to use the Red Hat Update Infrastructure (RHUI) running in EC2
  • RHEL, RHEL for SAP, Red Hat Middleware, and Red Hat Storage images

8.2.1. Naming and identifying gold images on AWS

There are multiple ways to search for and launch RHEL Amazon Machine Images (AMIs) in AWS. This includes the EC2 Management Console, AWS CLI, and PowerShell Cmdlet. The naming convention for the Red Hat AMIs in AWS is listed below.

  • Initial GA AMI release: [Red Hat Product]-[Version]-[Virtualization Type]_[Red Hat Release Type]-[Release Date]-[Minor Version Release AMI Iteration]-[Subscription Model]-[EBS Volume Type]
  • After the initial GA AMI release: [Red Hat Product]-[Version]-[Virtualization Type]-[Release Date]-[Minor Version Release AMI Iteration]-[Subscription Model]-[EBS Volume Type]

Note

The Red Hat gold images will have the designation of Access in the AMI Name representing the subscription model.

Red Hat gold images are published under the Owner ID 309956199498. You can ensure that you are using official Red Hat gold images by looking for this Owner ID when you choose an image.

8.2.2. Locating gold images in the AWS GUI

  1. Go to the Hybrid Cloud Console and sign in to your Red Hat account.
  2. Create a connection between your Red Hat account and your cloud provider account in the Integrations application.

    1. Select the Settings icon.
    2. Click Integrations.
  3. Select Amazon Web Services.
  4. Enter a descriptive name for the source, for example, AWS_prod, and click Next.
  5. Select the configuration mode you want to use:

    • Account Authorization: When selecting this option, you will provide your AWS access key ID and secret access keys so that Red Hat can verify ownership of the cloud account. Additionally, this information is saved so that additional Red Hat services (such as cost management) can be configured.

      Note

      On the Select applications page, RHEL management is selected by default. This selection is required.

    • Manual Authorization: When selecting this option, you will provide an Amazon Resource Name (ARN) which will be used only for this service.

8.2.3. Locating gold images in the AWS CLI

This example command displays all of the RHEL 8.3 AMIs in the US-East-1 region that were shared with the AWS account provided during enrollment in Cloud Access using the AWS CLI. The AWS CLI Command Reference provides additional documentation regarding available options, commands, subcommands, and parameters.

$ aws ec2 describe-images --owners 309956199498 \
> --filters "Name=is-public,Values=false" \
> "Name=name,Values=RHEL*8.3*GA*Access*" \
> --region us-east-1
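
The owner and naming checks from this section, applied to the JSON that `describe-images` returns, so that an image is accepted only when the Owner ID, the private sharing and the Access designation all agree. This is an added example, not Red Hat's code; the name pattern is inferred from the example AMI name RHEL-8.3.0_HVM-20201031-x86_64-0-Access2-GP2, and the image IDs and the second owner ID in the sample are constructed.

```python
import json
import re

RED_HAT_OWNER_ID = "309956199498"  # Owner ID given on this page

# Pattern modelled on the page's example name
# RHEL-8.3.0_HVM-20201031-x86_64-0-Access2-GP2. The architecture field and the
# optional "_<release type>" suffix are assumptions taken from that example.
NAME_RE = re.compile(
    r"^(?P<product>[A-Za-z]\w*?)-(?P<version>\d+(?:\.\d+)*)"
    r"_(?P<virt>[A-Z]+)(?:_(?P<release_type>[A-Za-z0-9]+))?"
    r"-(?P<date>\d{8})-(?P<arch>\w+)-(?P<iteration>\d+)"
    r"-(?P<subscription>[A-Za-z]+\d*)-(?P<volume>[A-Za-z0-9]+)$"
)

# Constructed sample of `aws ec2 describe-images` JSON output, trimmed to the
# fields used here; image IDs and the owner ID 111122223333 are made up.
SAMPLE = json.dumps({"Images": [
    {"ImageId": "ami-0000000000000000a", "OwnerId": "309956199498", "Public": False,
     "Name": "RHEL-8.3.0_HVM-20201031-x86_64-0-Access2-GP2"},
    {"ImageId": "ami-0000000000000000b", "OwnerId": "111122223333", "Public": True,
     "Name": "RHEL-8.3.0_HVM-20201031-x86_64-0-Access2-GP2"},
    {"ImageId": "ami-0000000000000000c", "OwnerId": "309956199498", "Public": True,
     "Name": "RHEL-8.3.0_HVM-20201031-x86_64-0-Hourly2-GP2"},
]})


def check_image(image):
    """Return the reasons an image must not be treated as a gold image."""
    reasons = []
    # A matching name alone proves nothing: anyone can publish an AMI with it.
    if image.get("OwnerId") != RED_HAT_OWNER_ID:
        reasons.append("owner")
    # Gold images are shared privately with the enrolled account.
    if image.get("Public", True):
        reasons.append("public")
    match = NAME_RE.match(image.get("Name", ""))
    if match is None:
        reasons.append("name")
    elif not match.group("subscription").startswith("Access"):
        reasons.append("subscription")
    return reasons


def verify_gold_images(describe_images_json):
    """Split describe-images output into trusted IDs and rejected IDs with reasons."""
    trusted, rejected = [], {}
    for image in json.loads(describe_images_json).get("Images", []):
        image_id = image.get("ImageId", "<no id>")
        reasons = check_image(image)
        if reasons:
            rejected[image_id] = reasons
        else:
            trusted.append(image_id)
    return trusted, rejected


if __name__ == "__main__":
    ok, bad = verify_gold_images(SAMPLE)
    print("trusted:", ok)
    for image_id, why in bad.items():
        print("rejected:", image_id, why)
```
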

8.2.4. Locating gold images in the AWS EC2 Console

When working in the EC2 Management Console, there is a menu item for AMIs under the IMAGES section within the left-side navigation pane. In this view, using the designation of Private images displays the gold images that have been shared with the AWS account provided during enrollment.

Note

When in this section of the EC2 Management Console, it is possible to add a filter of Owner : 309956199498, which limits the displayed AMIs to those that were shared with the AWS account after enrolling in Cloud Access.

It is possible to further filter the list of displayed AMIs by adding an additional filter representing different aspects of the AMI Name that Red Hat uses, such as AMI Name : RHEL, AMI Name :.

An example AMI Name is RHEL-8.3.0_HVM-20201031-x86_64-0-Access2-GP2.

If you use the Launch Instance button from the EC2 Dashboard section of the EC2 Management Console and you select My AMIs, the filter Shared with me filters the listed AMIs to show the gold images that have been shared with the AWS account provided during enrollment.

8.2.5. Locating gold images in the AWS PowerShell Cmdlet

This example command displays all of the RHEL 8.3 AMIs in the US-East-1 region that were shared with the AWS account provided during enrollment in Cloud Access using the AWS Tools for Cmdlet.

PS > Get-EC2Image -Region us-east-1 `
>> -Owner 309956199498 -Filter `
>> @{ Name="name" ; Values="RHEL*8.3*" }

8.3. Using gold images on Azure

Gold images can be used to provision RHEL VMs in Azure for bring your own subscription (BYOS) by using the standard interfaces: Azure Portal, Azure CLI, or PowerShell Cmdlet.

Azure gold images meet the following conditions:

  • Built, maintained, and published by Microsoft
  • Available in Azure commercial regions but not in China or government regions
  • RHEL images only
  • Not eligible for Azure Hybrid Benefit

8.3.1. Naming and identifying gold images on Azure

There are multiple ways to search for and launch RHEL gold images in Azure. This includes the Azure Portal, Azure CLI, and PowerShell Cmdlet. The naming convention for the Red Hat gold images in Azure is RedHat:[Offering Name]:[Red Hat Product]-[OS Disk Type]-[Azure VM Generation]:[Red Hat Version].[Red Hat Release].[Image Creation Date].

An example gold image Uniform Resource Name (URN) is RedHat:rhel-byos:rhel-lvm8-gen2:8.0.20200715.

8.3.2. Locating gold images using Azure Lighthouse

Procedure

  1. Enter a descriptive name for the source, for example, Azure_build, and click Next.
  2. Select the RHEL management bundle service and click Next.

    Note

    Cost Management is only used for Red Hat OpenShift Container Platform.

  3. Follow the steps to create an offline token.
  4. Complete the configuration steps in Azure Lighthouse.
  5. When you return to the wizard, click Next.
  6. Log in to your Azure account and navigate to your subscriptions. Copy the subscription ID that you want to use and paste it into the Subscription ID field.
  7. Click Next.
  8. Review the details of your integration, and then click Add to add the integration.

If you want to complete registration in Azure with an Ansible script, use the following steps:

Prerequisites

You can run the Ansible commands on any system with package ansible-galaxy installed that also has access to an Azure instance running inside your Azure account.

Procedure

  1. Follow the steps to create an offline token. See Red Hat API Tokens to generate an offline token.

    Note

    If you have generated an offline token in the last thirty days, you do not need to generate a new token.

  2. Save the offline token where it can be easily accessed for the next step.
  3. Download the Ansible playbook and run the Ansible commands remotely against a running Azure VM, substituting your Azure instance hostname or IP address and your offline token.

    [user@machine ~]$ ansible-galaxy collection install redhatinsights.subscriptions
    
    [user@machine ~]$ ansible-playbook -i <AZURE_VM_HOSTNAME_OR_IP>, -u azureuser -b ~/.ansible/collections/ansible_collections/redhatinsights/subscriptions/playbooks/verify_account.yml -e rh_api_refresh_token=<OFFLINE_AUTH_TOKEN> --private-key ./<PEM_FILE_FOR_VM_AUTH>

    You can also run the following commands directly on a running Azure VM:

    [azureuser@vm ~]$ ansible-galaxy collection install redhatinsights.subscriptions
    
    [azureuser@vm ~]$ ansible-playbook -i <AZURE_VM_HOSTNAME>, --connection=local -b ~/.ansible/collections/ansible_collections/redhatinsights/subscriptions/playbooks/verify_account.yml -e rh_api_refresh_token=<OFFLINE_AUTH_TOKEN>

    Note

    The integration will be displayed in the Integrations list, but will not reflect true status or resources for this integration. You cannot monitor this integration from the Integrations service in the Hybrid Cloud Console.

  4. When the Ansible commands complete successfully, click Next.
  5. Review the details and then click Add to finish the Azure integration creation.

You can use the Integrations configuration dashboard to view, modify, or remove any of your cloud integrations. This dashboard also provides links where you can learn more about related Red Hat services, such as Insights and the subscriptions service.

8.3.3. Locating gold images in the Azure CLI

  1. Make sure that you are using an Azure subscription that was enabled for Cloud Access.

    az account show

  2. Display the list of available RHEL gold images.

    az vm image list --publisher RedHat --offer rhel-byos --all

  3. Find the gold image version you want to use and copy the URN. You need this URN to provision a VM.

8.3.4. Locating gold images in the Azure PowerShell Cmdlet

This example command displays all of the RHEL gold images in the US East region that were shared with the Azure account provided during enrollment in Cloud Access.

Get-AzVMImageSku -Location "East US" -PublisherName RedHat -Offer rhel-byos

8.3.5. Using gold images on Azure

Using the Azure Portal

  1. View the private offers as described in Steps 3 and 4 of Locating gold images in Azure Lighthouse.
  2. Click the Create drop-down menu to select the RHEL gold image version that you want to use. The remaining provisioning steps are the same as any other RHEL Marketplace image.

Using the Azure CLI

  1. Use the image URN from Step 3 of Locating gold images in the Azure CLI to accept Azure terms (only once per Azure Subscription, per image).

    az vm image terms accept --urn RedHat:rhel-byos:rhel-lvm8-gen2:8.0.20200715

    Note

    You must have a resource group defined before you run the following command.

  2. Provision a VM by using the az vm create command.

    az vm create -n my-rhel-byos-vm -g my-rhel-byos-group --image RedHat:rhel-byos:rhel-lvm8-gen2:8.0.20200715

8.4. Using gold images on Google

Gold images can be used to provision RHEL VMs in Google Cloud for bring your own subscription (BYOS) by using the standard interfaces: Google Cloud Console, Google Cloud shell, and gcloud CLI.

Google Cloud gold images meet the following conditions:

  • Built, maintained, and published by Google
  • Available in Google Cloud commercial regions
  • RHEL images only

The following steps show how to identify the gold images and deploy a RHEL VM from a gold image by using the Google Cloud Console UI, Google Cloud Shell, and gcloud CLI.

8.4.1. Naming and identifying gold images on Google

After your Google group has been granted access to the Google Cloud gold images, you will be able to find them in the rhel-byos-cloud Google project. This is a special project that limits access to the RHEL gold images to Cloud Access customers only.

The naming convention for Red Hat gold images in Google Cloud is: [Red Hat Product]-[Version]-byos-[Image Creation Date].

Examples:

  • rhel-7-byos-v20210916
  • rhel-8-byos-v20210916

8.4.2. Locating gold images in the Google Cloud console

Procedure

  1. Sign in to the Google Cloud console at Google Cloud using a Google group or account that has been enabled for Cloud Access.
  2. Create or select the project where you want to deploy the RHEL VM.
  3. Verify you can see the RHEL gold images.

    1. Open a Cloud Shell.
    2. Enter the following command to list all of the available RHEL gold images:

      gcloud compute images list --project rhel-byos-cloud --no-standard-images

8.4.3. Locating gold images in the gcloud CLI

  1. Make sure that you are using a Google group or account that has been enabled for Cloud Access:

    gcloud info | grep account

  2. Display the list of available Red Hat gold images:

    gcloud compute images list --project rhel-byos-cloud --no-standard-images

  3. View details of a specific image:

    gcloud compute images describe rhel-8-byos-v20210916 --project rhel-byos-cloud

8.4.4. Creating a new Red Hat Enterprise Linux VM using a Google gold image

Procedure

Using the Google Cloud Console

  1. Navigate to Google Cloud Console>Home>Dashboard.
  2. From the Navigation menu, select Compute Engine>VM Instances.
  3. Click Create Instances.
  4. Find the Boot Disk section on the VM instance configuration page and click Change.
  5. Select the Custom Images tab.
  6. Click Select A Project and select the rhel-byos-cloud project.
  7. From the Images dropdown list, choose the gold image that you want to use and click Select.
  8. Change any other VM instance configuration settings and then click Create.

Using the Google Cloud shell or gcloud CLI

  1. Use the gcloud compute images list command to find the name of the gold image that you want to use.
  2. Create a new RHEL VM:

    gcloud compute instances create my-rhel8-byos --image rhel-8-byos-v20210916 --image-project rhel-byos-cloud --zone us-east1-b

  3. View details of the new RHEL VM:

    gcloud compute instances describe my-rhel8-byos --zone us-east1-b

8.5. Understanding auto-registration

In certain cloud providers, Red Hat supports an account-wide registration method known as auto-registration. When auto-registration is enabled, instead of running a command on each system to register it to Red Hat, an administrator can configure their cloud provider account such that any kind of Red Hat Enterprise Linux that is instantiated in that cloud provider account will automatically connect to Red Hat.

Auto-registration allows Red Hat Enterprise Linux systems within a trusted cloud provider account to register to Red Hat for updates and Red Hat Insights, without additional manual configuration by the system administrator.

For example, to register a system to Red Hat for updates or analytics, previously, an administrator would run the subscription-manager or rhc command on each system to connect them.

With auto-registration, these steps are no longer required. Systems in a trusted cloud account will automatically connect to Red Hat updates and Red Hat Insights.

Auto-registration requires three core components.

  • A version of the subscription-manager package which can (and has been explicitly configured to) perform the auto-registration process for the cloud provider in question.
  • A service hosted by Red Hat which maintains a mapping of Red Hat accounts and cloud provider accounts.
  • An interface to allow the user to associate their Red Hat account with their cloud provider account.

Figure 8.1. Cloud-based autoregistration workflow

Cloud Based Auto-Registration for Red Hat Enterprise Linux

8.5.1. What cloud providers support auto-registration

Amazon Web Services (AWS), Microsoft Azure, and Google Government. Disconnected regions (such as AWS GovCloud or Microsoft Azure Government) do not support auto-registration.

8.5.2. How do I know if my system supports auto-registration?

Red Hat Enterprise Linux versions 7.9.z, 8.3.1, 9.0 or newer all support auto-registration.

8.5.3. How do I know if my system is configured to use auto-registration?

You can confirm if your system is using auto-registration by running the subscription-manager config command, which displays the contents of /etc/rhsm/rhsm.conf:

[server]

hostname = [subscription.rhsm.redhat.com]
insecure = [0]
no_proxy = []
port = [443]
prefix = [/subscription]
proxy_hostname = []
proxy_password = []
proxy_port = []
proxy_scheme = [http]
proxy_user = []
server_timeout = [180]
ssl_verify_depth = [3]

[rhsm]

auto_enable_yum_plugins = [1]
baseurl = [https://cdn.redhat.com]
ca_cert_dir = [/etc/rhsm/ca/]
consumercertdir = [/etc/pki/consumer]
entitlementcertdir = [/etc/pki/entitlement]
full_refresh_on_yum = [0]
inotify = [1]
manage_repos = 0
package_profile_on_trans = [0]
pluginconfdir = [/etc/rhsm/pluginconf.d]
plugindir = [/usr/share/rhsm-plugins]
productcertdir = [/etc/pki/product]
repo_ca_cert = /etc/rhsm/ca/redhat-uep.pem
repomd_gpg_url = []
report_package_profile = [1]

[rhsmcertd]

auto_registration = 1
auto_registration_interval = [60]
autoattachinterval = [1440]
certcheckinterval = [240]
disable = [0]
splay = [1]

[logging]
default_log_level = [INFO]

[] - Default value in use

Of note, there are four key settings:

  • auto_registration = 1 - This is the setting that tells subscription-manager to actually attempt to auto-register. The default value for this is 0. This value is changed to 1 during the production of cloud images for clouds which support autoregistration.
  • auto_registration_interval = 60 - This setting defines the interval at which auto-registration is attempted. Auto-registration is attempted three times per invocation of the rhsmcertd service at this interval. Example: with this value set to 60, a system will attempt to auto-register three times, 60 minutes apart. If auto-registration is unsuccessful after three tries, rhsmcertd makes no further registration attempts until the service is restarted.

    Note

    In cloud images, rhsmcertd is configured to run at boot time, so a restart of the instance restarts this process too.

  • manage_repos = 0 - This tells subscription-manager to not manage Red Hat Content Delivery Network provided content in /etc/yum.repos.d/redhat.repo. The default is 1, which allows Red Hat Enterprise Linux systems to use either content from the CDN or from a Red Hat Satellite Server. In public clouds, content is generally delivered via Red Hat Update Infrastructure (RHUI), so this value is set to 0. A hybrid approach using both RHUI and the CDN for updates is fairly uncommon, but can be supported by setting this value back to its default of '1'.
  • splay = 1 - This setting applies a random offset during registration to randomize the check-in of systems. This distributes load so that a large number of systems started up at roughly the same time don’t all check in at the same time.
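
One way to check these settings across a fleet is to parse the subscription-manager config output and compare it with the values described above, keeping track of which values are defaults (printed in square brackets) and which were set explicitly. This is an added example, not Red Hat's code; the function names are hypothetical, the samples are constructed from the output shown above, and the check on insecure goes beyond the four settings the page lists.

```python
import re

SECTION_RE = re.compile(r"^\[(\w+)\]$")
ENTRY_RE = re.compile(r"^(\w+)\s*=\s*(.*)$")

# Constructed samples: PAGE_OUTPUT is an excerpt of the output shown above,
# DRIFTED is a made-up host where the cloud-image settings were changed.
PAGE_OUTPUT = """\
[server]
hostname = [subscription.rhsm.redhat.com]
insecure = [0]

[rhsm]
manage_repos = 0

[rhsmcertd]
auto_registration = 1
auto_registration_interval = [60]
splay = [1]

[] - Default value in use
"""
DRIFTED = (PAGE_OUTPUT
           .replace("auto_registration = 1", "auto_registration = [0]")
           .replace("insecure = [0]", "insecure = 1"))

# Values the page describes for a cloud image that auto-registers.
EXPECTED = {("rhsmcertd", "auto_registration"): "1",
            ("rhsm", "manage_repos"): "0",
            ("rhsmcertd", "splay"): "1"}


def parse_config_output(text):
    """Return {section: {key: (value, is_default)}}.

    A value printed inside square brackets is the built-in default; a bare
    value was set explicitly in /etc/rhsm/rhsm.conf.
    """
    config, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            config[section] = {}
            continue
        # The "[] - Default value in use" legend matches neither pattern.
        entry = ENTRY_RE.match(line)
        if entry and section is not None:
            key, value = entry.groups()
            is_default = value.startswith("[") and value.endswith("]")
            config[section][key] = (value[1:-1] if is_default else value, is_default)
    return config


def audit(config):
    """List deviations from the auto-registration settings the page describes."""
    findings = []
    for (section, key), want in EXPECTED.items():
        value, _ = config.get(section, {}).get(key, (None, False))
        if value != want:
            findings.append(f"{section}.{key} is {value!r}, expected {want!r}")
    # Not stated on the page: insecure = 1 disables verification of the
    # subscription server's TLS certificate, so flag it as well.
    if config.get("server", {}).get("insecure", ("0", True))[0] != "0":
        findings.append("server.insecure is enabled")
    return findings
```
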

8.5.4. Configuring the system to use Red Hat Insights

Once a system has been registered, you can configure it to use the Insights services by running either the insights-client --register command or the rhc connect command. Depending on your version of Red Hat Enterprise Linux and the configuration of your cloud images, the redhat-cloud-client-configuration package may be installed. In that case, the system is configured to use the Insights services automatically and you do not need to run a command.

© 2024 Red Hat, Inc.