Red Hat Summit이 콘텐츠는 선택한 언어로 제공되지 않습니다.
Chapter 10. Using Red Hat subscriptions in builds
Use the following sections to run entitled builds on OpenShift Container Platform.
10.1. Creating an image stream tag for the Red Hat Universal Base Image
To use Red Hat subscriptions within a build, you create an image stream tag to reference the Universal Base Image (UBI).
To make the UBI available in every project in the cluster, you add the image stream tag to the openshift namespace. Otherwise, to make it available in a specific project, you add the image stream tag to that project.
The benefit of using image stream tags this way is that doing so grants access to the UBI based on the registry.redhat.io credentials in the install pull secret without exposing the pull secret to other users. This is more convenient than requiring each developer to install pull secrets with registry.redhat.io credentials in each project.
Procedure
To create an
ImageStreamTagin theopenshiftnamespace, so it is available to developers in all projects, enter:$ oc tag --source=docker registry.redhat.io/ubi7/ubi:latest ubi:latest -n openshift
To create an
ImageStreamTagin a single project, enter:$ oc tag --source=docker registry.redhat.io/ubi7/ubi:latest ubi:latest
10.2. Adding subscription entitlements as a build secret
Builds that use Red Hat subscriptions to install content must include the entitlement keys as a build secret.
Prerequisites
You must have access to Red Hat entitlements through your subscription, and the entitlements must have separate public and private key files.
Procedure
Create a secret containing your entitlements, ensuring that there are separate files containing the public and private keys:
$ oc create secret generic etc-pki-entitlement --from-file /path/to/entitlement/{ID}.pem \ > --from-file /path/to/entitlement/{ID}-key.pem ...Add the secret as a build input in the build configuration:
source: secrets: - secret: name: etc-pki-entitlement destinationDir: etc-pki-entitlement
10.3. Running builds with Subscription Manager
10.3.1. Docker builds using Subscription Manager
Docker strategy builds can use the Subscription Manager to install subscription content.
Prerequisites
The entitlement keys, subscription manager configuration, and subscription manager certificate authority must be added as build inputs.
Procedure
Use the following as an example Dockerfile to install content with the Subscription Manager:
FROM registry.redhat.io/rhel7:latest
USER root
# Copy entitlements
COPY ./etc-pki-entitlement /etc/pki/entitlement
# Copy subscription manager configurations
COPY ./rhsm-conf /etc/rhsm
COPY ./rhsm-ca /etc/rhsm/ca
# Delete /etc/rhsm-host to use entitlements from the build container
RUN rm /etc/rhsm-host && \
# Initialize /etc/yum.repos.d/redhat.repo
# See https://access.redhat.com/solutions/1443553
yum repolist --disablerepo=* && \
subscription-manager repos --enable <enabled-repo> && \
yum -y update && \
yum -y install <rpms> && \
# Remove entitlements and Subscription Manager configs
rm -rf /etc/pki/entitlement && \
rm -rf /etc/rhsm
# OpenShift requires images to run as non-root by default
USER 1001
ENTRYPOINT ["/bin/bash"]10.4. Running builds with Red Hat Satellite subscriptions
10.4.1. Adding Red Hat Satellite configurations to builds
Builds that use Red Hat Satellite to install content must provide appropriate configurations to obtain content from Satellite repositories.
Prerequisites
You must provide or create a
yum-compatible repository configuration file that downloads content from your Satellite instance.Sample repository configuration
[test-<name>] name=test-<number> baseurl = https://satellite.../content/dist/rhel/server/7/7Server/x86_64/os enabled=1 gpgcheck=0 sslverify=0 sslclientkey = /etc/pki/entitlement/...-key.pem sslclientcert = /etc/pki/entitlement/....pem
Procedure
Create a
ConfigMapcontaining the Satellite repository configuration file:$ oc create configmap yum-repos-d --from-file /path/to/satellite.repo
Add the Satellite repository configuration to the
BuildConfig:source: configMaps: - configMap: name: yum-repos-d destinationDir: yum.repos.d
10.4.2. Docker builds using Red Hat Satellite subscriptions
Docker strategy builds can use Red Hat Satellite repositories to install subscription content.
Prerequisites
- The entitlement keys and Satellite repository configurations must be added as build inputs.
Procedure
Use the following as an example Dockerfile to install content with Satellite:
FROM registry.redhat.io/rhel7:latest
USER root
# Copy entitlements
COPY ./etc-pki-entitlement /etc/pki/entitlement
# Copy repository configuration
COPY ./yum.repos.d /etc/yum.repos.d
# Delete /etc/rhsm-host to use entitlements from the build container
RUN sed -i".org" -e "s#^enabled=1#enabled=0#g" /etc/yum/pluginconf.d/subscription-manager.conf 1
#RUN cat /etc/yum/pluginconf.d/subscription-manager.conf
RUN yum clean all
#RUN yum-config-manager
RUN rm /etc/rhsm-host && \
# yum repository info provided by Satellite
yum -y update && \
yum -y install <rpms> && \
# Remove entitlements
rm -rf /etc/pki/entitlement
# OpenShift requires images to run as non-root by default
USER 1001
ENTRYPOINT ["/bin/bash"]- 1
- If adding Satellite configurations to builds using
enabled=1fails, addRUN sed -i".org" -e "s#^enabled=1#enabled=0#g" /etc/yum/pluginconf.d/subscription-manager.confto the Dockerfile.
10.5. Squash layers with docker builds
Docker builds normally create a layer representing each instruction in a Dockerfile. Setting the imageOptimizationPolicy to SkipLayers merges all instructions into a single layer on top of the base image.
Procedure
Set the
imageOptimizationPolicytoSkipLayers:strategy: dockerStrategy: imageOptimizationPolicy: SkipLayers
