Red Hat Summit Red Hat Summit지원콘솔개발자평가판 시작연락처

이 콘텐츠는 선택한 언어로 제공되지 않습니다.

Operating system images for the Red Hat Edge Manager

Red Hat Edge Manager 1.0

Operating system images overview

Red Hat Edge Manager Documentation Team

Abstract

This document provides an overview of Operating system images for Red Hat Edge Manager.

Chapter 1. Operating system images for the Red Hat Edge Manager
링크 복사

Image-based operating systems allow the operating system and the configuration and applications to be versioned, deployed, and updated as a single unit. Using an image-based operating system reduces operational risks with the following capability:

  • Minimizing drift between tested and deployed environments.
  • Reducing failed updates through transactional updates and rollbacks, and reducing maintenance and replacement costs.

The Red Hat Edge Manager focuses on image-based Linux operating systems that run bootable container image (bootc). For more information, see https://bootc-dev.github.io/bootc/.

Important: The bootc tool does not update package-based operating systems.

See the following description for the operating system images process:

  • Choose a base bootc operating system image, such as a Fedora, CentOS, or RHEL image.

  • Create a container file that layers the following items onto the base bootc image:

    • The Red Hat Edge Manager agent and configuration.
    • Optional: Any drivers specific to your target deployment environment.
    • Optional: Host configuration, for example certificate authority bundles, and application workloads that are common to all deployments.
  • Build, publish, and sign a bootc operating system image using podman and skopeo.
  • Create an operating system disk image by using bootc-image-builder.
  • Build, publish, and sign an operating system disk image using skopeo.

Note: The operating system disk image contains partitions, volumes, the file system, and the initial bootc image. The operating system disk image only needs to be created once, during provisioning.

For subsequent device updates, only the bootc operating system image is required, which contains the files in the file system.

See the following image building topics:

1.1. Special considerations for building images
링크 복사

1.1.1. Build-time configuration over dynamic runtime configuration
링크 복사

Add configuration to the operating system image at build time. Adding configuration at build time ensures that the configurations are tested, distributed, and updated together. In cases when build-time configuration is not feasible or desirable, you can dynamically configure devices at runtime instead with the Red Hat Edge Manager.

Dynamic runtime configuration is preferable in the following cases:

  • You have a configuration that is deployment or site-specific, such as a hostname or a site-specific network credential.
  • You have secrets that are not secure to distribute with the image.
  • You have application workloads that need to be added, updated, or deleted without reboot or they are on a faster cadence than the operating system.

1.1.2. Configuration in /usr directory
링크 복사

Place configuration files in the /usr directory if the configuration is static and the application or service supports that configuration. By placing the configuration in the /usr directory, the configuration remains read-only and fully defined by the image.

It is not feasible or desirable to place the configuration in the /usr directory in the following cases:

  • The configuration is deployment or site-specific.
  • The application or service only supports reading configuration from the /etc directory.
  • The configuration might need to be changed at runtime.

1.1.3. Drop-in directories
링크 복사

Use drop-in directories to add, replace, or remove configuration files that the service aggregates. Do not directly edit your configuration files that might cause deviation from the target configuration.

Note: You can identify drop-in directories by the .d/ at the end of the directory name. For example, /etc/containers/certs.d, /etc/cron.d, and /etc/NetworkManager/conf.d.

1.1.4. Operating system images with scripts
링크 복사

Avoid executing scripts or commands that change the file system. The bootc or the Red Hat Edge Manager can overwrite the changed files that might cause a deviation or failed integrity checks.

Instead, run such scripts or commands during image building, so changes are part of the image. Alternatively, use the configuration management mechanisms of the Red Hat Edge Manager.

1.1.5. Additional resources
링크 복사

1.2. Building a bootc operating system image for the Red Hat Edge Manager
링크 복사

  • To prepare your device to be managed by the Red Hat Edge Manager, build a bootc operating system image that contains the Red Hat Edge Manager agent. Then build an operating system disk image for your devices.

For more information, read the following sections: * Optional: Requesting an enrollment certificate for early binding * Optional: Using image pull secrets * Building the operating system image with bootc * Signing and publishing the bootc operating system image by using Sigstore * Building the operating system disk image * Signing and publishing the operating system disk image to an Open Container Initiative registry

1.2.1. Prerequisites
링크 복사

See the following prerequisites for building a bootc operating system image:

1.2.2. Installing the Red Hat Edge Manager CLI
링크 복사

To install the Red Hat Edge Manager CLI, complete the following steps:

  1. Enable the subscription manager for the repository appropriate for your system by running the following command: 

    sudo subscription-manager repos --enable edge-manager-1.0-for-rhel-9-x86_64-rpms
    Copy to Clipboard Toggle word wrap

    For a full list of available repositories for the Red Hat Edge Manager, see the Additional resources section.

  2. Install the flightctl CLI with your package manager by running the following command: 

    sudo dnf install -y flightctl-cli
    Copy to Clipboard Toggle word wrap

1.2.3. Optional: Requesting an enrollment certificate for early binding
링크 복사

If you want to include an agent configuration in the image, complete the following steps:

  1. Get the Red Hat Edge Manager API interface server. Run the following command: 

    export RHEM_API_SERVER_URL=$(oc get route -n open-cluster-management flightctl-api-route -o json | jq -r .spec.host)
    Copy to Clipboard Toggle word wrap

  2. Authenticate with the Red Hat Edge Manager service by using the flightctl CLI. Run the following command: 

    flightctl login --username=<your_user> --password=<your_password> https://$RHEM_API_SERVER_URL
    Copy to Clipboard Toggle word wrap

    Note: The CLI uses the certificate authority pool of the host to verify the identity of the Red Hat Edge Manager service. The verification can lead to a TLS verification error when using self-signed certificates, if you do not add your certificate authority certificate to the pool. You can bypass the server verification by adding the --insecure-skip-tls-verify flag to your command.

  3. Obtain the enrollment credentials in the format of an agent configuration file by running the following command: 

    flightctl certificate request --signer=enrollment --expiration=365d --output=embedded > config.yaml
    Copy to Clipboard Toggle word wrap

    Notes:

    • The --expiration=365d option specifies that the credentials are valid for a year.

    • The --output=embedded option specifies that the output is an agent configuration file with the enrollment credentials embedded.

      The returned config.yaml contains the URLs of the Red Hat Edge Manager service, the certificate authority bundle, and the enrollment client certificate and key for the agent. See the following example: 

    enrollment-service:
  authentication:
    client-certificate-data: LS0tLS1CRUdJTiBD...
    client-key-data: LS0tLS1CRUdJTiBF...
  service:
    certificate-authority-data: LS0tLS1CRUdJTiBD...
    server: https://agent-api.flightctl.127.0.0.1.nip.io:7443
  enrollment-ui-endpoint: https://ui.flightctl.127.0.0.1.nip.io:8081
    Copy to Clipboard Toggle word wrap

1.2.4. Optional: Using image pull secrets
링크 복사

If your device relies on containers from a private repository, you must configure a pull secret for the registry. Complete the following steps:

  1. Depending on the kind of container image you use, place the pull secret in one or both of the following system paths on the device:

    • Operating system images use the /etc/ostree/auth.json path.
    • Application container images use the /root/.config/containers/auth.json path.

    Important: The pull secret must exist on the device before the secret can be consumed.

  2. Ensure that the pull secrets have the following format: 

    {
  "auths": {
    "registry.example.com": {
      "auth": "base64-encoded-credentials"
    }
  }
}
    Copy to Clipboard Toggle word wrap

For more information, see the Additional resources section.

1.2.5. Building the operating system image with bootc
링크 복사

Build the operating system image with bootc that contains the Red Hat Edge Manager agent. You can optionally include the following items in your operating system image:

  • The agent configuration for early binding
  • Any drivers
  • Host configuration
  • Application workloads that you need

Note: You must build the operating system image on a Red Hat Enterprise Linux host that has the required entitlement for the specified rhem repository.

Complete the following steps:

  1. Create a Containerfile file with the following content to build a Red Hat Enterprise Linux based operating system image that includes the Red Hat Edge Manager agent and configuration. Replace rhem-<2.x> and rhel-<version> with the version of the products that you are using: 

    FROM registry.redhat.io/rhel9/rhel-bootc:<required_os_version>
    1 
    

RUN dnf config-manager --set-enabled rhem-<2.x>-for-rhel-<version>-$(uname -m)-rpms && \
    dnf -y install flightctl-agent && \
    dnf -y clean all && \
    systemctl enable flightctl-agent.service && \
    systemctl mask bootc-fetch-apply-updates.timer
    2
    Copy to Clipboard Toggle word wrap
    1
    The base image that is referenced in FROM is a bootable container (bootc) image that already contains a Linux kernel, which allows you to reuse existing standard container build tools and workflows.
    2
    Disables the default automatic updates. The updates are managed by the Red Hat Edge Manager.

    Important: If your device relies on containers from a private repository, the device pull secret must be placed in the /etc/ostree/auth.json path. The pull secret must exist on the device before the secret can be consumed.

    1. Optional: To enable podman-compose application support, add the following section to the Containerfile file: 

      RUN dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm && \
    dnf -y install podman-compose && \
    dnf -y clean all && \
    systemctl enable podman.service
      Copy to Clipboard Toggle word wrap

    2. Optional: If you created the config.yaml for early binding, add the following section to the Containerfile: 

      ADD config.yaml /etc/flightctl/
      Copy to Clipboard Toggle word wrap

    For more information, see Optional: Requesting an enrollment certificate for early binding.

  2. Define the Open Container Initiative (OCI) registry by running the following command: 

    OCI_REGISTRY=registry.redhat.io
    Copy to Clipboard Toggle word wrap

  3. Define the image repository that you have permissions to write to by running the following command: 

    OCI_IMAGE_REPO=${OCI_REGISTRY}/<your_org>/<your_image>
    Copy to Clipboard Toggle word wrap

  4. Define the image tag by running the following command: 

    OCI_IMAGE_TAG=v1
    Copy to Clipboard Toggle word wrap

  5. Build the operating system image for your target platform: 

    sudo podman build -t ${OCI_IMAGE_REPO}:${OCI_IMAGE_TAG} .
    Copy to Clipboard Toggle word wrap

1.2.6. Signing and publishing the bootc operating system image by using Sigstore
링크 복사

To sign the bootc operating system image by using Sigstore, complete the following steps:

  1. Generate a Sigstore key pair named signingkey.pub and signingkey.private: 

    skopeo generate-sigstore-key --output-prefix signingkey
    Copy to Clipboard Toggle word wrap

  2. Configure container tools such as Podman and Skopeo to upload Sigstore signatures together with your signed image to your OCI registry: 

    sudo tee "/etc/containers/registries.d/${OCI_REGISTRY}.yaml" > /dev/null <<EOF
docker:
    ${OCI_REGISTRY}:
        use-sigstore-attachments: true
EOF
    Copy to Clipboard Toggle word wrap

  3. Log in to your OCI registry by running the following command: 

    sudo podman login ${OCI_REGISTRY}
    Copy to Clipboard Toggle word wrap

  4. Sign and publish the operating system image by running the following command: 

    sudo podman push \
    --sign-by-sigstore-private-key ./signingkey.private \
    ${OCI_IMAGE_REPO}:${OCI_IMAGE_TAG}
    Copy to Clipboard Toggle word wrap

1.2.7. Building the operating system disk image
링크 복사

Build the operating system disk image that contains the file system for your devices. Complete the following steps:

  1. Create a directory called output by running the following command: 

    mkdir -p output
    Copy to Clipboard Toggle word wrap

  2. Use bootc-image-builder to generate an operating system disk image of type iso from your operating system image. Run the following command: 

    sudo podman run --rm -it --privileged --pull=newer \
    --security-opt label=type:unconfined_t \
    -v "${PWD}/output":/output \
    -v /var/lib/containers/storage:/var/lib/containers/storage \
    registry.redhat.io/rhel9/bootc-image-builder:latest \
    --type iso \
    ${OCI_IMAGE_REPO}:${OCI_IMAGE_TAG}
    Copy to Clipboard Toggle word wrap

When the bootc-image-builder completes, you can find the ISO disk image at the ${PWD}/output/bootiso/install.iso path.

Sign and publish your disk image to your Open Container Initiative (OCI) registry. Optionally, you can compress and publish the disk image as an OCI artifact to the same OCI registry as your bootc images, which facilitates a unified hosting and distribution of bootc and disk images. To publish your ISO disk image to a repository named after your bootc image with /diskimage-iso appended, complete the following steps:

1.2.8.1. Prerequisites
링크 복사

Sign and publish your disk image to your OCI registry. Complete the following steps:

  1. Change the owner of the directory where the ISO disk image is located from root to your current user. Run the following command: 

    sudo chown -R $(whoami):$(whoami) "${PWD}/output"
    Copy to Clipboard Toggle word wrap

  2. Define the OCI_DISK_IMAGE_REPO environmental variable to be the same repository as your bootc image with /diskimage-iso appended. Run the following command: 

    OCI_DISK_IMAGE_REPO=${OCI_IMAGE_REPO}/diskimage-iso
    Copy to Clipboard Toggle word wrap

  3. Create a manifest list by running the following command: 

    sudo podman manifest create \
    ${OCI_DISK_IMAGE_REPO}:${OCI_IMAGE_TAG}
    Copy to Clipboard Toggle word wrap

  4. Add the ISO disk image to the manifest list as an OCI artifact by running the following command: 

    sudo podman manifest add \
    --artifact --artifact-type application/vnd.diskimage.iso \
    --arch=amd64 --os=linux \
    ${OCI_DISK_IMAGE_REPO}:${OCI_IMAGE_TAG} \
    "${PWD}/output/bootiso/install.iso"
    Copy to Clipboard Toggle word wrap

  5. Sign the manifest list with your private Sigstore key and push the image to the registry. Run the following command: 

    sudo podman manifest push --all \
     --sign-by-sigstore-private-key ./signingkey.private \
    ${OCI_DISK_IMAGE_REPO}:${OCI_IMAGE_TAG} \
    docker://${OCI_DISK_IMAGE_REPO}:${OCI_IMAGE_TAG}
    Copy to Clipboard Toggle word wrap

1.2.9. Additional resources
링크 복사

1.3. Building for specific target platforms
링크 복사

For optimized provisioning and integration with Red Hat OpenShift Virtualization and VMware vSphere, enrollment certificates and agent configurations can be provided with cloud-init utility, rather than embedding them in the image. Additionally, you can include appropriate guest tools for better platform integration. This process generates platform-specific image formats, such as QCOW2 for Red Hat OpenShift Virtualization and VMDK for vSphere.

1.3.1. Building images for Red Hat OpenShift Virtualization
링크 복사

When building operating system images and disk images for Red Hat OpenShift Virtualization, you can follow the Building a bootc operating system image for the Red Hat Edge Manager process with the following changes:

  • Use late binding by injecting the enrollment certificate or the agent configuration through cloud-init when provisioning the virtual device.
  • Add the open-vm-tools guest tools to the image.
  • Build a disk image of type qcow2 instead of iso.

Note: You must build the operating system image on a Red Hat Enterprise Linux host that has the required entitlement for the specified rhacm repository.

Complete the generic steps with changes to the following steps:

  1. Build an operating system image that is based on RHEL 9 that includes the Red Hat Edge Manager agent and virtual machine guest tools, but excludes the agent configuration.

  2. Create a file named Containerfile with the following content. Replace rhacm-<2.x> and rhel-<version> with the version of the products that you are using: 

    FROM registry.redhat.io/rhel9/bootc-image-builder:latest

RUN dnf config-manager --set-enabled rhacm-<2.x>-for-rhel-<version>-$(uname -m)-rpms && \
    dnf -y install flightctl-agent && \
    dnf -y clean all && \
    systemctl enable flightctl-agent.service

RUN dnf -y install cloud-init open-vm-tools && \
    dnf -y clean all && \
    ln -s ../cloud-init.target /usr/lib/systemd/system/default.target.wants && \
    systemctl enable vmtoolsd.service
    Copy to Clipboard Toggle word wrap

  3. Optional: To enable podman-compose application support, add the following section to the Containerfile file: 

    RUN dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm && \
    dnf -y install podman-compose && \
    dnf -y clean all && \
    systemctl enable podman.service
    Copy to Clipboard Toggle word wrap

Build, sign, and publish the bootc operating system image by following the generic image building process.

  1. Create a directory called output by running the following command: 

    mkdir -p output
    Copy to Clipboard Toggle word wrap

  2. Generate an operating system disk image of type qcow2 from your operating system image by running the following command: 

    sudo podman run --rm -it --privileged --pull=newer \
    --security-opt label=type:unconfined_t \
    -v "${PWD}/output":/output \
    -v /var/lib/containers/storage:/var/lib/containers/storage \
    registry.redhat.io/rhel9/bootc-image-builder:latest \
    --type qcow2 \
    ${OCI_IMAGE_REPO}:${OCI_IMAGE_TAG}
    Copy to Clipboard Toggle word wrap

When bootc-image-builder completes, you can find the disk image in the ${PWD}/output/vmdk/disk.vmdk path.

Red Hat OpenShift Virtualization can download disk images from an Open Container Initiative (OCI) registry, but it uses a container disk image instead of an OCI artifact.

Complete the following steps to build, sign, and upload the QCoW2 disk image:

  1. Create a file that is named Containerfile.qcow2 with the following content: 

    FROM registry.access.redhat.com/ubi9/ubi:latest AS builder
ADD --chown=107:107 output/qcow2/disk.qcow2 /disk/
    1 
    
RUN chmod 0440 /disk/*
    2 
    
FROM scratch
COPY --from=builder /disk/* /disk/
    3
    Copy to Clipboard Toggle word wrap
    1
    Adds the QCoW2 disk image to a builder container to set the required 107 file ownership, which is the QEMU user.
    2
    Sets the required 0440 file permissions.
    3
    Copies the file to a scratch image.

  2. Build, sign, and publish your disk image. Run the following command: 

    sudo chown -R $(whoami):$(whoami) "${PWD}/output"
OCI_DISK_IMAGE_REPO=${OCI_IMAGE_REPO}/diskimage-qcow2
sudo podman build -t ${OCI_DISK_IMAGE_REPO}:${OCI_IMAGE_TAG} -f Containerfile.qcow2 .
sudo podman push --sign-by-sigstore-private-key ./signingkey.private ${OCI_DISK_IMAGE_REPO}:${OCI_IMAGE_TAG}
    Copy to Clipboard Toggle word wrap

1.3.2. Building images for VMware vSphere
링크 복사

When building operating system images and disk images for VMware vSphere, you can follow the Building a bootc operating system image for the Red Hat Edge Manager process with the following changes:

  • Using late binding by injecting the enrollment certificate or the agent configuration through cloud-init when provisioning the virtual device.
  • Adding the open-vm-tools guest tools to the image.
  • Building a disk image of type vmdk instead of iso.

Build an operating system image that is based on RHEL 9 that includes the Red Hat Edge Manager agent and VM guest tools, but excludes the agent configuration.

Note: You must build the operating system image on a Red Hat Enterprise Linux host that has the required entitlement for the specified rhacm repository.

Complete the generic steps with changes to the following steps:

  1. Create a file that is named Containerfile with the following content. Replace rhacm-<2.x> and rhel-<version> with the version of the products that you are using: 

    FROM registry.redhat.io/rhel9/bootc-image-builder:latest

RUN dnf config-manager --set-enabled rhacm-<2.x>-for-rhel-<version>-$(uname -m)-rpms && \
    dnf -y install flightctl-agent && \
    dnf -y clean all && \
    systemctl enable flightctl-agent.service && \

RUN dnf -y install cloud-init open-vm-tools && \
    dnf -y clean all && \
    ln -s ../cloud-init.target /usr/lib/systemd/system/default.target.wants && \
    systemctl enable vmtoolsd.service
    Copy to Clipboard Toggle word wrap

  2. Create a directory named output by running the following command: 

    mkdir -p output
    Copy to Clipboard Toggle word wrap

  3. Generate an operating system disk image of type vmdk from your operating system image by running the following command: 

    sudo podman run --rm -it --privileged --pull=newer \
    --security-opt label=type:unconfined_t \
    -v "${PWD}/output":/output \
    -v /var/lib/containers/storage:/var/lib/containers/storage \
    registry.redhat.io/rhel9/bootc-image-builder:latest \
    --type vmdk \
    ${OCI_IMAGE_REPO}:${OCI_IMAGE_TAG}
    Copy to Clipboard Toggle word wrap

When bootc-image-builder completes, you can find the disk image in the ${PWD}/output/vmdk/disk.vmdk path.

Legal Notice
링크 복사

Copyright © Red Hat.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Red Hat logoGithubredditYoutubeTwitter

자세한 정보

평가판, 구매 및 판매

커뮤니티

Red Hat 문서 정보

Red Hat을 사용하는 고객은 신뢰할 수 있는 콘텐츠가 포함된 제품과 서비스를 통해 혁신하고 목표를 달성할 수 있습니다. 최신 업데이트를 확인하세요.

보다 포괄적 수용을 위한 오픈 소스 용어 교체

Red Hat은 코드, 문서, 웹 속성에서 문제가 있는 언어를 교체하기 위해 최선을 다하고 있습니다. 자세한 내용은 다음을 참조하세요.Red Hat 블로그.

Red Hat 소개

Red Hat은 기업이 핵심 데이터 센터에서 네트워크 에지에 이르기까지 플랫폼과 환경 전반에서 더 쉽게 작업할 수 있도록 강화된 솔루션을 제공합니다.

Theme

© 2026 Red Hat맨 위로 이동