Red Hat Summit2.6. Switching from an existing rpm-ostree installation to image mode for RHEL 9.6
You can use image mode for RHEL on your existing RHEL for Edge system by using the bootc switch command.
2.6.1. Adding existing system groups and users information to a Containerfile
When switching between different host builds, you can use the bootc switch command to migrate your existing deployed system to a bootc based system.
Some user and group IDs differ between rhel-bootc images and RHEL for Edge. This affects several groups and users, such as ssh_keys. As a consequence, the private keys belong to a group with a misconfigured ID, and you will not be able to use public keys to access the edge system.
The Image Mode system uses altfiles to manage users at /user/lib/passwd and groups at /user/lib/group. To workaround this, you must extract the groups and users information of the existing RHEL for Edge system and fixating them as part of the Containerfile. Configure the Containerfile to copy a local lib/group file to the container image.
You can manually change the permissions of private keys, the /etc folder is mutable in edge systems. However, it does not solve the problem, because after running the bootc switch command, the Image Mode based system has the ssh_keys group configured with the ID 999. This value comes from the RHEL bootc base image, and this drift from ID 101 to ID 999 left the edge system unreachable through SSH. To fix this issue, follow the steps:
Prerequisites
-
An existing RHEL for Edge
rpm-ostreebased system. - You have a subscribed RHEL 9 system. For more information, see Getting Started with RHEL System Registration documentation.
- You have a container registry. You can create your registry locally or create a free account on the Quay.io service. To create the Quay.io account, see Red Hat Quay.io page.
- You have a Red Hat account with either production or developer subscriptions. No cost developer subscriptions are available on the Red Hat Enterprise Linux Overview page.
- You have authenticated to registry.redhat.io. For more information, see Red Hat Container Registry Authentication article.
Procedure
Extract the information of users and groups from the RHEL for Edge system.
$ mkdir -p ./usr/lib $ ssh admin@192.168.100.50 'cat /lib/passwd' > ./usr/lib/passwd $ ssh admin@192.168.100.50 'cat /lib/group' > ./usr/lib/groupInclude the missing RHEL for Edge packages in the bootc based system by specifying them in a Containerfile. Additionally, use the COPY command to include the
groupandpasswdcontent that was extracted from the RHEL for Edge system. The following is an example:FROM registry.redhat.io/rhel9/rhel-bootc WORKDIR /tmp RUN dnf -y install ModemManager \ NetworkManager-wifi \ NetworkManager-wwan \ audit \ checkpolicy \ clevis \ clevis-dracut \ clevis-luks \ clevis-pin-tpm2 \ clevis-systemd \ containernetworking-plugins \ dnsmasq \ dracut-config-generic \ fdo-client \ fdo-owner-cli \ firewalld \ firewalld-filesystem \ greenboot \ greenboot-default-health-checks \ grubby \ ignition \ ignition-edge \ ipset \ iwl100-firmware \ iwl1000-firmware \ iwl105-firmware \ iwl135-firmware \ iwl2000-firmware \ iwl2030-firmware \ iwl3160-firmware \ iwl5000-firmware \ iwl5150-firmware \ iwl6050-firmware \ iwl7260-firmware \ libsecret \ pinentry \ policycoreutils-python-utils \ python3-distro \ python3-setools \ rsync \ setools-console \ tmux \ traceroute \ usbguard \ usbguard-selinux \ wireless-regdb \ wpa_supplicant COPY etc /etc # You can find the passwd and group content that were extracted from the RHEL for Edge system usr/lib/ in your current working directory. You can copy the content into the container image with the following step: COPY usr /usrBuild the bootc image and push it to the registry:
$ podman build -f Containerfile -t quay.io/<namespace>/<image>:<tag> . $ podman push quay.io/<namespace>/<image>:<tag>Run the
bootc switchcommand to the newly created bootable container image.$ ssh admin@192.168.100.50 $ sudo bootc switch quay.io/<namespace>/<image>:<tag> $ sudo reboot
Verification
After rebooting the edge system into the bootable container image, confirm that the contents of /lib/passwd and /lib/group match the content that was extracted from the OSTree system.
Check the content of
/lib/passwd.$ cat /lib/passwdCheck the content of
/lib/group.$ cat /lib/group
2.6.2. Switching a 9.6 RHEL for Edge installed by using a raw image to image mode
Use an existing 9.6 RHEL for Edge that you installed by using a raw image to switch to image mode for RHEL .
Prerequisites
- An existing 9.6 RHEL for Edge installed with a raw image.
Procedure
- Update your image. See Updating RHEL for Edge images.
Switch your existing image from RHEL image builder to image mode.
Build an image from rhel-bootc. For example:
$ cat Containerfile FROM registry.redhat.io/rhel9/rhel-bootc:latest RUN dnf install -y \ clevis \ clevis-dracut \ clevis-luks \ fdo-client \ fdo-owner-cli
Build the <image> image by using
Containerfilein the current directory:$ podman build -t quay.io/<namespace>/<image>:<tag> .Push the image to a registry
$ podman push quay.io/<namespace>/<image>:_<tag>_Run
bootc switchon the device.$ bootc switch quay.io/<namespace>/<image>:_<tag>_Run
systemctl reboot.$ sudo systemctl reboot
Verification
Connect to your RHEL for Edge system and use
bootc status:# bootc status
Use an existing 9.6 RHEL for Edge that you installed by using a simplified-installer image.
Prerequisites
-
An existing 9.6 RHEL for Edge installed with a
simplified-installerimage.
Procedure
Check if
bootcis installed:$ rpm -qa | bootcUpdate your image to the latest
rpm-ostreeinstallation. See Updating RHEL for Edge images.Build an image from
rhel-bootc. For example:$ cat Containerfile FROM registry.redhat.io/rhel9/rhel-bootc:latest RUN dnf install -y \ clevis \ clevis-dracut \ clevis-luks \ fdo-client \ fdo-owner-cli
Build the <image> image by using
Containerfilein the current directory:$ podman build -t quay.io/<namespace>/<image>:<tag> .Push the image to a registry.
$ podman push quay.io/<namespace>/<image>:_<tag>_Run
bootc switchto switch the device to the image you pushed to the registry.$ bootc switch quay.io/<namespace>/<image>:_<tag>_Run systemctl reboot.
$ sudo systemctl reboot
Verification
Connect to your RHEL for Edge system and use
bootc status:# bootc status
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}