Red Hat SummitChapter 9. Using Red Hat subscriptions in builds
Use the following sections to install Red Hat subscription content within Red Hat OpenShift Service on AWS builds.
9.1. Creating an image stream tag for the Red Hat Universal Base Image
To install Red Hat Enterprise Linux (RHEL) packages within a build, you can create an image stream tag to reference the Red Hat Universal Base Image (UBI).
To make the UBI available in every project in the cluster, add the image stream tag to the openshift namespace. Otherwise, to make it available in a specific project, add the image stream tag to that project.
Image stream tags grant access to the UBI by using the registry.redhat.io credentials that are present in the install pull secret, without exposing the pull secret to other users. This method is more convenient than requiring each developer to install pull secrets with registry.redhat.io credentials in each project.
Procedure
To create an
ImageStreamTagresource in a single project, enter the following command:oc tag --source=docker registry.redhat.io/ubi9/ubi:latest ubi:latest
$ oc tag --source=docker registry.redhat.io/ubi9/ubi:latest ubi:latestCopy to Clipboard Copied! TipYou can alternatively apply the following YAML to create an
ImageStreamTagresource in a single project:apiVersion: image.openshift.io/v1 kind: ImageStream metadata: name: ubi9 spec: tags: - from: kind: DockerImage name: registry.redhat.io/ubi9/ubi:latest name: latest referencePolicy: type: SourceapiVersion: image.openshift.io/v1 kind: ImageStream metadata: name: ubi9 spec: tags: - from: kind: DockerImage name: registry.redhat.io/ubi9/ubi:latest name: latest referencePolicy: type: SourceCopy to Clipboard Copied!
9.2. Adding subscription entitlements as a build secret
Builds that use Red Hat subscriptions to install content must include the entitlement keys as a build secret.
Prerequisites
-
You must have access to the cluster as a user with the
cluster-adminrole or you have permission to access secrets in theopenshift-config-managedproject.
Procedure
Copy the entitlement secret from the
openshift-config-managednamespace to the namespace of the build by entering the following commands:cat << EOF > secret-template.txt kind: Secret apiVersion: v1 metadata: name: etc-pki-entitlement type: Opaque data: {{ range \$key, \$value := .data }} {{ \$key }}: {{ \$value }} {{ end }} EOF oc get secret etc-pki-entitlement -n openshift-config-managed -o=go-template-file --template=secret-template.txt | oc apply -f -$ cat << EOF > secret-template.txt kind: Secret apiVersion: v1 metadata: name: etc-pki-entitlement type: Opaque data: {{ range \$key, \$value := .data }} {{ \$key }}: {{ \$value }} {{ end }} EOF $ oc get secret etc-pki-entitlement -n openshift-config-managed -o=go-template-file --template=secret-template.txt | oc apply -f -Copy to Clipboard Copied! Add the etc-pki-entitlement secret as a build volume in the build configuration’s Docker strategy:
strategy: dockerStrategy: from: kind: ImageStreamTag name: ubi9:latest volumes: - name: etc-pki-entitlement mounts: - destinationPath: /etc/pki/entitlement source: type: Secret secret: secretName: etc-pki-entitlementstrategy: dockerStrategy: from: kind: ImageStreamTag name: ubi9:latest volumes: - name: etc-pki-entitlement mounts: - destinationPath: /etc/pki/entitlement source: type: Secret secret: secretName: etc-pki-entitlementCopy to Clipboard Copied!
9.3. Running builds with Subscription Manager
9.3.1. Docker builds using Subscription Manager
Docker strategy builds can use yum or dnf to install additional Red Hat Enterprise Linux (RHEL) packages.
Prerequisites
- The entitlement keys must be added as build strategy volumes.
Procedure
Use the following as an example Dockerfile to install content with the Subscription Manager:
FROM registry.redhat.io/ubi9/ubi:latest RUN rm -rf /etc/rhsm-host RUN yum --enablerepo=codeready-builder-for-rhel-9-x86_64-rpms install \ nss_wrapper \ uid_wrapper -y && \ yum clean all -y RUN ln -s /run/secrets/rhsm /etc/rhsm-hostFROM registry.redhat.io/ubi9/ubi:latest RUN rm -rf /etc/rhsm-host1 RUN yum --enablerepo=codeready-builder-for-rhel-9-x86_64-rpms install \2 nss_wrapper \ uid_wrapper -y && \ yum clean all -y RUN ln -s /run/secrets/rhsm /etc/rhsm-host3 Copy to Clipboard Copied! - 1
- You must include the command to remove the
/etc/rhsm-hostdirectory and all its contents in your Dockerfile before executing anyyumordnfcommands. - 2
- Use the Red Hat Package Browser to find the correct repositories for your installed packages.
- 3
- You must restore the
/etc/rhsm-hostsymbolic link to keep your image compatible with other Red Hat container images.
9.4. Running builds with Red Hat Satellite subscriptions
9.4.1. Adding Red Hat Satellite configurations to builds
Builds that use Red Hat Satellite to install content must provide appropriate configurations to obtain content from Satellite repositories.
Prerequisites
You must provide or create a
yum-compatible repository configuration file that downloads content from your Satellite instance.Sample repository configuration
[test-<name>] name=test-<number> baseurl = https://satellite.../content/dist/rhel/server/7/7Server/x86_64/os enabled=1 gpgcheck=0 sslverify=0 sslclientkey = /etc/pki/entitlement/...-key.pem sslclientcert = /etc/pki/entitlement/....pem
[test-<name>] name=test-<number> baseurl = https://satellite.../content/dist/rhel/server/7/7Server/x86_64/os enabled=1 gpgcheck=0 sslverify=0 sslclientkey = /etc/pki/entitlement/...-key.pem sslclientcert = /etc/pki/entitlement/....pemCopy to Clipboard Copied!
Procedure
Create a
ConfigMapobject containing the Satellite repository configuration file by entering the following command:oc create configmap yum-repos-d --from-file /path/to/satellite.repo
$ oc create configmap yum-repos-d --from-file /path/to/satellite.repoCopy to Clipboard Copied! Add the Satellite repository configuration and entitlement key as a build volumes:
strategy: dockerStrategy: from: kind: ImageStreamTag name: ubi9:latest volumes: - name: yum-repos-d mounts: - destinationPath: /etc/yum.repos.d source: type: ConfigMap configMap: name: yum-repos-d - name: etc-pki-entitlement mounts: - destinationPath: /etc/pki/entitlement source: type: Secret secret: secretName: etc-pki-entitlementstrategy: dockerStrategy: from: kind: ImageStreamTag name: ubi9:latest volumes: - name: yum-repos-d mounts: - destinationPath: /etc/yum.repos.d source: type: ConfigMap configMap: name: yum-repos-d - name: etc-pki-entitlement mounts: - destinationPath: /etc/pki/entitlement source: type: Secret secret: secretName: etc-pki-entitlementCopy to Clipboard Copied!
9.4.2. Docker builds using Red Hat Satellite subscriptions
Docker strategy builds can use Red Hat Satellite repositories to install subscription content.
Prerequisites
- You have added the entitlement keys and Satellite repository configurations as build volumes.
Procedure
Use the following example to create a
Dockerfilefor installing content with Satellite:FROM registry.redhat.io/ubi9/ubi:latest RUN rm -rf /etc/rhsm-host RUN yum --enablerepo=codeready-builder-for-rhel-9-x86_64-rpms install \ nss_wrapper \ uid_wrapper -y && \ yum clean all -y RUN ln -s /run/secrets/rhsm /etc/rhsm-hostFROM registry.redhat.io/ubi9/ubi:latest RUN rm -rf /etc/rhsm-host1 RUN yum --enablerepo=codeready-builder-for-rhel-9-x86_64-rpms install \2 nss_wrapper \ uid_wrapper -y && \ yum clean all -y RUN ln -s /run/secrets/rhsm /etc/rhsm-host3 Copy to Clipboard Copied! - 1
- You must include the command to remove the
/etc/rhsm-hostdirectory and all its contents in your Dockerfile before executing anyyumordnfcommands. - 2
- Contact your Satellite system administrator to find the correct repositories for the build’s installed packages.
- 3
- You must restore the
/etc/rhsm-hostsymbolic link to keep your image compatible with other Red Hat container images.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}