Red Hat SummitTesting frameworks for images built via Red Hat Lightspeed image builder
Building images for cloud deployments or on-premises servers provides a number of challenges. In this learning path by Gianluca Zuccarelli and Obinna Ezeakachi, we’ll explore how to use Red Hat Insights image builder to deploy pre-hardened images then monitor the systems with our compliance tool.
This learning path is for operations teams or system administrators
Developers might want to check out Testing frameworks for images built via Lightspeed image builder on developers.redhat.com.
Creating images using OpenSCAP via Red Hat Lightspeed image builder
Red Hat® Lightspeed (formerly Insights) image builder makes the process of hardening images much simpler since it is able to leverage OpenSCAP remediations at build time before the image has even been launched. This is desirable since some options, such as filesystem customizations, are hard to remediate once an image has been built and booted. Let’s get started by walking through how to create images using OpenSCAP via Red Hat Lightspeed image builder.
What will you learn?
- Building images with Lightspeed image builder using OpenSCAP via the UI
- Building images with Lightspeed image builder using the API
What do you need before starting?
- Cloud service provider account credentials
- Red Hat account
Building images with Lightspeed image builder
There are two ways we can build images using image builder in the console. The first way is making an API request to the backend image builder application and then deploying the resulting image to AWS. Alternatively, we can use the front end to build pre-hardened images. This guide will take you through both methods.
Building images using OpenSCAP via the UI
Since April 2024, it is possible to build pre-hardened images using OpenSCAP in the console environment. To get started building an image, navigate to Image Builder. and click on the Create Image button. We will skip ahead a few steps through the wizard with the following assumptions:
- A RHEL 9 image was selected
- An AWS Amazon Machine Image (AMI) was selected as the target environment
- The system was registered with an Access Key
From the OpenSCAP compliance step, choose an OpenSCAP profile from the dropdown menu, and select the “PCI-DSS” profile:
The “PCI-DSS” doesn’t have any partitioning requirements. For profiles that do have required partitions, the filesystem step in the wizard will be pre-populated with recommended partition sizes based on the requirements of the selected profile. These sizes can be amended. Additional mount points can also be added.
Similarly, the required packages for the selected profile are pre-populated; these packages may be removed, and additional packages can be added, as desired.
Note that amending the suggested file system layout or removing suggested packages may impact your image’s compliance score.
Click through the remaining steps, select the options as desired, then start the image build. Once the build is complete, we can launch the image and move on to the next step.
Building images via the API
To start off with, we will build an image for AWS using the Lightspeed image builder’s API. First, navigate to the operation to compose an image in the console.
Scroll down to the compose image section, click on the Try it out button, and input the following JSON script. Amend the following values as you see fit:
- distribution
- image_name
- architecture
- image_type
- type, share_with_accounts
- profile_id
```bash
{
"distribution": "rhel-92",
"image_name": "obi",
"image_requests": [
{
"architecture": "x86_64",
"image_type": "ami",
"upload_request": {
"type": "aws",
"options": {
"share_with_accounts": [ "AWS_Account_ID" ]
}
}
}
],
"customizations": {
"packages": [ "zsh" ],
"openscap": {
"profile_id": "xccdf_org.ssgproject.content_profile_pci-dss"
}
}
}
```
Then hit the Execute button to build the image. Head to https://console.redhat.com/insights/image-builder and monitor the build process for the AMI. The AMI will be ready to use once you see the green tick and ready message.
To share to AWS, click on the three dots in the right corner of the screen and click the option, Share to new region. Choose the region in which you want to raise your AMI.
With this done, you’re ready to learn about compliance monitoring and testing frameworks in the next resource.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}