Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

Chapter 13. Pushing a container to a registry and embedding it into an image

With RHEL image builder, you can build security-hardened images by using the OpenSCAP tool. You can take advantage of the support for container customization in the blueprints to create a container and embed it directly into the image you create.

13.1. Customizing a blueprint to embed a container into an image
Copiar o link

Embed a container from registry.access.redhat.com by adding a container customization to your blueprint. RHEL image builder pulls the container during the image build and stores the container in the image.

The default local container storage location depends on the image type, so that all supported container-tools, such as Podman, can work with it.

Prerequisites

  • You have created a blueprint.

Procedure

  • Customize your blueprint with the container: 
[[containers]]
source = "registry.access.redhat.com/ubi10/ubi:latest"
name =  "_<local_name>_"
tls-verify = true
  • source - Mandatory field. It is a reference to the container image at a registry. This example uses the registry.access.redhat.com registry. You can specify a tag version. The default tag version is the latest.
  • name - The name of the container in the local registry.

  • tls-verify - Boolean field. The tls-verify boolean field controls the transport layer security. The default value is true.

    To access protected container resources, you can use a containers-auth.json file.

13.2. Pushing a container artifact directly to a container registry
Copiar o link

You can push container artifacts directly to a container registry after you build them by using the RHEL image builder CLI.

Prerequisites

  • Access to quay.io registry. This example uses the quay.io container registry as a target registry, but you can use a container registry of your choice.

Procedure

  1. Set up a registry-config.toml file to select the container provider. The credentials are optional. 

    provider = "<container_provider>"
[settings]
tls_verify = false
username = "<admin>"
password = "<your_password>"

  2. Create a blueprint in the .toml format. This is a blueprint for the container in which you install an nginx package into the blueprint. 

    name = "simple-container"
description = "Simple RHEL container"
version = "0.0.1"
[[packages]]
name = "nginx"
version = "*"

  3. Build the container image, by passing the registry and the repository to the image-builder tool as arguments. 

    # image-builder build --blueprint <simple-container> --extra-repo "quay.io:8080/<namespace>/<repository>" --extra-repo registry-config.toml
    Note

    Building the container image takes time because of resolving dependencies of the customized packages.

  4. After the image build finishes, the container you created is available in quay.io.

Verification

  1. Open quay.io and click Repository Tags. You can see details about the container you created, such as:

    • Last modified
    • Image size
    • The manifest ID that you can copy to the clipboard.
  2. Copy the manifest ID value to build the image in which you want to embed a container.

13.3. Building an image and pulling the container into the image
Copiar o link

After you create a container image, build your customized image and pull the container image into it. Use the container customization specification in the blueprint and the container name for the final image. It fetches the container image and add it to the local Podman container storage.

Prerequisites

Procedure

  1. Create a blueprint to build a qcow2 image. The blueprint must contain the [[containers]] customization. 

    name = "image"
description = "A qcow2 image with a container"
version = "0.0.1"
distro = "rhel-10"
[[packages]]
name = "podman"
version = "*"
[[containers]]
source = "registry.access.redhat.com/ubi10:8080/image/container/container-image@sha256:manifest-ID-from-Repository-tag: tag-version"
name =  "source"
tls-verify = true

  2. Build the container image: 

    # image-builder build qcow2 --blueprint <blueprint>
    Note

    Building the image takes time because it checks the container on quay.io registry.

    You can use the qcow2 image you created and downloaded to create a VM.

Verification

  1. Locate the resulting qcow2 image.
  2. Start the qcow2 image in a VM. See Creating a virtual machine from a KVM guest image.
  3. The qemu wizard opens. Log in to the qcow2 image by entering the username and password. These can be the username and password you set up in the .qcow2 blueprint in the customizations.user section, or created at boot time with cloud-init.

  4. Run the container image and open a shell prompt inside the container: 

    # podman run -it registry.access.redhat.com/ubi10:8080/<organization>/<repository>/bin/bash/

    registry.access.redhat.com is the target registry, <organization> is the organization, and repository is the location to push the container when it finishes building.

  5. Check that the packages you added to the blueprint are available: 

    # type -a nginx

    The output shows you the nginx package path.

Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2026 Red HatVoltar ao topo