2.3. Equivalence between blueprint customizations and Containerfile customizations
The following table lists each blueprint customization option and the equivalent instruction to use in the Containerfile. Multi-line TOML and Containerfile snippets are flattened to one line per cell.

| Blueprint customization | Containerfile instruction |
|---|---|
| `distro = "rhel-10"` | `FROM registry.redhat.io/rhel10/rhel-bootc:latest` |
| `[[packages]] name = "openssh-server" version = "8.*"` | `RUN dnf install -y <package_name>` |
| `[[groups]] name = "anaconda-tools"` | `RUN dnf group install -y <group_name>` |
| `[[containers]] source = "quay.io/rhel/rhel:latest"` | `RUN podman pull quay.io/rhel/rhel:latest` |
| `[customizations.kernel] name = "kernel-debug" append = "nosmt=force"` | `RUN dnf install -y kernel-debug` `RUN mkdir -p /usr/lib/bootc/kargs.d && printf 'kargs = ["nosmt=force"]\nmatch-architectures = ["x86_64"]\n' > /usr/lib/bootc/kargs.d/10-kernel.toml` |
| `[customizations.rhsm.config.dnf_plugins.product_id] enabled = true [customizations.rhsm.config.dnf_plugins.subscription_manager] enabled = true [customizations.rhsm.config.subscription_manager.rhsm] manage_repos = true [customizations.rhsm.config.subscription_manager.rhsmcertd] auto_registration = true` | `COPY ./rhsm.conf /etc/rhsm/rhsm.conf` |
| `[customizations.rpm.import_keys] files = ["/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-18-primary", "/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-19-primary"]` | `COPY <host_path>/gpg_key /etc/pki/rpm-gpg/gpg_key` `RUN rpm --import /etc/pki/rpm-gpg/gpg_key` |
| `[[customizations.sshkey]] user = "root" key = "PUBLIC SSH KEY"` | `COPY test.pub /root/container_key.pub` `RUN mkdir -p -m 700 /root/.ssh && cat /root/container_key.pub >> /root/.ssh/authorized_keys && chmod 600 /root/.ssh/authorized_keys && rm -f /root/container_key.pub` |
| `[customizations.timezone] timezone = "US/Eastern" ntpservers = ["0.north-america.pool.ntp.org", "1.north-america.pool.ntp.org"]` | `RUN ln -sf /usr/share/zoneinfo/US/Eastern /etc/localtime && printf 'server 0.north-america.pool.ntp.org iburst\nserver 1.north-america.pool.ntp.org iburst\n' >> /etc/chrony.conf` |
| `[customizations.locale] languages = ["en_US.UTF-8"] keyboard = "us"` | `RUN echo 'LANG="en_US.UTF-8"' > /etc/locale.conf && echo 'KEYMAP="us"' > /etc/vconsole.conf` |
| `[customizations.firewall] ports = ["22:tcp", "80:tcp", "imap:tcp", "53:tcp", "53:udp", "30000-32767:tcp", "30000-32767:udp"]` | `RUN dnf install -y firewalld && dnf clean all && firewall-offline-cmd --new-zone=customzone && firewall-offline-cmd --zone=customzone --set-description="Custom firewall rules for the container" && firewall-offline-cmd --zone=customzone --add-service=imap && firewall-offline-cmd --zone=customzone --add-port=22/tcp && firewall-offline-cmd --zone=customzone --add-port=80/tcp && firewall-offline-cmd --zone=customzone --add-port=53/tcp && firewall-offline-cmd --zone=customzone --add-port=53/udp && firewall-offline-cmd --zone=customzone --add-port=30000-32767/tcp && firewall-offline-cmd --zone=customzone --add-port=30000-32767/udp && firewall-offline-cmd --set-default-zone=customzone` |
| `[[customizations.directories]] path = "/etc/<dir-name>" mode = "0755" user = "root" group = "root" ensure_parents = false` | `RUN mkdir /etc/<dir-name> && chown root:root /etc/<dir-name> && chmod 0755 /etc/<dir-name>` |
| `[[customizations.files]] path = "/etc/<file-name>" mode = "0600" group = "widget"` | `RUN touch /etc/<file-name> && chown :widget /etc/<file-name> && chmod 0600 /etc/<file-name>` |
| `[customizations] installation_device = "/dev/sda"` | `RUN mkdir -p /usr/lib/bootc/kargs.d && echo 'kargs = ["inst.device=/dev/sda"]' > /usr/lib/bootc/kargs.d/20-install-device.toml` |
| `[customizations.ignition.embedded] config = "eyJpZ25pdG….xIn1dfX0="` | `RUN mkdir -p /usr/lib/bootc/kargs.d && echo 'kargs = ["ignition.config.url=http://192.168.122.1/fiot.ign", "rd.neednet=1"]' > /usr/lib/bootc/kargs.d/30-ignition.toml` |
| `[customizations.fdo] manufacturing_server_url = "http://192.168.122.199:8080" diun_pub_key_insecure = "true" di_mfg_string_type_mac_iface = "enp2s0"` | `RUN dnf install -y fdo-init fdo-client && systemctl enable fdo-client-linuxapp.service` |
| `[customizations.openscap] datastream = "/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml" profile_id = "xccdf_org.ssgproject.content_profile_cis" [customizations.openscap.json_tailoring] profile_id = "<tailored-profile-id>" filepath = "/some/path/tailoring-file.json" [[customizations.files]] path = "/some/path/tailoring-file.json" data = "<json-tailoring-file-contents>"` | `RUN dnf install -y openscap-utils && autotailor --output /some/path/tailoring-file.json --new-profile-id <tailored-profile-id> /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml xccdf_org.ssgproject.content_profile_cis` |
| `[customizations] fips = true` | `RUN mkdir -p /usr/lib/bootc/kargs.d && echo 'kargs = ["fips=1"]' > /usr/lib/bootc/kargs.d/01-fips.toml` |

Three of these equivalents deserve a check. In a bootc image `/root` lives under `/var`, whose image content is applied only at initial install and not on later updates, so a key written to `/root/.ssh/authorized_keys` is not refreshed by `bootc upgrade`. The `fips=1` kernel argument switches only the kernel into FIPS mode; the system-wide crypto policy has to be set separately with `update-crypto-policies --set FIPS`. `diun_pub_key_insecure = "true"` makes the FDO client accept the manufacturing server's DIUN key without verifying it, which is acceptable only in a lab.
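Four rows of the table (kernel, installation device, Ignition and FIPS) all reduce to dropping a TOML file into `/usr/lib/bootc/kargs.d/`. The helper below is an added example, not code from this page or from bootc: it writes such a drop-in from a list of arguments, refuses arguments that would split into two at boot or break the TOML quoting, and reads the arguments back as they will appear on the kernel command line. Only the `kargs`/`match-architectures` file format is bootc's; the function names, file names and sample arguments are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the page or from bootc: build and read back a
# bootc kernel-argument drop-in (/usr/lib/bootc/kargs.d/<name>.toml). Only the
# file format (a `kargs` string array, optionally `match-architectures`) is
# bootc's; the function names, file names and sample arguments are assumptions.

# write_kargs_dropin DIR NAME ARCHES ARG...
#   Writes DIR/NAME.toml. ARCHES is a space-separated list (may be empty) that
#   becomes match-architectures. Each ARG must be one kernel argument: whitespace
#   would split it into two arguments at boot, and '"' or '\' would break the
#   TOML basic-string quoting, so such arguments are rejected and nothing is
#   written.
write_kargs_dropin() {
    dir=$1 name=$2 arches=$3
    shift 3
    [ $# -gt 0 ] || { echo "write_kargs_dropin: no kernel arguments" >&2; return 1; }
    for arg in "$@"; do
        case $arg in
            *[[:space:]]*|*'"'*|*'\'*)
                echo "write_kargs_dropin: rejecting argument: $arg" >&2
                return 1 ;;
        esac
    done
    mkdir -p "$dir"
    {
        printf 'kargs = ['
        sep=
        for arg in "$@"; do
            printf '%s"%s"' "$sep" "$arg"
            sep=', '
        done
        printf ']\n'
        if [ -n "$arches" ]; then
            printf 'match-architectures = ['
            sep=
            for arch in $arches; do
                printf '%s"%s"' "$sep" "$arch"
                sep=', '
            done
            printf ']\n'
        fi
    } > "$dir/$name.toml"
}

# read_kargs_dropin FILE
#   Prints the kargs of FILE as they will be appended to the kernel command line
#   (one line, space separated). Splits on the `", "` separators rather than on
#   commas, because arguments such as console=ttyS0,115200n8 contain commas.
read_kargs_dropin() {
    sed -n 's/^kargs *= *\[\(.*\)]$/\1/p' "$1" |
        sed 's/" *, *"/ /g; s/^"//; s/"$//'
}

# Demo on a scratch directory; this never writes under /usr/lib/bootc.
demo=$(mktemp -d)
write_kargs_dropin "$demo" 10-kernel "x86_64" console=ttyS0,115200n8 nosmt=force
cat "$demo/10-kernel.toml"
echo "kernel command line additions: $(read_kargs_dropin "$demo/10-kernel.toml")"
rm -rf "$demo"
```

In a Containerfile the same output goes to `/usr/lib/bootc/kargs.d/` with a distinct file name per concern: bootc merges all drop-ins in that directory, whereas appending several `kargs` lines to one shared file with `>>` produces a TOML file with duplicate keys.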
To create edge images by using image mode for RHEL, you must manually install some packages that are common to a RHEL for Edge OSTree commit but are not part of the bootc base image, such as:

- clevis
- clevis-dracut
- clevis-luks
- greenboot
- greenboot-default-health-checks
- fdo-client
- fdo-owner-cli

To install the missing packages and build a bootc image comparable to your RHEL for Edge image, follow these steps:

Prerequisites

- An existing deployed RHEL for Edge system based on rpm-ostree.

Procedure

Create a Containerfile with the following content:

```
FROM registry.redhat.io/rhel10/rhel-bootc:latest

RUN dnf install -y \
    clevis \
    clevis-dracut \
    clevis-luks \
    greenboot \
    greenboot-default-health-checks \
    fdo-client \
    fdo-owner-cli

# (Optional) Extra packages often used on edge systems
# RUN dnf install -y \
#     dracut-config-generic \
#     platform-python \
#     pinentry \
#     firewalld \
#     iptables \
#     NetworkManager-wifi \
#     NetworkManager-wwan \
#     wpa_supplicant \
#     traceroute \
#     rootfiles \
#     policycoreutils-python-utils \
#     setools-console \
#     rsync \
#     usbguard

RUN systemctl enable NetworkManager.service \
    greenboot-grub2-set-counter.service \
    greenboot-grub2-set-success.service \
    greenboot-healthcheck.service \
    greenboot-rpm-ostree-grub2-check-fallback.service \
    greenboot-status.service \
    greenboot-task-runner.service \
    redboot-auto-reboot.service \
    redboot-task-runner.service
```

Build your RHEL for Edge-like bootc image:

```
$ podman build -t quay.io/<namespace>/<image>:<tag> .
```

Optional: push the image:

```
$ podman push quay.io/<namespace>/<image>:<tag>
```

Verification

List all images:

```
$ podman images
```
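The build step above does not check that the Containerfile actually carries everything the package list says, and `podman images` only confirms that an image exists. The script below is an added example, not part of this page or of Red Hat's tooling: a pre-build lint that joins Containerfile continuation lines, then verifies that every package in the list above is installed by a `RUN dnf install` instruction and every greenboot and redboot unit from the Containerfile is enabled by a `RUN systemctl enable` instruction, using whole-word matching so that `clevis-luks` cannot stand in for `clevis`. The function names and the two sample Containerfiles are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the page or from Red Hat's tooling: a pre-build check
# that an edge-style bootc Containerfile installs the packages the page lists
# as missing from the base image and enables the greenboot/redboot units. The
# package and unit names come from the page; the function names and the two
# sample Containerfiles written by write_samples are this example's own.

EDGE_PACKAGES="clevis clevis-dracut clevis-luks greenboot
    greenboot-default-health-checks fdo-client fdo-owner-cli"
EDGE_UNITS="NetworkManager.service greenboot-grub2-set-counter.service
    greenboot-grub2-set-success.service greenboot-healthcheck.service
    greenboot-rpm-ostree-grub2-check-fallback.service greenboot-status.service
    greenboot-task-runner.service redboot-auto-reboot.service
    redboot-task-runner.service"

# containerfile_logical_lines FILE
#   Joins backslash continuations and drops comment and blank lines, so every
#   instruction is one line. A comment line inside a continued RUN is skipped
#   without ending the continuation, as Dockerfile parsers do.
containerfile_logical_lines() {
    awk '
        /^[ \t]*#/ { next }
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, " "); buf = buf $0; next }
        { line = buf $0; buf = ""; if (line ~ /[^ \t]/) print line }
    ' "$1"
}

# missing_from_instruction FILE INSTRUCTION_REGEX NAME...
#   Prints each NAME that does not appear as a whole word on a logical line
#   matching INSTRUCTION_REGEX; returns 1 if anything is missing. Explicit
#   boundaries are used because grep -w would let clevis-luks satisfy clevis.
missing_from_instruction() {
    file=$1 regex=$2
    shift 2
    lines=$(containerfile_logical_lines "$file" | grep -E -- "$regex") || lines=
    rc=0
    for name in "$@"; do
        if ! printf '%s\n' "$lines" | grep -Eq -- "(^|[[:space:]])$name([[:space:]]|$)"; then
            echo "$name"
            rc=1
        fi
    done
    return $rc
}

# check_edge_containerfile FILE
#   Returns 0 only if every package is installed by a RUN dnf install line and
#   every unit is enabled by a RUN systemctl enable line; prints what is missing.
check_edge_containerfile() {
    status=0
    missing=$(missing_from_instruction "$1" '^RUN .*dnf .*install' $EDGE_PACKAGES) ||
        { echo "not installed: $(echo $missing)"; status=1; }
    missing=$(missing_from_instruction "$1" '^RUN .*systemctl enable' $EDGE_UNITS) ||
        { echo "not enabled: $(echo $missing)"; status=1; }
    return $status
}

# write_samples DIR: constructed sample inputs, not files from the page's build.
write_samples() {
    cat > "$1/Containerfile.ok" <<'EOF'
FROM registry.redhat.io/rhel10/rhel-bootc:latest
RUN dnf install -y \
    clevis clevis-dracut clevis-luks \
    # greenboot and its default health checks
    greenboot greenboot-default-health-checks \
    fdo-client fdo-owner-cli
RUN systemctl enable NetworkManager.service \
    greenboot-grub2-set-counter.service greenboot-grub2-set-success.service \
    greenboot-healthcheck.service greenboot-rpm-ostree-grub2-check-fallback.service \
    greenboot-status.service greenboot-task-runner.service \
    redboot-auto-reboot.service redboot-task-runner.service
EOF
    cat > "$1/Containerfile.bad" <<'EOF'
FROM registry.redhat.io/rhel10/rhel-bootc:latest
# clevis itself is missing; clevis-luks must not be taken for it
RUN dnf install -y clevis-dracut clevis-luks greenboot \
    greenboot-default-health-checks fdo-client fdo-owner-cli
RUN systemctl enable greenboot-healthcheck.service
EOF
}

demo=$(mktemp -d)
write_samples "$demo"
for f in ok bad; do
    if check_edge_containerfile "$demo/Containerfile.$f"; then
        echo "Containerfile.$f: complete"
    else
        echo "Containerfile.$f: incomplete"
    fi
done
rm -rf "$demo"
```

Point `check_edge_containerfile` at the real Containerfile in CI before `podman build`; a non-zero exit stops the build and the output names exactly which package or unit was dropped.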