$ oc tag --source=docker registry.redhat.io/ubi7/ubi:latest ubi:latest
Use the following sections to run entitled builds on OpenShift Container Platform.
To use Red Hat subscriptions within a build, you should create an ImageStream
to reference the universal base image (UBI).
Builds that reference the UBI directly from registry.redhat.io will require a pull secret.
You must create a pull secret for registry.redhat.io, and link it to a user project.
To create an imagestreamtag
in a single project:
$ oc tag --source=docker registry.redhat.io/ubi7/ubi:latest ubi:latest
To create an imagestreamtag
in the OpenShift Container Platform namespace, making it available to
developers in all projects:
$ oc tag --source=docker registry.redhat.io/ubi7/ubi:latest ubi:latest -n openshift
Builds that use Red Hat subscriptions to install content must include the entitlement keys as a build secret.
You must have access to Red Hat entitlements through your subscription, and the entitlements must have separate public and private key files.
Create a secret containing your entitlements, ensuring that there are separate files containing the public and private keys:
$ oc create secret generic etc-pki-entitlement --from-file /path/to/entitlement/{ID}.pem \ > --from-file /path/to/entitlement/{ID}-key.pem ...
Add the secret as a build input in the build configuration:
source:
secrets:
- secret:
name: etc-pki-entitlement
destinationDir: etc-pki-entitlement
There are two paths to pulling in the base RHEL image:
Add the pull secret to registry.redhat.io to your project.
Create an imagestream in the OpenShift namespace for the RHEL-based image. This makes the imagestream available across the cluster.
Builds that use the Subscription Manager to install content must provide appropriate configuration files and certificate authorities for subscribed repositories.
You must have access to the Subscription Manager’s configuration and certificate authority files.
Create a configmap for the Subscription Manager configuration:
$ oc create configmap rhsm-conf --from-file /path/to/rhsm/rhsm.conf
Create a configmap for the certificate authority:
$ oc create configmap rhsm-ca --from-file /path/to/rhsm/ca/redhat-uep.pem
Add the Subscription Manager configuration and certificate authority to the BuildConfig:
source:
configmaps:
- configmap:
name: rhsm-conf
destinationDir: rhsm-conf
- configmap:
name: rhsm-ca
destinationDir: rhsm-ca
Docker strategy builds can use the Subscription Manager to install subscription content.
The entitlement keys, subscription manager configuration, and subscription manager certificate authority must be added as build inputs.
Use the following as an example Dockerfile
to install content with the
Subscription Manager:
FROM registry.redhat.io/rhel7:latest USER root # Copy entitlements COPY ./etc-pki-entitlement /etc/pki/entitlement # Copy subscription manager configurations COPY ./rhsm-conf /etc/rhsm COPY ./rhsm-ca /etc/rhsm/ca # Delete /etc/rhsm-host to use entitlements from the build container RUN rm /etc/rhsm-host && \ # Initialize /etc/yum.repos.d/redhat.repo # See https://access.redhat.com/solutions/1443553 yum repolist --disablerepo=* && \ subscription-manager repos --enable <enabled-repo> && \ yum -y update && \ yum -y install <rpms> && \ # Remove entitlements and Subscription Manager configs rm -rf /etc/pki/entitlement && \ rm -rf /etc/rhsm # OpenShift requires images to run as non-root by default USER 1001 ENTRYPOINT ["/bin/bash"]
Builds which use Satellite to install content must provide appropriate configurations to obtain content from Satellite repositories.
You must provide or create a yum-compatible repository configuration file, that downloads content from your Satellite instance.
Create a configmap containing the Satellite repository configuration file:
$ oc create configmap yum-repos-d --from-file /path/to/satellite.repo
Add the Satellite repository configuration to the BuildConfig:
source:
configmaps:
- configmap:
name: yum-repos-d
destinationDir: yum.repos.d
Docker strategy builds can use Satellite repositories to install subscription content.
The entitlement keys and Satellite repository configurations must be added as build inputs.
Use the following as an example Dockerfile to install content with Satellite:
FROM registry.redhat.io/rhel7:latest USER root # Copy entitlements COPY ./etc-pki-entitlement /etc/pki/entitlement # Copy repository configuration COPY ./yum.repos.d /etc/yum.repos.d # Delete /etc/rhsm-host to use entitlements from the build container RUN rm /etc/rhsm-host && \ # yum repository info provided by Satellite yum -y update && \ yum -y install <rpms> && \ # Remove entitlements rm -rf /etc/pki/entitlement # OpenShift requires images to run as non-root by default USER 1001 ENTRYPOINT ["/bin/bash"]
Docker builds normally create a layer representing each instruction in a
Dockerfile
. Setting the imageOptimizationPolicy
to SkipLayers
will merge
all instructions into a single layer on top of the base image.
Set the imageOptimizationPolicy
to SkipLayers
:
strategy: dockerStrategy: imageOptimizationPolicy: SkipLayers (1)
1 | Layers are always squashed in OpenShift Container Platform 4.1. |
See Managing imagestreams for more information.