Announced at Redhat Summit 2019: distributing containers based on RHEL, using their Universal Base Image (UBI), is now a thing.
So, let us say you want to do some container stuff at home and use UBIs?
Registering and using a service account
- Sort yourself out with a Redhat login: redhat.com || login || register
- Logged in to Redhat, go to https://developers.redhat.com and log in there; it’ll pick up on your account and go through the terms and conditions etc.
- You will then get an active subscription – view it at https://access.redhat.com/management/products
- The recommended approach is to set up a service account; from https://access.redhat.com/containers/ select service accounts (top right).
- I did all these steps in one sitting, and couldn’t do this step.
- After 12 hours, this was still returning Access Denied.
- About four days later, this function was working.
Obviously, I gave up within a few hours of not being able to create a service account, and looked for an alternative approach.
When you look at the download instructions for a number of Redhat containers, there are two authenticated options, and one unauthenticated option.
Spoiler: for what I wanted to download, unauthenticated worked fine.
Certificate issues on Centos 7
Docker wants to get container images from Docker Hub.
To use another repository, you have to put in place the necessary certificates, sort of.

    # docker version
    Client:
     Version: 1.13.1
     API version: 1.26
     Package version: docker-1.13.1-96.gitb2f74b2.el7.centos.x86_64
     Go version: go1.10.3
     Git commit: b2f74b2/1.13.1
     Built: Wed May 1 14:55:20 2019
     OS/Arch: linux/amd64
    # docker pull registry.access.redhat.com/ubi7/ruby-25
    Using default tag: latest
    Trying to pull repository registry.access.redhat.com/ubi7/ruby-25 ...
    open /etc/docker/certs.d/registry.access.redhat.com/redhat-ca.crt: no such file or directory

Internet directs me to python-rhsm-certificates which is now replaced by subscription-manager-rhsm-certificates and was already installed.
There appears to be a bug (or feature) on Centos 7 – the new package doesn’t contain the file that the certificate symlink points to:

    # file /etc/docker/certs.d/registry.access.redhat.com/redhat-ca.crt
    /etc/docker/certs.d/registry.access.redhat.com/redhat-ca.crt: broken symbolic link to `/etc/rhsm/ca/redhat-uep.pem'

Funny thing. Folk commenting on the bug tried quite hard to put a valid certificate in place, but it turns out you don’t need to.

    # touch /etc/rhsm/ca/redhat-uep.pem
    # docker pull registry.access.redhat.com/ubi7/ruby-25
    Using default tag: latest
    Trying to pull repository registry.access.redhat.com/ubi7/ruby-25 ...
    latest: Pulling from registry.access.redhat.com/ubi7/ruby-25
    26df34a7cd86: Downloading [==============================================> ] 71.06 MB/75.85 MB
    f840832afa6e: Download complete
    1827265676ce: Download complete
    24c8c07ccf14: Downloading [================================> ] 63.19 MB/97.7 MB

So it doesn’t actually validate the certificate?
As good a reason as any to investigate alternatives to docker (podman, and so on) .. just want to get something working first.
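
A check for the state this host ends up in, as an added example that is not part of the original post: it classifies every .crt under a certs.d directory as a broken symlink, an empty file (what touch leaves behind, holding no CA certificate), a file with no PEM certificate block, or a file that has one. The function names and labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit Docker per-registry CA files under certs.d.
# classify_crt and audit_certs_d are hypothetical helper names.

# Print one label describing a single .crt path.
classify_crt() {
    f=$1
    if [ -L "$f" ] && [ ! -e "$f" ]; then
        echo broken-symlink   # link target is missing, as with redhat-ca.crt above
    elif [ ! -e "$f" ]; then
        echo missing
    elif [ ! -s "$f" ]; then
        echo empty            # zero bytes, e.g. created with touch
    elif grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
        echo has-pem          # contains at least one PEM certificate header
    else
        echo no-pem           # non-empty, but no PEM certificate block
    fi
}

# Walk <dir>/<registry>/*.crt and print "label<TAB>path" for each file.
# Returns 1 if any file is something other than has-pem.
audit_certs_d() {
    dir=${1:-/etc/docker/certs.d}
    rc=0
    for f in "$dir"/*/*.crt; do
        # An unmatched glob stays literal; keep only real files and (broken) links.
        [ -e "$f" ] || [ -L "$f" ] || continue
        label=$(classify_crt "$f")
        printf '%s\t%s\n' "$label" "$f"
        [ "$label" = has-pem ] || rc=1
    done
    return $rc
}

# Usage (as root on the Docker host): audit_certs_d /etc/docker/certs.d
```

The has-pem label only means a certificate header is present; it does not check that the certificate parses or is the expected CA.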
Investigating the ruby 2.5 UBI

    # docker images
    REPOSITORY TAG IMAGE ID CREATED SIZE
    registry.access.redhat.com/ubi7/ruby-25 latest 18a91a0c04b8 13 days ago 538 MB
    # docker run -it registry.access.redhat.com/ubi7/ruby-25 bash
    bash-4.2$ ruby --version
    ruby 2.5.5p157 (2019-03-15 revision 67260) [x86_64-linux]
    $ which bundle
    /opt/rh/rh-ruby25/root/usr/bin/bundle
    $ which rake
    /opt/rh/rh-ruby25/root/usr/bin/rake
    $ git --version
    git version 126.96.36.199