using Red Hat Universal Base Images

Announced Redhat Summit 2019, distribution of containers based on RHEL using their universal base image is now a thing.

So, let us say you want to do some container stuff at home and use UBIs?

Registering and using a service account

Sources

  1. Sort yourself out with a Redhat login:  redhat.com || login || register
  2. Logged in to Redhat, go to https://developers.redhat.com and log in there; it’ll pick up on your account and go through the terms and condtions etc.
  3. You will then get an active subscription – view it at https://access.redhat.com/management/products
  4. The recommended approach is to set up a service account; from https://access.redhat.com/containers/ select service accounts (top right).
    • I did all these steps in one sitting, and couldn’t do this step.
    • After 12 hours, this was still returning Access Denied.
    • About four days later, this function was working.

Obviously, I gave up within a few hours of not being able to create a service account, and looked for an alternative approach.

Unauthenticated downloads

When you look at the download instructions for a number of Redhat containers, there’s two authenticated options, and one unauthenticated option.

Spoiler: for what I wanted to download, unauthenticated worked fine.

 

Certificate issues on Centos 7

Docker wants to get container images from docker hub.

To use another repository, you have to put in place the necessary certificates, sort of.

# docker version
Client:
Version: 1.13.1
API version: 1.26
Package version: docker-1.13.1-96.gitb2f74b2.el7.centos.x86_64
Go version: go1.10.3
Git commit: b2f74b2/1.13.1
Built: Wed May 1 14:55:20 2019
OS/Arch: linux/amd64
# docker pull registry.access.redhat.com/ubi7/ruby-25
Using default tag: latest
Trying to pull repository registry.access.redhat.com/ubi7/ruby-25 ... 
open /etc/docker/certs.d/registry.access.redhat.com/redhat-ca.crt: no such file or directory

Internet directs me to python-rhsm-certificates which is now replaced by subscription-manager-rhsm-certificates and was already installed.

There appears to be a bug (or feature) on Centos 7 – the new package doesn’t contain:

# file /etc/docker/certs.d/registry.access.redhat.com/redhat-ca.crt
/etc/docker/certs.d/registry.access.redhat.com/redhat-ca.crt: broken symbolic link to `/etc/rhsm/ca/redhat-uep.pem'

Funny thing. Folk commenting on the bug tried quite hard to put a valid certificate in place, but it turns out you don’t need to.

# touch /etc/rhsm/ca/redhat-uep.pem
# docker pull registry.access.redhat.com/ubi7/ruby-25
Using default tag: latest
Trying to pull repository registry.access.redhat.com/ubi7/ruby-25 ... 
latest: Pulling from registry.access.redhat.com/ubi7/ruby-25
26df34a7cd86: Downloading [==============================================>    ] 71.06 MB/75.85 MB
f840832afa6e: Download complete 
1827265676ce: Download complete 
24c8c07ccf14: Downloading [================================>                  ] 63.19 MB/97.7 MB

So it doesn’t actually validate the certificate?

As good a reason as any to investigate alternatives to docker (podman, and so on) .. just want to get something working first.

Investigating the ruby 2.5 UBI

# docker images
REPOSITORY                                TAG                 IMAGE ID            CREATED             SIZE
registry.access.redhat.com/ubi7/ruby-25   latest              18a91a0c04b8        13 days ago         538 MB
# docker run -it registry.access.redhat.com/ubi7/ruby-25 bash
bash-4.2$ ruby --version
ruby 2.5.5p157 (2019-03-15 revision 67260) [x86_64-linux]
$ which bundle
/opt/rh/rh-ruby25/root/usr/bin/bundle
$ which rake
/opt/rh/rh-ruby25/root/usr/bin/rake
$ git --version
git version 1.8.3.1

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s