Table of Contents
Using the Red Hat Container Catalog (RHCC), you can find container images that have been tested, secured, and verified by Red Hat. To help you get started using the RHCC, this article steps you through the different ways to find Red Hat container images using search or explore techniques. Once you find the images that interest you, use this article to identify important information for evaluating, acquiring, and using those images.
Checking out the RHCC Home Page
To start, you should visit the Red Hat Container Catalog home page. Figure 1 shows an example of that page:
Figure 1: Red Hat Container Catalog Home Page
Here are some highlights of the Red Hat Container Catalog home page:
Search Box: Type one or more keyword terms to search the RHCC for container images and application categories.
Explore: Select this button to explore the catalog based on Repository Activity, Popular Products, Popular Applications, or Image Architecture.
Get Started: Select this button to view this article on using the RHCC.
FAQ: Select this button to see a list of questions and answers related to general container information, ways of exploring the RHCC, techniques for acquiring container images, using container images, and container security.
Favorites: Select this button to view a page of Image Repositories and Products you selected as Favorites (identified with a star) in the RHCC.
Recently Updated: View descriptions of the three RHCC image repositories that have most recently had updated images included in their repositories.
Recently Added: View descriptions of the three newest image repositories that have been created and added to the RHCC.
Products: View links identified by Red Hat Product names to see lists of containers associated with those products.
Application Categories: View links identified by application categories (virtualization platform, container platform, and operating system) to see containers associated with those application categories.
Image Architectures: View links identified by image types (Application, Builder, Base, and Ansible Playbook Bundle images) to see containers associated with those types of images.
Scroll down to see more information about using Red Hat container images.
Searching for a container image
To start a search of the Red Hat Container Catalog, enter one or more search terms. The search box suggests a list of Image Repositories and Products based on entered search terms. Figure 2 shows an example of a search for the term rhel7 and the suggested products and repositories that appear as you type:
Figure 2: The RHCC recommends products and image repositories as you type
Select SEARCH to see a list of search results, or select a suggested product or image repository to see details for it. Figure 3 shows the results from selecting the SEARCH button for rhel7.
Figure 3: View search results, organized by Image Repositories and Products
Search results are divided into two categories: Image Repositories and Products. Select the Images Repository or Products tab to see results that include the following information:
Image Repositories: A list of image repositories associated with the search term that may span multiple products. For each repository that appears in the list, you can see its name, a short description, when it was most recently updated, the latest version and its health grade. Select the image repository that interests you to see more details about it.
Products: A list of products that contain the search term. Each product whose description or related image repositories include the search term will appear on the product list. You will see the product name, the vendor (usually Red Hat), and the application category associated with the product. Select a product to see all image repositories associated with the product, as well as links to more information about that product.
NOTE: You can search for a particular release of an image when multiple versions exist. For example, instead of searching for rhel6 (which results in multiple images being found), you could search for rhel6.8 to find a specific version of the image.
Examining an image repository
Once you select an image repository, a page representing the image repository appears. Figure 4 shows an example of the rsyslog image repository page.
Figure 4: Get information about an image from its image repository page
There is a wealth of information on each image page. Starting at the top, here is the type of content you can find:
Name, By and Product: Along with the base name of the image (rsyslog in this case) you can see the organization that created it (by Red Hat, Inc.) and the product it is associated with (in Product Red Hat Enterprise Linux).
Full image identity: The registry name (registry.access.redhat.com), along with the repository and image name (rhel7/rsyslog) needed to identify the image when you go to pull it.
NOTE: The Red Hat container registry is in the process of moving from registry.access.redhat.com to registry.redhat.io. The new registry requires authentication. See Red Hat Container Registry Authentication for details.
Most recent tag: When an image is updated, a new tag is added to the image. In this example, the most recent tag is 7.3-18. Other information associated with that tag includes the date this image was updated and a link to any advisory associated with the image. The image advisory link leads to an errata description of features added to the most recent update of the image and descriptions of any bugs that have been resolved.
Health Index: The health grade associated with the image. Grades range from A to F. A grade of "A" indicates the highest level of confidence that the content of the image is secure and up to date. In particular, it means that any Critical or Important security updates associated with the image have all been applied and that the image was built fairly recently. See Container Health Index grades as used inside the Red Hat Container Catalog for details on the meaning of each grade.
Details about the image are available on the Overview, Get this image, Tech Details, Documentation, and Tags tabs. The deepest set of information is available from the Tags tab, where you can find detailed security information on the health associated with each version of the image (as indicated by each tag name).
Overview: A short description of the image. The Repository Specifications table shows additional information about the image.
Get this Image: From this tab, select the drop-down box under “Choose your platform” to see descriptions of different ways of acquiring the image. For the rsyslog image, the recommended way to acquire the image is with Atomic. Using “atomic install”, the image is pulled to the local system, appropriate permissions are opened to the host system, and needed files are mounted from the host. Try other selections (Red Hat Satellite, OpenShift, Docker, and Runc) to see other commands you can use to acquire the image.
Tech Details: Environment variables, the default command run by the container, labels, and other useful information from inside the container is displayed under this tab.
Documentation: Links from this tab take you to documentation that describes either the image itself or how to use the software contained in the image.
Tags: The most critical security information for a repository is contained on the Tags tab. The next section describes how to evaluate the security of an image based on information you can find on the Tags tab.
Checking security for a particular image tag
Each image, represented by the base image name and specific tag representing the version of the image, has its own security evaluation that you can see from the Tags tab on the image repository page. As security updates are applied to an image, it becomes more secure (healthier). That's why in most cases you want to use the most recent version tag available for an image. Figure 5 shows an example of the Tags tab for the rsyslog image repository.
Figure 5: The Tags tab displays the tag name, date pushed, image advisory, health index, signing information, and Docker Image ID for each image in a repository
The Tags tab was designed to determine the health and history of the images in a repository in both graphical and table form. The table on the Tags tab provides a quicker way to view each tag version and adds information about support streams and any floating tags associated with a particular tag version.
Select a particular tag name to see more details about it. Figure 6 shows an example of the most recent tag for the rsyslog image.
Figure 6: Determine the health, package list and Dockerfile for a tag
Because the latest rsyslog tag was recently built and contains all known updates, it has an "A" health rating. If there were known Critical or Important security vulnerabilities available that had not been applied, it would receive a lower rating. Moderate and Low vulnerabilities don't impact the grade.
To get an idea of what the package contains, select the Package List tab. That tab displays a list of RPM packages contained in the image, along with each package's version number and short description. You can search that list of package names and descriptions for search terms that interest you. By selecting the Dockerfile tab, you can see the instructions contained in the Dockerfile that was used to build this particular image (if it is available).
If you were to select an image tag representing an older image that doesn't contain all available updates, you will receive a warning that an updated image is available. The image will carry a lower health index grade and a list of affected packages will show which needs to be upgraded and the impact of the fix in that package (critical, important, moderate, or low).
Figure 7 shows an earlier image tag associated with the rsyslog repository. As you can see, the fact that there is a more recent image that contains a critical update that was not applied to this image has brought this image tag's health index to a "C" grade. By scrolling down, you could see the affected packages and click on links to associated security advisories.
Figure 7: A low health index reflects that Critical or Important vulnerabilities have gone unpatched for a period of time
Exploring the RHCC
An alternative way of finding images from the RHCC is using the Explore feature. From the RHCC home page, select the Explore or Explore the Catalog button. Figure 8 shows the RHCC Explore page:
Figure 8: Select Explore to find container images by exploring image categories
Here are some ways to find images from the Explore the Catalog page:
Repository Activity: Images that are new, updated or in the top 50 most popular in the past 30 days are available through links under this heading.
Popular Products: From this section, you can see popular products, representing links to the images that go with those products. This includes images for Red Hat Enterprise Linux, Red Hat OpenShift, and Red Hat Gluster Storage.
Popular Application Categories: Image repositories here are grouped by the type of applications they are associated with. There are categories such as Mobile Application Development Platform, and Operating System.
Image Architectures: Choose images by their type, including application image (intended to run on their own), base image (small, generic images used to build other images), and builder image (images that are themselves built with base images, with extra software added so you can build applications that require special run-time environments from them).
Learning more about each image
To get a better understanding of each image listed in the RHCC, there are ways that you can dig out other useful details about the image. Here are some examples:
How can I see a list of all versions of an image inside a repository?
Image versions are indicated by tags. To see the tags associated with an image repository, go to the main page for an image repository and select the Tags tab. If there are multiple versions associated with a repository, they are represented by a list of Tag Names displayed on that page.
What do the different Docker tags mean on the Tag tab?
Many of the images in the RHCC have multiple tags associated with them. The tag is the part of the image name that appears at the end of the base image name. If you try to pull an image using the base name alone, with no tag added, it implies that the tag to be used is :latest. So, for example, the image repository named registry.access.redhat.com/rhel7/rhel actually implies registry.access.redhat.com/rhel7/rhel:latest.
Besides :latest, image tags are typically used to identify the version of the image. For example, the latest container image for RHEL 7.3 could be identified as :7.3-82 (the 82nd iteration of the 7.3 image), :7.3 (the latest 7.3 image available) and :latest (the latest RHEL 7 image available).