RHEL Docker Base Image


I have a couple of questions about RHEL and Docker:

  1. Is there an official RHEL Docker base image?

  2. Are there official Docker user space tools or is the version in the EPEL the current, "most official" version?

  3. Are there official Red Hat documents on how to use Docker in RHEL?

Responses

  1. The only indication I have seen regarding Docker and RHEL is its inclusion in Fedora and comments regarding its potential inclusion in RHEL7, so I can't imagine there are any official base images currently available.

  2. There is no docker IO package in the current RHEL 5/6 repositories so you will likely have to wait until RHEL 7 for this (anyone confirm if docker-io is in RHEL 7 Beta 1 repo?). I wouldn't necessarily interpret inclusion in EPEL as 'official' in any sense, 'most convenient' probably better describes it. If you are just looking to experiment/test docker out, I would suggest trying Fedora which already has it rolled in.

  3. See 1. The only official documentation I have seen regarding containers (not Docker specific) is in the RHEL 7 Beta documentation here:
    https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/Linux_Containers_Guide/

Docker site itself states "Docker is still under heavy development! We don’t recommend using it in production yet, but we’re getting closer with each release." so it's probably a bit premature to expect official anything from Red Hat at this point in time (although I am keen to find out otherwise!)

It's cool tech, and it will be a great inclusion if/when it makes its way in.

Thanks for the feedback. I should have originally posted that I had read this announcement and took it to mean that docker was supported in RHEL 6.5/7.

I have been playing with RHEL7 (in Docker :-) under RHEL 6.5 with user space tools from the EPEL), and I can verify that the Beta of RHEL 7 does not have the docker-io user space tools available....yet. This is partially what caused the confusion. I have seen announcements that Docker will be officially supported in RHEL 7.

Yes, I have followed the Docker announcements quite closely. The greater community is definitely hungry to use Docker with RHEL, even if just for testing.


Interested to know what you plan to use Docker for. Do you have a specific commercial application that you have in mind? Security segregation? Alternative to full virtualisation? Software distribution / deployment?

I have used containers in commercial environments in the past and have been through the docker documentation and examples but I am falling short on where I would find a practical use for it currently (ie. where it could drastically improve something in the environments I am managing).

Keen to hear what your plans are!

Have been spending more time in docker and can say that it is relatively straightforward to build a RHEL base image using the mkimage-yum.sh script found here:
https://github.com/dotcloud/docker/blob/master/contrib/mkimage-yum.sh

It's awesome to see just how seriously Red Hat are taking this tech and I assume that the inclusion of production ready container management is what may be slowing down the RHEL 7 release :)

RH Summit Press Conference also outlined that it would be included in the upcoming RHEL7 RC1 (dropped in ~a week apparently) with a more complete version included in the RC2 release (don't believe there was a date given)

RHEL 7 RC1 is released for Partners by now.
Generally available on Monday 21st

Interestingly the link on the download page now says 'Release Candidate' but the isos are still the beta (with same sha 256 sum).

https://access.redhat.com/downloads/content/226/ver=/rhel---7/x86_64/product-downloads

I don't think that link is public yet...

I browsed to it through the RHEL Beta download page... I don't have any specific privilege in my RHN account.

It's linked to from here:
https://access.redhat.com/downloads/content/rhel_beta

I don't know where everyone is getting their info - please refer to the actual press release from Summit:

http://www.redhat.com/about/news/press-archive/2014/4/linux-container-innovations - more specifically:

"High-Touch Beta Program – an expansion of the Red Hat Enterprise Linux 7 high-touch beta program to include Red Hat Enterprise Linux Atomic Host and Docker container technologies that will enable select customers to evaluate these new container technologies in enterprise environments."

"A High-Touch Beta Program including Red Hat Enterprise Linux Atomic Host and Docker container technologies will be available for select customers in the coming months. General availability for Red Hat Enterprise Linux Atomic Host will be announced at a later date."

So don't expect a fully-supported generally available production use Docker as part of RHEL 7 GA.

As for the Release Candidate, not sure where people are getting the 21-Apr date from either. We hope that the RC will be pushed sometime this week though.

My comments are referring to the RHEL 7 RC1 which is apparently including a partially functional but not feature complete implementation of Docker (from the press conference).

This information was straight from the press conference video (will get a link). I don't know where the April 21st date came from, that's for Jan to answer :D.

If anyone reading this thread is waiting to try Atomic Host, I'd suggest grabbing the Fedora 20 version from the upstream project:
http://www.projectatomic.io/download/

-edit-

To clarify, the comment from the press conference regarding RHEL 7 RC1 was:
"Will have some of the core enablement for containers"

Press conference was "Taking Applications To The Open Hybrid Cloud" by Paul Cormier and the comment was in response to a question (response wasn't from Paul).

The conference Q&A also provided the ~1 week timeline for the RC1 drop which I mentioned.

Can you (or anyone else) clarify if the docker-io packages will be in RC1 in any form?

The RHEL 7 RC will not contain docker userspace packages required to enable the kernel-side pieces, AFAIK. This is where the High Touch Beta comes in - those participants will get access to all packages needed for in-RHEL 7 docker enablement.

In case you weren't at Summit last week - check out this breakout session that could be relevant:

2014 Red Hat Summit: Application Centric Packaging with Docker and Linux Containers

Watched it yesterday. Was a well put together presentation and have forwarded it on to a few devs to get them on board.

I think it failed to fully address the point of security patching containers. Yes you can just redeploy the image with new versions but if you are running all manner of containers from all manner of ISVs, having an overall status of installed / running application libraries becomes difficult.

This was semi-addressed in the heartbleed discussion with the suggestion that OpenSSL termination could be run in its own container and then a replacement of that container resolves the SSL patching, but I think deeper discussion on the other example, e.g. multiple Java stacks, needs to be had.

If I have a production environment with application centric packaged apps (i.e. each running their own bespoke Java configuration) as an administrator of that container host I'd have no visibility of what libraries are running or exposed to the outside world from within the containers. I concede that the risk is mitigated slightly due to the limited context of the application's container but the likelihood is that the application container will still have access to content, e.g. from a persistent DB/File resource, if compromised.

I believe not being able to provide a patch compliance status for the environment overall is going to be a shortfall in enterprise environments and am interested to know what Red Hat is working on in this space?

Could we harness the packaging infrastructure to help with this? If the Docker Host inspected the containers for their packages lists you would have good, but not comprehensive, coverage lists. [I am not speaking for Red Hat]

This could be a possibility if we were in Red Hatopia, but I would expect with the flexibility that Docker brings users/devs/vendors will run all manner of distribution flavours inside their Docker images (and fetch them from all manner of different sources). In saying that though, if they were Red Hat Docker images it would definitely be nice to have some method of unified management of their patching compliance.

My greater concern is with external vendors providing Docker images as has been suggested as a software distribution method that could be leveraged in the future. With internal developers you will possibly have the opportunity to 'steer' their choice of distribution towards Red Hat. If a third party were to supply a Docker image with their product you will have no visibility of how they have configured it (unless you pull it apart) or what distro/version/configuration they are using.

Anyone who has had the pleasure of installing Linux software from third party vendors will likely agree that security and best practice are the first casualties in the install process (there are a few exceptions) and having this hidden from view may not be optimal.

I think the tech is awesome and it is a genuine 'game changer', I guess my concern is that the enterprise management side will lag behind and Linux admins will become the tech 'party poopers'. I would love to see an initiative from Red Hat to certify vendors and their products (in docker images), as I find the current self certification yields some interesting interpretations of 'compatible'.
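An added example (not part of the original thread) of the idea raised above: the Docker host collects each container's RPM list and checks it against a patch baseline, while containers that return no RPM data are reported as unknown rather than compliant. The container names, version strings and baseline are constructed, and the version ordering is a simplified form of RPM's segment comparison.

```python
import re
from itertools import zip_longest

# Constructed sample data: what each container might return for
#   docker exec <container> rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
# Container names and version strings are made up for illustration.
SAMPLE_INVENTORY = {
    "web-frontend": "openssl 1.0.1e-15.el6\nbash 4.1.2-15.el6\n",
    "billing-java": "openssl 1.0.1e-16.el6_5.7\nbash 4.1.2-15.el6\n",
    "vendor-app": "",  # non-RPM image: the query produced no output
}
# Hypothetical baseline: oldest acceptable version-release per package.
BASELINE = {"openssl": "1.0.1e-16.el6"}

def _cmp_part(a, b):
    """Compare segment by segment: digit runs numerically, letter runs lexically."""
    seg = lambda s: re.findall(r"\d+|[A-Za-z]+", s)
    for x, y in zip_longest(seg(a), seg(b)):
        if x is None or y is None:
            return -1 if x is None else 1      # extra trailing segment is newer
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1    # a numeric segment beats letters
        kx, ky = (int(x), int(y)) if x.isdigit() else (x, y)
        if kx != ky:
            return -1 if kx < ky else 1
    return 0

def compare_vr(a, b):
    """Order two 'version-release' strings (epoch, '~' and '^' not handled)."""
    va, _, ra = a.rpartition("-")
    vb, _, rb = b.rpartition("-")
    return _cmp_part(va, vb) or _cmp_part(ra, rb)

def audit(inventory, baseline):
    """Map each container to its below-baseline packages, or mark it unknown."""
    report = {}
    for container, text in inventory.items():
        pkgs = dict(l.split(None, 1) for l in text.splitlines() if " " in l.strip())
        if not pkgs:
            report[container] = ["NO-RPM-DATA"]  # not covered by this check
            continue
        report[container] = [
            f"{name} {pkgs[name]} < {minimum}"
            for name, minimum in sorted(baseline.items())
            if name in pkgs and compare_vr(pkgs[name], minimum) < 0
        ]
    return report

if __name__ == "__main__":
    for container, findings in audit(SAMPLE_INVENTORY, BASELINE).items():
        print(container, findings or "OK")
```
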

The RHEL 7 RC is now available publicly (since 21st) just as was promised at the summit. You can get to it from the regular redhat ftp site.
ftp://ftp.redhat.com/redhat/rhel/rc/7/
But I can't find the 'promised' docker user land tools?

As Andrius has said above, the RC only includes kernel side portions and not user space tools (as I interpreted the 'core enablement for containers' to mean).

Unless you get access to the high touch beta, I think Fedora or RHEL 6 with EPEL docker-io packages is probably the closest alternative.

PixelDrift is correct! There was never any promise of making docker userspace publicly available. It isn't ready. Also, the RC was available on the 23rd (not the 21st).

Andrius,

What's involved in registering to be part of the high touch beta?

Ping your TAM (Technical Account Manager). Having a TAM is a requirement for the high touch beta for guaranteeing a consistent interface to the product teams.

Hi, the docker images are ready on:
https://access.redhat.com/search/browse/docker-images#?

Thanks Mario,

What kind of subscription is required to get this image? I receive the following error:
"A subscription is required to download this software. Start an evaluation or purchase a subscription now."

Also, are you able to provide the script that was used to build this image?

Lastly, do Red Hat plan to release RHEL 5 and RHEL 6 docker images for migration purposes? (ie. migrating legacy apps to RHEL 7 using docker).

Thanks again!

It appears it was a timing issue. Tried to download again this morning and it worked fine.

Still keen to get access to the build scripts for the images if they are made available.

All, check out the Docker FAQ page, which links to the Getting Started guide. This should help get you going.

Can someone please clarify this question from the FAQ, it's a little ambiguous:

What subscriptions are required?
Red Hat Enterprise Linux Server subscriptions are required to enable the complete docker-based container workflow.

If I run a RHEL docker base image on a non RHEL host, do I need a full RHEL subscription?
I assume because of licensing this image can't really be used for derivative works / distribution; how is this handled when vendors want to distribute a product using docker with RHEL as base?

With what appears to be a high focus on everything to do with subscriptions at the moment (from Red Hat), can we get some clarity around exactly what license is required to run docker images in RHEL 7 as well. Does the basic RHEL 7 license alone cover unlimited docker containers on a RHEL 7 host?

Will Red Hat be releasing a RHEL 6 docker image to ease migration of third party applications to RHEL 7?

All,

I tried using the containers officially provided by RH (e.g. for RH 6.5). Once I install a small thing (e.g. sudo) from the same version (no OS upgrade to 6.6), container size increases for no obvious reason. Even with docker-squash, the size is still up from 155Mb to ~300Mb only by adding sudo, even after including cleanup and flattening (docker-squash with export|import). For cleanup I used https://github.com/docker/docker/blob/master/contrib/mkimage-rinse.sh , etc, yum clean all, quite a few rm -rf, the image is still increased a lot more than expected.

Can anyone point to other official or non-official cleanup methods to decrease the size of containers to their real values beyond the methods above?