Chapter 11. Red Hat Enterprise Linux Atomic Host

Included in the release of Red Hat Enterprise Linux 7.1 is Red Hat Enterprise Linux Atomic Host - a secure, lightweight, and minimal-footprint operating system optimized to run Linux containers. It has been designed to take advantage of the powerful technology available in Red Hat Enterprise Linux 7. Red Hat Enterprise Linux Atomic Host uses SELinux to provide strong safeguards in multi-tenant environments, and provides the ability to perform atomic upgrades and rollbacks, enabling quicker and easier maintenance with less downtime. Red Hat Enterprise Linux Atomic Host uses the same upstream projects delivered via the same RPM packaging as Red Hat Enterprise Linux 7.
Red Hat Enterprise Linux Atomic Host is pre-installed with the following tools to support Linux containers:
Red Hat Enterprise Linux Atomic Host makes use of the following technologies:
  • OSTree and rpm-OSTree - These projects provide atomic upgrades and rollback capability.
  • systemd - The powerful new init system for Linux that enables faster boot times and easier orchestration.
  • SELinux - Enabled by default (enforcing) to provide mandatory access control between containers and between containers and the host in multi-tenant environments.

New features in Red Hat Enterprise Linux Atomic Host 7.1.4

  • The iptables-service package has been added.
  • Automatic "command forwarding" can now be enabled: a command that is not found on Red Hat Enterprise Linux Atomic Host is retried inside the RHEL Atomic Tools container. The feature is disabled by default and requires the RHEL Atomic Tools image to already be pulled onto the system. To enable it, uncomment the export line in the /etc/sysconfig/atomic file so that it reads:
    export TOOLSIMG=rhel7/rhel-tools
    
  • The atomic command:
    • You can now pass three options (OPT1, OPT2, OPT3) through a LABEL in a Dockerfile. Developers reference these variables in the label so that users can supply additional arguments on the atomic command line. The following is an example RUN label from a Dockerfile (the variables must be separated by spaces, otherwise the option and the image name are joined into one word):
      LABEL RUN="docker run ${OPT1} ${IMAGE}"
      With this label, running the following command:
      atomic run --opt1="-ti" image_name
      is identical to running
      docker run -ti image_name
    • You can now use ${NAME} and ${IMAGE} anywhere in a label; atomic substitutes the container name and the image name respectively.
    • ${SUDO_UID} and ${SUDO_GID} are set (to the IDs of the user who invoked sudo) and can be used in an image LABEL, for example to run the container as that user rather than as root.
    • The atomic mount command mounts the file system of the given container or image (by ID or name) at the given directory. Optionally, you can provide a registry and tag to select a specific version of an image.
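The label expansion described above, and the RUN, INSTALL and UNINSTALL labels that atomic reads from an image, mean that the docker command line is decided by whoever built the image, not by the user typing `atomic run`. The following bash functions are an added example, not atomic's own code: `expand_label` performs the `${NAME}`, `${IMAGE}`, `${OPT1..3}`, `${SUDO_UID}` and `${SUDO_GID}` substitution with plain string replacement (no `eval`, so a label cannot execute shell code during expansion), and `audit_run_cmd` flags the flags in the expanded command that give a container reach into the host. The list of "dangerous" flags is this example's own choice; the sample labels are constructed, and whether atomic itself expands labels this way is not stated on the page.

```bash
#!/bin/bash
# Added example (not atomic's code): expand an atomic-style label and audit the
# docker command it produces before trusting it.

# expand_label LABEL NAME IMAGE [OPT1 [OPT2 [OPT3]]]
# ${SUDO_UID}/${SUDO_GID} come from the environment (set by sudo) or from id(1).
# Plain string replacement only; the label is never passed to eval or sh -c.
expand_label() {
    local label=$1 NAME=$2 IMAGE=$3 OPT1=${4-} OPT2=${5-} OPT3=${6-}
    local SUDO_UID=${SUDO_UID-$(id -u)} SUDO_GID=${SUDO_GID-$(id -g)}
    local var
    for var in NAME IMAGE OPT1 OPT2 OPT3 SUDO_UID SUDO_GID; do
        label=${label//"\${$var}"/${!var}}
    done
    printf '%s\n' "$label"
}

# host_critical_src SRC -> true if a bind-mount source hands over the host.
# The set below is the example's own policy, not atomic's.
host_critical_src() {
    case $1 in
        /|/var/run/docker.sock|/run/docker.sock) return 0 ;;
    esac
    return 1
}

# audit_run_cmd COMMAND
# Prints each argument that widens the container's reach into the host and
# returns 1 if any were found, so it can gate an automated `atomic run`.
audit_run_cmd() {
    local -a argv findings=()
    local i arg src
    read -r -a argv <<<"$1"
    for ((i = 0; i < ${#argv[@]}; i++)); do
        arg=${argv[i]}
        case $arg in
            --privileged|--pid=host|--net=host|--ipc=host|--cap-add=ALL)
                findings+=("$arg") ;;
            -v|--volume)
                src=${argv[i+1]%%:*}
                host_critical_src "$src" && findings+=("$arg ${argv[i+1]}") ;;
            --volume=*|-v/*)
                src=${arg#--volume=}; src=${src#-v}; src=${src%%:*}
                host_critical_src "$src" && findings+=("$arg") ;;
        esac
    done
    ((${#findings[@]})) && printf '%s\n' "${findings[@]}"
    return $(( ${#findings[@]} > 0 ))
}

# Constructed sample labels (not from a real image).
SAFE_LABEL='docker run ${OPT1} ${IMAGE}'
HOST_LABEL='docker run -d --privileged --net=host -v /:/host --name ${NAME} ${IMAGE}'

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    for label in "$SAFE_LABEL" "$HOST_LABEL"; do
        cmd=$(expand_label "$label" web image_name -ti)
        echo "label:    $label"
        echo "expanded: $cmd"
        if audit_run_cmd "$cmd"; then echo "verdict:  no host-reaching flags"
        else echo "verdict:  review before running"; fi
        echo
    done
fi
```

On a real host the label text comes from `docker inspect`, for example `docker inspect -f '{{index .Config.Labels "RUN"}}' image_name`, and the same audit applies to the INSTALL and UNINSTALL labels, which are also executed on the user's behalf.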

New features in Red Hat Enterprise Linux Atomic Host 7.1.3

  • rpm-OSTree has been enhanced to provide a unique machine ID for each machine provisioned.
  • Support for remote-specific GPG keyring has been added, specifically to associate a particular GPG key with a particular OSTree remote.
  • The atomic command:
    • atomic upload — allows the user to upload a container image to a docker repository or to a Pulp/Crane instance.
    • atomic version — displays the "Name Version Release" container label in the following format: ContainerID;Name-Version-Release;Image/Tag
    • atomic verify — inspects an image to verify that the image layers are based on the latest image layers available. For example, if you have a MongoDB application based on rhel7-1.1.2 and a rhel7-1.1.3 base image is available, the command will inform you there is a later image.
    • A D-Bus interface has been added for the verify and version commands.

New features in Red Hat Enterprise Linux Atomic Host 7.1.2

The atomic command-line interface is now available for Red Hat Enterprise Linux 7.1 as well as Red Hat Enterprise Linux Atomic Host. Note that the feature set differs between the two systems: only Red Hat Enterprise Linux Atomic Host includes support for OSTree updates. The atomic run command is supported on both platforms.
  • atomic run allows a container to specify its run-time options via the RUN meta-data label. This is used primarily for containers that need elevated privileges. Because the docker options come from the image's label rather than from the user, inspect the label (for example with docker inspect) before running an image you do not trust.
  • atomic install and atomic uninstall allow a container to specify install and uninstall scripts via the INSTALL and UNINSTALL meta-data labels. These scripts are also taken from the image, so the same caution applies.
  • atomic now supports container upgrade and checking for updated images.
The iscsi-initiator-utils package has been added to Red Hat Enterprise Linux Atomic Host. This allows the system to mount iSCSI volumes; Kubernetes has gained a storage plugin to set up iSCSI mounts for containers.
systemd is also built with support for the Integrity Measurement Architecture (IMA), audit, and libwrap (TCP wrappers).

Important

Red Hat Enterprise Linux Atomic Host is not managed in the same way as other Red Hat Enterprise Linux 7 variants. Specifically:
  • The Yum package manager is not used to update the system and install or update software packages. For more information, see Installing Applications on Red Hat Enterprise Linux Atomic Host.
  • There are only two directories on the system with write access for storing local system configuration: /etc/ and /var/. The /usr/ directory is mounted read-only. Other directories are symbolic links to a writable location - for example, the /home/ directory is a symlink to /var/home/. For more information, see Red Hat Enterprise Linux Atomic Host File System.
  • The default partitioning dedicates most of the available space to container storage and configures Docker to use direct Logical Volume Management (LVM) thin provisioning instead of the default loopback-file-backed devicemapper storage.
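The read-only /usr mount is the property that makes the deployed tree tamper-evident, so it is worth checking on a running host. The following bash functions are an added example, not part of the Red Hat documentation: `mount_state` reads a mount table in the layout produced by `findmnt -rno TARGET,SOURCE,OPTIONS` and reports whether a target is mounted `ro`, `rw`, or is not a mount point at all, and `verify_layout` checks the expectations stated above (/usr read-only, /var writable). The SAMPLE_MOUNTS table is constructed for the example, not captured from a real host.

```bash
#!/bin/bash
# Added example (not from the Atomic Host documentation): verify the read-only
# /usr invariant from a mount table.

# Constructed sample in `findmnt -rno TARGET,SOURCE,OPTIONS` layout.
SAMPLE_MOUNTS='/sysroot /dev/mapper/atomicos-root rw,relatime,seclabel
/ /dev/mapper/atomicos-root rw,relatime,seclabel
/usr /dev/mapper/atomicos-root ro,relatime,seclabel
/var /dev/mapper/atomicos-root rw,relatime,seclabel
/boot /dev/sda1 rw,relatime,seclabel'

# mount_state TARGET TABLE -> prints "ro", "rw", or "missing" (not a mount point)
mount_state() {
    local target=$1 table=$2
    awk -v t="$target" '
        $1 == t {
            n = split($3, o, ",")
            for (i = 1; i <= n; i++)
                if (o[i] == "ro" || o[i] == "rw") { print o[i]; found = 1; exit }
        }
        END { if (!found) print "missing" }' <<<"$table"
}

# verify_layout TABLE -> one line per expectation; returns 1 if any is violated.
# A writable /usr means the deployment has been unlocked or the mount tampered with.
verify_layout() {
    local table=$1 rc=0 spec path want got
    for spec in /usr:ro /var:rw; do
        path=${spec%:*}; want=${spec#*:}
        got=$(mount_state "$path" "$table")
        if [ "$got" = "$want" ]; then
            echo "ok    $path is $want"
        else
            echo "FAIL  $path expected $want, found $got"
            rc=1
        fi
    done
    return $rc
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    # On a real host replace the sample with: findmnt -rno TARGET,SOURCE,OPTIONS
    verify_layout "$SAMPLE_MOUNTS"
fi
```

Run on a live system as `verify_layout "$(findmnt -rno TARGET,SOURCE,OPTIONS)"`; a non-zero exit is a signal to look at `atomic host status` and the mount history before trusting the host.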
Red Hat Enterprise Linux Atomic Host 7.1.1 provides new versions of Docker and etcd, and maintenance fixes for the atomic command and other components.