Chapter 3. Creating system images with Image Builder command-line interface
Image Builder is a tool for creating custom system images. To control Image Builder and create your custom system images, use the command-line interface which is currently the preferred method to use Image Builder.
3.1. Image Builder command-line interface
Image Builder command-line interface is currently the preferred method to use Image Builder. It offers more functionality than the Web console interface. To use this interface, run the composer-cli command with suitable options and subcommands.
The workflow for the command-line interface can be summarized as follows:
- Export (save) the blueprint definition to a plain text file
- Edit this file in a text editor
- Import (push) the blueprint text file back into Image Builder
- Run a compose to build an image from the blueprint
- Export the image file to download it
Apart from the basic subcommands to achieve this procedure, the composer-cli command offers many subcommands to examine the state of configured blueprints and composes.
To run the composer-cli command as non-root, user must be in the weldr or root groups.
3.2. Creating an Image Builder blueprint with command-line interface
This procedure describes how to create a new Image Builder blueprint using the command-line interface.
Procedure
Create a plain text file with the following contents:
name = "BLUEPRINT-NAME" description = "LONG FORM DESCRIPTION TEXT" version = "0.0.1" modules = [] groups = []
Replace BLUEPRINT-NAME and LONG FORM DESCRIPTION TEXT with a name and description for your blueprint.
Replace 0.0.1 with a version number according to the Semantic Versioning scheme.
For every package that you want to be included in the blueprint, add the following lines to the file:
[[packages]] name = "package-name" version = "package-version"
Replace package-name with name of the package, such as httpd, gdb-doc, or coreutils.
Replace package-version with a version to use. This field supports
dnfversion specifications:- For a specific version, use the exact version number such as 8.30.
- For latest available version, use the asterisk *.
- For a latest minor version, use format such as 8.*.
Blueprints can be customized in a number of ways. For this example, Simultaneous Multi Threading (SMT) can be disabled by performing the steps below. For additional customizations available, please see Supported Image Customizations.
[customizations.kernel] append = "nosmt=force"
- Save the file as BLUEPRINT-NAME.toml and close the text editor.
Push (import) the blueprint:
# composer-cli blueprints push BLUEPRINT-NAME.tomlReplace BLUEPRINT-NAME with the value you used in previous steps.
To verify that the blueprint has been pushed and exists, list the existing blueprints:
# composer-cli blueprints list
Check whether the components and versions listed in the blueprint and their dependencies are valid:
# composer-cli blueprints depsolve BLUEPRINT-NAME
You are able to create images using the composer-cli command as non-root. To do so, add your user to the weldr or root groups. To add your user to the weldr group, perform the following steps:
# usermod -a -G weldr user
$ newgrp weldr3.3. Editing an Image Builder blueprint with command-line interface
This procedure describes how to edit an existing Image Builder blueprint in the command-line interface.
Procedure
Save (export) the blueprint to a local text file:
# composer-cli blueprints save BLUEPRINT-NAME- Edit the BLUEPRINT-NAME.toml file with a text editor of your choice and make your changes.
Before finishing with the edits, make sure the file is a valid blueprint:
Remove this line, if present:
packages = []
- Increase the version number. Remember that Image Builder blueprint versions must use the Semantic Versioning scheme. Note also that if you do not change the version, the patch component of version is increased automatically.
Check if the contents are valid TOML specifications. See the TOML documentation for more information.
NoteTOML documentation is a community product and is not supported by Red Hat. You can report any issues with the tool at https://github.com/toml-lang/toml/issues
- Save the file and close the editor.
Push (import) the blueprint back into Image Builder:
# composer-cli blueprints push BLUEPRINT-NAME.tomlNote that you must supply the file name including the
.tomlextension, while in other commands you use only the name of the blueprint.To verify that the contents uploaded to Image Builder match your edits, list the contents of blueprint:
# composer-cli blueprints show BLUEPRINT-NAMECheck whether the components and versions listed in the blueprint and their dependencies are valid:
# composer-cli blueprints depsolve BLUEPRINT-NAME
3.4. Creating a system image with Image Builder in the command-line interface
This procedure shows how to build a custom image using the Image Builder command-line interface.
Prerequisites
- You have a blueprint prepared for the image.
Procedure
Start the compose:
# composer-cli compose start BLUEPRINT-NAME IMAGE-TYPE
Replace BLUEPRINT-NAME with name of the blueprint, and IMAGE-TYPE with the type of image. For possible values, see output of the
composer-cli compose typescommand.The compose process starts in the background and the UUID of the compose is shown.
Wait until the compose is finished. Please, notice that this may take several minutes.
To check the status of the compose:
# composer-cli compose status
A finished compose shows a status value FINISHED. Identify the compose in the list by its UUID.
Once the compose is finished, download the resulting image file:
# composer-cli compose image UUIDReplace UUID with the UUID value shown in the previous steps.
You can also download the logs using the
composer-cli compose logs UUIDcommand, or the metadata using thecomposer-cli compose metadata UUIDcommand.
3.5. Basic Image Builder command-line commands
The Image Builder command-line interface offers the following subcommands.
Blueprint manipulation
- List all available blueprints
# composer-cli blueprints list
- Show a blueprint contents in the TOML format
# composer-cli blueprints show BLUEPRINT-NAME- Save (export) blueprint contents in the TOML format into a file
BLUEPRINT-NAME.toml # composer-cli blueprints save BLUEPRINT-NAME- Remove a blueprint
# composer-cli blueprints delete BLUEPRINT-NAME- Push (import) a blueprint file in the TOML format into Image Builder
# composer-cli blueprints push BLUEPRINT-NAME
Composing images from blueprints
- Start a compose
# composer-cli compose start BLUEPRINT COMPOSE-TYPE
Replace BLUEPRINT with name of the blueprint to build and COMPOSE-TYPE with the output image type.
- List all composes
# composer-cli compose list
- List all composes and their status
# composer-cli compose status
- Cancel a running compose
# composer-cli compose cancel COMPOSE-UUID- Delete a finished compose
# composer-cli compose delete COMPOSE-UUID- Show detailed information about a compose
# composer-cli compose info COMPOSE-UUID- Download image file of a compose
# composer-cli compose image COMPOSE-UUID
Additional resources
The composer-cli(1) manual page provides a full list of the available subcommands and options:
$ man composer-cli
The
composer-clicommand provides help on the subcommands and options:# composer-cli help
3.6. Image Builder blueprint format
Image Builder blueprints are presented to the user as plain text in the Tom’s Obvious, Minimal Language (TOML) format.
The elements of a typical blueprint file include:
- The blueprint metadata
name = "BLUEPRINT-NAME" description = "LONG FORM DESCRIPTION TEXT" version = "VERSION"
Replace BLUEPRINT-NAME and LONG FORM DESCRIPTION TEXT with a name and description for your blueprint.
Replace VERSION with a version number according to the Semantic Versioning scheme.
This part is present only once for the whole blueprint file.
The entry modules describe the package names and matching version glob to be installed into the image.
The entry group describes a group of packages to be installed into the image. Groups categorize their packages in:
- Mandatory
- Default
Optional
Blueprints installs the mandatory packages. There is no mechanism for selecting optional packages.
- Groups to include in the image
[[groups]] name = "group-name"Replace group-name with the name of the group, such as anaconda-tools, widget, wheel or users.
- Packages to include in the image
[[packages]] name = "package-name" version = "package-version"
Replace package-name with the name of the package, such as httpd, gdb-doc, or coreutils.
Replace package-version with a version to use. This field supports
dnfversion specifications:- For a specific version, use the exact version number such as 8.30.
- For latest available version, use the asterisk *.
- For a latest minor version, use format such as 8.*.
Repeat this block for every package to include.
3.7. Supported Image Customizations
A number of image customizations are supported at this time within blueprints. In order to make use of these options, they must be initially configured in the blueprint and imported (pushed) to Image Builder.
These customizations are not currently supported within the accompanying cockpit-composer GUI.
Procedure
Set the image hostname:
[customizations] hostname = "baseimage"User specifications for the resulting system image:
[[customizations.user]] name = "USER-NAME" description = "USER-DESCRIPTION" password = "PASSWORD-HASH" key = "PUBLIC-SSH-KEY" home = "/home/USER-NAME/" shell = "/usr/bin/bash" groups = ["users", "wheel"] uid = NUMBER gid = NUMBER
NoteThe GID is optional and must already exist in the image, be created by a package, or be created by the blueprint
[[customizations.group]]entry.ImportantTo generate the hash, you must install python3 on your system. The following command will install the python3 package.
# yum install python3
Replace PASSWORD-HASH with the actual password hash. To generate the hash, use a command such as:
$ python3 -c 'import crypt,getpass;pw=getpass.getpass();print(crypt.crypt(pw) if (pw==getpass.getpass("Confirm: ")) else exit())'Replace PUBLIC-SSH-KEY with the actual public key.
Replace the other placeholders with suitable values.
Leave out any of the lines as needed, only the user name is required.
Repeat this block for every user to include.
Group specifications for the resulting system image:
[[customizations.group]] name = "GROUP-NAME" gid = NUMBER
Repeat this block for every group to include.
Set an existing users ssh key:
[[customizations.sshkey]] user = "root" key = "PUBLIC-SSH-KEY"
NoteThis option is only applicable for existing users. To create a user and set an ssh key, use the User specifications for the resulting system image customization.
Append a kernel boot parameter option to the defaults:
[customizations.kernel] append = "KERNEL-OPTION"Define a kernel name to be used in an image:
[customizations.kernel.name] name = "KERNEL-NAME"Set the timezone and the Network Time Protocol (NTP) servers for the resulting system image:
[customizations.timezone] timezone = "TIMEZONE" ntpservers = "NTP_SERVER"
If you do not set a timezone, the system uses Universal Time, Coordinated (UTC) as default. Setting NTP servers is optional.
Set the locale settings for the resulting system image:
[customizations.locale] languages = ["LANGUAGE"] keyboard = "KEYBOARD"
Setting both language and keyboard options is mandatory. You can add multiple languages. The first language you add will be the primary language and the other languages will be secondary.
Set the firewall for the resulting system image:
[customizations.firewall] port = ["PORTS"]You can use the numeric ports, or theirs names from the
/etc/servicesfile to enable lists.Customize the firewall services:
Review the available firewall services.
$ firewall-cmd --get-services
In the blueprint, under section
customizations.firewall.service, specify the firewall services that you want to customize.[customizations.firewall.services] enabled = ["SERVICES"] disabled = ["SERVICES"]
The services listed in
firewall.servicesare different from the names available in the/etc/servicesfile.You can optionally customize the firewall services for the system image that you plan to create.
NoteIf you do not want to customize the firewall services, omit the
[customizations.firewall]and[customizations.firewall.services]sections from the blueprint.Set which services to enable during the boot time:
[customizations.services] enabled = ["SERVICES"] disabled = ["SERVICES"]
You can control which services to enable during the boot time. Some image types already have services enabled or disabled so that the image works correctly and this setup cannot be overridden.
Add files from a git repository to your blueprint:
[[repos.git]] rpmname = "RPM-NAME" rpmversion = "RPM-VERSION" rpmrelease = "RPM-RELEASE" summary = "RPM-SUMMARY" repo = "REPO-URL" ref = "GIT-REF" destination = "SERVICES"
You can use entries to add files from a git repository to the created image.
For example, to create an RPM package named
server-config-1.0-1.noarch.rpm, add the following information to your blueprint:Replace _RPM-NAME with the name of the RPM package to create. This is also the prefix name in the resulting tar archive.
Replace RPM-VERSION with the version of the RPM package, for example, "1.0.0".
Replace RPM-RELEASE with the version of the RPM package release, for example, "1".
Replace RPM-SUMMARY with the summary string for the RPM package.
Replace REPO-URL with the URL of the get repository to clone and create the archive from it.
Replace GIT-REF with the git reference to check out, for example,
origin/branch-name,git tag, orgit commit hash.Replace SERVICES with the path to install the directory of the git repository when installing the RPM package.
As a consequence, the git repository you provided is cloned, the specified git reference is checked out and an RPM package is created to install the files to a destination path, for example,
/opt/server/. The RPM includes a summary with the details of the repository and reference used to create it. The RPM package is also included in the image build metadata.NoteEach time a build starts, it clones the repository. If you refer to a repository with a large amount of history, it might take a while to clone and use a significant amount of disk space. Also, the clone is temporary and is removed once the RPM package is created.
3.8. Installed Packages
When you create a system image using Image Builder, by default, the system installs a set of base packages. The base list of packages are the members of the comps core group. By default, Image Builder uses the core yum group.
Table 3.1. Default packages to support image type creation
| Image type | Default Packages |
|---|---|
| ami | checkpolicy, chrony, cloud-init, cloud-utils-growpart, @Core, dhcp-client, gdisk, insights-client, kernel, langpacks-en, net-tools, NetworkManager, redhat-release, redhat-release-eula, rng-tools, rsync, selinux-policy-targeted, tar, Yum-utils |
| openstack | @Core, langpacks-en |
| qcow2 | @Core, chrony, dnf, kernel, yum, nfs-utils, dnf-utils, cloud-init, python3-jsonschema, qemu-guest-agent, cloud-utils-growpart, dracut-norescue, tar, tcpdump, rsync, dnf-plugin-spacewalk, rhn-client-tools, rhnlib, rhnsd, rhn-setup, NetworkManager, dhcp-client, cockpit-ws, cockpit-system, subscription-manager-cockpit, redhat-release, redhat-release-eula, rng-tools, insights-client |
| rhel-edge-commit | glibc, glibc-minimal-langpack, nss-altfiles, kernel, dracut-config-generic, dracut-network, basesystem, bash, platform-python,shadow-utils, chrony, setup, shadow-utils, sudo, systemd, coreutils, util-linux, curl, vim-minimal, rpm, rpm-ostree, polkit, lvm2, cryptsetup, pinentry, e2fsprogs, dosfstools, keyutils, gnupg2, attr, xz, gzip, firewalld, iptables, NetworkManager, NetworkManager-wifi, NetworkManager-wwan, wpa_supplicant, dnsmasq, traceroute, hostname, iproute, iputils, openssh-clients, procps-ng, rootfiles, openssh-server, passwd, policycoreutils, policycoreutils-python-utils, selinux-policy-targeted, setools-console, less, tar, rsync, fwupd, usbguard, bash-completion, tmux, ima-evm-utils, audit, rng-tools, podman, container-selinux, skopeo, criu, slirp4netns, fuse-overlayfs, clevis, clevis-dracut, clevis-luks, greenboot, greenboot-grub2, greenboot-rpm-ostree-grub2, greenboot-reboot, greenboot-status |
| tar | policycoreutils, selinux-policy-targeted |
| vhd | @Core, langpacks-en |
| vmdk | @Core, chrony, firewalld, kernel, langpacks-en, open-vm-tools, selinux-policy-targeted |
When you add additional components to your blueprint, you must make sure that the packages in the components you added do not conflict with any other package components, otherwise the system fails to solve dependencies. As a consequence, you are not able to create your customized image.
Additional resources
3.9. Enabled Services
When you configure the custom image, the services enabled are the defaults services for the RHEL8 release you are running osbuild-composer from, additionally the services enabled for specific image types.
For example, the .ami image type enables the services sshd, chronyd and cloud-init and without these services, the custom image does not boot.
Table 3.2. Enabled services to support image type creation
| Image type | Enabled Services |
|---|---|
| ami | No default service |
| openstack | sshd, cloud-init, cloud-init-local, cloud-config, cloud-final |
| qcow2 | No default service |
| rhel-edge-commit | No default service |
| tar | No default service |
| vhd | sshd, chronyd, waagent, cloud-init, cloud-init-local, cloud-config, cloud-final |
| vmdk | sshd, chronyd, vmtoolsd |
Note: You can customize which services to enable during the system boot. However, for image types with services enabled by default, the customization does not override this feature.
Additional resources
3.10. Disks and Partitions Configuration using Image Builder
Image Builder does not allow disks to be partitioned. The output types that have a partitioned disk will have a single partition and additionally any platform-specific partitions that are required to boot the system image. For example, qcow2 image type has a single root partition, and possibly a platform specific boot partition - like PReP for PPC64 system - that the image requires to boot.