Chapter 3. Configuring RHEL image builder repositories

To use RHEL image builder, you must ensure that the repositories are configured. You can use the following types of repositories in RHEL image builder:

Official repository overrides
Use these if you want to download base system RPMs from elsewhere than the Red Hat Content Delivery Network (CDN) official repositories, for example, a custom mirror in your network. Using official repository overrides disables the default repositories, and your custom mirror must contain all the necessary packages.
Custom third-party repositories
Use these to include packages that are not available in the official RHEL repositories.

3.1. Adding custom third-party repositories to RHEL image builder

You can add custom third-party sources to your repositories and manage these repositories by using the composer-cli.

Prerequisites

  • You have the URL of the custom third-party repository.

Procedure

  1. Create a repository source file, such as /root/repo.toml. For example:

    id = "k8s"
    name = "Kubernetes"
    type = "yum-baseurl"
    url = "https://server.example.com/repos/company_internal_packages/"
    check_gpg = false
    check_ssl = false
    system = false

    The type field accepts the following valid values: yum-baseurl, yum-mirrorlist, and yum-metalink.

  2. Save the file in the TOML format.
  3. Add the new third-party source to RHEL image builder:

    $ composer-cli sources add <file-name>.toml

Verification

  1. Check if the new source was successfully added:

    $ composer-cli sources list
  2. Check the new source content:

    $ composer-cli sources info <source_id>

3.2. Adding third-party repositories with specific distributions to RHEL image builder

You can specify a list of distributions in the custom third-party source file by using the optional distros field. RHEL image builder uses this list of distribution strings when resolving dependencies during the image build.

Any request that specifies rhel-8 uses this source. For example, if you list packages and specify rhel-8, the listing includes this source. However, listing packages for the host distribution does not include this source.

Prerequisites

  • You have the URL of the custom third-party repository.
  • You have the list of distributions that you want to specify.

Procedure

  1. Create a repository source file, such as /root/repo.toml. For example, to specify the distribution:

    check_gpg = true
    check_ssl = true
    distros = ["rhel-8"]
    id = "rh9-local"
    name = "packages for RHEL"
    system = false
    type = "yum-baseurl"
    url = "https://local/repos/rhel8/projectrepo/"
  2. Save the file in the TOML format.
  3. Add the new third-party source to RHEL image builder:

    $ composer-cli sources add <file-name>.toml

Verification

  1. Check if the new source was successfully added:

    $ composer-cli sources list
  2. Check the new source content:

    $ composer-cli sources info <source_id>

3.3. Checking repositories metadata with GPG

To detect and avoid corrupted packages, you can use the DNF package manager to check the GNU Privacy Guard (GPG) signature on RPM packages, and also to check if the repository metadata has been signed with a GPG key.

You can point to the key that you want to check against over HTTPS by setting the gpgkeys field to the key URL. Alternatively, to improve security, you can embed the whole key into the gpgkeys field, so that it is imported directly instead of being fetched from the URL.

Prerequisites

  • The directory that you want to use as a repository exists and contains packages.

Procedure

  1. Access the folder where you want to create a repository:

    $ cd repo/
  2. Run createrepo_c to create a repository from the RPM packages:

    $ createrepo_c .
  3. Access the directory where the repodata is:

    $ cd repodata/
  4. Sign your repomd.xml file:

    $ gpg -u <gpg-key-email> --yes --detach-sign --armor /srv/repo/example/repomd.xml
  5. To enable GPG signature checks in the repository:

    1. Set check_repogpg = true in the repository source.
    2. Provide the GPG key that the check is performed against. If your key is available over HTTPS, set the gpgkeys field to the key URL. You can list as many key URLs as you need.

      The following is an example:

      check_gpg = true
      check_ssl = true
      id = "signed local packages"
      name = "repository_name"
      type = "yum-baseurl"
      url = "https://local/repos/projectrepo/"
      check_repogpg = true
      gpgkeys = ["https://local/keys/repokey.pub"]

      As an alternative, add the GPG key directly in the gpgkeys field, for example:

      check_gpg = true
      check_ssl = true
      check_repogpg = true
      id = "custom-local"
      name = "signed local packages"
      type = "yum-baseurl"
      url = "https://local/repos/projectrepo/"
      gpgkeys = ["https://remote/keys/other-repokey.pub",
      '''-----BEGIN PGP PUBLIC KEY BLOCK-----
      …
      -----END PGP PUBLIC KEY BLOCK-----''']
      • If the test does not find the signature, the GPG tool shows an error similar to the following one:

        GPG verification is enabled, but GPG signature is not available.
        This may be an error or the repository does not support GPG verification:
        Status code: 404 for http://repo-server/rhel/repodata/repomd.xml.asc (IP: 192.168.1.3)
      • If the signature is invalid, the GPG tool shows an error similar to the following one:

        repomd.xml GPG signature verification error: Bad GPG signature

Verification

  • Test the signature of the repository manually:

    $ gpg --verify /srv/repo/example/repomd.xml.asc
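
As an added example that is not part of the Red Hat documentation or the osbuild-composer project, the following Python script parses the composer-cli source file format used in sections 3.1 to 3.3 and audits it for the settings that weaken verification (check_gpg or check_ssl off, a plain-http url, check_repogpg without any gpgkeys). The sample source, the placeholder key block and the parse_source and audit_source names are all constructed here.

```python
import re
# Constructed composer-cli source in this chapter's shape (not the page's own file):
# GPG checks on, one key fetched by URL, one key embedded inline, but weak TLS and URL.
SAMPLE_SOURCE = """
check_gpg = true
check_ssl = false
check_repogpg = true
id = "custom-local"
type = "yum-baseurl"
url = "http://local/repos/projectrepo/"
gpgkeys = ["https://remote/keys/other-repokey.pub",
'''-----BEGIN PGP PUBLIC KEY BLOCK-----
(constructed placeholder, not a real key)
-----END PGP PUBLIC KEY BLOCK-----''']
"""
KEY = re.compile(r"^\s*(\w+)\s*=\s*", re.M)                           # key = ...
ITEM = re.compile(r"\s*(?:,\s*)*(?:\"([^\"]*)\"|'''(.*?)''')", re.S)  # array element

def parse_source(text):
    """Parse the TOML subset composer-cli sources use: top-level key = value with
    string, boolean or array-of-string values, including multi-line ''' keys."""
    cfg, pos = {}, 0
    while m := KEY.search(text, pos):
        key, pos = m.group(1), m.end()
        if text.startswith('"', pos):                      # "string"
            end = text.index('"', pos + 1)
            cfg[key], pos = text[pos + 1:end], end + 1
        elif text.startswith("[", pos):                    # ["a", '''b''']
            items, pos = [], pos + 1
            while not text[pos:].lstrip().startswith("]"):
                im = ITEM.match(text, pos)
                items.append(im.group(2) if im.group(1) is None else im.group(1))
                pos = im.end()
            cfg[key], pos = items, text.index("]", pos) + 1
        else:                                              # true / false
            bm = re.match(r"true|false", text[pos:])
            cfg[key], pos = bm.group() == "true", pos + bm.end()
    return cfg

def audit_source(cfg):
    """Findings to clear before 'composer-cli sources add' takes this file."""
    checks = [
        (cfg.get("type") in ("yum-baseurl", "yum-mirrorlist", "yum-metalink"),
         "type must be yum-baseurl, yum-mirrorlist or yum-metalink"),
        (cfg.get("check_gpg") is True, "check_gpg is off: unsigned RPMs would be accepted"),
        (cfg.get("check_ssl") is True, "check_ssl is off: server certificate is not verified"),
        (cfg.get("url", "").startswith("https://"), "url is not https: transfers in clear text"),
        (not cfg.get("check_repogpg") or bool(cfg.get("gpgkeys")),
         "check_repogpg is on but gpgkeys is empty"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Running audit_source(parse_source(SAMPLE_SOURCE)) reports the two weak settings in the sample (check_ssl off and a plain-http url) and nothing else.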

3.4. RHEL image builder official repository overrides

The RHEL image builder osbuild-composer back end does not inherit the system repositories located in the /etc/yum.repos.d/ directory. Instead, it has its own set of official repositories defined in the /usr/share/osbuild-composer/repositories directory. This includes the Red Hat official repository, which contains the base system RPMs used to install additional software or update already installed programs to newer versions. If you want to override the official repositories, you must define overrides in /etc/osbuild-composer/repositories/. This directory is for user-defined overrides, and the files located there take precedence over those in the /usr/share/osbuild-composer/repositories/ directory.

The configuration files are not in the usual YUM repository format known from the files in /etc/yum.repos.d/. Instead, they are JSON files.

3.5. Overriding a system repository

You can configure your own repository override for RHEL image builder in the /etc/osbuild-composer/repositories directory.

Note

Prior to the RHEL 8.5 release, the repository override file is named rhel-8.json. Starting from RHEL 8.5, the names also include the minor version: rhel-84.json, rhel-85.json, and so on.

Prerequisites

  • You have a custom repository that is accessible from your host system.

Procedure

  1. Create the /etc/osbuild-composer/repositories/ directory to store your repository overrides:

    $ sudo mkdir -p /etc/osbuild-composer/repositories
  2. Create a JSON file, using a name corresponding to your RHEL version. Alternatively, you can copy the file for your distribution from /usr/share/osbuild-composer/repositories/ and modify its content.

    For RHEL 8.9, use /etc/osbuild-composer/repositories/rhel-89.json.

  3. Add the following structure to your JSON file. Specify only one of the following attributes, in the string format:

    • baseurl - The base URL of the repository.
    • metalink - The URL of a metalink file that contains a list of valid mirror repositories.
    • mirrorlist - The URL of a mirrorlist file that contains a list of valid mirror repositories.

    The remaining fields, such as gpgkey and metadata_expire, are optional.

      For example:

      {
           "x86_64": [
              {
                  "name": "baseos",
                  "baseurl": "http://mirror.example.com/composes/released/RHEL-8/8.0/BaseOS/x86_64/os/",
                  "gpgkey": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n (…)",
                  "check_gpg": true
              }
          ]
      }

      Alternatively, copy the JSON file for your distribution, replacing rhel-version.json with the file for your RHEL version, for example rhel-8.json:

      $ cp /usr/share/osbuild-composer/repositories/rhel-version.json /etc/osbuild-composer/repositories/
  4. Optional: Verify the JSON file:

    $ json_verify /etc/osbuild-composer/repositories/<file>.json
  5. Edit the baseurl paths in your override file, for example /etc/osbuild-composer/repositories/rhel-version.json, and save it.
  6. Restart the osbuild-composer.service:

    $ sudo systemctl restart osbuild-composer.service

Verification

  • Check that the repository override points to the correct URLs:

    $ cat /etc/yum.repos.d/redhat.repo

    The override points to the correct URLs when its baseurl values match the ones copied from the /etc/yum.repos.d/redhat.repo file.

3.6. Overriding a system repository that requires subscriptions

You can set up the osbuild-composer service to use system subscriptions that are defined in the /etc/yum.repos.d/redhat.repo file. To use a system subscription in osbuild-composer, define a repository override that has the following details:

  • The same baseurl as the repository defined in /etc/yum.repos.d/redhat.repo.
  • The value of "rhsm": true defined in the JSON object.

    Note

    osbuild-composer does not automatically use repositories defined in /etc/yum.repos.d/. You need to manually specify them either as a system repository override or as an additional source by using composer-cli. The “BaseOS” and “AppStream” repositories usually use system repository overrides, whereas all the other repositories use composer-cli sources.

Procedure

  1. Get the baseurl from the /etc/yum.repos.d/redhat.repo file:

    # cat /etc/yum.repos.d/redhat.repo
    [AppStream]
    name = AppStream mirror example
    baseurl = https://mirror.example.com/RHEL-8/8.0/AppStream/x86_64/os/
    enabled = 1
    gpgcheck = 0
    sslverify = 1
    sslcacert = /etc/pki/ca1/ca.crt
    sslclientkey = /etc/pki/ca1/client.key
    sslclientcert = /etc/pki/ca1/client.crt
    metadata_expire = 86400
    enabled_metadata = 0
  2. Configure the repository override to use the same baseurl and set rhsm to true:

    {
        "x86_64": [
            {
                "name": "AppStream mirror example",
                "baseurl": "https://mirror.example.com/RHEL-8/8.0/AppStream/x86_64/os/",
                "gpgkey": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n (…)",
                "check_gpg": true,
                "rhsm": true
            }
        ]
    }
  3. Restart the osbuild-composer.service:

    $ sudo systemctl restart osbuild-composer.service
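
As an added example covering the override files of sections 3.5 and 3.6 (not code from the Red Hat documentation or from osbuild-composer), this Python script checks an override document against the rules stated above: exactly one of baseurl, metalink or mirrorlist per entry, check_gpg set together with a gpgkey, and, for entries with rhsm set to true, a baseurl that also appears in /etc/yum.repos.d/redhat.repo. The redhat.repo snippet, the override JSON and the function names are constructed, and the requirement that URLs use https is this example's own stricter check, not a rule from the page.

```python
import configparser, json

# Constructed inputs in the shape this chapter shows (not the page's own files):
# a redhat.repo snippet and an override with one good entry and one faulty entry.
REDHAT_REPO = """
[AppStream]
name = AppStream mirror example
baseurl = https://mirror.example.com/RHEL-8/8.0/AppStream/x86_64/os/
enabled = 1
"""
SAMPLE_OVERRIDE = r"""{"x86_64": [
  {"name": "AppStream mirror example",
   "baseurl": "https://mirror.example.com/RHEL-8/8.0/AppStream/x86_64/os/",
   "gpgkey": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n(constructed placeholder)",
   "check_gpg": true, "rhsm": true},
  {"name": "baseos",
   "baseurl": "http://mirror.example.com/RHEL-8/8.0/BaseOS/x86_64/os/",
   "mirrorlist": "http://mirror.example.com/mirrors.txt",
   "check_gpg": false, "rhsm": true}
]}"""
SOURCE_KEYS = ("baseurl", "metalink", "mirrorlist")

def subscription_baseurls(repo_text):
    """Collect the baseurl values from redhat.repo (INI) text, as step 1 of 3.6 does by hand."""
    cp = configparser.ConfigParser()
    cp.read_string(repo_text)
    return {cp[s]["baseurl"] for s in cp.sections() if "baseurl" in cp[s]}

def check_override(override_text, rhsm_urls=frozenset()):
    """Return "arch/name: problem" strings for an override file; [] means it is ready."""
    problems = []
    for arch, repos in json.loads(override_text).items():
        for repo in repos:
            where = f"{arch}/{repo.get('name', '?')}"
            present = [k for k in SOURCE_KEYS if k in repo]
            if len(present) != 1:
                problems.append(f"{where}: exactly one of {SOURCE_KEYS} must be set, got {present}")
            for k in present:
                if not isinstance(repo[k], str) or not repo[k].startswith("https://"):
                    problems.append(f"{where}: {k} must be an https:// string")
            if repo.get("check_gpg") is not True:
                problems.append(f"{where}: check_gpg is not true, unsigned RPMs would be accepted")
            elif "gpgkey" not in repo:
                problems.append(f"{where}: check_gpg is true but gpgkey is missing")
            if repo.get("rhsm") is True and repo.get("baseurl") not in rhsm_urls:
                problems.append(f"{where}: rhsm is true but baseurl is not in redhat.repo")
    return problems
```

With the sample inputs, check_override(SAMPLE_OVERRIDE, subscription_baseurls(REDHAT_REPO)) passes the AppStream entry and reports five problems for the baseos entry.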