Chapter 3. Managing image builder repositories

You can use the following types of repositories in image builder:

Custom third-party repositories
Use these to include packages that are not available in the official RHEL repositories.
Official repository overrides
Use these if you want to download base system RPMs from elsewhere than the official repositories, for example, a custom mirror in your network. Because using official repository overrides disables the default repositories, your custom mirror must contain all the necessary packages.

3.1. Adding custom third-party repositories

You can add custom third-party sources to your repositories and manage these repositories by using the composer-cli.

Prerequisites

  • You have the URL of the custom third-party repository.

Procedure

  1. Create a repository source file:

    id = "repository_id"
    name = "repository_name"
    type = "repository_type"
    url = "repository-url"
    check_gpg = false
    check_ssl = false

    For example:

    id = "k8s"
    name = "Kubernetes"
    type = "yum-baseurl"
    url = "https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64"
    check_gpg = false
    check_ssl = false
    system = false
  2. Save the file in the TOML format.
  3. Add the new third-party source with the following command:

    $ composer-cli sources add <file-name>.toml

Verification

  • Check if the new source was successfully added:

    $ composer-cli sources list
  • Check the new source content:

    $ composer-cli sources info <source_id>

3.2. Adding third-party repositories with specific distributions

You can specify a list of distributions in the custom third-party source file by using the optional field distros. Image builder uses this list of distribution strings when it resolves dependencies during the image build.

Any request that specifies rhel-9 will use this source. For example, if you list packages and specify rhel-9, it will include this source. However, listing packages for the host distribution will not include this source.

Procedure

  1. Create a repository source file:

    check_gpg = true
    check_ssl = true
    distros = ["list_of_distributions"]
    id = "repository_id"
    name = "repository-name"
    system = false
    type = "repository_type"
    url = "repository-url"

    For example, to specify the distribution:

    check_gpg = true
    check_ssl = true
    distros = ["rhel-9"]
    id = "rh9-local"
    name = "packages for RHEL"
    system = false
    type = "yum-baseurl"
    url = "http://local/repos/rhel9/projectrepo/"
  2. Save the file in the TOML format.

3.3. Checking repositories metadata with GPG

To detect and avoid corrupted packages, you can use the DNF package manager to check the GNU Privacy Guard (GPG) signature on RPM packages, and also to check if the repository metadata has been signed with a GPG key.

For security reasons, you can distribute the key in a separate channel from the RPMs, by making your GPG key available over https. You can indicate which GPG key to use to do the check, by setting check_repogpg = true in the source. If the key is available over https, set the gpgkeys entry to the URL for the key. Optionally, you can also embed the whole key into the source gpgkeys entry to import it directly instead of fetching it from the URL.

Procedure

  1. Access the folder where you want to create a repository:

    $ cd repo/
  2. Run the createrepo_c to create a repository from RPM packages:

    $ createrepo_c .
  3. Access the directory where the repodata is:

    $ cd repodata/
  4. Set up a repository by signing your repomd.xml file:

    $ gpg -u YOUR-GPG-KEY-EMAIL --yes --detach-sign --armor repomd.xml
  5. Check the GPG signature.

    1. Set check_repogpg = true in the repository source.
    2. If your key is available over https, set the gpgkeys field to the URL of the key. You can add as many key URLs as you need. The following is an example:

      check_gpg = true
      check_ssl = true
      id = "repository_id"
      name = "repository_name"
      system = false
      type = "repository_type"
      url = "repository_URL"
      check_repogpg = true
      gpgkeys = ["_GPG_key_URL"]
    3. Optional: You can embed the whole key into the gpgkeys field. You can add as many keys as you need. For example, add the GPG key directly in the gpgkeys field:

      check_gpg = true
      check_ssl = true
      check_repogpg = true
      id = "repository_id"
      name = "repository_name"
      system = false
      type = "repository_type"
      url = "repository_URL"
      gpgkeys = ["GPG_key"]

Verification

  • Test the signature of the repository manually:

    $ gpg --verify repomd.xml.asc
  • If the test does not find the signature, you are prompted with an error similar to the following one:

    GPG verification is enabled, but GPG signature is not available.
    This may be an error or the repository does not support GPG verification:
    Status code: 404 for http://repo-server/rhel/repodata/repomd.xml.asc (IP: 192.168.1.3)
  • If the signature is invalid, you are prompted with an error similar to the following one:

    repomd.xml GPG signature verification error: Bad GPG signature
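The source files in sections 3.1 to 3.3 all share the same flat TOML shape, and the security of the resulting image rests on a handful of their fields (check_gpg, check_ssl, check_repogpg, gpgkeys and the URL scheme). The following added example, which is not part of this documentation or of osbuild-composer, parses that flat subset and reports settings that leave packages or repository metadata unverified. The sample source texts, the URLs in them and the finding messages are constructed for the example; the parser does not handle multi-line TOML strings, so a GPG key embedded directly in gpgkeys is outside what it reads.

```python
"""Lint an image builder source definition (the TOML file passed to
`composer-cli sources add`) for settings that weaken package verification.

Added example; it is not part of the Red Hat documentation or of
osbuild-composer. The parser covers only the flat key = value subset that
the source files in this chapter use (strings, booleans, arrays of strings).
"""
import re

_PAIR = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)$')
REQUIRED_FIELDS = ("id", "name", "type", "url")


def _parse_value(raw):
    """Convert one TOML value: bare true/false, a quoted string, or an array of strings."""
    if raw in ("true", "false"):
        return raw == "true"
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if raw.startswith("[") and raw.endswith("]"):
        return re.findall(r'"([^"]*)"', raw)
    raise ValueError(f"unsupported TOML value: {raw!r}")


def parse_source(text):
    """Parse the flat TOML subset used by composer-cli source files into a dict."""
    source = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = _PAIR.match(stripped)
        if not match:
            raise ValueError(f"line {lineno}: expected key = value")
        source[match.group(1)] = _parse_value(match.group(2))
    return source


def lint_source(source):
    """Return findings about verification settings; an empty list means none."""
    findings = []
    for field in REQUIRED_FIELDS:
        if field not in source:
            findings.append(f"missing required field {field}")
    url = source.get("url", "")
    if url.startswith("http://"):
        findings.append("url uses plain http; packages and metadata can be altered in transit")
    if source.get("check_gpg") is not True:
        findings.append("check_gpg is not true; RPM signatures are not verified")
    if url.startswith("https://") and source.get("check_ssl") is not True:
        findings.append("check_ssl is not true; the mirror's TLS certificate is not verified")
    if source.get("check_repogpg") is True and not source.get("gpgkeys"):
        findings.append("check_repogpg is true but gpgkeys is empty; no key is configured for the metadata check")
    for key in source.get("gpgkeys", []):
        if key.startswith("http://"):
            findings.append(f"GPG key is fetched over plain http: {key}")
    return findings


# Constructed sample: the third-party source from section 3.1 with checks disabled.
WEAK_SOURCE = """
id = "k8s"
name = "Kubernetes"
type = "yum-baseurl"
url = "https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64"
check_gpg = false
check_ssl = false
system = false
"""

# Constructed sample: a distribution-specific source with package and metadata checks on.
HARDENED_SOURCE = """
check_gpg = true
check_ssl = true
check_repogpg = true
distros = ["rhel-9"]
id = "rh9-local"
name = "packages for RHEL"
system = false
type = "yum-baseurl"
url = "https://repo.example.com/rhel9/projectrepo/"
gpgkeys = ["https://repo.example.com/keys/RPM-GPG-KEY-example"]
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_SOURCE), ("hardened", HARDENED_SOURCE)):
        print(f"{label}:")
        for finding in lint_source(parse_source(text)) or ["no findings"]:
            print(f"  - {finding}")
```

Run the linter over each file before passing it to composer-cli sources add; a source that disables check_gpg is worth a deliberate decision, because every package it provides then enters the image unverified.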

3.4. Image builder default system repositories

The osbuild-composer back end does not inherit the system repositories located in the /etc/yum.repos.d/ directory. Instead, it has its own set of official repositories defined in the /usr/share/osbuild-composer/repositories directory. This includes the Red Hat official repository, which contains the base system RPMs to install additional software or update already installed programs to newer versions. If you want to override the official repositories, you must define overrides in /etc/osbuild-composer/repositories. This directory is for user defined overrides and the files located there take precedence over those in the /usr directory.

The configuration files are not in the usual DNF repository format known from the files in /etc/yum.repos.d/. Instead, they are simple JSON files.

3.5. Overriding a system repository

You can configure a repository override for image builder in the /etc/osbuild-composer/repositories directory with the following steps.

Prerequisites

  • You have a custom repository that is accessible from the host system

Procedure

  1. Create a directory where you want to store your repository overrides:

    $ sudo mkdir -p /etc/osbuild-composer/repositories
  2. You can create your own JSON file structure.
  3. Create a JSON file, using a name corresponding to your RHEL version. Alternatively, you can copy the file for your distribution from /usr/share/osbuild-composer/ and modify its content.

    For RHEL 9, use /etc/osbuild-composer/repositories/rhel-92.json.

  4. Add the following structure to your JSON file, for example:

    {
        "<ARCH>": [
            {
                "name": "baseos",
                "baseurl": "http://mirror.example.com/composes/released/RHEL-9/9.0/BaseOS/x86_64/os/",
                "gpgkey": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n (…)",
                "check_gpg": true,
                "metadata_expire": ""
            }
        ]
    }

    Specify only one of the following attributes:

    • baseurl - string: a base URL of the repository.
    • metalink - string: a URL of a metalink file that contains a list of valid mirror repositories.
    • mirrorlist - string: a URL of a mirrorlist file that contains a list of valid mirror repositories

    The remaining fields are optional.

    Alternatively, you can copy the JSON file for your distribution to the directory you created. In the following command, replace rhel-version.json with your RHEL version, for example: rhel-9.json.

      $ cp /usr/share/osbuild-composer/repositories/rhel-version.json /etc/osbuild-composer/repositories/
  5. Using a text editor, edit the baseurl paths in the rhel-9.json file and save it. For example:

    $ vi /etc/osbuild-composer/repositories/rhel-version.json
  6. Restart the osbuild-composer.service:

    $ sudo systemctl restart osbuild-composer.service

Verification

  • Check if the repository points to the correct URLs:

    $ cat /etc/yum.repos.d/redhat.repo

    You can see that the repository points to the correct URLs which are copied from the /etc/yum.repos.d/redhat.repo file.

3.6. Overriding a system repository with support for subscriptions

The osbuild-composer service can use system subscriptions that are defined in the /etc/yum.repos.d/redhat.repo file. To use a system subscription in osbuild-composer, define a repository override that has:

  • The same baseurl as the repository defined in /etc/yum.repos.d/redhat.repo.
  • The value of "rhsm": true defined in the JSON object.

Prerequisites

Procedure

  1. Obtain the baseurl from the /etc/yum.repos.d/redhat.repo file:

    # cat /etc/yum.repos.d/redhat.repo
    [AppStream]
    name = AppStream mirror example
    baseurl = https://mirror.example.com/RHEL-9/9.0/AppStream/x86_64/os/
    enabled = 1
    gpgcheck = 0
    sslverify = 1
    sslcacert = /etc/pki/ca1/ca.crt
    sslclientkey = /etc/pki/ca1/client.key
    sslclientcert = /etc/pki/ca1/client.crt
    metadata_expire = 86400
    enabled_metadata = 0
  2. Configure the repository override to use the same baseurl and set rhsm to true:

    {
        "x86_64": [
            {
                "name": "AppStream mirror example",
                "baseurl": "https://mirror.example.com/RHEL-9/9.0/AppStream/x86_64/os/",
                "gpgkey": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n (…)",
                "check_gpg": true,
                "rhsm": true
            }
        ]
    }
    Note

    osbuild-composer does not automatically use repositories defined in /etc/yum.repos.d/. You need to manually specify them either as a system repository override or as an additional source using composer-cli. System repository overrides are usually used for “BaseOS” and “AppStream” repositories, whereas composer-cli sources are used for all the other repositories.

As a result, image builder reads the /etc/yum.repos.d/redhat.repo file from the host system and uses it as a source of subscriptions.
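Sections 3.5 and 3.6 state the rules an override file must follow: an object keyed by architecture, a list of repository objects under each key, exactly one of baseurl, metalink or mirrorlist per object, and, for a subscription-backed override, the same baseurl as the entry in /etc/yum.repos.d/redhat.repo together with "rhsm": true. Because osbuild-composer reads the file only after a service restart, it helps to check those rules first. The following added example, which is not part of this documentation or of osbuild-composer, reads the baseurl values from a redhat.repo text and validates an override JSON against them. The sample redhat.repo, the two override files and the placeholder gpgkey are constructed for the example.

```python
"""Check an osbuild-composer repository override (a JSON file under
/etc/osbuild-composer/repositories/) before restarting the service.

Added example; it is not part of the Red Hat documentation or of
osbuild-composer. It applies the rules stated in the text: the file maps an
architecture to a list of repository objects, each object carries exactly one
of baseurl, metalink or mirrorlist, and an object with "rhsm": true must use
the same baseurl as the matching entry in /etc/yum.repos.d/redhat.repo.
"""
import configparser
import json

LOCATION_KEYS = ("baseurl", "metalink", "mirrorlist")


def subscribed_baseurls(redhat_repo_text):
    """Collect the baseurl of every section in a redhat.repo style file."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(redhat_repo_text)
    return [parser[section]["baseurl"] for section in parser.sections()
            if "baseurl" in parser[section]]


def validate_override(override_text, known_baseurls=()):
    """Return a list of problems; an empty list means the override passes."""
    problems = []
    try:
        data = json.loads(override_text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    if not isinstance(data, dict) or not data:
        return ["top level must be an object keyed by architecture"]
    for arch, repos in data.items():
        if not isinstance(repos, list):
            problems.append(f"{arch}: value must be a list of repository objects")
            continue
        for index, repo in enumerate(repos):
            label = f"{arch}[{index}]"
            if not isinstance(repo, dict):
                problems.append(f"{label}: entry must be an object")
                continue
            present = [key for key in LOCATION_KEYS if key in repo]
            if len(present) != 1:
                problems.append(f"{label}: exactly one of baseurl, metalink or mirrorlist "
                                f"is allowed, found {present or 'none'}")
            for key in present:
                if str(repo[key]).startswith("http://"):
                    problems.append(f"{label}: {key} uses plain http; metadata can be altered in transit")
            if repo.get("check_gpg") is not True:
                problems.append(f"{label}: check_gpg is not true; RPM signatures are not verified")
            if repo.get("rhsm") is True and known_baseurls and repo.get("baseurl") not in known_baseurls:
                problems.append(f"{label}: rhsm is true but baseurl matches no entry in redhat.repo")
    return problems


# Constructed sample: the redhat.repo excerpt shown in section 3.6.
REDHAT_REPO = """[AppStream]
name = AppStream mirror example
baseurl = https://mirror.example.com/RHEL-9/9.0/AppStream/x86_64/os/
enabled = 1
gpgcheck = 0
sslverify = 1
metadata_expire = 86400
"""

# Constructed sample: a subscription-backed override that follows the rules.
GOOD_OVERRIDE = """{
  "x86_64": [
    {
      "name": "AppStream mirror example",
      "baseurl": "https://mirror.example.com/RHEL-9/9.0/AppStream/x86_64/os/",
      "gpgkey": "-----BEGIN PGP PUBLIC KEY BLOCK-----\\n\\n(constructed placeholder)",
      "check_gpg": true,
      "rhsm": true
    }
  ]
}"""

# Constructed sample: two location keys, plain http, no GPG check, and a
# baseurl that does not appear in redhat.repo although rhsm is set.
BAD_OVERRIDE = """{
  "x86_64": [
    {
      "name": "baseos",
      "baseurl": "http://mirror.example.com/RHEL-9/9.0/BaseOS/x86_64/os/",
      "mirrorlist": "https://mirror.example.com/mirrors.txt",
      "check_gpg": false,
      "rhsm": true
    }
  ]
}"""

if __name__ == "__main__":
    known = subscribed_baseurls(REDHAT_REPO)
    for label, text in (("good", GOOD_OVERRIDE), ("bad", BAD_OVERRIDE)):
        print(f"{label}:")
        for problem in validate_override(text, known) or ["no problems"]:
            print(f"  - {problem}")
```

Feed the real files in with open(...).read() and run the check before systemctl restart osbuild-composer.service; an override that reports no problems still only tells you the file is well-formed and consistent with redhat.repo, so the mirror itself must of course be one you trust.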