Release Notes

Red Hat Enterprise Linux Atomic Host 7

Red Hat Atomic Host Documentation Team

Abstract

Information about each release, including known issues and technology previews

Chapter 1. Overview

This book covers the updates from the following CDN channels:

  • Atomic Host - delivers the cumulative, image-based updates for the Atomic Host (the OSTree), as well as updates to the individual RPMs that contain tooling used to build and manage OSTrees, and to the OSTree components that enable the use of container applications, for example cockpit-ostree and openscap. However, such RPMs cannot be downloaded and used on Red Hat Enterprise Linux.
  • Extras-7 - delivers updates on container-related RPMs, most of which are also available as part of the OSTree for RHEL Atomic Host. The packages marked with an asterisk (*) are only available for Red Hat Enterprise Linux, and are not part of the Atomic Host OSTree. This channel also delivers updates on the official Container Images based on Red Hat Enterprise Linux.

For detailed information on the Red Hat Enterprise Linux Atomic Host cycle, see https://access.redhat.com/support/policy/updates/extras/.

All official Red Hat container images are available from Red Hat Registry.

To update your RHEL Atomic Host to the latest OSTree, run the atomic host upgrade command.

1.1. Red Hat Enterprise Linux Atomic Host

Red Hat Enterprise Linux Atomic Host is a secure, lightweight, and minimal-footprint operating system optimized to run Linux containers. It is pre-installed with the following tools to support Linux containers:

  • docker - an open source engine that automates the deployment of any application as a lightweight, portable, self-sufficient container that will run virtually anywhere
  • atomic - defines the entrypoint for Atomic hosts
  • kubernetes - provides container cluster management
  • etcd - provides a highly-available key value store for shared configuration
  • flannel - contains an etcd-driven address management agent, which manages IP addresses of overlay networks between systems running containers that need to communicate with one another

Red Hat Enterprise Linux Atomic Host makes use of the following technologies:

  • OSTree and rpm-OSTree - These projects provide atomic upgrades and rollback capability
  • systemd - a new init system for Linux that enables faster boot times and easier orchestration
  • SELinux - enabled by default to provide complete multi-tenant security

Also, Cockpit is available on Red Hat Enterprise Linux as a separate Extras package and on Red Hat Enterprise Linux Atomic Host, as the cockpit-ws Container Image. Cockpit is a server administration interface that makes it easy to administer Red Hat Enterprise Linux servers through a web browser.

Chapter 2. Red Hat Enterprise Linux Atomic Host 7.5.1

2.1. Atomic Host

OSTree update:

New Tree Version: 7.5.1 (hash: c0211e0b703930dd0f0df8b9f5e731901fce8e15e00b3bc76d3cf00df44eb6e8)
Changes since Tree Version 7.5.0 (hash: 5df677dcfef08a87dd0ace55790e184a35716cf11260239216bfeba2eb7c60b0)

Updated packages:

  • cockpit-ostree-165-3.el7

2.2. Extras

Updated packages:

  • docker-1.13.1-63.git94f4240.el7
  • buildah-0.16.0-2.git6f7d05b.el7
  • skopeo-0.1.29-3.dev.git7add6fc.el7
  • atomic-1.22.1-3.git2fd0860.el7
  • docker-distribution-2.6.2-2.git48294d9.el7
  • cockpit-165-3.el7
  • etcd-3.2.18-1.el7
  • runc-1.0.0-27.rc5.dev.git4bb1fe4.el7

The asterisk (*) marks packages which are available for Red Hat Enterprise Linux only.

New packages:

  • podman-0.4.1-4.gitb51d327.el7

2.2.1. Container Images

Updated:

  • Red Hat Enterprise Linux 7 Init Container Image (rhel7/rhel7-init)
  • Red Hat Enterprise Linux 7.5 Container Image (rhel7.5, rhel7, rhel7/rhel, rhel)
  • Red Hat Enterprise Linux Atomic Identity Management Server Container Image (rhel7/ipa-server)
  • Red Hat Enterprise Linux Atomic Image (rhel-atomic, rhel7-atomic, rhel7/rhel-atomic)
  • Red Hat Enterprise Linux Atomic Net-SNMP Container Image (rhel7/net-snmp)
  • Red Hat Enterprise Linux Atomic OpenSCAP Container Image (rhel7/openscap)
  • Red Hat Enterprise Linux Atomic SSSD Container Image (rhel7/sssd)
  • Red Hat Enterprise Linux Atomic Support Tools Container Image (rhel7/support-tools)
  • Red Hat Enterprise Linux Atomic Tools Container Image (rhel7/rhel-tools)
  • Red Hat Enterprise Linux Atomic cockpit-ws Container Image (rhel7/cockpit-ws)
  • Red Hat Enterprise Linux Atomic etcd Container Image (rhel7/etcd)
  • Red Hat Enterprise Linux Atomic flannel Container Image (rhel7/flannel)
  • Red Hat Enterprise Linux Atomic open-vm-tools Container Image (rhel7/open-vm-tools)
  • Red Hat Enterprise Linux Atomic rsyslog Container Image (rhel7/rsyslog)
  • Red Hat Enterprise Linux Atomic sadc Container Image (rhel7/sadc)

Chapter 3. Red Hat Enterprise Linux Atomic Host 7.5.0

3.1. Atomic Host

OSTree update:

New Tree Version: 7.5.0 (hash: 5df677dcfef08a87dd0ace55790e184a35716cf11260239216bfeba2eb7c60b0)
Changes since Tree Version 7.4.5 (hash: 6cb4d618030f69aa4a5732aa0795cb7fe2c167725273cffa11d0357d80e5eef0)

Updated packages:

  • openscap-daemon-0.1.10-1.el7
  • rpm-ostree-client-2018.1-1.atomic.el7

3.2. Extras

Updated packages:

  • buildah-0.15-1.gitd1330a5.el7
  • cockpit-160-3.el7
  • container-selinux-2.55-1.el7
  • container-storage-setup-0.9.0-1.rhel75.gite0997c3.el7
  • docker-1.13.1-58.git87f2fab.el7
  • docker-latest-1.13.1-58.git87f2fab.el7
  • dpdk-17.11-7.el7
  • etcd-3.2.15-2.el7
  • flannel-0.7.1-3.el7
  • ostree-2018.1-4.el7
  • rhel-system-roles-0.6-3.el7 *
  • skopeo-0.1.29-1.dev.gitb08350d.el7

The asterisk (*) marks packages which are available for Red Hat Enterprise Linux only.

3.2.1. Container Images

Updated:

  • Red Hat Enterprise Linux 7 Init Container Image (rhel7/rhel7-init)
  • Red Hat Enterprise Linux 7.5 Container Image (rhel7.5, rhel7, rhel7/rhel, rhel)
  • Red Hat Enterprise Linux Atomic Identity Management Server Container Image (rhel7/ipa-server)
  • Red Hat Enterprise Linux Atomic Image (rhel-atomic, rhel7-atomic, rhel7/rhel-atomic)
  • Red Hat Enterprise Linux Atomic Net-SNMP Container Image (rhel7/net-snmp)
  • Red Hat Enterprise Linux Atomic OpenSCAP Container Image (rhel7/openscap)
  • Red Hat Enterprise Linux Atomic SSSD Container Image (rhel7/sssd)
  • Red Hat Enterprise Linux Atomic Support Tools Container Image (rhel7/support-tools)
  • Red Hat Enterprise Linux Atomic Tools Container Image (rhel7/rhel-tools)
  • Red Hat Enterprise Linux Atomic cockpit-ws Container Image (rhel7/cockpit-ws)
  • Red Hat Enterprise Linux Atomic etcd Container Image (rhel7/etcd)
  • Red Hat Enterprise Linux Atomic flannel Container Image (rhel7/flannel)
  • Red Hat Enterprise Linux Atomic open-vm-tools Container Image (rhel7/open-vm-tools)
  • Red Hat Enterprise Linux Atomic rsyslog Container Image (rhel7/rsyslog)
  • Red Hat Enterprise Linux Atomic sadc Container Image (rhel7/sadc)

3.3. New Features

  • overlay2 is now the default storage driver

    The default storage driver for Docker has changed from devicemapper to overlay2. In existing installations of versions of Atomic Host prior to 7.5.0, devicemapper remains the default driver. Upgrading such existing installations does not change the configured driver.

    For more information on the overlay2 driver and for instructions on switching from devicemapper to overlay2, see Using the Overlay Graph Driver.

  • Red Hat container registry will require authentication

    In the future, the Red Hat container registry will move from registry.access.redhat.com to registry.redhat.io. As part of this change, containers will eventually become available only to subscribed and authenticated systems.

    For more information, see Red Hat Container Registry Authentication.

  • Buildah is now fully supported

    The buildah tool has been upgraded from a Technology Preview to a fully supported feature.

    The buildah tool facilitates building of OCI container images. It enables you to:

    • Create a working container, either from scratch or using an image as a starting point.
    • Create an image, either from a working container or using the instructions in a Dockerfile.
    • Build both Docker and OCI images.
    • Mount a working container’s root filesystem for manipulation.
    • Unmount a working container’s root filesystem.
    • Use the updated contents of a container’s root filesystem as a filesystem layer to create a new image.
    • Delete a working container or an image.

    See Building container images with buildah for more information and usage instructions.

  • User namespaces in docker now fully supported

    While the user namespaces feature is fully supported beginning with the RHEL 7.4 kernel, the implementation of user namespaces associated with the docker service was a Technology Preview until RHEL Atomic Host 7.5. Now it is fully supported.

    See User namespaces options for more information and usage instructions.

  • Manual setup of Kubernetes is deprecated

    As announced earlier, beginning with RHEL 7.5 and RHEL Atomic Host 7.5 Red Hat will no longer support the manual setup of Kubernetes. Manual Kubernetes setups from previous releases, likewise, are not supported. Components impacted by this change include the following deprecated Kubernetes RPM packages, images, and associated documentation:

    RPM Packages:

    • kubernetes
    • kubernetes-devel
    • kubernetes-client
    • kubernetes-master
    • kubernetes-node
    • kubernetes-unit-test
    • cadvisor

    Container Images:

    • registry.access.redhat.com/rhel7/kubernetes-apiserver
    • registry.access.redhat.com/rhel7/kubernetes-controller-mgr
    • registry.access.redhat.com/rhel7/kubernetes-scheduler
    • registry.access.redhat.com/rhel7/pod-infrastructure

    Documentation:

    From now on, none of the software or documentation listed will be updated. For information on Red Hat’s officially supported Kubernetes-based products, see the following documentation sets:

  • docker-latest deprecated, to be removed later

    The docker-latest version of Docker is still available, but is now deprecated. In a later release, it will be removed.

  • docker and docker-latest are now the same version (1.13)

    docker and docker-latest are now the same version, which is 1.13.

  • ansible removed from the Extras channel

    Ansible and its dependencies have been removed from the Extras channel. Instead, the Red Hat Ansible Engine product has been made available and will provide access to the official Ansible Engine channel. Customers who have previously installed Ansible and its dependencies from the Extras channel are advised to enable and update from the Ansible Engine channel, or uninstall the packages as future errata will not be provided from the Extras channel.

    Ansible was previously provided in Extras (for AMD64 and Intel 64 architectures, and IBM POWER, little endian) as a runtime dependency of, and limited in support to, the Red Hat Enterprise Linux (RHEL) System Roles. Ansible Engine is available today for AMD64 and Intel 64 architectures, with IBM POWER, little endian availability coming soon.

    Note that Ansible in the Extras channel was not a part of the Red Hat Enterprise Linux FIPS validation process.

    The following packages have been deprecated from the Extras channel:

    • ansible
    • ansible-doc
    • libtomcrypt
    • libtommath
    • libtommath-devel
    • python2-crypto
    • python2-jmespath
    • python-httplib2
    • python-paramiko
    • python-paramiko-doc
    • python-passlib
    • sshpass

    The python2-crypto, libtomcrypt, and libtommath packages are no longer needed as Ansible dependencies in the new Red Hat Ansible Engine product and will probably not be updated. Customers are advised to uninstall them.

    For more information and guidance, see this Knowledgebase article.

    Note that Red Hat Enterprise Linux System Roles, available as a Technology Preview, continue to be distributed through the Extras channel. Although Red Hat Enterprise Linux System Roles no longer depend on the ansible package, installing ansible from the Ansible Engine repository is still needed to run playbooks that use Red Hat Enterprise Linux System Roles.

Chapter 4. Red Hat Enterprise Linux Atomic Host 7.4.5

4.1. Atomic Host

OSTree update:

New Tree Version: 7.4.5 (hash: 4af8e7e81f8051abc4a49dce23c8a75574abe8ad33faa5d52b59d992330d7f27)
Changes since Tree Version 7.4.4 (hash: 91b59e14c4eef641f388cbc5b2cbbdd4653a89f4053d684217d9c1c9394c3dd3)

Updated packages:

  • cockpit-ostree-160-1.el7

4.2. Extras

Updated packages:

  • atomic-1.22.1-1.gitd36c015.el7
  • buildah-0.11-3.git49095a8.el7
  • cockpit-160-1.el7
  • container-selinux-2.42-1.gitad8f0f7.el7
  • docker-1.13.1-53.git774336d.el7
  • docker-latest-1.13.1-53.git774336d.el7
  • etcd-3.2.15-1.el7
  • gomtree-0.5.0-0.2.git16da0f8.el7
  • oci-register-machine-0-6.git2b44233.el7
  • oci-systemd-hook-0.1.15-2.gitc04483d.el7
  • oci-umount-2.3.3-3.gite3c9055.el7
  • rhel-system-roles-0.6-1.el7 *
  • runc-1.0.0-26.rc4.dev.git9f9c962.el7
  • skopeo-0.1.28-1.git0270e56.el7

The asterisk (*) marks packages which are available for Red Hat Enterprise Linux only.

4.2.1. Container Images

Updated:

  • Red Hat Enterprise Linux 7 Init Container Image (rhel7/rhel7-init)
  • Red Hat Enterprise Linux 7.4 Container Image (rhel7.4, rhel7, rhel7/rhel, rhel)
  • Red Hat Enterprise Linux Atomic Identity Management Server Container Image (rhel7/ipa-server)
  • Red Hat Enterprise Linux Atomic Image (rhel-atomic, rhel7-atomic, rhel7/rhel-atomic)
  • Red Hat Enterprise Linux Atomic Kubernetes apiserver Container Image (rhel7/kubernetes-apiserver)
  • Red Hat Enterprise Linux Atomic Kubernetes controller-manager Container (rhel7/kubernetes-controller-mgr)
  • Red Hat Enterprise Linux Atomic Kubernetes scheduler Container Image (rhel7/kubernetes-scheduler)
  • Red Hat Enterprise Linux Atomic Net-SNMP Container Image (rhel7/net-snmp)
  • Red Hat Enterprise Linux Atomic OpenSCAP Container Image (rhel7/openscap)
  • Red Hat Enterprise Linux Atomic SSSD Container Image (rhel7/sssd)
  • Red Hat Enterprise Linux Atomic Support Tools Container Image (rhel7/support-tools)
  • Red Hat Enterprise Linux Atomic Tools Container Image (rhel7/rhel-tools)
  • Red Hat Enterprise Linux Atomic cockpit-ws Container Image (rhel7/cockpit-ws)
  • Red Hat Enterprise Linux Atomic etcd Container Image (rhel7/etcd)
  • Red Hat Enterprise Linux Atomic flannel Container Image (rhel7/flannel)
  • Red Hat Enterprise Linux Atomic open-vm-tools Container Image (rhel7/open-vm-tools)
  • Red Hat Enterprise Linux Atomic rsyslog Container Image (rhel7/rsyslog)
  • Red Hat Enterprise Linux Atomic sadc Container Image (rhel7/sadc)

4.3. New Features

  • docker and docker-latest are now the same version

    In RHEL Atomic Host 7.4.5, docker and docker-latest are both version 1.13.1. In RHEL Atomic Host 7.5.0, docker-latest will be available, but deprecated. In a later version of RHEL Atomic Host, docker-latest will be removed.

  • ansible deprecated in the Extras channel

    Ansible and its dependencies are no longer updated through the Extras channel. For more information, see the 7.5.0 release note about Ansible removal.

Chapter 5. Red Hat Enterprise Linux Atomic Host 7.4.4

5.1. Atomic Host

OSTree update:

New Tree Version: 7.4.4 (hash: 91b59e14c4eef641f388cbc5b2cbbdd4653a89f4053d684217d9c1c9394c3dd3)
Changes since Tree Version 7.4.3 (hash: 83350a7fb3a3ebd09c5996eec5ec8307f61bbb463b999bdfece223288927a60f)

Updated packages:

  • cockpit-ostree-157-1.el7
  • rpm-ostree-client-2017.11-1.atomic.el7

5.2. Extras

Updated packages:

  • ansible-2.4.2.0-2.el7 *
  • buildah-0.9-1.git04ea079.el7
  • cockpit-157-1.el7
  • container-selinux-2.36-1.gitff95335.el7
  • docker-1.12.6-71.git3e8e77d.el7
  • docker-latest-1.13.1-37.git9a813fa.el7
  • etcd-3.2.11-1.el7
  • gomtree-0.4.2-2.1.el7
  • oci-register-machine-0-3.14.gitcd1e331.el7
  • oci-systemd-hook-0.1.14-2.git9b1e622.el7
  • oci-umount-2.3.1-2.gitbf16163.el7
  • ostree-2017.14-2.el7
  • rhel-system-roles-0.5-3.el7 *
  • runc-1.0.0-23.rc4.dev.git1d3ab6d.el7
  • skopeo-0.1.27-3.dev.git14245f2.el7

The asterisk (*) marks packages which are available for Red Hat Enterprise Linux only.

5.2.1. Container Images

Updated:

  • Red Hat Enterprise Linux 7 Init Container Image (rhel7/rhel7-init)
  • Red Hat Enterprise Linux 7.4 Container Image (rhel7.4, rhel7, rhel7/rhel, rhel)
  • Red Hat Enterprise Linux Atomic Identity Management Server Container Image (rhel7/ipa-server)
  • Red Hat Enterprise Linux Atomic Image (rhel-atomic, rhel7-atomic, rhel7/rhel-atomic)
  • Red Hat Enterprise Linux Atomic Kubernetes apiserver Container Image (rhel7/kubernetes-apiserver)
  • Red Hat Enterprise Linux Atomic Kubernetes controller-manager Container (rhel7/kubernetes-controller-mgr)
  • Red Hat Enterprise Linux Atomic Kubernetes scheduler Container Image (rhel7/kubernetes-scheduler)
  • Red Hat Enterprise Linux Atomic Net-SNMP Container Image (rhel7/net-snmp)
  • Red Hat Enterprise Linux Atomic OpenSCAP Container Image (rhel7/openscap)
  • Red Hat Enterprise Linux Atomic SSSD Container Image (rhel7/sssd)
  • Red Hat Enterprise Linux Atomic Support Tools Container Image (rhel7/support-tools)
  • Red Hat Enterprise Linux Atomic Tools Container Image (rhel7/rhel-tools)
  • Red Hat Enterprise Linux Atomic cockpit-ws Container Image (rhel7/cockpit-ws)
  • Red Hat Enterprise Linux Atomic etcd Container Image (rhel7/etcd)
  • Red Hat Enterprise Linux Atomic flannel Container Image (rhel7/flannel)
  • Red Hat Enterprise Linux Atomic open-vm-tools Container Image (rhel7/open-vm-tools)
  • Red Hat Enterprise Linux Atomic rsyslog Container Image (rhel7/rsyslog)
  • Red Hat Enterprise Linux Atomic sadc Container Image (rhel7/sadc)

5.3. New Features

  • Enhanced documentation for buildah

    Enhanced coverage of the buildah command describes several new features, including how to build containers from scratch. See Building container images with Buildah.

  • The rpm-ostree command now has several new features. The most notable of them:

    • rpm-ostree ex livefs --replace
    • --download-only and --cache-only
    • rpm-ostree refresh-md

    have been documented in Package Layering.

    For other new rpm-ostree features, see the upstream rpm-ostree release notes.

Chapter 6. Red Hat Enterprise Linux Atomic Host 7.4.3

6.1. Atomic Host

OSTree update:

New Tree Version: 7.4.3 (hash: 13fe9e86d640fd257afe831e4b33ad1eb6183d7de2a550dc7397a7b4b1f6ef25)
Changes since Tree Version 7.4.2-1 (hash: 36d9eb2d9b734e5e8552dcdbbe029bb250c00262dffc49f614b1c7a61eb53555)

Updated packages:

  • cockpit-ostree-155-1.el7

6.2. Extras

Updated packages:

  • atomic-1.20.1-3.git840732d.el7
  • cockpit-155-1.el7
  • container-selinux-2.33-1.git86f33cd.el7
  • container-storage-setup-0.8.0-3.git1d27ecf.el7
  • docker-1.12.6-68.gitec8512b.el7
  • docker-latest-1.13.1-36.git9a813fa.el7
  • etcd-3.2.9-3.el7
  • oci-umount-2.3.0-1.git51e7c50.el7
  • runc-1.0.0-21.rc4.dev.gitaea4f21.el7
  • skopeo-0.1.26-2.dev.git2e8377a.el7

New packages:

  • buildah-0.8-1.gitbf40000.el7

6.2.1. Container Images

Updated:

  • Red Hat Enterprise Linux 7 Init Container Image (rhel7/rhel7-init)
  • Red Hat Enterprise Linux 7.4 Container Image (rhel7.4, rhel7, rhel7/rhel, rhel)
  • Red Hat Enterprise Linux Atomic Identity Management Server Container Image (rhel7/ipa-server)
  • Red Hat Enterprise Linux Atomic Image (rhel-atomic, rhel7-atomic, rhel7/rhel-atomic)
  • Red Hat Enterprise Linux Atomic Kubernetes apiserver Container Image (rhel7/kubernetes-apiserver)
  • Red Hat Enterprise Linux Atomic Kubernetes controller-manager Container (rhel7/kubernetes-controller-mgr)
  • Red Hat Enterprise Linux Atomic Kubernetes scheduler Container Image (rhel7/kubernetes-scheduler)
  • Red Hat Enterprise Linux Atomic OpenSCAP Container Image (rhel7/openscap)
  • Red Hat Enterprise Linux Atomic SSSD Container Image (rhel7/sssd)
  • Red Hat Enterprise Linux Atomic Tools Container Image (rhel7/rhel-tools)
  • Red Hat Enterprise Linux Atomic cockpit-ws Container Image (rhel7/cockpit-ws)
  • Red Hat Enterprise Linux Atomic etcd Container Image (rhel7/etcd)
  • Red Hat Enterprise Linux Atomic flannel Container Image (rhel7/flannel)
  • Red Hat Enterprise Linux Atomic open-vm-tools Container Image (rhel7/open-vm-tools)
  • Red Hat Enterprise Linux Atomic rsyslog Container Image (rhel7/rsyslog)
  • Red Hat Enterprise Linux Atomic sadc Container Image (rhel7/sadc)

New:

  • Red Hat Enterprise Linux Atomic Net-SNMP Container Image (rhel7/net-snmp)
  • Red Hat Enterprise Linux Atomic Support Tools Container Image (rhel7/support-tools)

6.3. New Features

  • RHEL Tools Container image is now much smaller

    The size of the RHEL Tools Container image (rhel-tools) has been reduced from about 1400MB to about 400MB. These changes took place:

    • A new support-tools container image is now available, which consists of the sos, redhat-support-tool, tcpdump and strace packages. The sos and redhat-support-tool packages have been removed from the rhel-tools image.
    • Documentation has been removed.
    • Packages previously installed only for providing documentation, such as atomic, docker, and kubernetes, have been removed.
    • The systemtap and kernel packages have been removed. They are available in the devtoolset-6-toolchain-perftools container image.
    • The gcc and gdb packages have been removed. They are available in the devtoolset-6-toolchain-rhel7 container image.
    • The full list of removed packages is this: abrt, atomic, btrfs-progs, container-selinux, docker, docker-latest, docker-v1.10-migrator, gcc, gdb, gdb-gdbserver, glibc-common, gomtree, kernel, kubernetes, kubernetes-master, kubernetes-client, kubernetes-node, man-db, ostree, pcp, pcp-collector, pcp-export-pcp2graphite, pcp-export-zabbix-agent, procps-ng, python-docker-py, python-rhsm, redhat-support-tool, sos, subscription-manager, systemd, systemtap, systemtap-client, vim-minimal, xorg-x11-xauth.

    See Using the Atomic Tools Container Image and Using the Atomic Support Tools Container Image for more information and usage instructions for rhel-tools and support-tools.

  • For new rpm-ostree features, see the upstream rpm-ostree release notes.

Chapter 7. Red Hat Enterprise Linux Atomic Host 7.4.2

7.1. Atomic Host

OSTree update:

New Tree Version: 7.4.2-1 (hash: 36d9eb2d9b734e5e8552dcdbbe029bb250c00262dffc49f614b1c7a61eb53555)
Changes since Tree Version 7.4.1 (hash: ee6c16cac30b7d6fcfcad0ed6f7a8d99e2539755b8fd46f08e1bb2f9bc3eba4c)

Updated packages:

  • cockpit-ostree-151-1.el7
  • rpm-ostree-client-2017.9-1.atomic.el7

New packages:

  • anaconda-21.48.22.121-3.rhelah.0.el7

7.2. Extras

Updated packages:

  • ansible-2.4.0.0-5.el7 *
  • atomic-1.19.1-4.gitb39a783.el7
  • cockpit-151-1.el7
  • container-selinux-2.28-1.git85ce147.el7
  • container-storage-setup-0.7.0-1.git4ca59c5.el7
  • docker-1.12.6-61.git85d7426.el7
  • docker-latest-1.13.1-26.git1faa135.el7
  • etcd-3.2.7-1.el7
  • oci-register-machine-0-3.13.gitcd1e331.el7
  • oci-systemd-hook-0.1.14-1.git1ba44c6.el7
  • ostree-2017.11-1.el7
  • python-docker-py-1.10.6-3.el7
  • python-flask-0.10.1-4.el7
  • python-websocket-client-0.32.0-116.el7
  • python-werkzeug-0.9.1-2.el7
  • rhel-system-roles-0.5-1.el7 *
  • runc-1.0.0-14.rc4dev.git84a082b.el7
  • skopeo-0.1.24-1.dev.git28d4e08.el7

The asterisk (*) marks packages which are available for Red Hat Enterprise Linux only.

New packages:

  • python-jmespath-0.9.0-3.el7
  • oci-umount-2.0.0-1.git299e781.el7

7.2.1. Container Images

Updated:

  • Red Hat Enterprise Linux Atomic cockpit-ws Container Image (rhel7/cockpit-ws)
  • Red Hat Enterprise Linux Atomic open-vm-tools Container Image (rhel7/open-vm-tools)
  • Red Hat Enterprise Linux 7.4 Container Image (rhel7.4, rhel7, rhel7/rhel, rhel)
  • Red Hat Enterprise Linux Atomic Image (rhel-atomic, rhel7-atomic, rhel7/rhel-atomic)
  • Red Hat Enterprise Linux Atomic Tools Container Image (rhel7/rhel-tools)
  • Red Hat Enterprise Linux Atomic SSSD Container Image (rhel7/sssd)
  • Red Hat Enterprise Linux 7 Init Container Image (rhel7/rhel7-init)
  • Red Hat Enterprise Linux Atomic rsyslog Container Image (rhel7/rsyslog)
  • Red Hat Enterprise Linux Atomic sadc Container Image (rhel7/sadc)
  • Red Hat Enterprise Linux Atomic etcd Container Image (rhel7/etcd)
  • Red Hat Enterprise Linux Atomic flannel Container Image (rhel7/flannel)
  • Red Hat Enterprise Linux Atomic openscap Container Image (rhel7/openscap)
  • Red Hat Enterprise Linux Atomic Identity Management Server Container Image (rhel7/ipa-server)
  • Red Hat Enterprise Linux Atomic Kubernetes apiserver Container Image (rhel7/kubernetes-apiserver)
  • Red Hat Enterprise Linux Atomic Kubernetes controller-manager Container (rhel7/kubernetes-controller-mgr)
  • Red Hat Enterprise Linux Atomic Kubernetes scheduler Container Image (rhel7/kubernetes-scheduler)

7.3. New Features

  • Beginning with RHEL Atomic Host 7.4.2, you can configure /var to be a mount point. This allows placing /var into a separate partition, which prevents other mount points from getting full if /var gets full. For more information and instructions, see Manual Partitioning.
  • The skopeo tool now by default requires a TLS connection. It fails when trying to use an unencrypted connection. To override the default and use an http registry, prepend http: to the <registry>/<image> string. For information on using skopeo, see Using skopeo to work with container registries.
  • The oci-umount package, which was previously shipped as a subpackage of docker, is now shipped separately.

    The oci-umount package provides an OCI hook program. If you add it to the runc JSON data file as a hook, runc will execute the application after the container process is created, but before it is executed, with a prestart flag. Docker adds the oci-umount as a container hook to the runc configuration when it is installed in the $HOOKSDIR directory. To modify the list of file systems to umount, edit the /etc/oci-umount.conf file.

Chapter 8. Red Hat Enterprise Linux Atomic Host 7.4.1

8.1. Atomic Host

OSTree update:

New Tree Version: 7.4.1 (hash: e83c16780259c5272684221e2a6007300d94bbfdc5432f9ab6025300f447145b)
Changes since Tree Version 7.4.0 (hash: 846fb0e18e65bd9a62fc9d952627413c6467c33c2d726449a1d7ad7690bbb93a)

Updated packages:

  • cockpit-ostree-148-1.el7
  • rpm-ostree-client-2017.6-6.atomic.el7

8.2. Extras

Updated packages:

  • ansible-2.3.2.0-1.el7 *
  • atomic-1.18.1-4.git64843d3.el7
  • cockpit-148-1.el7
  • container-selinux-2.21-2.gitba103ac.el7
  • container-storage-setup-0.6.0-1.gite67c964.el7
  • docker-1.12.6-54.gitc4618fb.el7
  • docker-distribution-2.6.2-1.git48294d9.el7
  • docker-latest-1.13.1-23.git28ae36d.el7
  • etcd-3.2.5-1.el7
  • gomtree-0.4.0-1.1.el7
  • oci-systemd-hook-0.1.12-1.git1e84754.el7
  • rhel-system-roles-0.3-2.el7 *
  • skopeo-0.1.23-1.git1bbd87f.el7
  • storaged-2.5.2-4.el7 *

The asterisk (*) marks packages which are available for Red Hat Enterprise Linux only.

8.2.1. Container Images

Updated:

  • Red Hat Enterprise Linux Atomic cockpit-ws Container Image (rhel7/cockpit-ws)
  • Red Hat Enterprise Linux 7.4 Container Image (rhel7.4, rhel7, rhel7/rhel, rhel)
  • Red Hat Enterprise Linux Atomic Image (rhel-atomic, rhel7-atomic, rhel7/rhel-atomic)
  • Red Hat Enterprise Linux Atomic SSSD Container Image (rhel7/sssd)
  • Red Hat Enterprise Linux Atomic openscap Container Image (rhel7/openscap)
  • Red Hat Enterprise Linux 7 Init Container Image (rhel7/rhel7-init)
  • Red Hat Enterprise Linux Atomic rsyslog Container Image (rhel7/rsyslog)
  • Red Hat Enterprise Linux Atomic sadc Container Image (rhel7/sadc)
  • Red Hat Enterprise Linux Atomic Tools Container Image (rhel7/rhel-tools)
  • Red Hat Enterprise Linux Atomic open-vm-tools Container Image (rhel7/open-vm-tools)
  • Red Hat Enterprise Linux Atomic Kubernetes scheduler Container Image (rhel7/kubernetes-scheduler)
  • Red Hat Enterprise Linux Atomic Kubernetes apiserver Container Image (rhel7/kubernetes-apiserver)
  • Red Hat Enterprise Linux Atomic Kubernetes controller-manager Container (rhel7/kubernetes-controller-mgr)
  • Red Hat Enterprise Linux Atomic Identity Management Server Container Image (rhel7/ipa-server)
  • Red Hat Enterprise Linux Atomic etcd Container Image (rhel7/etcd)
  • Red Hat Enterprise Linux Atomic flannel Container Image (rhel7/flannel)

Chapter 9. Red Hat Enterprise Linux Atomic Host 7.4.0

9.1. Atomic Host

OSTree update:

New Tree Version: 7.4.0 (hash: 846fb0e18e65bd9a62fc9d952627413c6467c33c2d726449a1d7ad7690bbb93a)
Changes since Tree Version 7.3.6 (hash: e073a47baa605a99632904e4e05692064302afd8769a15290d8ebe8dbfd3c81b)

Updated packages:

  • atomic-devmode-0.3.7-2.el7
  • cockpit-ostree-141-2.el7
  • redhat-release-atomic-host-7.4-20170427.0.atomic.el7.1
  • rpm-ostree-client-2017.6-5.atomic.el7

9.2. Extras

Updated packages:

  • atomic-1.18.1-3.1.git0705b1b.el7
  • cockpit-141-4.el7
  • container-selinux-2.21-1.el7
  • docker-1.12.6-48.git0fdc778.el7
  • docker-distribution-2.6.1-1.1.gita25b9ef.el7
  • docker-latest-1.13.1-21.1.gitcd75c68.el7
  • dpdk-16.11.2-4.el7 *
  • etcd-3.1.9-2.el7
  • flannel-0.7.1-2.el7
  • gomtree-0.3.1-2.1.el7
  • libev-4.15-7.el7 *
  • libssh-0.7.1-3.el7 *
  • oci-register-machine-0-3.11.1.gitdd0daef.el7
  • oci-systemd-hook-0.1.8-4.1.gite533efa.el7
  • ostree-2017.7-1.el7
  • python-backports-lzma-0.0.2-9.el7 *
  • python-gevent-1.0-3.el7 *
  • python-greenlet-0.4.2-4.el7 *
  • runc-1.0.0-12.1.gitf8ce01d.el7
  • skopeo-0.1.20-2.1.gite802625.el7
  • storaged-2.5.2-3.el7 *

New packages:

  • container-storage-setup-0.3.0-3.git927974f.el7
  • sshpass-1.06-2.el7 *
  • python-httplib2-0.9.1-3.el7 *
  • libtommath-0.42.0-6.el7 *
  • python-passlib-1.6.5-2.el7 *
  • python-paramiko-2.1.1-2.el7 *
  • ansible-2.3.1.0-3.el7 *
  • python-crypto-2.6.1-15.el7 *
  • libtomcrypt-1.17-26.el7 *
  • rhel-system-roles-0.2-2.el7 *
  • driverctl-0.95-1.el7 *

The asterisk (*) marks packages which are available for Red Hat Enterprise Linux only.

9.2.1. Container Images

Updated:

  • Red Hat Enterprise Linux Atomic cockpit-ws Container Image (rhel7/cockpit-ws)
  • Red Hat Enterprise Linux Atomic etcd Container Image (rhel7/etcd)
  • Red Hat Enterprise Linux Atomic flannel Container Image (rhel7/flannel)
  • Red Hat Enterprise Linux Atomic Identity Management Server Container Image (rhel7/ipa-server)
  • Red Hat Enterprise Linux Atomic Kubernetes apiserver Container Image (rhel7/kubernetes-apiserver)
  • Red Hat Enterprise Linux Atomic Kubernetes controller-manager Container (rhel7/kubernetes-controller-mgr)
  • Red Hat Enterprise Linux Atomic Kubernetes scheduler Container Image (rhel7/kubernetes-scheduler)
  • Red Hat Enterprise Linux Atomic open-vm-tools Container Image (rhel7/open-vm-tools)
  • Red Hat Enterprise Linux Atomic openscap Container Image (rhel7/openscap)
  • Red Hat Enterprise Linux 7.4 Container Image (rhel7.4, rhel7, rhel7/rhel, rhel)
  • Red Hat Enterprise Linux Atomic Tools Container Image (rhel7/rhel-tools)
  • Red Hat Enterprise Linux 7 Init Container Image (rhel7/rhel7-init)
  • Red Hat Enterprise Linux Atomic sadc Container Image (rhel7/sadc)
  • Red Hat Enterprise Linux Atomic SSSD Container Image (rhel7/sssd)

9.3. New Features

  • Limited support for containers on little-endian IBM Power Systems

    Containers now have limited support on the little-endian variant of IBM Power Systems (PPCle). See Supported Architectures for Containers on RHEL for details.

    Notably, packages from the Extras channel are now provided for the little-endian variant of IBM Power Systems, along with the rhel7-ppc64le base container. This enables using containers on these systems with Red Hat Enterprise Linux 7.4.

  • overlay2 storage driver now available

    The overlay2 graph driver has been upgraded from a Technology Preview to a fully supported feature.

    The overlay2 graph driver, along with overlay, uses OverlayFS, a copy-on-write union file system that features page-cache sharing between containers. However, overlay2 is the more performant option.

    To enable the driver, specify overlay2 in the /etc/sysconfig/docker-storage-setup file:

    STORAGE_DRIVER=overlay2

  • OverlayFS now can be run with SELinux enforced

    Previously, SELinux had to be in permissive or disabled mode for OverlayFS to work. Now you can run the OverlayFS file system with SELinux in enforcing mode.

    For more information on OverlayFS, see Overlay Graph Driver.

  • SSSD in a container is now fully supported

    The System Security Services Daemon (SSSD) in a container has been upgraded from a Technology Preview to a fully supported feature.

    SSSD allows the Red Hat Enterprise Linux Atomic Host authentication subsystem to be connected to central identity providers such as Red Hat Identity Management and Microsoft Active Directory.

    To install this new image, use the atomic install rhel7/sssd command.

    For full documentation on SSSD, see Configuring SSSD.

  • Package layering is now fully supported

    The pkg-add subcommand of the rpm-ostree tool has been upgraded from a Technology Preview to a fully supported feature.

    The rpm-ostree install command installs layered packages that are persistent across reboots. This command can be used to install individual packages that are not part of the original OSTree, such as diagnostics tools. For detailed information about package layering, see Package Layering.

  • Image signing is now fully supported

    The image signing and validation functionality has been upgraded from a Technology Preview to a fully supported feature.

    Signing container images on RHEL and RHEL Atomic Host systems provides a means of validating where a container image came from, checking that the image has not been tampered with, and setting policies to determine which validated images you will allow to use on your systems.

    The main image signing tasks can be done as follows:

    • To sign and distribute an image, use the atomic sign and atomic push commands.
    • To get and verify a signed image, use the atomic pull and atomic verify commands.
    • To designate a signed image as trusted and acceptable on the local system, use the atomic trust command.

    For the current release, image signing is only supported when pushing and pulling between Docker v2 registries (such as the registry software included in the docker-distribution package) and the Docker Hub (docker.io).

    To learn more about image signing, see Image Signing.

  • GPG verification changes for OSTree commits

    For new installations of RHEL Atomic Host 7.4.0 and later, the GPG verification of OSTree commits is enabled by default. If you upgrade from RHEL Atomic Host 7.3, you can enable GPG verification manually.

    To enable GPG verification, set the gpg-verify directive in the /etc/ostree/remotes.d/redhat.conf file to true.

    If GPG verification is enabled, the output of the atomic host status command shows information about the GPG signature of the commit.

  • docker-storage-setup renamed to container-storage-setup

    The docker-storage-setup utility has been renamed to container-storage-setup for RHEL 7.4 and RHEL Atomic Host 7.4. Note that:

    • The name of the package has also changed to container-storage-setup.
    • The name of the service is still docker-storage-setup.
    • The default configuration is in the /usr/share/container-storage-setup/container-storage-setup file, but your configuration should go to /etc/sysconfig/docker-storage-setup, which overrides configuration from /usr/share/container-storage-setup/container-storage-setup.
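
The gpg-verify setting described under "GPG verification changes for OSTree commits" can be audited across every remote definition on a host. The following POSIX shell script is an added example, not part of the original release notes or Red Hat tooling; the remote names, URL and file names are constructed, and flagging a remote whose gpg-verify key is unset is a conservative policy choice of this example.

```shell
#!/bin/sh
# Added example: audit OSTree remote definitions (keyfile format, as in
# /etc/ostree/remotes.d/*.conf) and report the gpg-verify state of each remote.

# audit_remotes DIR
# Prints "<file> <remote> <state>" per remote; state is true, false or unset.
audit_remotes() {
    dir=$1
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        awk -v file="$(basename "$f")" '
            function emit() {
                if (remote != "") print file, remote, state
            }
            # Section header of the form: [remote "name"]
            /^[ \t]*\[remote[ \t]+"[^"]+"\][ \t]*$/ {
                emit()
                remote = $0
                sub(/^[^"]*"/, "", remote)
                sub(/".*$/, "", remote)
                state = "unset"
                next
            }
            # Any other section header ends the current remote.
            /^[ \t]*\[/ { emit(); remote = ""; next }
            # Commented-out keys must not count as configuration.
            /^[ \t]*#/ { next }
            remote != "" && /^[ \t]*gpg-verify[ \t]*=/ {
                val = $0
                sub(/^[^=]*=[ \t]*/, "", val)
                sub(/[ \t\r]*$/, "", val)
                # Anything other than an explicit true value is reported
                # as false so that typos are flagged, not trusted.
                state = (val == "true" || val == "1") ? "true" : "false"
            }
            END { emit() }
        ' "$f"
    done
}

# unverified_remotes DIR
# Prints the names of remotes that are not explicitly gpg-verify=true.
# Exit status is 1 if any such remote exists, 0 otherwise.
unverified_remotes() {
    audit_remotes "$1" | awk '$3 != "true" { print $2; bad = 1 } END { exit bad }'
}

# make_sample DIR
# Writes three constructed remote files covering the cases of interest.
make_sample() {
    printf '%s\n' '[remote "example-verified"]' \
        'url=https://ostree.example.com/repo' \
        'gpg-verify=true' > "$1/verified.conf"
    # Constructed stand-in for a host upgraded from an older release.
    printf '%s\n' '[remote "example-upgraded"]' \
        'url=https://ostree.example.com/repo' \
        'gpg-verify=false' > "$1/upgraded.conf"
    # The only gpg-verify line here is commented out, so the key is unset.
    printf '%s\n' '[remote "example-unset"]' \
        'url=https://ostree.example.com/repo' \
        '# gpg-verify=true' > "$1/unset.conf"
}

# Demonstration on constructed data in a temporary directory.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_remotes "$demo_dir"
echo "Remotes without gpg-verify=true:"
unverified_remotes "$demo_dir" || echo "(at least one remote needs attention)"
rm -rf "$demo_dir"
```

On a real host, point audit_remotes at /etc/ostree/remotes.d and compare the result with the GPG signature information shown by atomic host status.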

Chapter 10. Red Hat Enterprise Linux Atomic Host 7.3.6

10.1. Atomic Host

OSTree update:

New Tree Version: 7.3.6 (hash: e073a47baa605a99632904e4e05692064302afd8769a15290d8ebe8dbfd3c81b)
Changes since Tree Version 7.3.5-1 (hash: c04cab425084ce81d66d1717f464e292bc5a908a86802faf0da7dd22d74d3727)

Updated packages:

  • atomic-devmode-0.3.7-1.el7
  • cockpit-ostree-141-1.el7
  • librhsm-0.0.1-2.el7

10.2. Extras

Updated packages:

  • atomic-1.17.2-9.git2760e30.el7
  • cockpit-141-1.el7
  • container-selinux-2.19-2.1.el7
  • docker-1.12.6-32.git88a4867.el7
  • docker-latest-1.13.1-13.gitb303bf6.el7
  • etcd-3.1.9-1.el7
  • flannel-0.7.1-1.el7
  • kubernetes-1.5.2-0.7.git269f928.el7 *
  • oci-systemd-hook-0.1.7-4.gite533efa.el7
  • ostree-2017.5-3.el7
  • skopeo-0.1.20-2.el7

The asterisk (*) marks packages which are available for Red Hat Enterprise Linux only.

10.2.1. Container Images

Updated:

  • Red Hat Enterprise Linux Atomic cockpit-ws Container Image (rhel7/cockpit-ws)
  • Red Hat Enterprise Linux Atomic etcd Container Image (rhel7/etcd)
  • Red Hat Enterprise Linux Atomic flannel Container Image (rhel7/flannel)
  • Red Hat Enterprise Linux Atomic Identity Management Server Container Image (rhel7/ipa-server)
  • Red Hat Enterprise Linux Atomic Kubernetes apiserver Container Image (rhel7/kubernetes-apiserver)
  • Red Hat Enterprise Linux Atomic Kubernetes controller-manager Container (rhel7/kubernetes-controller-mgr)
  • Red Hat Enterprise Linux Atomic Kubernetes scheduler Container Image (rhel7/kubernetes-scheduler)
  • Red Hat Enterprise Linux Atomic open-vm-tools Container Image (rhel7/open-vm-tools)
  • Red Hat Enterprise Linux Atomic openscap Container Image (rhel7/openscap)
  • Red Hat Enterprise Linux 7.3 Container Image (rhel7.3, rhel7, rhel7/rhel, rhel)
  • Red Hat Enterprise Linux Atomic Tools Container Image (rhel7/rhel-tools)
  • Red Hat Enterprise Linux Atomic Image (rhel-atomic, rhel7-atomic, rhel7/rhel-atomic)
  • Red Hat Enterprise Linux 7 Init Container Image (rhel7/rhel7-init)
  • Red Hat Enterprise Linux Atomic rsyslog Container Image (rhel7/rsyslog)
  • Red Hat Enterprise Linux Atomic sadc Container Image (rhel7/sadc)
  • Red Hat Enterprise Linux Atomic SSSD Container Image (rhel7/sssd)

10.3. New Features

  • Red Hat Enterprise Linux 6 Init Container Image is now available

    The new Red Hat Enterprise Linux 6 Init Image allows creating containerized services based on RHEL6 init scripts. This container image enables running one or more services in a RHEL6 user space using init scripts.

    For details on using rhev6-init, see Using the Atomic RHEL6 Init Container Image in the Managing Containers Guide.

Chapter 11. Red Hat Enterprise Linux Atomic Host 7.3.5

11.1. Atomic Host

OSTree update:

New Tree Version: 7.3.5 (hash: 0ccf9138962e5c2c3794969a228e751d13bb780f5b0a1f15f4a9649df06ba80a)
Changes since Tree Version 7.3.4-1 (hash: d6c7a5639cdeb6c21cf40d80259d516d047176e35411c8684cae40a93eedbed0)

Updated packages:

  • cockpit-ostree-138-5.el7
  • redhat-release-atomic-host-7.3-20161129.0.atomic.el7.5
  • rpm-ostree-client-2017.5-1.atomic.el7

11.2. Extras

Updated packages:

  • atomic-1.17.2-3.git2760e30.el7
  • cockpit-138-6.el7
  • container-selinux-2.12-2.gite7096ce.el7
  • docker-1.12.6-28.git1398f24.el7
  • docker-distribution-2.6.1-1.el7
  • docker-latest-1.13.1-11.git3a17ad5.el7
  • etcd-3.1.7-1.el7
  • kubernetes-1.5.2-0.6.gitd33fd89.el7 *
  • ostree-2017.5-1.el7
  • skopeo-0.1.19-1.el7
  • WALinuxAgent-2.2.10-1.el7

The asterisk (*) marks packages which are available for Red Hat Enterprise Linux only.

11.2.1. Container Images

Updated:

  • Red Hat Enterprise Linux 7.3 Container Image (rhel7.3, rhel7, rhel7/rhel, rhel)
  • Red Hat Enterprise Linux Atomic Identity Management Server Container Image (rhel7/ipa-server)
  • Red Hat Enterprise Linux Atomic Image (rhel-atomic, rhel7-atomic, rhel7/rhel-atomic)
  • Red Hat Enterprise Linux Atomic Kubernetes apiserver Container Image (rhel7/kubernetes-apiserver)
  • Red Hat Enterprise Linux Atomic Kubernetes controller-manager Container (rhel7/kubernetes-controller-mgr)
  • Red Hat Enterprise Linux Atomic Kubernetes scheduler Container Image (rhel7/kubernetes-scheduler)
  • Red Hat Enterprise Linux Atomic SSSD Container Image (rhel7/sssd)
  • Red Hat Enterprise Linux Atomic Tools Container Image (rhel7/rhel-tools)
  • Red Hat Enterprise Linux Atomic cockpit-ws Container Image (rhel7/cockpit-ws)
  • Red Hat Enterprise Linux Atomic etcd Container Image (rhel7/etcd)
  • Red Hat Enterprise Linux Atomic flannel Container Image (rhel7/flannel)
  • Red Hat Enterprise Linux Atomic open-vm-tools Container Image (rhel7/open-vm-tools)
  • Red Hat Enterprise Linux Atomic openscap Container Image (rhel7/openscap)
  • Red Hat Enterprise Linux Atomic rsyslog Container Image (rhel7/rsyslog)
  • Red Hat Enterprise Linux Atomic sadc Container Image (rhel7/sadc)

New:

  • Red Hat Enterprise Linux 7 Init Container Image (rhel7/rhel7-init)

11.3. New Features

  • Red Hat Enterprise Linux 7 Init Container Image is now available

    The new Red Hat Enterprise Linux 7 Init Image allows creating containerized services based on the systemd init system. This container image configures systemd in an OCI container and enables running one or more services in a RHEL7 user space using unit files, init scripts, or both.

    For details on using rhel7-init, see Using the Atomic RHEL7 Init Container Image in the Managing Containers Guide.

Chapter 12. Red Hat Enterprise Linux Atomic Host 7.3.4

12.1. Atomic Host

OSTree update:

New Tree Version: 7.3.4 (hash: 4be47184245cc6d1c97a7bb2546c776e9124e3532ca4804a85227f8ebff24432)
Changes since Tree Version 7.3.3 (hash: bfc591ba1a4395c6b8e54d34964b05df4a61e0d82d20cc1a2fd817855c7e2da5)

Updated packages:

  • atomic-devmode-0.3.6-2.el7
  • cockpit-ostree-135-4.el7
  • libdnf-0.7.4-3.el7 (not available as an RPM package)
  • rpm-ostree-client-2017.3-1.atomic.el7

12.2. Extras

Updated packages:

  • atomic-1.16.5-1.el7
  • cockpit-135-4.el7 *
  • container-selinux-2.10-2.el7
  • docker-1.12.6-16.el7
  • docker-latest-1.13.1-4.el7
  • etcd-3.1.3-1.el7
  • kubernetes-1.5.2-0.5.gita552679.el7 *
  • oci-register-machine-0-3.11.gitdd0daef.el7
  • oci-systemd-hook-0.1.7-2.git2788078.el7
  • ostree-2017.3-2.el7
  • runc-1.0.0-6.gite800860.el7

The asterisk (*) marks packages which are available for Red Hat Enterprise Linux only.

12.2.1. Container Images

Updated:

  • Red Hat Enterprise Linux Atomic Identity Management Server (rhel7/ipa-server)
  • Red Hat Enterprise Linux Container Image (rhel7.3, rhel7, rhel7/rhel, rhel)
  • Red Hat Enterprise Linux Atomic Image (rhel-atomic, rhel7-atomic, rhel7/rhel-atomic)
  • Red Hat Enterprise Linux Atomic cockpit-ws Container Image (rhel7/cockpit-ws)
  • Red Hat Enterprise Linux Atomic sadc Container Image (rhel7/sadc)
  • Red Hat Enterprise Linux Atomic rsyslog Container Image (rhel7/rsyslog)
  • Red Hat Enterprise Linux Atomic Tools Container Image (rhel7/rhel-tools)
  • Red Hat Enterprise Linux Atomic Kubernetes-apiserver Container Image (rhel7/kubernetes-apiserver)
  • Red Hat Enterprise Linux Atomic Kubernetes-scheduler Container Image (rhel7/kubernetes-scheduler)
  • Red Hat Enterprise Linux Atomic Kubernetes-controller Container Image (rhel7/kubernetes-controller-mgr)
  • Red Hat Enterprise Linux Atomic etcd Container Image (rhel7/etcd)
  • Red Hat Enterprise Linux Atomic flannel Container Image (rhel7/flannel)
  • Red Hat Enterprise Linux Atomic SSSD Container Image (rhel7/sssd)
  • Red Hat Enterprise Linux Atomic openscap Container Image (rhel7/openscap)
  • Red Hat Enterprise Linux Atomic open-vm-tools Container Image (rhel7/open-vm-tools)

12.3. New Features

  • Ability to generate initramfs on the client

    By default, Atomic Host uses a generic initramfs image built on the server side. This is distinct from the yum-based Red Hat Enterprise Linux, where initramfs is generated for each installation. However, in some situations, additional configuration or content may need to be added, which requires generating initramfs on the client side.

    With this update, the Atomic Host component rpm-ostree, which is used for updates of the host, has the new initramfs command. The new command allows generating initramfs on the client side using the dracut program.

    For details on using rpm-ostree initramfs, see Generating the initramfs Image on the Client in the Installation and Configuration Guide.

  • The managed plugin API changed in docker-latest

    In Docker 1.13, the managed plugin API changed compared to the experimental version introduced in Docker 1.12. Before upgrading to Docker 1.13, you must uninstall plugins that you installed with Docker 1.12. To uninstall plugins, use the docker plugin rm command.

    If you have already upgraded to Docker 1.13 without uninstalling previously installed plugins, you may see this message when the Docker daemon starts:

    Error starting daemon: json: cannot unmarshal string into Go value of type
    types.PluginEnv

    To resolve this problem:

    1. Remove the plugins.json file from /var/lib/docker/plugins/.
    2. Restart Docker. Verify that the docker daemon starts with no errors.
    3. Reinstall your plugins.

Chapter 13. Red Hat Enterprise Linux Atomic Host 7.3.3

13.1. Atomic Host

OSTree update:

New Tree Version: 7.3.3 (hash: bfc591ba1a4395c6b8e54d34964b05df4a61e0d82d20cc1a2fd817855c7e2da5)
Changes since Tree Version 7.3.2-1 (hash: 69a74a4ed6954492a7c82279f6efe59bffb8952e95577f8359a6717d57a36774)

Updated packages:

  • cockpit-ostree-131-3.el7
  • rpm-ostree-client-2017.1-6.atomic.el7

New packages (rhel-atomic container only):

  • librhsm-0.0.1-1.el7
  • libdnf-0.7.4-2.el7
  • microdnf-2-2.el7.1.1

13.2. Extras

Updated packages:

  • atomic-1.15.3-1.el7
  • cockpit-131-3.el7
  • docker-latest-1.12.6-11.el7
  • docker-distribution-2.6.0-1.el7 *
  • flannel-0.7.0-1.el7
  • kubernetes-1.5.2-0.2.gitc55cf2b.el7
  • etcd-3.1.0-2.el7
  • openscap-docker-7.3.3-2
  • python-docker-py-1.10.6-1.el7
  • gomtree-0.3.1-1.el7
  • runc-1.0.0-2.rc2.el7
  • skopeo-0.1.18-1.el7

New packages:

  • container-selinux-2.9-4.el7
  • ostree-2017.1-3.atomic.el7
  • ostree-fuse-2017.1-3.atomic.el7

The asterisk (*) marks packages which are available for Red Hat Enterprise Linux only.

13.2.1. Container Images

New:

  • Red Hat Enterprise Linux Atomic Image (rhel7/rhel-atomic)

Updated:

  • Red Hat Enterprise Linux 7.3.3 Container Image (rhel7/rhel)
  • Red Hat Enterprise Linux Atomic Tools Container Image (rhel7/rhel-tools)
  • Red Hat Enterprise Linux Atomic Identity Management Server Container Image (rhel7/ipa-server)
  • Red Hat Enterprise Linux Atomic cockpit-ws Container Image (rhel7/cockpit-ws)
  • Red Hat Enterprise Linux Atomic openscap (rhel7/openscap)
  • Red Hat Enterprise Linux Atomic rsyslog Container Image (rhel7/rsyslog)
  • Red Hat Enterprise Linux Atomic sadc Container Image (rhel7/sadc)
  • Red Hat Enterprise Linux Atomic SSSD Container Image (rhel7/sssd)
  • Red Hat Enterprise Linux Atomic etcd Container Image (rhel7/etcd)
  • Red Hat Enterprise Linux Atomic flannel Container Image (rhel7/flannel)
  • Red Hat Enterprise Linux Atomic Kubernetes-apiserver Container Image (rhel7/kubernetes-apiserver)
  • Red Hat Enterprise Linux Atomic Kubernetes-scheduler Container Image (rhel7/kubernetes-scheduler)
  • Red Hat Enterprise Linux Atomic Kubernetes-controller Container Image (rhel7/kubernetes-controller-mgr)

13.3. New Features

  • MicroDNF

    The microdnf package (microdnf-2-2.el7.1.1) contains a limited-functionality package manager written in C. This minimal subscription-manager plugin implementation for microdnf does not enable any repositories by default. As a consequence, all repositories managed by subscription-manager are disabled in the container. To enable the necessary repositories, use the --enablerepo option. For example:

        microdnf install --enablerepo rhel-7-server-rpms httpd

    This way, you can install packages from repositories managed by subscription-manager by enabling them manually.

    The microdnf package is added to the rhel-atomic minimal base image to replace the yum facility. It has a limited number of features from the dnf command that only allow you to enable or disable repositories, install and remove packages, and clean out cache. Run microdnf --help from inside of the rhel-atomic container to see all available options.

Chapter 14. Red Hat Enterprise Linux Atomic Host 7.3.2

14.1. Atomic Host

OSTree update:

New Tree Version: 7.3.2 (hash: 96826a0d917d7ff10f9fd0289581649f2ffbddd76f3b80efd3d95cc11915cacb)
Changes since Tree Version 7.3.1 (hash: 42cfe1ca3305defb16dfd59cd0be5c539f19ea720dba861ed11e13941423ae86)

Updated packages:

  • cockpit-ostree-126-1.el7
  • ostree-2016.15-1.atomic.el7
  • rpm-ostree-2016.13-1.atomic.el7
  • rpm-ostree-client-2016.13-1.atomic.el7

14.2. Extras

Updated packages:

  • atomic-1.14.1-5.el7
  • cockpit-126-1.el7
  • docker-1.12.5-14.el7
  • docker-latest-1.12.5-14.el7
  • etcd-3.0.15-1.el7
  • flannel-0.5.5-2.el7
  • gomtree-0.3.0-1.el7
  • kubernetes-1.4.0-0.1.git87d9d8d.el7
  • oci-register-machine-0-1.11.gitdd0daef.el7
  • oci-systemd-hook-0.1.4-9.git671c428.el7
  • runc-1.0.0-1.rc2.el7 *
  • skopeo-0.1.17-1.el7

The asterisk (*) marks packages which are available for Red Hat Enterprise Linux only.

14.2.1. Container Images

Updated:

  • Red Hat Enterprise Linux Container Image (rhel7/rhel)
  • Red Hat Enterprise Linux Atomic Tools Container Image (rhel7/rhel-tools)
  • Red Hat Enterprise Linux Atomic rsyslog Container Image (rhel7/rsyslog)
  • Red Hat Enterprise Linux Atomic sadc Container Image (rhel7/sadc)
  • Red Hat Enterprise Linux Atomic cockpit-ws Container Image (rhel7/cockpit-ws)
  • Red Hat Enterprise Linux Atomic etcd Container Image (rhel7/etcd)
  • Red Hat Enterprise Linux Atomic Kubernetes-controller Container Image (rhel7/kubernetes-controller-mgr)
  • Red Hat Enterprise Linux Atomic Kubernetes-apiserver Container Image (rhel7/kubernetes-apiserver)
  • Red Hat Enterprise Linux Atomic Kubernetes-scheduler Container Image (rhel7/kubernetes-scheduler)
  • Red Hat Enterprise Linux Atomic SSSD Container Image (rhel7/sssd) (Technology Preview)
  • Red Hat Enterprise Linux Atomic Identity Management Server Container Image (rhel7/ipa-server) (Technology Preview)
  • Red Hat Enterprise Linux Atomic openscap Container Image (rhel7/openscap) (Technology Preview)

14.3. New Features

  • The etcd3 package has been deprecated

    The etcd3 package and the Red Hat Enterprise Linux Atomic etcd3 Container Image have been deprecated and are no longer available in the Red Hat Enterprise Linux 7 Extras channel. Users that have the etcd3 component installed can update to etcd version 3.0.15 or later, which provides the same functionality and is backwards compatible with etcd3.

  • Cockpit has been rebased to version 126

    Most notable changes:

    • Show security scan information about containers.
    • Display OSTree signatures on RHEL Atomic Host.
    • During login users can choose whether their password is cached and reused.
    • Allow renaming of active devices in the networking interface.
    • More clearly indicate when checking for network connectivity.
    • Allow more time for rollback when making network changes.
    • The "remotectl" command can now combine certificate and key files.
    • Domain join operations can now be properly canceled.
    • Kerberos authentication now works even if gss-proxy is in use.
    • When proxied, support for the X-Forwarded-Proto HTTP header.
    • Ignore block devices with zero size in the storage interface.
    • Expand logical volumes and partitions inline on their devices.
    • No longer offer to format read-only block devices.
    • Use stored passphrases for LUKS devices properly.
    • System shutdown can be scheduled by date.
    • Properly terminate user sessions on the Accounts page.
    • Fixed regression on login screen in older Internet Explorer browsers.

Chapter 15. Red Hat Enterprise Linux Atomic Host 7.3.1

15.1. Atomic Host

OSTree update:

New Tree Version: 7.3.1 (hash: 42cfe1ca3305defb16dfd59cd0be5c539f19ea720dba861ed11e13941423ae86)
Changes since Tree Version 7.3 (hash: 90c9735becfff1c55c8586ae0f2c904bc0928f042cd4d016e9e0e2edd16e5e97)

Updated packages:

  • cockpit-ostree-122-1.el7
  • ostree-2016.11-1.atomic.el7
  • rpm-ostree-2016.11-2.atomic.el7
  • rpm-ostree-client-2016.11-2.atomic.el7

15.2. Extras

Updated packages:

  • atomic-1.13.8-1.el7
  • cockpit-122-3.el7
  • docker-1.10.3-59.el7
  • docker-distribution-2.5.1-1.el7
  • docker-latest-1.12.3-2.el7
  • etcd3-3.0.14-2.el7
  • kubernetes-1.3.0-0.3.git86dc49a.el7
  • oci-register-machine-0-1.10.gitfcdbff0.el7
  • oci-systemd-hook-0.1.4-7.gita9c551a.el7
  • skopeo-0.1.17-0.7.git1f655f3.el7

New packages:

  • gomtree-0-0.3.git8c6b32c.el7

The asterisk (*) marks packages which are available for Red Hat Enterprise Linux only.

15.2.1. Container Images

Updated:

  • Red Hat Enterprise Linux Container Image (rhel7/rhel)
  • Red Hat Enterprise Linux Atomic Tools Container Image (rhel7/rhel-tools)
  • Red Hat Enterprise Linux Atomic rsyslog Container Image (rhel7/rsyslog)
  • Red Hat Enterprise Linux Atomic sadc Container Image (rhel7/sadc)
  • Red Hat Enterprise Linux Atomic cockpit-ws Container Image (rhel7/cockpit-ws)
  • Red Hat Enterprise Linux Atomic etcd Container Image (rhel7/etcd)
  • Red Hat Enterprise Linux Atomic Kubernetes-controller Container Image (rhel7/kubernetes-controller-mgr)
  • Red Hat Enterprise Linux Atomic Kubernetes-apiserver Container Image (rhel7/kubernetes-apiserver)
  • Red Hat Enterprise Linux Atomic Kubernetes-scheduler Container Image (rhel7/kubernetes-scheduler)
  • Red Hat Enterprise Linux Atomic SSSD Container Image (rhel7/sssd) (Technology Preview)
  • Red Hat Enterprise Linux Atomic openscap Container Image (rhel7/openscap) (Technology Preview)

New:

  • Red Hat Enterprise Linux Atomic Identity Management Server Container Image (rhel7/ipa-server) (Technology Preview)

15.3. New Features

  • New gomtree package

    The gomtree packages contain a command-line tool and a Go library to support the mtree file system hierarchy validation tooling and format. The gomtree packages are necessary for the functionality of the atomic verify command.

  • skopeo-containers moved from atomic packages to skopeo packages

    The skopeo-containers subpackage, which contains configuration files for working with image signatures, has now been moved to the skopeo package set.

  • A bug where docker push did not complete on NFS has been fixed

    A regression was introduced in the docker registry 2.4 where file descriptors weren’t closed during blob uploads. This caused image push failures when the registry was running on top of an NFS file system. A new version of the upstream docker registry is available with a fix for the leaking file descriptors. As a result, image pushes now succeed on NFS file systems.

  • Standardizing labels for Docker-formatted containers

    Red Hat is trying to standardize the use of Docker-formatted labels in its images. For details on that subject, see Using Labels In Container Images.

  • Cockpit has been rebased to version 122

    Most notable changes:

    • Cockpit can now roll back network configuration that would otherwise disconnect an administrator from the system.
    • Unmanaged network devices are now shown.
    • The list of docker containers can be filtered and expanded inline.
    • Cockpit can be a "bastion host" by using the login page to connect to an alternate system through SSH.
    • Only connect to an alternate system if it has a known SSH host key.
    • When connecting to other systems, each SSH connection is run in a separate process.
    • Fixes bugs that prevent the "Logs" page from working in Firefox 49.
    • A network proxy can be used when registering with Red Hat Enterprise Linux.
    • A system can be unregistered when using Red Hat Enterprise Linux subscriptions.
    • The default flags for new VLAN devices have been fixed.

Chapter 16. Red Hat Enterprise Linux Atomic Host 7.3

16.1. Atomic Host

OSTree update:

New Tree Version: 7.3 (hash: 90c9735becfff1c55c8586ae0f2c904bc0928f042cd4d016e9e0e2edd16e5e97)
Changes since Tree Version 7.2.7 (hash: 347c3f5eb641e69fc602878c646cf42c4bcd5d9f36847a1f24ff8f3ec80f17b1)

Updated packages:

  • atomic-devmode-0.3.5-1.el7
  • cockpit-ostree-118-2.el7.x86_64
  • openscap-daemon-0.1.6-1.el7
  • ostree-2016.10-1.atomic.el7
  • redhat-release-atomic-host-7.3-20160824.0.atomic.el7.3
  • rpm-ostree-2016.9-1.atomic.el7
  • rpm-ostree-client-2016.9-1.atomic.el7

16.2. Extras

Updated packages:

  • atomic-1.12.5-2.el7
  • cockpit-118-2.el7
  • docker-1.10.3-57.el7
  • docker-distribution-2.5.0-1.el7 *
  • docker-latest-1.12.1-3.el7
  • flannel-0.5.5-1.el7
  • kubernetes-1.3.0-0.2.gitc5ee292.el7
  • oci-register-machine-0-1.9.gitaf6c129.el7
  • oci-systemd-hook-0.1.4-6.git337078c.el7
  • python-docker-py-1.9.0-1.el7
  • skopeo-0.1.14-0.6.el7

New packages:

  • etcd3-3.0.3-1.el7 *

The asterisk (*) marks packages which are available for Red Hat Enterprise Linux only.

16.2.1. Container Images

Updated:

  • Red Hat Enterprise Linux Container Image (rhel7/rhel)
  • Red Hat Enterprise Linux Atomic Tools Container Image (rhel7/rhel-tools)
  • Red Hat Enterprise Linux Atomic rsyslog Container Image (rhel7/rsyslog)
  • Red Hat Enterprise Linux Atomic sadc Container Image (rhel7/sadc)
  • Red Hat Enterprise Linux Atomic cockpit-ws Container Image (rhel7/cockpit-ws)
  • Red Hat Enterprise Linux Atomic etcd Container Image (rhel7/etcd)
  • Red Hat Enterprise Linux Atomic Kubernetes-controller Container Image (rhel7/kubernetes-controller-mgr)
  • Red Hat Enterprise Linux Atomic Kubernetes-apiserver Container Image (rhel7/kubernetes-apiserver)
  • Red Hat Enterprise Linux Atomic Kubernetes-scheduler Container Image (rhel7/kubernetes-scheduler)
  • Red Hat Enterprise Linux Atomic SSSD Container Image (rhel7/sssd) (Technology Preview)
  • Red Hat Enterprise Linux Atomic openscap Container Image (rhel7/openscap) (Technology Preview)

New:

  • Red Hat Enterprise Linux Atomic etcd3 Container Image (rhel7/etcd3) (Technology Preview)
  • Red Hat Enterprise Linux Atomic flannel Container Image (rhel7/flannel) (Technology Preview)

16.3. New Features

  • Features, previously available as a Technology Preview, are now fully supported

    The following features that have been available as a Technology Preview are now fully supported:

    • runc - runC is a lightweight, portable implementation of the Open Container Format (OCF) that provides a container runtime. The runc command-line tool can be used for spawning and running containers according to the Open Container Project (OCP) specification. Containers are started as a child process of runC and can be embedded into various other systems without having to run a docker daemon.
    • skopeo - The skopeo command lets you inspect images from container image registries, get images and image layers, and use signatures to create and verify files without using the docker daemon or the docker command. For detailed information, see the Red Hat Enterprise Linux Atomic Host 7 Getting Started with Containers Guide.
    • atomic-devmode - The atomic-devmode package allows users to easily try the Red Hat Atomic Cloud Image. It adds a new GRUB2 menu item labeled Developer Mode which allows users to boot the system without having to set up cloud-init. When in Developer Mode, a root password will automatically be generated, and users will be logged automatically into an interactive session in which Cockpit is downloaded and started.
    • openscap - The Red Hat Enterprise Linux Atomic openscap Container Image contains the OpenSCAP-daemon, a service that performs SCAP scans of bare-metal machines, virtual machines and containers. Running the openscap container enables container vulnerability scanning with the atomic scan command. To install this new image, use:

      # atomic install rhel7/openscap

    Additionally, the openscap RPM available for Red Hat Enterprise Linux is also now fully supported.

  • System containers now available as a Technology Preview

    System containers provide a way to containerize services that need to run before the docker daemon is running. They use different technologies than the Docker-formatted containers: ostree for storage, runc for runtime, skopeo for searching, and systemd for service management. Previously, such services were provided in the system as packages, or as part of the ostree in Atomic Host, and containerizing them makes the system itself smaller. Red Hat provides the etcd and flannel services as system containers.

    Note that the new etcd system container image replaces the etcd Docker-formatted container that has been available until Red Hat Enterprise Linux Atomic Host 7.3. The new etcd3 container image provided with this release is a Docker-formatted image. For more information on system containers and how to run etcd and flannel, see Running System Containers.

  • Manual Kubernetes Cluster Configuration No Longer Supported

    The Kubernetes software that is available in Red Hat Enterprise Linux and Red Hat Enterprise Linux Atomic Host is packaged and configured differently than the Kubernetes included in OpenShift. We recommend you use the OpenShift version of Kubernetes for permanent setups and production use. The procedure described in Get Started Orchestrating Containers with Kubernetes should only be used as a convenient way to try out Kubernetes on an all-in-one RHEL or RHEL Atomic Host system.

    As of RHEL 7.3, support for the procedure for configuring a Kubernetes cluster (separate master and multiple nodes) directly on RHEL and RHEL Atomic Host has ended. For further details on Red Hat support for Kubernetes, see How are container orchestration tools supported with Red Hat Enterprise Linux?.

  • Cockpit features

    There are several new Cockpit features in this release. Some of these features are:

    • Support for two-factor password authentication using PAM conversations
    • Webpack is used to build the Cockpit interface
    • Components can require a minimum Cockpit version
    • Forced password reset option enabled
    • Cockpit URLs can be proxied with a configured HTTP path prefix
    • SELinux audit failures can be diagnosed and solutions applied to the system
    • Storage can be configured for Docker containers and images

  • rhevm-guest-agent

    The rhevm-guest-agent container image is a Docker-formatted container that is used to run an agent inside of virtual machines on Red Hat Virtualization hosts. Communication between that agent and the Red Hat Virtualization Manager allows the manager to both monitor and change the state of the agent’s virtual machine.

    For more information about RHEV Guest Agent, see the RHEV Guest Agent Container section in the Red Hat Enterprise Linux Atomic Host Managing Containers Guide.

Chapter 17. Red Hat Enterprise Linux Atomic Host 7.2.7

This release doesn’t include any updated images and the latest version of Atomic Host cloud images remains at 7.2.6-1. The latest "Red Hat Atomic Host Installer" ISO image remains at 7.2.3-1 as well. OSTree has been updated and new deployments can be created with any of those images and updated to the latest release by running the atomic host upgrade command.

17.1. Atomic Host

OSTree update:

New Tree Version: 7.2.7 (hash: dae35767902aad07b087d359be20f234d244da79fdd4734cd2fbc3ee39b12cf8)
Changes since Tree Version 7.2.6 (hash: 347c3f5eb641e69fc602878c646cf42c4bcd5d9f36847a1f24ff8f3ec80f17b1)

Updated packages:

  • selinux-policy-3.13.1-63.atomic.el7.7

17.2. Extras

Updated packages:

  • docker-1.10.3-46.el7.14
  • docker-latest-1.12.1-2.el7
  • etcd-2.3.7-4.el7
  • oci-register-machine-0-1.8.gitaf6c129.el7

17.2.1. Container Images

Updated:

  • Red Hat Enterprise Linux Container Image (rhel7/rhel)
  • Red Hat Enterprise Linux Atomic Tools Container Image (rhel7/rhel-tools)
  • Red Hat Enterprise Linux Atomic rsyslog Container Image (rhel7/rsyslog)
  • Red Hat Enterprise Linux Atomic sadc Container Image (rhel7/sadc)
  • Red Hat Enterprise Linux Atomic cockpit-ws Container Image (rhel7/cockpit-ws)
  • Red Hat Enterprise Linux Atomic etcd Container Image (rhel7/etcd)
  • Red Hat Enterprise Linux Atomic Kubernetes-controller Container Image (rhel7/kubernetes-controller-mgr)
  • Red Hat Enterprise Linux Atomic Kubernetes-apiserver Container Image (rhel7/kubernetes-apiserver)
  • Red Hat Enterprise Linux Atomic Kubernetes-scheduler Container Image (rhel7/kubernetes-scheduler)
  • Red Hat Enterprise Linux Atomic SSSD Container Image (rhel7/sssd) (Technology Preview)
  • Red Hat Enterprise Linux Atomic openscap Container Image (rhel7/openscap) (Technology Preview)

17.3. New Features

  • docker-latest has been upgraded to version 1.12.1

    The docker-latest packages are now version 1.12.1. The following article has been updated to reflect the changes: Introducing docker-latest for RHEL 7 and RHEL Atomic Host.

  • docker 1.12 uses runc as a runtime environment

    Since docker version 1.11, runc is used instead of libcontainer as the container runtime. The docker-latest packages contain docker 1.12, and runc can be found in /usr/libexec/docker/docker-runc. However, docker-runc is for internal use only by docker. If you want to use the runc command, you still need the runc package installed on your system. For RHEL Atomic Host, it is part of the OSTree by default, and for Red Hat Enterprise Linux 7, it is available as a separate package.

    Important

    Red Hat does not support modifying which runc binary is used by docker.

  • docker swarm is now available

    As of the 1.12 release, the upstream Docker project has embedded Docker Swarm in the docker binary. To avoid any unintended bugs, Red Hat has chosen to include Swarm as an unsupported add-on. For container orchestration, Red Hat recommends OpenShift and Kubernetes.

Chapter 18. Red Hat Enterprise Linux Atomic Host 7.2.6

18.1. Atomic Host

OStree update:

New Tree Version: 7.2.6 (hash: b672bf8a457cb28e003dee20c53749636ef5fce3e4743afe4aaad269d3aaa62a)
Changes since Tree Version 7.2.5 (hash: 9bfe1fb65094d43e420490196de0e9aea26b3923f1c18ead557460b83356f058)

Updated packages:

  • glib2-2.46.2-3.el7
  • cockpit-ostree-0.114-2.el7
  • libsolv-0.6.20-5.el7
  • ostree-2016.7-2.atomic.el7
  • rpm-ostree-client-2016.5-1.atomic.el7
  • rpm-ostree-2016.5-1.atomic.el7

18.2. Extras

Updated packages:

  • atomic-1.10.5-7.el7
  • cockpit-0.114-2.el7
  • docker-1.10.3-46.el7.10
  • docker-latest-1.10.3-46.el7.10
  • docker-distribution-2.4.1-2.el7 *
  • etcd-2.3.7-2.el7
  • kubernetes-1.2.0-0.13.gitec7364b.el7
  • runc-0.1.1-5.el7 (Technology Preview) *
  • storaged-2.5.2-2.el7 *

New packages:

  • oci-systemd-hook-0.1.4-4.git41491a3.el7
  • oci-register-machine-0-1.7.git31bbcd2.el7
  • skopeo-0.1.13-8.el7 (Technology Preview)

The asterisk (*) marks packages which are available for Red Hat Enterprise Linux only.

18.2.1. Container Images

Updated:

  • Red Hat Enterprise Linux Container Image (rhel7/rhel)
  • Red Hat Enterprise Linux Atomic Tools Container Image (rhel7/rhel-tools)
  • Red Hat Enterprise Linux Atomic rsyslog Container Image (rhel7/rsyslog)
  • Red Hat Enterprise Linux Atomic sadc Container Image (rhel7/sadc)
  • Red Hat Enterprise Linux Atomic cockpit-ws Container Image (rhel7/cockpit-ws)
  • Red Hat Enterprise Linux Atomic etcd Container Image (rhel7/etcd)
  • Red Hat Enterprise Linux Atomic Kubernetes-controller Container Image (rhel7/kubernetes-controller-mgr)
  • Red Hat Enterprise Linux Atomic Kubernetes-apiserver Container Image (rhel7/kubernetes-apiserver)
  • Red Hat Enterprise Linux Atomic Kubernetes-scheduler Container Image (rhel7/kubernetes-scheduler)
  • Red Hat Enterprise Linux Atomic SSSD Container Image (rhel7/sssd) (Technology Preview)
  • Red Hat Enterprise Linux Atomic openscap Container Image (rhel7/openscap) (Technology Preview)

18.3. New Features

  • Containerized core Kubernetes master services coming in 7.3 release

    The Red Hat Enterprise Linux Atomic Host build will be further optimized for size and improved flexibility of Kubernetes version management starting with the 7.3 release. The core Kubernetes master services (kube-apiserver, kube-controller-manager and kube-scheduler) will be installed as containers after Atomic Host is booted. Instructions on migrating to a containerized Kubernetes are available here and users should prepare for this in advance.

  • Cockpit has been rebased to version 0.114

    Most notable changes:

    • The protocol of cockpit-bridge and Cockpit’s javascript API is now stable. Plugins written against the javascript API should not experience changes from this point on.
    • Red Hat subscriptions can now specify activation keys and organization.
    • SSH Host keys are now shown on the system page.
    • tuned is now disabled correctly when clearing a performance profile.
    • Improved password score error messages are now displayed.
    • An erroneous docker dependency has been removed from the cockpit package.
    • Network configuration of the Ethernet Maximum Transmission Unit (MTU) is now available.
    • The "active-backup" mode is now used as the default for new network bonds.
    • Network interfaces where NM_CONTROLLED=no is set are no longer displayed.
    • The network on/off switch for unknown or unmanaged interfaces is now disabled.

      The packages also include numerous other bug fixes and admin interface improvements.

Chapter 19. Red Hat Enterprise Linux Atomic Host 7.2.5

19.1. Atomic Host

OStree update:

New Tree Version: 7.2.5 (hash: 9bfe1fb65094d43e420490196de0e9aea26b3923f1c18ead557460b83356f058)
Changes since Tree Version 7.2.4 (hash: b060975ce3d5abbf564ca720f64a909d1a4d332aae39cb4de581611526695a0c)

Updated packages:

  • rpm-ostree-client-2016.3.1.g5bd7211-2.atomic.el7.1
  • rpm-ostree-2016.3.1.g5bd7211-1.atomic.el7
  • ostree-2016.5-3.atomic.el7
  • cockpit-ostree-0.108-1.el7

New packages:

  • openscap-daemon-0.1.5-1.el7

19.2. Extras

Updated packages:

  • atomic-1.10.5-5.el7
  • cockpit-0.108-1.el7
  • docker-1.10.3-44.el7
  • docker-distribution-2.4.1-1.el7 *
  • docker-latest-1.10.3-44.el7
  • dpdk-2.2.0-3.el7 *
  • etcd-2.2.5-2.el7
  • kubernetes-1.2.0-0.12.gita4463d9.el7
  • runc-0.1.1-4.el7 (Technology Preview) *

The asterisk (*) marks packages which are available for Red Hat Enterprise Linux only.

19.2.1. Container Images

Updated:

  • Red Hat Enterprise Linux Container Image (rhel7/rhel)
  • Red Hat Enterprise Linux Atomic Tools Container Image (rhel7/rhel-tools)
  • Red Hat Enterprise Linux Atomic rsyslog Container Image (rhel7/rsyslog)
  • Red Hat Enterprise Linux Atomic sadc Container Image (rhel7/sadc)
  • Red Hat Enterprise Linux Atomic cockpit-ws Container Image (rhel7/cockpit-ws)
  • Red Hat Enterprise Linux Atomic etcd Container Image (rhel7/etcd)
  • Red Hat Enterprise Linux Atomic Kubernetes-controller Container Image (rhel7/kubernetes-controller-mgr)
  • Red Hat Enterprise Linux Atomic Kubernetes-apiserver Container Image (rhel7/kubernetes-apiserver)
  • Red Hat Enterprise Linux Atomic Kubernetes-scheduler Container Image (rhel7/kubernetes-scheduler)
  • Red Hat Enterprise Linux Atomic SSSD Container Image (rhel7/sssd) (Technology Preview)

New:

  • Red Hat Enterprise Linux Atomic openscap Container Image (rhel7/openscap) (Technology Preview)

19.3. New Features

  • ostree admin unlock command now available

    Red Hat Enterprise Linux Atomic Host 7.2.5 introduces the new command ostree admin unlock. It allows users to unlock the current ostree deployment and install packages temporarily. This is done by mounting a writable overlayfs on /usr. When a user reboots, the overlayfs is unmounted and the packages are no longer installed. Use the ostree admin unlock --hotfix option for changes, such as package installs, to persist across reboots. This command provides the same capabilities as atomic-pkglayer, which is now deprecated. There are known issues with overlayfs and SELinux, so this functionality is not intended for long-term use.

  • Strict browser security policy for Cockpit is now enforced

    This defines what code can be run in a Cockpit session and mitigates a number of browser-based attacks.

Chapter 20. Red Hat Enterprise Linux Atomic Host 7.2.4

20.1. Atomic Host

OStree update:

New Tree Version: 7.2.4 (hash: b060975ce3d5abbf564ca720f64a909d1a4d332aae39cb4de581611526695a0c)
Changes since Tree Version 7.2.3-1 (hash: 644fcc603549e996f051b817ba75a746f23f392cfcc7e05ce00342dec6084ea8)

Updated packages:

  • cockpit-ostree-0.103-1.el7

New packages:

  • atomic-devmode-0.3.3-3.el7 (Technology Preview) *

20.2. Extras

Updated packages:

  • cockpit-0.103-1.el7
  • docker-1.9.1-40.el7
  • docker-distribution-2.4.0-2.el7 *
  • kubernetes-1.2.0-0.11.git738b760.el7
  • runc-0.1.0-3.el7 (Technology Preview) *

New packages:

  • docker-latest-1.10.3-22.el7

The asterisk (*) marks packages which are available for Red Hat Enterprise Linux only.

20.2.1. Container Images

Updated:

  • Red Hat Enterprise Linux Container Image (rhel7/rhel)
  • Red Hat Enterprise Linux Atomic Tools Container Image (rhel7/rhel-tools)
  • Red Hat Enterprise Linux Atomic rsyslog Container Image (rhel7/rsyslog)
  • Red Hat Enterprise Linux Atomic sadc Container Image (rhel7/sadc)
  • Red Hat Enterprise Linux Atomic cockpit-ws Container Image (rhel7/cockpit-ws)
  • Red Hat Enterprise Linux Atomic etcd Container Image (rhel7/etcd)
  • Red Hat Enterprise Linux Atomic Kubernetes-controller Container Image (rhel7/kubernetes-controller-mgr)
  • Red Hat Enterprise Linux Atomic Kubernetes-apiserver Container Image (rhel7/kubernetes-apiserver)
  • Red Hat Enterprise Linux Atomic Kubernetes-scheduler Container Image (rhel7/kubernetes-scheduler)
  • Red Hat Enterprise Linux Atomic SSSD Container Image (rhel7/sssd) (Technology Preview)

20.3. New Features

  • Beginning with the Atomic Host 7.2.4 release, two versions of the docker service will be included in the operating system: docker 1.9 and docker 1.10.

    The following Knowledgebase article contains all information you need to know about using these two versions of docker: https://access.redhat.com/articles/2317361.

  • Introduced conflict between docker 1.9 and atomic-openshift 3.1 / origin 1.1 has been removed

    Previously, due to stability issues between docker 1.9 and atomic-openshift 3.1 / origin 1.1, docker 1.9 was packaged to conflict with atomic-openshift versions older than 3.2 and origin versions older than 1.2. As a consequence, running yum update on an OpenShift Enterprise 3.1 system failed due to that introduced conflict. This bug has been fixed, and running yum update now does not cause conflicts, successfully resolves the dependencies, and installs docker 1.9.

  • Updated kubernetes packages

    Kubernetes has been updated to ose v3.2.0.16, which corresponds to Kubernetes v1.2.0. Additionally, support for exposing secret keys in environment variables has been introduced.

  • Cockpit has been rebased to version 0.103

    Most notable changes:

    • When Cockpit fails to connect to a host, relevant SSH command or host details are now displayed to help resolve the issue.
    • Docker restart policy can now be configured when starting a new container.
    • Creating logical volumes has been combined into a single dialog.
    • Joining IPA domains no longer offers a Computer OU option.
    • Binary journal data is now displayed correctly.
    • Disk or file system sizes are displayed using IEC names, such as MiB.
    • Logical volumes can no longer be shrunk and the file system partition dialog prevents negative sizes.
    • Strict Content-Security-Policy is implemented on most of Cockpit to prevent a number of browser based attacks.

      The packages also include numerous other bug fixes and admin interface improvements.

Chapter 21. Red Hat Enterprise Linux Atomic Host 7.2.3

21.1. Atomic Host

OStree update:

New Tree Version: 7.2.3 (hash: d620e841861c746b5a296337c1659e6625abfeff96844099d48540fc93717656)
Changes since Tree Version 7.2.2-2 (hash: 8b2cf24b420d659179dc866eab1bb341748839204ba56ed46a86218010789e91)

New packages:

  • atomic-pkglayer-2016.1.1.gfbf8dde-2.el7 *

21.2. Extras

Updated packages:

  • atomic-1.9-4.gitff44c6a.el7
  • cockpit-0.96-2.el7
  • docker-1.9.1-25.el7
  • docker-distribution-2.3.1-1.el7 *
  • dpdk-2.2.0-2.el7 *
  • etcd-2.2.5-1.el7
  • kubernetes-1.2.0-0.9.alpha1.gitb57e8bd.el7
  • python-docker-py-1.7.2-1.el7

New packages:

  • runc-0.0.8-1.git4155b68.el7 (Technology Preview) *

The asterisk (*) marks packages which are available for Red Hat Enterprise Linux only.

21.2.1. Container Images

Updated:

  • Red Hat Enterprise Linux Container Image (rhel7/rhel)
  • Red Hat Enterprise Linux Atomic Tools Container Image (rhel7/rhel-tools)
  • Red Hat Enterprise Linux Atomic rsyslog Container Image (rhel7/rsyslog)
  • Red Hat Enterprise Linux Atomic sadc Container Image (rhel7/sadc)
  • Red Hat Enterprise Linux Atomic cockpit-ws Container Image (rhel7/cockpit-ws)
  • Red Hat Enterprise Linux Atomic etcd Container Image (rhel7/etcd)
  • Red Hat Enterprise Linux Atomic Kubernetes-controller Container Image (rhel7/kubernetes-controller-mgr)
  • Red Hat Enterprise Linux Atomic Kubernetes-apiserver Container Image (rhel7/kubernetes-apiserver)
  • Red Hat Enterprise Linux Atomic Kubernetes-scheduler Container Image (rhel7/kubernetes-scheduler)

New:

  • Red Hat Enterprise Linux Atomic SSSD Container Image (rhel7/sssd) (Technology Preview)

21.3. New Features

  • Cockpit has been rebased to version 0.96

    Cockpit packages that are part of Red Hat Enterprise Linux Atomic Host 7.2.3 include cockpit-bridge, cockpit-shell, cockpit-docker, and cockpit-ostree. Other cockpit-related software can be added to a Red Hat Enterprise Linux Atomic Host via containers (such as the rhel7/cockpit-ws container). Cockpit 0.96 is compatible with docker 1.10.

    This version fixes previous bugs with memory leaks, mostly related to DBus, and various navigation and connection issues. Also, you can now limit concurrent authentication, similar to sshd, using the MaxStartups setting.

  • New sub-commands added to the atomic CLI

    The atomic command-line tool for managing Atomic systems and containers now includes the "top", "diff" and "migrate" sub-commands. For more information on the syntax and usage, see https://access.redhat.com/documentation/en/red-hat-enterprise-linux-atomic-host/version-7/cli-reference/#cli_commands.

  • Support for customization of the host system

    The new atomic-pkglayer packages contain a tool to install debug packages on Atomic Host systems. It is intended only for use inside the Red Hat Enterprise Linux Atomic Tools container image (rhel7/rhel-tools). It provides a mechanism to add RPM packages to an Atomic Host by allowing you to include them in local ostree layers on the existing system. See Installing RPMs on an Atomic Host with atomic-pkglayer for a description of the atomic-pkglayer tool.

Chapter 22. Red Hat Enterprise Linux Atomic Host 7.2.2

22.1. Atomic Host

OStree update:

New Tree Version: 7.2.2 (hash: a9036292783ddfd389459d9bab69df5a655a0d6bb4dc6239a0aeff0f5d356f2e)

22.2. Extras

Updated packages:

  • atomic-1.8-6.git1bc3814.el7
  • cockpit-0.93-1.el7
  • docker-1.8.2-10.el7
  • docker-distribution-2.2.1-1.el7 *
  • etcd-2.2.2-5.el7
  • flannel-0.5.3-9.el7
  • kubernetes-1.2.0-0.6.alpha1.git8632732.el7
  • python-docker-py-1.6.0-1.el7

The asterisk (*) marks packages which are available for Red Hat Enterprise Linux only.

22.2.1. Container Images

Updated:

  • Red Hat Enterprise Linux Container Image (rhel7/rhel)
  • Red Hat Enterprise Linux Atomic Tools Container Image (rhel7/rhel-tools)
  • Red Hat Enterprise Linux Atomic rsyslog Container Image (rhel7/rsyslog)
  • Red Hat Enterprise Linux Atomic sadc Container Image (rhel7/sadc)
  • Red Hat Enterprise Linux Atomic cockpit-ws Container Image (rhel7/cockpit-ws)
  • Red Hat Enterprise Linux Atomic etcd Container Image (rhel7/etcd)
  • Red Hat Enterprise Linux Atomic Kubernetes-controller Container Image (rhel7/kubernetes-controller-mgr)
  • Red Hat Enterprise Linux Atomic Kubernetes-apiserver Container Image (rhel7/kubernetes-apiserver)
  • Red Hat Enterprise Linux Atomic Kubernetes-scheduler Container Image (rhel7/kubernetes-scheduler)

22.3. New Features

  • The v1beta3 API is no longer supported in kubernetes

    Using v1beta3 in configuration files is no longer supported. Creating a v1beta3-style object with the kubectl command will fail with the following error:

    error validating data: the server could not find the requested resource; if you choose to ignore these errors, turn validation off with --validate=false

    Using the --validate=false option will create an object, but the object will appear as a v1 object instead.

  • A separate cockpit-docker subpackage is now shipped

    Previously, the Cockpit docker support was shipped with the cockpit-shell subpackage. Now, the cockpit-docker subpackage is available to be installed separately on Red Hat Enterprise Linux and is included in the OSTree available for RHEL Atomic Host.

  • Cockpit has been rebased to version 0.93

    Most notable changes:

    • Licenses of included components are now distributed in the source RPM.
    • Reworked TLS certificates for Cockpit.
    • Cockpit now offers to activate multipathd for multipath disks.
    • Added user interface for OSTree upgrades and rollbacks.
    • Added OAuth login support.
    • Added SOS report to the user interface.
    • Added support for the Tuned power management tool.

Chapter 23. Red Hat Enterprise Linux Atomic Host 7.2

23.1. Atomic Host

OStree update:

New Tree Version: 7.2 (hash: ec85fba1bf789268d5fe954aac09e6bd58f718e47a2fcb18bf25073b396e695d)
Changes since Tree Version 7.1.6 (hash: 23d96474f6775c27cf258e9872330b23f20e80ff4e0b61426debd00ca11a953f)

23.2. Extras

Updated packages:

  • atomic-1.6-6.gitca1e384.el7
  • cockpit-0.77-3.1.el7
  • docker-1.8.2-8.el7
  • flannel-0.5.3-8.el7
  • kubernetes-1.0.3-0.2.gitb9a88a7.el7
  • python-docker-py-1.4.0-118.el7
  • python-websocket-client-0.32.0-116.el7
  • storaged-2.2.0-3.el7 *

New packages:

  • docker-distribution-2.1.1-3.el7 *

The asterisk (*) marks packages which are available for Red Hat Enterprise Linux only.

23.2.1. Container Images

Updated:

  • Red Hat Enterprise Linux Container Image (rhel7/rhel)
  • Red Hat Enterprise Linux Atomic Tools Container Image (rhel7/rhel-tools)
  • Red Hat Enterprise Linux Atomic rsyslog Container Image (rhel7/rsyslog)
  • Red Hat Enterprise Linux Atomic sadc Container Image (rhel7/sadc)
  • Red Hat Enterprise Linux Atomic cockpit-ws Container Image (rhel7/cockpit-ws)

New:

  • Red Hat Enterprise Linux Atomic etcd Container Image (rhel7/etcd)
  • Red Hat Enterprise Linux Atomic Kubernetes-controller Container Image (rhel7/kubernetes-controller-mgr)
  • Red Hat Enterprise Linux Atomic Kubernetes-apiserver Container Image (rhel7/kubernetes-apiserver)
  • Red Hat Enterprise Linux Atomic Kubernetes-scheduler Container Image (rhel7/kubernetes-scheduler)

23.3. New Features

  • docker has been upgraded to version 1.8.2

    Notable changes:

    • docker now displays a warning message if you are using the loopback device as a backend storage option.
    • The docker info command now shows the rpm version of the client and server.
    • The default mount propagation is Slave instead of Private. This allows volume (bind) mounts to be altered on the host, and the new mounts show up inside of the container.
    • The --add-registry and --block-registry options have been added. This allows additional registries to be specified in addition to docker.io in /etc/sysconfig/docker.
    • You can now inspect the content of remote repositories and check for newer versions. This functionality is implemented in the atomic verify command from the atomic command-line tool.
  • flannel has been upgraded to version 0.5.3

    Notable changes:

    • flannel’s network prefix was changed from coreos.com/network to atomic.io/network.
    • flannel’s behavior when the first ping packet was lost has been fixed.
    • The flanneld.service now starts after the network is ready.
  • Cockpit has been rebased to version 0.77

    Notable changes:

    • Cockpit now displays the limit for the number of supported hosts when adding servers to the dashboard.
    • Cleaner bookmarkable URLs.
    • Includes basic SSH key authentication functionality.
    • Basic interactions with multipath storage have been fixed.
    • When password authorization is not possible, Cockpit displays an informative message.
    • Authentication now works when embedding Cockpit.
  • Removed systemd socket activation

    For security reasons, systemd socket activation, which was supported in earlier versions of docker, has been removed. Now, it is not recommended to use the docker group as a mechanism for talking to the docker daemon as a non-privileged user. Instead, set up sudo for this type of access. If the docker daemon is not running after the upgrade, create the /etc/sysconfig/docker.rpmnew file, add any local customization to it and replace /etc/sysconfig/docker with it. Additionally, remove the -H fd:// line from /etc/sysconfig/docker if it is present.
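An added example, not taken from these release notes or from Red Hat's tooling: a POSIX shell audit of /etc/sysconfig/docker for the -H fd:// flag that this item says to remove. It also reports -H tcp:// listeners, which the Known Issues chapter advises against. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a docker sysconfig file for -H/--host values.

# Write a constructed sample of /etc/sysconfig/docker to the given path.
write_sample() {
    cat > "$1" <<'EOF'
# /etc/sysconfig/docker (constructed sample, not from a real host)
OPTIONS='--selinux-enabled --log-driver=journald -H fd:// -H tcp://0.0.0.0:2375'
# OPTIONS='-H tcp://127.0.0.1:2375'
ADD_REGISTRY='--add-registry registry.access.redhat.com'
EOF
}

# Print every -H/--host value found on non-comment lines, one per line.
# Accepts "-H VALUE", "--host VALUE", "-H=VALUE" and "--host=VALUE".
docker_host_values() {
    awk '
        /^[ \t]*#/ { next }                               # skip comment lines
        {
            sub(/^[ \t]*[A-Za-z_][A-Za-z0-9_]*=/, "")     # drop the leading NAME=
            gsub(/["\047]/, " ")                          # drop shell quoting
            for (i = 1; i <= NF; i++) {
                if ($i == "-H" || $i == "--host") {
                    if (i < NF) print $(i + 1)
                    i++
                } else if ($i ~ /^(-H|--host)=/) {
                    v = $i; sub(/^[^=]*=/, "", v); print v
                }
            }
        }
    ' "$1"
}

# Map one host value to the category this page cares about.
classify_host() {
    case $1 in
        fd://*)   echo "socket-activation" ;;  # removed; the flag must be deleted
        tcp://*)  echo "tcp-listener" ;;       # daemon API reachable over TCP
        unix://*) echo "unix-socket" ;;
        *)        echo "other" ;;
    esac
}

# Print one "category value" line per risky flag; return 1 if any were found.
audit_docker_sysconfig() {
    report=$(docker_host_values "$1" | while read -r value; do
        kind=$(classify_host "$value")
        case $kind in
            socket-activation|tcp-listener) printf '%s %s\n' "$kind" "$value" ;;
        esac
    done)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Stand-alone use: pass a sysconfig file, or run with no argument to audit
# the constructed sample above.
if [ "$#" -ge 1 ]; then
    target=$1
else
    target=$(mktemp) && write_sample "$target"
fi
if audit_docker_sysconfig "$target"; then
    echo "no fd:// or tcp:// host flags in $target"
fi
[ "$#" -ge 1 ] || rm -f "$target"
```

Run it as root with /etc/sysconfig/docker as the argument; any line it prints names a flag to remove or review before restarting the docker service.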

Chapter 24. Technology Previews

  • podman now available

    The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use container pods. Container pods are a concept from Kubernetes.

    Beginning with RHEL Atomic Host 7.5.1, podman is available as a technology preview. For podman documentation, see Using podman to work with containers.

  • LiveFS now available

    Previously, layering packages on Atomic Host required a reboot for the software to be available on the system. The LiveFS feature removes the need to reboot, making layered packages available instantly.

    See Package Layering for more information and usage instructions.

  • Identity Management in a container

    Identity Management (IdM) in a container is provided as a Technology Preview. To install this new image, use the atomic install --hostname <IPA_server_hostname> rhel7/ipa-server command. In addition to --hostname, the atomic install command supports the following keywords for specifying the style of the container to be run:

    • net-host - share the host’s network to the container
    • publish - publish all ports to the host’s interfaces
    • cap-add - add a capability to the container

    You can also use the atomic install rhel7/ipa-server help command to list these keywords and their usage.

Chapter 25. Known Issues

  • ostree remote configuration might be missing on new installations

    The 'ostree' remote configuration might be missing on new installations of RHEL Atomic Host 7.5.0. Consequently, when the rpm-ostreed daemon starts, it does not find configuration of the remote, which causes the rpm-ostree command to hang.

    So far, this issue has been found on new Kickstart installations, but not on ISO or cloud installations.

    To fix the problem, follow these steps:

    1. Populate the /etc/ostree/remotes.d/ directory with an ostree remote configuration. This configuration should match the remote in the .origin file that is in /sysroot/ostree/deploy/rhel-atomic-host/deploy/. Example contents of /etc/ostree/remotes.d/redhat.conf:

      [remote "rhel-atomic-host-ostree"]
      url=file:///install/ostree/repo
    2. Restart the rpm-ostreed service:

      # systemctl restart rpm-ostreed.service

      Alternatively, you can fix the problem by simply registering the system with subscription-manager.
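An added example, not part of the original release notes or of Red Hat's tooling: a POSIX shell check that the remote named in a deployment's .origin file is actually defined under a remotes.d directory, which is the match step 1 asks for. It assumes the usual `[origin]` / `refspec=<remote>:<branch>` layout of .origin files; the function names, the branch name and the sample files are constructed.

```shell
#!/bin/sh
# Added example: compare an ostree .origin file with remotes.d configuration.
# Remotes defined in the repository's own config file are not inspected.

# Print the remote name from the "refspec=<remote>:<branch>" line.
# Prints nothing when the refspec has no "<remote>:" part.
origin_remote() {
    sed -n 's/^[[:space:]]*refspec[[:space:]]*=[[:space:]]*\([^:]*\):.*$/\1/p' "$1" | head -n 1
}

# Succeed if some DIR/*.conf has a [remote "NAME"] section that sets url=.
remote_defined() {
    name=$1
    dir=$2
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        awk -v want="[remote \"$name\"]" '
            /^[ \t]*\[/ {
                sect = $0
                sub(/^[ \t]+/, "", sect); sub(/[ \t]+$/, "", sect)
                in_sect = (sect == want)
                next
            }
            in_sect && /^[ \t]*url[ \t]*=/ { found = 1 }
            END { exit !found }
        ' "$conf" && return 0
    done
    return 1
}

# check_origin ORIGIN_FILE REMOTES_DIR
# Prints "ok", "missing:<remote>" or "no-remote-in-origin"; returns 0 only for "ok".
check_origin() {
    remote=$(origin_remote "$1")
    if [ -z "$remote" ]; then
        echo "no-remote-in-origin"
        return 2
    fi
    if remote_defined "$remote" "$2"; then
        echo "ok"
        return 0
    fi
    echo "missing:$remote"
    return 1
}

# Stand-alone use: check_origin on the two paths given as arguments, or a
# constructed before/after demonstration when run without arguments.
if [ "$#" -eq 2 ]; then
    check_origin "$1" "$2" || true
else
    demo_dir=$(mktemp -d)
    mkdir -p "$demo_dir/remotes.d"
    printf '[origin]\nrefspec=rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard\n' \
        > "$demo_dir/constructed.0.origin"
    # Before the fix: remotes.d is empty, so the remote is reported missing.
    check_origin "$demo_dir/constructed.0.origin" "$demo_dir/remotes.d" || true
    # After step 1: the example redhat.conf from this page is in place.
    printf '[remote "rhel-atomic-host-ostree"]\nurl=file:///install/ostree/repo\n' \
        > "$demo_dir/remotes.d/redhat.conf"
    check_origin "$demo_dir/constructed.0.origin" "$demo_dir/remotes.d" || true
    rm -rf "$demo_dir"
fi
```

On an affected host, pass each .origin file under /sysroot/ostree/deploy/rhel-atomic-host/deploy/ together with /etc/ostree/remotes.d; a `missing:` result before step 1 and `ok` after it confirms the configuration matches.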

  • Containers running systemd do not work

    Prior to Atomic Host 7.5.0, due to a bug, the container_manage_cgroup SELinux boolean permitted containers to modify cgroup settings whether the boolean was on or off. In 7.5.0, this has been fixed. Now, if you need to run containers with systemd, you need to set the boolean to on:

    # setsebool -P container_manage_cgroup on

    See this Knowledgebase solution for more information.

  • Old LVM configuration file sometimes not available after upgrading

    If an LVM operation happens during an Atomic Host upgrade, the old LVM configuration file might not be available after the upgrade. You would see this error message:

    Failed to read modified config file 'lvm/...'

    To work around this, ensure that no LVM operation happens during an upgrade.

    A common LVM operation that might happen is thin-pool auto-extension. To prevent thin-pool auto-extension, upgrade as follows:

    1. Disable auto-extension:

      # lvchange --monitor n VG/ThinPoolLV
    2. Upgrade:

      # atomic host upgrade
    3. After upgrade or reboot, enable auto-extension:

      # lvchange --monitor y VG/ThinPoolLV

      In an extremely rare case, this scenario will break LVM. To allow recovery from broken LVM, back up /etc/lvm before upgrading.

      (BZ#1365297)

  • The root partition might have too little space for upgrades

    The default Atomic Host root partition might be too small for upgrades. To upgrade, you might need to expand the root logical volume. See these sections:

    Alternatively, you can free space on the root partition by pruning the previous deployment.

    For background information on the root partition, see Managing Storage in Red Hat Enterprise Linux Atomic Host.

  • atomic uninstall uninstalls all sssd containers

    Running this command on an sssd container:

    $ atomic uninstall --name=container-name

    incorrectly uninstalls not only the container-name sssd container, but all sssd containers.

    To mitigate this, do not uninstall an sssd container if you use any other sssd containers.

  • Cannot use memory cgroups without swap on IBM POWER8 series

    The "runc exec" command on the little-endian variant of IBM Power Systems uses significantly more memory than on AMD64 and Intel 64. Therefore, to prevent running out of memory, do not set the cgroup memory limit to less than 100 megabytes.

  • By default, no user namespaces are allowed

    By default, the new 7.4 kernel restricts the number of user namespaces to 0.

    To work around this, increase the user namespace limit:

    # echo 15000 > /proc/sys/user/max_user_namespaces
  • Cockpit can start dockerd when using docker, but not docker-latest

    Beginning with RHEL Atomic Host 7.3.5, service-related functions in Cockpit might not work as expected if you run with docker-latest instead of docker. Notably, Cockpit fails to start the docker daemon when running with docker-latest.

  • Exposing the docker daemon through a TCP port is not secure

    The docker daemon performs no authentication, so binding it to a TCP port would give root access to any process with access to that TCP port. Red Hat advises against binding docker to a TCP port. See Access port options for details.

  • atomic scan will try to connect to the Internet if you do not use atomic install first

    When you install the openscap container image with the atomic install command, the /etc/oscapd/oscapd.ini configuration file is placed on the host machine and gets exposed to the container. The oscapd.ini file contains the information about where to fetch Open Vulnerability and Assessment Language (OVAL) content from. The default setting is to use the CVE data from inside the container, and it won't connect to the Internet unless you explicitly configure it to do so. When you do not use atomic install and directly start scanning with atomic scan, atomic will fetch the container and run it immediately, ignoring the INSTALL label. This means that /etc/oscapd/oscapd.ini won't be placed on the host system or exposed to the container, and the default behavior of the openscap-daemon itself inside the container will be used. That default behavior is to download CVE data from Red Hat's URL, connecting to the Internet. Because of this, it is recommended that you use atomic install before scanning containers so that the settings from the oscapd.ini file are used. If not, scanning will still work, but be aware of the difference in the behavior of the openscap-daemon in both cases.

  • Red Hat Enterprise Linux Atomic Host does not support FIPS mode

    FIPS mode cannot be enabled on RHEL Atomic Host.

  • Upgrade to 7.3 from release versions older than 7.2.7 fails with an error on Atomic Host

    Attempting to upgrade from RHEL Atomic Host 7.2.6-1 or older to 7.3 fails with the following error:

    "error: fsetxattr: Invalid argument"

    There are three possible workarounds:

    1) Disable SELinux and upgrade as usual:

    # setenforce 0
    # atomic host upgrade

    2) Stop rpm-ostreed and change the SELinux context:

    # systemctl stop rpm-ostreed
    # cp /usr/libexec/rpm-ostreed /usr/local/bin/rpm-ostreed
    # chcon -t install_exec_t /usr/local/bin/rpm-ostreed
    # /usr/local/bin/rpm-ostreed
    # atomic host upgrade

    3) Deploy Atomic Host 7.2.7 first and then upgrade:

    # atomic host deploy 7.2.7
    # systemctl reboot
    # atomic host upgrade
  • Atomic Host does not support /usr as a mount point

    Atomic Host does not support /usr as a mount point. As a consequence, Anaconda could crash if such a partition layout is configured. To work around this issue, do not make /usr a mount point.

  • etcdctl backup now reuses backup of the previous etcd member to avoid data loss

    Previously, a member failed to be added to the etcd cluster when the database size was more than 700 MB, resulting in data loss. To work around this issue, the etcdctl backup command has been extended with options to reuse the backup of the previous etcd member.

  • rhel-push-plugin service does not restart after package upgrade

    The docker service requires rhel-push-plugin to be started before itself. However, after upgrading the docker and docker-rhel-push-plugin packages, the docker daemon restarts while using the already existing rhel-push-plugin service in memory without restarting it. To work around this issue, manually restart rhel-push-plugin first, and the docker service afterwards.

  • etcd will not start if its current version is older than the etcd cluster version

    etcd checks if the etcd version is older than the etcd cluster version. If this is the case, etcd will not start and applications dependent on etcd can fail. This issue prevents RHEL Atomic Host from cleanly rolling back from version 7.2.6 to earlier versions.

  • In a kubernetes cluster, if the nodes are newer than the master, they may fail to start.

    In a kubernetes cluster, if the master contains an older version of kubernetes than the nodes, the nodes may fail to start. To work around this issue, always upgrade the master nodes first. As a result, the cluster will continue to function as expected.

  • docker 1.10 introduced a seccomp filter which will cause some syscalls to fail inside containers.

    As a workaround, pass the --security-opt seccomp:unconfined option to docker when creating a container. Docker maintains a help page with a comprehensive list of blocked calls and the reasoning behind them, see https://docs.docker.com/engine/security/seccomp/. Note that the list is not entirely identical to what is blocked in Red Hat Enterprise Linux.

  • Upgrade of docker from 1.9 to 1.10 loses image metadata

    Under certain circumstances, upgrading from docker 1.9 to docker 1.10 can result in a loss of docker image tag metadata. The underlying image layers remain intact and can be seen by running docker images -a. If the metadata is present on a remote registry, it can be recovered by simply re-running docker pull. This command will restore the metadata while avoiding a transfer of the already existing layer data.

  • Atomic Host installation offers BTRFS but it is not supported.

    The RHEL Atomic Host installer offers BTRFS as a partition option, but the tree does not include btrfs-progs. Consequently, if you choose this option in the installer, you will not be able to proceed with the installation until you choose another option.

  • When the root partition runs out of free space

    RHEL Atomic Host allocates 3GB of storage to the root partition, which includes the docker volumes (units of storage that a running container can request from the host system). This makes it easy for the root partition to run out of storage space. If insufficient space is available, upgrading with atomic host upgrade will fail. To support more volume space, more physical storage must be added to the system, or the root Logical Volume must be extended. By default, 40% of the other volume is reserved for storing the container images. The other 60% can be used to extend the root partition. For detailed instructions, see https://access.redhat.com/documentation/en/red-hat-enterprise-linux-atomic-host/version-7/getting-started-with-containers/#changing_the_size_of_the_root_partition_after_installation.

  • Rescue mode does not work in RHEL Atomic Host.

    The Anaconda installer is unable to find a previously installed Atomic Host system when in rescue mode. Consequently, rescue mode does not work and should not be used.

  • The brandbot.path service may cause subscription-manager to change the /etc/os-release file in 7.1 installations.

    The /etc/os-release file may still specify the 7.1 version even after Atomic Host has been upgraded to 7.2 using the atomic host upgrade command. This occurs because the underlying ostree tool preserves modified files in /etc. As a workaround, after upgrading to 7.2, run the following command:

    cp /usr/etc/os-release /etc

    This way, the /etc/os-release file will return to an unmodified state, and because brandbot.path is masked in 7.2.0, it will not be modified in the future by subscription-manager, and future upgrades will show the correct version.

  • When running kube-apiserver on port 443 in secure mode, some capabilities are missing.

    As a workaround, the kube-apiserver binary has to be modified by running:

    # chown root:root /usr/bin/kube-apiserver
    # chmod 700 /usr/bin/kube-apiserver
    # setcap CAP_NET_BIND_SERVICE=ep /usr/bin/kube-apiserver

Chapter 26. Amazon Machine Image IDs

With every release of RHEL Atomic Host, new versions of Amazon Machine Images (AMIs) are uploaded to Amazon Web Services (AWS). The ID for an AMI is different in each AWS region, and all of the IDs change with each release. Some areas consist of multiple regions with the same name, such as us-east-1 and us-east-2. For more information on AWS Regions, see Regions and Availability Zones.

This chapter provides lists of AMIs of RHEL Atomic Host that are currently in production and available on AWS.

Warning

The AMIs in this list represent official, supported Atomic Host images that are available for use in AWS. If you have an image that is not on this list, and you believe that it is an official Red Hat Atomic Host image, you can check it by typing the following command:

ostree show rhel-atomic-host/7/x86_64/standard

The result will show if the image contains a valid signature from Red Hat, Inc.
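The check above can be scripted so that an unlisted image is rejected unless the signature verifies. The following is an added example, not part of the Red Hat documentation: the function name, the status strings it matches (assumed to follow ostree's GPG result text), and the sample outputs are all constructed for illustration.

```shell
#!/bin/sh
# Gate on the text printed by:
#   ostree show rhel-atomic-host/7/x86_64/standard
# Assumption: ostree reports each signature as "Good signature from",
# "BAD signature from" or "Expired signature from" followed by the signer.
EXPECTED_SIGNER='Red Hat, Inc.'   # signer name as given on the page

# Reads `ostree show` output on stdin. Returns 0 only if a signature from the
# expected signer verified and no signature is reported as BAD or expired.
# The name match is only meaningful because ostree reports "Good" solely for
# keys present in the host's trusted keyring.
check_ostree_signature() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -Eq '(BAD|Expired) signature from'; then
        return 1
    fi
    printf '%s\n' "$out" | grep -Fq "Good signature from \"$EXPECTED_SIGNER"
}

# Constructed sample outputs (placeholders, not captured from a real host).
sample_header() {
    echo 'commit <placeholder-commit-checksum>'
    echo 'Date:  2018-01-01 00:00:00 +0000'
    echo 'Version: 7.4.5'
}
sample_signed() {
    sample_header
    echo 'Found 1 signature:'
    echo
    echo '  Signature made Mon 01 Jan 2018 00:00:00 UTC using RSA key ID <placeholder>'
    echo '  Good signature from "Red Hat, Inc. <placeholder@example.invalid>"'
}
sample_unsigned() { sample_header; }   # commit metadata with no signature block
sample_bad() {
    sample_header
    echo 'Found 1 signature:'
    echo '  BAD signature from "Red Hat, Inc. <placeholder@example.invalid>"'
}
sample_other_signer() {
    sample_header
    echo 'Found 1 signature:'
    echo '  Good signature from "Example Builder <placeholder@example.invalid>"'
}

for s in sample_signed sample_unsigned sample_bad sample_other_signer; do
    if $s | check_ostree_signature; then echo "$s: accepted"; else echo "$s: rejected"; fi
done
```

On a running host, pipe the real command into the function: `ostree show rhel-atomic-host/7/x86_64/standard | check_ostree_signature`.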

26.1. RHEL Atomic Host 7.4.5

ami-30440456 : Cloud Access GP2 offering in ap-northeast-1 for x86_64
ami-eb4ae785 : Cloud Access GP2 offering in ap-northeast-2 for x86_64
ami-b7b2edd8 : Cloud Access GP2 offering in ap-south-1 for x86_64
ami-a92c66d5 : Cloud Access GP2 offering in ap-southeast-1 for x86_64
ami-f062a492 : Cloud Access GP2 offering in ap-southeast-2 for x86_64
ami-d09d1ab4 : Cloud Access GP2 offering in ca-central-1 for x86_64
ami-60a7cb0f : Cloud Access GP2 offering in eu-central-1 for x86_64
ami-bab9fec3 : Cloud Access GP2 offering in eu-west-1 for x86_64
ami-6f49ad08 : Cloud Access GP2 offering in eu-west-2 for x86_64
ami-ff62d482 : Cloud Access GP2 offering in eu-west-3 for x86_64
ami-44612a28 : Cloud Access GP2 offering in sa-east-1 for x86_64
ami-68ee1915 : Cloud Access GP2 offering in us-east-1 for x86_64
ami-d5c6f1b0 : Cloud Access GP2 offering in us-east-2 for x86_64
ami-ca5f55aa : Cloud Access GP2 offering in us-west-1 for x86_64
ami-b56be0cd : Cloud Access GP2 offering in us-west-2 for x86_64

26.2. RHEL Atomic Host 7.4.4

ami-2981ec4f : Cloud Access GP2 offering in ap-northeast-1 for x86_64
ami-048f2c6a : Cloud Access GP2 offering in ap-northeast-2 for x86_64
ami-6289d80d : Cloud Access GP2 offering in ap-south-1 for x86_64
ami-6287ff1e : Cloud Access GP2 offering in ap-southeast-1 for x86_64
ami-0c16e86e : Cloud Access GP2 offering in ap-southeast-2 for x86_64
ami-442eab20 : Cloud Access GP2 offering in ca-central-1 for x86_64
ami-a1138ace : Cloud Access GP2 offering in eu-central-1 for x86_64
ami-2eafc857 : Cloud Access GP2 offering in eu-west-1 for x86_64
ami-49465c2d : Cloud Access GP2 offering in eu-west-2 for x86_64
ami-aad96fd7 : Cloud Access GP2 offering in eu-west-3 for x86_64
ami-335e125f : Cloud Access GP2 offering in sa-east-1 for x86_64
ami-7c280006 : Cloud Access GP2 offering in us-east-1 for x86_64
ami-7fe4d405 : Cloud Access GP2 offering in us-east-1 for x86_64
ami-cb94beae : Cloud Access GP2 offering in us-east-2 for x86_64
ami-eefaf78e : Cloud Access GP2 offering in us-west-1 for x86_64
ami-3db60945 : Cloud Access GP2 offering in us-west-2 for x86_64

26.3. RHEL Atomic Host 7.4.3

ami-132aa67c : Cloud Access GP2 offering in eu-central-1 for x86_64
ami-ce12aaa8 : Cloud Access GP2 offering in ap-northeast-1 for x86_64
ami-29d59b46 : Cloud Access GP2 offering in ap-south-1 for x86_64
ami-73712310 : Cloud Access GP2 offering in ap-southeast-1 for x86_64
ami-cc48f3a8 : Cloud Access GP2 offering in ca-central-1 for x86_64
ami-627d6306 : Cloud Access GP2 offering in eu-west-2 for x86_64
ami-d012e7b2 : Cloud Access GP2 offering in ap-southeast-2 for x86_64
ami-1e7e577b : Cloud Access GP2 offering in us-east-2 for x86_64
ami-9b17b0f5 : Cloud Access GP2 offering in ap-northeast-2 for x86_64
ami-4895d124 : Cloud Access GP2 offering in sa-east-1 for x86_64
ami-ca14cdb2 : Cloud Access GP2 offering in us-west-2 for x86_64
ami-ac910ed6 : Cloud Access GP2 offering in us-east-1 for x86_64
ami-bb45f7c2 : Cloud Access GP2 offering in eu-west-1 for x86_64
ami-567ccb2b : Cloud Access GP2 offering in eu-west-3 for x86_64
ami-c8a79ca8 : Cloud Access GP2 offering in us-west-1 for x86_64

26.4. RHEL Atomic Host 7.4.2

ami-6a04190e : Cloud Access GP2 offering in eu-west-2 for x86_64
ami-defc2ea4 : Cloud Access GP2 offering in us-east-1 for x86_64
ami-1f7ec770 : Cloud Access GP2 offering in eu-central-1 for x86_64
ami-505b6630 : Cloud Access GP2 offering in us-west-1 for x86_64
ami-29e3394f : Cloud Access GP2 offering in ap-northeast-1 for x86_64
ami-6f975517 : Cloud Access GP2 offering in us-west-2 for x86_64
ami-2746ab45 : Cloud Access GP2 offering in ap-southeast-2 for x86_64
ami-637a030f : Cloud Access GP2 offering in sa-east-1 for x86_64
ami-87edc1e2 : Cloud Access GP2 offering in us-east-2 for x86_64
ami-5b64c135 : Cloud Access GP2 offering in ap-northeast-2 for x86_64
ami-bb7531d8 : Cloud Access GP2 offering in ap-southeast-1 for x86_64
ami-a2fcbfcd : Cloud Access GP2 offering in ap-south-1 for x86_64
ami-1bbd057f : Cloud Access GP2 offering in ca-central-1 for x86_64
ami-5825fb21 : Cloud Access GP2 offering in eu-west-1 for x86_64

26.5. RHEL Atomic Host 7.4.1

ami-53b2693d : Cloud Access GP2 offering in ap-northeast-2 for x86_64
ami-7dfdb912 : Cloud Access GP2 offering in ap-south-1 for x86_64
ami-4dd9b62e : Cloud Access GP2 offering in ap-southeast-1 for x86_64
ami-e2ae4a80 : Cloud Access GP2 offering in ap-southeast-2 for x86_64
ami-010ab465 : Cloud Access GP2 offering in ca-central-1 for x86_64
ami-bedb6fd1 : Cloud Access GP2 offering in eu-central-1 for x86_64
ami-1b65a162 : Cloud Access GP2 offering in eu-west-1 for x86_64
ami-1fb5a57b : Cloud Access GP2 offering in eu-west-2 for x86_64
ami-4cc8bb20 : Cloud Access GP2 offering in sa-east-1 for x86_64
ami-b24941c9 : Cloud Access GP2 offering in us-east-1 for x86_64
ami-cca9b8b7 : Cloud Access GP2 offering in us-east-1 for x86_64
ami-116e4c74 : Cloud Access GP2 offering in us-east-2 for x86_64
ami-707c4b10 : Cloud Access GP2 offering in us-west-1 for x86_64
ami-f50afe8d : Cloud Access GP2 offering in us-west-2 for x86_64

26.6. RHEL Atomic Host 7.4.0

ami-b546a2cd : Cloud Access GP2 offering in us-west-2 for x86_64
ami-31ea7552 : Cloud Access GP2 offering in ap-southeast-1 for x86_64
ami-783c4a14 : Cloud Access GP2 offering in sa-east-1 for x86_64
ami-d9c2eab9 : Cloud Access GP2 offering in us-west-1 for x86_64
ami-c3cbd5a0 : Cloud Access GP2 offering in ap-southeast-2 for x86_64
ami-d31636b6 : Cloud Access GP2 offering in us-east-2 for x86_64
ami-f9738680 : Cloud Access GP2 offering in eu-west-1 for x86_64
ami-07f14f63 : Cloud Access GP2 offering in ca-central-1 for x86_64
ami-ce3c2daa : Cloud Access GP2 offering in eu-west-2 for x86_64
ami-ebba9e90 : Cloud Access GP2 offering in us-east-1 for x86_64
ami-5d512a32 : Cloud Access GP2 offering in ap-south-1 for x86_64
ami-3cf42d52 : Cloud Access GP2 offering in ap-northeast-2 for x86_64
ami-fbbb1494 : Cloud Access GP2 offering in eu-central-1 for x86_64

26.7. RHEL Atomic Host 7.3.6

ami-5920ff37 : Cloud Access GP2 offering in ap-northeast-2 for x86_64
ami-784b3517 : Cloud Access GP2 offering in ap-south-1 for x86_64
ami-65fe7706 : Cloud Access GP2 offering in ap-southeast-1 for x86_64
ami-852536e6 : Cloud Access GP2 offering in ap-southeast-2 for x86_64
ami-378f3053 : Cloud Access GP2 offering in ca-central-1 for x86_64
ami-71fd5c1e : Cloud Access GP2 offering in eu-central-1 for x86_64
ami-8a53b6f3 : Cloud Access GP2 offering in eu-west-1 for x86_64
ami-c1382ea5 : Cloud Access GP2 offering in eu-west-2 for x86_64
ami-18422874 : Cloud Access GP2 offering in sa-east-1 for x86_64
ami-30774426 : Cloud Access GP2 offering in us-east-1 for x86_64
ami-cb2100ae : Cloud Access GP2 offering in us-east-2 for x86_64
ami-d8f3dfb8 : Cloud Access GP2 offering in us-west-1 for x86_64
ami-6e312717 : Cloud Access GP2 offering in us-west-2 for x86_64

26.8. RHEL Atomic Host 7.3.5

ami-2846564b : Cloud Access GP2 offering in ap-southeast-2 for x86_64
ami-256acd4a : Cloud Access GP2 offering in eu-central-1 for x86_64
ami-6894b20d : Cloud Access GP2 offering in us-east-2 for x86_64
ami-8dafa5f4 : Cloud Access GP2 offering in us-west-2 for x86_64
ami-c8aea4af : Cloud Access GP2 offering in ap-northeast-1 for x86_64
ami-88a8849e : Cloud Access GP2 offering in us-east-1 for x86_64
ami-94baa3f2 : Cloud Access GP2 offering in eu-west-1 for x86_64
ami-ab5cd1c8 : Cloud Access GP2 offering in ap-southeast-1 for x86_64
ami-6dd60903 : Cloud Access GP2 offering in ap-northeast-2 for x86_64
ami-84ed92eb : Cloud Access GP2 offering in ap-south-1 for x86_64
ami-62563d0e : Cloud Access GP2 offering in sa-east-1 for x86_64
ami-bcfdd0dc : Cloud Access GP2 offering in us-west-1 for x86_64
ami-dddc63b9 : Cloud Access GP2 offering in ca-central-1 for x86_64
ami-5f77613b : Cloud Access GP2 offering in eu-west-2 for x86_64

26.9. RHEL Atomic Host 7.2.6

ami-0be48a78 : Cloud Access GP2 offering in eu-west-1 for x86_64
ami-98cc8cf8 : Cloud Access GP2 offering in us-west-1 for x86_64
ami-a40ff8cb : Cloud Access GP2 offering in eu-central-1 for x86_64
ami-509b0847 : Cloud Access GP2 offering in us-east-1 for x86_64
ami-daa47ab9 : Cloud Access GP2 offering in ap-southeast-1 for x86_64
ami-13468172 : Cloud Access GP2 offering in ap-northeast-1 for x86_64
ami-b389bcd0 : Cloud Access GP2 offering in ap-southeast-2 for x86_64
ami-f91dd499 : Cloud Access GP2 offering in us-west-2 for x86_64
ami-1c39ae70 : Cloud Access GP2 offering in sa-east-1 for x86_64

26.10. RHEL Atomic Host 7.2.5

ami-18e27774 : Cloud Access GP2 offering in sa-east-1 for x86_64
ami-c3bfd5ac : Cloud Access GP2 offering in ap-south-1 for x86_64
ami-57688038 : Cloud Access GP2 offering in eu-central-1 for x86_64
ami-f8c90e98 : Cloud Access GP2 offering in us-west-2 for x86_64
ami-3312e552 : Cloud Access GP2 offering in ap-northeast-1 for x86_64
ami-9d905df0 : Cloud Access GP2 offering in us-east-1 for x86_64
ami-a95ac2da : Cloud Access GP2 offering in eu-west-1 for x86_64
ami-66529908 : Cloud Access GP2 offering in ap-northeast-2 for x86_64
ami-8e7e3aee : Cloud Access GP2 offering in us-west-1 for x86_64
ami-86e8c0e5 : Cloud Access GP2 offering in ap-southeast-2 for x86_64
ami-cea674ad : Cloud Access GP2 offering in ap-southeast-1 for x86_64

Legal Notice

Copyright © 2018 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.