Chapter 2. Using Red Hat Base Container Images (standard and minimal)

Red Hat Enterprise Linux base images should be used as the foundation for building all containerized applications that will run on Red Hat Enterprise Linux or Red Hat Enterprise Linux Atomic Host. By using Red Hat base images, your own images start with a foundation that:

  • Supported: Is fully supported by Red Hat for use with your containerized applications. Contains the same secured, tested, and certified software packages you have in Red Hat Enterprise Linux.
  • Updated: Offers a well-defined update schedule, so you know you are getting the latest software (see Red Hat Container Image Updates).
  • Tracked: Is tracked by errata, to help you understand the changes that go into each update.
  • Reusable: Only needs to be downloaded and cached in your production environment once, where it can be reused by all containers that include it as their foundation.
  • RHEL Based: Leverages subscriptions from your RHEL host system, so you can install well-known RHEL software packages inside the image.

Red Hat develops two types of base images: standard and minimal. Which base image you choose depends on how you want to use that image:

  • Standard base images (rhel6 and rhel7): There are both RHEL 6 and RHEL 7 versions of the standard platform images, each representing a different point release. Each of these base images comes with a complete set of tools and some language runtimes you might need as the basis for your own containerized applications, middleware and utilities. The size of the latest standard RHEL 7 base image is about 192M, with the latest RHEL 6 image coming in at about 166M.
  • Minimal base images (rhel-atomic): The minimal base image (named rhel-atomic) is a much smaller base image, currently only available for RHEL 7. With this minimal image, you have runtime compatibility with the standard RHEL base images, without carrying the unneeded packages and binaries. If you want to run a simple binary or add your own runtime languages and tools, the rhel-atomic base image provides a much smaller foundation for you to start with (only about 75M on disk; 28M compressed).

Red Hat strongly recommends that you use RHEL standard or minimal base images as the basis for your containers. Using these images provide the best foundation of secure, tested, and compliant software on which to build your images. While images built from other base images will often run on RHEL systems, Red Hat does not officially support those images.

An alternative to using RHEL base images directly (described later in this chapter) is to use official Red Hat Intermediate images, which are built on RHEL base images, but include software for different runtime environments that might be appropriate for your applications.

The next section provides more details on the different types of Red Hat base images, along with information on how to use them.

2.1. Using Standard RHEL Base Images (rhel6 and rhel7)

For most containers that you build and run on Red Hat systems, a standard base image should suit your needs. Red Hat Base images offer foundational software needed to run most applications, while staying at a reasonable size. To keep the size down, a standard base image contains a small set of runtime components, an init system, and a few common tools.

Despite its small size, the standard RHEL base images have a robust set of software features that include the following:

  • init system: All the features of the systemd initialization system you need to manage systemd services are available in the rhel7 base images. The rhel6 base images include a minimalistic init system similar to System V. These init systems let you install RPM packages that are pre-configured to start up services automatically, such as a Web server (httpd) or FTP server (vsftpd).
  • yum: Software needed to install software packages is included via the standard set of yum commands (yum, yum-config-manager, yumdownloader, and so on). When a standard base image is run on a RHEL system, you will be able to enable repositories and add packages as you do directly on a RHEL system, while using entitlements available on the host.
  • utilities: The rhel7 base image includes some useful utilities for working inside the container. Utilities that are in this base image that are not in the minimal image include ps, tar, cpio, dmidecode, gzip, lsmod (and other module commands), getfacl (and other acl commands), dmsetup (and other device mapper commands), and others.
  • python: Python runtime libraries and modules (currently Python 2.7) are included in the rhel7 standard base image. No python packages are included in the minimal base image.

If you have a Red Hat system installed with the docker service running, finding and acquiring a Red Hat base container is easy.

2.1.1. Finding standard base images

Supported base images are available from the Red Hat Registry. To see a list of supported base images you can check the Red Hat Container Catalog (RHCC) or use the docker search command. Search the RHCC for the latest RHEL 7 images follows:

  1. Go to the Red Hat Container Catalog
  2. Type rhel7/rhel and select search.
  3. From the Images box, select Base Images. A list of repositories containing RHEL 7 base images appears.
  4. Select rhel7 (to get the latest RHEL 7 image) or one of the other RHEL point releases.
  5. Refer to the Get This Image tab to see which command (docker, atomic, etc.) can be used to pull the image to your system.

Another way to find images is from the command line. To find RHEL 7 base images using the docker search command, type this from a Red Hat system running the docker service:

# docker search rhel7 | grep redhat.com/rhel7 | grep platform
redhat.com registry.access.redhat.com/rhel7      This platform image... 0
redhat.com registry.access.redhat.com/rhel7.0    This platform image... 0
redhat.com registry.access.redhat.com/rhel7.1    This platform image... 0
redhat.com registry.access.redhat.com/rhel7.2    This platform image... 0
redhat.com registry.access.redhat.com/rhel7.3    This platform image... 0
redhat.com registry.access.redhat.com/rhel7/rhel This platform image... 0

2.1.2. Examining standard base images

With a base image pulled to your system, you can examine it in different way. With docker inspect, you can see a description of the container image. Then run the base image to open a shell inside the image to investigate it further:

# docker pull registry.access.redhat.com/rhel7/rhel
# docker inspect registry.access.redhat.com/rhel7/rhel | grep description
                "description": "The Red Hat Enterprise Linux Base image is designed to be a fully supported foundation for your containerized applications.  This base image provides your operations and application teams with the packages, language runtimes and tools necessary to run, maintain, and troubleshoot all of your applications. This image is maintained by Red Hat and updated regularly. It is designed and engineered to be the base layer for all of your containerized applications, middleware and utilities. When used as the source for all of your containers, only one copy will ever be downloaded and cached in your production environment. Use this image just like you would a regular Red Hat Enterprise Linux distribution. Tools like yum, gzip, and bash are provided by default. For further information on how this image was built look at the /root/anaconda-ks.cfg file.",

To open a shell inside the container, type the following:

# docker run -it registry.access.redhat.com/rhel7/rhel

Once you are inside the container, here are a few commands to investigate what is inside. The anaconda-ks.cfg shows the instructions that were used to build this base image. Snippets of interesting information related to how the image was installed are shown below:

# cat /root/anaconda-ks.cfg
...
network  --bootproto=dhcp --device=eth0 --ipv6=auto --activate
...
ln -s /run/secrets/etc-pki-entitlement /etc/pki/entitlement-host
ln -s /run/secrets/rhsm /etc/rhsm-host
...
#Certificate specifying product - RHEL Server
cat <<EOF > /etc/pki/product/69.pem
...
%packages --excludedocs --nocore --instLangs=en
bash findutils gdb-gdbserver kexec-tools python-rhsm rootfiles subscription-manager
systemd  vim-minimal  yum  yum-plugin-ovl  yum-utils  -e2fsprogs  -firewalld  -kernel
-kexec-tools  -xfsprogs

From anaconda-ks.cfg, you can see the container is set to get an IP address from an available DHCP server (made available from the docker service by default). Entitlements are added to the container from the host using the /run/secrets directory. The RHEL Server product certificate also is added inside the container.

When packages are installed, documentation is excluded (--excludedocs) and only English language localization files are used. You can see which packages are added (bash, findutils, and so on) and which are excluded so they don’t get pulled in with dependencies (-e2fsprogs, -firewalld, and so on). Because of dependencies, nearly 150 packages are installed ultimately. From inside the container, you can see all installed packages with the following command:

# rpm -qa
tzdata-2016j-1.el7.noarch
setup-2.8.71-7.el7.noarch
basesystem-10.0-7.el7.noarch
glibc-common-2.17-157.el7_3.1.x86_64
glibc-2.17-157.el7_3.1.x86_64
...

When you are done looking around in the container, you can quit by typing:

# exit

2.1.3. Building container images with standard base images

To build your own container images using a standard rhel base image, you must include the base image you want on the FROM line of your Dockerfile and use yum commands to enable repositories and install software. Here’s an example of a Dockerfile for building your own Web server container from a standard base image:

FROM registry.access.redhat.com/rhel7/rhel
MAINTAINER John W. Jones <jjones@example.com>
# Add Web server, update image, and clear cache
RUN yum -y install httpd && yum -y update; yum clean all
# Add some data to web server
RUN echo "This Web server is working." > /var/www/html/index.html
EXPOSE 80
ENTRYPOINT [ "/usr/sbin/httpd" ]
CMD [ "-D", "FOREGROUND" ]

The FROM registry.access.redhat.com line pulls rhel7/rhel from registry.access.redhat.com and builds a new layer on it from each command in the Dockerfile. With the Dockerfile in the current directory, you can build the image with:

# docker build --rm -t webserver .

To run the image (as a daemon with port 80 exposed), then check that it is working, type:

# docker run -d -p 80:80 webserver
68ecaf723823ad11840557040cb19774533d74b6bfb74902f4f9f9d31a602627
# curl localhost:80
This Web server is working.

2.1.4. Updating standard base images

Red Hat updates its base images on a regular schedule with the intention of providing an easy way to rebuild your images to always include the latest RHEL software. Rebuilding your images, rather than updating packages during the build process, keeps your RHEL base packages up to date without adding layers that increase the size. Red Hat customers are alerted when critical security fixes are available. See Red Hat Container Image Updates to learn about how Red Hat schedules updates of its container images.

2.2. Using RHEL Atomic Base Images (minimal)

If you are looking for the smallest possible base image to use as part of the larger Red Hat ecosystem, you can start with the minimal Red Hat Atomic Base Image (rhel-atomic). The rhel-atomic image provides a base for your own containers that is less than half the size of the standard Red Hat base image, while still being able to draw on RHEL software repositories and maintain any compliance requirements your software has.

Here are some features of the RHEL minimal (rhel-atomic) base image:

  • Small size: The rhel-atomic image is about 75M on disk and 28M compressed. This makes it less than half the size of the rhel7 base image (192M).
  • Software installation (microdnf): Instead of including the full-blown yum facility for working with software repositories and RPM software packages, the rhel-atomic image includes the microdnf utility. Microdnf is a scaled-down version of the dnf utility. It includes only what is needed to enable and disable repositories, as well as install, remove, and update packages. It also has a clean option, to clean out cache after packages have been installed.
  • Based on RHEL packaging: Because the rhel-atomic image incorporates regular RHEL software RPM packages, with a few features removed such as extra language files or documentation, you can continue to rely on RHEL repositories for building your images. This allows you to still maintain any compliance requirements you have that are based on RHEL software. Features of rhel-atomic make it perfect for trying out applications you want to run with RHEL, while carrying the smallest possible amount of overhead. What you don’t get with the rhel-atomic image is an initialization and service management system (systemd or System V init), a Python run-time environment, and a bunch of common shell utilities.

If your goal, however is just to try to run some simple binaries or pre-packaged software that doesn’t have a lot of requirements from the operating system, the rhel-atomic base container image might suit your needs. If your application does have dependencies on other software from RHEL, you can simply use microdnf to install the needed packages at build time.

Red Hat intends for you to always use the latest version of the minimal container (rhel-atomic:latest), which is implied by simply requesting rhel-atomic. Red Hat does not expect to support older versions of rhel-atomic images going forward.

2.2.1. Examining minimal base images (rhel-atomic)

There is currently only one Red Hat minimal base image (although it comes under multiple names: rhel7/rhel-atomic and rhel-atomic). You can pull and inspect the minimal base image from a system running the docker service as follows:

# docker pull registry.access.redhat.com/rhel7/rhel-atomic
# docker inspect registry.access.redhat.com/rhel7/rhel-atomic \
    | grep description
                "description": "The Red Hat Enterprise Linux Base image is designed to be a minimal, fully supported base image where several of the traditional operating system components such as python an systemd have been removed. The Atomic Image also includes a simple package manager called microdnf which can add/update packages as needed."

From the description, you can see that Python runtime components and systemd have been removed and yum has been replaced with microdnf. As with the standard base image, you can run the rhel-atomic image, then try a few commands to investigate it further:

# docker run -it registry.access.redhat.com/rhel7/rhel-atomic
# cat /root/anaconda-ks.cfg
...
%packages --excludedocs --nobase --nocore --instLangs=en bash
kexec-tools microdnf systemd -e2fsprogs -firewalld -kernel
-kexec-tools  -xfsprogs
...
# rpm -qa
bash-4.2# rpm -qa | head
redhat-release-server-7.3-7.el7.x86_64
filesystem-3.2-21.el7.x86_64
ncurses-base-5.9-13.20130511.el7.noarch
glibc-common-2.17-157.el7_3.1.x86_64
glibc-2.17-157.el7_3.1.x86_64
ncurses-libs-5.9-13.20130511.el7.x86_64
...

If you look at how the image was built from the anaconda-ks.cfg file, you will see that fewer packages were installed and that a lot of commands were run to remove unneeded components of the remaining packages. Currently, the rhel-atomic image begins with only 81 RPM packages (many of which are trimmed further), compared to the standard base rhel7 image which begins with 149 RPM packages.

2.2.2. Building container images with the minimal base image

To build an image from a Dockerfile that is based on the rhel-atomic base image, you need to use the microdnf command instead of the yum command to install packages. You can see how the Dockerfile could be modified from the docker build example in the standard base image section to get similar results:

FROM registry.access.redhat.com/rhel7/rhel-atomic
MAINTAINER John W. Jones <jjones@example.com>
# Add Web server, update image, and clear cache
RUN microdnf install httpd --enablerepo=rhel-7-server-rpms && \
    microdnf update; microdnf clean all
EXPOSE 80
ENTRYPOINT [ "/usr/sbin/httpd" ]
CMD [ "-D", "FOREGROUND" ]

By default, no repositories are enabled in the rhel-atomic base image. So, as you can see, the --enablerepo=rhel-7-server-rpms option is added to the microdnf command line in the Dockerfile. Another microdnf command updates existing packages in the container and a third clears out any cached data from the packages and metadata that were added from the microdnf command. With the Dockerfile in the current directory, you can build the image with:

# docker build --rm -t miniweb .

After docker pulls the registry.access.redhat.com/rhel7/rhel-atomic image, it builds layers on it from each command in the Dockerfile. To run the image (as a daemon with port 80 exposed), then check that it is working, type:

# docker run -d -p 80:80 miniweb
68ecaf723823ad11840557040cb19774533d74b6bfb74902f4f9f9d31a602627
# curl localhost:80
This Web server is working.

Keep in mind that if you are building images with a Dockerfile that was used with a standard base image, you need to modify that Dockerfile in ways that are similar to what was done here. In particular, you need to change any yum commands to use microdnf.

2.2.3. Updating minimal base images

Red Hat expects to update minimal base images in the same way that the standard images are updated, with one exception: older versions of the standard rhel container images will remain available (although they will become deprecated over time), while Red Hat only intends to keep the most recent minimal rhel-atomic images available. See Red Hat Container Image Updates to learn about how Red Hat schedules updates of its container images.

2.3. Using Intermediate Images instead of Base Images

Red Hat offers another set of container images that you can use as the basis for your container builds called Intermediate Images.

Intermediate images are built on RHEL standard base images, but include additional software you might want to use for specific runtime environments. So, if you expect to build multiple images that require, for example, perl runtime software, you can use provide a more consistent platform for those images by starting with a Red Hat Perl intermediate image.

Here are examples of Red Hat intermediate container images, available from the Red Hat Registry (registry.access.redhat.com), that you can as the basis for your own images:

  • rhscl/nodejs-4-rhel7: Node.js 4 platform for building and running applications. Used by Node.js 4 Source-To-Image builds
  • rhscl/perl-520-rhel7: Perl 5.20 platform for building and running applications
  • rhscl/perl-524-rhel7: Platform for building and running Perl 5.24 applications.
  • rhscl/php-56-rhel7: PHP 5.6 platform for building and running applications
  • rhscl/php-70-rhel7: PHP 7.0 platform for building and running applications
  • rhscl/python-27-rhel7: Python 2.7 platform for building and running applications

Red Hat Intermediate container images are updated every time standard base images are updated. Search the Red Hat Container Catalog for details on any of these images. For more information on update schedules, see Red Hat Container Image Updates.