Chapter 29. Red Hat Enterprise Linux Atomic Host 7.4.0

29.1. Atomic Host

OSTree update:

New Tree Version: 7.4.0 (hash: 846fb0e18e65bd9a62fc9d952627413c6467c33c2d726449a1d7ad7690bbb93a)
Changes since Tree Version 7.3.6 (hash: e073a47baa605a99632904e4e05692064302afd8769a15290d8ebe8dbfd3c81b)

Updated packages:

  • atomic-devmode-0.3.7-2.el7
  • cockpit-ostree-141-2.el7
  • redhat-release-atomic-host-7.4-20170427.0.atomic.el7.1
  • rpm-ostree-client-2017.6-5.atomic.el7

29.2. Extras

Updated packages:

  • atomic-1.18.1-3.1.git0705b1b.el7
  • cockpit-141-4.el7
  • container-selinux-2.21-1.el7
  • docker-1.12.6-48.git0fdc778.el7
  • docker-distribution-2.6.1-1.1.gita25b9ef.el7
  • docker-latest-1.13.1-21.1.gitcd75c68.el7
  • dpdk-16.11.2-4.el7 *
  • etcd-3.1.9-2.el7
  • flannel-0.7.1-2.el7
  • gomtree-0.3.1-2.1.el7
  • libev-4.15-7.el7 *
  • libssh-0.7.1-3.el7 *
  • oci-register-machine-0-3.11.1.gitdd0daef.el7
  • oci-systemd-hook-0.1.8-4.1.gite533efa.el7
  • ostree-2017.7-1.el7
  • python-backports-lzma-0.0.2-9.el7 *
  • python-gevent-1.0-3.el7 *
  • python-greenlet-0.4.2-4.el7 *
  • runc-1.0.0-12.1.gitf8ce01d.el7
  • skopeo-0.1.20-2.1.gite802625.el7
  • storaged-2.5.2-3.el7 *

New packages:

  • container-storage-setup-0.3.0-3.git927974f.el7
  • sshpass-1.06-2.el7 *
  • python-httplib2-0.9.1-3.el7 *
  • libtommath-0.42.0-6.el7 *
  • python-passlib-1.6.5-2.el7 *
  • python-paramiko-2.1.1-2.el7 *
  • ansible-2.3.1.0-3.el7 *
  • python-crypto-2.6.1-15.el7 *
  • libtomcrypt-1.17-26.el7 *
  • rhel-system-roles-0.2-2.el7 *
  • driverctl-0.95-1.el7 *

The asterisk (*) marks packages which are available for Red Hat Enterprise Linux only.

29.2.1. Container Images

Updated:

  • Red Hat Enterprise Linux Atomic cockpit-ws Container Image (rhel7/cockpit-ws)
  • Red Hat Enterprise Linux Atomic etcd Container Image (rhel7/etcd)
  • Red Hat Enterprise Linux Atomic flannel Container Image (rhel7/flannel)
  • Red Hat Enterprise Linux Atomic Identity Management Server Container Image (rhel7/ipa-server)
  • Red Hat Enterprise Linux Atomic Kubernetes apiserver Container Image (rhel7/kubernetes-apiserver)
  • Red Hat Enterprise Linux Atomic Kubernetes controller-manager Container (rhel7/kubernetes-controller-mgr)
  • Red Hat Enterprise Linux Atomic Kubernetes scheduler Container Image (rhel7/kubernetes-scheduler)
  • Red Hat Enterprise Linux Atomic open-vm-tools Container Image (rhel7/open-vm-tools)
  • Red Hat Enterprise Linux Atomic openscap Container Image (rhel7/openscap)
  • Red Hat Enterprise Linux 7.4 Container Image (rhel7.4, rhel7, rhel7/rhel, rhel)
  • Red Hat Enterprise Linux Atomic Tools Container Image (rhel7/rhel-tools)
  • Red Hat Enterprise Linux 7 Init Container Image (rhel7/rhel7-init)
  • Red Hat Enterprise Linux Atomic sadc Container Image (rhel7/sadc)
  • Red Hat Enterprise Linux Atomic SSSD Container Image (rhel7/sssd)

29.3. New Features

  • Limited support for containers on little-endian IBM Power Systems

    Containers now have limited support on the little-endian variant of IBM Power Systems (PPCle). See the Supported Architectures for Containers on RHEL for details.

    Notably, packages from the Extras channel are now provided for the little-endian variant of IBM Power Systems, along with the rhel7-ppc64le base container. This enables using containers on these systems with Red Hat Enterprise Linux 7.4.

  • overlay2 storage driver now available

    The overlay2 graph driver has been upgraded from a Technology Preview to a fully supported feature.

    The overlay2 graph driver, along with overlay, uses OverlayFS, a copy-on-write union file system that features page-cache sharing between containers. However, overlay2 is the more performant option.

    To enable the driver, specify overlay2 in the /etc/sysconfig/docker-storage-setup file:

    STORAGE_DRIVER=overlay2

  • OverlayFS now can be run with SELinux enforced

    Previously, SELinux had to be in permissive or disabled mode for OverlayFS to work. Now you can run the OverlayFS file system with SELinux in enforcing mode.

    For more information on OverlayFS, see Overlay Graph Driver.

  • SSSD in a container is now fully supported

    The System Security Services Daemon (SSSD) in a container has been upgraded from a Technology Preview to a fully supported feature.

    SSSD allows the Red Hat Enterprise Linux Atomic Host authentication subsystem to be connected to central identity providers such as Red Hat Identity Management and Microsoft Active Directory.

    To install this new image, use the atomic install rhel7/sssd command.

    For full documentation on SSSD, see Configuring SSSD.

  • Package layering is now fully supported

    The pkg-add subcommand of the rpm-ostree tool has been upgraded from a Technology Preview to a fully supported feature.

    The rpm-ostree install command installs layered packages that are persistent across reboots. This command can be used to install individual packages that are not part of the original OSTree, such as diagnostics tools. For detailed information about package layering, see Package Layering.

  • Image signing is now fully supported

    The image signing and validation functionality has been upgraded from a Technology Preview to a fully supported feature.

    Signing container images on RHEL and RHEL Atomic Host systems provides a means of validating where a container image came from, checking that the image has not been tampered with, and setting policies to determine which validated images you allow on your systems.

    The main image signing tasks can be done as follows:

    • To sign and distribute an image, use the atomic sign and atomic push commands.
    • To get and verify a signed image, use the atomic pull and atomic verify commands.
    • To designate a signed image as trusted and acceptable on the local system, use the atomic trust command.

    For the current release, image signing is only supported when pushing and pulling between Docker v2 registries (such as the registry software included in the docker-distribution package) and the Docker Hub (docker.io).

    To learn more about image signing, see Image Signing.

  • GPG verification changes for OSTree commits

    For new installations of RHEL Atomic Host 7.4.0 and later, the GPG verification of OSTree commits is enabled by default. If you upgrade from RHEL Atomic Host 7.3, you can enable GPG verification manually.

    To enable GPG verification, set the gpg-verify directive in the /etc/ostree/remotes.d/redhat.conf file to true.

    If GPG verification is enabled, the output of the atomic host status command shows information about the GPG signature of the commit.

  • docker-storage-setup renamed to container-storage-setup

    The docker-storage-setup utility has been renamed to container-storage-setup for RHEL 7.4 and RHEL Atomic Host 7.4. Note that:

    • The name of the package has also changed to container-storage-setup.
    • The name of the service is still docker-storage-setup.
    • The default configuration is in the /usr/share/container-storage-setup/container-storage-setup file, but your configuration should go to /etc/sysconfig/docker-storage-setup, which overrides configuration from /usr/share/container-storage-setup/container-storage-setup.
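
For the "GPG verification changes for OSTree commits" item above: hosts upgraded from 7.3 keep whatever gpg-verify value their remote file already has, so it is worth auditing the file rather than assuming. The following script is an added example, not part of the release notes or of any Red Hat tooling; it reports the gpg-verify state of each remote in a remotes.d keyfile. The remote names and URLs in the sample are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the release notes): audit gpg-verify per OSTree remote.

# Print "name<TAB>state" for each [remote "..."] section in keyfile $1.
# state: enabled | disabled | unset (section has no gpg-verify key).
audit_ostree_remotes() {
    awk '
        function emit() { if (name != "") printf "%s\t%s\n", name, state }
        /^[ \t]*#/ { next }                       # comment line
        /^[ \t]*\[/ {                             # any section header
            emit(); name = ""; state = "unset"
            if (match($0, /\[remote "[^"]+"\]/)) {
                name = substr($0, RSTART + 9, RLENGTH - 11)
            }
            next
        }
        name != "" && /^[ \t]*gpg-verify[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)         # keep the value only
            sub(/[ \t\r]+$/, "", val)
            # "true" or "1" counts as enabled; anything else is
            # reported as disabled by this script.
            state = (val == "true" || val == "1") ? "enabled" : "disabled"
        }
        END { emit() }
    ' "$1"
}

# Print the names of remotes that are not explicitly set to verify commits.
unverified_remotes() {
    audit_ostree_remotes "$1" | awk -F '\t' '$2 != "enabled" { print $1 }'
}

# Constructed sample; remote names and URLs are placeholders, not Red Hat's.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[remote "example-upgraded-host"]
url=https://ostree.example.invalid/repo
gpg-verify=false

[remote "example-new-install"]
url=https://ostree.example.invalid/repo
gpg-verify=true
EOF
audit_ostree_remotes "$sample"
rm -f "$sample"
```

On a real host, pass /etc/ostree/remotes.d/redhat.conf as the argument; any name printed by unverified_remotes is a remote whose gpg-verify directive still needs to be set to true.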