Chapter 7. Building certified container images
You can use the partner Build Service to build your application containers for certification. The Build Service builds containers from Git repositories that are accessible over the Internet, either publicly or privately with an SSH key.
Use the automated Build Service as part of the Red Hat OpenStack and NFV Zone to automatically build containerized partner platform plugins on Red Hat OpenStack Platform (RHOSP) 16.1 base containers.
- Register with Red Hat Connect for Technology Partners.
- Apply for Zone access to the Red Hat OpenStack and NFV zone.
- Create a Product. The information you provide is used when the certification is published in the Red Hat catalog.
- Create a git repository for your plugin, with your Dockerfile and any components that you want to include in the container.
If you have any problems when you register with or access the Red Hat Connect site, contact the Red Hat Technology Partner Success Desk: https://connect.redhat.com/support/technology-partner/
7.1. Adding a container project
One project represents one partner image. If you have multiple images, you must create multiple projects.
- Log into Red Hat Connect for Technology Partners and click Zones.
- Scroll down and select the Red Hat OpenStack & NFV zone. Click anywhere in the box.
- Click Certify to access the existing products and projects of your company.
- Click Add Project to create a new project.
Set the Project Name.
- The project name is not visible outside the system.
The project name must include the following elements:
For Red Hat OpenStack Platform (RHOSP) purposes, the format is
Select the Product, Product Version, and Release Category based on your product or plugin, and its version.
- Create the product and its version prior to creating projects.
- Set the label release category to Tech Preview. Generally Available is not an option until you have completed API testing with Red Hat Certification. Refer to the plugin certification requirements when you have certified your container image.
- Select the Red Hat Product and Red Hat Product Version based on the base image that you want to modify with your partner plugin. For this release, select Red Hat OpenStack Platform and 16.1.
- Click Submit to create the new project.
Red Hat assesses and confirms the certification of your project.
Send an email to email@example.com stating whether the plugin is in tree or out of tree with regard to the upstream code.
- In Tree means the plugin is included in the OpenStack upstream code base and the plugin image is built by Red Hat and distributed with Red Hat OpenStack Platform 16.1.
- Out of Tree means the plugin image is not included in the OpenStack upstream code base and not distributed within RHOSP 16.1.
7.2. Following the container certification checklist
Certified containers meet Red Hat standards for packaging, distribution, and maintenance. Containers that are certified by Red Hat have a high level of trust and supportability from container-capable platforms, including Red Hat OpenStack Platform (RHOSP). To maintain this, partners must keep their images up-to-date.
- Click Certification Checklist.
- Complete all sections of the checklist. If you need more information about an item on the checklist, click the drop-down arrow on the left to view the item information and links to other resources.
The checklist includes the following items:
- Update your company profile
- Ensures that your company profile is up to date.
- Update your product profile
- This page details the product profile, including the product type, description, repository URL, version, and contact distribution list.
- Accept the OpenStack Appendix
- Site Agreement for the Container Terms.
- Update project profile
- Check that the image settings, such as auto publish, registry namespace, release category, and supported platforms, are correct.
In the Supported Platforms section, you must select an option so that you can save other required fields on this page.
- Package and test your application as a container
- Follow the instructions on this page to configure the build service. The build service is dependent on the completion of the previous steps.
- Upload documentation and marketing materials
- This redirects you to the product page. Scroll to the bottom and click Add new Collateral to upload your product information.
You must provide a minimum of three materials. The first material must be a
- Provide a container registry namespace
- This is the same as the project profile page.
- Provide sales contact information
- This information is the same as the company profile.
- Obtain distribution approval from Red Hat
- Red Hat provides approval for this step.
- Configure Automated Build Service
- The configuration information to perform the build and scan of the container image.
The last item in the checklist is Configure Automated Build Service. Before you configure this service, you must ensure that your project contains a Dockerfile that conforms to Red Hat certification standards.
7.3. Dockerfile requirements
As a part of the image build process, the build service scans your built image to ensure that it complies with Red Hat standards. Use the following guidelines as a basis for the Dockerfile to include with your project:
- The base image must be a Red Hat image. Any images that use Ubuntu, Debian, and CentOS as a base do not pass the scanner.
You must configure the required labels:
You must include a software license as a text file within the image. Add the software license to the licenses directory at the root of your project.
You must configure a user that is not the
The following Dockerfile example demonstrates the required information for the scan:

    FROM registry.redhat.io/rhosp-rhel8/openstack-cinder-volume
    MAINTAINER VendorX Systems Engineering <maintainer@vendorX.com>

    ### Required Labels
    LABEL name="rhosp-rhel8/openstack-cinder-volume-vendorx-plugin" \
          maintainer="maintainer@vendorX.com" \
          vendor="VendorX" \
          version="3.7" \
          release="1" \
          summary="Red Hat OpenStack Platform 16.1 cinder-volume VendorX PluginY" \
          description="Red Hat OpenStack Platform 16.1 cinder-volume VendorX PluginY"

    USER root

    ### Adding package
    ### repo example
    COPY vendorX.repo /etc/yum.repos.d/vendorX.repo

    ### adding package with curl
    ### (plain HTTP gives no integrity protection in transit; prefer an HTTPS URL)
    RUN curl -L -o /vendorX-plugin.rpm http://vendorX.com/vendorX-plugin.rpm

    ### adding local package
    COPY vendorX-plugin.rpm /

    # Enable a repo to install a package
    RUN dnf clean all
    RUN yum-config-manager --enable openstack-16.1-for-rhel-8-x86_64-rpms
    RUN dnf install -y vendorX-plugin
    RUN yum-config-manager --disable openstack-16.1-for-rhel-8-x86_64-rpms

    # Add required license as text file in licenses directory (GPL, MIT, APACHE, Partner End User Agreement, etc)
    RUN mkdir /licenses
    COPY licensing.txt /licenses

    USER cinder
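The requirements in this section can be checked locally before you submit a build. The following Python script is an added example, not part of the Red Hat build service or its scanner. It assumes that the required label set is the one shown under "Required Labels" in the example Dockerfile, that a Red Hat base image is one pulled from registry.redhat.io, and that the user to avoid is root.

```python
import re

# Label keys taken from the "Required Labels" block of the page's example.
REQUIRED_LABELS = {"name", "maintainer", "vendor", "version",
                   "release", "summary", "description"}
# Assumption: "Red Hat image" means one pulled from the registry the example uses.
RED_HAT_REGISTRIES = ("registry.redhat.io/",)

def logical_lines(text):
    """Join backslash-continued lines; drop blank lines and comments."""
    joined = re.sub(r"\\[ \t]*\n", " ", text)
    return [ln.strip() for ln in joined.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]

def check_dockerfile(text):
    """Return a list of findings; an empty list means every check passed."""
    base, labels, user, has_license = None, set(), None, False
    for line in logical_lines(text):
        instr, _, args = line.partition(" ")
        instr, args = instr.upper(), args.strip()
        if instr == "FROM":  # the last FROM is the stage that ships
            base = next((t for t in args.split() if not t.startswith("--")), None)
        elif instr == "LABEL":  # consume quoted values so '=' inside them is ignored
            labels.update(re.findall(r'([\w.-]+)=(?:"[^"]*"|\S+)', args))
        elif instr == "USER":
            user = args.split(":")[0]
        elif instr in ("COPY", "ADD") and args:
            dest = args.split()[-1]
            has_license |= dest == "/licenses" or dest.startswith("/licenses/")
    findings = []
    if base is None or not base.startswith(RED_HAT_REGISTRIES):
        findings.append(f"base image is not from a Red Hat registry: {base}")
    missing = sorted(REQUIRED_LABELS - labels)
    if missing:
        findings.append("missing labels: " + ", ".join(missing))
    if not has_license:
        findings.append("no license file copied into /licenses")
    if not user or user in ("root", "0"):  # assumption: the barred user is root
        findings.append(f"final USER is root or unset: {user}")
    return findings

# Constructed sample that fails every check.
BAD = r'''FROM docker.io/library/ubuntu:20.04
LABEL name="vendorx-plugin" vendor="VendorX"
USER root
'''

if __name__ == "__main__":
    for finding in check_dockerfile(BAD):
        print("FAIL:", finding)
```

The checks only read the Dockerfile text, so a passing result does not replace the build service scan of the built image.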
7.4. Setting project details
You must set details for your project including the namespace and registry for your container image.
- Click Project Settings.
Ensure that your project name is in the correct format. Optionally, set Auto-Publish to ON if you want to automatically publish containers that pass certification. Certified containers are published in the Red Hat Container Catalog.
To set the Container Registry Namespace, follow the online instructions.
- The container registry namespace is the name of your company.
The final registry URL is
To set the Outbound Repository Name and Outbound Repository Descriptions, follow the online instructions. The outbound repository name must be the same as the project name.
For Red Hat OpenStack Platform (RHOSP) purposes, the format is
The final registry URL is
Add additional information about your project in the relevant fields:
- Repository Description
- Supporting Documentation for Primed
- Click Submit.
7.5. Building a container image with the build service
Build the container image for your partner plugin.
- Click Build Service.
Click Configure Build Service to configure your build details.
- Ensure that the Red Hat Container Build is set to ON.
- Add your Git Source URL and optionally add your Source Code SSH Key if your git repository is protected. The URL can be HTML or SSH. SSH is required for protected git repositories.
Optional: Add Dockerfile Name or leave blank if your Dockerfile name is
- Optional: Add the Context Directory if the docker build context root is not the root of the git repository. Otherwise, leave this field blank.
- Set the Branch in your git repository to base the container image on.
- Click Submit to finalize the Build Service settings.
- Click Start Build.
Add a Tag Name and click Submit. It can take up to six minutes for the build to complete.
- The tag name must be a version of your plugin.
The final reference URL is
- Click Refresh to check that your build is complete. Optional: Click the matching Build ID to view the build details and logs.
The build service both builds and scans the image. This normally takes 10-15 minutes to complete. When the scan completes, click the View link to expand the scan results.
7.6. Correcting failed scan results
The Scan Details page displays the result of the scan, including any failed items. If your image scan reports a FAILED status, use the following procedure to investigate how to correct the failure.
- On the Container Information page, click the View link to expand the scan results.
Click the failed item. For example, in the following screenshot, the
- Click the failed item to open the Policy Guide at the relevant section and view more information about how to correct the issue.
If you receive an Access Denied warning when you access the Policy Guide, email firstname.lastname@example.org
7.7. Publishing a container image
After the container image passes the scan, you can publish the container image.
- On the Container Information page, click the Publish link to publish the container image live.
- The Publish link changes to Unpublish. To unpublish a container, click the Unpublish link.
When you publish the link, check the certification documentation for more information about certifying your plugin. For more links to certification documentation, see Section 1.1, “Partner integration prerequisites”.