Chapter 7. Building certified container images

You can use the partner Build Service to build your application containers for certification. The Build Service builds containers from Git repositories that are Internet-accessible publicly or privately with an SSH key.

Use the automated Build Service as part of Red Hat OpenStack and NFV Zone to automatically build containerized partner platform plugins to Red Hat OpenStack Platform (RHOSP) 16.2 base containers.

Prerequisites

  • Register with Red Hat Connect for Technology Partners.
  • Apply for Zone access to the Red Hat OpenStack and NFV zone.
  • Create a Product. The information you provide is used when the certification is published in the Red Hat catalog.
  • Create a git repository for your plugin, with your Dockerfile and any components that you want to include in the container.

If you have any problems when you register with or access the Red Hat Connect site, contact the Red Hat Technology Partner Success Desk.

7.1. Adding a container project

One project represents one partner image. If you have multiple images, you must create multiple projects.

Procedure

  1. Log in to Red Hat Connect for Technology Partners and click Zones.
  2. Scroll down and select the Red Hat OpenStack & NFV zone. Click anywhere in the box.
  3. Click Certify to access the existing products and projects of your company.
  4. Click Add Project to create a new project.
  5. Set the Project Name.

    • The project name is not visible outside the system.
    • The project name must include the following elements: [product][version]-[extended-base-container-image]-[your-plugin]
    • For Red Hat OpenStack Platform (RHOSP) purposes, the format is rhospXX-baseimage-myplugin.
    • Example: rhosp16-openstack-cinder-volume-myplugin
  6. Select the Product, Product Version, and Release Category based on your product or plugin, and its version.

    • Create the product and its version prior to creating projects.
    • Set the label release category to Tech Preview. Generally Available is not an option until you have completed API testing with Red Hat Certification. Refer to the plugin certification requirements when you have certified your container image.
  7. Select the Red Hat Product and Red Hat Product Version based on the base image that you want to modify with your partner plugin. For this release, select Red Hat OpenStack Platform and 16.2.
  8. Click Submit to create the new project.

Result:

Red Hat assesses and confirms the certification of your project.

Send an email to connect@redhat.com​ stating whether the plugin is in tree or out of tree in regards to the upstream code.

  • In Tree​ means the plugin is included in the OpenStack upstream code base and the plugin image is built by Red Hat and distributed with Red Hat OpenStack Platform 16.2.
  • Out of Tree​ means the plugin image is​ not included in the OpenStack upstream code base and ​not distributed within RHOSP 16.2.

7.2. Following the container certification checklist

Certified containers meet Red Hat standards for packaging, distribution, and maintenance. Containers that are certified by Red Hat have a high level of trust and supportability from container-capable platforms, including Red Hat OpenStack Platform (RHOSP). To maintain this, partners must keep their images up-to-date.

Procedure

  1. Click Certification Checklist.
  2. Complete all sections of the checklist. If you need more information about an item on the checklist, click the drop-down arrow on the left to view the item information and links to other resources.

CertificationChecklist

The checklist includes the following items:

Update your company profile
Ensures that your company profile is up to date.
Update your product profile
This page details to the product profile, including the product type, description, repository URL, version, and contact distribution list.
Accept the OpenStack Appendix
Site Agreement for the Container Terms.
Update project profile
Check that the image settings such as auto publish, registry namespace, release category, supported platforms are correct.
Note

In the Supported Platforms section, you must select an option so that you can save other required fields on this page.

Package and test your application as a container
Follow the instructions on this page to configure the build service. The build service is dependent on the completion of the previous steps.
Upload documentation and marketing materials
This redirects you to the product page. Scroll to the bottom and click Add new Collateral ​ to upload your product information.
Note

You must provide a minimum of three materials. The first material must be a document type.

Provide a container registry namespace
This is the same as the project page profile page.
Provide sales contact information
This information is the same as the company profile.
Obtain distribution approval from Red Hat
Red Hat provides approval for this step.
Configure Automated Build Service
The configuration information to perform the build and scan of the container image.

The last item in the checklist is Configure Automated Build Service. Before you configure this service, you must ensure that your project contains a dockerfile that conforms to Red Hat certification standards.

7.3. Dockerfile requirements

As a part of the image build process, the build service scans your built image to ensure that it complies with Red Hat standards. Use the following guidelines as a basis for the dockerfile to include with your project:

  • The base image​ must​ be a Red Hat image. Any images that use Ubuntu, Debian, and CentOS as a base do not​ pass the scanner.
  • You must configure the required labels:

    • name
    • maintainer
    • vendor
    • version
    • release
    • summary
  • You must include a software license​ as a text file within the image. Add the software license​ to the licenses directory at the root of your project.
  • You must configure a user that is not the root user.

The following dockerfile example demonstrates the required information for the scan:

FROM registry.redhat.io/rhosp-rhel8/openstack-cinder-volume
MAINTAINER VenderX Systems Engineering <maintainer@vendorX.com>

###Required Labels
LABEL name="rhosp-rhel8/openstack-cinder-volume-vendorx-plugin" \
      maintainer="maintainer@vendorX.com" \
      vendor="VendorX" \
      version="3.7" \
      release="1" \
      summary="Red Hat OpenStack Platform 16.2 cinder-volume VendorX PluginY" \
      description="Red Hat OpenStack Platform 16.2 cinder-volume VendorX PluginY"


USER root

###Adding package
###repo exmple
COPY vendorX.repo /etc/yum.repos.d/vendorX.repo

###adding package with curl
RUN curl -L -o /verdorX-plugin.rpm http://vendorX.com/vendorX-plugin.rpm

###adding local package
COPY verdorX-plugin.rpm /

# Enable a repo to install a package
RUN dnf clean all
RUN yum-config-manager --enable openstack-16.2-for-rhel-8-x86_64-rpms
RUN dnf install -y vendorX-plugin
RUN yum-config-manager --disable openstack-16.2-for-rhel-8-x86_64-rpms

# Add required license as text file in Liceses directory (GPL, MIT, APACHE, Partner End User Agreement, etc)
RUN mkdir /licenses
COPY licensing.txt /licenses

USER cinder

7.4. Setting project details

You must set details for your project including the namespace and registry for your container image.

Procedure

  1. Click Project Settings.
  2. Ensure that your project name is in the correct format. Optionally, set Auto-Publish to ON if you want to automatically publish containers that pass certification. Certified containers are published in the Red Hat Container Catalog.

    ProjectSettings01

  3. To set the Container Registry Namespace, follow the online instructions.

    ProjectSettings02

    • The container registry namespace is the name of your company.
    • The final registry URL is registry.connect.redhat.com/namespace/repository:tag.
    • Example: registry.connect.redhat.com/mycompany/rhosp16-openstack-cinder-volume-myplugin:1.0
  4. To set the Outbound Repository Name and Outbound Repository Descriptions, follow the online instructions. The outbound repository name must be the same as the project name.

    ProjectSettings03

    • [product][version]-[extended_base_container_image]-[your_plugin]
    • For Red Hat OpenStack Platform (RHOSP) purposes, the format is rhospXX-baseimage-myplugin
    • The final registry URL is registry.connect.redhat.com/namespace/repository:tag
    • Example: registry.connect.redhat.com/mycompany/rhosp16-openstack-cinder-volume-myplugin:1.0
  5. Add additional information about your project in the relevant fields:

    • Repository Description
    • Supporting Documentation for Primed
  6. Click Submit.

7.5. Building a container image with the build service

Build the container image for your partner plugin.

Procedure

  1. Click Build Service.
  2. Click Configure Build Service to configure your build details.

    1. Ensure that the Red Hat Container Build is set to ON.
    2. Add your Git Source URL and optionally add your Source Code SSH Key if your git repository is protected. The URL can be HTML or SSH. SSH is required for protected git repositories.
    3. Optional: Add Dockerfile Name or leave blank if your Dockerfile name is Dockerfile.
    4. Optional: Add the Context Directory if the docker build context root is not the root of the git repository. Otherwise, leave this field blank.
    5. Set the Branch in your git repository to base the container image on.
    6. Click Submit to finalize the Build Service settings.
  3. Click Start Build.
  4. Add a Tag Name and click Submit. It can take up to six minutes for the build to complete.

    • The tag name must be a version of your plugin.
    • The final reference URL is registry.connect.redhat.com/namespace/repository:tag.
    • Example: registry.connect.redhat.com/mycompany/rhosp16-openstack-cinder-volume-myplugin:1.0
  5. Click Refresh to check that your build is complete. Optional: Click the matching Build ID to view the build details and logs.
  6. The build service both builds and scans the image. This normally takes 10-15 minutes to complete. When the scan completes, click the View link to expand the scan results.

7.6. Correcting failed scan results

The Scan Details page displays the result of the scan, including any failed items. If your image scan reports a FAILED status, use the following procedure to investigate how to correct the failure.

Procedure

  1. On the Container Information page, click the View link to expand the scan results.
  2. Click the failed item. For example, in the following screenshot, the has_licenses check failed.

    ScanDetails

  3. Click the failed item to open the Policy Guide at the relevant section and view more information about how to correct the issue.
Note

If you receive an Access Denied warning when you access the Policy Guide, email ​connect@redhat.com

7.7. Publishing a container image

After the container image passes the scan, you can publish the container image.

Procedure

  1. On the Container Information page, click the Publish link to publish the container image live.
  2. The Publish link changes to Unpublish. To unpublish a container, click the Unpublish link.

When you publish the link, check the certification documentation for more information about certifying your plugin. For more links to certification documentation, see Section 1.1, “Partner integration prerequisites”.