Chapter 13. Managing Container Images
With Satellite, you can import container images from various sources and distribute them to external containers using Content Views.
For information about containers, see Getting Started with Containers in Red Hat Enterprise Linux Atomic Host 7.
13.1. Importing Container Images
You can import container image repositories from Red Hat Registry or from other image registries.
This procedure uses repository discovery to find container images and import them as repositories. For more information about creating a product and repository manually, see Chapter 6, Importing Content.
To use the CLI instead of the Satellite web UI, see the CLI procedure.
- In the Satellite web UI, navigate to Content > Products and click Repo Discovery.
- From the Repository Type list, select Container Images.
- In the Registry to Discover field, enter the URL of the registry to import images from.
- In the Registry Username field, enter the name that corresponds with your user name for the container image registry.
- In the Registry Password field, enter the password that corresponds with the user name that you enter.
- In the Registry Search Parameter field, enter any search criteria that you want to use to filter your search, and then click Discover.
- Optional: To further refine the Discovered Repository list, in the Filter field, enter any additional search criteria that you want to use.
- From the Discovered Repository list, select any repositories that you want to import, and then click Create Selected.
- Optional: To change the download policy for this docker repository to on demand, see Section 6.9, “Changing the Download Policy for a Repository”.
- Optional: If you want to create a product, from the Product list, select New Product.
- In the Name field, enter a product name.
- Optional: In the Repository Name and Repository Label columns, you can edit the repository names and labels.
- Click Run Repository Creation.
- When repository creation is complete, you can click each new repository to view more information.
- Optional: To filter the content you import to a repository, click a repository, and then navigate to Limit Sync Tags. Click to edit, and add any tags that you want to limit the content that synchronizes to Satellite.
- In the Satellite web UI, navigate to Content > Products and select the name of your product.
- Select the new repositories and then click Sync Now to start the synchronization process.
To view the progress of the synchronization, navigate to Content > Sync Status and expand the repository tree.
When the synchronization completes, you can click Container Image Manifests to list the available manifests. From the list, you can also remove any manifests that you do not require.
Create the custom
Red Hat Container Catalogproduct:
# hammer product create \ --description "Red Hat Container Catalog content" \ --name "Red Hat Container Catalog" \ --organization "My_Organization" \ --sync-plan "My_Sync_Plan"
Create the repository for the container images:
# hammer repository create \ --name "RHEL7" \ --content-type "docker" \ --url "http://registry.access.redhat.com/" \ --docker-upstream-name "rhel7" \ --product "Red Hat Container Catalog" \ --organization "My_Organization"
Synchronize the repository:
# hammer repository synchronize \ --name "RHEL7" \ --product "Red Hat Container Catalog" \ --organization "My_Organization"
13.2. Managing Container Name Patterns
When you use Satellite to create and manage your containers, as the container moves through Content View versions and different stages of the Satellite lifecycle environment, the container name changes at each stage. For example, if you synchronize a container image with the name
ssh from an upstream repository, when you add it to a Satellite product and organization and then publish as part of a Content View, the container image can have the following name:
my_organization_production-custom_spin-my_product-custom_ssh. This can create problems when you want to pull a container image because container registries can contain only one instance of a container name. To avoid problems with Satellite naming conventions, you can set a registry name pattern to override the default name to ensure that your container name is clear for future use.
If you use a registry name pattern to manage container naming conventions, because registry naming patterns must generate globally unique names, you might experience naming conflict problems. For example:
If you set the
repository.docker_upstream_nameregistry name pattern, you cannot publish or promote Content Views with container content with identical repository names to the
If you set the
lifecycle_environment.nameregistry name pattern, this can prevent the creation of a second container repository with the identical name.
You must proceed with caution when defining registry naming patterns for your containers.
To manage container naming with a registry name pattern, complete the following steps:
- In the Satellite web UI, navigate to Content > Lifecycle Environments, and either create a lifecycle environment or select a lifecycle environment to edit.
- In the Container Image Registry area, click the edit icon to the right of Registry Name Pattern area.
- Use the list of variables and examples to determine which registry name pattern you require.
In the Registry Name Pattern field, enter the registry name pattern that you want to use. For example, to use the
<%= repository.docker_upstream_name %>
- Click Save.
13.3. Managing Container Registry Authentication
You can manage the authentication settings for accessing containers images from Satellite. By default, users must authenticate to access containers images in Satellite.
You can specify whether you want users to authenticate to access container images in Satellite in a lifecycle environment. For example, you might want to permit users to access container images from the
Production lifecycle without any authentication requirement and restrict access the
QA environments to authenticated users.
- In the Satellite web UI, navigate to Content > Lifecycle Environments.
- Select the lifecycle environment that you want to manage authentication for.
- To permit unauthenticated access to the containers in this lifecycle environment, select the Unauthenticated Pull checkbox. To restrict unauthenticated access, clear the Unauthenticated Pull checkbox.
- Click Save.
13.4. Configuring Podman and Docker to trust the Certificate Authority
Podman uses two paths to locate the CA file, namely,
Copy the root CA file to one of these locations, with the exact path determined by the server hostname, and naming the file
In the following examples, replace
capsule-server.example.com, depending on your use case.
You might first need to create the relevant location using:
# mkdir -p /etc/containers/certs.d/hostname.example.com
# mkdir -p /etc/docker/certs.d/hostname.example.com
For podman, use:
# cp rootCA.pem /etc/containers/certs.d/hostname.example.com/ca.crt
Alternatively, if you are using Docker, copy the root CA file to the equivalent Docker directory:
# cp rootCA.pem /etc/docker/certs.d/hostname.example.com/ca.crt
You no longer need to use the
--tls-verify=false option when logging in to the registry:
$ podman login hostname.example.com Username: admin Password: Login Succeeded!
13.5. Using Container Registries
Podman and Docker can be used to fetch content from container registries.
Container Registries on Capsules
On Capsules with content, the Container Gateway Capsule plugin acts as the container registry. It caches authentication information from Katello and proxies incoming requests to Pulp. The Container Gateway is available by default on Capsules with content.
Logging in to the container registry:
# podman login satellite.example.com
Listing container images:
# podman search satellite.example.com/
Pulling container images:
# podman pull satellite.example.com/my-image:<optional_tag>