Chapter 6. Working with Containers

Docker is an open source project that automates the deployment of applications inside Linux containers, and provides the capability to package an application with its runtime dependencies into a container. Linux containers enable rapid application deployment, simpler testing, maintenance, and troubleshooting while improving security. For more information, see the Get Started with Docker Formatted Container Images on Red Hat Systems article on the Red Hat Customer Portal[1].
A container in the Docker format is composed of the following parts:
  • Container: An application sandbox. Each container is based on an image that holds necessary configuration data. When you launch a container from an image, a writable layer is added on top of this image. Every time you commit a container a new image layer is added to store your changes.
  • Image: A static snapshot of the container's configuration that is never modified. Any changes made to the container can be saved only by creating a new image layer. Each image depends on one or more parent images.
  • Platform image: An image that has no parent. Platform images define the runtime environment, packages and utilities necessary for containerized applications to run. The platform image is not writable, so any changes are reflected in the copied images stacked on top of it. For information on how to access Red Hat Enterprise Linux platform images from Red Hat Satellite, see Example 6.1, “Creating a Red Hat Enterprise Linux Container in Satellite”.
  • Registry: A public or private archive that contains images available for download. Some registries allow users to upload images to make them available to others. Red Hat Satellite allows you to import images from local and external registries. Satellite itself can act as an image registry for hosts; however, hosts cannot push changes back to the registry. For more information, see Section 6.1.1, “Creating Containers”.
  • Tag: A mark used to differentiate images in a repository, typically by the version of the application stored in the image. Repositories are used to group similar images in a container registry. Images only have unique alphanumeric identifiers, so naming in the form of repository:tag provides a human-readable way of identifying images. For more information, see Section 6.5, “Using Container Tags” and Section 6.2, “Managing Repositories”.
With Red Hat Satellite, you can create an on-premise registry, import images from various sources and distribute them to containers using content views (see Section 3.2, “Adding Repositories to the Content View” for more information on loading images to a content view). Satellite supports creating one or more Docker compute resources that act as servers for running containers. This way, you can import an image, start a container based on this image, monitor the container's activity, and commit its state to a new image layer that can be further propagated.

6.1. Managing Containers

The following sections show how to create, view, start, stop, and commit a container.

Prerequisites

In Red Hat Satellite, you can deploy containers only on a compute resource of the Docker provider type. Therefore, when you attempt to view or create containers for the first time, Satellite prompts you to create a Docker compute resource. To do so, first create a container host, then specify this host as a compute resource.

Procedure 6.1. To Prepare a Container Host:

  1. Prepare a Red Hat Enterprise Linux 7 server for hosting images and enable the docker service on this server as described in the Getting Docker in RHEL 7 section of the Get Started with Docker Formatted Container Images on Red Hat Systems guide on the Red Hat Customer Portal[2]. You can deploy the container host either on the same machine as the Satellite Server or independently.

    Note

    Red Hat Enterprise Linux 7 is currently the only supported system for a container host. The docker package is available in the rhel-7-server-extras-rpms repository. Red Hat Enterprise Linux 6 systems are currently not supported to host containers.
  2. Run the following command on the container host to install the Satellite Server's CA certificate:
    # rpm -Uvh https://satellite.example.com/pub/katello-ca-consumer-latest.noarch.rpm
    Here, satellite.example.com is the fully qualified domain name of your Satellite Server. Skip this step if the container host is already registered as a Satellite host.
  3. Depending on the location of the container host, perform the following tasks:
    • If the container host is on the same machine as the Satellite Server:
      1. Create a docker user group and add the foreman user to it:
        # groupadd docker
        # usermod -aG docker foreman
      2. Modify the OPTIONS variable in the /etc/sysconfig/docker file as follows:
        OPTIONS='--selinux-enabled -G docker'
      3. Restart the affected services to apply the changes:
        # systemctl restart docker.service
        # katello-service restart
    • If the container host is on a different machine than the Satellite Server:
      1. Open a port on the container host to communicate with the Satellite Server. To do so, modify the OPTIONS variable in the /etc/sysconfig/docker file as follows:
        OPTIONS='--selinux-enabled -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock'
        You can use port 2376 if TLS is enabled.
      2. Restart the docker service and verify your settings as follows:
        # systemctl restart docker.service
        # systemctl status docker.service
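
The two OPTIONS lines in step 3 differ in exposure: -H tcp://0.0.0.0:2375 makes the Docker API reachable on every interface, and the daemon serves it without encryption or client authentication unless TLS options are set. The following check is an added example, not part of the Red Hat procedure; it classifies the listeners configured in a sysconfig-style file, and the sample files and certificate paths in it are constructed placeholders.

```shell
#!/bin/sh
# Added example: classify the Docker daemon listeners configured in a
# sysconfig file. Prints one of:
#   local-only | mutual-tls | encrypted-unauthenticated | plaintext-unauthenticated
# The body runs in a subshell so "set -f" and the variables do not leak.
classify_docker_options() (
    set -f   # no glob expansion while word-splitting the option string
    # Last uncommented OPTIONS= line, with the surrounding quotes removed.
    opts=$(sed -n 's/^[[:space:]]*OPTIONS=//p' "$1" | tail -n 1 |
           sed "s/^['\"]//; s/['\"][[:space:]]*\$//")
    tcp=no tls=no verify=no prev=
    for word in $opts; do
        case "$word" in
            --tlsverify|--tlsverify=true) verify=yes ;;
            --tls|--tls=true)             tls=yes ;;
            --host=tcp://*)               tcp=yes ;;
            tcp://*) case "$prev" in -H|--host) tcp=yes ;; esac ;;
        esac
        prev=$word
    done
    if   [ "$tcp" = no ];     then echo local-only
    elif [ "$verify" = yes ]; then echo mutual-tls
    elif [ "$tls" = yes ];    then echo encrypted-unauthenticated
    else                           echo plaintext-unauthenticated
    fi
)

# Constructed sample files: the two OPTIONS lines from Procedure 6.1 and a
# TLS variant. The certificate paths are placeholders, not Satellite defaults.
samples=$(mktemp -d)
cat > "$samples/same-host" <<'EOF'
OPTIONS='--selinux-enabled -G docker'
EOF
cat > "$samples/remote-2375" <<'EOF'
OPTIONS='--selinux-enabled -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock'
EOF
cat > "$samples/remote-2376" <<'EOF'
OPTIONS='--selinux-enabled --tlsverify --tlscacert=/path/to/ca.pem --tlscert=/path/to/server-cert.pem --tlskey=/path/to/server-key.pem -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock'
EOF
for f in same-host remote-2375 remote-2376; do
    printf '%-12s %s\n' "$f" "$(classify_docker_options "$samples/$f")"
done
rm -rf "$samples"
```

On a container host, call classify_docker_options /etc/sysconfig/docker after editing the file; any result other than local-only or mutual-tls means the API on the TCP port accepts clients that have not presented a certificate.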

Procedure 6.2. To Create a Docker Compute Resource:

  1. Make sure that port 5000 is enabled on the Satellite Server. The container host uses this port to pull images from Content Views on the Satellite Server.
  2. Create the compute resource as described in Section 9.3.4, “Compute Resources”. Specify the resource URL according to the location of the container host:
    1. If the container host is on the same machine as the Satellite Server, set unix:///var/run/docker.sock as the resource URL.
    2. If the container host is on a different machine than the Satellite Server, specify the URL in the form of:
      http://container_host_fqdn:2375
      Here, container_host_fqdn stands for the fully qualified domain name of the container host, and the port number opened on the container host for communication with Satellite can be either 2375 or, if using TLS, 2376.
  3. Click Test Connection to test if the container host is available.
  4. Click Submit to create the compute resource.

6.1.1. Creating Containers

When there is at least one Docker compute resource present in your Satellite, you can create containers. To create a new container, follow the steps described in Procedure 6.3, “To Create a Container:”. For instructions on how to monitor existing containers, see Section 6.1.2, “Monitoring Containers”.
To create a container, you must first import an image, which can be a platform image or a previously created layered image. Satellite supports the following image sources:
  • Local content: represented by the Content View option when creating a container. This option allows you to import an image from a repository that is already present on a Capsule Server in a certain content view and life cycle environment. For more information on how to create and populate a local registry, see Section 6.2, “Managing Repositories”.
  • Docker Hub: allows you to search the Docker Hub registry and pull images from there. Make sure that you pull only trusted images with verified content.
  • External Registry: allows you to import images from a previously created external registry. For more information on creating registries in Red Hat Satellite, see Section 6.3, “Importing External Registries”.

Note

You cannot change the configuration of an existing container. To alter the configuration, you have to create a replacement container with modified settings as described in Procedure 6.3, “To Create a Container:”. Therefore, make sure that containers can be replaced in your workflow.

Procedure 6.3. To Create a Container:

  1. Navigate to Containers → New Container. Alternatively, navigate to Containers → All Containers and click New container.
  2. In the Preliminary stage of container creation, configure the following settings:
    • On the Compute resource tab, select the compute resource from the Deployed on drop-down menu. For more information on compute resources, see Section 9.3.4, “Compute Resources”.
    • On the Locations tab, select the locations where the new container will be available.
    • On the Organizations tab, select the organizations where the new container will be available.
    Click Next to proceed.
  3. In the Image stage of container creation, import an image that will act as a base for your container. This can be a platform image, or a previously created layered image. Select from one of the following options:
    • Select the Content View tab to import the image from a life cycle environment. Specify the life cycle environment, content view, repository, tag, and Capsule Server.
    • Select the Docker hub tab to import the image from the Docker Hub registry. After you type the image name into the Search field, Satellite automatically searches the compute resource. Click the magnifying glass icon to search the Docker Hub. Select the image from the list of search results and pick a tag from the drop-down list.
    • Select the External registry tab to import the image from an existing registry. Select the registry from the drop-down menu, and search it by the image name. Satellite populates the Tag field with tags available for the selected image name. For more information, see Section 6.3, “Importing External Registries”.
    Click Next to proceed.
  4. In the Configuration stage of container creation, set the following parameters:
    • Provide the container name.
    • Specify a command to run inside the container.
    • Specify an entrypoint, which is a command that is executed automatically as soon as the container starts. The default entrypoint is /bin/sh -c.
    • Assign CPUs to the container. For example, 0-2,16 represents CPUs 0, 1, 2, and 16.
    • Define the relative share of CPU time for the container.
    • Specify a memory limit for the container. For example, 512m limits the container memory usage to 512 MB.
    Click Next to proceed.
  5. In the final stage of container creation, named Environment, select whether to allocate a pseudo-tty and whether to attach STDIN, STDOUT, and STDERR to the container. Click Add environment variable to create a custom environment variable for the container. Select the Run? check box to start the container automatically after it is created.
  6. Click Submit to create the container.
After creating a container, Satellite displays a summary of container metadata. By default, new containers are disabled (unless you selected the Run? check box when creating the container). For instructions on how to start containers, see Procedure 6.5, “To Start or Stop a Container:”.

Example 6.1. Creating a Red Hat Enterprise Linux Container in Satellite

To enable a Red Hat Enterprise Linux container in Red Hat Satellite, perform the following actions:
  1. Create a custom registry as described in Section 6.3, “Importing External Registries”. Specify registry.access.redhat.com as the registry URL.
  2. Create a new container as described in Section 6.1.1, “Creating Containers”. In the Image stage of container creation, navigate to the External registry tab and select the registry created in the previous step. Use the search field to find the desired version of the Red Hat Enterprise Linux image. Proceed through the Configuration and Environment stages to finalize the container.

6.1.2. Monitoring Containers

Red Hat Satellite provides the means to monitor the status of containers as well as processes running inside them. Some containers can be marked as managed, which means they were created and provisioned inside the Satellite environment.
The following procedure shows how to list containers of a selected organization and how to monitor the container metadata.

Procedure 6.4. To Investigate a Container:

  1. Navigate to Containers → All Containers.
  2. On the Containers page, every Docker compute resource has a dedicated tab. Each of these tabs contains the table of available containers together with selected parameters of each container. Select the tab of the compute resource you want to inspect.
  3. To view the container metadata, click the name of the container you want to inspect. Satellite displays the table of container properties.
  4. On the Processes tab, you can view processes that are currently running in the container. Click on the process name to view the metadata of the process.
  5. If the container is running, you can view its standard output in the Logs tab. If you selected the allocate a pseudo-tty check box when creating a container, the console is interactive. Otherwise, it displays the initial standard output produced when the container started.

6.1.3. Starting, Committing, and Removing Containers

New containers are by default disabled. By enabling a container, you start the processes of the containerized application in the compute resource. Hosts are then able to communicate with the container as with a web application. The following procedure shows how to start and stop a container:

Procedure 6.5. To Start or Stop a Container:

  1. Navigate to Containers → All Containers to view the list of available containers.
  2. Click Power On next to the container you want to start. After starting the container, the button changes to Power Off, which allows for stopping the container. These actions are equivalent to the docker start and docker stop commands.
The following procedure shows how to commit a container to create a new image layer that stores the status of the container.

Procedure 6.6. To Commit a Container:

  1. Navigate to Containers → All Containers to view the list of available containers.
  2. Click the name of the container you want to commit.
  3. Click Commit. Satellite prompts you to:
    • Specify a repository name. This can be a single name or combined with the user name, for example user/my-rhel-image.
    • Assign a tag to the image.
    • Provide your contact information.
    • Provide an informative comment about the image.
  4. Click Submit.

Note

The container is committed to the repository of the original image. For example, if the container is based on an image pulled from the Docker Hub, the committed changes are pushed back to the Docker Hub.

Procedure 6.7. To Remove a Container:

  1. Navigate to Containers → All Containers to view the list of available containers.
  2. Click the name of the container you want to delete.
  3. Click Delete.
  4. In the alert box, click OK to remove the container.