Chapter 8. Managing Containers

You can automate the deployment of applications inside Linux containers using RHUI. Using containers offers the following advantages:

  • Requires less storage and in-memory space than VMs: Because the containers hold only what is needed to run an application, saving and sharing is more efficient with containers than it is with VMs that include entire operating systems.
  • Improved performance: Because you are not running an entirely separate operating system, a container typically runs faster than an application that carries the overhead of a new VM.
  • Secure: Because a container typically has its own network interfaces, file system, and memory, the application running in that container can be isolated and secured from other activities on a host computer.
  • Flexible: With an application’s runtime requirements included with the application in the container, a container can run in multiple environments.
Note

Support for containers is not enabled by default. You must manually enable support by setting the --container-support-enabled flag.

8.1. Understanding containers in Red Hat Update Infrastructure

A container is an application sandbox. Each container is based on an image that holds necessary configuration data. When you launch a container from an image, a writable layer is added on top of this image. Every time you commit a container, a new image layer is added to store your changes.

An image is a read-only layer that is never modified. All changes are made in the top-most writable layer, and the changes can be saved only by creating a new image. Each image depends on one or more parent images.

A platform image is an image that has no parent. Platform images define the runtime environment, packages, and utilities necessary for a containerized application to run. The platform image is read-only, so any changes are reflected in the copied images stacked on top of it.

8.2. Adding a container to Red Hat Update Infrastructure

You can use the rhui-manager tool to add containers using the Repository Management section.

Procedure

  1. On the RHUA node, enable support for containers and apply it on all CDS nodes:

    # rhui-installer --rerun --container-support-enabled True
    # rhui-manager --noninteractive cds reinstall --all
  2. Optional: Edit the /etc/rhui/rhui-tools.conf file and set the container registry credentials in the RHUI configuration by adding the following lines in the [container] section.

    If you have a clean installation of RHUI 4.1.1 or newer, the last several lines contain a [container] section with podman-specific options and handy comments. If you have updated from an earlier version of RHUI, the section is available at the end of the /etc/rhui/rhui-tools.conf.rpmnew file, and you can copy it to the rhui-tools.conf file.

    [container]
    
    registry_username: your_RH_login
    registry_password: your_RH_password
    Note

    If you normally synchronize from a registry different from registry.redhat.io, also change the values of the registry_url and registry_auth options accordingly.

  3. On the RHUA node, run rhui-manager:

    # rhui-manager
  4. Press r to access the Repository Management screen.

    -= Red Hat Update Infrastructure Management Tool =-
    
    
    -= Repository Management =-
    
      l list repositories currently managed by the RHUI
      i display detailed information on a repository
      a add a new Red Hat content repository
      ac add a new Red Hat container
      c create a new custom repository (RPM content only)
      d delete a repository from the RHUI
      u upload content to a custom repository (RPM content only)
      ur upload content from a remote web site (RPM content only)
      p list packages in a repository (RPM content only)
    
    Connected: rhua.example.com
  5. Press ac to add a new Red Hat container.

    rhui (repo) => ac
    Specify URL of registry [https://registry.redhat.io]:
  6. If the container you want to add exists in a non-default registry, enter the registry URL. Press Enter without entering anything to use the default registry.
  7. Enter the name of the container in the registry:

    jboss-eap-6/eap64-openshift
  8. Enter a unique ID for the container.

    rhui-manager converts the name of the container from the registry to the format that is usable in Pulp by replacing slashes and dots with underscores. You can use such a converted name by pressing Enter or by entering a name of your choice.

  9. Enter a display name for the container.

    jboss-eap-6_eap64-openshift
  10. Optional: Set your login and password in the RHUI configuration if prompted.
  11. Verify the displayed summary.

    The following container will be added:
      Registry URL: http://registry.redhat.io
      Container Id: jboss-eap-6_eap64-openshift
      Display Name: jboss-eap-6_eap64-openshift
      Upstream Container Name: jboss-eap-6/eap64-openshift
    Proceed? (y/n)
  12. Press y to proceed and add the container.

    y
    Successfully added container jboss-eap-6_eap64-openshift
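
An added check for step 2, not part of the Red Hat procedure or of RHUI itself: once registry_password is stored in rhui-tools.conf, that file is a credential store. The script below audits a file in that format; the function names are hypothetical, and it assumes GNU stat and the key: value syntax shown above.

```shell
#!/bin/sh
# Added example (not RHUI code): audit the [container] credentials in a
# rhui-tools.conf-style file. Function names are hypothetical.

# container_opt FILE KEY: print KEY's value from the [container] section.
container_opt() {
    awk -v key="$2" '
        /^[ \t]*\[/ { sec = $0; gsub(/[ \t]/, "", sec); next }
        sec == "[container]" && $0 !~ /^[ \t]*[#;]/ && match($0, /[:=]/) {
            k = substr($0, 1, RSTART - 1); v = substr($0, RSTART + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# audit_container_conf FILE: print findings; return 0 if none, 1 otherwise.
audit_container_conf() {
    f=$1; rc=0
    user=$(container_opt "$f" registry_username)
    pass=$(container_opt "$f" registry_password)
    url=$(container_opt "$f" registry_url)
    mode=$(stat -c '%a' "$f")      # GNU stat, as on RHEL
    if [ -n "$pass" ]; then
        # A last octal digit of 4 or more means "other" users can read the file.
        case $mode in
            *[4-7]) echo "FAIL: mode $mode lets any local user read registry_password"; rc=1 ;;
        esac
        [ -n "$user" ] || { echo "FAIL: registry_password set without registry_username"; rc=1; }
    fi
    # Placeholder values copied verbatim from the documentation sample.
    case "$user $pass" in
        *your_RH_*) echo "FAIL: placeholder credentials left in place"; rc=1 ;;
    esac
    case $url in
        http://*) echo "FAIL: registry_url is not HTTPS"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: the documentation's placeholder lines, world-readable.
demo=$(mktemp)
printf '[container]\nregistry_username: your_RH_login\nregistry_password: your_RH_password\n' > "$demo"
chmod 644 "$demo"
audit_container_conf "$demo" || echo "=> fix the findings above"
rm -f "$demo"
```

On the RHUA node, run audit_container_conf /etc/rhui/rhui-tools.conf after editing the file.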

8.3. Synchronizing container repositories

After you add your container to Red Hat Update Infrastructure, you can use the rhui-manager tool to synchronize the container.

Procedure

  1. On the RHUA node, run rhui-manager:

    # rhui-manager
  2. Press s to access the synchronization status and scheduling screen.
  3. Press sr to synchronize an individual repository immediately.
  4. Enter the number of the repository that you wish to synchronize.
  5. Press c to confirm the selection.
  6. Verify the repository and press y to synchronize or n to cancel.

    The following repositories will be scheduled for synchronization:
      jboss-eap-6_eap64-openshift
    Proceed? (y/n) y
    Scheduling sync for jboss-eap-6_eap64-openshift...
    ... successfully scheduled for the next available timeslot.

8.4. Generating container client configurations

RHUI clients can pull containers from RHUI using a client configuration RPM. The RPM contains the load balancer’s certificate, and you can use it to add the load balancer to the container registry and to modify the container configuration.

Procedure

  1. On the RHUA node, run rhui-manager:

    # rhui-manager
  2. Press e to access the entitlement certificates and client configuration RPMs screen.
  3. Press d to create a container client configuration RPM.
  4. Enter the full path of a local directory where you want to save the configuration files.

    /root/
  5. Enter the name of the RPM.

    containertest
  6. Enter the version number of the configuration RPM. The default is 2.0.
  7. Enter the release number of the configuration RPM. The default is 1.
  8. Enter the number of days the certificate should be valid. The default is 365.

    Successfully created client configuration RPM.
    Location: /root/containertest-2.0/build/RPMS/noarch/containertest-2.0-1.noarch.rpm

8.5. Installing a container configuration RPM on the client

After generating the container configuration RPM, you can install it on a client by importing it to your local machine.

Procedure

  1. Retrieve the RPM from the RHUA node to your local machine:

    # scp root@rhua.example.com:/root/containertest-2.0/build/RPMS/noarch/containertest-2.0-1.noarch.rpm .
  2. Transfer the RPM from the local machine to the client.

    # scp containertest-2.0-1.noarch.rpm root@cli01.example.com:.
  3. Switch to the client and install the RPM:

    [root@cli01 ~]# yum install containertest-2.0-1.noarch.rpm

8.6. Testing the podman pull command on the client

You can use the podman pull command to verify the content on the container.

Procedure

  1. Run the podman pull command.

    [root@cli01 ~]# podman pull jboss-eap-6_eap64-openshift
    
    Resolving "jboss-eap-6_eap64-openshift" using unqualified-search registries (/etc/containers/registries.conf)
    Trying to pull cds.example.com/jboss-eap-6_eap64-openshift:latest...
    Getting image source signatures
    Copying blob b0e0b761a531 done
    Copying blob aa23ac04e287 done
    Copying blob 0d30ea1353f9 done
    Copying config 3d0728c907 done
    Writing manifest to image destination
    Storing signatures
    3d0728c907d55d9faedc4d19de003f21e2a1ebdf3533b3d670a4e2f77c6b35d2
  2. If the podman pull command fails, check the rhui-manager status. The synchronization probably has not been performed yet and you have to wait until it synchronizes.

    Resolving "jboss-eap-6_eap64-openshift" using unqualified-search registries (/etc/containers/registries.conf)
    Trying to pull cds.example.com/jboss-eap-6_eap64-openshift:latest...
    Error: initializing source docker://cds.example.com/jboss-eap-6_eap64-openshift:latest: reading manifest latest in cds.example.com/jboss-eap-6_eap64-openshift: manifest unknown: Manifest not found.
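
The two outcomes above can be told apart mechanically. This added example (not part of the Red Hat documentation or of podman) classifies captured podman pull output and also confirms that the unqualified name was pulled from the expected RHUI host rather than from another unqualified-search registry; the function names and verdict strings are hypothetical.

```shell
#!/bin/sh
# Added example (not RHUI or podman code): triage captured `podman pull` output.
# Function names and verdict strings are hypothetical.

# pull_source: read pull output on stdin, print the registry host of the
# last "Trying to pull" attempt (the one that produced the final result).
pull_source() {
    sed -n 's|^Trying to pull \([^/]*\)/.*|\1|p' | tail -n 1
}

# triage_pull EXPECTED_HOST: read pull output on stdin and print a verdict.
# Returns 0 = pulled from the expected host, 1 = pull failed, 2 = wrong registry.
triage_pull() {
    expected=$1
    out=$(cat)
    host=$(printf '%s\n' "$out" | pull_source)
    # With several unqualified-search registries configured, a short name
    # can end up being served by a host other than the RHUI one.
    if [ "$host" != "$expected" ]; then
        echo "WRONG_REGISTRY:${host:-none}"; return 2
    fi
    case $out in
        *"manifest unknown"*) echo "NOT_SYNCED"; return 1 ;;   # repository not synchronized yet
        *"Error:"*)           echo "OTHER_ERROR"; return 1 ;;
    esac
    # On success the last line is the 64-hex-digit image ID.
    id=$(printf '%s\n' "$out" | tail -n 1)
    if printf '%s' "$id" | grep -Eq '^[0-9a-f]{64}$'; then
        echo "PULLED:$id"; return 0
    fi
    echo "UNKNOWN"; return 1
}

# Input: the failure output shown in step 2, fed through the triage.
triage_pull cds.example.com <<'EOF' || true
Resolving "jboss-eap-6_eap64-openshift" using unqualified-search registries (/etc/containers/registries.conf)
Trying to pull cds.example.com/jboss-eap-6_eap64-openshift:latest...
Error: initializing source docker://cds.example.com/jboss-eap-6_eap64-openshift:latest: reading manifest latest in cds.example.com/jboss-eap-6_eap64-openshift: manifest unknown: Manifest not found.
EOF
```

A NOT_SYNCED verdict corresponds to the case in step 2; WRONG_REGISTRY means the search order in /etc/containers/registries.conf on the client needs review.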