Red Hat Container Images are trying to connect to https://cdn-ubi.redhat.com

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux (RHEL) 7, 8
  • Universal Base Images (UBI) 7, 8

Issue

  • When checking rhscl/nodejs-8-rhel7 (for example) or any other image built on UBI, we can see that this particular Image contains /etc/yum.repos.d/ubi.repo which points to repositories on https://cdn-ubi.redhat.com. This URL is not whitelisted within our proxy and due to this, builds are failing.

Resolution

All images part of Red Hat Enterprise Linux 8, select images in RHEL 7 and many layered products are built on Red hat Universal Base Image. Many Red Hat partners are also building on UBI. UBI provides a foundation for anyone looking to build on a supportable base image, while at the same time needing the ability to distribute on any registry server.

Red Hat provides container images which map to RHSCL in RHEL 7, and Application Streams in RHEL 8. These include things like PHP, Python, Ruby, NodeJS for Developers looking for easy to consume, pre-built images.

Red Hat provides freely available updates for UBI which can be without a subscription for Red Hat Enterprise Linux. This content is a subset of the current packages available in RHEL and Software Collections (SCL). More information around UBI, Container Support Policy, etc. can be found on Red Hat Container Support Policy.

In order to provide freely available updates for UBI based container images, a yum repository file (/etc/yum.repos.d/ubi.repo) has been added into the base UBI image, pointing to a public available Content Delivery Network hosted on https://cdn-ubi.redhat.com, providing the UBI RPM content.

Container engines do not provide a command line option to interact directly with package managers during build time, which means that during builds, every invocation of yum will try to access the content hosted on https://cdn-ubi.redhat.com.

In disconnected environments or environments using a proxy (where URL's need to be white-listed), this can cause builds to fail (CI/CD systems, etc) as the connectivity to https://cdn-ubi.redhat.com may fail and subsequently will cause yum to report an error (which can trigger Container Image builds to fail).

In restricted environments or when there are network connectivity issues, customers are advised to implement one of the following solutions:

Solution 1

Disable UBI specific repositories using yum utilities:

  • Using yum-config-manager:

    $ yum-config-manager --disable *ubi*

  • Using yum:

    $ yum --disablerepo=\*ubi\* -y install foo

Solution 2

Remove /etc/yum.repos.d/ubi.repo from the Container Images before invoking yum commands:

  • Moving the file into a temporary location:

    $ mv /etc/yum.repos.d/ubi.repo /tmp/ubi.repo

  • Removing the file:

    $ rm -f /etc/yum.repos.d/ubi.repo

To understand what other repositories are available in the Container Image to consume content and to enable additional or different repositories, review Enabling repositories inside a Docker-formatted container image and utilizing Red Hat subscriptions or entitlements to access repositories.

For more information, check out the full Universal Base Image Guide:

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Comments