post_installation_configuration/coreos-layering.adoc
37 additions & 42 deletions
@@ -22,40 +22,27 @@ RPMs installed through a custom layered image can conflict with RPMs installed b
22
22
23
23
As soon as you apply the custom layered image to your cluster, you effectively _take ownership_ of your custom layered images and those nodes. While Red Hat remains responsible for maintaining and updating the base {op-system} image on standard nodes, you are responsible for maintaining and updating images on nodes that use a custom layered image. You assume the responsibility for the package you applied with the custom layered image and any issues that might arise with the package.
24
24
25
+
To apply a custom layered image, you create a Containerfile that references an {product-title} image and the RPM that you want to apply. You then push the resulting custom layered image to an image registry. In a non-production {product-title} cluster, create a `MachineConfig` object for the targeted node pool that points to the new image.
26
+
27
+
[NOTE]
28
+
====
29
+
Use the same base {op-system} image installed on the rest of your cluster. Use the `oc adm release info --image-for rhel-coreos-8` command to obtain the base image used in your cluster.
30
+
====
31
+
25
32
:FeatureName: Image layering
26
33
include::snippets/technology-preview.adoc[]
27
34
28
-
Currently, {op-system} image layering allows you to work with Customer Experience and Engagement (CEE) to obtain and apply link:https://access.redhat.com/solutions/2996001[Hotfix packages] on top of your {op-system} image. In some instances, you might want a bug fix or enhancement before it is included in an official {product-title} release. {op-system} image layering allows you to easily add the Hotfix before it is officially released and remove the Hotfix when the underlying {op-system} image incorporates the fix.
35
+
{op-system} image layering allows you to use the following types of images to create custom layered images:
29
36
37
+
* *{product-title} Hotfixes*. You can work with Customer Experience and Engagement (CEE) to obtain and apply link:https://access.redhat.com/solutions/2996001[Hotfix packages] on top of your {op-system} image. In some instances, you might want a bug fix or enhancement before it is included in an official {product-title} release. {op-system} image layering allows you to easily add the Hotfix before it is officially released and remove the Hotfix when the underlying {op-system} image incorporates the fix.
38
+
+
30
39
[IMPORTANT]
31
40
====
32
41
Some Hotfixes require a Red Hat Support Exception and are outside of the normal scope of {product-title} support coverage or life cycle policies.
33
42
====
34
-
43
+
+
35
44
In the event you want a Hotfix, it will be provided to you based on link:https://access.redhat.com/solutions/2996001[Red Hat Hotfix policy]. Apply it on top of the base image and test that new custom layered image in a non-production environment. When you are satisfied that the custom layered image is safe to use in production, you can roll it out on your own schedule to specific node pools. For any reason, you can easily roll back the custom layered image and return to using the default {op-system}.
36
-
37
-
[NOTE]
38
-
====
39
-
It is planned for future releases that you can use {op-system} image layering to incorporate third-party software packages such as libreswan or numactl.
40
-
====
41
-
42
-
////
43
-
Future features
44
-
By using layering, you can extend your {op-system} in a number of ways, including:
45
-
46
-
* {op-system} Hotfixes
47
-
* Third-party RHEL packages.
48
-
* Bleeding edge drivers and kernel enhancements to improve performance or add capabilities.
49
-
* Foresic client tools to investigate possible and actual break-ins.
50
-
* Inventory agents that provide a coherent view of the entire fleet.
51
-
* Critical and important CVEs as soon as errata are available in RHEL to keep your systems secure.
52
-
* SSH Key management packages.
53
-
////
54
-
55
-
To apply a custom layered image, you create a Containerfile that references an {product-title} image and the Hotfix that you want to apply. For example:
56
-
57
-
// For example, the following Containerfile installs a Hotfix:
58
-
45
+
+
59
46
.Example Containerfile to apply a Hotfix
60
47
[source,yaml]
61
48
----
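Review bot: The test-and-rollback guidance ("Apply it on top of the base image and test that new custom layered image in a non-production environment ... you can easily roll back the custom layered image") is now attached with `+` continuation lines to the *{product-title} Hotfixes* list item, so it reads as applying to Hotfixes only, while the list introduced by "allows you to use the following types of images" also covers RHEL and third-party packages further down the file. Consider moving the generic sentences about non-production testing, rollout to specific node pools and rollback to after the list, and keeping only the Hotfix-policy sentence under the Hotfix item. Separately, the new intro sentence "In a non-production {product-title} cluster, create a `MachineConfig` object" can be read as saying that a `MachineConfig` is only used in non-production clusters; wording such as "first in a non-production cluster" would make the intent clearer.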
@@ -67,28 +54,36 @@ RUN rpm-ostree override replace https://example.com/myrepo/haproxy-1.0.16-5.el8.
67
54
ostree container commit
68
55
----
69
56
70
-
////
71
-
For example, the following Containerfile installs the libreswan package from quay.io:
72
-
[source,terminal]
57
+
* *{op-system-base} packages*. You can download {op-system-base-full} packages from the link:https://access.redhat.com/downloads/content/479/ver=/rhel---9/9.1/x86_64/packages[Red Hat Customer Portal], such as chrony, firewalld, and iputils.
58
+
+
59
+
.Example Containerfile to apply a RHEL package
60
+
[source,yaml]
73
61
----
74
-
# Using aa 4.12.0 image
75
-
FROM quay.io/openshift-release-dev/ocp-release@sha256:6499bc69a0707fcad481c3cb73225b867dc31b345c6e6204e28
76
-
RUN rpm-ostree install libreswan && \
77
-
rpm-ostree cleanup -m && \
62
+
FROM quay.io/openshift-release-dev/ocp-release@sha256:6499bc69a0707fcad481c3cb73225b867d
Use the same base {op-system} image installed on the rest of your cluster. Use the `oc adm release info --image-for rhel-coreos-8` command to obtain the base image used in your cluster.
85
-
====
86
-
87
-
Push the resulting custom layered image to an image registry. In a non-production {product-title} cluster, create a `MachineConfig` object for the targeted node pool that points to the new image.
88
-
89
-
The Machine Config Operator (MCO) updates the operating system with content provided in the machine config. This creates a custom layered image that overrides the base {op-system} image on those nodes.
70
+
* *Third-party packages*. You can download and install RPMs from third-party organizations, such as the following types of packages:
71
+
+
72
+
--
73
+
** Bleeding edge drivers and kernel enhancements to improve performance or add capabilities.
74
+
** Forensic client tools to investigate possible and actual break-ins.
75
+
** Security agents.
76
+
** Inventory agents that provide a coherent view of the entire cluster.
77
+
** SSH Key management packages.
78
+
--
79
+
+
80
+
.Example Containerfile to apply a third-party package from EPEL
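Review bot: The *Third-party packages* item tells readers they can "download and install RPMs from third-party organizations", including security agents and forensic client tools, but the visible added lines give no guidance on checking where an RPM comes from or whether it is signed. Since the page states that the user takes ownership of nodes running a custom layered image, add a sentence asking readers to install only from repositories they trust and to verify package signatures before building the image. Two smaller points: the Customer Portal link in the *{op-system-base} packages* item points at `rhel---9/9.1` packages while the NOTE names `rhel-coreos-8` and the Hotfix example installs an `el8` RPM, so the text should say which RHEL major version has to match the base image; and the new example is tagged `[source,yaml]` although it is a Containerfile (the removed block used `[source,terminal]`).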