Skip to main content

Build with RHEL base images

If you wish to use a Red Hat Enterprise Linux (RHEL) based image to build upon, you will need to take some extra steps to get access to the RHEL Subscription included in the OpenShift Platform.

Popular choices for RHEL base images are ubi8 and openshift4/ose-cli.

Reminder: you can pull these via Artifactory as well via artifacts.developer.gov.bc.ca/redhat-docker-remote.

RHEL Entitlements

To use subscription content via yum or dnf you first need to add the RHEL Entitlement certificate into your build config. The platform now has an operator that ensures each tools namespace has a secret named platform-services-controlled-etc-pki-entitlement that is kept up to date as this cert changes (it changes often).

$ oc -n license-tools describe secret platform-services-controlled-etc-pki-entitlement
Name:         platform-services-controlled-etc-pki-entitlement
Namespace:    license-tools
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
8240953084206391739-key.pem:  3243 bytes
8240953084206391739.pem:      99071 bytes

Build Volumes

As of OCP 4.9 you can now make use of Build Volumes to inject Secrets and ConfigMaps directly into a build without needing to add anything to your Dockerfile, and ensure the files don't get captured in the output image.

Add the entitlement secret to your build as a volume.

apiVersion: build.openshift.io/v1
kind: BuildConfig
metadata:
  name: myapp
spec:
  output:
    to:
      kind: ImageStreamTag
      name: myapp:latest
  source:
    git:
      ref: main
      uri: https://github.com/myorg/myapp.git
    type: Git
  strategy:
    type: Docker
    dockerStrategy:
      volumes:
      - name: etc-pki-entitlement
        mounts:
        - destinationPath: /etc/pki/entitlement
        source:
          type: Secret
          secret:
            secretName: platform-services-controlled-etc-pki-entitlement

Dockerfile

When you perform an Entitlement Build using RHEL 7, you must have the following instructions in your Dockerfile before you run any yum commands:

RUN rm /etc/rhsm-host

The command above is not needed for RHEL 8 or 9 based images.

Then use yum or dnf to install your packages. Here's a sample of how to do that cleanly.

# Install some packages and clean up
RUN INSTALL_PKGS="space separated list of packages" && \
    dnf repolist --disablerepo='*' && \
    dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \
    rpm -V $INSTALL_PKGS && \
    dnf -y clean all --enablerepo='*'

Related links: