Build with RHEL base images
If you wish to use a Red Hat Enterprise Linux (RHEL) based image to build upon, you will need to take some extra steps to get access to the RHEL Subscription included in the OpenShift Platform.
Popular choices for RHEL base images are ubi8 and openshift4/ose-cli.
Reminder: you can pull these via Artifactory as well via
To use subscription content via dnf, you first need to add the RHEL Entitlement certificate into your build config. The platform now has an operator that ensures each tools namespace has a secret named platform-services-controlled-etc-pki-entitlement that is kept up to date as this cert changes (it changes often).
$ oc -n license-tools describe secret platform-services-controlled-etc-pki-entitlement
Name:         platform-services-controlled-etc-pki-entitlement
Namespace:    license-tools
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
8240953084206391739-key.pem:  3243 bytes
8240953084206391739.pem:      99071 bytes
As of OCP 4.9 you can now make use of Build Volumes to inject Secrets and ConfigMaps directly into a build without needing to add anything to your Dockerfile, and ensure the files don't get captured in the output image.
Add the entitlement secret to your build as a volume.
apiVersion: build.openshift.io/v1
kind: BuildConfig
metadata:
  name: myapp
spec:
  output:
    to:
      kind: ImageStreamTag
      name: myapp:latest
  source:
    git:
      ref: main
      uri: https://github.com/myorg/myapp.git
    type: Git
  strategy:
    type: Docker
    dockerStrategy:
      volumes:
        - name: etc-pki-entitlement
          mounts:
            - destinationPath: /etc/pki/entitlement
          source:
            type: Secret
            secret:
              secretName: platform-services-controlled-etc-pki-entitlement
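To confirm that a BuildConfig injects the entitlement certificate as a build volume, the following added example (not part of the platform's own documentation or tooling) audits BuildConfig JSON in the shape `oc get bc myapp -o json` returns. The function name and both sample objects are constructed for illustration; the check on `spec.source.secrets` goes beyond the page to flag the input-secret method, which places the files in the build context.

```python
import json

# Secret name and mount path are the ones shown on this page.
ENTITLEMENT_SECRET = "platform-services-controlled-etc-pki-entitlement"
ENTITLEMENT_PATH = "/etc/pki/entitlement"

def audit_buildconfig(bc):
    """Return a list of findings about how a BuildConfig injects the entitlement cert."""
    findings = []
    spec = bc.get("spec", {})
    # Input secrets land in the build context; a Dockerfile COPY or ADD would
    # then write the entitlement key into an image layer.
    for item in spec.get("source", {}).get("secrets") or []:
        if (item.get("secret") or {}).get("name") == ENTITLEMENT_SECRET:
            findings.append("entitlement secret is a source input secret; use a build volume")
    volumes = (spec.get("strategy", {}).get("dockerStrategy") or {}).get("volumes") or []
    mounted = False
    for vol in volumes:
        src = vol.get("source") or {}
        if src.get("type") != "Secret":
            continue
        if (src.get("secret") or {}).get("secretName") != ENTITLEMENT_SECRET:
            continue
        paths = [m.get("destinationPath") for m in vol.get("mounts") or []]
        if ENTITLEMENT_PATH in paths:
            mounted = True
        else:
            findings.append(f"volume {vol.get('name')!r} mounts the secret at {paths}, not {ENTITLEMENT_PATH}")
    if not mounted:
        findings.append(f"no build volume mounts the entitlement secret at {ENTITLEMENT_PATH}")
    return findings

# Constructed samples, shaped like `oc get bc myapp -o json` output (trimmed).
VOLUME_BC = json.loads("""{"spec": {"strategy": {"type": "Docker", "dockerStrategy": {"volumes": [
  {"name": "etc-pki-entitlement",
   "mounts": [{"destinationPath": "/etc/pki/entitlement"}],
   "source": {"type": "Secret", "secret": {
     "secretName": "platform-services-controlled-etc-pki-entitlement"}}}]}}}}""")
INPUT_SECRET_BC = json.loads("""{"spec": {"source": {"secrets": [
  {"secret": {"name": "platform-services-controlled-etc-pki-entitlement"},
   "destinationDir": "etc-pki-entitlement"}]},
  "strategy": {"type": "Docker", "dockerStrategy": {}}}}""")

if __name__ == "__main__":
    for label, bc in (("build volume", VOLUME_BC), ("input secret", INPUT_SECRET_BC)):
        print(label, "->", audit_buildconfig(bc) or "ok")
```

An empty list means the BuildConfig matches the build-volume layout shown above.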
When you perform an Entitlement Build using RHEL 7, you must have the following instruction in your Dockerfile before you run any yum commands:
RUN rm /etc/rhsm-host
The command above is not needed for RHEL 8 or 9 based images.
Use dnf to install your packages. Here's a sample of how to do that cleanly.
# Install some packages and clean up
RUN INSTALL_PKGS="space separated list of packages" && \
    dnf repolist --disablerepo='*' && \
    dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \
    rpm -V $INSTALL_PKGS && \
    dnf -y clean all --enablerepo='*'