RH403 - ch09s03

Bookmark this page

Build an Image for Provisioning

Objectives

Configure a content host as an Image Builder server, and build images for host provisioning.

Create System Images by Using Image Builder

Image Builder is a utility to create consistent and supportable system images based on RHEL. Image Builder automatically configures the image with the required packages for each output type. With this feature, you can create images that are tailored to your environment, whether it is a cloud platform or a bare-metal environment. As a result, users can build predictable output images for the target environment.

One advantage of creating custom images is that you can limit the packages in the installed OS. You can also create users, services, SSH keys, and firewall rules from the image. This configuration reduces the image size and avoids the need for post-installation processes.

You use Image Builder software via the command-line interface or the graphical user interface in the RHEL web console. The following components and concepts are important to understand the OS image building process:

osbuild-composer: As of Red Hat Enterprise Linux 8.3, the osbuild-composer system service is the preferred tool to create OS images. The osbuild-composer service provides the REST APIs for the OS image-building process. This service uses a socket that acts as a back end for the composer-cli and the cockpit-composer tools.
cockpit-composer: The cockpit-composer tools is a GUI tool, and is also called Image Builder in the Cockpit console.
composer-cli: The composer-cli tool is a CLI tool to create OS images by using the osbuild-composer service. This tool is the preferred method to create OS images.
Blueprint: A blueprint is a plain text definition in TOML format of a custom system image. TOML is key-value pair format to define configuration files with minimal syntax. A blueprint can contain a list of packages, user definitions, and other system configuration. You can assign a version to a blueprint to keep track of the changes.
Compose: A compose is an individual image build of a particular version of a blueprint. The compose term refers to the whole components that surround the image build, such as logs, inputs, metadata, and the process itself.

For supported cloud providers, you can upload images that use the proper image format. The following table shows a list of supported image formats that you can define as output with Image Builder.

Table 9.4. Image Builder Formats

Format	`composer-cli` type	Image extension
QEMU QCOW2 Image	qcow2	.qcow2
Amazon Machine Image Disk	ami	.raw
Azure Disk Image	vhd	.vhd
VMware Virtual Machine Disk	vmdk	.vmdk
OpenStack	openstack	.qcow2
RHEL for Edge Commit	edge-commit	.tar
RHEL for Edge Container	edge-container	.tar
RHEL for Edge Raw	edge-raw-image	.tar
TAR Archive	tar	.tar
RHEL for Edge Installer	edge-installer	.iso
RHEL for Edge Simplified Installer	edge-simplified-installer	.iso
ISO image	image-installer	.iso

Many of the preceding image extension might be the same for different formats, but the default installed packages and other configuration might differ.

For example, the edge-commit and edge-container type have the .tar image extension, but the edge-commit type considers the installation of the NetworkManager package and the edge-container type does not.

Image Builder Installation

To install Image Builder, the system must meet the following requirements:

2 CPU cores
4 GB of RAM
20 GB of free space in the /var file system
Administrative account

You can use Image Builder in a system without internet connectivity. For this configuration to work, you must override the default Red Hat CDN repositories with the repositories that the Satellite Server provided.

To run Image Builder, install the following packages:

osbuild-composer: Contains the Image Builder software.
composer-cli: Enables the CLI tool to create images.
cockpit-composer: Enables the graphical interface to create images.
bash-completion: Enables the CLI option completion feature.

[root@host ~]# dnf install -y osbuild-composer composer-cli \
cockpit-composer bash-completion
...output omitted...
Complete!

Note

If you install Image Builder in an earlier system than RHEL 8.3, then install lorax-composer instead of the osbuild-composer package. The lorax-composer package is considered deprecated and receives only selected fixes for the reminder of the RHEL lifecycle.

Then, enable the osbuild-composer service and the command completion feature for the CLI. You can verify the Image Builder installation by listing the available image formats.

[root@host ~]# systemctl enable --now osbuild-composer.socket
Created symlink /etc/systemd/system/sockets.target.wants/osbuild-composer.socket → /usr/lib/systemd/system/osbuild-composer.socket.
[root@host ~]# source /etc/bash_completion.d/composer-cli
[root@host ~]# composer-cli compose types
...output omitted...

Image Builder Repository Configuration

The osbuild-composer service does not use the configured system repositories at the /etc/dnf.repos.d directory to create the image. Instead, the service uses JSON format repositories at the /usr/share/osbuild-composer/repositories/ directory. This default directory contains the definition of the baseos and appstream repositories for the aarch64, ppc64le, s390x, and x86_64 architectures. The JSON format repositories use the same parameter names as the DNF repositories, so you can add or update the parameters as needed.

The default repositories are configured to download the packages from Red Hat CDN. If you are running Image Builder in a system that uses Satellite Server, then you might want to override the repositories with the ones that Satellite provides. You can override the repositories by defining the repositories in the /etc/osbuild-composer/repositories directory.

For example, to use the RHEL 8 x86_64 repositories that are configured in a Satellite environment with the https://satellite.example.com endpoint, you can copy the rhel-8.json file from the default directory to the override directory.

First, create the repository override directory, if it does not exist. Then, copy and edit the rhel-8.json file to contain the repositories in the Satellite endpoint. Ensure that the repository definitions have the required information to communicate with Satellite, such as the SSL key and certificate. You can review the content of the /etc/dnf.repos.d file, or use DNF commands to complete the required information.

[root@host ~]# mkdir -p /etc/osbuild-composer/repositories
[root@host ~]# cp /usr/share/osbuild-composer/repositories/rhel-8.json \
/etc/osbuild-composer/repositories/
[root@host ~]# cat /etc/osbuild-composer/repositories/rhel-8.json
{
    "x86_64": [
        {
            "name": "baseos",
            "baseurl": "https://satellite.example.com/pulp/content/Organization/Environment/Base/content/dist/rhel8/8/x86_64/baseos/os",
            "gpgkey": "
            ...output omitted...
            ",
            "rhsm": true,
            "sslcacert": "/path/to/ca-cert.pem",
            "sslclientcert": "/path/to/client-cert.pem",
            "sslclientkey": "/path/to/client-key.pem",
            "sslverify": 1,
            "check_gpg": true
        },
        {
            "name": "appstream",
            "baseurl": "https://satellite.example.com/pulp/content/Organization/Environment/Base/content/dist/rhel8/8/x86_64/baseos/os",
            "gpgkey": "
            ...output omitted...
            ",
            "rhsm": true,
            "sslcacert": "/path/to/ca-cert.pem",
            "sslclientcert": "/path/to/client-cert.pem",
            "sslclientkey": "/path/to/client-key.pem",
            "check_gpg": true
        }
    ]
}

Important

The override repository files do not expand environment variables. Use the same value for the baseurl parameter as the repository in the /etc/dnf.repos.d/ directory, but replace any environment variable that the URL might have. For example, if the repository definition has the $releasever variable in the URL, then replace it with the corresponding system release version.

Create System Images by Using Image Builder

Red Hat recommends to use the composer-cli tool over the GUI when creating system images with the Image Builder software. Some image customization is not supported in the GUI, and you can view logs and journalctl output during the image compose process.

Create an Image from the CLI

You can create a blueprint by using the definition of an image in a plain text file in TOML syntax. The following example shows commonly used entries of a blueprint.

name = "BLUEPRINT-EXAMPLE"
description = "LONG FORM DESCRIPTION TEXT"
version = "0.0.1"

[[packages]]
name = "package-name"
version = "package-version"

[[groups]]
name = "group-name"

[customizations]
hostname = "HOSTNAME"

[customizations.kernel]
append = "KERNEL-OPTION"

[[customizations.user]]
name = "USER-NAME"
description = "USER-DESCRIPTION"
password = "PASSWORD-HASH"
key = "PUBLIC-SSH-KEY"
home = "/home/USER-NAME/"
shell = "/usr/bin/bash"
groups = ["users", "wheel"]
uid = NUMBER
gid = NUMBER

[customizations.services]
enabled = ["SERVICE1"]
disabled = ["SERVICE2"]

The version entry defines the version of the blueprint. The blueprint version control uses the Semantic Versioning scheme, so you must follow the MAJOR.MINOR.PATCH format to define your blueprint version.

The name, description, and version entries can be defined only once in a blueprint. Other entries, such as packages and customizations, can be defined as many times as required. You can define the exact version of a package (1.2.3), define the major version but not the minor version (1.*), or define the latest version available (*).

Some customizations might have prerequisites, such as the gid entry in the customizations.user section. This entry requires the existence of the group in the groups section of the blueprint.

Note

For more details about Image Builder customization, see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/composing_a_customized_rhel_system_image/index#image-customizations_creating-system-images-with-composer-command-line-interface

Use the composer-cli blueprints push command to import the blueprint definition to the osbuild-composer service. You can list the imported blueprints by using the composer-cli blueprints list command, and view them with the composer-cli blueprints show command.

[root@host ~]# composer-cli blueprints push blueprint-example.toml
[root@host ~]# composer-cli blueprints list
BLUEPRINT-EXAMPLE
[root@host ~]# composer-cli blueprints show webserver
name = "BLUEPRINT-EXAMPLE"
description = "LONG FORM DESCRIPTION TEXT"
version = "0.0.1"

[[packages]]
name = "package-name"
version = "package-version"
...output omitted...

You can delete an existing blueprint by using the composer-cli blueprints delete command. However, you might want to edit the text file and push a new blueprint version. It is recommended to update the blueprint version manually. If you do not update it, then the osbuild-composer service updates it automatically by increasing the patch version.

Use the composer-cli blueprints depsolve command to review the packages that are installed as dependencies, and also to test connectivity to the configured repositories.

[root@host ~]# composer-cli blueprints depsolve BLUEPRINT-EXAMPLE
blueprint: BLUEPRINT-EXAMPLE v0.0.1
    setup-2.13.7-6.el9.noarch
    libeconf-0.4.1-2.el9.x86_64
    ...output omitted...

If the repositories are not correctly configured, then you might see an error that the osbuild-composer service cannot download the repository metadata. When this error occurs, correct the repository file, remove the cache directory, and restart the service.

[root@host ~]# composer-cli blueprints depsolve BLUEPRINT-EXAMPLE
ERROR: BlueprintsError: BLUEPRINT-EXAMPLE: DNF error occured: RepoError: Error occurred when setting up repo: Failed to download metadata for repo '0': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
blueprint: BLUEPRINT-EXAMPLE v1.0.0
[root@host ~]# vi blueprint-example.toml
[root@host ~]# rm -rf /var/cache/osbuild-composer/
[root@host ~]# systemctl restart osbuild-composer

Use the composer-cli compose start BLUEPRINT FORMAT-TYPE command to create an image from a blueprint. The composer-cli compose start command starts the compose process in the background. You can view the process's progress by running the composer-cli compose status command. This command shows a list of the compose processes' status in the system.

[root@host ~]# composer-cli compose start BLUEPRINT-EXAMPLE tar
[root@host ~]# composer-cli compose status
64c8e9fb-... RUNNING  Wed Aug 10 18:13:15 2022 BLUEPRINT-EXAMPLE 0.0.1 tar
[root@host ~]# composer-cli compose status
64c8e9fb-... FINISHED Wed Aug 10 18:19:03 2022 BLUEPRINT-EXAMPLE 0.0.1 tar

Use the following commands to monitor the image compose process and to view logs.

[root@host ~]# journalctl | grep osbuild 
[root@host ~]# composer-cli compose info 64c8e9fb-fa1d-4b67-a193-c61c8614742f 
[root@host ~]# composer-cli compose logs 64c8e9fb-fa1d-4b67-a193-c61c8614742f 
[root@host ~]# less /var/lib/osbuild-composer/jobs/64c8e9fb-....json

	Shows the system journal for entries of the `osbuild-composer` service.
	Shows information about the blueprint packages and dependencies.
	Creates a `tar` archive with logs of the image compose process.
	Shows the compose manifest.

After the compose process finishes, download the image.

[root@host ~]# composer-cli compose image 64c8e9fb-fa1d-4b67-a193-c61c8614742f
64c8e9fb-fa1d-4b67-a193-c61c8614742f-root.tar.xz
[root@host ~]# ls -lh
total 388460
-rw-------. 1 root root 380M Aug 10 18:21 64c8e9fb-...-root.tar.xz
-rw-r--r--. 1 root root  277 Aug 10 17:43 webserver-blueprint.toml

Provision a Host that Uses a Custom Image

You can use the custom image that Image Builder created to provision hosts in Satellite Server. To provision a host, you must place the image in the /var/www/html/pub directory of the Satellite Server or Capsule Server. Ensure that the image has the correct SELinux and is reachable by the target host. You must use a tar-formatted image for host provisioning in Satellite.

[root@host ~]# restorecon -Rv /var/www/html/pub/
Relabeled /var/www/html/pub/64c8e9fb-fa1d-4b67-a193-c61c8614742f-root.tar.xz from unconfined_u:object_r:admin_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
[root@host ~]# chmod 644 \
/var/www/html/pub/64c8e9fb-fa1d-4b67-a193-c61c8614742f-root.tar.xz
[root@host ~]# ls -lh \
/var/www/html/pub/64c8e9fb-fa1d-4b67-a193-c61c8614742f-root.tar.xz
-rw-r--r--. 1 root root 380M Aug 17 29:58 /var/www/html/pub/d64c8e9fb-...-root.tar.xz

You can use a blueprint to create an image, and associate the image to a Satellite host group. This strategy helps you to create a standard environment with packages, services, and users that are configured in hosts of a host group. To associate the image with a host group, set the kickstart_liveimg parameter and add the image path in the Paramters tab of Configure → Host Groups. Click Submit.

Figure 9.4: Associate a custom image with a host group

When you create a host and select the host group, notice that the kickstart_liveimg parameter is automatically associated to the host group.

Figure 9.5: Image parameter associated to the host group

References

For more information, see the Using a Red Hat Image Builder Image for Provisioning chapter in the Red Hat Satellite Provisioning Hosts Guide at https://access.redhat.com/documentation/en-us/red_hat_satellite/6.11/html-single/provisioning_hosts/index#Using_an_Image_Builder_Image_for_Provisioning_provisioning

For more information, see the Red Hat Composing a Customized RHEL System Image Guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/composing_a_customized_rhel_system_image/index

Discuss Red Hat Satellite 6 Administration

Go to community

Welcome to the Red Hat Satellite 6 Administration (RH403) group in the Red Hat Learning Community!

Syed

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Satellite 6 Administration! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH403.Read more about Red Hat Satellite 6 Administration here.

Revision: rh403-6.11-3ad886e