Enabling repositories inside a Docker-formatted container image and utilizing Red Hat subscriptions or entitlements to access repositories

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux 7
  • Red Hat OpenShift Enterprise 3.x+
  • Red Hat Enterprise Linux Atomic Host
  • Docker-formatted container images being built/run

Issue

  • Running docker container runtime on a RHEL 7 host and need to enable or disable specific repositories inside the container
  • When using a Docker-formatted container image, how do I get software from Red Hat Network?
  • How can this be accomplished in a Dockerfile?
  • How are RHEL 6 repositories enabled inside a container running on RHEL 7?
  • I am seeing issues related to KB 203603
  • How to enable the rhel-7-server-thirdparty-oracle-java-rpms repository inside the docker container?

https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/sjis/os/repodata/repomd.xml: [Errno 14] HTTPS Error 404 - Not Found

Resolution

The hosts running the container runtime should be subscribed to supported repositories by using Red Hat Subscription Manager. Containers on the host will have access to the same subscriptions (or "entitlements") that the host has. This means that the Docker-formatted container images that are built on the host can enable the repositories provided by the host's entitlements. Another way of thinking of this is "for a container to have access to a repository, the entitlements of the container's host must provide access to the desired repository".

[root@docker_host ~]# subscription-manager repos --list

  • This command shows a list of repositories that can be enabled in containers on the host system from which the command is run. Any repository enabled by the host can be seen by the container automatically. Repositories do not explicitly need to be enabled on the host for containers to use them; the host system need only provide entitlements that have access to the repositories.
    • Note: This command is run on the docker host system.

Permanently Enabling/Disabling repositories within a running container

  • Entitlement information from the host is injected into the container when the first yum command in the container is run.

    • Thus, containers are not entitled, but they can access any repository the host can access based on those entitlements, even if the repositories are disabled on the host
    • NOTE: Until the first yum command is run, /etc/yum.repos.d/redhat.repo contains no repositories, so yum-config-manager will not enable/disable anything.
  • Populate /etc/yum.repos.d/redhat.repo by running a first yum command:

# yum repolist --disablerepo=*
  • Use yum-config-manager to enable or disable specific repositories:
# yum-config-manager --disable rhel-7-server-eus-rpms

or

# yum-config-manager --enable rhel-7-server-eus-rpms
  • If your entitlement provides access to the HTB, RS, HA, RT or EUS repositories and you do not wish for those to be active in the container, you can use the following:
# yum-config-manager --disable \*-htb-* \*-rt-* \*-eus* \*-ha-*

Permanently Enabling/Disabling repositories from a Dockerfile

  • Here is an example that would disable every repo but rhel-7-server-rpms:
RUN yum repolist --disablerepo=* && \
    yum-config-manager --disable \* > /dev/null && \
    yum-config-manager --enable rhel-7-server-rpms > /dev/null

From this point on in the Dockerfile, the standard yum command can be used to install packages from the rhel-7-server-rpms repository.
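
As an added example (not part of the original Red Hat solution), the shell functions below audit a populated /etc/yum.repos.d/redhat.repo and fail unless exactly the intended repositories are enabled, so the check can run as a later RUN step or in CI. The function names and the sample file contents are constructed for illustration; any value other than an explicit 0 is treated as enabled, so a missing key fails the check.

```shell
#!/bin/sh
# Print the ID of every section not explicitly disabled, one per line.
# Anything other than "enabled = 0" counts as enabled, so a section with
# a missing or unexpected value fails the audit instead of passing silently.
enabled_repos() {
    awk '
        function emit() { if (id != "" && en != "0") print id }
        /^[ \t]*\[/ {                      # section header: [repo-id]
            emit()
            id = $0; sub(/^[ \t]*\[/, "", id); sub(/\].*$/, "", id)
            en = ""
            next
        }
        /^[ \t]*enabled[ \t]*=/ {          # "enabled = 1" or "enabled=1"
            en = $0
            sub(/^[^=]*=[ \t]*/, "", en); sub(/[ \t\r]+$/, "", en)
        }
        END { emit() }
    ' "$1"
}

# Succeed only if the enabled set equals the allowlist given after the file.
only_allowed_enabled() {
    repo_file=$1; shift
    want=$(printf '%s\n' "$@" | sort)
    have=$(enabled_repos "$repo_file" | sort)
    [ "$want" = "$have" ]
}

# Constructed sample of a populated redhat.repo (not real entitlement data).
write_sample_repo() {
    cat > "$1" <<'EOF'
[rhel-7-server-rpms]
name = Constructed sample entry
enabled = 1

[rhel-7-server-eus-rpms]
enabled = 0

[rhel-7-server-htb-rpms]
enabled = 1
EOF
}

# Usage: sh audit.sh /etc/yum.repos.d/redhat.repo rhel-7-server-rpms
if [ "$#" -ge 2 ]; then
    only_allowed_enabled "$@" || { echo "unexpected repos enabled" >&2; exit 1; }
fi
```

On the constructed sample the audit fails for the allowlist rhel-7-server-rpms, because the HTB repository is still enabled.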

RHEL6 repository access from a RHEL7 host

RHEL6 based containers can access the RHEL 6 repositories via yum-config-manager even though the repositories are not visible on the host.

NOTE: As above, the /etc/yum.repos.d/redhat.repo will be empty until the first yum command is run.

NOTE: In order for a container to be able to access repositories, the host system must be subscribed either directly to RHSM or to a Satellite 6 system. Satellite 5 and RHN Classic do not provide repository access inside a container and are thus unsupported for use inside the container.

Root Cause

This happens because Red Hat's version of the Docker containerized environment has been modified slightly to provide entitlement information from the host to the container, so that RHSM tools can interact with RHN. This information is picked up when the first yum command in the container is run.

It is important to note that containers will always have access to the entitlement/subscription information that the host system has. So regardless of whether a repository is enabled on the host, if the host is using the subscription, any containers on the host will be able to enable/disable any repositories offered by the host entitlements.

  • Note: Repositories do not necessarily need to be enabled on the host for a container to use them.
  • Note: Currently, the Docker containerized environment supports this functionality only via Red Hat Subscription Manager (RHSM). It does not support the use of Red Hat Update Infrastructure (RHUI).

Diagnostic Steps

  • Make sure you are using the Docker package from Red Hat repositories.
    Using Docker Community Edition (docker-ce) will produce the error:
This system is not registered with an entitlement server. You can use subscription-manager to register

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.