Building a RHEL8-based container image on Azure

RHEL on Azure IaaS does not talk to the Red Hat Network servers; it points at RHUI (Red Hat Update Infrastructure), which lives inside Azure's data centers (although it sits behind a CDN and Traffic Manager).

$ sudo head -5 /etc/yum.repos.d/rh-cloud.repo 
[rhui-rhel-8-for-x86_64-baseos-rhui-rpms]
name=Red Hat Enterprise Linux 8 for x86_64 - BaseOS from RHUI (RPMs)
baseurl=https://rhui-1.microsoft.com/pulp/repos/content/dist/rhel8/rhui/$releasever/x86_64/baseos/os
        https://rhui-2.microsoft.com/pulp/repos/content/dist/rhel8/rhui/$releasever/x86_64/baseos/os
        https://rhui-3.microsoft.com/pulp/repos/content/dist/rhel8/rhui/$releasever/x86_64/baseos/os

If you try to build a Dockerfile like the one below in this environment, the image is a UBI image, so it goes to repositories such as "Red Hat Universal Base Image 8 (RPMs) - BaseOS" and complains that no package named dhcp-server can be found. Right: the repository I want it to use is "Red Hat Enterprise Linux 8 for x86_64 - BaseOS from RHUI (RPMs)".

FROM registry.access.redhat.com/ubi8
USER root

# Update image
RUN dnf update --disableplugin=subscription-manager -y
RUN dnf -y --disableplugin=subscription-manager install dhcp-server && rm -rf /var/cache/dnf

# Expose the DHCP server port (DHCP uses UDP; without /udp, EXPOSE means TCP)
EXPOSE 67/udp

# Start the service in the foreground (-f) so the container stays up, logging to stderr (-d)
ENTRYPOINT ["/usr/sbin/dhcpd", "-f", "-d"]

So I tried mounting the host's /etc/yum.repos.d/ and /etc/pki/ into the container. Now it does try to reach RHUI, but the connection fails. Huh? I am exposing the PKI directory, yet TLS does not work? Then I noticed that SELinux had

type=AVC msg=audit(1561380527.507:2249): avc:  denied  { read } for  pid=72061 comm="yum" name="content.crt" dev="dm-5" ino=858 scontext=system_u:system_r:container_t:s0:c507,c992 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0

Of course it did, lol.

For now, I work around it by switching to Permissive just while the build runs.

# setenforce 0
# docker build -t rioriost/dhcp-server -v /etc/yum.repos.d/:/etc/yum.repos.d/ -v /etc/pki/:/etc/pki/ .
# setenforce 1

RHEL 8 on Azure IaaS does not connect to Red Hat Network; it uses RHUI (Red Hat Update Infrastructure) hosted in Azure data centers. In practice RHUI is not a single server: it sits behind a CDN, Traffic Manager, and so on.

$ sudo head -5 /etc/yum.repos.d/rh-cloud.repo 
[rhui-rhel-8-for-x86_64-baseos-rhui-rpms]
name=Red Hat Enterprise Linux 8 for x86_64 - BaseOS from RHUI (RPMs)
baseurl=https://rhui-1.microsoft.com/pulp/repos/content/dist/rhel8/rhui/$releasever/x86_64/baseos/os
        https://rhui-2.microsoft.com/pulp/repos/content/dist/rhel8/rhui/$releasever/x86_64/baseos/os
        https://rhui-3.microsoft.com/pulp/repos/content/dist/rhel8/rhui/$releasever/x86_64/baseos/os

If you try to build a container with the following Dockerfile on RHEL 8 on Azure, you get the error message 'No match found'. Yum in a UBI-based container can't find the dhcp-server package because it searches "Red Hat Universal Base Image 8 (RPMs) - BaseOS". I want Yum to search "Red Hat Enterprise Linux 8 for x86_64 - BaseOS from RHUI (RPMs)" instead.

FROM registry.access.redhat.com/ubi8
USER root

# Update image
RUN dnf update --disableplugin=subscription-manager -y
RUN dnf -y --disableplugin=subscription-manager install dhcp-server && rm -rf /var/cache/dnf

# Expose the DHCP server port (DHCP uses UDP; without /udp, EXPOSE means TCP)
EXPOSE 67/udp

# Start the service in the foreground (-f) so the container stays up, logging to stderr (-d)
ENTRYPOINT ["/usr/sbin/dhcpd", "-f", "-d"]

I see. So I try mounting the host's /etc/yum.repos.d/ and /etc/pki/ into the container, but Yum in the container tries to connect to RHUI and fails. I'm sure /etc/pki/ is mounted in the container, but SELinux denies Yum read access to the client certificate 😉

type=AVC msg=audit(1561380527.507:2249): avc:  denied  { read } for  pid=72061 comm="yum" name="content.crt" dev="dm-5" ino=858 scontext=system_u:system_r:container_t:s0:c507,c992 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0

The workaround is to switch SELinux to Permissive while the container is being built.

# setenforce 0
# docker build -t rioriost/dhcp-server -v /etc/yum.repos.d/:/etc/yum.repos.d/ -v /etc/pki/:/etc/pki/ .
# setenforce 1
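The AVC record quoted above says exactly why the mount does not help: the build runs as container_t, and the bind-mounted /etc/pki keeps its host label cert_t, which container_t may not read. Flipping the whole host to Permissive for the duration of the build lifts every SELinux restriction on the machine, and the setenforce 0 / setenforce 1 pair above leaves it Permissive if the build fails between the two commands. The script below is an added example, not code from the original post: it parses AVC records like the one above into a one-line summary, rebuilds the image with SELinux labelling disabled for that one build container only, and wraps the post's own fallback in a trap that restores the previous mode. It assumes the build tool is podman/buildah (on RHEL 8 the docker command is often the podman-docker alias, and plain Docker has no -v on build), and that getenforce, setenforce and ausearch are present on the host; the function names are mine.

```sh
#!/bin/sh
# Added example, not from the original post: triage the AVC denial quoted above
# and rebuild the image without putting the whole host into Permissive mode.
# Assumptions: the build tool is podman/buildah (on RHEL 8 "docker" is often the
# podman-docker alias; plain Docker has no -v on build), and ausearch/getenforce/
# setenforce exist on the host. Function names are mine.

# Pull one key=value field (scontext, tcontext, tclass, comm, ...) out of an AVC record.
avc_field() {
    # $1 = AVC line, $2 = field name
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# The permission(s) inside the braces, e.g. "read" from "{ read }".
avc_permission() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# Type component (third field) of an SELinux context such as system_u:object_r:cert_t:s0.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# "yes" when the record is the case from the post: a container_t process denied
# access to a cert_t file, i.e. the bind-mounted /etc/pki keeps its host label.
is_container_cert_denial() {
    src=$(context_type "$(avc_field "$1" scontext)")
    tgt=$(context_type "$(avc_field "$1" tcontext)")
    if [ "$src" = "container_t" ] && [ "$tgt" = "cert_t" ] && [ "$(avc_field "$1" tclass)" = "file" ]; then
        echo yes
    else
        echo no
    fi
}

# One-line summary of a denial, for scanning the audit log after a build.
explain_denial() {
    printf '%s in %s (%s) denied %s on %s (%s)\n' \
        "$(avc_field "$1" comm)" "$(context_type "$(avc_field "$1" scontext)")" \
        "$(avc_field "$1" pid)" "$(avc_permission "$1")" \
        "$(avc_field "$1" name)" "$(context_type "$(avc_field "$1" tcontext)")"
}

# Preferred: disable SELinux labelling for this one build container only.
# Do not use :z/:Z on /etc/pki or /etc/yum.repos.d; that would relabel the host's files.
build_image() {
    podman build --security-opt label=disable \
        -v /etc/yum.repos.d/:/etc/yum.repos.d/:ro \
        -v /etc/pki/:/etc/pki/:ro \
        -t rioriost/dhcp-server .
}

# Fallback: the post's setenforce 0/1 pair, but the previous mode is restored by a
# trap even if the build fails or is interrupted, so the host is never left Permissive.
build_with_temporary_permissive() {
    prev=$(getenforce)   # "Enforcing" or "Permissive"; setenforce accepts both
    trap 'setenforce "$prev"' EXIT INT TERM
    setenforce 0
    docker build -t rioriost/dhcp-server \
        -v /etc/yum.repos.d/:/etc/yum.repos.d/ -v /etc/pki/:/etc/pki/ .
    status=$?
    setenforce "$prev"
    return "$status"
}

# Summarise denials raised during the last few minutes (e.g. right after a build).
report_recent_denials() {
    ausearch -m avc -ts recent 2>/dev/null | grep '^type=AVC' | while IFS= read -r line; do
        explain_denial "$line"
    done
}

# Constructed samples: the record quoted in the post, and an unrelated denial for contrast.
SAMPLE_AVC='type=AVC msg=audit(1561380527.507:2249): avc:  denied  { read } for  pid=72061 comm="yum" name="content.crt" dev="dm-5" ino=858 scontext=system_u:system_r:container_t:s0:c507,c992 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0'
OTHER_AVC='type=AVC msg=audit(1561380600.000:2300): avc:  denied  { write } for  pid=72100 comm="httpd" name="index.html" dev="dm-5" ino=900 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0'
```

Source the file and call build_image (or build_with_temporary_permissive when the tool lacks --security-opt), then report_recent_denials to confirm nothing else was silently blocked. label=disable runs that single build container unconfined, which is still far narrower than Permissive on the whole host; the read-only mounts mean the build cannot modify the host's repo files or certificates either way.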