RHEL 8 on Azure IaaS does not talk to Red Hat Network; it pulls its updates from RHUI (Red Hat Update Infrastructure) hosted in Azure datacenters. In practice RHUI is not a single server either: the rhui-N.microsoft.com names in the repo file front a CDN, Traffic Manager, and so on.
$ sudo head -5 /etc/yum.repos.d/rh-cloud.repo
[rhui-rhel-8-for-x86_64-baseos-rhui-rpms]
name=Red Hat Enterprise Linux 8 for x86_64 - BaseOS from RHUI (RPMs)
baseurl=https://rhui-1.microsoft.com/pulp/repos/content/dist/rhel8/rhui/$releasever/x86_64/baseos/os
https://rhui-2.microsoft.com/pulp/repos/content/dist/rhel8/rhui/$releasever/x86_64/baseos/os
https://rhui-3.microsoft.com/pulp/repos/content/dist/rhel8/rhui/$releasever/x86_64/baseos/os
If you build the following Dockerfile on that RHEL 8 host, dnf fails with "No match found". The UBI image ships its own repo definitions, so dnf searches "Red Hat Universal Base Image 8 (RPMs) - BaseOS" and its siblings, and no dhcp-server package exists there. What I want is for dnf to use the host's RHUI repositories instead, such as "Red Hat Enterprise Linux 8 for x86_64 - BaseOS from RHUI (RPMs)" shown above (dhcp-server itself comes from the matching AppStream repository on RHEL 8, which rh-cloud.repo defines alongside BaseOS).
FROM registry.access.redhat.com/ubi8
USER root
# Update image (the subscription-manager plugin is disabled because the build container is not registered)
RUN dnf update --disableplugin=subscription-manager -y
RUN dnf -y --disableplugin=subscription-manager install dhcp-server && rm -rf /var/cache/dnf
# Expose the DHCP server port (DHCP is UDP, so say so; EXPOSE defaults to TCP)
EXPOSE 67/udp
# Start the service in the foreground (-f), otherwise dhcpd daemonizes and the container exits
ENTRYPOINT ["/usr/sbin/dhcpd", "-f"]
So I try mounting the host's /etc/yum.repos.d/ and /etc/pki/ into the build container. Now dnf does try to reach RHUI, but the TLS connection fails. I am sure /etc/pki/ is mounted in the container; the problem is that SELinux denies the package manager read access to the RHUI client certificate 😉
type=AVC msg=audit(1561380527.507:2249): avc: denied { read } for pid=72061 comm="yum" name="content.crt" dev="dm-5" ino=858 scontext=system_u:system_r:container_t:s0:c507,c992 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
The workaround is to switch SELinux to Permissive just for the duration of the build. Two things to keep in mind. First, setenforce 0 drops enforcement for every process on the host, not only for the build, so keep the window short and switch back immediately. Second, a -v bind mount on build is accepted by podman build (and buildah bud), not by upstream Docker's docker build; on RHEL 8 the docker command is normally the podman-docker wrapper around podman. The upside of a build-time mount over COPY is that the RHUI client certificate and key never land in an image layer.
# setenforce 0
# docker build -t rioriost/dhcp-server -v /etc/yum.repos.d/:/etc/yum.repos.d/ -v /etc/pki/:/etc/pki/ .
# setenforce 1
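To triage an AVC denial like the one above before reaching for setenforce 0 on the whole host, here is an added shell example (not part of the original post and not Red Hat or Microsoft tooling) that parses an audit line in this format, pulls out the subject and object types and the denied permissions, and classifies it as a container label-separation denial on a host file. The AVC line it uses is the one quoted above; the function names avc_field, avc_perms, ctx_type, avc_summary and is_container_file_denial are chosen here for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): triage an SELinux AVC denial
# without disabling enforcement host-wide. Pure POSIX sh, runs offline.
# The audit line is the one quoted in the post (constructed input).

AVC='type=AVC msg=audit(1561380527.507:2249): avc: denied { read } for pid=72061 comm="yum" name="content.crt" dev="dm-5" ino=858 scontext=system_u:system_r:container_t:s0:c507,c992 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0'

# Print the value of key=... from an audit line; surrounding quotes are stripped.
# $1 = audit line, $2 = key name (comm, name, scontext, tcontext, tclass, ...)
avc_field() {
    for tok in $1; do
        case $tok in
            "$2="*)
                val=${tok#"$2="}
                val=${val#\"}
                val=${val%\"}
                printf '%s\n' "$val"
                return 0
                ;;
        esac
    done
    return 1
}

# Print the permissions listed between "{" and "}" (e.g. "read" or "read open").
avc_perms() {
    inside=0
    perms=
    for tok in $1; do
        case $tok in
            '{') inside=1 ;;
            '}') break ;;
            *) if [ "$inside" -eq 1 ]; then perms="$perms${perms:+ }$tok"; fi ;;
        esac
    done
    printf '%s\n' "$perms"
}

# The type is the third field of an SELinux context (user:role:type:level).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# One-line summary: "<process> <subject type> <perms> <object type> <class> <name>"
avc_summary() {
    printf '%s %s %s %s %s %s\n' \
        "$(avc_field "$1" comm)" \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(avc_perms "$1")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_field "$1" name)"
}

# Return 0 when this is a container label-separation denial on a host file:
# subject type container_t, object class file. Only in that case is turning
# label separation off for a single build (not the whole host) the
# right-sized fix.
is_container_file_denial() {
    [ "$(ctx_type "$(avc_field "$1" scontext)")" = container_t ] &&
    [ "$(avc_field "$1" tclass)" = file ]
}

avc_summary "$AVC"
if is_container_file_denial "$AVC"; then
    echo "build-scoped fix: podman build --security-opt label=disable ... (instead of setenforce 0)"
fi
```

Once the denial reads as container_t reading a cert_t file, the fixes that stay scoped to the build are preferable to setenforce 0: podman build --security-opt label=disable turns label separation off for that one build container only. Running audit2allow on this line would instead produce a policy module granting every container_t process read on every cert_t file, which is broader than the problem. And never put :z or :Z on the /etc/pki mount: that relabels the host's certificate store to container_file_t for every service on the machine (restorecon -Rv /etc/pki puts it back). It is also worth checking getsebool -a | grep ^container_ for a boolean in your container-selinux version that covers this case without custom policy.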