Find containerized applications in container registries and get information about the runtime parameters of supported and community container images.
A container is an isolated runtime environment where applications are executed as isolated processes. The isolation of the runtime environment ensures that applications do not interfere with other containers or system processes.
A container image contains a packaged version of your application, with all the necessary dependencies for the application to run. Images can exist without containers. However, containers depend on images, because containers use container images to build a runtime environment to execute applications.
Containers can be split into two similar but distinct concepts: container images and container instances. A container image contains immutable data that defines an application and its libraries. You can use container images to create container instances, which are running processes that are isolated by a set of kernel namespaces.
You can use each container image many times to create many distinct container instances. These replicas can be split across multiple hosts. The application within a container is independent of the host environment.
Image registries are services that offer container images to download. Image creators and maintainers can store and distribute container images in a controlled manner to public or private audiences. Some examples of image registries include Quay.io, Red Hat Registry, Docker Hub, and Amazon ECR.
Red Hat distributes container images by using two registries: registry.access.redhat.com (where no authentication is required), and registry.redhat.io (where authentication is required).
The Red Hat Ecosystem Catalog, https://catalog.redhat.com/, provides centralized searching utility for both registries.
You can search the Red Hat Ecosystem Catalog for technical details about container images.
The catalog hosts a large set of container images, including from major open source projects, such as Apache, MySQL, and Jenkins.
Because the Red Hat Ecosystem Catalog is also searched for software products other than container images, you must navigate to https://catalog.redhat.com/software/containers/explore to specifically search for container images.
 |
The details page of a container image gives relevant information, such as technical data, the installed packages within the image, or a security scan. You can navigate through these options by using the tabs on the website. You can also change the image version by selecting a specific tag.
 |
The Red Hat internal security team vets all images in the container catalog. Red Hat rebuilds all components to avoid known security vulnerabilities.
Red Hat container images provide the following benefits:
Trusted source: All container images use sources that Red Hat knows and trusts.
Original dependencies: None of the container packages are tampered with, and include only known libraries.
Vulnerability-free: Container images are free of known critical vulnerabilities in the platform components or layers.
Runtime protection: All applications in container images run as non-root users, to minimize the exposure surface to malicious or faulty applications.
Red Hat Enterprise Linux (RHEL) compatible: Container images are compatible with all RHEL platforms, from bare metal to cloud.
Red Hat support: Red Hat commercially supports the complete stack.
Note
You must log in to the registry.redhat.io registry with a customer portal account or a Red Hat Developer account to use the stored container images in the registry.
Although the Red Hat Registry stores only images from Red Hat and certified providers, you can store your own images with Quay.io, another public image registry that Red Hat sponsors. Although storing public images in Quay is free of charge, some options are available only for paying customers. Quay also offers an on-premise version of the product, which you can use to set up an image registry in your own servers.
Quay.io introduces features such as server-side image building, fine-grained access controls, and automatic scanning of images for known vulnerabilities.
Quay.io offers live images that creators regularly update. Quay.io users can create their namespaces, with fine-grained access control, and publish their created images to that namespace. Container Catalog users rarely or never push new images, but consume trusted images from the Red Hat team.
 |
Image creators or maintainers might want to make their images publicly available. However, other image creators might prefer to keep their images private, for the following reasons:
Company privacy and secret protection
Legal restrictions and laws
Avoidance of publishing images in development
In some cases, private images are preferred. Private registries give image creators control over image placement, distribution, and usage. Private images are more secure than images in public registries.
Other public registries, such as Docker Hub and Amazon ECR, are also available for storing, sharing, and consuming container images.
These registries can include official images that the registry owners or the registry community users create and maintain.
For example, Docker Hub hosts a Docker Official Image of a WordPress container image.
Although the docker.io/library/wordpress container image is a Docker Official Image, the container image is not supported by WordPress, Docker, or Red Hat.
Instead, the Docker Community, a global group of Docker Hub users, supports and maintains the container image.
Support for this container image depends on the availability and skills of the Docker Community users.
Consuming container images from public registries brings risks.
For example, a container image might include malicious code or vulnerabilities, which can compromise the host system that executes the container image.
A host system can also be compromised by public container images, because the images are often configured with the privileged root user.
Additionally, the software in a container image might not be correctly licensed, or might violate licensing terms.
Before you use a container image from a public registry, review and verify the container image. Also ensure that you have the correct permissions to use the software in the container image.
Several objects provide identifying information about a container image.
-
Registry It is a content server, such as
registry.access.redhat.com, that is used to store and share container images. A registry consists of one or more repositories that contain tagged container images.-
Name It identifies the container image repository; it is a string that is composed of letters, numbers, and some special characters. This component refers to the name of the directory, or the container repository, within the container registry where the container image is.
For example, consider the fully qualified domain name (FQDN) of the
registry.access.redhat.com/ubi9/httpd-24:1-233container image. The container image is in theubi9/httpd-24repository in theregistry.access.redhat.comcontainer registry.-
ID/Hash It is the SHA (Secure Hash Algorithm) code to pull or verify an image. The SHA image ID cannot change, and always references the same container image content. The ID/hash is the true, unique identifier of an image. For example, the
sha256:4186a1ead13fc30796f951694c494e7630b82c320b81e20c020b3b07c888985bimage ID always refers to theregistry.access.redhat.com/ubi9/httpd-24:1-233container image.-
Tag It is a label for a container image in a repository, to distinguish from other images, for version control. The
tagcomes after the image repository name and is delimited by a colon (:).When an image tag is omitted, the floating tag,
latest, is used as the default tag. A floating tag is an alias to another tag. In contrast, a fixed tag points to a specific container build. For theregistry.access.redhat.com/ubi9/httpd-24:1-233.1669634588container image,1-233.1669634588is the fixed tag for the image, and at the time of writing, corresponds to the floatinglatestflag.
A container image is composed of multiple components.
-
Layers Container images are created from instructions. Each instruction adds a layer to the container image. Each layer consists of the differences between it and the following layer. The layers are then stacked to create a read-only container image.
-
Metadata Metadata includes the instructions and documentation for a container image.
Container image layers consist of instructions, or steps, and metadata for building the image. You can override instructions during container creation to adjust the container image according to your needs. Some instructions can affect the running container, and other instructions are for informational purposes only.
The following instructions affect the state of a running container:
-
ENV Defines the available environment variables in the container. A container image might include multiple
ENVinstructions. Any container can recognize additional environment variables that are not listed in its metadata.-
ARG It defines build-time variables, typically to make a customizable container build. Developers commonly configure the
ENVinstructions by using theARGinstruction. It is useful for preserving the build-time variables for run time.-
USER Defines the active user in the container. Later instructions run as this user. It is a good practice to define a user other than
rootfor security purposes. OpenShift does not honor the user in a container image, for regular cluster users. Only cluster administrators can run containers (pods) with their chosen user ID (UIDs) and group IDs (GIDs).-
ENTRYPOINT It defines the executable to run when the container is started.
-
CMD It defines the command to execute when the container is started. This command is passed to the executable that the
ENTRYPOINTinstruction defines. Base images define a defaultENTRYPOINTexecutable, which is usually a shell executable, such as Bash.-
WORKDIR It sets the current working directory within the container. Later instructions execute within this directory.
Metadata is used for documentation purposes, and does not affect the state of a running container. You can also override the metadata values during container creation.
The following metadata is for information only, and does not affect the state of the running container:
-
EXPOSE It indicates the network port that the application binds to within the container. This metadata does not automatically bind the port on the host, and is used only for documentation purposes.
-
VOLUME It defines where to store data outside the container. The value shows the path where your container runtime mounts the directory inside the container. More than one path can be defined to create multiple volumes.
-
LABEL Adds a key-value pair to the metadata of the image for organization and image selection.
Container engines are not required to honor metadata in a container image, such as USER or EXPOSE.
A container engine can also recognize additional environment variables that are not listed in the container image metadata.
A base image is the image that your resulting container image is built on. Your chosen base image determines the Linux distribution, and any of the following components:
Package manager
InitsystemFile system layout
Preinstalled dependencies and runtimes
The base image can also influence factors such as image size, vendor support, and processor compatibility.
Red Hat provides enterprise-grade container images that are engineered to be the base operating system layer for your containerized applications. These container images are intended as a common starting point for containers, and are known as universal base images (UBI). Red Hat UBI container images are Open Container Initiative (OCI) compliant images that contain portions of Red Hat Enterprise Linux (RHEL). UBI container images include a subset of RHEL content. They provide a set of prebuilt runtime languages, such as Python and Node.js, and associated DNF repositories that you can use to add application dependencies. UBI-based images can be distributed without cost or restriction. They can be deployed to both Red Hat and non-Red Hat platforms, and be pushed to your chosen container registry.
A Red Hat subscription is not required to use or distribute UBI-based images. However, Red Hat provides full support only for containers that are built on UBI if the containers are deployed to a Red Hat platform, such as a Red Hat OpenShift Container Platform (RHOCP) cluster or RHEL.
Red Hat provides four UBI variants: standard, init, minimal, and micro.
All UBI variants and UBI-based images use Red Hat Enterprise Linux (RHEL) at their core and are available from the Red Hat Container Catalog.
The main differences are as follows:
- Standard
This image is the primary UBI, which includes DNF, systemd, and utilities such as
gzipandtar.- Init
This image simplifies running multiple applications within a single container by managing them with systemd.
- Minimal
This image is smaller than the
initimage and provides nice-to-have features. This image uses themicrodnfminimal package manager instead of the full-sized version of DNF.- Micro
This image is the smallest available UBI, and includes only the minimum packages. For example, this image does not include a package manager.
Various tools can inspect and manage container images, including the oc image command and Skopeo.
Skopeo is another tool to inspect and manage remote container images.
With Skopeo, you can copy and sync container images from different container registries and repositories.
You can also copy an image from a remote repository and save it to a local disk.
If you have the appropriate repository permissions, then you can also delete an image from container registry.
You also can use Skopeo to inspect the configuration and contents of a container image, and to list the available tags for a container image.
Unlike other container image tools, Skopeo can execute without a privileged account, such as root.
Skopeo does not require a running daemon to execute various operations.
Skopeo is executed with the skopeo command-line utility, which you can install with various package managers, such as DNF, Brew, and APT.
The skopeo utility might already be installed on some Linux-based distributions.
You can install the skopeo utility on Fedora, CentOS Stream 8 and later, and Red Hat Enterprise Linux 8 and later systems by using the DNF package manager.
[user@host ~]$ sudo dnf -y install skopeoThe skopeo utility is currently not available as a packaged binary for Windows-based systems.
However, the skopeo utility is available as a container image from the quay.io/skopeo/stable container repository.
For more information about the Skopeo container image, refer to the skopeoimage overview guide in the Skopeo repository (https://github.com/containers/skopeo/blob/main/contrib/skopeoimage/README.md).
You can also build skopeo from source code in a container, or build it locally without using a container.
Refer to the installation guide in the Skopeo repository (https://github.com/containers/skopeo/blob/main/install.md#container-images) for more information about installing or building Skopeo from source code.
The skopeo utility provides commands to help you to manage and inspect container images and container image registries.
For container registries that require authentication, you must first log in to the registry before you can execute additional skopeo commands.
[user@host ~]$ skopeo login quay.ioNote
OpenShift clusters are typically configured with registry credentials.
When a pod is created from a container image in a remote repository, OpenShift authenticates to the container registry with the configured registry credentials, and then pulls, or copies, the image.
Because OpenShift automatically uses the registry credentials, you typically do not need to manually authenticate to a container registry when you create a pod.
By contrast, the oc image command and the skopeo utility require you first to log in to a container registry.
After you log in to a container registry (if required), you can execute additional skopeo commands against container images in a repository.
When you execute a skopeo command, you must specify the transport and the repository name.
A transport is the mechanism to transfer or move container images between locations.
Two common transports are docker and dir.
The docker transport is used for container registries, and the dir transport is used for local directories.
The oc image command and other tools default to the docker transport, and so you do not need to specify the transport when executing commands.
However, the skopeo utility does not define a default transport; you must specify the transport with the container image name.
Most skopeo commands use the skopeo format.
For example, the following command [command options] transport://IMAGE-NAMEskopeo list-tags command lists all available tags in a registry.access.redhat.com/ubi9/httpd-24 container repository by using the docker transport:
[user@host ~]$ skopeo list-tags docker://registry.access.redhat.com/ubi9/httpd-24
{
"Repository": "registry.access.redhat.com/ubi9/httpd-24",
"Tags": [
"1-229",
"1-217.1666632462",
"1-201",
"1-194.1655192191-source",
"1-229-source",
"1-194-source",
"1-201-source",
"1-217.1664813224",
"1-217.1664813224-source",
"1-210-source",
"1-233.1669634588",
"1",
"1-217.1666632462-source",
"1-233",
"1-194.1655192191",
"1-217.1665076049-source",
"1-217",
"1-233.1669634588-source",
"1-210",
"1-217.1665076049",
"1-217-source",
"1-233-source",
"1-194",
"latest"
]
}The skopeo utility includes other useful commands for container image management.
-
skopeo inspect View low-level information for an image name, such as environment variables and available tags. Use the
skopeo inspectcommand format. You can include the[command options]transport://IMAGE-NAME--configflag to view the configuration, metadata, and history of a container repository. The following example retrieves the configuration information for theregistry.access.redhat.com/ubi9/httpd-24container repository:[user@host ~]$
skopeo inspect --config docker://registry.access.redhat.com/ubi9/httpd-24...output omitted... "config": { "User": "1001", "ExposedPorts": { "8080/tcp": {}, "8443/tcp": {} }, "Env": [ ...output omitted... "HTTPD_MAIN_CONF_PATH=/etc/httpd/conf", "HTTPD_MAIN_CONF_MODULES_D_PATH=/etc/httpd/conf.modules.d", "HTTPD_MAIN_CONF_D_PATH=/etc/httpd/conf.d", "HTTPD_TLS_CERT_PATH=/etc/httpd/tls", "HTTPD_VAR_RUN=/var/run/httpd", "HTTPD_DATA_PATH=/var/www", "HTTPD_DATA_ORIG_PATH=/var/www", "HTTPD_LOG_PATH=/var/log/httpd" ], "Entrypoint": [ "container-entrypoint" ], "Cmd": [ "/usr/bin/run-httpd" ], "WorkingDir": "/opt/app-root/src", ...output omitted... } ...output omitted...-
skopeo copy Copy an image from one location or repository to another. Use the
skopeo copyformat. For example, the following command copies thetransport://SOURCE-IMAGEtransport://DESTINATION-IMAGEquay.io/skopeo/stable:latestcontainer image to theskopeorepository in theregistry.example.comcontainer registry:[user@host ~]$
skopeo copy docker://quay.io/skopeo/stable:latest \ docker://registry.example.com/skopeo:latest-
skopeo delete Delete a container image from a repository. You must use the
skopeo deleteformat. The following command deletes the[command options]transport://IMAGE-NAMEskopeo:latestimage from theregistry.example.comcontainer registry:[user@host ~]$
skopeo delete docker://registry.example.com/skopeo:latest-
skopeo sync Synchronize one or more images from one location to another. Use this command to copy all container images from a source to a destination. The command uses the
skopeo syncformat. The following command synchronizes the[command options]--srctransport--desttransportSOURCEDESTINATIONregistry.access.redhat.com/ubi8/httpd-24container repository to theregistry.example.com/httpd-24container repository:[user@host ~]$
skopeo sync --src docker --dest docker \ registry.access.redhat.com/ubi8/httpd-24 registry.example.com/httpd-24
Some registries require users to authenticate. For example, Red Hat containers that are based on RHEL typically require authenticated access:
[user@host ~]$skopeo inspect docker://registry.redhat.io/rhel8/httpd-24FATA[0000] Error parsing image name "docker://registry.redhat.io/rhel8/httpd-24":unable to retrieve auth token: invalid username/password: unauthorized: Please login to the Red Hat Registry using your Customer Portal credentials.Further instructions can be found here: https://access.redhat.com/RegistryAuthentication
You might choose a different image that does not require authentication, such as the UBI 8 image:
[user@host ~]$ skopeo inspect docker://registry.access.redhat.com/ubi8:latest
{
"Name": "registry.access.redhat.com/ubi8",
"Digest": "sha256:70fc...1173",
"RepoTags": [
"8.7-1054-source",
"8.6-990-source",
"8.6-754",
"8.4-203.1622660121-source",
...output omitted....Alternatively, you must execute the skopeo login command for the registry before you can access the RHEL 8 image.
[user@host ~]$skopeo login registry.redhat.ioUsername:YOUR_USERPassword:YOUR_PASSWORDLogin Succeeded! [user@host ~]$skopeo list-tags docker://registry.redhat.io/rhel8/httpd-24{ "Repository": "registry.redhat.io/rhel8/httpd-24", "Tags": [ "1-166.1645816922", "1-209", "1-160-source", "1-112", ...output omitted...
Skopeo stores the credentials in the ${XDG_RUNTIME_DIR}/containers/auth.json file, where the ${XDG_RUNTIME_DIR} refers to a directory that is specific to the current user.
The credentials are encoded in the base64 format:
[user@host ~]$cat ${XDG_RUNTIME_DIR}/containers/auth.json{ "auths": { "registry.redhat.io": { "auth":"dXNlcjpodW50ZXIy"} } } [user@host ~]$echo -n dXNlcjpodW50ZXIy | base64 -duser:hunter2
Note
For security reasons, the skopeo login command does not show your password in the interactive session.
Although you do not see what you are typing, Skopeo registers every key stroke.
After typing your full password in the interactive session, press Enter to start the login.
The OpenShift command-line interface provides the oc image command.
You can use this command to inspect, configure, and retrieve information about container images.
The oc image info command inspects and retrieves information about a container image.
You can use the oc image info command to identify the ID/hash SHA and to list the image layers of a container image.
You can also review container image metadata, such as environment variables, network ports, and commands.
If a container image repository provides a container image in multiple architectures, such as amd64 or arm64, then you must include the --filter-by-os tag.
For example, you can execute the following command to retrieve information about the registry.access.redhat.com/ubi9/httpd-24:1-233 container image that is based on the amd64 architecture:
[user@host ~]$ oc image info registry.access.redhat.com/ubi9/httpd-24:1-233 \
--filter-by-os amd64
Name: registry.access.redhat.com/ubi9/httpd-24:1-233
Digest: sha256:4186...985b
...output omitted...
Image Size: 130.8MB in 3 layers
Layers: 79.12MB sha256:d74e...1cad
17.32MB sha256:dac0...a283
34.39MB sha256:47d8...5550
OS: linux
Arch: amd64
Entrypoint: container-entrypoint
Command: /usr/bin/run-httpd
Working Dir: /opt/app-root/src
User: 1001
Exposes Ports: 8080/tcp, 8443/tcp
Environment: container=oci
...output omitted...
HTTPD_CONTAINER_SCRIPTS_PATH=/usr/share/container-scripts/httpd/
HTTPD_APP_ROOT=/opt/app-root
HTTPD_CONFIGURATION_PATH=/opt/app-root/etc/httpd.d
HTTPD_MAIN_CONF_PATH=/etc/httpd/conf
HTTPD_MAIN_CONF_MODULES_D_PATH=/etc/httpd/conf.modules.d
HTTPD_MAIN_CONF_D_PATH=/etc/httpd/conf.d
HTTPD_TLS_CERT_PATH=/etc/httpd/tls
HTTPD_VAR_RUN=/var/run/httpd
HTTPD_DATA_PATH=/var/www
HTTPD_DATA_ORIG_PATH=/var/www
HTTPD_LOG_PATH=/var/log/httpd
...output omitted...The oc image command provides more options to manage container images.
-
oc image append Use this command to add layers to container images, and then push the container image to a registry.
-
oc image extract You can use this command to extract or copy files from a container image to a local disk. Use this command to access the contents of a container image without first running the image as a container. A running container engine is not required.
-
oc image mirror Copy or mirror container images from one container registry or repository to another. For example, you can use this command to mirror container images between public and private registries. You can also use this command to copy a container image from a registry to a disk. The command mirrors the HTTP structure of a container registry to a directory on a disk. The directory on the disk can then be served as a container registry.
Running containers as the root user is a security risk, because an attacker could exploit the application, access the container, and exploit further vulnerabilities to escape from the containerized environment into the host system. Attackers might escape the containerized environment by exploiting bugs and vulnerabilities that are typically in the kernel or container runtime.
Traditionally, when an attacker gains access to the container file system by using an exploit, the root user inside the container corresponds to the root user outside the container. If an attacker escapes the container isolation, then they have elevated privileges on the host system, which potentially causes more damage.
Containers that do not run as the root user have limitations that might prove unsuitable for use in your application, such as the following limitations:
- Non-trivial Containerization
Some applications might require the root user. Depending on the application architecture, some applications might not be suitable for non-root containers, or might require a deeper understanding to containerize.
For example, applications such as HTTPd and Nginx start a bootstrap process and then create a process with a non-privileged user, which interacts with external users. Such applications are non-trivial to containerize for rootless use.
Red Hat provides containerized versions of HTTPd and Nginx that do not require root privileges for production usage. You can find the containers in the Red Hat container registry (https://catalog.redhat.com/software/containers/explore).
- Required Use of Privileged Utilities
Non-root containers cannot bind to privileged ports, such as the
80or443ports. Red Hat advises against using privileged ports, but to use port forwarding instead.Similarly, non-root containers cannot use the
pingutility by default, because it requires elevated privileges to establish raw sockets.
References
Skopeo GitHub Repository
skopeo(1) man page