10

Red Hat Enterprise Linux 7 includes official support for running Docker containers, and Red Hat offer a set of official rhel Docker images. An interesting feature of these images is that packages can be installed via the host's Red Hat Network Subscription without having to perform any configuration within the container.

To quote https://access.redhat.com/articles/881893#createimage:

"For the current Red Hat Docker release, the default RHEL 7 Docker image you pull from Red Hat will be able to draw on RHEL 7 entitlements available from the host system. So, as long as your Docker host is properly subscribed and the repositories are enabled that you need to get the software you want in your container (and have Internet access from your Docker host), you should be able to install packages from RHEL 7 software repositories."

My concern is that the mechanism by which this is achieved is rather opaque. When starting a new container with the rhel7.1 image, for example, it is possible to run yum install foo without even configuring the http proxy environment variables. Without understanding this mechanism, the system administrator is potentially at the mercy of unknown interactions between the host system, the Docker daemon, and running containers. This also suggests that the normal isolation between the host and container is in some way compromised (albeit in a benign fashion).

To put a point on it: How is this subscription support achieved, and is it dependent on the custom build of the Docker daemon provided by Red Hat via the Subscription Network?

Leynos
    https://access.redhat.com/solutions/1314663 – Michael Hampton Oct 14 '15 at 20:38
  • Thanks @michael. Unfortunately, I don't have access to the answer posted on that site, as I do not, personally, have a Red Hat Subscription account. (The account my employer uses is held by staff elsewhere in the organization). I'll see if someone with the relevant access in the organization can provide me with a copy of this KB answer. – Leynos Oct 14 '15 at 20:45
  • @michael you should post your comment as an answer imho. – Bram Oct 17 '15 at 08:06
  • @MichaelHampton I've had a chance to read the answer on the Red Hat site. It may be worth noting in any answer posted here that the functionality in question is dependent upon Red Hat's custom version of the Docker daemon. – Leynos Oct 20 '15 at 11:30

2 Answers

4

Red Hat carries a patch to docker called the 'secrets' patch which mounts the entitlement information into containers when they are run.

You can see a better description of the patch and a link to the upstream PR in the projectatomic/docker repo:

https://github.com/projectatomic/docker/tree/docker-1.13.1-rhel#add-rhel-super-secrets-patchpatch

Note: you'll need to select one of the branches (the link goes to the 'docker-1.13.1-rhel' branch) to see all the carried patch information.

rageear
  • And therefore, if you try to use Docker CE (which does not have that patch) rather than the Red Hat provided Docker, you won't have the entitlement information and `yum` commands inside your Docker build or Docker image will fail? – Raedwald Jul 02 '19 at 13:47
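The following is an added example, not code from the answer above, from Red Hat, or from the projectatomic repository. It reproduces with a stock Docker CE client what the carried 'secrets' patch does implicitly: each entry under the host directory /usr/share/rhel/secrets is bind-mounted read-only into the container under /run/secrets/<name>, and the RHEL images ship /etc/rhsm-host and /etc/pki/entitlement-host pointing into /run/secrets so that yum's subscription-manager plugin finds the host's entitlement. The directory layout in the comments (three symlinks to /etc/pki/entitlement, /etc/rhsm and /etc/yum.repos.d/redhat.repo) is the layout assumed here; check it on your own host, since that is also exactly what is being handed to every container, including the entitlement private keys. The function names entitlement_mount_args and container_has_entitlement are this example's own.

```shell
#!/bin/sh
# Added example (not Red Hat's or the projectatomic code). Emulates the RHEL
# docker 'secrets' patch on a host running plain Docker CE by turning the
# host's secrets directory into explicit -v bind mounts.
#
# Assumed host layout (verify on your system):
#   /usr/share/rhel/secrets/etc-pki-entitlement -> /etc/pki/entitlement
#   /usr/share/rhel/secrets/rhsm                -> /etc/rhsm
#   /usr/share/rhel/secrets/rhel7.repo          -> /etc/yum.repos.d/redhat.repo
# The patch mounts these at /run/secrets/<name> inside the container.

SECRETS_DIR="${SECRETS_DIR:-/usr/share/rhel/secrets}"

# Print one "-v <host path>:/run/secrets/<name>:ro" per secret entry.
# Symlinks are resolved to the real host path; entries whose target is
# missing are skipped with a warning on stderr rather than producing a
# mount that docker would reject. Returns 1 if the directory is absent.
entitlement_mount_args() {
    dir="${1:-$SECRETS_DIR}"
    [ -d "$dir" ] || { echo "no secrets directory: $dir" >&2; return 1; }
    for entry in "$dir"/*; do
        # Unexpanded glob (empty dir) is neither a file nor a symlink.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=$(basename "$entry")
        target=$(readlink -f "$entry") || continue
        if [ ! -e "$target" ]; then
            echo "skipping $name: $target does not exist" >&2
            continue
        fi
        printf -- '-v %s:/run/secrets/%s:ro\n' "$target" "$name"
    done
}

# The check from the container side: given a container root (/ inside a
# running container, or a directory produced by 'docker export'), report
# whether the entitlement secrets yum needs are actually present.
container_has_entitlement() {
    root="${1:-/}"
    set -- "$root"/run/secrets/etc-pki-entitlement/*.pem
    [ -e "$1" ] && [ -d "$root/run/secrets/rhsm" ]
}

# Usage on a subscribed RHEL 7 host running Docker CE, where no daemon patch
# does this for you (word-splitting of the output is intended):
#   docker run --rm $(entitlement_mount_args) \
#       registry.access.redhat.com/rhel7 yum install -y foo
#
# Inside a container, "sh -c 'container_has_entitlement /'" tells you whether
# the mounts arrived before you go looking for proxy or repo problems.
```

Whichever way the secrets get there, the effect is the same: the host's entitlement certificate and key material are readable by every process in the container, so treat any image you run this way as trusted with that credential, and do not bake the mounted files into an image layer with docker commit or a COPY.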
2

Knowing how virtual machines managed by Red Hat Satellite are licensed, and going off @Leynos's comment, I would expect that there is something similar to virt-who, which is a service that talks to the virtualization host (vSphere, KVM, etc) and queries it to find details of VMs. It then does the necessary API calls in Satellite to allow the VM to use the host's datacenter license.

I would expect that the Red Hat docker daemon provides something similar, allowing the container to know that it's running from a subscribed Docker host and therefore make use of that subscription.

Also from here:

IMPORTANT: Running containers with the docker command, as described in this topic, does not specifically require you to register the RHEL Atomic Host system and attach a subscription. However, if you want to run yum install commands within a container, the container must get valid subscription information from the RHEL Atomic Host or it will fail.

So, there's something either in the container or the daemon that can query the host to find subscription info (and probably repo info as well).

shearn89