Image Building and Management

Image Building Overview

Uyuni enables system administrators to build containers and OS Images and push the result in image stores. The workflow looks like this:

Define an image store
Define an image profile and associate it with a source (either a git repository or a directory)
Build the image
Push the image to the image store

Uyuni supports two distinct build types: dockerfile, and the Kiwi image system.

Container Images

Requirements

The containers feature is available for Salt clients running SUSE Linux Enterprise Server 12 or later. Before you begin, ensure your environment meets these requirements:

A published git repository repository containing a dockerfile and configuration scripts. The repository can be public or private, and should be hosted on GitHub, GitLab, or BitBucket.

A properly configured image store, such as a Docker registry.

If you require a private image registry you can use an open source solution such as Portus. For additional information on setting up Portus as a registry provider, see the Portus Documentation.

For more information on Containers or SUSE CaaS Platform, see:

https://documentation.suse.com/sles/15-SP1/html/SLES-all/book-sles-docker.html
https://documentation.suse.com/suse-caasp/4/

To build images with Uyuni, you will need to create and configure a build host. Container build hosts are Salt clients running SUSE Linux Enterprise 12 or later. This section guides you through the initial configuration for a build host.

From the Uyuni Web UI, perform these steps to configure a build host:

Select a Salt client to be designated as a build host from the Systems Overview page.
From the System Details page of the selected client assign the containers modules. Go to Software Software Channels and enable the containers module (for example, SLE-Module-Containers15-Pool and SLE-Module-Containers15-Updates). Confirm by clicking Change Subscriptions.
From the System Details Properties page, enable Container Build Host from the Add-on System Types list and confirm by clicking Update Properties.
Install all required packages by applying Highstate. From the system details page select States Highstate and click Apply Highstate. Alternatively, apply Highstate from the Uyuni Server command line:
```
salt '$your_client' state.highstate
```

Create an Activation Key for Containers

The containers built using Uyuni will use channel(s) associated to the activation key as repositories when building the image. This section will guide you into creating an ad-hoc activation key for this purpose.

To build a container, you will need an activation key that is associated with a channel other than SUSE Manager Default.

Select Systems Activation Keys.
Click Create Key.
Enter a Description and a Key name. Use the drop-down menu to select the Base Channel to associate with this key.
Confirm with Create Activation Key.

For more information, see [bp.key.managment].

Create an Image Store

All built images are pushed to an image store. This section contains information about creating an image store.

Select Images Stores.
Click Create to create a new store.

Define a name for the image store in the Label field. . Provide the path to your image registry by filling in the URI field, as a fully qualified domain name (FQDN) for the container registry host (whether internal or external).

registry.example.com

The Registry URI can also be used to specify an image store on a registry that is already in use.

registry.example.com:5000/myregistry/myproject

Click Create to add the new image store.

Create an Image Profile

All container images are built using an image profile, which contains the building instructions. This section contains information about creating an image profile with the Uyuni Web UI.

Procedure: Create an Image Profile

To create an image profile select Images Profiles and click Create.

Provide a name for the image profile by filling in the Label field.

Only lowercase characters are permitted in container labels. If your container image tag is in a format such as myproject/myimage, make sure your image store registry URI contains the /myproject suffix.

Use a dockerfile as the Image Type.
Use the drop-down menu to select your registry from the Target Image Store field.
In the Path field, type a GitHub, GitLab or BitBucket repository URL. The URL should be be http, https, or a token authentication URL. Use one of these formats:

GitHub Path Options

GitHub single user project repository

https://github.com/USER/project.git#branchname:folder

GitHub organization project repository

https://github.com/ORG/project.git#branchname:folder

GitHub token authentication

If your git repository is private, modify the profile’s URL to include authentication. Use this URL format to authenticate with a GitHub token:
```
https://USER:<AUTHENTICATION_TOKEN>@github.com/USER/project.git#master:/container/
```

GitLab Path Options

GitLab single user project repository

https://gitlab.example.com/USER/project.git#master:/container/

GitLab groups project repository

https://gitlab.example.com/GROUP/project.git#master:/container/

GitLab token authentication

If your git repository is private and not publicly accessible, you need to modify the profile’s git URL to include authentication. Use this URL format to authenticate with a GitLab token:

https://gitlab-ci-token:<AUTHENTICATION_TOKEN>@gitlab.example.com/USER/project.git#master:/container/

Specifying a git branch

If a branch is not specified, the master branch will be used by default. If a folder is not specified the image sources (dockerfile sources) are expected to be in the root directory of the GitHub or GitLab checkout.

Select an Activation Key. Activation keys ensure that images using a profile are assigned to the correct channel and packages.

Relationship Between Activation Keys and Image Profiles

When you associate an activation key with an image profile you are ensuring any image using the profile will use the correct software channel and any packages in the channel.

Click the Create button.

Example Dockerfile Sources

An Image Profile that can be reused is published at https://github.com/SUSE/manager-build-profiles

The ARG parameters ensure that the built image is associated with the desired repository version served by Uyuni. The ARG parameters also allow you to build image versions of SUSE Linux Enterprise Server which may differ from the version of SUSE Linux Enterprise Server used by the build host itself.

For example: The ARG repo parameter and the echo command pointing to the repository file, creates and then injects the correct path into the repository file for the desired channel version.

The repository version is determined by the activation key that you assigned to your image profile.

The python and python-xml packages must be installed in the container. They are required for inspecting images, and for providing the package and product list of a container to the Uyuni Web UI. If you do not install them, images will still build but the package and product list will not available in the Web UI.

FROM registry.example.com/sles12sp2
MAINTAINER Tux Administrator "tux@example.com"

### Begin: These lines Required for use with {productname}

ARG repo
ARG cert

# Add the correct certificate
RUN echo "$cert" > /etc/pki/trust/anchors/RHN-ORG-TRUSTED-SSL-CERT.pem

# Update certificate trust store
RUN update-ca-certificates

# Add the repository path to the image
RUN echo "$repo" > /etc/zypp/repos.d/susemanager:dockerbuild.repo

### End: These lines required for use with {productname}

# Add the package script
ADD add_packages.sh /root/add_packages.sh

# Run the package script
RUN /root/add_packages.sh

# After building remove the repository path from image
RUN rm -f /etc/zypp/repos.d/susemanager:dockerbuild.repo

Build an Image

There are two ways to build an image. You can select Images Build from the left navigation bar, or click the build icon in the Images Profiles list.

Procedure: Building an Image

Select Images Build.
Add a different tag name if you want a version other than the default latest (only relevant to containers).

Select Build Profile and Build Host.

Profile Summary

Notice the Profile Summary to the right of the build fields. When you have selected a build profile, detailed information about the selected profile will be displayed in this area.

To schedule a build click the Build button.

Import an Image

You can import and inspect arbitrary images. Select Images Image List from the left navigation bar. Complete the text boxes of the Import dialog. When it has processed, the imported image will be listed on the Image List page.

Procedure: Importing an Image

From Images Image list click Import to open the Import Image dialog.
In the Import Image dialog complete these fields:

Image store

The registry from where the image will be pulled for inspection.

Image name

The name of the image in the registry.

Image version

The version of the image in the registry.

Build host

The build host that will pull and inspect the image.

Activation key

The activation key that provides the path to the software channel that the image will be inspected with.
For confirmation, click Import.

The entry for the image is created in the database, and an Inspect Image action on Uyuni is scheduled.

When it has been processed, you can find the imported image in the Image List. It has a different icon in the Build column, to indicate that the image is imported. The status icon for the imported image can also be seen on the Overview tab for the image.

Troubleshooting

These are some known problems when working with images:

HTTPS certificates to access the registry or the git repositories should be deployed to the client by a custom state file.
SSH git access using Docker is currently unsupported.
If the python and python-xml packages are not installed in your images during the build process, reporting of installed packages or products will fail. This will result in an unknown update status.

OS Images

OS Images are built by the Kiwi image system. The output image is customizable and can be PXE, QCOW2, LiveCD, or other types of images.

For more information about the Kiwi build system, see the Kiwi documentation.

Requirements

The Kiwi image building feature is available for Salt clients running SUSE Linux Enterprise Server 12 and SUSE Linux Enterprise Server 11.

Kiwi image configuration files and configuration scripts must be accessible in one of these locations:

Git repository
HTTP hosted tarball
Local build host directory

For an example of a complete Kiwi repository served by git, see https://github.com/SUSE/manager-build-profiles/tree/master/OSImage

Hardware Requirements for Hosts Running OS Images

Hosts running OS Images built with Kiwi need at least 1 GB of RAM. Disk space depends on the actual size of the image. For more information, see the documentation of the underlying system.

The build host must be a Salt client. Do not install the build host as a traditional client.

Create a Build Host

To build all kinds of images with Uyuni, create and configure a build host. OS Image build hosts are Salt clients running on SUSE Linux Enterprise Server 12 (SP3 or later) or SUSE Linux Enterprise Server 11 SP4.

This procedure will guide you through the initial configuration for a build host.

The operating system on the build host must match the operating system on the targeted image.

For example, build SUSE Linux Enterprise Server 12 based images on a build host running SUSE Linux Enterprise Server 12 OS version. Build SUSE Linux Enterprise Server 11 based images on a build host running SUSE Linux Enterprise Server 11 OS version.

Configure the build host in the Uyuni Web UI:

Select a client that will be designated as a build host from the Systems Overview page.
Navigate to the System Details Properties tab, enable the Add-on System Type OS Image Build Host. Confirm with Update Properties.
Navigate to the System Details Software Software Channels tab, enable Uyuni Client tools (for example: SLE-Manager-Tools12-Pool and SLE-Manager-Tools12-Updates). Schedule and click Confirm.
Install Kiwi and all required packages by applying Highstate. From the system details page select States Highstate and click Apply Highstate. Alternatively, apply Highstate from the Uyuni Server command line:
```
salt '$your_client' state.highstate
```

Uyuni Web Server Public Certificate RPM

Build host provisioning copies the Uyuni certificate RPM to the build host. This certificate is used for accessing repositories provided by Uyuni.

The certificate is packaged in RPM by the mgr-package-rpm-certificate-osimage package script. The package script is called automatically during a new Uyuni installation.

When you upgrade the spacewalk-certs-tools package, the upgrade scenario will call the package script using the default values. However if the certificate path was changed or unavailable, you will need to call the package script manually using --ca-cert-full-path <path_to_certificate> after the upgrade procedure has finished.

Package script call example

/usr/sbin/mgr-package-rpm-certificate-osimage --ca-cert-full-path /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT

The RPM package with the certificate is stored in a salt-accessible directory such as /usr/share/susemanager/salt/images/rhn-org-trusted-ssl-cert-osimage-1.0-1.noarch.rpm.

The RPM package with the certificate is provided in the local build host repository /var/lib/Kiwi/repo.

The RPM Package with the Uyuni Certificate Must Be Specified in the Build Source

Make sure your build source Kiwi configuration contains rhn-org-trusted-ssl-cert-osimage as a required package in the bootstrap section.

config.xml

...
  <packages type="bootstrap">
    ...
    <package name="rhn-org-trusted-ssl-cert-osimage" bootinclude="true"/>
  </packages>
...

Create an Activation Key for OS Images

Create an activation key associated with the channel that your OS Images will use as repositories when building the image.

Activation keys are mandatory for OS Image building.

To build OS Images, you will need an activation key that is associated with a channel other than SUSE Manager Default.

In the Web UI, select Systems Activation Keys.
Click Create Key.
Enter a Description, a Key name, and use the drop-down box to select a Base Channel to associate with the key.
Confirm with Create Activation Key.

For more information, see [bp.key.managment].

Create an Image Store

OS Images can require a significant amount of storage space. Therefore, we recommended that the OS Image store is located on a partition of its own or on a Btrfs subvolume, separate from the root partition. By default, the image store will be located at /srv/www/os-images.

Image Stores for Kiwi Build Type

Image stores for Kiwi build type, used to build system, virtual, and other images, are not supported yet.

Images are always stored in /srv/www/os-images/<organization id> and are accessible via HTTP/HTTPS https://<susemanager_host>/os-images/<organization id>.

Create an Image Profile

Manage image profiles using the Web UI.

Procedure: Create an Image Profile

To create an image profile select from Images Profiles and click Create.
In the Label field, provide a name for the Image Profile.
Use Kiwi as the Image Type.
Image store is automatically selected.
Enter a Config URL to the directory containing the Kiwi configuration files:
1. git URI
2. HTTPS tarball
3. Path to build host local directory

Select an Activation Key. Activation keys ensure that images using a profile are assigned to the correct channel and packages.

Relationship Between Activation Keys and Image Profiles

When you associate activation key with an image profile you are ensuring any image using the profile will use the correct software channel and any packages in the channel.

Confirm with the Create button.

Source format options

git/HTTP(S) URL to the repository

URL to the git repository containing the sources of the image to be built. Depending on the layout of the repository the URL can be:
```
https://github.com/SUSE/manager-build-profiles
```
You can specify a branch after the # character in the URL. In this example, we use the master branch:
```
https://github.com/SUSE/manager-build-profiles#master
```
You can specify a directory that contains the image sources after the : character. In this example, we use OSImage/POS_Image-JeOS6:
```
https://github.com/SUSE/manager-build-profiles#master:OSImage/POS_Image-JeOS6
```
HTTP(S) URL to the tarball

URL to the tar archive, compressed or uncompressed, hosted on the webserver.
```
https://myimagesourceserver.example.org/MyKiwiImage.tar.gz
```
Path to the directory on the build host

Enter the path to the directory with the Kiwi build system sources. This directory must be present on the selected build host.
```
/var/lib/Kiwi/MyKiwiImage
```

Example of Kiwi Sources

Kiwi sources consist at least of config.xml. Usually, config.sh and images.sh are present as well. Sources can also contain files to be installed in the final image under the root subdirectory.

For information about the Kiwi build system, see the Kiwi documentation.

SUSE provides examples of fully functional image sources at the SUSE/manager-build-profiles public GitHub repository.

Example of JeOS config.xml

<?xml version="1.0" encoding="utf-8"?>

<image schemaversion="6.1" name="POS_Image_JeOS6">
    <description type="system">
        <author>Admin User</author>
        <contact>noemail@example.com</contact>
        <specification>SUSE Linux Enterprise 12 SP3 JeOS</specification>
    </description>
    <preferences>
        <version>6.0.0</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>

        <locale>en_US</locale>
        <keytable>us.map.gz</keytable>
        <timezone>Europe/Berlin</timezone>
        <hwclock>utc</hwclock>

        <rpm-excludedocs>true</rpm-excludedocs>
        <type boot="saltboot/suse-SLES12" bootloader="grub2" checkprebuilt="true" compressed="false" filesystem="ext3" fsmountoptions="acl" fsnocheck="true" image="pxe" kernelcmdline="quiet"></type>
    </preferences>
    <!--    CUSTOM REPOSITORY
    <repository type="rpm-dir">
      <source path="this://repo"/>
    </repository>
    -->
    <packages type="image">
        <package name="patterns-sles-Minimal"/>
        <package name="aaa_base-extras"/> <!-- wouldn't be SUSE without that ;-) -->
        <package name="kernel-default"/>
        <package name="salt-minion"/>
        ...
    </packages>
    <packages type="bootstrap">
        ...
        <package name="sles-release"/>
        <!-- this certificate package is required to access {productname} repositories
             and is provided by {productname} automatically -->
        <package name="rhn-org-trusted-ssl-cert-osimage" bootinclude="true"/>

    </packages>
    <packages type="delete">
        <package name="mtools"/>
        <package name="initviocons"/>
        ...
    </packages>
</image>

Build an Image

There are two ways to build an image using the Web UI. Either select Images Build, or click the build icon in the Images Profiles list.

Procedure: Building an Image

Select Images Build.
Add a different tag name if you want a version other than the default latest (applies only to containers).

Select the Image Profile and a Build Host.

Profile Summary

A Profile Summary is displayed to the right of the build fields. When you have selected a build profile, detailed information about the selected profile will show up in this area.

To schedule a build, click the Build button.

After the image is successfully built, the inspection phase begins. During the inspection phase SUSE Manager collects information about the image:

List of packages installed in the image
Checksum of the image
Image type and other image details

If the built image type is PXE, a Salt pillar will also be generated. Image pillars are stored in the /srv/susemanager/pillar_data/images/ directory and the Salt subsystem can access details about the generated image. Details include where the pillar is located and provided, image checksums, information needed for network boot, and more.

The generated pillar is available to all connected clients.

Troubleshooting

Building an image requires of several dependent steps. When the build fails, investigation of Salt states results can help you to identify the source of the failure. Usual checks when the build fails:

The build host can access the build sources
There is enough disk space for the image on both the build host and the Uyuni server
The activation key has the correct channels associated with it
The build sources used are valid
The RPM package with the Uyuni public certificate is up to date and available at /usr/share/susemanager/salt/images/rhn-org-trusted-ssl-cert-osimage-1.0-1.noarch.rpm. For more on how to refresh a public certificate RPM, see Create a Build Host.

Limitations

The section contains some known issues when working with images.

HTTPS certificates used to access the HTTP sources or git repositories should be deployed to the client by a custom state file, or configured manually.
Importing Kiwi-based images is not supported.

List Image Profiles Available for Building

To list images available for building select Images Image List. A list of all images will be displayed.

Displayed data about images includes an image Name, its Version and the build Status. You will also see the image update status with a listing of possible patch and package updates that are available for the image.

Clicking the Details button on an image will provide a detailed view. The detailed view includes an exact list of relevant patches and a list of all packages installed within the image.

The patch and the package list is only available if the inspect state after a build was successful.