All Red Hat

Log in

Login

Technical resources

Automated Build Service for Red Hat Build Partners

July 15, 2020
3 minute read

Keeping your certified container images up-to-date

 

The Red Hat Partner Connect program offers an automated build service for partners who participate in Red Hat Container Certification and/or Red Hat OpenShift Operator certification. 

When your containerized software is Red Hat Certified it differentiates your products and conveys your company’s commitment to keep your images up-to-date with the highest level of trust and supportability. When updating your application, automating your builds saves you time and can improve customer trust when your container images are updated to remove known critical and important vulnerabilities.

 

Background

As part of the certification workflow, partner container images are scanned to extract metadata and information regarding RPMs it contains. The scanned package information is compared with both Red Hat and public security advisory and vulnerability sources. These container images are then rated based on Red Hat published security updates that have not been applied and the length of time the software in the container images is exposed to those flaws. The rating system used is called the Container Health Index for Red Hat Content. In order to initially certify, the partner container image must have a health index grade “A”. This image summarizes the definition of a Health Index Grade “A” and how it is displayed in the Red Hat Ecosystem Catalog.

Image
ABS - container health index

 

Maintaining up-to-date container images

The Health Index grade for certified partner container images is temporal.  As new software package vulnerabilities are discovered it is important to rebuild these container images to keep them up-to-date to maintain an "A" on the health index. Without automation this process can become onerous and reflect negatively on the product listing in the Red Hat Ecosystem Catalog. Customers frequently run vulnerable software, but few want to download software that is tagged as vulnerable. 

The automated build service makes the process of updating certified partner container images effortless. 

 

The Automated Build Service

The Partner Connect build service allows a partner to build and rebuild their containers for certification and publishing in the Red Hat Ecosystem Catalog without having their own build environment.

The automated build service leverages the “auto-rebuild” feature of the build service and automatically builds and publishes a new container image in response to new Red Hat Security Advisories (RHSA). The automated publishing updates the image in the Red Hat Ecosystem Catalog for customers to download.

The only requirement to take advantage of the automated build service, is that the partner container image source code be accessible via a git repository which is internet-accessible. If the git repository is protected, the SSH key to access the source code is required. 

Steps to turn ON the Automated Build Service 

Login to connect.redhat.com and navigate to the “Build Service” menu from within the certification project screen and select the “Configure Build Service” tab. 

 

Image
ABS screen shot

 

Under the “Configure Build Service” tab 

 

  1. Turn “on” the Red Hat Build Service. 
Image
ABS configure build service

 

 

  1. Turn “on” the the automated build service (Auto-Rebuild feature)

 

* Auto-rebuild requires auto-publish and will enable it for you under your certification project settings.

 

  1. Provide URL for the git repository and the private SSH key if it’s a private repository.
Image
ABS - git source image

 

To summarize 

  • The automated build service triggers a security scan of the certified container images upon release of new Red Hat Security Advisories (RHSA).
  • The automated build service automates the rebuilding of the certified container image whenever an update is necessary for the Red Hat package(s) and/or container base image as per the results of the scan. 
  • The automated build service auto-publishes the rebuilt image; if the partner has opted in to distribute their image through the official Red Hat container registry. 
  • The automated build service sends an email, from connect@redhat.com, to inform the partner that the image has been rebuilt and republished. 

In case the automated build service is not suitable for your environment you might be able to leverage the Red Hat Partner Connect API to keep your container images up-to-date. Read more about the Red Hat Partner Connect API in the blog “Getting started with the Red Hat Partner Connect API.”

 

Resources:

If you have technical questions regarding this build service, post them in the Technology Partner Success Desk web form.

 

Shubha Badve
Shubha Badve
Technical product manager
Shubha Badve is a technical product manager, within the Red Hat Certified Technology Ecosystem (CTE) team, for Red Hat Container Certification offering. Working closely with Red Hat Enterprise Linux (RHEL) and OpenShift Container Platform (OCP) product management teams, Shubha combines Red Hat set forth best practices (product & security) and customer & partner feedback to enhance Container Certification offering benefits for partners and customers. Shubha has worked on this team for over two years and lives in Westford, Massachusetts with her husband and two boys.