Partners can use the partner build service to build their application containers for certification, so they do not need to maintain a RHEL container build host. The build service can build containers from git repositories that are internet-accessible, either publicly or privately with an SSH key. To enable it, navigate to your container project and click 'build service'.
The auto-publish setting is located in 'project settings' in container certification projects. When it is toggled 'on', containers which pass certification will be automatically published in the Red Hat Container Catalog.
Auto-rebuild is a build service feature which will automatically build and publish a new container in response to known vulnerabilities. Auto-rebuild requires auto-publish and will enable it for you.
How does auto-rebuild generate new container tags? Refer to the table to see what auto-rebuild will tag your containers with on the first and second rebuilds, given the original tag in the far-left column.
User provided Tag | Build Service Generated Tag (n+1) | Build Service Generated Tag (n+2)
Pulling images for testing
It is possible to pull images to test them before publishing.
1. Using the steps on the 'upload your image' tab in the certification area of the container zone, log into your project repository with docker.
2. Locate your 'pid' (project identifier) in the 'docker tag' command in the 'upload your image' instructions. It is a string of random alphanumeric characters starting with either 'p' or 'ospid'.
3. Run 'docker pull scan.connect.redhat.com/[pid]/partner-build-service:[tag]'
The partner build service allows a partner to build and rebuild their containers for certification and publishing in RHCC without having their own environment.
1. From the container project home, click partner build service in the left nav menu.
2. Main partner build service screen: you can start a new build, refresh, click into a build to see details, or configure the service.
3. Configure build service screen:
   1. Start a new build.
   2. Turn the build service on or off.
   3. Enable automatic rebuilds of this repository in response to security errata.
   4. Required. URL of the git repo to build the container from. Can be either an HTTP or SSH git URL (but see #4).
   5. Optional and usually blank. If the Dockerfile is named something other than the default 'Dockerfile', enter it here.
   6. Optional. The private SSH key which gives access to a private repo. Only valid when an SSH URL is given for #2.
   7. Optional, usually blank. If the docker build context root is not the root of the git repo, enter the path to it here.
   8. Required, default is master. If you want to build a git branch other than master, specify the branch name here.
Ensure your Dockerfile installs and applies fixes for critical/important vulnerabilities. This is typically accomplished with the following command within the Dockerfile: yum -y update-minimal --security --sec-severity=Important --sec-severity=Critical --setopt=tsflags=nodocs
Build a new image
Select the target project in Red Hat Connect (login required)
Go to the “Upload Your Image” tab and see details on how to upload a new, updated image for certification scan
Once the scan is completed successfully, click the publish button for this updated image
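The pull steps under 'Pulling images for testing' and the Dockerfile guidance on critical/important fixes can be combined into a check run before publishing. The script below is an added example, not Red Hat's tooling: it pulls the built image and asks yum inside it whether Critical or Important security errata are still pending. The function names are hypothetical, and it assumes the image ships yum and can reach its repositories.

```shell
#!/bin/sh
# Added example. REGISTRY and the repository path are from the page; the
# function names are hypothetical.
REGISTRY="scan.connect.redhat.com"

# Print the pull reference for a project id and tag; fail on malformed input
# so nothing unexpected is interpolated into the docker command line.
image_ref() {
    pid=$1; tag=$2
    case $pid in
        ospid*|p*) ;;   # the page: pid starts with 'p' or 'ospid'
        *) echo "pid must start with 'p' or 'ospid'" >&2; return 2 ;;
    esac
    case $pid in        # assumption: '-' is accepted besides alphanumerics
        *[!A-Za-z0-9-]*) echo "unexpected character in pid" >&2; return 2 ;;
    esac
    case $tag in
        ''|*[!A-Za-z0-9_.-]*) echo "unexpected character in tag" >&2; return 2 ;;
    esac
    printf '%s/%s/partner-build-service:%s\n' "$REGISTRY" "$pid" "$tag"
}

# Map the exit status of 'yum check-update' to a verdict:
# 0 = nothing pending, 100 = updates available, anything else = check failed.
errata_verdict() {
    case $1 in
        0)   echo clean ;;
        100) echo pending ;;
        *)   echo error ;;
    esac
}

# Pull the image and ask yum inside it whether Critical/Important security
# errata are still pending. Assumes the image ships yum and can reach its repos.
check_image() {
    ref=$(image_ref "$1" "$2") || return 2
    docker pull "$ref" || return 2
    rc=0
    docker run --rm --entrypoint yum "$ref" -q check-update --security \
        --sec-severity=Critical --sec-severity=Important || rc=$?
    verdict=$(errata_verdict "$rc")
    echo "$ref: $verdict"
    [ "$verdict" = clean ]
}

# Usage: sh check_image.sh <pid> <tag>   (after 'docker login' to the project repository)
if [ "$#" -eq 2 ]; then check_image "$1" "$2"; fi
```

A 'pending' verdict means the Dockerfile's security update step did not pick up every Critical/Important fix available at check time; 'error' means the check itself could not run and says nothing about the image.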