
Container Certification FAQ

September 20, 2022
Related products: Red Hat Container storage

During a recent technical workshop, we discussed what you need to know to build and certify your containers for Red Hat platforms. Among the many things we covered were technical requirements, workflow, and the benefits of achieving this foundational certification as a technology partner. We captured a collection of questions asked during the workshop and wanted to share them, as you may have the same or similar questions about certifying your container images.

Certification

Q: Is certification mandatory going forward for storage drivers (SAS Controllers)?

A: Certification is never mandatory to run on OpenShift or Red Hat Enterprise Linux (RHEL). Certification is mandatory to be Red Hat-approved and jointly supported. If you choose to certify, it’s because you have a business or customer requirement to do so.  

Q: For certification, is there a fee and is there any tutorial for preparation?

A: The certification documentation and our webinar presentations are the best preparation. There is no fee to certify.  

Q: With OpenShift Partner Lab (OPL), do we need our Bring Your Own (BYO) AWS credits? 

A: No. The OpenShift Partner Lab is all inclusive - we provision the cluster and send you access credentials. Because of this valued resource, we require your Red Hat technical or account manager to sponsor your access to the OPL.

Q: Is the same certification used when the application is composed of several different images?

A: Yes, you certify each image separately. Your product may be built from multiple container images.

Q: Can the submitted and approved container images remain private? Our customers demand certification, but we don't want to host our images externally or have them be publicly displayed.

A: Yes. You are able to keep your container images private behind whatever private registry you choose to use. 

Q: In consulting there are many large customers (in DoD, public sector, etc.) that are trying to maintain their own catalogs of container images. Are there any plans to make this impressive tooling available for customers to stand up in their own environments for maintaining their own catalogs?

A: Our certification tooling is open-source and has no license preventing others from using it freely. 

Q: For Operator certification, can related images / containers be linked to their own product listing or the product listing of the operator?  

A: You should link all of your related image projects to one product listing. If you also deploy via a non-operator method, you would have a separate product listing for that deployment (e.g. Helm chart, containerized product, etc.).

Training

Q: Will the Red Hat Learning Subscriptions have the latest container training or is there a separate portal for the latest container training?

A: The Red Hat training portal has a lot of information, so I would expect you to find what you need there. If it’s not there, check out developers.redhat.com.

Security

Q: Why can’t preflight tests be conducted on Red Hat infrastructure like security scans are? 

A: We have optimized our certification tests for partner CI/CD workflows and removed dependencies on Red Hat infrastructure. We encourage you to test your products locally and regularly between releases. You can run certification tests in disconnected environments as well.

Q: Will there be a tool to run security checks locally like preflight checks? 

A: Perhaps at some point in the future. For now, we recommend utilizing one of our certified partner vulnerability scanners. These are found at catalog.redhat.com. These will most closely match our own CVE checks.

Q: Quay.io mentions "builds, analyzes, distributes". What does "analyze" entail? Is that a Clair scan you mentioned previously?

A: Clair vulnerability scanner, yes. This is the same scanner we run within the Partner Connect certification process as well - we just run it standalone versus within the Quay infrastructure.

Procedures/Functionality

Q: Is it possible to switch to a non-Red Hat Container Registry from the Red Hat Marketplace only registry? 

A: No, you will need to create a new project. You cannot change the distribution method after project setup is completed. 

Q: Are the UBI images versioned? I often see it referenced in the FROM directive of the Dockerfile without a specific version tag.

A: Yes, they are versioned.

Q: What are the limitations for running Red Hat OpenShift Local? 

A: Sizing and load capacity. 

Q: Red Hat uses podman and not docker - do I need to have my application running in podman?  

A: Red Hat does not support docker, but many developers use docker and it does work. Preflight works with docker. If you pursue RHEL software certification, you must use podman. See this Container cheat sheet.

Q: What is the publish button (26 minutes into the video) for - the Red Hat marketplace, ecosystem or catalog?

A: The publish button is for catalog.redhat.com.

Definitions 

Q: What does "pyxis" stand for?  

A: It’s not an acronym but the name of our backend database system behind the Partner Connect portal.

Schedule and future webinars 

Q: Can you talk about docs on the release schedules expected for RHEL & Red Hat OpenShift Container Platform (OCP)?

A: RHEL minor releases come out every 6 months, and RHEL major releases come out every 3 years. OCP minor releases come out every 4 months. 

Q: Will there be a follow-up webinar that describes the operator certification process?

A: There is one from December 2021 that is still applicable to our process. 

 

Danny Bower
Red Hat Business Development Manager
Danny joined Red Hat in 2019 and currently works on Red Hat's Ecosystem team, focused on helping & supporting new and existing technology partners - from onboarding to certification journeys.