Data and AI on Power


Red Hat container certification process for open source projects on IBM Power

By Priya Seth posted Mon February 27, 2023 08:34 AM

  

The Red Hat Container Catalog provides containerized applications for the Red Hat OpenShift Container Platform. The Red Hat container certification process must be followed to make containers available in the Red Hat Container Catalog.

This tutorial explains the certification process in the context of open source projects running on the IBM Power architecture.

Prerequisites

Power RHEL virtual machine (VM) with Red Hat subscription enabled.

Estimated Time

It will take you approximately 3 to 4 hours to complete the full certification process, and a couple of additional days to get the export compliance and distribution approval from Red Hat.

Steps

The certification process has three parts: Certification on-boarding, certification testing, and certification publishing.

Red Hat certification process workflow

Refer to Chapter 4. Red Hat Enterprise Linux Software certification of the "Red Hat Software Certification Quick Start Guide" for additional guidance.

Certification on-boarding

  1. Register as a Technology Partner on Red Hat Partner Connect: https://connect.redhat.com/user/register/.

  2. Create an OpenShift Container Project by following these steps:

    1. In a browser, navigate to https://connect.redhat.com/auth-home. Click Manage certification projects from the Product Certification menu.

      Red Hat Product Certification
    2. On the My Work Page, type the project name and click Create Project.

      Red Hat Create Project Screen
    3. In the pop-up window, select Red Hat OpenShift, and click Next.

      Select Red Hat OpenShift
    4. In the next pop-up window, select Container Image, and click Next.

      Select Container Image
    5. On the Create container image certification project page, type the project name, select the base image used by your container, and select the distribution method for your image.

    6. Click Create project to complete the process.

      Create container image certification project

Certification testing

Submit your container for verification testing by following these steps:

  1. Build your container image. Consider the following requirements for content, metadata, and maintenance when building a container image. For example:

    The content requirements recommend that the image:

    • Be declared and run as non-root user
    • Use a UBI image as the base
    • Contain a “licenses” directory, and not contain components with critical CVEs

    The metadata requirements recommend that the image should have labels for:

    • Image Name
    • Company Name
    • Version
    • Release
    • Summary
    • Description

    The maintenance requirements state that partners are responsible for monitoring the health status of the published container. The container should be rebuilt periodically and kept up to date and submitted for re-certification and publication whenever there is a security update or new functionality is added.

    More specific details are documented in Chapter 2 of the Red Hat Software Certification Quick Start Guide on the Red Hat Customer Portal.

  2. Get access to your API key or token. The API keys are associated with your Red Hat Partner Account. After you successfully log in to your account, navigate to Product Certification > Container API Keys as shown in the following image.

    Get access to your API key or token
  3. Click Generate new key to generate an API Key.

    Note: Since the account is shared across your organization, it is possible that you have already hit the maximum limit of 10 keys, and might get the following error. Contact the manager of your account to get access to an existing shared API key.

    Generate new key
  4. Upload your container image. Push your image to Red Hat's inbound certification registry where it will be automatically scanned. The detailed steps for tagging and pushing the container can be found on your Project page in the Images tab.

    Upload your container image

    You will see the following page:

    Container Registry Login Page
    1. Set up and run the preflight certification utility, which is a command line tool to verify that the submitted containers meet the minimum requirements for Red Hat Software Certification.

    2. More details about the preflight certification utility can be found here, https://github.com/redhat-openshift-ecosystem/openshift-preflight, and it can be downloaded from here, https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases.

    3. Upload your container to any public or private container registry.

    4. Run the preflight utility on your image and resolve the issues. 

      preflight check container \
      registry.example.org/<namespace>/<image_name>:<image_tag>
      
  5. Retest to check if any issues persist. These issues generally arise if the requirements specified in the “Build your container image” step above are not completely met, especially those related to the content and metadata aspects. For example, an error like the following is reported if the “licenses” directory is missing.

            "failed": [
                {
                    "name": "HasLicense",
                    "elapsed_time": 0,
                    "description": "Checking if terms and conditions applicable to the software including open source licensing information are present. The license must be at /licenses",
                    "help": "Check HasLicense encountered an error. Please review the preflight.log file for more information.",
                    "suggestion": "Create a directory named /licenses and include all relevant licensing and/or terms and conditions as text file(s) in that directory.",
                    "knowledgebase_url": "https://connect.redhat.com/zones/containers/container-certification-policy-guide",
                    "check_url": "https://connect.redhat.com/zones/containers/container-certification-policy-guide"
                }
            ],
            "errors": []
        }
    }
    time="2022-05-03T05:53:10-05:00" level=info msg="Preflight result: FAILED"
    
  6. Submit the certification results to Red Hat Partner Connect.

    preflight check container \
    registry.example.org/<namespace>/<image_name>:<image_tag> \
    --submit \
    --pyxis-api-token=<api_token> \
    --certification-project-id=<project_id> \
    --docker-config=./temp-authfile.json

    Where registry.example.org/<namespace>/<image_name>:<image_tag> is the container that you want to certify as specified in step 4 above, and pyxis-api-token is the container API key associated with your account. The API keys can be obtained from https://connect.redhat.com/account/api-keys after you are logged in to your Partner Connect account, as detailed above. certification-project-id is obtained after you have a certification project created in your partner account (see PID below).

  7. Complete and submit the Export Control Questionnaire. Details are documented here: https://redhat-connect.gitbook.io/red-hat-partner-connect-general-guide/initial-onboarding/export-compliance

    1. Select the required options for specifying the source code URL for open source projects. Most of the form is straightforward, but you should contact your legal team to get an ECCN number.

      Note: Our project was open source and hence was not subject to Export Administration Regulations (EAR), but you should still confirm with your legal team.

      ECCN

      For open source projects, there is also an additional requirement, as follows. If you miss this, the Red Hat approval process will not move forward.

      Publicly available certification
    2. If you do not hear back from the Red Hat team within 5 working days, open a support case at https://connect.redhat.com/support/technology-partner/.

    3. Confirm that you have export compliance and distribution approval. After the issues (if any) are resolved, you will get a confirmation email from Red Hat confirming that your project is Export Compliance Approved. The status on your project page will be green only when Red Hat grants both the Export Compliance and Distribution approval which will happen automatically if you have provided complete information. The approval emails will be sent to the email address specified in the Company Export Contact (for Customers) field of the form.

  8. Provide details about your container.

    Provide container details
  9. Provide the repository namespace, summary description, access level and other project details.

    Project details
  10. Create and attach product listing. In this final step, provide information to make the status of the “Pre Certification Checklist” green. You are expected to provide basic details about the product (like name, logo, company contacts etc.) with which your image is associated. We have clubbed all open source projects under a single “product” for simplicity.
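
The content and metadata requirements from the “Build your container image” step can be pre-checked on the Containerfile before the image is built and handed to preflight. The script below is an added example, not part of the original tutorial or of the preflight tool; the function names, the sample Containerfiles, and the label keys `name`, `vendor`, `version`, `release`, `summary` and `description` (assumed to correspond to the label list in that step) are assumptions.

```shell
#!/bin/sh
# Added example: static pre-check of a Containerfile against the step 1 build
# requirements. Heuristic only; preflight on the built image is authoritative.

# Second field of the last instruction named $1 in the joined text.
last_arg() {
    printf '%s\n' "$joined" | grep -iE "^[[:space:]]*$1[[:space:]]" |
        tail -n 1 | awk '{print $2}'
}

# Prints one line per finding; returns 1 if anything was found, else 0.
lint_containerfile() {
    rc=0
    # Join backslash-continued lines so every instruction sits on one line.
    joined=$(awk '{ while (sub(/\\[[:space:]]*$/, "")) {
                      if ((getline nxt) <= 0) break
                      $0 = $0 " " nxt }
                    print }' "$1")
    base=$(last_arg FROM)   # image of the final build stage
    case $base in
        */ubi[0-9]*) ;;
        *) echo "base image is not UBI: ${base:-none}"; rc=1 ;;
    esac
    user=$(last_arg USER)   # a "user:group" value is reduced to the user part
    case ${user%%:*} in
        ''|root|0) echo "final USER is missing or root"; rc=1 ;;
    esac
    printf '%s\n' "$joined" | grep -qiE \
        '^[[:space:]]*(COPY|ADD)[[:space:]].*[[:space:]]/licenses(/|[[:space:]]|$)' ||
        { echo "nothing is copied into /licenses"; rc=1; }
    labels=$(printf '%s\n' "$joined" | grep -iE '^[[:space:]]*LABEL[[:space:]]' || true)
    # Assumed label keys for the metadata list in step 1.
    for key in name vendor version release summary description; do
        printf '%s\n' "$labels" | grep -qE "[[:space:]]\"?${key}\"?=" ||
            { echo "missing label: $key"; rc=1; }
    done
    return $rc
}

# Constructed sample inputs: one compliant file, one with several gaps.
demo_dir=$(mktemp -d)
cat > "$demo_dir/good" <<'EOF'
FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
LABEL name="demo" vendor="Example Org" version="1.0" release="1" \
      summary="Demo image" description="Constructed sample"
COPY LICENSE /licenses/
USER 1001
EOF
printf 'FROM docker.io/library/alpine:3\nLABEL name="demo" version="1.0"\nUSER root\n' > "$demo_dir/bad"
lint_containerfile "$demo_dir/good" || true
lint_containerfile "$demo_dir/bad" || true
```

A clean result here does not cover the CVE requirement, which depends on the scan of the built image.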

Certification publishing

Follow these steps to publish the container:

  1. Ensure that there are no CVEs before publishing the image. The Health Index of the image will be determined based on the scan that was run after it was submitted using the preflight utility in the previous steps. The image will be visible under the project’s Images tab, but the Publish button will be enabled only after the CVEs have been resolved. The Health Index can be seen on the Images tab as shown below:

    Image Health Index

    Click the Vulnerabilities tab to show more details as shown below:

    Image vulnerabilities

    Most of the vulnerabilities in this scenario originated from the base image and were fixed after pulling the latest base image and re-building the container to be published.

  2. Confirm that the image is available in the Red Hat Container Catalog. After the image has been published, you will see it on the Projects page, Images tab as below:

    Published image

Conclusion

This tutorial provides the basic flow of the Red Hat container certification process specifically for open source projects. More elaborate details and specifics about the prerequisites and each step of the process, how to troubleshoot, and so on, can be found in the official Red Hat documentation found here: https://redhat-connect.gitbook.io/partner-guide-for-red-hat-openshift-and-container/program-on-boarding/certification-workflow.

We'd like to hear about your experience with the certification process. Drop a comment here if you have any questions or run into any issues while following the steps outlined here.

