Data and AI on Power

 View Only

Red Hat container certification process for open source projects on IBM Power

By Priya Seth posted Mon February 27, 2023 08:34 AM


The Red Hat Container Catalog provides containerized applications for the Red Hat OpenShift Container Platform. The Red Hat container certification process must be followed to make containers available in the Red Hat Container Catalog.

This tutorial explains the certification process in the context of open source projects running on the IBM Power architecture.


Power RHEL virtual machine (VM) with Red Hat subscription enabled.

Estimated Time

It will take you approximately 3 to 4 hours to complete the full certification process, and a couple of additional days to get the export compliance and distribution approval from Red Hat.


The certification process has three parts: Certification on-boarding, certification testing, and certification publishing.

Red Hat certification process workflow

Refer to Chapter 4. Red Hat Enterprise Linux Software certification of the "Red Hat Software Certification Quick Start Guide" for additional guidance.

Certification on-boarding

  1. Register as a Technology Partner on Red Hat Partner Connect:

  2. Create an OpenShift Container Project by following these steps:

    1. In a browser, navigate to Click Manage certification projects from the Product Certification menu.

      Red Hat Product Certification
    2. On the My Work Page, type the project name and click Create Project.

      Red Hat Create Project Screen
    3. In the pop-up window, select Red Hat OpenShift, and click Next.

      Select Red Hat OpenShift
    4. In the next pop-up window, select Container Image, and click Next.

      Select Contain Image
    5. On the Create container image certification project page, type the project name, select the base image used by your container, and select the distribution method for your image.

    6. Click Create project to complete the process.

      Create container image certification project

Certification testing

Submit your container for verification testing by following these steps:

  1. Build your container image. Consider the following requirements for content, metadata, and maintenance when building a container image. For example:

    The content requirements recommend that the image:

    • Be declared and run as non-root user
    • Use a UBI image as the base
    • Contain a “licenses” directory, and not contain components with critical CVEs

    The metadata requirements recommend that the image should have labels for:

    • Image Name
    • Company Name
    • Version
    • Release
    • Summary
    • Description

    The maintenance requirements state that partners are responsible for monitoring the health status of the published container. The container should be rebuilt periodically and kept up to date and submitted for re-certification and publication whenever there is a security update or new functionality is added.

    More specific details are documented in Chapter 2 of the Red Hat Software Certification Quick Start Guide on the Red Hat Customer Portal

  2. Get access to your API key or token. The API keys are associated with your Red Hat Partner Account. After you are successfully log into your account, navigate to Product Certification > Container API Keys as shown in the following image.

    Get access to your API key or token
  3. Click Generate new key to generate an API Key.

    Note: Since the account is shared across your organization, it is possible that you have already hit the maximum limit of 10 keys, and might get the following error. Contact the manager of your account to get access to an existing shared API key.

    Generate new key
  4. Upload your container image. Push your image to Red Hat's inbound certification registry where it will be automatically scanned. The detailed steps for tagging and pushing the container can be found on your Project page in the Images tab.

    Upload your container image

    You will see the following page:

    Container Registry Login Page
    1. Setup and run the preflight certification utility, which is a command line tool to verify that the submitted containers meet the minimum requirements for Red Hat Software Certification.

    2. More details about the preflight certification utility can be found here,, and it can be downloaded from here,

    3. Upload your container to any public or private container registry.

    4. Run the preflight utility on your image and resolve the issues. 

      preflight check container \<namespace>/<image_name>:<image_tag>
  5. Retest to check if any issues persist. These issues would generally arise if the requirements, as specified in the “Build your container image” section above are not completely met, especially those related to the content and metadata aspects. For example, an error like below can be seen if the “licenses” directory is missing.

            "failed": [
                    "name": "HasLicense",
                    "elapsed_time": 0,
                    "description": "Checking if terms and conditions applicable to the software including open source licensing information are present. The license must be at /licenses",
                    "help": "Check HasLicense encountered an error. Please review the preflight.log file for more information.",
                    "suggestion": "Create a directory named /licenses and include all relevant licensing and/or terms and conditions as text file(s) in that directory.",
                    "knowledgebase_url": "",
                    "check_url": ""
            "errors": []
    time="2022-05-03T05:53:10-05:00" level=info msg="Preflight result: FAILED"
  6. Submit the certification results to Red Hat Partner Connect.

    preflight check container \<namespace>/<image_name>:<image_tag> \ --submit \ --pyxis-api-token=<api_token> \ --certification-project-id=<project_id> \ --docker-config=./temp-authfile.json

    Where<namespace>/<image_name>:<image_tag> is the container that you want to certify as specified in step 4 above and pyxis-api-token is the container api-keys associated with your account. The API keys can be obtained from here, after you are logged into your partner connect account, as detailed above. certification-project-id is obtained after you have a certification project created in your partner account (see PID below).

  7. Complete and submit the Export Control Questionnaire. Details are documented here:

    1. Select the required options for specifying the source code URL for open source projects, Most of the form is straightforward, but you should contact your legal team to get an ECCN number.

      Note: Our project was open source and hence was not subject to Export Administration Regulations (EAR)  but you should still confirm with your legal team.


      For open source projects, there is also an additional requirement, as follows. If you miss this, the Red Hat approval process will not move forward.

      Publicly available certification
    2. If you do not hear back from the Red Hat team within 5 working days, open a support case at

    3. Confirm that you have export compliance and distribution approval. After the issues (if any) are resolved, you will get a confirmation email from Red Hat confirming that your project is Export Compliance Approved. The status on your project page will be green only when Red Hat grants both the Export Compliance and Distribution approval which will happen automatically if you have provided complete information. The approval emails will be sent to the email address specified in the Company Export Contact (for Customers) field of the form.

  8. Provide details about your container.

    Provide container details
  9. Provide the repository namespace, summary description , access level and other project details.

    Project details
  10. Create and attach product listing. In this final step, provide information to make the status of the “Pre Certification Checklist” green. You are expected to provide basic details about the product (like name, logo, company contacts etc.) with which your image is associated. We have clubbed all open source projects under a single “product” for simplicity.

Certification publishing

Follow these steps to publish the container:

  1. Ensure that there are no CVEs publishing the image. The Health Index of the image will be determined based on the scan that was run after it was submitted using the preflight utility in the previous steps. The image will be visible under the project’s Images tab but the Publish button will be enabled only after the CVEs have been resolved. The Health Index can be seen on the Images tab as shown below:

    Image Health Index

    Click the Vulnerablities tab to show more details as shown below:

    Image vulnerabilities

    Most of the vulnerabilities in this scenario originated from the base image and were fixed after pulling the latest base image and re-building the container to be published.

  2. Confirm that the image is available in the Red Hat Container Catalog. After the image has been published, you will see it on the Projects page, Images tab as below:

    Published image


This tutorial provides the basic flow of the Red Hat container certification process specifically for open source projects. More elaborate details and specifics about the prerequisites and each step of the process, how to troubleshoot, and so on, can be found in the official Red Hat documentation found here:

We'd like to hear about your experience with the certification process. Drop a comment here if you have any questions or run into any issues while following the steps outlined here.