Learn
This section is designed to help partners with fundamental container concepts, and Red Hat’s Universal Base Image
Container Primer
Developers working on application packaging and deployment methods likely know of Linux containers. Even if you think you know enough, it might be useful to take a step back and look at container basics.
Containers quite literally “contain” or isolate one or more processes from the host system in which they run on. This is only possible because all the runtime dependencies of the process or processes are included within the container.
One of the biggest benefits of container technology is portability, given the dependencies of the application/processes move with the container across different deployment footprints. Keep in mind that even though application dependencies are abstracted from the host, the host is still important. Some applications go deeper than others when it comes to interactions with the kernel API or system call layer (think networking solutions vs. a simple web server.) The more an application relies upon deeper layers into the host machine, the more important it is that the user space (containers) and host operating system are shipped together.
Choosing a base image is a crucially important part of the container journey, so even though all three linked resources are helpful, we highly recommend reviewing the "Choosing a Container Base Image" link below.
What is UBI? Basics and Key Points
If you want to provide your customers with production quality containers, you need a production quality base image. Red Hat Universal Base Image was created for this purpose, and it delivers with high quality base images that are Open Container Initiative (OCI) compliant. The OCI was put in place by a community organization to define industry standards for container image formats and runtimes. If an image follows the specification, it will enable anyone to run it using a compliant runtime.
UBI is built from a subset of the RHEL OS (user space only), and includes pre-built language runtimes for the most common application dependencies. These foundational OS packages and tools along with language dependencies form an ideal basis for developing and delivering container-based applications.
Being built off of Red Hat Enterprise Linux, users get the same hardening and security assurances as when using a traditional Red Hat Enterprise Linux image. UBI also follows the same release cadence and a similar life cycle. (No EUS or ELS for UBI).
UBI allows developers to create once and deploy anywhere. There is no need for developers to package their containerized applications for each target deployment, enabling true portability.
UBI images are certified and enterprise-grade, which means stable, secure, supported and up-to-date. With a 6 week rebuild schedule or whenever a critical or important security vulnerability is introduced these base images make developers lives easier and prevent deployment surprises.
Image Variations
There are four base images, spanning both Red Hat Enterprise Linux 7 and 8:
Micro: Is NEW and it’s a very small image, less than 15MB. It’s designed for applications that contain all of their own dependencies. No package manager is included, removing package manager dependencies and contributing to the size reduction. A big benefit of a small base image is a reduction in the attack surface. With open source it’s quite tempting to add additional packages and libraries to save yourself from needing to write code, but with each addition, especially using packages not shipped by Red Hat there is an increased chance of attacks. One of the main benefits of micro UBI is security. Check out the blog on UBI-Micro by Scott McCarty the Red Hat Product Manager of UBI, that includes a how-to tutorial.
Minimal: Contains a very small content set, and is also designed for applications that contain all of their own dependencies. A minimal package manager (microDNF) is added to install, update, and remove packages.
Platform: This is for any application that runs on RHEL. It includes the full YUM stack and other basic OS tools such as tar, gzip, and vi.
Multiservice: Sometimes multiple services are required to run within a single container. With the multi-service base image, systemD is configured to run on start, thus allowing multiple services to run in a single container.
For more detailed information about UBI, check out the links below. The first one takes you to a recently released webinar covering UBI basics and what is new (as of August 2021), and the second link is the presentation slides from the webinar. Both great resources from Scott McCarty our lead product manager for UBI.
Repositories
In addition to the OS packages and common prebuilt language runtimes there are other RPM packaged application dependencies available via UBI YUM/DNF repositories. Using the included package manager, you can add, remove, and update these dependencies as needed. Note that with the UBI minimal image you need to use microDNF and for the new micro image there is no package manager. Anyone using UBI has access to the UBI repositories without a RH subscription, and the built containers using these repositories are freely distributable (again per terms in the EULA). And remember the RPM packages in the UBI repositories are the exact same ones you’d find in the RHEL repositories, same hardening, same security, life-cycle and updates.
So, what if the UBI repositories don’t have the dependencies your container needs? What if you need access to the regular RHEL repositories? You can add packages from the full repositories of RHEL to your UBI based container images but you cannot legally distribute those containers, unless you are a registered partner of Red Hat Partner Connect. Then you can use the RHEL repositories and distribute them. We’ll double click into distribution and support in the next section.
Distribution and Support
UBI is not only awesome, it’s free! There is no cost or even subscription required to download it.
Applications built with UBI and UBI-compatible tools and packages can be freely distributed as per the UBI EULA. Registered Red Hat partners can add additional packages from the regular RHEL repositories as we covered previously and distribute them as well. Users may also choose their own registry, separate from Red Hat's internal registry.
Red Hat supports Universal Base Image-based containers when they are running on a supported container host, either RHEL or Open Shift. While UBI built container images may work on other, non-Red Hat container hosts, Red Hat will not provide support for the container image individually. So if your customer or user wants a supported container, make sure they're using a Red Hat subscription for their container host as well.
If you want need more details on support read on.
Applications built with UBI are supported when the following conditions are met:
Deployed on a Red Hat supported container platform (Red Hat OpenShift or Red Hat Enterprise Linux).
Uses a Red Hat supported container engine (Red Hat provided CRI-O, Podman, etc.).
Uses a Red Hat supported container runtime (Red Hat provided runc, etc.).
If a containerized application is deployed on any other container platform, or with any other container engine or runtime, users can receive updates, but support is not provided.
Additional Resources
If there was one resource that we would recommend to anyone who wants to learn about the Universal Base Image it would hands down be the UBI E-book! We can’t recommend this enough. Also you will find a great article here on images, packages, repos and source code for UBI. The Crunch Tools blog “Where is the UBI Dockerfile?” highlights the simplicity of UBI and the differences between base images and layered images.
Last updated