-
Understand and use FROM (the concept of a base image) instruction.
-
Understand and use RUN instruction.
-
Understand and use ADD instruction.
-
Understand and use COPY instruction.
-
Understand the difference between ADD and COPY instructions.
- COPY Copies files from the build host into the file system of the resulting container image. Relative paths respect the host’s current working directory, known as the build context, and the working directory within the container as defined by WORKDIR. It is not possible to copy a remote file by using its URL with this Containerfile instruction.
- ADD Copies files or folders from a local or remote source and adds them to the container’s file system. If used to copy local files, those must be in the working directory. The ADD instruction also unpacks local .tar archive files to the destination image directory. Add can be used to copy file via URL as well.
-
Understand and use WORKDIR and USER instructions.
-
Understand security-related topics.
- Rootless container
-
Understand the differences and applicability of CMD vs. ENTRYPOINT instructions.
- The ENTRYPOINT instruction defines an executable, or command, that is always part of the container execution. This means that additional arguments in CMD are passed to the provided command.
- If you only use the CMD instruction, then passing arguments to the container overrides the command provided in the CMD instruction.
-
Understand ENTRYPOINT instruction with param.
ENTRYPOINT ["executable", "param1", ..., "paramN"]
or
CMD executable param1 ... paramN
-
Understand when and how to expose ports from a Containerfile.
-
Understand and use environment variables inside images.
-
Understand ENV instruction.
- The ENV instruction lets you specify environment dependent configuration, for example, hostnames, ports or usernames. Then the containerized application can pick these values as environment variables and use them accordingly.
-
Understand container volume.
Bind mount:
# podman run -p 8080:8080 --volume /www:/var/www/html:ro \
registry.access.redhat.com/ubi8/httpd-24:latest
# podman run --rm --name podman-server \
-v ~/www:/server:Z -p 8000:8000 \
registry.ocp4.example.com:8443/redhattraining/podman-python-server
Volume:
# podman volume create http-data
# podman run -p 8080:8080 --volume http-data:/var/www/html \
registry.access.redhat.com/ubi8/httpd-24:latest
tmpfs:
# podman run -e POSTGRESQL_ADMIN_PASSWORD=redhat --network lab-net \
--mount type=tmpfs,tmpfs-size=512M,destination=/var/lib/pgsql/data \
registry.redhat.io/rhel9/postgresql-13:1
# --mount type=TYPE,source=/path/on/host,destination=/path/in/container
TYPE: bind, volume, tmpfs
- Mount a host directory as a data volume.
Verify host directory within new namespace:
# podman unshare ls -l --directory ~/www
drwxrwx---. 1 root root 20 Jun 28 14:56 /home/student/www
Verify the group ID inside of the podman-server container:
# podman run --rm \
registry.ocp4.example.com:8443/redhattraining/podman-python-server id
uid=994(python-server) gid=994(python-server) groups=994(python-server)
Change the group of the ~/www directory and its content to the python-server group ID:
# podman unshare chgrp -R 994 ~/www
Verify the directory permissions in a new user namespace:
# podman unshare ls -ln --directory ~/www
drwxrwx---. 1 0 994 20 Jun 28 14:56 /home/student/www
Start podman-server container with the ~/www directory mounted as a bind mount:
# podman run --rm --name podman-server \
-v ~/www:/server:Z -p 8000:8000 \
registry.ocp4.example.com:8443/redhattraining/podman-python-server- Understand security and permissions requirements related to this approach.
- ???
- Understand the lifecycle and cleanup requirements of this approach.
- ???
FROM openshift/golang-builder@sha256:d027750cda93ab497afbde0e09ef3d12e0aac10e9c89ed6da866b15188c9969c AS builder
ENV __doozer=update BUILD_RELEASE=202303201129.p0.g95e39bf.assembly.stream BUILD_VERSION=v4.12.0 OS_GIT_MAJOR=4 OS_GIT_MINOR=12 OS_GIT_PATCH=0 OS_GIT_TREE_STATE=clean OS_GIT_VERSION=4.12.0-202303201129.p0.g95e39bf.assembly.stream SOURCE_GIT_TREE_STATE=clean
ENV __doozer=merge OS_GIT_COMMIT=95e39bf OS_GIT_VERSION=4.12.0-202303201129.p0.g95e39bf.assembly.stream-95e39bf SOURCE_DATE_EPOCH=1679307754 SOURCE_GIT_COMMIT=95e39bf0e31a5af9ebcee698a69a4996a39e221a SOURCE_GIT_TAG=openshift-4.2.0-rc.3-180-g95e39bf0e SOURCE_GIT_URL=https://github.com/openshift/image-registry
WORKDIR /go/src/github.com/openshift/image-registry
COPY . .
RUN hack/build-go.sh
FROM openshift/ose-base:v4.12.0-202303081116.p0.g7e8a010.assembly.stream
ENV __doozer=update BUILD_RELEASE=202303201129.p0.g95e39bf.assembly.stream BUILD_VERSION=v4.12.0 OS_GIT_MAJOR=4 OS_GIT_MINOR=12 OS_GIT_PATCH=0 OS_GIT_TREE_STATE=clean OS_GIT_VERSION=4.12.0-202303201129.p0.g95e39bf.assembly.stream SOURCE_GIT_TREE_STATE=clean
ENV __doozer=merge OS_GIT_COMMIT=95e39bf OS_GIT_VERSION=4.12.0-202303201129.p0.g95e39bf.assembly.stream-95e39bf SOURCE_DATE_EPOCH=1679307754 SOURCE_GIT_COMMIT=95e39bf0e31a5af9ebcee698a69a4996a39e221a SOURCE_GIT_TAG=openshift-4.2.0-rc.3-180-g95e39bf0e SOURCE_GIT_URL=https://github.com/openshift/image-registry
RUN yum install -y rsync && yum clean all && rm -rf /var/cache/yum
COPY --from=builder /go/src/github.com/openshift/image-registry/_output/local/bin/dockerregistry /usr/bin/
COPY images/dockerregistry/config.yml /
ADD images/dockerregistry/writable-extracted.tar.gz /etc/pki/ca-trust/extracted
USER 1001
EXPOSE 5000
VOLUME /registry
ENV REGISTRY_CONFIGURATION_PATH=/config.yml
ENTRYPOINT ["sh", "-c", "update-ca-trust extract && exec \"$@\"", "arg0"]
CMD ["/usr/bin/dockerregistry"]- Understand private registry security.
- Interact with many different registries.
- Understand and use image tags
- Push and pull images from and to registries.
- Back up an image with its layers and meta data vs. backup a container state.
Copying image layers to local directory:
# skopeo copy docker:// dir:/
Exporting and importing container:
# podman export -o myphp.tar 89a05634df20
# ls -l
-rw-r--r--. 1 yazheng yazheng 250502144 Apr 4 17:43 myphp.tar
- Run containers locally using Podman
- Get container logs.
- Listen to container events on the container host.
- Use Podman inspect.
- Specifying environment parameters.
- Expose public applications.
- Get application logs.
- Inspect running applications.
- Create application stacks
services:
frontend:
image: awesome/webapp
ports:
- "443:8043"
networks:
- front-tier
- back-tier
configs:
- httpd-config
secrets:
- server-certificate
backend:
image: awesome/database
volumes:
- db-data:/etc/data
networks:
- back-tier
volumes:
db-data:
driver: flocker
driver_opts:
size: "10GiB"
configs:
httpd-config:
external: true
secrets:
server-certificate:
external: true
networks:
# The presence of these objects is sufficient to define them
front-tier: {}
back-tier: {}- Understand container dependencies
- Working with environment variables
- Working with secrets
- Working with volumes
- Working with configuration
services:
redis:
image: redis:latest
configs:
- my_config
- my_other_config
configs:
my_config:
file: ./my_config.txt
my_other_config:
external: true
services:
redis:
image: redis:latest
configs:
- source: my_config
target: /redis_config
uid: "103"
gid: "103"
mode: 0440
configs:
my_config:
external: true
my_other_config:
external: true- Understand the description of application resources
- Get application logs
- Inspect running applications
- Connecting to running containers
As with all Red Hat performance-based exams, configurations must persist after reboot without intervention.
During the exam you may be required to work with one or more pre-written applications. You will not be required to modify application code however in some cases you may need to utilize supplied documentation in order to produce a new deployment of a given application.