Build, Share, Collaborate
Containers offer a lighter-weight version of the Linux operating system’s userland stripped down to the bare essentials, but it’s still an operating system and the quality of a container matters just as much as the host operating system. This is why we have offered Red Hat Enterprise Linux (RHEL) images since Red Hat Enterprise Linux 7 GA, to offer customers certified and up-to-date enterprise-grade containers. Running RHEL container images on RHEL container hosts offers compatibility and portability between environments, not to mention familiarity. There was one problem. You couldn’t easily share it with others, even if they were a Red Hat Enterprise Linux customer or partner.
But now, that’s changed.
With the release of the Red Hat Universal Base Image (UBI), you can now take advantage of the greater reliability, security, and performance of official Red Hat container images where OCI-compliant Linux containers run - whether you’re a customer or not. This means you can build a containerized application on UBI, push it to a container registry server of your choosing, and share it. The Red Hat Universal Base Image can allow you to build, share and collaborate on your containerized application where you want.
With UBI, you can have the freedom to share and run your applications anywhere. But when you run them on Red Hat platforms like Red Hat OpenShift and Red Hat Enterprise Linux, there is additional value. Subscribers have access to product features and advocacy in the direction of the product roadmap. Running UBI on RHEL/OpenShift you can get:
Reasons to Use UBI
Here’s a set of wants and needs that might help you figure out if UBI is right for your needs:
My developers want a container image they can distribute more broadly
My operations team wants a supportable base image with an enterprise lifecycle
My architects want to deliver a Kubernetes Operator to my customers
My customers want enterprise support in their Red Hat environment
My community wants to share containerized applications more freely
If you said yes to one or more of these questions, or similarly formulated questions, then check out UBI.
More Than a Base Image
Less than a full operating system, UBI is three things:
- A set of three base images (ubi, ubi-minimal, ubi-init)
- A set of language runtime images (nodejs, ruby, python, php, perl, etc.)
- A set of associated packages in a YUM repository which satisfy common application dependencies
UBI is designed to be a foundation for cloud-native and web application use cases, developed in containers. All UBI content is a subset of RHEL. All of the packages in UBI come from RHEL channels and are supported like RHEL when run on Red Hat supported platforms like OpenShift & RHEL.
It takes a lot of engineering, security analysis and resources to provide quality support for container images. It requires testing not just of the base images, but also their behavior on a given container host.
To help ease upgrade challenges, Red Hat has focused heavily on engineering and support, allowing UBI 7 to be run on RHEL 8 hosts, and UBI 8 to be run on RHEL 7 hosts. This gives users greater flexibility and confidence during platform upgrades in the container image or the underlying hosts. These can now be broken up into two separate projects.
Three Base Images
- Minimal - Designed for applications that contain their own dependencies (Python, Node.js, .NET, etc.)
  - Minimized pre-installed content set
  - No suid binaries
  - Minimal package manager (install, update, and remove)
- Platform - For any application that runs on RHEL
  - Unified, OpenSSL crypto stack
  - Full YUM stack
  - Includes useful basic OS tools (tar, gzip, vi, etc.)
- Multi-Service - Eases running multiple services in a single container
  - Configured to run systemd on start
  - Allows you to enable the services at build time
Pre-Built Language Runtime Container Images
In addition to the base images which allow you to install languages, UBI provides developers pre-built images to consume a number of language runtimes. In many instances, developers can just consume an image and start working on the application they are building.
With the launch of UBI, Red Hat is providing two sets of images, one based on RHEL 7 and another set based on RHEL 8. Derived from Red Hat Software Collections (RHEL 7) and Application Streams (RHEL 8), these runtimes are scheduled for updates via up to four release trains per year so that you can have access to the latest, current versions.
Here’s the set of container images provided for UBI 7:
Here’s the set of container images provided for UBI 8:
Consuming pre-built images is great. Red Hat keeps them up to date and releases them when a new version of RHEL is released and when critical CVEs are patched, mirroring the RHEL image policy. We have designed this one so you can just pull one of these images and start building your application.
But, sometimes when you are building an application, you need that one extra package. Or sometimes, you need a package updated to make your application work. That’s why UBI also comes with a set of RPMs available via yum, and distributed on a highly available content delivery network. When you run a yum update in your CI/CD at that critical moment when you have to do a production release, you are hitting the same infrastructure our customers use.
RHEL is the Foundation
Containerized applications represent a wave of innovation in enterprise IT. They are game-changers in how they improve the development and maintenance of traditionally-monolithic applications. But containers aren’t a panacea. In the enterprise world, operating systems need stability, reliability and security tools, guidance, and timely fixes. These are needs that Red Hat Enterprise Linux is designed to answer. Here are just a few of the Red Hat teams working on base images:
A performance engineering team, charged with updating and maintaining fundamental libraries like glibc and OpenSSL, as well as language runtimes like Python and Ruby, designed to provide robust performance and work reliably with the workloads you choose to containerize.
A Product Security team dedicated to making sure the same libraries and languages receive timely security fixes - measured by an associated Container Health Index grade.
Product management and engineering teams dedicated to adding new features and driving a long lifecycle which is designed to give you confidence in an investment to build on top of it.
Red Hat Enterprise Linux is subscription-based, meaning your organization doesn’t have to shell out for licenses per release and support on top of those license fees. When you subscribe to RHEL, you’re entitled to run any of the current versions of RHEL. This includes access to Red Hat support and the goodness of a more secure, hardened and trusted Linux operating system. Red Hat Enterprise Linux serves as a great host and image for containers, but for many developers, they need to support a wider range of use cases, some of which may be outside of the supported scenarios for the world’s leading enterprise Linux operating system. That’s where UBI comes into play.
Now and into The Future
Perhaps today, you’re just looking for a base image to get you started with building a simple containerized application. Or, perhaps you are moving from standalone containers running on a container engine to a cloud-native world building and certifying Operators designed to run on OpenShift. Either way, we believe that UBI can provide a great foundation.
Containers encapsulate a lightweight operating system userspace in a new packaging format and Red Hat is the enterprise-grade Linux operating system leader. UBI is designed to set a new industry standard for container development by making enterprise-grade containers available to ISVs, customers and open source communities.
In particular, ISVs can standardize on a single, trusted foundation for their containerized applications, including Kubernetes Operators. ISVs using UBI can take advantage of Red Hat Container Certification and Red Hat OpenShift Operator Certification for continuous verification of software deployed on a Red Hat platform like OpenShift.
Getting started is designed to be easy. Podman is available not only in RHEL, but also in Fedora, CentOS, and several other Linux distributions. You can just pull an image from one of these repositories and go.
For UBI 8:
podman pull registry.access.redhat.com/ubi8/ubi
podman pull registry.access.redhat.com/ubi8/ubi-minimal
podman pull registry.access.redhat.com/ubi8/ubi-init
For UBI 7:
podman pull registry.access.redhat.com/ubi7/ubi
podman pull registry.access.redhat.com/ubi7/ubi-minimal
podman pull registry.access.redhat.com/ubi7/ubi-init
If you need more information, check out the full Universal Base Image Guide here:
About the author
Scott McCarty is technical product manager for the container subsystem team, which enables key product capabilities in OpenShift Container Platform and Red Hat Enterprise Linux. Focus areas include container runtimes, tools, and images. Working closely with engineering teams, at both a product and upstream project level, he combines personal experience with customer and partner feedback to enhance and tailor strategic container features and capabilities.