We're pleased to announce that Red Hat Enterprise Linux Atomic Host 7.4 is now generally available. Red Hat Enterprise Linux Atomic Host is a lightweight, container-optimized version of Red Hat Enterprise Linux. Red Hat Enterprise Linux Atomic Host couples the flexible, modular capabilities of Linux containers with the reliability and security of Red Hat Enterprise Linux in a reduced footprint, to decrease the attack surface and provide only the packages needed to light up hardware and run containers. Here's a look at some of the major changes in 7.4.
OverlayFS now fully supported with SELinux
After being introduced in Red Hat Enterprise Linux 7.1 as a technology preview, OverlayFS is now fully supported in Red Hat Enterprise Linux 7.4 and Red Hat Enterprise Linux Atomic Host 7.4 when used with docker as the docker graph driver under the conditions described in the release notes.
As the name implies, OverlayFS is a type of file system that allows users to overlay a file system on top of another file system. When changes are made to a file, they are stored in the "upper" file system and the "lower" file system remains unchanged. This is used for Linux containers to allow writes to container images, which may be shared among multiple running containers. This will also convey performance benefits when using OverlayFS, particularly for container builds. Red Hat recommends using the overlay2 graph driver with Linux containers.
With 7.4, OverlayFS now has SELinux support and is fully supported as a graph driver for Linux containers. Note that OverlayFS is still only supported with XFS as the underlying file system, and is not supported for persistent storage for containers. Persistent storage for containers should still be placed on non-OverlayFS volumes to be supported.
LiveFS brings updates without reboot
We introduced package layering with rpm-ostree in Atomic Host with 7.3, and the 7.4 release brings this to fully supported. Package layering allows you to add packages that aren't part of the original install to the system permanently. This is useful for adding diagnostic tools, monitoring tools, or packages that add support for hardware.
Previously, using the atomic host install and atomic host uninstall commands (aka package layering) with Atomic Host required a reboot to take effect. In this release, we're delivering LiveFS functionality to allow users to let package changes take effect without a reboot. This is currently in technology preview stage with 7.4, and a reboot is still required for rpm-ostree updates (kernel & user space).
With Red Hat Enterprise Linux 7.4 and Red Hat Enterprise Linux Atomic Host 7.4, we now offer user namespaces with Linux containers. This means that processes inside a container have their own namespace that maps to unprivileged namespaces outside the container. So a root user in the container does not map to the root user outside the container.
Package signing, Container Health Index, and more
Red Hat's work on Linux containers goes far beyond RHEL Atomic Host. We are constantly working to improve the end-to-end delivery of Linux containers from the base image, to the host platform, to orchestration and more. In addition to the new features present in RHEL Atomic Host 7.4, here's a few noteworthy improvements beyond RHEL and RHEL Atomic Host for Linux containers.
In May, we announced the addition of the Container Health Index to the Red Hat Container Catalog. The Container Health Index is an easy-to-understand grade (A to F) detailing how images should be consumed and evaluated for production systems, based in part on the age and impact of unapplied security errata across all components of a container.
Last week, we delivered signing for all Red Hat images in the Container Catalog. As Aaron Weitekamp wrote last week, "customers can now configure a Red Hat Enterprise Linux host to cryptographically verify that images have come from Red Hat when they are pulled onto the system. This is a significant step in advancing the security of container hosts, providing assurance of provenance and integrity and enabling non-repudiation." Be sure to check out Aaron's post for the full details on using and verifying the signatures in your environment.
As you can see, there's a lot of container goodness in Red Hat Enterprise Linux Atomic Host 7.4. Watch this blog in the next few weeks for more details on using some of the new features in 7.4.