Red Hat is pleased to announce additional capabilities and support to easily build and launch Red Hat Enterprise Linux (RHEL) on Oracle Cloud Infrastructure (OCI). This is one of many outcomes from our collaboration, providing two exciting paths to assembling and deploying RHEL optimized and supported to run on virtual and bare metal OCI compute shapes.
Insights image builder
Coming soon! Red Hat will add OCI as a target for building and launching RHEL in our Red Hat Insights image builder workflow, as demonstrated in this preview image. This will provide complete integration with Insights management capabilities that include Inventory, Compliance, Vulnerability, Patching and much more.
RHEL image builder
For on-premises build nodes, the RHEL image builder enables you to assemble a highly customized “gold” image that conforms to your requirements, and more easily upload it to your account at OCI to launch from the console or existing orchestration workflows. This even includes applying industry-standard security compliance policies so that new instances are more secure by default.
Build and launch in OCI
The following guide demonstrates setting up a RHEL image builder node on RHEL 9, building a RHEL image that incorporates the CIS Level 2 baseline security compliance policy, and uploading and launching in OCI.
Prerequisites:
- Access to a RHEL 9 virtual machine with image builder installed and accessible.
- Access to an OCI tenancy with appropriate permissions and limits to create and launch a custom image on OCI virtual machine shapes. The user should have a set of API keys in order to provide image builder the credentials to upload the image.
- A blueprint file (optional).
- Install image builder
    # yum install -y osbuild-composer composer-cli cockpit-composer bash-completion scap-security-guide openscap-utils openscap-scanner
    # systemctl enable --now osbuild-composer.socket
    # systemctl enable --now cockpit.socket
    # firewall-cmd --add-service=cockpit && firewall-cmd --add-service=cockpit --permanent
    # source /etc/bash_completion.d/composer-cli
- Log in to the image builder web console on port 9090: https://HOSTNAME_OR_IP:9090
- Click Image Builder on the side navigation menu.
- Click Import Blueprint to upload a copy of the sample CIS L2 blueprint.
- Note 1: You will need to update the user credentials and SSH keys, because the values defined in the sample are non-functional placeholders.
- Note 2: Review and optionally modify the partition sizes according to how large you would like the final image to be.
- After the blueprint file is uploaded, select Create Image.
- In the Create Image window, select Oracle Cloud Infrastructure (.qcow2) for the image output type.
- Check the Upload to OCI checkbox.
- Enter the User OCID and the Private key and Fingerprint.
- Fill in the destination details of the resulting image (image name, OCI bucket, Bucket namespace, etc.).
- Click Next, then click Create.
It should only take a couple minutes for image builder to create the image and upload it into OCI. Once it is done, you should see the image listed under Custom Images in your OCI tenancy.
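A pre-import check for the two blueprint notes above, as an added example that is not part of the original post or of image builder: it flags placeholder SSH keys, plaintext passwords, a missing CIS profile, and CIS mount points without their own filesystem. The sample blueprint, the function names, the mount point list and the accepted hash prefixes are assumptions of this example.

```python
import base64, re, struct
try:
    import tomllib                      # Python 3.11+
except ImportError:
    import tomli as tomllib             # older interpreters: pip install tomli

# Mount points the CIS benchmark expects on separate filesystems
# (assumed list for this example; check it against your benchmark version).
CIS_MOUNTS = {"/home", "/tmp", "/var", "/var/log", "/var/log/audit", "/var/tmp"}
CIS_PROFILE = "xccdf_org.ssgproject.content_profile_cis"

# Constructed sample blueprint with the kind of placeholders Note 1 warns about.
SAMPLE = """
name = "rhel-9-cis-l2"
[customizations.openscap]
profile_id = "xccdf_org.ssgproject.content_profile_cis"
[[customizations.user]]
name = "myadmin"
password = "changeme"
key = "ssh-ed25519 AAAA_REPLACE_ME myadmin@example"
[[customizations.filesystem]]
mountpoint = "/var"
"""

def ssh_key_ok(line):
    """True if the base64 blob decodes and its embedded type matches the prefix."""
    try:
        ktype, b64 = line.split()[:2]
        blob = base64.b64decode(b64, validate=True)
        (n,) = struct.unpack(">I", blob[:4])    # length of the type string
        return blob[4:4 + n].decode() == ktype and len(blob) > 4 + n
    except Exception:
        return False

def lint_blueprint(text):
    cust = tomllib.loads(text).get("customizations", {})
    findings = []
    if cust.get("openscap", {}).get("profile_id") != CIS_PROFILE:
        findings.append("openscap profile is not " + CIS_PROFILE)
    for user in cust.get("user", []):
        name = user.get("name", "?")
        if "key" in user and not ssh_key_ok(user["key"]):
            findings.append(f"user {name}: SSH key is a placeholder or malformed")
        pw = user.get("password")
        if pw is not None and not re.match(r"^\$(6|y|2b)\$", pw):
            findings.append(f"user {name}: password is not a crypt hash")
    mounts = {fs.get("mountpoint") for fs in cust.get("filesystem", [])}
    findings += [f"no separate filesystem for {m}" for m in sorted(CIS_MOUNTS - mounts)]
    return findings

if __name__ == "__main__":
    print("\n".join(lint_blueprint(SAMPLE)) or "blueprint OK")
```

Run it against the edited blueprint file before clicking Import Blueprint; an empty result means none of the checks fired.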
After the image is created and uploaded into your OCI tenancy, we need to enable the bare metal shapes.
- Go to the custom image in your OCI tenancy under Compute -> Custom Images. Due to the way OCI imports custom images, you will first need to click on the image name, then select “Edit image capabilities” and save. No changes need to be made, but this step ensures it re-saves with the required attributes needed to launch.
- Click Create Instance.
- Change the Name (such as RHEL-9-CIS-L2)
- Change the Shape (such as to AMD or Intel Flexible OCPU count, VM.Standard3.Flex)
- Optionally add SSH keys. This may not be necessary if User+SSH were defined within the Blueprint of the RHEL build. Your own security policies may dictate the recommended practice for users and credentials.
- Click Create.
Once the instance State is “Succeeded”, you can log in via SSH at the IP address listed on the instance details page.
- Connect to Insights to validate with Insights Compliance reporting and remediation tools.
    [myadmin@rhel-9-cis-l2 ~]$ sudo rhc connect --organization ORGID --activation-key ACT_KEY
    Connecting rhel-9-cis-l2 to Red Hat.
    This might take a few seconds.
    ● Connected to Red Hat Subscription Management
    ● Connected to Red Hat Insights
    ● Activated the Remote Host Configuration daemon
    ● Enabled console.redhat.com services: remote configuration, insights, remediations, compliance
    Successfully connected to Red Hat!
    Manage your connected systems: https://red.ht/connector
    [myadmin@rhel-9-cis-l2 ~]$ sudo insights-client --compliance
    System uses SSG version 0.1.69
    Running scan for xccdf_org.ssgproject.content_profile_cis... this may take a while
    Uploading Insights data.
    Successfully uploaded report for rhel-9-cis-l2.
Conclusion
The ability to easily create “gold” images for new deployments that are tailored to individual customers’ specifications reduces complexity, technical debt and time to deployment. By incorporating security compliance policies that integrate into Insights Compliance, Vulnerability, and Advisor functionality, Red Hat makes it easier than ever for customers to deploy and manage their infrastructure.
To learn more, visit our documentation on Composing a customized RHEL system image and our hosted Insights image builder for new functionality delivered regularly.
About the author
Terry Bowling has been designing and working with customers on UNIX and GNU/Linux environments since 1999. He brings this experience to the RHEL Product Management team to provide the best experience for assembling and deploying RHEL for customers. This includes the RHEL installer, image builder and related build services for RHEL being developed at Console.RedHat.com.