
Today, we're thrilled to announce the general availability of image mode for Red Hat Enterprise Linux (RHEL). Image mode extends the use of Linux containers beyond applications by allowing users to build, deploy, and manage the underlying operating system (OS) with container images. Specifically, a technology called bootc (boot container) enables a container image to install a system so that the same infrastructure, processes, and automation used for applications applies to OS images, whether deploying across a data center, on bare metal, at the edge, or in the cloud. More than just a technical advancement, this represents a cultural shift for how organizations can bridge silos and connect disparate teams.

One RHEL, two modes

Image mode is included in all RHEL subscriptions and supported in versions 9.6 and 10 and newer. You can choose between deploying RHEL as you have historically (in what is now called package mode) or you can deploy using image mode. We encourage everyone to use and experiment with image mode and discover where this may fit in your IT landscape. To inspire some creative thinking, we have further reading on common use cases and working with GitOps automation.

If you love using package mode, fear not. There is no intent to do away with it, or force users to change modes. Each mode has different advantages, and we encourage everyone to use what's best for their workloads and operational preferences.

Table showing the differences between RHEL package mode and RHEL image mode

Podman Desktop and the bootc extension

The Podman Desktop application is a great way to get started and experience image mode on your local machine. With the release of RHEL 10, Podman Desktop is now included in RHEL through the RHEL extensions repository. For those of you who aren't yet running RHEL on your laptop (we see you!), this software is available for Mac, Windows, and other Linux distros as a Flatpak. Once installed, the Red Hat Extension Pack loads all required extensions to make it easy to authenticate to the registry and get started with image mode. The bootc extension has numerous improvements, including the simpler configuration of user accounts and authentication, injecting kickstarts into installer ISO images, and easier menu navigation. Perhaps most importantly, it includes the ability to easily launch an image as a local VM:

A one-click run of image mode containers in a VM

  

As a bonus, advanced OS configuration options are made easy in Podman Desktop:

Advanced OS configuration options in Podman Desktop

Security hardening profiles

Many users are familiar with the ease with which security baseline standards can be applied to RHEL. Not only do we frequently update our compliance tooling, but these standards can be applied with our installer and image builder, and managed at scale through Red Hat Satellite and Red Hat Insights. With this release, you can easily apply baseline hardening profiles like CIS, PCI-DSS, STIG, and HIPAA in a Containerfile, or apply your own custom profiles. To do so, add the following to a Containerfile and adjust as desired for your use case:

RUN dnf install -y openscap-utils scap-security-guide && dnf clean all
RUN oscap-im --profile pci-dss --results-arf /arf.xml /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml

Both machine and human readable reports are available. Here's a section of an HTML report:

html report
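
One way to gate a CI build on the machine-readable results from the oscap-im step above (an added example, not Red Hat's code). It assumes /arf.xml has been copied out of the image and that it embeds XCCDF 1.2 rule-result elements; the sample document, rule IDs and the choice of blocking outcomes are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"
# Outcomes that should stop a hardened image from being published (assumed policy).
BLOCKING = {"fail", "error", "unknown"}

# Constructed sample: a cut-down ARF document, not real oscap-im output.
SAMPLE_ARF = b"""<arf:asset-report-collection
    xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
    xmlns="http://checklists.nist.gov/xccdf/1.2">
  <arf:reports><arf:report id="xccdf1"><arf:content>
    <TestResult id="xccdf_org.example_testresult_sample">
      <rule-result idref="xccdf_org.example_rule_a" severity="high"><result>pass</result></rule-result>
      <rule-result idref="xccdf_org.example_rule_b" severity="medium"><result>fixed</result></rule-result>
      <rule-result idref="xccdf_org.example_rule_c" severity="high"><result>fail</result></rule-result>
      <rule-result idref="xccdf_org.example_rule_d" severity="low"><result>notapplicable</result></rule-result>
    </TestResult>
  </arf:content></arf:report></arf:reports>
</arf:asset-report-collection>"""


def summarize(arf_xml):
    """Return (Counter of outcomes, sorted (severity, rule id) pairs that block)."""
    root = ET.fromstring(arf_xml)
    counts, blocking = Counter(), []
    for rr in root.iter(XCCDF + "rule-result"):
        outcome = (rr.findtext(XCCDF + "result") or "unknown").strip()
        counts[outcome] += 1
        if outcome in BLOCKING:
            blocking.append((rr.get("severity", "unknown"), rr.get("idref", "?")))
    return counts, sorted(blocking)


def gate(arf_xml):
    """Exit status for CI: 0 if no blocking outcome, 1 otherwise."""
    counts, blocking = summarize(arf_xml)
    if not counts:
        return 1  # no rule results at all means the scan did not run; fail closed
    for severity, rule in blocking:
        print(f"BLOCKING {severity:8} {rule}")
    return 1 if blocking else 0


if __name__ == "__main__":
    # Usage: python arf_gate.py arf.xml   (with no argument, runs on the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ARF
    sys.exit(gate(data))
```

Results such as `fixed` and `notapplicable` are counted but do not block; an empty result set is treated as a failure so a skipped scan cannot pass the gate.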

Base images

Just like with applications built on a base container image (such as Red Hat's UBI images), image mode also starts with a base image. These images include a complete but minimal OS, making it easy to add applications or anything else needed. Base images are available in Red Hat's container catalog and are included with all RHEL subscriptions, including no-cost Developer subscriptions. For users who wish to extend the life of a minor release up to twenty-four months, we're excited to announce the availability of Extended Update Support (EUS) rhel-bootc images.

In addition, we now have tooling for you to create your own base images from scratch using the bootc-base-imagectl command. This is useful when you're targeting constrained environments, or when you just want more control over your base images for customized OS content.

We’ve also added two more powerful tools.

The first is container linting to help check for common issues and best practices in the build process. Simply add this to the end of Containerfiles:

RUN bootc container lint

Follow the prompts, as needed, during the build to correct any errors you may have made.

The second is bootc-base-imagectl rechunk, an advanced, post-processing tool that splits up the RPM content in an image into separate layers, which itself is similar to how we build our base image. While on the surface it may seem efficient to squash images, by chunking images we effectively reshare layers between container image builds, and help optimize network utilization. This tool executes on an existing container build. Please refer to the documentation for details.

Additionally, it's now straightforward to upgrade, downgrade, or switch kernels using RUN dnf -y upgrade kernel (and related commands) from inside base images. 

Management

Image mode unlocks greater flexibility in management strategy, aligning seamlessly with Red Hat Satellite 6.17. This release empowers you to manage image-based clients throughout their lifecycle, from initial provisioning to a wide range of Day 2 operations. Furthermore, the integrated container registry can be used for image updates in a similar fashion to how Satellite publishes RPM content.

  • If you're an existing Satellite user seeking to adopt image mode: This release offers a natural and integrated path forward. Familiar Satellite workflows can be extended to embrace the benefits of immutable infrastructure.
  • If your infrastructure leans towards Insights and Red Hat Ansible Automation Platform: Satellite features robust support for image mode. Leverage existing tooling and expertise to manage image-based systems effectively.

Recognizing the growing need for build automation, we've curated practical examples for integrating image mode into popular GitOps and CI/CD pipelines. With support for GitHub Actions, GitLab CI, Tekton, Jenkins, and Ansible Automation Platform, our dedicated repository provides a valuable starting point to streamline build processes and to drive production systems with consistency and efficiency. Explore some great examples to get an idea of what's possible.

Cloud instance re-provisioning

Building containers is typically faster than creating, uploading, publishing, and subsequently life-cycling cloud and virtual machine images. This release brings a new tool called system-reinstall-bootc that drastically streamlines deploying bootc images. Now you can spin up instances starting from a default cloud image as an installer. You can either run system-reinstall-bootc interactively or use the output from the tool to completely automate the process using cloud-init.

Building a container with bootc

A compelling advantage of this model is that it avoids the need to generate disk images from container images at all, streamlining the build and deployment process. While this process is highly effective for iterating on builds, and combating disk image sprawl, we recognize that numerous use cases benefit from deploying disk images that directly boot into the desired state.

The bootc-image-builder tool continues to provide a quick means for converting bootc container images to disk images for all major hyperscalers and virtualization platforms.  

Hidden gems

In this release, we've made it more accessible to test out temporary changes to your operating system using the sudo dnf install --transient command. Use cases for this span applying hotfixes, troubleshooting, or even setups that run Ansible on boot. Keep in mind that this is a privileged command, and the operations are reset on boot. 

The bootc-image-builder tool continues to be a powerful tool for generating dedicated bare metal installers and native disk images for all the main virtualization platforms and hyperscalers. It's now fully supported, and this release brings improved UX and progress bars. Additionally, mount units are now used in place of the traditional /etc/fstab file to define filesystem mounts. This overcomes historic limitations with merging changes to a single file.

Next steps

We couldn't have done this without our amazing early adopters and community. Thanks to your feedback, we've been able to polish image mode to meet real-world needs, and bridge the DevOps divide. Join us as we explore how image mode in RHEL is revolutionizing application delivery and empowering teams to innovate faster!

We encourage everyone to try out image mode using either Podman Desktop, or our interactive lab. You can also read the official image mode documentation and view CI/CD examples of image mode in action.


About the author

Ben Breard is a Senior Principal Product Manager at Red Hat, focusing on Red Hat Enterprise Linux and Edge Offerings.
