Experiences patching a RHEL 7.1 base Docker image


Scenario

You have Docker installed on a host system and you want to deploy a patched Red Hat Enterprise Linux base Docker image. Two options are presented below, along with the challenges I had to overcome to get either of them working.


Option #1

Start an interactive shell into a RHEL 7.1 docker container.

# docker run -it registry.access.redhat.com/rhel7.1 bash

Run yum update inside the container.

[root@0e439b6c0ec6 /]# yum update -y
Loaded plugins: product-id, subscription-manager

https://mysatelliteserver/pulp/repos/myorganization/myenvironment/mycontentview/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml: [Errno 14] HTTPS Error 404 - Not Found
Trying other mirror.


 One of the configured repositories failed (Red Hat Enterprise Linux 7 Server (RPMs)),
 and yum doesn't have enough cached data to continue. At this point the only
 safe thing yum can do is fail. There are a few ways to work "fix" this:

     1. Contact the upstream for the repository and get them to fix the problem.

     2. Reconfigure the baseurl/etc. for the repository, to point to a working
        upstream. This is most often useful if you are using a newer
        distribution release than is supported by the repository (and the
        packages for the previous distribution release still work).

     3. Disable the repository, so yum won't use it by default. Yum will then
        just ignore the repository until you permanently enable it again or use
        --enablerepo for temporary usage:

            yum-config-manager --disable rhel-7-server-rpms

     4. Configure the failing repository to be skipped, if it is unavailable.
        Note that yum will try to contact the repo. when it runs most commands,
        so will have to try and fail each time (and thus. yum will be be much
        slower). If it is a very temporary problem though, this is often a nice
        compromise:

            yum-config-manager --save --setopt=rhel-7-server-rpms.skip_if_unavailable=true

failure: repodata/repomd.xml from rhel-7-server-rpms: [Errno 256] No more mirrors to try.

https://mysatelliteserver/pulp/repos/myorganization/myenvironment/mycontentview/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml: [Errno 14] HTTPS Error 404 - Not Found

Ugh! We hit an error: yum cannot fetch repodata from the Satellite server. If you encounter the same error, pass the Red Hat release version explicitly with yum's "--releasever" parameter, as shown below.

[root@0e439b6c0ec6 /]# yum update -y --releasever=7.1
Loaded plugins: product-id, subscription-manager
Resolving Dependencies
--> Running transaction check
---> Package bash.x86_64 0:4.2.46-12.el7 will be updated
 ...
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Importing GPG key 0xFD431D51:
 Userid     : "Red Hat, Inc. (release key 2) <security@redhat.com>"
 Fingerprint: 567e 347a d004 4ade 55ba 8a5f 199e 2f91 fd43 1d51
 Package    : redhat-release-server-7.1-1.el7.x86_64 (@koji-override-1/7.0)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Importing GPG key 0x2FA658E0:
 Userid     : "Red Hat, Inc. (auxiliary key) <security@redhat.com>"
 Fingerprint: 43a6 e49c 4a38 f4be 9abf 2a53 4568 9c88 2fa6 58e0
 Package    : redhat-release-server-7.1-1.el7.x86_64 (@koji-override-1/7.0)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Running transaction check
Running transaction test


Transaction check error:
  file /usr/lib64/libsystemd-daemon.so.0 from install of systemd-libs-219-19.el7.x86_64 conflicts with file from package systemd-container-libs-208.20-6.el7.x86_64
  file /usr/lib64/libsystemd-id128.so.0 from install of systemd-libs-219-19.el7.x86_64 conflicts with file from package systemd-container-libs-208.20-6.el7.x86_64
  file /usr/lib64/libsystemd-journal.so.0 from install of systemd-libs-219-19.el7.x86_64 conflicts with file from package systemd-container-libs-208.20-6.el7.x86_64
  file /usr/lib64/libsystemd-login.so.0 from install of systemd-libs-219-19.el7.x86_64 conflicts with file from package systemd-container-libs-208.20-6.el7.x86_64
  file /usr/lib64/libudev.so.1 from install of systemd-libs-219-19.el7.x86_64 conflicts with file from package systemd-container-libs-208.20-6.el7.x86_64
  file /usr/lib64/security/pam_systemd.so from install of systemd-libs-219-19.el7.x86_64 conflicts with file from package systemd-container-libs-208.20-6.el7.x86_64

Error Summary
-------------

We hit another error. This one is a known Red Hat bug (1284056): the systemd-container-libs package shipped in the base image conflicts with the systemd-libs update. The good news is that there is a workaround: swap the systemd-container packages out for the regular systemd packages, then run the update again.

[root@0e439b6c0ec6 /]# yum --releasever=7.1 swap -y -- remove systemd-container\* -- install systemd systemd-libs
Loaded plugins: product-id, subscription-manager
Resolving Dependencies
--> Running transaction check
---> Package systemd.x86_64 0:219-19.el7 will be installed
...
Complete!
[root@0e439b6c0ec6 /]# yum update -y --releasever=7.1
Loaded plugins: product-id, subscription-manager
Resolving Dependencies
--> Running transaction check
---> Package bash.x86_64 0:4.2.46-12.el7 will be updated
...
Complete!

Bingo! A completely patched RHEL 7.1 Docker image. The final step is to commit the changes: exit the running container by typing "exit", then run docker commit against the container ID to save the patched filesystem as a new image.

# docker commit 0e439b6c0ec6 myprivatedockerregistry:5000/rhel7.1-patched

Golden! And the security department is happy!!


Option #2

Now for the easy way. Create a Dockerfile with the contents below. It applies the same two fixes from Option #1 (the systemd swap and --releasever=7.1) and cleans the yum cache so the cached metadata does not bloat the image layer.

FROM registry.access.redhat.com/rhel7.1

RUN yum clean all && \
    yum --releasever=7.1 swap -y -- remove systemd-container\* -- install systemd systemd-libs && \
    yum update -y --releasever=7.1 && \
    yum clean all

Run the docker build command and you're done!

# docker build -t myprivatedockerregistry:5000/rhel7.1-patched .
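Whichever option you use, it is worth confirming that the image you are about to push really is fully patched before the security department signs off. The script below is an added example, not part of the original post: it runs yum's check-update inside a throwaway container and interprets its exit code (0 means nothing to update, 100 means updates are pending, anything else is an error such as the 404 seen earlier), and it scans the installed package list to make sure no systemd-container packages survived the swap. It assumes docker is on PATH, that the image name you pass in VERIFY_IMAGE is the one you tagged above, and that the container can still reach the Satellite repositories.

```shell
#!/bin/sh
# Added example (not from the original post): post-build verification of a
# patched RHEL 7.1 image. Assumes docker is on PATH and the image can reach
# the same yum repositories that were used to patch it.

# Translate the exit code of "yum check-update" into a label.
# yum documents these codes: 0 = no updates, 100 = updates available,
# anything else = an error (repo unreachable, bad releasever, ...).
classify_check_update() {
    case "$1" in
        0)   echo "up-to-date" ;;
        100) echo "updates-pending" ;;
        *)   echo "error" ;;
    esac
}

# Read an "rpm -qa" listing on stdin and report any systemd-container*
# packages, which the swap in the Dockerfile is supposed to have removed.
# Returns 1 (and prints the offenders) if any are still installed.
leftover_container_pkgs() {
    leftovers=$(grep '^systemd-container' || true)
    if [ -n "$leftovers" ]; then
        printf '%s\n' "$leftovers"
        return 1
    fi
    return 0
}

# Run both checks against a built image; returns 0 only if the image has no
# pending updates and no leftover systemd-container packages.
verify_image() {
    img="$1"

    # Same --releasever as the Dockerfile, otherwise check-update hits the
    # repodata 404 from Option #1 and reports an error instead of a result.
    if docker run --rm "$img" yum -q check-update --releasever=7.1 >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    status=$(classify_check_update "$rc")
    echo "check-update: $status"

    if ! docker run --rm "$img" rpm -qa | leftover_container_pkgs; then
        echo "systemd-container packages are still installed; the swap did not take effect"
        return 1
    fi

    [ "$status" = "up-to-date" ]
}

# Only talk to docker when an image name is supplied, so the functions above
# can also be sourced and reused without side effects.
if [ -n "${VERIFY_IMAGE:-}" ]; then
    verify_image "$VERIFY_IMAGE"
fi
```

Usage: `VERIFY_IMAGE=myprivatedockerregistry:5000/rhel7.1-patched sh verify-image.sh`. A non-zero exit means the image should not be pushed yet; "updates-pending" usually means new errata landed in the content view since the build, while "error" means the repositories were not reachable from inside the container, so the result is inconclusive rather than clean.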