How To Guide Open Stack Zone Preliminary Release 20180913
Red Hat Connect for Technology Partners
Getting Started Guide - OpenStack / NFV Zone

Prepared for: Product Managers and Technical Staff
Draft Version: 20180913 (preliminary release)

Table of Contents

Introduction
Register for RHC4TP & Request Technology Partnership
Request Zone Access
Add a Product
Add a New User to the RHC4TP Account
Request Software Access
Access granted software entitlements
Creating a Certification Project
In Tree vs Out of Tree
In Tree Certification Workflow
Out of Tree Certification Workflow
The Container Certification Checklist
Certification Checklist Section Descriptions
Preparing the Image For Scanning
Dockerfile Requirements
The Automated Build Service
Manually Upload Your Image
Downloading Your Unpublished Container
Image Scan Results
Export Compliance Questionnaire
Maintaining Certified Images
Top FAQs
Online Resources

Introduction

Welcome to Red Hat Connect for Technology Partners. This guide provides instructions on how to register for the Red Hat Connect for Technology Partner program. It also guides you through the process of obtaining a “Red Hat Certified” designation for an OpenStack plugin that you have made deployable via a Linux container using Red Hat technology.

The process involves preparing your containerized application so that it meets the criteria specified in the Red Hat Certification Policy Guide, submitting it to the Red Hat scan utility for certification, and publishing it so that the containerized application is available for consumption. Note that keeping the certification requires a commitment to maintaining the trustworthiness of the container, i.e., updating it as needed for security or other reasons.

NOTE: This document only covers partner registration with Red Hat Connect and the image certification scanning process for out of tree OpenStack plugins.
Functional testing and Red Hat OpenStack integration are out of scope of this document.

Register for RHC4TP & Request Technology Partnership

Go to connect.redhat.com and click LOG IN at the upper right of the page.
Click REGISTER.
Check to see if you have an existing account by searching your Red Hat account login Username.
If you do not have an existing User Account, check if your Company has an existing account by clicking SEARCH FOR YOUR COMPANY.

Note: If you find your company in the search field, please email connect@redhat.com to find out who the Org Admin is for your company, so they can add you to the existing account.

If your company does not have an existing account, click CAN’T FIND YOUR COMPANY and then click REGISTER NEW COMPANY.
Fill in all required fields and SUBMIT.
A confirmation Email will be sent (example email).
Once your Email has been confirmed, log in to your RHC4TP account at connect.redhat.com. You will be redirected to the Getting Started page.

Note: If you are not redirected, please click MANAGE COMPANY and then click BECOME A PARTNER.

You will now be required to complete the following sections (clicking Next after filling in the required information):
Company Details
Connect Details
My Profile

Once the Profile section is complete, you will need to review and accept the Technology Partner Program Agreement.

Request Zone Access

When you’re ready to certify your product on Red Hat Software, you will need to request Zone access and then create a Certification Project.

Go to connect.redhat.com and click LOG IN at the upper right of the page.
Click on COMPANY DASHBOARD.
Then select EDIT COMPANY PROFILE.
Complete all mandatory fields marked with an * and then click SUBMIT at the end of the page.
Click on ZONES at the top of the page.
Scroll down to the Join a Zone section.
Under the Zone you wish to join, click APPLY FOR ZONE ACCESS. For the OpenStack Plugins, you need to select OpenStack & NFV.
At this point you will be notified via Email upon approval of your Zone Request.

Add a Product

Log in to your RHC4TP account at connect.redhat.com.
Select the Human icon at the top right of the screen and select Company Dashboard from the dropdown menu.
Scroll down to the Products section.
Click ADD A PRODUCT.
Fill in all required information and click SUBMIT.

Note: The product information you enter will be used to feed the certified product catalog after certification is complete and approved by Red Hat, therefore verify all information is correct.

Note: If the plugin comes in multiple versions, you need to specify the different versions in order to create a Project for each version.

Note: The Product Contact Distribution List must contain at least one email.

Add a New User to the RHC4TP Account

Log in to your RHC4TP account at connect.redhat.com.
Click on the Human icon at the top right of the page and select Company Dashboard from the drop-down menu.
Scroll down to the Users section and click MANAGE USERS.
Click ADD NEW USER.
Fill in the required information, then click SAVE.

NOTE: For a User to access software and certification tools, you must check the Organization Administrator (Org Admin) box. Multiple users can be Organization Administrators.

Request Software Access

Log in to your RHC4TP account at connect.redhat.com.
Scroll down to the As a program member you receive section and click LEARN MORE under Software access.
On the Red Hat Software Access Page, scroll down to PLATFORMS and click REQUEST SUBSCRIPTION under the software you need.
You will receive an email once software access has been granted.

Access granted software entitlements

Go to access.redhat.com.
Click DOWNLOADS under Quick links at the bottom of the page.
Choose the product family.
Then follow the instructions to download.

Create a Certification Project

Log in to your RHC4TP account at connect.redhat.com.
Select ZONES at the top of the page.
Scroll down to the OpenStack & NFV Zone and click CREATE A PROJECT under it.
Complete the required fields and click SUBMIT.

Note: Select Tech Preview for the Release Category. General Availability is not an option for OpenStack plugins due to the API testing that is completed using the rhcert portal.

After you have created the Project, you will be presented with the page below.

A member of the RHC4TP team will contact you with further questions to determine whether your project is In Tree or Out of Tree. If you are not contacted, please send an email to connect@redhat.com. After the plugin status is confirmed and approved, you will be able to move on to the Certification Workflows.

In Tree vs Out of Tree

Projects can be contributed to the Red Hat Container platform following two separate processes: In Tree or Out of Tree. The descriptions below highlight the differences between both.

In Tree

In Tree plugins are included with the OpenStack upstream code base. In this case, Red Hat will build the plugin and will distribute it with every RHOSP 13 release. In Tree plugins also do not have to go through a container certification process, since Red Hat will verify that the plugin will work prior to release.

Out of Tree

Out of Tree plugins require an extra step called Container Certification. It is understood that partners that do not want their codebase to be distributed with RHOSP must take extra measures to ensure that their plugin adheres to our certification policy. Another major difference is that out of tree plugins must be built by the partner, scanned for security (by RH), and must be continuously maintained for security updates. Red Hat Connect has a built-in scanner that will review your container prior to publishing. Once all checks pass, the plugin can be published as tech preview.
Functional Certification

Both processes will still need to go through functional certification to ensure that the plugins are compatible with RHOSP prior to release. This process involves utilizing a self-hosted OpenStack environment and collaborating with RHOSP engineers by providing them with system logs. Once the plugins are confirmed to work with the RHOSP API, the project can then be switched from “Tech Preview” to “Generally Available”. The full functional certification guide can be found here:
https://access.redhat.com/documentation/en-us/red_hat_openstack_certification/1.0/html/red_hat_openstack_certification_workflow_guide/

In Tree = Plugin is included in the OpenStack upstream code base and the plugin image is built by Red Hat and distributed with RHOSP 13.
Out of Tree = Plugin image is NOT included in the OpenStack upstream code base and NOT distributed within RHOSP 13.

In Tree Certification Workflow

Once your project has been configured as In Tree (by Red Hat), you will be greeted with the ABC guide: Align, Build, Certify. This guideline is simply a list of steps to begin your plugin integration with RHOSP. Note that the red text is a link to official Red Hat documentation and that each step is a different part of the process. Once you have read through all of the documentation, click on the black text so that the list item has a strikethrough (see image below).

After all list items have been checked off, the “Request Certification” button will be clickable. Requesting certification will initiate the functional testing portion of the workflow and will change your project’s status to “Ready For Certification”.

Once you reach this page, you are ready to start the final step, functional certification. Functional certification involves creating your own self-hosted OpenStack environment and testing your plugin using packages created for this specific test. System logs will need to be collected and sent to Red Hat engineering for review.
A detailed guide of this step can be found here:
https://access.redhat.com/documentation/en-us/red_hat_openstack_certification/1.0/html/red_hat_openstack_certification_workflow_guide/

Once RHOSP engineers have determined that your plugin can integrate with the RHOSP platform, it will then be included in the upstream and will be released in the next major RHOSP release.

Out of Tree Certification Workflow

If the partner has not contributed the plugin to the OpenStack upstream code base, the image will need to complete the following checklist and use the Red Hat Automated Build Service (ABS) to push and scan the image. Once container certification is completed, functional testing will be the next step in releasing your container as Generally Available.

To get started, visit your company dashboard and select the project under the OpenStack & NFV Zone. Upon clicking on your project, you will be directed to your project detail page. The next steps relate to the Container Certification Checklist.

The Container Certification Checklist

Certified containers are applications that meet Red Hat’s best practices for packaging, distribution, and maintenance. Certified containers imply a commitment from partners to keep their images up to date and represent the highest level of trust and supportability for Red Hat customers’ container-capable platforms, including Red Hat OpenStack Platform.

To access the Certification Checklist, click on the option in the left hand box:

The goal is to complete all sections of the certification checklist. If you need more information, you can click on the dropdown arrows and it will provide you with relevant links.

Example of a Container Checklist in progress:

Certification Checklist Section Descriptions

● Update your company profile
  ○ This page is to ensure that your company profile is up to date. Edit if necessary.
● Update your product profile
  ○ This page relates to the product’s profile such as product type, description, repository URL, version, contact distribution list, etc.
● Accept the OpenStack Appendix
  ○ Site Agreement to the Container Terms.
● Update project profile
  ○ This section relates more to the image/container settings such as Auto Publish feature, registry namespace, release category, supported platforms.
  Note: There is a minor bug on this page. In the “Supported Platforms” section at the bottom, you must select an option, regardless of the zone your project is in (Containers/OpenStack). Selecting any option will allow you to save other required fields on this page.
● Package and test your application as a container
  ○ Follow the instructions on this page to configure the build service. The build service will be dependent on the completion of the previous steps.
● Upload documentation and marketing materials
  ○ This will bring you to the product page. Scroll to the bottom and click on Add new Collateral to upload your product information.
  Note: A minimum of 3 materials are required, with 1 being a mandatory “document” type. This is where you add your product information to your product page.
● Provide a container registry namespace
  ○ This is the same as the project profile page.
● Provide sales contact information
  ○ Again, this information is the same as the company profile.
● Obtain distribution approval from Red Hat
  ○ Red Hat will take care of this step.
● Configure Automated Build Service
  ○ The build service is where Red Hat will automatically build your container/image by utilizing the Dockerfile provided in your repository. The advantage of setting up the automated build service is that your image will update whenever the underlying base image/OS is updated, to ensure up-to-date security. Part of the agreement of using Red Hat’s services requires that your container meets a high security standard. See section “Build Service” to get started with this.
Preparing the Image For Scanning

Red Hat requires specific labels and metadata in your Dockerfile for the image to pass the scan. In addition to labels, the scanner also requires licenses, which must be added to the Dockerfile. Please see the OpenStack & NFV neutron and cinder examples in this link for guidance: https://github.com/RHC4TP/starter

Dockerfile Requirements

1. Base image must be Red Hat. Any images using Ubuntu, Debian, CentOS, etc. as a base will not pass the scanner.
2. You must configure the required labels (name, maintainer, vendor, version, release, summary).
3. Software license(s) must be included (txt file only) within the image and must be added in the root of the project.
4. You must configure a user other than root.

Below is a snippet of a Dockerfile which includes the aforementioned requirements:

The Build Service

What does it do?
This service automates the rebuilding of your image whenever an updated Red Hat package is available. It also scans your image (after a successful build) for any security vulnerabilities that may be present prior to publishing your image to the Container Catalog.

How does it work?
The build service clones your Github/Gitlab repository onto a build server, and uses the Dockerfile to build your image.

Why is this recommended?
It is a requirement from Red Hat to properly maintain your image by keeping up to date with the latest security updates. By not using the automated build service, you are opting into manually maintaining and rebuilding your image every time an update is released. Red Hat keeps track of your image by giving it a grade. If your image falls too far behind on security updates, your image grade will drop and the image will be flagged for removal from the Container Catalog.

Configuration

Configuration is very easy and straightforward.
Follow the steps below:

In the left hand box, click on Build Service:

Click on the Configure Automated Build Service tab and fill in the git repo and the Dockerfile name if it has a name other than “Dockerfile”.

If your repository is public, then all that is needed is the git source URL (HTTPS link).

If your repository is private, then you must configure the build service with the SSH link and a private ssh key. The git repository needs the public ssh key associated with the private key in order to successfully clone. It is recommended to create a new public and private ssh key just for the project. Never use your own personal private key.

Click the “Start New Build” button at the top of the page.

Enter a tag number (the version number of the plugin) and click SUBMIT to begin the build and scan process.

NOTE: The Build Service must first be completed before it can begin the scanning process for certification. If your Build Service fails or does not complete, make sure the details you entered under the Configure Build Service tab are correct and confirm that your Dockerfile conforms to the examples provided in this link.

Once the image has completed the scan in the Red Hat Connect repository, the image will show the results of the scan. Scans normally take about 10-15 minutes to complete.

The “View” button will expand on the scan results.
The “Publish” button will publish the image to the Red Hat Container Catalog. It will change to “Unpublish” once an image has been published.
The “Remove” button allows you to remove an image that you do not want to use or need anymore.

Note: If you would like to manually push your images instead of using the Automated Build Service, please see section Manually Upload Your Image.

Manually Upload Your Image

This information can be located in the Upload Your Image tab on the Projects page. Cut and paste the following line to your terminal.
# docker login -u unused -e none scan.connect.redhat.com

When prompted for the password, copy and paste the Registry Key located on the Upload Your Image tab in the project. This Registry Key is unique per project, so please make sure you are using the correct password for the project you are working on.

Downloading Your Unpublished Container

It is possible to download your unpublished container to test it on a local environment. To do so, visit the Upload Your Image tab and copy the last command for Push Your Container. Change the word “push” to “pull” and replace the data in the brackets with the data appropriate to your project. Use either one of the command formats below to pull your image from the registry.

If your image was built using the build service:

format:
# docker pull scan.connect.redhat.com/[pid]/partner-build-service:[image-tag]
example:
# docker pull scan.connect.redhat.com/p78693833236cdf211b0b7767fec4f6fe2a25b4e51/partner-build-service:1.2.0

If your image was built locally and pushed manually:

format:
# docker pull scan.connect.redhat.com/[pid]/[image-name]:[image-tag]
example:
# docker pull scan.connect.redhat.com/p78693833236cdf211b0b7767fec4f6fe2a25b4e51/my-awesomeplugin:1.2.0

Common Error:
Error response from daemon: unauthorized: authentication required

If your CLI complains of authorization being required after logging into the registry and performing a docker pull command, try these steps:

1. Log back into the registry: docker login -u unused -e none scan.connect.redhat.com
2. Copy the registry key and paste it on your command prompt as the password when prompted.
3. If you still get this error after docker pull, make sure that you physically type the commands. The only thing that should be copied and pasted is the registry key. Copying and pasting commands from PDF files or other programs or between VMs/hosts has been known to add special characters or trailing spaces that may alter your commands.
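A pre-submission check for the four items under Dockerfile Requirements above, written here as an added Python example (it is not Red Hat's scanner and not code from this guide). The registry prefixes used to recognize a Red Hat base image, the license-path heuristic and both sample Dockerfiles are assumptions constructed for illustration.

```python
import posixpath
import re
import shlex

REQUIRED_LABELS = {"name", "maintainer", "vendor", "version", "release", "summary"}
# Assumption (not from the guide): these prefixes identify a Red Hat base image.
RED_HAT_REGISTRIES = ("registry.access.redhat.com/", "registry.redhat.io/")
# Heuristic: any path in a COPY/ADD instruction whose name mentions "license".
LICENSE_PATH = re.compile(r"[^\s\"',\[\]]*licen[cs]e[^\s\"',\[\]]*", re.IGNORECASE)

# Constructed sample inputs (hypothetical plugin, not a real product).
GOOD_DOCKERFILE = r"""
FROM registry.access.redhat.com/rhel7
LABEL name="example/neutron-plugin" maintainer="dev@example.com" \
      vendor="Example Corp" version="1.2.0" \
      release="1" summary="Constructed sample plugin image"
COPY LICENSE.txt /LICENSE.txt
USER 1001
"""
BAD_DOCKERFILE = """
FROM centos:7
LABEL name="example/neutron-plugin" version="1.2.0"
COPY LICENSE.pdf /
USER root
"""


def instructions(text):
    """Yield (KEYWORD, args) per instruction, joining backslash continuations."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        parts = (pending + line).split(None, 1)
        pending = ""
        yield parts[0].upper(), parts[1] if len(parts) > 1 else ""


def lint(text):
    """Return {check: problem}; an empty dict means all four requirements pass."""
    base, user, labels, licenses = None, None, set(), []
    for keyword, args in instructions(text):
        if keyword == "FROM":
            # Only the final build stage ends up in the image, so start over.
            base = next((t for t in args.split() if not t.startswith("--")), "")
            user, labels, licenses = None, set(), []
        elif keyword == "LABEL":
            tokens = shlex.split(args)
            if tokens and "=" not in tokens[0]:
                labels.add(tokens[0])  # legacy "LABEL key value" form
            else:
                labels.update(t.partition("=")[0] for t in tokens)
        elif keyword in ("COPY", "ADD"):
            licenses += LICENSE_PATH.findall(args)
        elif keyword == "USER" and args:
            user = args.split()[0]

    problems = {}
    if not base or not base.startswith(RED_HAT_REGISTRIES):
        problems["base_image"] = f"base image {base!r} is not from a Red Hat registry"
    missing = sorted(REQUIRED_LABELS - labels)
    if missing:
        problems["labels"] = "missing required labels: " + ", ".join(missing)
    not_txt = [p for p in licenses if posixpath.splitext(p)[1].lower() not in ("", ".txt")]
    if not licenses:
        problems["license"] = "no COPY/ADD brings a license file into the image"
    elif not_txt:
        problems["license"] = "license files must be .txt: " + ", ".join(not_txt)
    if user is None or user.split(":")[0] in ("root", "0"):
        problems["user"] = "image runs as root; set USER to a non-root account"
    return problems


if __name__ == "__main__":
    print({"good": lint(GOOD_DOCKERFILE), "bad": lint(BAD_DOCKERFILE)})
```

A clean result here only covers the four listed requirements; the Red Hat Connect scan remains the check that decides certification.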
After the image has completed being uploaded, the image will display “Scan In-Progress” in the “Status” column.

Image Scan Results

If the image returns a “Failed” scan status, the results will automatically be displayed. Click on the name of the failed item (in this example, “has_licenses”) for reference to the policy guide.

*NOTE: If you receive an “Access Denied” link when accessing the Policy Guide, please reach out to connect@redhat.com

Export Compliance Questionnaire

Red Hat Export Questionnaire and Resource Links

This section references a set of questions provided by the Red Hat legal team for evaluation of export compliance by third party software vendors. The resource links and questions should be reviewed and answered by a legal representative of the partner. Completing and returning this document does not guarantee export compliance approval, but begins the evaluation process by Red Hat. Depending on the answers provided, a set of follow-up questions may be necessary. In the event that you have insufficient information to complete the questionnaire, some additional resources are provided in Part 2 below.

The evaluation process is outlined below:

Step 1: Red Hat provides questionnaire to partner to complete
Step 2: Partner engages their legal team to review and respond to questionnaire
Step 3: Partner returns completed questionnaire to Red Hat
Step 4: Within approximately 5 business days, Red Hat legal evaluates responses and
  a. Approves partner
  b. Defers decision
  c. Requests more information
  d. Declines partner

Part I: Red Hat Questionnaire

Please access and complete this export questionnaire. At this time, Red Hat is NOT able to accept applications that are authorized for export as encryption items under License Exception ENC §740.17(b)(2) and/or License Exception ENC §740.17(a) of the U.S. Export Administration Regulations.
Part II: Resources

In the event that your company has not previously gone through the process of obtaining an export classification, or if you have not gone through this process for the product that you intend to publish in the Red Hat Container Catalog, the U.S. Department of Commerce’s Bureau of Industry and Security provides these resources. Unfortunately Red Hat cannot provide any guidance or help with our partners’ export control compliance.

EAR/Encryption Overview
  https://bis.doc.gov/index.php/1-encryption-items-not-subject-to-the-ear/15-policy-guidance/encryption
  Guidance for determining whether your item is subject to the EAR.

Encryption items not subject to the EAR
  https://bis.doc.gov/index.php/1-encryption-items-not-subject-to-the-ear

Flowchart 1
  https://bis.doc.gov/index.php/documents/new-encryption/1654-flowchart1/file
  Item designed to use encryption NOT controlled under Category 5, Part 2

Flowchart 2
  https://bis.doc.gov/index.php/documents/new-encryption/1655-flowchart-2-1/file
  Item classified under an ECCN in Category 5, Part 2

License Exception ENC §740.17 / Mass Market Chart
  https://bis.doc.gov/index.php/documents/new-encryption/1651-740-17-enc-table/file

Chambers & Global - US Export Control Lawyers
  http://www.chambersandpartners.com/12788/525/editorial/5/1

Red Hat Export Control Product Matrix (for example purposes)
  https://www.redhat.com/en/about/export-control-product-matrix

Maintaining Certified Images

Image Maintenance Requirements

As software package vulnerabilities are discovered, it is important to rebuild container images to keep them up-to-date. Without automation this process quickly becomes onerous and reflects poorly on the catalog listing. Organizations frequently run vulnerable software but few want to download vulnerable software.

It is a requirement of the Red Hat Connect Partner Program that the partner maintain the image certification.
Red Hat publishes a “Container Health Index” (or CHI) as described here to inform partners about those situations where an image might need to be updated.

Reference: https://access.redhat.com/articles/2803031

If a container image falls below an "A" grade, a periodic email from connect@redhat.com will be sent out to the partner contact list.

Top FAQs

1. Who can upload images through the Portal?
   A. The administrator account created for your organization may upload images. However, this account may grant permissions to other user accounts so that those accounts may also upload images.

2. Can I change the Product Version after I created a Project?
   A. No, you cannot; therefore make sure you set it up correctly before starting any project with that product version. Keep in mind that the product version should be considered as the name of the image; the version can be specified later on when you Tag your image during the project.

3. Can a container be built on another version of Linux other than Red Hat?
   A. No, the Red Hat certification is a validation that the container, which is a combination of application software and Linux, is made of genuine Red Hat parts. Currently, Red Hat has just a little over one million paying customers. Our customers do not use other versions of Linux and pay us for the services and support we provide to them. Therefore, your container needs to be built on a version of Red Hat Linux.

4. Will the catalog support an ISO or virtual machine image as the container image?
   A. No, this certification process is specifically for containers. Therefore, your image needs to be in Dockerfile format. You can find an example provided by Red Hat Engineering: Dockerfile Examples

5. What path should my licenses be on?
   A. They should be on / (the root or home directory of where the application resides). They must be text files, not PDF. You can find an example provided by RH Engineer: Dockerfile Example

6. How do I change the namespace and repository name of my project?
   A. First, unpublish all containers. Then change the namespace/repo in the project settings. Finally, re-publish your containers.

7. How do I download my unpublished container?
   A. First log into the registry (scan.connect.redhat.com) using the appropriate registry key as the password for the project. Then use this docker pull command if you have used the build service (# docker pull scan.connect.redhat.com/[pid]/partner-build-service:[image-tag]); otherwise, use (# docker pull scan.connect.redhat.com/[pid]/[image-name]:[image-tag]). Look at the Downloading Your Unpublished Container section above for more information.

8. I pushed my image using a script but I do not see my image on the project page. Why is my project missing?
   A. Make sure you pushed your image to the correct endpoint. The correct endpoint is scan.connect.redhat.com. If you push your image to registry.rhc4tp.openshift.com, your image will not show up on the project page.

Online Resources

OpenStack Partner Integration
  https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html/partner_integration/index

OpenStack Documentation
  https://docs.openshift.com/container-platform/

Red Hat Atomic Recommended Practices for Container Development
  https://access.redhat.com/articles/1483053

Continuous integration Examples
  https://rhsyseng.github.io/containerzone-pipeline-library/#_example_jenkins_pipeline_using_docker

Examples of scan ready Dockerfiles
  https://github.com/RHC4TP/starter.git

Docker tagging
  https://docs.docker.com/engine/reference/commandline/tag/

Setting up a test RHEL system for building OpenStack images
  https://access.redhat.com/articles/1127153