How To Guide Red Hat Open Shift & Container Zone Preliminary Release 20180912

User Manual:

Open the PDF directly: View PDF .
Page Count: 23









Red Hat Connect for Technology Partners

Getting Started Guide - Red Hat OpenShift & Container









Prepared for: Product Managers and Technical Staff

Draft Version: 20180912 (preliminary release)











































 

Table of Contents

Introduction 3

Register for RHC4TP & Request Technology Partnership 4

Request Zone Access 6

Add a Product 7

Add a New User to the RHC4TP Account 8

Request Software Access 9

Access granted software entitlements 10

Create a Certification Project 10

Primed & Container Certification 11

Primed 11

Container Certification Checklist 13

Red Hat Partner Logo 13

Build Service 16

Manually Upload Your Image 18

Image Scan 19

Image Results 19

Export Compliance Questionnaire 20

Maintaining Certified Images 21

Top FAQs 23

Online Resources 23





 

2

Introduction

Welcome to Red Hat Connect for Technology Partners. This guide provides instructions on

how to register for the Red Hat Connect for Technology Partner program.

This document will also guide you through the process of obtaining a “Red Hat Certified”

designation for an application that you have made deployable via a Linux container using

Red Hat technology.



The process involves preparing your containerized application so that it meets certain criteria

as specified in the Red Hat Certification Policy Guide, submitting it to Red Hat for review and

certification, and publishing it so that the containerized application is available for

consumption.



It should be noted that the ability to maintain the certification requires a commitment to

maintaining the trustworthiness of the container, i.e., updating it as needed for security or

other reasons.





 

3

Register for RHC4TP & Request Technology Partnership



Go to connect.redhat.com and click LOG IN



at the upper right of the page.



Click REGISTER



.

 

Check to see if you have an existing account by searching your Red Hat account login

Username.



If you do not have an existing User Account, check if your Company has an existing account by

clicking SEARCH FOR YOUR COMPANY



.



NOTE: If you find your company in the search field, please email connect@redhat.com to

find out who the Org Admin is for your company, so they can add you to the existing

account.







If your company does not have an existing account, click CAN’T FIND YOUR COMPANY



and then

click REGISTER NEW COMPANY



.



4

Fill in all required fields and SUBMIT



.







A confirmation Email will be sent (example email)





Once your Email has been confirmed, log in to your RHC4TP account at connect.redhat.com.

You will be redirected to the Getting Started



page.



NOTE: If you are not redirected, please click MANAGE COMPANY



and then click BECOME A

PARTNER



You will now be required to complete the following sections (clicking Next



after filling in the

required information):

Company Details

Connect Details

My Profile







5

Once the Profile section is complete, you will need to review and accept the Technology

Partner Program Agreement..





Request Zone Access

When you’re ready to certify your product on Red Hat Software, you will need to request Zone

access and then create a Certification Project.

Go to connect.redhat.com and click LOG IN



at the upper right of the page.



Click on COMPANY DASHBOARD





Then select EDIT COMPANY PROFILE



Complete all mandatory fields marked with an * and then click SUBMIT



at the end of the page



Click on ZONES



at the top of the page.









Scroll down to Join a Zone section.



Under the RED HAT OPENSHIFT & CONTAINER ZONE, click APPLY FOR ZONE ACCESS



.

6







You will be notified via Email upon approval of your Zone Request.



Add a Product

Log in to your RHC4TP account at connect.redhat.com.



Select the Human



icon at the top right of the screen and select Company Dashboard



from the

dropdown menu.



Scroll down to Products



section.



Click ADD A PRODUCT



.



Fill in all required information,



including adding your LOGO



and click SUBMIT



.













7







If your Product requires more than one container, add the container names separately under

Product Version. Example:





Note: The product information you enter will be used to feed the certified product catalog

after certification is complete and approved by Red Hat, therefore verify all information is

correct.





Add a New User to the RHC4TP Account

Login to your RHC4TP account at connect.redhat.com



Click on the Human



icon at the top right of the page and select Company Dashboard



from the

drop-down menu



Scroll down to Users



section



and click MANAGE USERS



.

8

Click ADD NEW USER



Fill in required information, then click SAVE



.







NOTE: For a User to access software and certification tools, you must check the Organization

Administrator (Org Admin) box. Multiple users can be Organization Administrators.



Request Software Access

Log in to your RHC4TP account at connect.redhat.com.



Scroll down to the As a program member you receive section



and click LEARN MORE



under

Software access.



On the Red Hat Software Access Page, scroll down to PLATFORMS



and click REQUEST

SUBSCRIPTION



under the software you need



You will receive an email once software access has been granted.

9

Access granted software entitlements

Go to access.redhat.com



Click DOWNLOADS



under Quick links at the bottom of the page



Choose the product family



Then follow the instructions to download





Create a Certification Project

Log in to your RHC4TP account at connect.redhat.com.



Select ZONES



at the top of the page.



Scroll down to the Zone you wish to create the Project under and click CREATE A PROJECT



.









Complete the required fields and click SUBMIT



.



















10

Primed & Container Certification

To find the Checklist for Primed and Container Certification go to your Project Page and select

Certification Checklist located on the left menu under Actions.





Primed

Primed is a technical readiness designation for applications that interoperate with OpenShift.

Through Primed, partners indicate that they have verified their product’s functionality on

OpenShift, taking the first step towards the ongoing commitment of container certification.

Primed is also the suggested path for products that integrate with OpenShift but are not

packaged as containers.



To achieve the Primed designation, complete the Primed section of the Container Checklist



Primed Listing

To find the Checklist for Primed Listing go to your Project Page and select Certification

Checklist located on the left menu under Actions.

11

Submitting Primed Evidence

Evidence must be submitted for review. To submit your evidence click on the START



button for

the item located on the Checklist.



This will now take you to the Settings Page of your Project. Fill out all mandatory fields.

Scroll all the way to the section: Supporting Documentation for Primed and add all evidence

links.

Click SUBMIT



at the end of the page.



Now you will have completed that item on the checklist. The check marked box only indicates

that the evidence has been submitted, NOT approved. Once the evidence is submitted, you will

need to click GET LISTED



button on the Certification Checklist Page.













12

Fill out the Contact form for your evidence to be reviewed. Make sure to include evidence and

copy the URL of your project.







Your evidence will reviewed and if your application successfully demonstrates running on the

latest release of OpenShift, it will be listed in in the OpenShift Primed page found here.



https://access.redhat.com/openshift-primed/



NOTE: It will take around 2 weeks after approval for you Company Listing to show.





Container Certification Checklist

Certified containers are applications that meet Red Hat’s best practices for packaging,

distribution and maintenance. Certified containers imply a commitment from partners to

maintain their images up to date and represent the highest level of trust and supportability for

Red Hat customers container-capable platforms, including OpenShift

For Container Certification, complete the Certified



section of the checklist and publish the

image. The certified container will be published in the Red Hat Container Catalog (RHCC)

Example of Container Checklist in progress:

13

Container Checklist

The certified container will be published in the Red Hat Container Catalog (RHCC) along with

containers published by Red Hat and those published by other software companies. The RHCC

is the public-facing website that showcases the containerized applications suitable for

enterprise consumption. RHCC pages will allow for publishing information about the partner

company, and company’s products, as well as technical information about the containerized

application. There will also be a way to link in assets from the partner company (by URL) that

provide additional information about the product, for example a datasheet, a solution brief, a

pre-recorded webinar, a case study, etc. The data populating the RHCC is sourced from the

Connect site. Therefore, it is important to review the company and product entries on Connect

prior to publishing the container to RHCC.



Before your image gets published you must complete the Certification Checklist. Once all items

are completed and your image has passed the scan, you will be able to publish to the Red Hat

Container Catalog.



Each item on the Checklist has more information, you can select the drop down arrow located

to the left of each item to Learn More.



















Certification Checklist Section Descriptions

●Update your company profile

○ This page is to ensure that your company profile is up to date. Edit if necessary.

●Update your product profile

○This page relates to the product’s profile such as product type, description,

repository URL, version, contact distribution list, etc.

●Accept the OpenStack Appendix

○Site Agreement to the Container Terms.

●Update project profile

○This section relates more to the image/container settings such as Auto Publish

feature, registry namespace, release category, supported platforms.

●Package and test your application as a container

○Follow the instructions on this page to configure the build service. The build

service will be dependent on the complete of the previous steps.

●Upload documentation and marketing materials

○This will bring you to the product page. Scroll to the bottom and click on Add

new Collateral



to upload your product information.

NOTE: A minimum of 3 materials are required, with 1 being a mandatory “document” type.

This is where you add your product information to your product page.



●Provide a container registry namespace

○This is the same as the project page profile page.

●Provide sales contact information

14

○Again, this information is the same as the company profile.

●Obtain distribution approval from Red Hat

○Red Hat will take care of this step.

●Configure Automated Build Service

○The build service is where Red Hat will automatically build your container/image

by utilizing the Dockerfile provided in your repository. The advantage of setting

up the automated build service is that your image will update whenever the

underlying base image/OS is updated, to ensure up-to-date security. Part of the

agreement of using Red Hat’s services requires that your container meets a high

security standard. See section “Build Service” to get started with this.

Red Hat Partner Logo

To download the Red Hat Technology Partner logo



, please go to

https://connect.redhat.com/benefits/marketing



If you have a product certified on Red Hat Technology, please contact us at

connect@redhat.com so that we can send you the Certified Product



logo.

Please contact connect@redhat.com for any questions or concerns. 



Dockerfile Requirements

You can use this link as a reference to how the Dockerfile needs to be configured to have your

image build and pass the scan successfully. Depending on your zone, navigate to the

appropriate directory. Here’s an example of a Dockerfile for a service you may want to build on

RHEL 7.



Note: Although labels and licenses are not required to successfully build a running container,

they are required for the Red Hat build service and scanner.

1. Base image must be Red Hat. Any images using Ubuntu, Debian, CentOS, etc as a base

will not pass the scanner.

2. You must configure the required labels (name, maintainer, vendor, version, release,

summary)

3. Software license(s) must be included within the image.

4. You must configure a user other than root.

Below is a snippet of a Dockerfile which includes the aforementioned requirements:

Dockerfile Example:



15

The Build Service

What does it do?

This service automates the rebuilding of your image whenever an updated Red Hat package is

available. It also scans your image (after a successful build) for any security vulnerabilities that

may be present prior to publishing your image to the Container Catalog.

How does it work?

The build service clones your Github/Gitlab repository onto a build server, and uses the

Dockerfile to build your image.

Why is this recommended?

It is a requirement from Red Hat to properly maintain your image by keeping up to date with

the latest security updates. By not using the automated build service, you are opting into

manually maintaining and rebuilding your image every time an update is released.

Configuration

Configuration is very easy and straightforward. Follow the steps below:

In the left hand box, click on Build Service



:



Click on the Configure Build Service



tab.



Fill in the git repo and the Dockerfile name if it has a name other than “Dockerfile”.



If your repository is public, then all that is needed is the git source URL (HTTPS link). If your

repository is private,



then you must configure the build service with the SSH link and a private

ssh key. The git repository needs the public ssh key associated with the private key in order to

successfully clone. It is recommended to create a new public and private ssh key just for the

project. Never use your own personal private key.

16





Click Submit



at the end of the page.

Click Start New Build



button at the top of the page.



Enter a tag number (the version number of the plugin) and click SUBMIT



to begin the build and

scan process. 







17



NOTE: The Build Service must first be completed before it can begin the scanning process for

certification. If your Build Service fails or does not complete, make sure the details you

entered under the Configure Build Service tab is correct and confirm that your Dockerfile

conforms to the examples provided in this link.





Once the image has completed the scan in Red Hat Connect repository, the image will show the

results of the scan. Scans normally take about 10-15 minutes to complete.







The “View” button will expand on the scan results. The “Publish” button will publish the image

to the Red Hat Container Catalog. It will change to “Unpublish” once and image has been

published. The “Remove” button allows you to remove an image that you do not want to use or

need anymore.





NOTE: The Build Service must first be completed before it can begin the scanning process for

certification. If your Build Service fails or does not complete, make sure the details you

entered under the Configure Build Service tab is correct



Manually Upload Your Image

This information can be located in the UPLOAD YOUR IMAGE tab on the Projects page.



Cut and paste the following line to your terminal.

# docker login -u unused -e none scan.connect.redhat.com



When prompted for the password copy and paste the Registry Key



located on the Upload Your

Image



tab in the project. This Registry Key is unique per project, please make sure you are

using the correct password for the project you are working on.









18

Image Scan

After the image has completed being uploaded, the image will display “Scan In-Progress” in the

“Status” column.







NOTE: It may be necessary to refresh the browser page to see the current status.



Once the image has completed the scan in Red Hat Connect repository, the image will show the

results of the scan. Scans normally take about 10-15 minutes to complete.







The “View” button will expand on the scan results. The “Publish” button will publish the image

to the Red Hat Container Catalog. It will change to “Unpublish” once and image has been

published. The “Remove” button allows you to remove an image that you do not want to use or

need anymore.

Image Results



If the image returns a “Failed” scan status, the results will automatically be displayed. Click on

the name of the failed item (in this example, “has_licenses”) for reference to the policy guide.

*NOTE: If you receive an “Access Denied” link when accessing the Policy Guide, please reach

out to connect@redhat.com

19

Export Compliance Questionnaire

Red Hat Export Questionnaire and Resource Links

This section references a set of questions provided by the Red Hat legal team for evaluation of

export compliance by third party software vendors.

The resource links and questions should be reviewed and answered by a legal representative of

the partner.

Completion and returning this document does not guarantee export compliance approval, but

begins the evaluation process by Red Hat.

Depending on the answers provided, a set of follow-up questions may be necessary.

In the event that you have insufficient information to complete the questionnaire, some

additional resources are provided in Part 2 below.



The evaluation process is outlined below:

Step 1: Red Hat provides questionnaire to partner to complete

Step 2: Partner engages their legal team to review and respond to questionnaire

Step 3: Partner returns completed questionnaire to Red Hat

Step 4: Within approximately 5 business days, Red Hat legal evaluates responses and

a. Approves partner

b. Defers decision

c. Requests more information

d. Declines partner



Part I: Red Hat Questionnaire

Please access and complete this export questionnaire.



At this time, Red Hat is NOT able to accept applications that are authorized for export as

encryption items under License Exception ENC §740.17(b)(2) and/or License Exception ENC

§740.17(a) of the U.S. Export Administration Regulations.



Part II: Resources

In the event that your company has not previously gone through the process of obtaining an

export classification, or if you have not gone through this process for the product that you

intend to publish in the Red Hat Container Catalog, the U.S. Department of Commerce’s Bureau

of Industry and Security provides these resources.

Unfortunately Red Hat cannot provide any guidance or help with our partners’ export control

compliance.



EAR/Encryption

Overview

https://bis.doc.gov/index.php/1-encrypti

on-items-not-subject-to-the-ear/15-polic

y-guidance/encryption

Guidance for determining

whether your item is

subject to the EAR.

Encryption items not

subject to the EAR

https://bis.doc.gov/index.php/1-encrypti

on-items-not-subject-to-the-ear



Flowchart 1

https://bis.doc.gov/index.php/document

s/new-encryption/1654-flowchart1/file

Item designed to use

encryption NOT controlled

under Category 5, Part 2

Flowchart 2

https://bis.doc.gov/index.php/document

s/new-encryption/1655-flowchart-2-1/fil

Item classified under an

ECCN in Category 5, Part

20

e

2

License Exception

ENC §740.17/ Mass

Market Chart

https://bis.doc.gov/index.php/document

s/new-encryption/1651-740-17-enc-table

/file





Chambers & Global -

US Export Control

Lawyers

http://www.chambersandpartners.com/1

2788/525/editorial/5/1



Red Hat Export

Control Product

Matrix (for example

purposes)

https://www.redhat.com/en/about/expor

t-control-product-matrix





Maintaining Certified Images

Image Maintenance Requirements

As software package vulnerabilities are discovered it is important to rebuild container images

to keep them up-to-date. Without automation this process quickly becomes onerous and

reflects poorly on the catalog listing. Organizations frequently run vulnerable software but few

want to download vulnerable software. It is a requirement of Red Hat Connect Partner Program

that the partner maintain the image certification. Red Hat publishes a “Container Health Index”

(or CHI) as described here to inform partners about those situations where an image might

need to be updated.



21



Reference: https://access.redhat.com/articles/2803031



If a container image falls below an "A" grade, a periodic email from connect@redhat.com will be

sent out to the partner contact list.



In order to keep the image up to date, it is recommended that the partner use the Red Hat

Connect Build Service located in the Project section of Red Hat Connect. The option

Auto-Rebuild will automatically rebuild your container and automatically publish it.







The only requirement to use this service is that the image bits be accessible via github/gitlab. If

the github is internal, ssh access to the bits is required. This service automates the rebuilding of

the image whenever an updated Red Hat package is available.



Top FAQs

1. Who can upload images through the Portal?

22

A. The administrator account created for your organization may upload images.

However, this account may grant permissions to other user accounts so that those

accounts may also upload images.

2. Can I change the Product Version after I created a Project?

A. No you cannot; therefore make sure you set it up correctly before starting any

project with that product version. Keep in mind that the product version should be

considered as the name of the image, the version can be specified later on when you

Tag your image during the project.

3. Can a container be built on another version of Linux other than Red Hat?

A. No, the Red Hat certification is a validation that the container, which is a

combination of application software and Linux, is made of genuine Red Hat parts.

Currently, Red Hat has just a little over one million paying customers today. Our

customers do not use other versions of Linux and pay us for the services and

support we provide to them. Therefore, your container needs to be built on a version

of Red Hat Linux.

4. Will the catalog support an ISO or virtual machine image as the container image?

A. No, this certification process is specifically for containers. Therefore, your image

needs to be in Dockerfile format. You can find an example provided by Red Hat

Engineering: Dockerfile Examples

5. What path should my licenses be on?

A. Should be on / (the root or home directory of where the application resides). You

can find an example provided by RH Engineer:Dockerfile Example

6. How do I change the namespace and repository name of my project?

A. First, unpublish all containers. Then change the namespace/repo in the project

settings. Finally, re-publish your containers.



For a full list of FAQs please visit:  http://people.redhat.com/~pchriste/.faq/



Online Resources

Learn Kubernetes by Example

http://kubernetesbyexample.com/

OpenShift Interactive Learning Portal

https://learn.openshift.com/

Partner Openshift Onboarding Guide

https://www.openshift.com/partners/get-started/

index.html

OpenShift Documentation

https://docs.openshift.com/container-platform/

Red Hat Atomic Recommended Practices for

Container Development

https://access.redhat.com/articles/1483053

Continuous integration Examples

https://rhsyseng.github.io/containerzone-pipeline

-library/#_example_jenkins_pipeline_using_docke

r

Examples of scan ready Dockerfiles

https://github.com/RHC4TP/starter.git

Docker tagging

https://docs.docker.com/engine/reference/com

mandline/tag/



23