Skip to main content
Redhat Developers  Logo
  • Products

    Featured

    • Red Hat Enterprise Linux
      Red Hat Enterprise Linux Icon
    • Red Hat OpenShift AI
      Red Hat OpenShift AI
    • Red Hat Enterprise Linux AI
      Linux icon inside of a brain
    • Image mode for Red Hat Enterprise Linux
      RHEL image mode
    • Red Hat OpenShift
      Openshift icon
    • Red Hat Ansible Automation Platform
      Ansible icon
    • Red Hat Developer Hub
      Developer Hub
    • View All Red Hat Products
    • Linux

      • Red Hat Enterprise Linux
      • Image mode for Red Hat Enterprise Linux
      • Red Hat Universal Base Images (UBI)
    • Java runtimes & frameworks

      • JBoss Enterprise Application Platform
      • Red Hat build of OpenJDK
    • Kubernetes

      • Red Hat OpenShift
      • Microsoft Azure Red Hat OpenShift
      • Red Hat OpenShift Virtualization
      • Red Hat OpenShift Lightspeed
    • Integration & App Connectivity

      • Red Hat Build of Apache Camel
      • Red Hat Service Interconnect
      • Red Hat Connectivity Link
    • AI/ML

      • Red Hat OpenShift AI
      • Red Hat Enterprise Linux AI
    • Automation

      • Red Hat Ansible Automation Platform
      • Red Hat Ansible Lightspeed
    • Developer tools

      • Red Hat Trusted Software Supply Chain
      • Podman Desktop
      • Red Hat OpenShift Dev Spaces
    • Developer Sandbox

      Developer Sandbox
      Try Red Hat products and technologies without setup or configuration fees for 30 days with this shared Openshift and Kubernetes cluster.
    • Try at no cost
  • Technologies

    Featured

    • AI/ML
      AI/ML Icon
    • Linux
      Linux Icon
    • Kubernetes
      Cloud icon
    • Automation
      Automation Icon showing arrows moving in a circle around a gear
    • View All Technologies
    • Programming Languages & Frameworks

      • Java
      • Python
      • JavaScript
    • System Design & Architecture

      • Red Hat architecture and design patterns
      • Microservices
      • Event-Driven Architecture
      • Databases
    • Developer Productivity

      • Developer productivity
      • Developer Tools
      • GitOps
    • Secure Development & Architectures

      • Security
      • Secure coding
    • Platform Engineering

      • DevOps
      • DevSecOps
      • Ansible automation for applications and services
    • Automated Data Processing

      • AI/ML
      • Data Science
      • Apache Kafka on Kubernetes
      • View All Technologies
    • Start exploring in the Developer Sandbox for free

      sandbox graphic
      Try Red Hat's products and technologies without setup or configuration.
    • Try at no cost
  • Learn

    Featured

    • Kubernetes & Cloud Native
      Openshift icon
    • Linux
      Rhel icon
    • Automation
      Ansible cloud icon
    • Java
      Java icon
    • AI/ML
      AI/ML Icon
    • View All Learning Resources

    E-Books

    • GitOps Cookbook
    • Podman in Action
    • Kubernetes Operators
    • The Path to GitOps
    • View All E-books

    Cheat Sheets

    • Linux Commands
    • Bash Commands
    • Git
    • systemd Commands
    • View All Cheat Sheets

    Documentation

    • API Catalog
    • Product Documentation
    • Legacy Documentation
    • Red Hat Learning

      Learning image
      Boost your technical skills to expert-level with the help of interactive lessons offered by various Red Hat Learning programs.
    • Explore Red Hat Learning
  • Developer Sandbox

    Developer Sandbox

    • Access Red Hat’s products and technologies without setup or configuration, and start developing quicker than ever before with our new, no-cost sandbox environments.
    • Explore Developer Sandbox

    Featured Developer Sandbox activities

    • Get started with your Developer Sandbox
    • OpenShift virtualization and application modernization using the Developer Sandbox
    • Explore all Developer Sandbox activities

    Ready to start developing apps?

    • Try at no cost
  • Blog
  • Events
  • Videos

Build and store universal application images on OpenShift

November 18, 2021
Bobby Woolf
Related topics:
CI/CDContainersDevOpsKubernetes
Related products:
Red Hat OpenShift

Share:

    After designing a universal application image that will run well on Kubernetes or Red Hat OpenShift—and that will pass Red Hat Container Certification—your next consideration is how to successfully build and store each image. This article discusses how to use a build pipeline to implement two best practices: Automating compliance with the Open Container Initiative (OCI) and tagging each image with a unique identifier. Using a build pipeline to build and store images automates the process and makes it repeatable and reliable. I'll also discuss the Red Hat Container Certification requirements for each of these best practices.

    A quick review of CI/CD pipelines

    As a reminder, a build pipeline performs continuous integration in a pipeline that provides continuous delivery (CI/CD) as part of DevOps or DevSecOps for a software development lifecycle. Every time the code for a software component changes, the CI pipeline builds the software, packages it for deployment, and deploys it into a development or test environment.

    CI/CD pipelines:

    • Confirm that the latest code can be built and deployed.
    • Ensure that the deployed component is always running the latest code.
    • Perform quality checks on the code.
    • Prevent deployment if the software falls below an acceptable level of quality.

    Best practice #1: Build images for OCI compliance

    The Open Container Initiative (OCI) is a neutral body that governs open industry standards for the container image format (image-spec), how images are stored and distributed (distribution-spec), and how images are run as containers (runtime-spec).

    Images built for OCI compliance avoid vendor lock-in. Any OCI-compliant container can run properly in any OCI-compliant container engine, such as containerd and CRI-O.

    Red Hat Container Certification requirement

    Although Red Hat does not require that images be built with specific tools, it does recommend a set of open source tools to build, transfer, and run OCI-compliant images: Buildah, Skopeo, and Podman. These tools currently run most easily on Linux, with varying support for Windows or MacOS.

    You should use Buildah to build images and Skopeo to copy them between registries. You can also use Podman to run images locally, although that doesn’t matter when deploying images to a container orchestrator. OpenShift supports using Buildah to build images as part of an integrated build process with all three tools.

    Build an image with Buildah

    Use Buildah’s bud command to build an image like this:

    buildah bud -f Dockerfile .

    bud stands for "build using dockerfile." Buildah refers to the file that contains the build instructions as either the Dockerfile or the Containerfile. Regardless of the file name, they use the same syntax.

    Best practice #2: Tag each image with a unique identifier

    When adding an image to a registry, tag the image to indicate the version of the software and the release of the build inside the image.

    Red Hat Container Certification requirement

    Red Hat Container Certification requires that an image have a tag (other than latest, which is automatic) that uniquely identifies that image from others with the same name. It suggests that the tag should commonly be the image version.

    Tagging your image

    Use Docker’s tag command to add a tag to an image. An image can have multiple tags, which are aliases for the same image file. For example:

    1. Build the image: my-image.
    2. Tag it for the registry: my-registry and the namespace my-namespace, and with the version 1.0 and the release 1.
    3. Tag it again without the release, for the latest release of that version.
    4. Push all tags of the image to the remote registry my-registry.

    Your command should look something like this:

    docker build -t my-image .
    docker tag my-image my-registry/my-namespace/my-image:1.0-1
    docker tag my-image my-registry/my-namespace/my-image:1.0
    docker push --all-tags my-registry/my-namespace/my-image

    This tags the image with two tags:

    • 1.0-1 specifies release 1 of version 1.0.
    • 1.0 specifies the latest release of version 1.0.

    The registry should not already contain an image with the tag 1.0-1; if it does, the old image will no longer have that tag. If this were tag 1.0-2, the registry typically already contains an image with the tags 1.0-1 and 1.0. The new 1.0 tag replaces the old one in the registry, so whereas the 1.0 used to point to the 1.0-1 image, now it points to the 1.0-2 image. Likewise, you could even add a 1 tag to point to the latest image that is a 1.x version. For example, see all the tags for various builds of the node image in DockerHub and notice how a single build often has multiple tags that act as aliases for the same build.

    The image’s identifiers in the registry should match its internal identifiers. An image should contain these three identifying fields:

    • name: Name of the image.
    • version: Version of the image.
    • release: A number that’s used to identify the specific build for this image.

    To make the registry identifiers match, tag the image with these same identifier values:

    docker tag <registry>/<namespace>/<name>:<version>-<release>

    where <registry> and <namespace> specify where the image is stored.

    Conclusion

    This article discussed best practices for building and storing images and showed you how to use a build pipeline to automate OCI compliance and tagging images with a unique identifier.

    Last updated: September 20, 2023

    Related Posts

    • Best practices for building images that pass Red Hat Container Certification

    • Best practices for running Buildah in a container

    • Building freely distributed containers with Podman and Red Hat UBI

    • Podman and Buildah for Docker users

    Recent Posts

    • Integrate Red Hat AI Inference Server & LangChain in agentic workflows

    • Streamline multi-cloud operations with Ansible and ServiceNow

    • Automate dynamic application security testing with RapiDAST

    • Assessing AI for OpenShift operations: Advanced configurations

    • OpenShift Lightspeed: Assessing AI for OpenShift operations

    Red Hat Developers logo LinkedIn YouTube Twitter Facebook

    Products

    • Red Hat Enterprise Linux
    • Red Hat OpenShift
    • Red Hat Ansible Automation Platform

    Build

    • Developer Sandbox
    • Developer Tools
    • Interactive Tutorials
    • API Catalog

    Quicklinks

    • Learning Resources
    • E-books
    • Cheat Sheets
    • Blog
    • Events
    • Newsletter

    Communicate

    • About us
    • Contact sales
    • Find a partner
    • Report a website issue
    • Site Status Dashboard
    • Report a security problem

    RED HAT DEVELOPER

    Build here. Go anywhere.

    We serve the builders. The problem solvers who create careers with code.

    Join us if you’re a developer, software engineer, web designer, front-end designer, UX designer, computer scientist, architect, tester, product manager, project manager or team lead.

    Sign me up

    Red Hat legal and privacy links

    • About Red Hat
    • Jobs
    • Events
    • Locations
    • Contact Red Hat
    • Red Hat Blog
    • Inclusion at Red Hat
    • Cool Stuff Store
    • Red Hat Summit

    Red Hat legal and privacy links

    • Privacy statement
    • Terms of use
    • All policies and guidelines
    • Digital accessibility

    Report a website issue