Article

 

INTRODUCTION

  1. What has Red Hat announced?

Certain versions of Red Hat Enterprise Linux will be made available with a subset of its content delivered via three Red Hat Universal Base Images (UBI). This subset of content is intended to enable customers, partners, and community members wishing to standardize on enterprise-grade Container Images (often referred to as a Base Images) for all of their containerized applications. These Universal Base Images are freely redistributable so that anyone can deploy onto Red Hat or non-Red Hat platforms. 

 

  1. What is the Red Hat Universal Base Image (UBI)?

Red Hat Universal Base Images (UBI) are OCI-compliant container base operating system images with complementary runtime languages and packages that are freely redistributable. Like previous base images, they are built from portions of Red Hat Enterprise Linux. UBI images can be obtained from the Red Hat container catalog and be built and deployed anywhere. 

 

  1. What does the Red Hat Universal Base Image (UBI) include?

The Red Hat Universal Base Image includes three things:

  • A set of three base images (Minimal, Standard, and Multi-service) are provided to provide optimum starting points for a variety of use cases. 

  • A set of language runtime images (PHP, Perl, Python, Ruby, Node.js) enable developers to start coding out of the gate with the confidence that a Red Hat built container image provides.

  • A set of associated YUM repositories/channels include RPM packages and updates that allow users to add application dependencies and rebuild UBI container images anytime they want.

All of this content is usable and freely redistributable under the terms of the UBI End User License Agreement (EULA). Other RHEL packages not included above are not part of the UBI EULA.

 

  1. Why did Red Hat create Red Hat Universal Base Image (UBI)?

Prior to UBI, developers had to package their containerized app for each target that they needed to deploy on. Given this, containers were not really portable like zip or gif files are today. To achieve true portability, the industry needed a de facto method of building and readily sharing containerize applications that could be safely deployed anywhere — and only once. Such a method must be enterprise-grade to ensure it is safe to deploy and manage anywhere.

UBI lets developers create the image once and deploy anywhere using enterprise-grade packages. The alternative is to use untrusted, unreliable, and/or inferior packages that won’t stand up to enterprise-grade demands.
 

  1. What are the benefits of Red Hat Universal Base Image (UBI)?

Fundamentally, the age of containers has changed the way people build and share applications. Containers make it easy to FIND, RUN, BUILD, SHARE, and DEPLOY applications. A new level of collaboration is enabled by this packaging format.

Red Hat Universal Base Images enable users to FIND, RUN, BUILD, SHARE, and DEPLOY containerized applications using a highly supportable, and enterprise grade container Base Image anywhere they want — whether Red Hat or non-Red Hat platforms — allowing builders to meet their customers where they are. 

Red Hat has built UBI to give developers a better choice in terms of stability, lifecycle and support compared to alternative base images.

 

  1. UBI terms and terminology

    1. Pre-UBI base image is the original container base image for RHEL 7 that has been around for years. It does not comply with the UBI EULA and is not redistributable. It will continue to be available for RHEL 7 only. 

    2. UBI base image is the new de facto container base image for RHEL 8, and it is available on RHEL 7 as an optional and alternative to the pre-UBI image. The UBI base image is freely redistributable under the UBI EULA. 

    3. Non-UBI refers to packages that are not governed with the UBI EULA.

 

UBI DETAILS

  1. What’s the difference between the pre-UBI base images & UBI base images?

As with pre-UBI base images, UBI is derived from RHEL. It differs from pre-UBI RHEL 7  base images in a number of ways, most notably the fact that it can be freely redistributed under the terms of the Red Hat Universal Base Image End User License Agreement (EULA). In RHEL 8, all base images are governed by the UBI EULA. See the UBI documentation section, “How are UBI images different?

When deploying on OpenShift and/or RHEL, developers can use any package accessible via their Red Hat subscription. When deploying on non-Red Hat platforms, developers can only use the reduced set of packages that are tagged with the UBI-EULA. 

“UBI content” and “non-UBI content” are different primarily due to the EULA. The former can be freely redistributable; the latter is not.
 

  1. Will applications built on UBI have access to the same content as images built on a non-UBI base image?

Yes, but accessing non-UBI content requires a Red Hat subscription and renders containers built with non-UBI content non-redistributable.
 

  1. How can a user tell the difference between non-UBI and UBI content and/or packages?

In some cases, the difference is easy. In other cases, it’s less so. Images found in the Red Hat catalog with “ubi” in the name are clearly UBI content and freely redistributable. These images include base container images and runtime languages. 

To see a list of RPM packages installed inside a standard ubi or ubi-init container, type: 

rpm -qa

To see all available RPM packages from inside a standard ubi or ubi-init container, type: 

yum list all

Note that the yum command is not available in the ubi-minimal images.
 

  1. How can a user verify that a package they want to use is UBI and redistributable?

To avoid accidental usage of non-UBI compliant packages, users should be sure they are not subscribed to a Red Hat subscription by following the --disableplugin command as described in the UBI Adding software to UBI user documentation. An alternative would be to  build on Fedora.

 

  1. How are the 3 UBI base images different?

UBI OPTION

Minimal

Standard

Multi-service

Image name

ubi-minimal

ubi

ubi-init

Brief description

Minimal base images

“Standard” base images

Multiple base services via init

Key features

-Minimized pre-installed content set

-No suid binaries

-Minimal package manager (install, update, and remove)

 

UBI Minimal documentation 

-Unified, OpenSSL crypto stack

-Full YUM stack

-Includes useful basic OS tools (tar, gzip, vi, etc.)



 

UBI Standard documentation

-Run mysql and httpd side by side in the same container

-Run systemd in a container on start

-Allows you to enable the services at build time

 

UBI Multi-service documentation

Access to UBI-based packages?

Yes — fully redistributable

Yes — fully redistributable

Yes — fully redistributable

Access to non-UBI packages?

Yes, but can only deploy on a Red Hat platform

Yes, but can only deploy on a Red Hat platform

Yes, but can only deploy on a Red Hat platform

 

  1. What are the UBI runtime languages and what are the plans for them? 

A set of language runtime images (PHP, Perl, Python, Ruby, Node.js) are immediately available as UBI compliant. These runtimes will be updated periodically, and others will be added over time. There is no roadmap for additional runtimes. 

This table explains what’s available for UBI vs. non-UBI deployments. 

 

UBI

Non-UBI

Build Python apps

Yes, both 2.7 and 3.6

Yes, both 2.7 and 3.6

Build Ruby apps

Yes, Ruby 2.5

Yes, Ruby 2.5

Build Perl apps

Yes (2 versions)

Yes

Build PHP apps

Yes

Yes

Use PostgreSQL

Yes

No — requires RH subscription

UBI runtime languages are derived from Software Collections (RHEL 7) and Application Streams (RHEL 8).

 

  1. What UBI-compliant RPM packages are available?

A set of associated YUM repositories/channels which include UBI-compliant RPM packages are available. These allow users to add application dependencies and rebuild UBI container images anytime they want. 
 

  1. How do I find the UBI BOMs for images, runtimes, other?

Images found in the Red Hat catalog with “ubi” in the name are clearly UBI content and freely redistributable. These images include base container images and runtime languages. 

To see a list of RPM packages installed inside a standard ubi or ubi-init container, type: 

rpm -qa

To see all available RPM packages from inside a standard ubi or ubi-init container, type: 

yum list all

Note that the yum command is not available in the ubi-minimal images.

 

  1. Do I need a subscription to use UBI?

No, the Red Hat Universal Base Images and all associated content can be used for development and deployment without the need for a Red Hat subscription. However, for a fully supported operational experience and access to an expanded list of non-UBI tools, containers built on UBI must be deployed on a Red Hat platform such as OpenShift or RHEL.

Accessing non-UBI content does require a Red Hat subscription.

 

  1. Do I need a RHEL environment to build on UBI?

No, you can build your applications on UBI on any Linux, Windows, MacOS, or other OCI-compliant environment. 

When built on a subscribed and supported Red Hat platform (OpenShift or RHEL), the build environment will be fully supported. When built on a non-Red Hat platform (Fedora, CentOS, Ubuntu, Debian, cloud provider Kubernetes, etc), you will have access to UBI images and YUM content. Red Hat does not provide support for non-Red Hat platforms.

Building UBI-compliant images on OCI-compliant (e.g., Docker) platforms for Windows or Mac is feasible, but use-cases must be verified.

 

  1. Do I need a RHEL environment to deploy UBI?

No, you can deploy UBI-based applications anywhere you like. There are different levels of support depending on where you run UBI, e.g., you get full support when deploying on a Red Hat platform. See the Support section on how support differs across Red Hat and non-Red Hat deployment.

 

  1. Will other Red Hat products use UBI?

Yes, with the release of RHEL8, UBI 8 becomes the only base image provided by Red Hat. All containerized Red Hat products designed for RHEL8 will be built on UBI. Remember, only the content released with UBI is governed under the UBI EULA. Other Red Hat products, even when built on UBI have their own EULA. Please consult the specific EULA for products built on UBI.

 

  1. On RHEL 7, can I keep my app on the RHEL non-UBI base image?

Yes, partners and customers using non-UBI 7 as a base image are not required to move to UBI 7. The non-UBI 7 image will remain supported until the RHEL 7 end of life. All partner  certifications done on RHEL 7 remain active and distributed through the Red Hat container catalog.

 

REDISTRIBUTION

  1. Can I freely distribute applications built on UBI?

Yes, applications built on the Red Hat Universal Base Images and UBI-compatible tools and packages can be distributed with the embedded UBI content in the base image, as per the UBI EULA. Software vendors and community projects which build on UBI may have additional EULAs which apply to their layered software.
 

  1.   Can I distribute my UBI-based container images without using Red Hat’s registry?

Yes. Users can choose their own registry.

 

  1. Can I add non-UBI RPMs to a UBI image and still redistribute the resultant container image on a non-Red Hat platform?

No, only Red Hat packages assigned to the UBI EULA can be redistributed. The EULA, under which UBI is governed, allows users to distribute a set of container images and RPMs delivered as part of UBI. Container images and RPMs which are covered by a different EULA have different rights and restrictions. Of course, and in general, you can expect any community open source technology to be redistributable.

 

COMMUNITY

  1. Is UBI compatible with EPEL?

Partially, the Red Hat Universal Base image follows the RHEL release clock and versions. So, UBI 7 is compatible with EPEL 7, and UBI 8 will be compatible with EPEL 8. Users and customers alike can connect this content at container build time, but not every package in EPEL will work without a full RHEL subscription. Many packages in EPEL rely on packages in the full RHEL content set, so many dependencies may be missing in UBI.

To ensure operation with EPEL software, UBI containers with EPEL content should  be run on a subscribed Red Hat platform (OpenShift or RHEL).
 

  1.  Is UBI recommended for community projects?

Sure. Compared to the CentOS image, UBI gives partners and customers a path to support for the UBI bits. If a community project is using CentOS today, they should consider UBI. If communities need access to, and community support for, the latest packages, it is recommended that they use the Fedora base image.


 

CONTAINER CERTIFICATION

  1. How does UBI impact Container Certification?

Red Hat container certification is available for commercial software applications built on non-UBI and UBI, so customers who deploy on supported configurations can benefit from a trusted stack that includes the container image and collaborative support provided by Red Hat and the application vendor. 

Certification is available through the Red Hat Partner Connect program. Software vendors can join at no cost and take advantage of container build, certification, and distribution services, as well as technical and marketing resources. 

Certification of container images is available for images and distributed through the Red Hat registry. See: Red Hat Partner Connect and this guide

 

  1. How do I refer to these container images built on UBI?

When building on UBI, ISVs can make several different claims based on their level of commitment to the Red Hat ecosystem. Each of these levels encompasses the lower levels of commitment:

  • Built on Red Hat Universal Base Image — any application built and deployed on UBI can be referred to publicly as “Built on Red Hat Universal Base Image”.

  • Red Hat Certified Container — Commercial applications built on UBI that successfully complete the Container Certification can be referred to as “Red Hat Certified Containers.”  Visit Red Hat Partner Connect.

 

  1. Where do I learn about Red Hat Container Certification?

Visit Red Hat Partner Connect.

 

SUPPORT, LIFECYCLE, AND UPDATING

  1. Will UBI receive updates?

Yes, the Red Hat Universal Base Image content will follow the Red Hat Enterprise Linux schedule. Every time there is a new release of RHEL, new Red Hat Universal Base Images and supporting packages will be released as a new version number. Building on UBI is a safe choice, because you will receive updates for the lifecycle of the underlying RHEL content.

New container images will be built governed by the Red Hat Image Updates Policy. This includes images rebuilds for critical CVEs and during releases. Also, a YUM repository will be provided with the latest set of RPMs for any given release. This will allow users to update container images during rebuilds, ensuring the latest errata (security, bug fixes, enhancements) is picked up and applied.

At release, only the latest version of each RPM will be provided in the publicly available YUM repositories. 

  1. How is UBI supported?

The Red Hat Universal Base Image can be deployed in two ways. Each comes with different license and support expectations:

  1. On a Red Hat Supported Container Platform, such as OpenShift, or on Red Hat Enterprise Linux. Applications built with UBI are supported as a full Red Hat Enterprise Linux stack when run with all of the following conditions:

    1. On a Red Hat Supported Container Platform (OpenShift or RHEL)

    2. With a Red Hat shipped and supported  Container Engine (Red Hat provided CRI-O, Podman, etc.)

    3. With a Red Hat shipped and supported Container Runtime (Red Hat provided runc, etc.)

  2. On any other container platform, or with any other container engine or runtime — including upstream Kubernetes, cloud provider based Kubernetes services, other Linux distributions, any other non-RHEL Linux distribution, or a non-Red Hat provided container engine or runtime — users will receive updates, but support will not be provided by Red Hat. There is no way to purchase support on any platform other than a Red Hat container platform (OpenShift, RHEL). Red Hat does not perform any testing or validation of UBI on any non-Red Hat software stack.  Any issues should be filed with the respective upstream communities or products. If the issue is reproduced on a Red Hat supported platform.

 

  1. Will my application built on UBI be supported?

Red Hat will support all Red Hat components included in a container image, when such image is deployed on a subscribed RHEL host or OpenShift cluster. Container images based on UBI that are deployed on any other hosts will only receive updates per the UBI lifecycle, but will not be supported by Red Hat.

 

  1. What is the UBI lifecycle?

The UBI will follow the same lifecycle and support dates as the underlying RHEL content. When run on a subscribed RHEL or OpenShift node, it will follow the same support policy as the underlying RHEL content. There will be a UBI 7, which maps to RHEL7 content and a UBI 8 Dev Preview maps to RHEL8 Beta content. 

 

  1. How to request new features in UBI?

Red Hat partners and customers can request new features, including package requests, by filing a support ticket through standard methods. Non-Red Hat customers do not receive support but can file requests through the standard Red Hat Bugzilla under Red Hat Enterprise Linux and the proper proper ubi7 or ubi8 Product Component. See the example screenshot:

 

See also: Red Hat Bugzilla Queue

 

  1. How to file a support case for UBI?

Red Hat partners and customers can file support tickets through standard methods when running UBI on a supported Red Hat platform (OpenShift/RHEL). Red Hat support staff will guide partners and customers 

See also: Open a Support Case

 

  1. Will UBI have an EUS add-on?

Yes, but only through a Red Hat subscription. UBI enables users to distribute/redistribute a subset of content from RHEL channels in the container use case — an EUS add-on will not be provided for this specific content set. If extended support is needed, a user will need to run UBI in a supported Red Hat Platform with active subscriptions for Extended Update Support (EUS). These can be purchased through the standard mechanism for RHEL. 

Note: there is a bug that prevents consumption of EUS with microdnf today (BZ 1591627), so this will not work with the Minimal (ubi-minimal) images. 

 

LEGAL AND LICENSING

  1. What is the UBI End User License Agreement (EULA) and where can I find it?

The Red Hat Universal Base Images EULA is a new Red Hat license specifically produced to make UBI components freely redistributable.  Red Hat content governed by the EULA must be tagged with this license and/or “ubi” label for them to fall under the UBI T&Cs.  

 

  1. Does the UBI EULA affect my application’s EULA?

The UBI EULA applies to the container images and YUM repositories which are part of UBI. This includes permission to use Red Hat trademark when distributing images based on UBI. Users are still guaranteed all of the rights and must still adhere to the responsibilities of all of the underlying software licenses for components within UBI (Apache, BSD, GPL, etc.). This is quite similar to distribution of any other container image built on free software.

 

  1. What legal agreements are needed to build my products on UBI?

Red Hat Universal Base Images are governed by the terms of the individual open source licenses and the UBI EULA.  ISVs and software developers who build on UBI may use and distribute the content provided in UBI based on those terms to their customers whether the end user environment is a supported Red Hat environment or not. 

See also: Can I freely distribute applications built on UBI?

 

  1. Does UBI let me distribute my container images anywhere I want?

Yes. Building on UBI means Red Hat is never going to tell you where or how you can distribute your images. You can distribute your images wherever and however you like.

 

  1. Can I add non-UBI packages if something is missing from UBI?

Yes, but not if you want to freely redistribute the images. Once you add RHEL RPMs onto a UBI image, you are back to redistributing content released under the Red Hat Enterprise Linux end user license. If you are a paying Red Hat customer, this would break the agreement between you and Red Hat. Furthermore receivers of these images wouldn’t receive updates for the RPMs you added unless they have Red Hat subscriptions. This puts those end users without Red Hat subscriptions in a bad place.

If you need extra packages, don’t add RHEL packages (because they are restricted). Also, don’t add CentOS packages (because they will remove supportability). Adding CentOS packages turns the image into a Frankenstein. Neither Red Hat, nor the community will want to support it. You are better off with all UBI or CentOS content. Don’t mix and match. 

 

  1. Is the UBI License open source?

UBI is not a software license; it’s an end user license agreement (EULA) for Red Hat trademarks embedded in our RPM content.

 

  1. What’s the difference between the UBI EULA and the Red Hat Enterprise Linux EULA?

The UBI EULA lets you redistribute the UBI base image and RPMs; the Red Hat Enterprise Linux one does not.


 

RESOURCES

  1. Where can someone find public information on UBI?

 

Last updated: July 23, 2019