Update hosts running image mode for RHEL

Next, we’ll update the application running on the host.
In this lesson, you will:
- Update the application running on the host.
Simplify host updates
Red Hat Enterprise Linux (RHEL) servers, and the applications running on them, will inevitably need to be updated. Bug fixes, security patches, OS, and application updates are part of life. The workflow to update these hosts is similar to the steps already followed, but the updated images don’t need to be converted into bootable disk images.
Instead, just create a new standard container image and allow the host to pull it from a container registry. Once you pull the update image, simply reboot the host to implement all the updates in the image. If anything goes wrong, the host can be rolled back to the previous, known-good image.
We’ll also update the index.html file to simulate an application update. The update to the file changes the text that the web page viewer will see, as shown below.
<HTML>
<HEAD>
<TITLE>My Application</TITLE>
</HEAD>
<BODY BGCOLOR="000000">
<HR>
<H1><font color="white">The application is updated!</font></H1>
<HR>
</BODY>
</HTML>
The updated Dockerfile below is used to update the RHEL operating system on the image mode for RHEL host. It does this by specifying a later tag (version) of the RHEL 9.5 bootc base image. In our example, this updated Dockerfile is named rhel9-httpd-v4.txt.
FROM registry.redhat.io/rhel9/rhel-bootc:9.5-1742917433
RUN <<EOF
set -euox pipefail
# Install firewall, SSH server and web server
dnf install -y firewalld openssh-server httpd
# Use /opt/www/html for web content, which is immutable
sed -i 's/var\/www\/html/opt\/www\/html/g' /etc/httpd/conf/httpd.conf
# Set the SSH and web servers to start at boot
systemctl enable sshd httpd
# Open TCP ports for HTTP and SSH traffic
firewall-offline-cmd --zone=public --add-port=80/tcp
firewall-offline-cmd --zone=public --add-port=22/tcp
EOF
# Copy the website into the documents directory
COPY ./index.html /opt/www/html/index.html
# Run linting as the final step to check for errors
RUN bootc container lint
Notice above that the web application is being updated by copying an updated index.html file to the /opt/www/html directory. This directory is immutable, and therefore can only be updated during an image update, not during runtime.
It is important to understand that the filesystem of a bootc image is read-only, with the exception of the /etc and /var directories, which are writable. Therefore, how an application is updated depends on where its files are installed on the host.
- App files installed in /etc or /var: Set during the creation of the initial image used for host deployment, or updated on the live, running system
- App files installed in any other directory: Updated by creating a new container image with updated application files (and, optionally, an updated RHEL image) that the host then pulls
For example, if the update image used in this section also updated an index.html file in the /var/www/html directory, the original index.html file would not have been updated on the host. However, since the application in this example was stored in the /opt directory, it is updated during a container update, but can't be updated on the running host.
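An added example, not from the original lesson: a build-time check that reads a Containerfile and reports COPY or ADD instructions that place files under /var, the case described above where a new image does not replace the copy on an already deployed host. The helper names and the third line of the sample are constructed for illustration, and only single-line instructions are handled.

```bash
#!/bin/sh
# Added example: flag Containerfile COPY/ADD destinations under /var.

# Constructed sample: lines from the lesson's Containerfile plus one
# constructed COPY into /var (line 3).
SAMPLE_CONTAINERFILE='FROM registry.redhat.io/rhel9/rhel-bootc:9.5-1742917433
COPY ./index.html /opt/www/html/index.html
COPY --chown=root:root ./index.html /var/www/html/index.html
RUN bootc container lint'

# var_copy_targets (hypothetical helper)
# Reads a Containerfile on stdin and prints "LINE: DEST" for every COPY/ADD
# whose destination (the last word of the instruction) is under /var.
var_copy_targets() {
  awk 'toupper($1) == "COPY" || toupper($1) == "ADD" {
         dest = $NF
         gsub(/"/, "", dest); sub(/\]$/, "", dest)   # tolerate the JSON form
         if (dest == "/var" || dest ~ /^\/var\//) print NR ": " dest
       }'
}

# lint_var_copies (hypothetical helper)
# Returns 1 and lists the offending lines when files are copied into /var,
# where an image update will not replace them on deployed hosts.
lint_var_copies() {
  _hits=$(var_copy_targets)
  if [ -n "$_hits" ]; then
    printf '%s\n' "$_hits" |
      sed 's|^|/var target not updated on deployed hosts, line |' >&2
    return 1
  fi
}

# Run the check on the constructed sample.
printf '%s\n' "$SAMPLE_CONTAINERFILE" | lint_var_copies ||
  echo "lint failed: keep image-managed content out of /var"
```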
With the updated container definition file, we can build an updated custom image with the v4 tag. Then we can push the update image to the registry.
# Build the updated image
$ podman build -f rhel9-httpd-v4.txt -t quay.io/seanmerrow/rhel9-httpd:v4 .
# Push the image to the registry
$ podman push quay.io/seanmerrow/rhel9-httpd:v4
The updated container image is now published and available on the image registry. Now we can log into the host running image mode for RHEL and pull the update from the registry.
If the image tag of the update image is the same as the image tag of the previously used image, then the host can be updated simply using bootc update, without specifying the target image. However, in our example, we are updating the image tag of the update image to v4, so we need to use the bootc switch command and specify the new image target.
After switching the host to the new image with the first command below, we check the status of bootc. We can see the currently booted image, as well as the staged image that will take effect at the next reboot. We can also see that there is no option to roll back, since we are still running the initially deployed image. Finally, the system is rebooted.
$ sudo bootc switch quay.io/seanmerrow/rhel9-httpd:v4
:
$ sudo bootc status
Current staged image: quay.io/seanmerrow/rhel9-httpd:v4
Image version: 9.20250325.0 (2025-03-28 21:08:25.470786760 UTC)
Image digest: sha256:e4a48560e3a47351a3a8308bb6e89e84feee3a9db8a81d8a26fb6faa5b6bbd91
Current booted image: quay.io/seanmerrow/rhel9-httpd:v3
Image version: 9.20250217.0 (2025-03-28 20:56:34.366462786 UTC)
Image digest: sha256:04d85d36679e6aefc05299dff33974a1cede994f20b7ec8cd615a404c03f75d6
No rollback image present
$ sudo reboot
After the host boots up using the staged image, check the kernel version to see that the operating system has been updated. Prior to the update, the kernel version was 5.14.0-503.23.2.el9_5.x86_64.
$ rpm -q kernel
kernel-5.14.0-503.31.1.el9_5.x86_64
The system is now running the updated version of the image. There is also a rollback image available in case there is a need to roll back.
$ sudo bootc status
No staged image present
Current booted image: quay.io/seanmerrow/rhel9-httpd:v2
Image version: 9.20250325.0 (2025-03-28 21:08:25.470786760 UTC)
Image digest: sha256:e4a48560e3a47351a3a8308bb6e89e84feee3a9db8a81d8a26fb6faa5b6bbd91
Current rollback image: quay.io/seanmerrow/rhel9-httpd:v1
Image version: 9.20250217.0 (2025-03-28 20:56:34.366462786 UTC)
Image digest: sha256:04d85d36679e6aefc05299dff33974a1cede994f20b7ec8cd615a404c03f75d6
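An added example, not part of the original lesson: a check that compares the digest reported by bootc status with the digest recorded when the image was pushed, since a tag can be re-pointed but a digest identifies exact image content. The helper names slot_field and verify_slot are hypothetical, and the parser assumes the text layout of bootc status printed on this page.

```bash
#!/bin/sh
# Added example: gate a reboot on the digest that `bootc status` reports.

# Sample input: the pre-reboot status text printed on this page.
SAMPLE_STATUS='Current staged image: quay.io/seanmerrow/rhel9-httpd:v4
Image version: 9.20250325.0 (2025-03-28 21:08:25.470786760 UTC)
Image digest: sha256:e4a48560e3a47351a3a8308bb6e89e84feee3a9db8a81d8a26fb6faa5b6bbd91
Current booted image: quay.io/seanmerrow/rhel9-httpd:v3
Image version: 9.20250217.0 (2025-03-28 20:56:34.366462786 UTC)
Image digest: sha256:04d85d36679e6aefc05299dff33974a1cede994f20b7ec8cd615a404c03f75d6
No rollback image present'

# slot_field SLOT FIELD (hypothetical helper)
# Reads status text on stdin and prints the image reference (FIELD=image) or
# the digest (FIELD=digest) of SLOT (staged, booted or rollback).
# Exits 1 when that slot is absent, e.g. "No staged image present".
slot_field() {
  awk -v slot="$1" -v field="$2" '
    /^Current (staged|booted|rollback) image:/ {
      cur = $2
      if (cur == slot && field == "image") { print $4; found = 1 }
      next
    }
    /^No (staged|rollback) image present/ { cur = ""; next }
    /Image digest:/ && cur == slot && field == "digest" { print $3; found = 1 }
    END { exit !found }'
}

# verify_slot SLOT EXPECTED_DIGEST (hypothetical helper)
# Returns 0 on match, 1 on mismatch, 2 when the slot is empty.
verify_slot() {
  _actual=$(slot_field "$1" digest) || { echo "no $1 image present" >&2; return 2; }
  if [ "$_actual" != "$2" ]; then
    echo "$1 digest $_actual != expected $2" >&2
    return 1
  fi
  echo "$1 image digest matches $2"
}

# Digest of the v4 image as recorded at push time (value taken from this page).
EXPECTED=sha256:e4a48560e3a47351a3a8308bb6e89e84feee3a9db8a81d8a26fb6faa5b6bbd91
printf '%s\n' "$SAMPLE_STATUS" | verify_slot staged "$EXPECTED"
```

Check the staged slot before the reboot and the booted slot after it; a non-zero result is the signal to stop or roll back.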
From the workstation, use a web browser to connect to the running web server and confirm that the web application has been updated (Figure 1).

Figure 1: The application is updated.
Congratulations! You’ve updated both the RHEL operating system and the web application.