Skip to content
/ image-template Public template

Build your own custom Universal Blue Image!

License

Notifications You must be signed in to change notification settings

ublue-os/image-template

Repository files navigation

image-template

Purpose

This repository is meant to be a template for building your own custom Universal Blue image. This template is the recommended way to make customizations to any image published by the Universal Blue Project:

or any other base image if you want to start from scratch:

  • Fedora: quay.io/fedora/fedora-bootc:41
  • CentOS Stream 9: quay.io/centos-bootc/centos-bootc:stream9
  • CentOS Stream 10 (in development): quay.io/centos-bootc/centos-bootc:stream10

This template includes a Containerfile and a Github workflow for building the container image, signing, and proper metadata to be listed on artifacthub. As soon as the workflow is enabled in your repository, it will build the container image and push it to the Github Container Registry.

Prerequisites

Working knowledge in the following topics:

How to Use

Template

Select Use this Template and create a new repository from it. To enable the workflows, you may need to go the Actions tab of the new repository and click to enable workflows.

Containerfile

This file defines the operations used to customize the selected image. It contains examples of possible modifications, including how to:

  • change the upstream from which the custom image is derived
  • add additional RPM packages
  • add binaries as a layer from other images

Building an ISO

Modify iso.toml to point to your custom image before generating an ISO.

  • (Steps in progress)

Workflows

build.yml

This workflow creates your custom OCI image and publishes it to the Github Container Registry (GHCR). By default, the image name will match the Github repository name.

Container Signing

Container signing is important for end-user security and is enabled on all Universal Blue images. It is recommended you set this up, and by default the image builds will fail if you don't.

This provides users a method of verifying the image.

  1. Install the cosign CLI tool

  2. Run inside your repo folder:

    cosign generate-key-pair
    • Do NOT put in a password when it asks you to, just press enter. The signing key will be used in GitHub Actions and will not work if it is encrypted.

Warning

Be careful to never accidentally commit cosign.key into your git repo.

  1. Add the private key to GitHub

    • This can also be done manually. Go to your repository settings, under Secrets and Variables -> Actions image Add a new secret and name it SIGNING_SECRET, then paste the contents of cosign.key into the secret and save it. Make sure it's the .key file and not the .pub file. Once done, it should look like this: image

    • (CLI instructions) If you have the github-cli installed, run:

    gh secret set SIGNING_SECRET < cosign.key
  2. Commit the cosign.pub file to the root of your git repository.

Community

  • bootc discussion forums - Nothing in this template is ublue specific, the upstream bootc project has a discussions forum where custom image builders can hang out and ask questions.
  • Index your image on artifacthub.io, use the artifacthub-repo.yml file at the root to verify yourself as the publisher. Discussion thread

Community Examples