Overview
1. What has Red Hat announced?
Certain versions of Red Hat Enterprise Linux (RHEL) will be made available with a subset of its content delivered via four Red Hat Universal Base Images (UBI). This subset of content is intended to enable customers, partners, and community members wishing to standardize on enterprise-grade container images (often referred to as base images) for all of their containerized applications. These Universal Base Images are freely redistributable so that anyone can deploy onto Red Hat or non-Red Hat platforms.
2. What is the Red Hat Universal Base Image (UBI)?
Red Hat Universal Base Images (UBI) are OCI-compliant container base operating system images with complementary runtime languages and packages that are freely redistributable. Like previous base images, they are built from portions of Red Hat Enterprise Linux. UBI images can be obtained from the Red Hat container catalog and be built and deployed anywhere.
3. What does the Red Hat Universal Base Image (UBI) include?
The Red Hat Universal Base Image includes three things:
- A set of four base images (Micro, Minimal, Standard, and Multi-service) provides optimum starting points for a variety of use cases.
- A set of language runtime images (PHP, Perl, Python, Ruby, Node.js) enables developers to start coding out of the gate with the confidence that a Red Hat-built container image provides.
- A set of associated YUM repositories/channels includes RPM packages and updates that allow users to add application dependencies and rebuild UBI container images anytime they want.
All of this content is usable and freely redistributable under the terms of the UBI End User License Agreement (EULA). Other Red Hat Enterprise Linux packages not included above are not part of the UBI EULA. For more information on what images, repositories, packages, and source code are part of UBI, please see this Knowledge Base article.
4. Why did Red Hat create Red Hat Universal Base Image (UBI)?
Prior to UBI, developers had to package their containerized app for each target that they needed to deploy on. Given this, containers were not really portable like zip or gif files are today. To achieve true portability, the industry needed a de facto method of building and readily sharing containerize applications that could be safely deployed anywhere—and only once. Such a method must be enterprise-grade to ensure it is safe to deploy and manage anywhere.
UBI lets developers create the image once and deploy anywhere using enterprise-grade packages. The alternative is to use untrusted, unreliable, and/or inferior packages that won’t stand up to enterprise-grade demands.
5. What are the benefits of Red Hat Universal Base Image (UBI)?
Fundamentally, the age of containers has changed the way people build and share applications. Containers make it easy to FIND, RUN, BUILD, SHARE, and DEPLOY applications. A new level of collaboration is enabled by this packaging format.
Red Hat Universal Base Images enable users to FIND, RUN, BUILD, SHARE, and DEPLOY containerized applications using a highly supportable, and enterprise-grade container Base Image anywhere they want — whether Red Hat or non-Red Hat platforms — allowing builders to meet their customers where they are.
Red Hat has built UBI to give developers a better choice in terms of stability, lifecycle, and support compared to alternative base images.
6. UBI terms and terminology
Pre-UBI base image is the original container base image for Red Hat Enterprise Linux 7 that has been around for years. It does not comply with the UBI EULA and is not redistributable. It will continue to be available for Red Hat Enterprise Linux 7 only.
UBI base image is the new de facto container base image for Red Hat Enterprise Linux 8, and it is available on Red Hat Enterprise Linux 7 as an optional and alternative to the pre-UBI image. The UBI base image is freely redistributable under the UBI EULA.
Non-UBI refers to packages that are not governed with the UBI EULA.
UBI details
7. What is the difference between the pre-UBI base images and UBI base images?
As with pre-UBI base images, UBI is derived from Red Hat Enterprise Linux. It differs from pre-UBI Red Hat Enterprise Linux 7 base images in a number of ways, most notably the fact that it can be freely redistributed under the terms of the Red Hat Universal Base Image End User License Agreement (EULA). In Red Hat Enterprise Linux 8, all base images are governed by the UBI EULA. See the following UBI documentation section: How are UBI images different?
When deploying on Red Hat OpenShift and/or RHEL, developers can use any package accessible via their Red Hat subscription. When deploying on non-Red Hat platforms, developers can only use the reduced set of packages that are tagged with the UBI-EULA.
“UBI content” and “non-UBI content” are different primarily due to the EULA. The former can be freely redistributable; the latter is not.
8. Will applications built on UBI have access to the same content as images built on a non-UBI base image?
Yes, but accessing non-UBI content requires a Red Hat subscription and renders containers built with non-UBI content non-redistributable.
9. How can a user tell the difference between non-UBI and UBI content and/or packages?
In some cases, the difference is easy. In other cases, it’s less so. Images found in the Red Hat catalog with “ubi” in the name are clearly UBI content and freely redistributable. These images include base container images and runtime languages.
To see a list of RPM packages installed inside a standard ubi or ubi-init container, type:
rpm -qa
To see all available RPM packages from inside a standard ubi or ubi-init container, type:
yum list all
Note that the yum command is not available in the ubi-minimal images.
10. How can a user verify that a package they want to use is UBI and redistributable?
To avoid accidental usage of non-UBI compliant packages, users should be sure they are not subscribed to a Red Hat subscription by following the disableplugin
command, as described in the UBI Adding software to UBI user documentation. An alternative would be to build on Fedora.
11. How are the four UBI base images different?
UBI option |
Micro |
Minimal |
Standard |
Multi-service |
---|---|---|---|---|
Image name |
ubi-micro |
ubi-minimal |
ubi |
ubi-init |
Description |
Smallest base image available |
Minimal base images |
"Standard" base images |
Multiple base services via init |
Key features |
- Smallest base image available - Does not even include a package manager - Must use underlying tools from the operating system |
- Minimized pre-installed content set - No suid binaries - Minimal package manager (install, update, and remove) |
- Unified, OpenSSL crypto stack - Full YUM stack - Includes useful basic OS tools (tar, gzip, vi, etc.) |
- Run mysql and httpd side by side in the same container - Run systemd in a container on start - Allows you to enable the services at build time |
Documentation | UBI Micro documentation | UBI Minimal documentation | UBI Standard documentation | UBI Multi-service documentation |
Access to UBI-based packages? |
Yes; redistributable and not subject to Red Hat Enterprise Agreement | |||
Access to non-UBI packages? |
Yes, but non-UBI packages subject to Red Hat Enterprise Agreement |
12. What are the UBI runtime languages and what are the plans for them?
A set of language runtime images (PHP, Perl, Python, Ruby, Node.js) are immediately available as UBI compliant. These runtimes will be updated periodically, and others will be added over time. There is no roadmap for additional runtimes.
The following table explains what’s available for UBI vs. non-UBI deployments.
UBI runtime languages are derived from Software Collections (Red Hat Enterprise Linux 7) and Application Streams (Red Hat Enterprise Linux 8).
|
UBI |
Non-UBI |
---|---|---|
Build Python apps |
Yes, both 2.7 and 3.6 |
Yes, both 2.7 and 3.6 |
Build Ruby apps |
Yes, Ruby 2.5 |
Yes, Ruby 2.5 |
Build Perl apps |
Yes (2 versions) |
Yes |
Build PHP apps |
Yes |
Yes |
Use PostgreSQL |
Yes |
No — requires Red Hat subscription |
13. What UBI-compliant RPM packages are available?
A set of associated YUM repositories/channels that include UBI-compliant RPM packages are available. These allow users to add application dependencies and rebuild UBI container images anytime they want.
14. How do I find the UBI BOMs for images, runtimes, other?
Images found in the Red Hat catalog with “ubi” in the name are clearly UBI content and freely redistributable. These images include base container images and runtime languages.
To see a list of RPM packages installed inside a standard ubi or ubi-init container, type:
rpm -qa
To see all available RPM packages from inside a standard ubi or ubi-init container, type:
yum list all
Note that the yum command is not available in the ubi-minimal images.
15. Do I need a subscription to use UBI?
No. The Red Hat Universal Base Images and all associated content can be used for development and deployment without the need for a Red Hat subscription. However, for a fully supported operational experience and access to an expanded list of non-UBI tools, containers built on UBI must be deployed on a Red Hat platform such as OpenShift or Red Hat Enterprise Linux.
Accessing non-UBI content does require a Red Hat subscription.
16. Do I need a Red Hat Enterprise Linux environment to build on UBI?
No. You can build your applications on UBI on any Linux, Windows, macOS, or other OCI-compliant environments.
When built on a subscribed and supported Red Hat platform (OpenShift or Red Hat Enterprise Linux), the build environment will be fully supported. When built on a non-Red Hat platform (Fedora, CentOS, Ubuntu, Debian, cloud provider Kubernetes, etc), you will have access to UBI images and YUM content. Red Hat does not provide support for non-Red Hat platforms.
Building UBI-compliant images on OCI-compliant (e.g., Docker) platforms for Windows or Mac is feasible, but use cases must be verified.
17. Do I need a Red Hat Enterprise Linux environment to deploy UBI?
No, you can deploy UBI-based applications anywhere you like. There are different levels of support depending on where you run UBI, e.g., you get full support when deploying on a Red Hat platform. See the Support section on how support differs across Red Hat and non-Red Hat deployment.
18. Will other Red Hat products use UBI?
Yes, with the release of Red Hat Enterprise Linux 8, UBI 8 becomes the only base image provided by Red Hat. All containerized Red Hat products designed for Red Hat Enterprise Linux 8 will be built on UBI. Remember, only the content released with UBI is governed under the UBI EULA. Other Red Hat products, even when built on UBI have their own EULA. Please consult the specific EULA for products built on UBI.
19. On Red Hat Enterprise Linux 7, can I keep my app on the RHEL non-UBI base image?
Yes, partners and customers using non-UBI 7 as a base image are not required to move to UBI 7. The non-UBI 7 image will remain supported until the Red Hat Enterprise Linux 7 end of life. All partner certifications done on Red Hat Enterprise Linux 7 remain active and distributed through the Red Hat container catalog.
Redistribution
20. Can I freely distribute applications built on UBI?
Yes, applications built on the Red Hat Universal Base Images and UBI-compatible tools and packages can be distributed with the embedded UBI content in the base image, as per the UBI EULA. Software vendors and community projects which build on UBI may have additional EULAs, which apply to their layered software.
21. Can I distribute my UBI-based container images without using Red Hat’s registry?
Yes. Users can choose their own registry.
22. Can I add non-UBI RPMs to a UBI image and still redistribute the resultant container image on a non-Red Hat platform?
No, only Red Hat packages assigned to the UBI EULA can be redistributed. The EULA, under which UBI is governed, allows users to distribute a set of container images and RPMs delivered as part of UBI. Container images and RPMs which are covered by a different EULA have different rights and restrictions. Of course, and in general, you can expect any community open source technology to be redistributable.
Community
23. Is UBI compatible with EPEL?
Partially, the Red Hat Universal Base image follows the Red Hat Enterprise Linux release clock and versions. So, UBI 7 is compatible with Red Hat Enterprise Linux 7, and UBI 8 will be compatible with EPEL 8. Users and customers alike can connect this content at container build time, but not every package in EPEL will work without a full Red Hat Enterprise Linux subscription. Many packages in EPEL rely on packages in the full Red Hat Enterprise Linux content set, so many dependencies may be missing in UBI.
To ensure operation with EPEL software, UBI containers with EPEL content should be run on a subscribed Red Hat platform (OpenShift or Red Hat Enterprise Linux).
24. Is UBI recommended for community projects?
Sure. Compared to the CentOS image, UBI gives partners and customers a path to support for the UBI bits. If a community project is using CentOS today, they should consider UBI. If communities need access to, and community support for, the latest packages, it is recommended that they use the Fedora base image.
Container certification
25. How does UBI impact container certification?
Red Hat container certification is available for commercial software applications built on non-UBI and UBI, so customers who deploy on supported configurations can benefit from a trusted stack that includes the container image and collaborative support provided by Red Hat and the application vendor.
Certification is available through the Red Hat Partner Connect program. Software vendors can join at no cost and take advantage of container build, certification, and distribution services, as well as technical and marketing resources.
Certification of container images is available for images and distributed through the Red Hat registry. For more information, see Red Hat Partner Connect and this guide.
26. Can other Red Hat Enterprise Linux packages (non-UBI) be used or redistributed?
Yes, updated terms and conditions now enable Red Hat Partner Connect members to include any Red Hat Enterprise Linux user-space packages in UBI-based container images and redistribute them through both official Red Hat and third-party container registries. Learn more from the Red Hat Partner Connect Partner Guide.
27. How do I refer to these container images built on UBI?
When building on UBI, ISVs can make several different claims based on their level of commitment to the Red Hat ecosystem. Each of these levels encompasses the lower levels of commitment:
- Built on Red Hat Universal Base Image: any application built and deployed on UBI can be referred to publicly as “Built on Red Hat Universal Base Image.”
- Red Hat Certified Container: Commercial applications built on UBI that successfully complete the Container Certification can be referred to as “Red Hat Certified Containers.” Visit Red Hat Partner Connect.
28. Where do I learn about Red Hat Container Certification?
Visit Red Hat Partner Connect.
Support, lifecycle, and updating
29. Will UBI receive updates?
Yes, the Red Hat Universal Base Image content will follow the Red Hat Enterprise Linux schedule. Every time there is a new release of Red Hat Enterprise Linux, new Red Hat Universal Base Images and supporting packages will be released as a new version number. Building on UBI is a safe choice because you will receive updates for the lifecycle of the underlying Red Hat Enterprise Linux content.
New container images will be built and governed by the Red Hat Image Updates Policy. This includes image rebuilds for Critical and Important CVEs during releases. Also, a YUM repository will be provided with the latest set of RPMs for any given release. This will allow users to update container images during rebuilds, ensuring the latest errata (security, bug fixes, enhancements) is picked up and applied.
At release, only the latest version of each RPM will be provided in the publicly available YUM repositories.
30. How do I use UBI with Red Hat Enterprise Linux subscription content?
There are three options to use RHEL content in conjunction with UBI:
- Build your containers on a subscribed RHEL host and you will automatically have access to all RHEL content.
- Build on OpenShift. All OpenShift subscriptions include a RHEL subscription. To use the included Red Hat Enterprise Linux subscription, see the OpenShift documentation: Using Red Hat Subscriptions in Builds
- You can connect a container directly to the Red Hat Portal or a Satellite using activation keys. Refer to the following article for more details: How to install packages from RHEL in a UBI container running on a non-RHEL host?
31. How is UBI supported?
The Red Hat Universal Base Image can be deployed in two ways. Each comes with different support expectations:
- On a Red Hat Supported Container Platform, such as OpenShift, or on Red Hat Enterprise Linux. Applications built with UBI are supported as a full Red Hat Enterprise Linux stack when run with all of the following conditions:
- On a Red Hat Supported Container Platform (OpenShift or Red Hat Enterprise Linux)
- With a Red Hat shipped and supported Container Engine (Red Hat provided CRI-O, Podman, etc.)
- With a Red Hat shipped and supported Container Runtime (Red Hat provided runc, etc.)
- On any other container platform, or with any other container engine or runtime—including upstream Kubernetes, cloud provider-based Kubernetes services, other Linux distributions, any other non-Red Hat Enterprise Linux Linux distribution, or a non-Red Hat provided container engine or runtime—users will receive updates, but support will not be provided by Red Hat. There is no way to purchase support on any platform other than a Red Hat container platform (OpenShift, Red Hat Enterprise Linux). Red Hat does not perform any testing or validation of UBI on any non-Red Hat software stack. Any issues should be filed with the respective upstream communities or products. If the issue is reproduced on a Red Hat-supported platform.
32. Will my application built on UBI be supported?
Red Hat will support all Red Hat components included in a container image when such image is deployed on a subscribed Red Hat Enterprise Linux host or OpenShift cluster. Container images based on UBI that are deployed on any other hosts will only receive updates per the UBI lifecycle, but will not be supported by Red Hat.
33. What is the UBI lifecycle?
The UBI will follow the same lifecycle and support dates as the underlying Red Hat Enterprise Linux content. When run on a subscribed Red Hat Enterprise Linux or OpenShift node, it will follow the same support policy as the underlying Red Hat Enterprise Linux content. There will be a UBI 7, which maps to Red Hat Enterprise Linux 7 content and a UBI 8 Dev Preview maps to Red Hat Enterprise Linux 8 Beta content.
34. How to request new features in UBI?
Red Hat partners and customers can request new features, including package requests, by filing a support ticket through standard methods. Non-Red Hat customers do not receive support but can file requests through the “RHEL” Jira project at issues.redhat.com/browse/RHEL Click the blue “Create” button and fill in the fields, using “distribution” as the component. See the example screenshot:
35. How to file a support case for UBI?
Red Hat partners and customers can file support tickets through standard methods when running UBI on a supported Red Hat platform (OpenShift/RHEL). Red Hat support staff will guide partners and customers.
See also: Open a Support Case
36. Will UBI have an Extended Update Support (EUS) add-on?
Yes, but only through a Red Hat subscription. UBI enables users to distribute/redistribute a subset of content from Red Hat Enterprise Linux channels in the container use case—an EUS add-on will not be provided for this specific content set. If extended support is needed, a user will need to run UBI in a supported Red Hat Platform with active subscriptions for Extended Update Support (EUS). These can be purchased through the standard mechanism for RHEL.
Note: There is a bug that prevents consumption of EUS with microdnf today (BZ 1591627), so this will not work with the Minimal (ubi-minimal) images.
Legal and licensing
37. What is the UBI End User License Agreement (EULA) and where can I find it?
The Red Hat Universal Base Images EULA is a new Red Hat license specifically produced to make UBI components freely redistributable. Red Hat content governed by the EULA must be tagged with this license and/or “ubi” label for them to fall under the UBI T&Cs.
38. Does the UBI EULA affect my application’s EULA?
The UBI EULA applies to the container images and YUM repositories which are part of UBI. This includes permission to use Red Hat trademark when distributing images based on UBI. Users are still guaranteed all of the rights and must still adhere to the responsibilities of all of the underlying software licenses for components within UBI (Apache, BSD, GPL, etc.). This is quite similar to distribution of any other container image built on free software.
39. What legal agreements are needed to build my products on UBI?
Red Hat Universal Base Images are governed by the terms of the individual open source licenses and the UBI EULA. ISVs and software developers who build on UBI may use and distribute the content provided in UBI based on those terms to their customers whether the end user environment is a supported Red Hat environment or not.
See also FAQ #20: Can I freely distribute applications built on UBI?
40. Does UBI let me distribute my container images anywhere I want?
Yes. Building on UBI means Red Hat is never going to tell you where or how you can distribute your images. You can distribute your images wherever and however you like.
41. Can I add non-UBI packages if something is missing from UBI?
Yes, but not if you want to freely redistribute the images. Once you add RHEL RPMs onto a UBI image, you are back to redistributing content released under the Red Hat Enterprise Linux end user license. If you are a paying Red Hat customer, this would break the agreement between you and Red Hat. Furthermore, receivers of these images wouldn’t receive updates for the RPMs you added unless they have Red Hat subscriptions. This puts those end users without Red Hat subscriptions in a bad place.
If you need extra packages, don’t add Red Hat Enterprise Linux packages (because they are restricted). Also, don’t add CentOS packages (because they will remove supportability). Adding CentOS packages turns the image into a Frankenstein. Neither Red Hat nor the community will want to support it. You are better off with all UBI or CentOS content. Don’t mix and match.
42. Is the UBI license open source?
UBI is not a software license; it’s an end user license agreement (EULA) for Red Hat trademarks embedded in our RPM content.
43. What’s the difference between the UBI EULA and the RHEL EULA?
The UBI EULA lets you redistribute the UBI base image and RPMs; the Red Hat Enterprise Linux one does not.
Resources
44. Where can someone find public information on UBI?
- For container certification, visit Red Hat Partner Connect.
- Email UBI questions and/or feedback to ubi@redhat.com.
- Join the UBI community mailing list and follow UBI discussions.
- View documentation: Building, running, and managing containers
- Explore UBI resources on Red Hat Developer.