Building your own Docker image

Source: Internet  Editor: 程序博客网  Time: 2024/05/17 02:32

Goal:

Meet the team's needs; the Docker image must comply with security audit requirements.

Image requirements

- Minimal installation
- The glibc (GHOST) vulnerability must be fixed
- Adjust the ulimit limit (65535)
- Add the user apps
- Change the apps and root passwords
- Change the default locale to en_US.UTF8
- Add extra yum repositories
- Set the timezone to China

How the image is made

1. Use image-withyum.sh to create a clean Docker image (see the attachment link below).
2. Use a Dockerfile to apply the system changes.

Image creation

Create the image with the image-withyum.sh script

1. It is recommended to run the script in a matching environment (e.g. build a CentOS 6.x image on a CentOS 6 system).
2. You currently need to specify the corresponding repo file under yum.repos.d (in the example below the host OS is CentOS 6.6, while /etc/yum.repo.d/centos6.8.repo is the 6.8 repo; you can of course choose the 7.3 repo or a repo for another version).
3. During installation you need to specify the package group to install (query with yum grouplist) and the corresponding packages (see below for how to specify multiple packages).
4. The docker daemon must be running on the current server, because when the image is created it is automatically imported into the local registry cache.
5. To list the created Docker images: docker images
6. To start a container: docker run -i -t --rm centos6:6.8 /bin/bash
7. To stop and remove a container: docker stop xxxxx; docker rm xxxxxx;
8. To delete a Docker image: docker rmi xxxxxxx
9. To export a Docker image to a file, e.g.: docker save -o centos6.8.tar centos6:6.8
10. To import a Docker image from a file, e.g.: docker load --input centos6.8.tar
11. To push a Docker image into a registry: docker push xxxxxxxx (the registry must be configured first; omitted here)

Reference image-creation command (for image-withyum.sh see the script example below)

./image-withyum.sh -y /etc/yum.repo.d/centos6.8.repo -g Base  -p  "sudo glibc glibc-headers glibc-common glibc-static glibc-utils glibc-devel yum yum-utils passwd vim-enhanced unzip gzip wget tar curl wget" centos6 | tee /tmp/install.6.8

Script download:

#!/usr/bin/env bash
#
# Create a base CentOS Docker image.
#
# This script is useful on systems with yum installed (e.g., building
# a CentOS image on CentOS).  See contrib/mkimage-rinse.sh for a way
# to build CentOS images on other systems.

usage() {
    cat <<EOOPTS
$(basename $0) [OPTIONS] <name>
OPTIONS:
  -p "<packages>"  The list of packages to install in the container.
                   The default is blank.
  -g "<groups>"    The groups of packages to install in the container.
                   The default is "Core".
  -y <yumconf>     The path to the yum config to install packages from. The
                   default is /etc/yum.conf for Centos/RHEL and /etc/dnf/dnf.conf for Fedora
EOOPTS
    exit 1
}

# option defaults
yum_config=/etc/yum.conf
if [ -f /etc/dnf/dnf.conf ] && command -v dnf &> /dev/null; then
        yum_config=/etc/dnf/dnf.conf
        # note: aliases are not expanded in non-interactive bash scripts, so on a
        # dnf-only host invoke the script with yum provided by dnf's compatibility wrapper
        alias yum=dnf
fi
install_groups="Core"
while getopts ":y:p:g:h" opt; do
    case $opt in
        y)
            yum_config=$OPTARG
            ;;
        h)
            usage
            ;;
        p)
            install_packages="$OPTARG"
            ;;
        g)
            install_groups="$OPTARG"
            ;;
        \?)
            echo "Invalid option: -$OPTARG"
            usage
            ;;
    esac
done
shift $((OPTIND - 1))
name=$1

if [[ -z $name ]]; then
    usage
fi

# build the new root filesystem in a temporary directory
target=$(mktemp -d --tmpdir $(basename $0).XXXXXX)

set -x
mkdir -m 755 "$target"/dev
mknod -m 600 "$target"/dev/console c 5 1
mknod -m 600 "$target"/dev/initctl p
mknod -m 666 "$target"/dev/full c 1 7
mknod -m 666 "$target"/dev/null c 1 3
mknod -m 666 "$target"/dev/ptmx c 5 2
mknod -m 666 "$target"/dev/random c 1 8
mknod -m 666 "$target"/dev/tty c 5 0
mknod -m 666 "$target"/dev/tty0 c 4 0
mknod -m 666 "$target"/dev/urandom c 1 9
mknod -m 666 "$target"/dev/zero c 1 5

# amazon linux yum will fail without vars set
if [ -d /etc/yum/vars ]; then
        mkdir -p -m 755 "$target"/etc/yum
        cp -a /etc/yum/vars "$target"/etc/yum/
fi

if [[ -n "$install_groups" ]];
then
    yum -c "$yum_config" --installroot="$target" --releasever=/ --setopt=tsflags=nodocs \
        --setopt=group_package_types=mandatory -y groupinstall $install_groups
fi

if [[ -n "$install_packages" ]];
then
#    yum -c "$yum_config" --installroot="$target" --releasever=/ --setopt=tsflags=nodocs \
#        --setopt=group_package_types=mandatory -y install $install_packages
    # --nogpgcheck skips RPM signature verification for these packages
    yum -c "$yum_config" --nogpgcheck --installroot="$target"  -y install $install_packages
fi

yum -c "$yum_config" --installroot="$target" -y clean all

cat > "$target"/etc/sysconfig/network <<EOF
NETWORKING=yes
HOSTNAME=localhost.localdomain
EOF

# effectively: febootstrap-minimize --keep-zoneinfo --keep-rpmdb --keep-services "$target".
#  locales
rm -rf "$target"/usr/{{lib,share}/locale,{lib,lib64}/gconv,bin/localedef,sbin/build-locale-archive}
#  docs and man pages
rm -rf "$target"/usr/share/{man,doc,info,gnome/help}
#  cracklib
rm -rf "$target"/usr/share/cracklib
#  i18n
rm -rf "$target"/usr/share/i18n
#  yum cache
rm -rf "$target"/var/cache/yum
mkdir -p --mode=0755 "$target"/var/cache/yum
#  sln
rm -rf "$target"/sbin/sln
#  ldconfig
rm -rf "$target"/etc/ld.so.cache "$target"/var/cache/ldconfig
mkdir -p --mode=0755 "$target"/var/cache/ldconfig

# derive the image tag from the release file inside the new root
version=
for file in "$target"/etc/{redhat,system}-release
do
    if [ -r "$file" ]; then
        version="$(sed 's/^[^0-9\]*\([0-9.]\+\).*$/\1/' "$file")"
        break
    fi
done

if [ -z "$version" ]; then
    echo >&2 "warning: cannot autodetect OS version, using '$name' as tag"
    version=$name
fi

tar --numeric-owner -c -C "$target" . | docker import - $name:$version

docker run -i -t --rm $name:$version /bin/bash -c 'echo success'

rm -rf "$target"

Modifying the base image system

Create a Dockerfile and use it to modify the image created above.

Reference command to rebuild the Docker image:

docker build --tag="centos6.8:1.0" --file="./Dockfile"  .

Reference Dockerfile

# Dockerfile that modifies centos6:6.8
# add apps user, sed apps user passwd (XXXXXXX)  , modify root password  (XXXXXX)
#
FROM centos6:6.8
MAINTAINER terry.zeng <signmem@hotmail.com>

#yum repo, user, sudoer, root password [S}6zx4MbFZ] , UTF8, apps yumrepo, localtime
# the steps below are chained with ';', so a failing step does not abort the build;
# the sed replaces the locked '*' password field of root in /etc/shadow with a hash,
# the rm drops the nproc limit file, and the final rpm installs the GHOST-fixed glibc-common
RUN useradd apps ; \
    sed -i '/root/s/*/$1$pwCxD\/$yNdGkOwwC7z3xghUN6VYx0/' /etc/shadow; \
    rm -rf /etc/security/limits.d/*nproc.conf; \
    sed -i /requiretty/d /etc/sudoers ; \
    echo -e 'Defaults:apps,root !requiretty\napps ALL=(root) NOPASSWD:  ALL' >> /etc/sudoers.d/apps; \
    echo -e "export LANG=en_US.UTF-8" >>  /etc/profile; \
    echo -e "[moana-apps]\nname=moana-apps\nbaseurl=http://mirrors.mysite.com/apps/\$releasever/\$basearch/\ngpgcheck=0\nenabled=1\n" > /etc/yum.repos.d/moana-apps.repo; \
    ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime; \
    rpm -ivh --replacepkgs --force http://10.199.129.21/mysite/creat_image_el6/glibc-common-2.12-1.192.el6.x86_64.rpm;

# environment definitions
ENV LANG en_US.UTF-8
ENV TZ Asia/Shanghai
USER apps

Note: the USER apps directive means that, once the container starts, sessions are opened as the apps user by default.

Testing

The container start-up and test process is shown below

[root@gx-yun-084043 centos6.8]# docker run -i -t --rm centos6.8:1.0 /bin/bash
[apps@7f7753093387 /]$ sudo su -
-bash-4.1# whoami
root
-bash-4.1# exit
logout
[apps@7f7753093387 /]$ locale
LANG=en_US.UTF-8
LC_CTYPE="en_US.UTF-8"
LC_NUMERIC="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_PAPER="en_US.UTF-8"
LC_NAME="en_US.UTF-8"
LC_ADDRESS="en_US.UTF-8"
LC_TELEPHONE="en_US.UTF-8"
LC_MEASUREMENT="en_US.UTF-8"
LC_IDENTIFICATION="en_US.UTF-8"
LC_ALL=
[apps@7f7753093387 /]$ ls /etc/yum.repos.d/
apps.repo  CentOS-Base.repo  CentOS-Debuginfo.repo  CentOS-fasttrack.repo  CentOS-Media.repo  CentOS-Vault.repo
[apps@7f7753093387 /]$ cat /etc/yum.repos.d/apps.repo
[apps]
name=apps
baseurl=http://mirrors.mysite.com/apps/$releasever/$basearch/
gpgcheck=0
enabled=1
[apps@7f7753093387 /]$ ping mirrors.mysite.com
PING mirrors.mysite.com (10.199.129.21) 56(84) bytes of data.
64 bytes from hh-yun-puppet-129021.mysite.com (10.199.129.21): icmp_seq=1 ttl=57 time=0.530 ms
[apps@7f7753093387 /]$ date
Thu Mar 16 12:35:04 CST 2017
[apps@286b1a7f45c3 /]$ ls /usr/bin/vim
/usr/bin/vim
[apps@da8a1dc80920 /]$ gzip
gzip: compressed data not written to a terminal. Use -f to force compression.
For help, type: gzip -h
[apps@da8a1dc80920 /]$ curl
curl: try 'curl --help' or 'curl --manual' for more information
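The manual checks above can be scripted against the image's root filesystem. The script below is an added example, not part of the original post: it audits an unpacked image root (the $target directory that image-withyum.sh builds, or a tree produced by docker export) against the requirements list and also flags any repo with gpgcheck=0, since that setting disables package signature verification. The helper names audit_rootfs, glibc_at_least, check and not, and the PASS/FAIL/WARN output format, are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit an unpacked image root
# against the requirements listed above. Point it at the $target directory
# that image-withyum.sh builds, or at the tree from `docker export <ctr> | tar -x -C <dir>`.
# Helper names (audit_rootfs, glibc_at_least, check, not) are assumptions.

# glibc_at_least <installed> <required>: true if installed VERSION-RELEASE >= required.
# Feed it `rpm -q glibc-common --qf '%{VERSION}-%{RELEASE}'` run inside the container
# and the version the Dockerfile installs (2.12-1.192.el6).
glibc_at_least() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

not() { ! "$@"; }

# check <description> <command...>: print PASS/FAIL and count failures
check() {
    desc=$1; shift
    if "$@" >/dev/null 2>&1; then echo "PASS: $desc"; else echo "FAIL: $desc"; fails=$((fails + 1)); fi
}

# audit_rootfs <rootdir>: one line per requirement, returns the number of FAILs
audit_rootfs() {
    root=$1; fails=0
    check "apps user present"            grep -q '^apps:' "$root/etc/passwd"
    # a fresh installroot leaves root locked (root:*:); the Dockerfile swaps in a hash
    check "root password hash set"       grep -Eq '^root:\$[0-9a-z]+\$' "$root/etc/shadow"
    # the Dockerfile deletes limits.d/*nproc.conf to lift the nproc cap
    check "nproc limit override removed" not ls "$root"/etc/security/limits.d/*nproc.conf
    check "requiretty removed"           not grep -q requiretty "$root/etc/sudoers"
    check "apps sudoers drop-in present" grep -q '^apps ALL=' "$root/etc/sudoers.d/apps"
    check "default locale en_US.UTF-8"   grep -q 'LANG=en_US.UTF-8' "$root/etc/profile"
    check "timezone Asia/Shanghai"       test "$(readlink "$root/etc/localtime")" = /usr/share/zoneinfo/Asia/Shanghai
    # gpgcheck=0 (as in the apps repo above) turns off RPM signature checks for that
    # repo; it is not counted as a failure here, but an auditor will want it listed
    grep -ls '^gpgcheck=0' "$root"/etc/yum.repos.d/*.repo 2>/dev/null | while read -r f; do
        echo "WARN: gpgcheck disabled in ${f#"$root"}"
    done
    return "$fails"
}

if [ $# -gt 0 ]; then audit_rootfs "$1"; echo "failures: $?"; fi
```

Run it as `sh audit_rootfs.sh /path/to/rootfs`; the exit status is the number of failed requirements, so it can gate an image-build pipeline.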