Meeting the team's requirements: Docker images must satisfy the security audit requirements
The image has to meet the following requirements:
1. Minimal installation
2. The glibc (GHOST, CVE-2015-0235) vulnerability is fixed
3. The ulimit limit is raised to 65535
4. A user apps is added
5. The passwords of apps and root are changed
Approach: use image-withyum.sh to create a clean Docker image (the script is reproduced below), then use a Dockerfile to apply the system modifications.
Creating the image with the image-withyum.sh script
Notes:
1. Build on the same platform as the target (e.g. build a CentOS 6.x image on a CentOS 6 host).
2. The yum configuration must point at repositories for the target release: to build a CentOS 6.x image on CentOS 7 you have to create a yum configuration whose repositories point at CentOS 6 instead of the host's own yum.repos.d.
3. Specify the package groups to install (list them with yum grouplist) and the individual packages; pin each package to an explicit version so the build fails loudly if that version is not in the repository.
4. The docker daemon must be running on the build host, because the script imports the finished root filesystem into the local image store with docker import.
5. List the images after the build: docker images
6. Start a container from the image: docker run -itd centos6:6.6 /bin/bash
7. Stop and remove a container: docker stop xxxxx; docker rm xxxxxx;
8. Delete an image: docker rmi xxxxxxx
9. Export an image to a tar archive for transfer to another host (load it there with docker load): docker save -o centos6.v1.tar centos6:v1
Reference command:
./image-withyum.sh -y yum.conf -g Base -p "bash-4.1.2-29.el6 sudo-1.8.6p3-15.el6 glibc-2.12-1.192.el6 vim-minimal-7.2.411-1.8.el6 yum-3.2.29-60.el6 passwd-0.77-4.el6_2.2" centos6 &> /tmp/install
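A worked example, added here and not part of the original post or of Docker's script: a wrapper that writes an isolated yum configuration for CentOS 6 and passes it to image-withyum.sh with -y, which is what note 2 above requires when building on a CentOS 7 host. The configuration disables the host's yum.repos.d (reposdir=/dev/null) and requires GPG-signed packages, so nothing from the build host's CentOS 7 repositories and nothing unsigned can end up in the base image. The vault.centos.org mirror and the RPM-GPG-KEY-CentOS-6 location are assumptions to replace with the mirror your team trusts; the package list is the post's own, and yum will refuse the build if a pinned version does not exist in the release you choose.

```shell
#!/usr/bin/env bash
# build-centos6-base.sh: added example (not from the original post or from
# Docker's mkimage-yum.sh).  Generates a self-contained yum config that points
# only at CentOS 6 repositories with GPG checking on, then hands it to
# image-withyum.sh via -y.  The mirror and key URL are assumptions.
set -eu

# write_centos6_yum_conf FILE RELEASE   (RELEASE e.g. 6.8 or 6.10)
# reposdir=/dev/null keeps yum from also reading the build host's own
# /etc/yum.repos.d into the chroot; gpgcheck=1 plus an explicit gpgkey means
# every package that lands in the image is signature-verified before install.
write_centos6_yum_conf() {
    local conf="$1"
    local release="$2"
    local mirror="${CENTOS6_MIRROR:-http://vault.centos.org}"   # assumption
    cat > "$conf" <<EOF
[main]
cachedir=/var/cache/yum/centos6-\$basearch
keepcache=0
debuglevel=2
exactarch=1
obsoletes=1
gpgcheck=1
plugins=0
reposdir=/dev/null

[base]
name=CentOS-$release - Base
baseurl=$mirror/$release/os/\$basearch/
enabled=1
gpgcheck=1
gpgkey=$mirror/RPM-GPG-KEY-CentOS-6

[updates]
name=CentOS-$release - Updates
baseurl=$mirror/$release/updates/\$basearch/
enabled=1
gpgcheck=1
gpgkey=$mirror/RPM-GPG-KEY-CentOS-6
EOF
}

# build_centos6_image CONF [NAME]
# Same invocation as the post's reference command, with the generated config.
build_centos6_image() {
    local conf="$1"
    local name="${2:-centos6}"
    ./image-withyum.sh -y "$conf" -g Base \
        -p "bash-4.1.2-29.el6 sudo-1.8.6p3-15.el6 glibc-2.12-1.192.el6 vim-minimal-7.2.411-1.8.el6 yum-3.2.29-60.el6 passwd-0.77-4.el6_2.2" \
        "$name"
}

# Run the build only when invoked as: ./build-centos6-base.sh build RELEASE [NAME]
if [ "${1:-}" = "build" ]; then
    conf=$(mktemp --tmpdir centos6-yum.XXXXXX)
    write_centos6_yum_conf "$conf" "${2:?release required, e.g. 6.10}"
    build_centos6_image "$conf" "${3:-centos6}"
    rm -f "$conf"
fi
```

The two functions are separated so the generated configuration can be reviewed (or diffed against the previous build's) before any package is downloaded.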
Script (image-withyum.sh, a copy of Docker's contrib/mkimage-yum.sh):
#!/usr/bin/env bash
#
# Create a base CentOS Docker image.
#
# This script is useful on systems with yum installed (e.g., building
# a CentOS image on CentOS).  See contrib/mkimage-rinse.sh for a way
# to build CentOS images on other systems.

usage() {
    cat <<EOOPTS
$(basename $0) [OPTIONS] <name>
OPTIONS:
  -p "<packages>"  The list of packages to install in the container.
                   The default is blank.
  -g "<groups>"    The groups of packages to install in the container.
                   The default is "Core".
  -y <yumconf>     The path to the yum config to install packages from. The
                   default is /etc/yum.conf for Centos/RHEL and /etc/dnf/dnf.conf for Fedora
EOOPTS
    exit 1
}

# option defaults
yum_config=/etc/yum.conf
if [ -f /etc/dnf/dnf.conf ] && command -v dnf &> /dev/null; then
    yum_config=/etc/dnf/dnf.conf
    # Note: aliases are not expanded in a non-interactive script, so this line
    # has no effect; on a dnf-only host provide yum as a function or symlink.
    alias yum=dnf
fi
install_groups="Core"
while getopts ":y:p:g:h" opt; do
    case $opt in
        y)
            yum_config=$OPTARG
            ;;
        h)
            usage
            ;;
        p)
            install_packages="$OPTARG"
            ;;
        g)
            install_groups="$OPTARG"
            ;;
        \?)
            echo "Invalid option: -$OPTARG"
            usage
            ;;
    esac
done
shift $((OPTIND - 1))
name=$1

if [[ -z $name ]]; then
    usage
fi

# Build the root filesystem in a throwaway directory.
target=$(mktemp -d --tmpdir $(basename $0).XXXXXX)

set -x

# Minimal /dev: yum and rpm scriptlets need these nodes inside the chroot.
mkdir -m 755 "$target"/dev
mknod -m 600 "$target"/dev/console c 5 1
mknod -m 600 "$target"/dev/initctl p
mknod -m 666 "$target"/dev/full c 1 7
mknod -m 666 "$target"/dev/null c 1 3
mknod -m 666 "$target"/dev/ptmx c 5 2
mknod -m 666 "$target"/dev/random c 1 8
mknod -m 666 "$target"/dev/tty c 5 0
mknod -m 666 "$target"/dev/tty0 c 4 0
mknod -m 666 "$target"/dev/urandom c 1 9
mknod -m 666 "$target"/dev/zero c 1 5

# amazon linux yum will fail without vars set
if [ -d /etc/yum/vars ]; then
    mkdir -p -m 755 "$target"/etc/yum
    cp -a /etc/yum/vars "$target"/etc/yum/
fi

# Install the requested groups and packages into the chroot using the yum
# config given with -y (so the repositories are the target release's).
if [[ -n "$install_groups" ]];
then
    yum -c "$yum_config" --installroot="$target" --releasever=/ --setopt=tsflags=nodocs \
        --setopt=group_package_types=mandatory -y groupinstall $install_groups
fi

if [[ -n "$install_packages" ]];
then
    yum -c "$yum_config" --installroot="$target" --releasever=/ --setopt=tsflags=nodocs \
        --setopt=group_package_types=mandatory -y install $install_packages
fi

yum -c "$yum_config" --installroot="$target" -y clean all

cat > "$target"/etc/sysconfig/network <<EOF
NETWORKING=yes
HOSTNAME=localhost.localdomain
EOF

# effectively: febootstrap-minimize --keep-zoneinfo --keep-rpmdb --keep-services "$target".
#  locales
rm -rf "$target"/usr/{{lib,share}/locale,{lib,lib64}/gconv,bin/localedef,sbin/build-locale-archive}
#  docs and man pages
rm -rf "$target"/usr/share/{man,doc,info,gnome/help}
#  cracklib
rm -rf "$target"/usr/share/cracklib
#  i18n
rm -rf "$target"/usr/share/i18n
#  yum cache
rm -rf "$target"/var/cache/yum
mkdir -p --mode=0755 "$target"/var/cache/yum
#  sln
rm -rf "$target"/sbin/sln
#  ldconfig
rm -rf "$target"/etc/ld.so.cache "$target"/var/cache/ldconfig
mkdir -p --mode=0755 "$target"/var/cache/ldconfig

# The image tag is the OS version read from the release file in the chroot
# (e.g. 6.6), falling back to the name given on the command line.
version=
for file in "$target"/etc/{redhat,system}-release
do
    if [ -r "$file" ]; then
        version="$(sed 's/^[^0-9\]*\([0-9.]\+\).*$/\1/' "$file")"
        break
    fi
done

if [ -z "$version" ]; then
    echo >&2 "warning: cannot autodetect OS version, using '$name' as tag"
    version=$name
fi

tar --numeric-owner -c -C "$target" . | docker import - $name:$version

docker run -i -t --rm $name:$version /bin/bash -c 'echo success'

rm -rf "$target"
Creating the Dockerfile
Use a Dockerfile to modify the image created above. The FROM line must name the tag that image-withyum.sh actually produced: the script tags the imported image with the version it reads from /etc/redhat-release, so check docker images first.
Reference command:
docker build --tag="centos6:v1" --file="DockerFile" .
Reference Dockerfile
# Dockerfile that modifies the base image built above (originally centos6:6.6)
# add apps user, set the apps user password (XXXXXXX), change the root password (XXXXXX)
#
FROM centos6:7.2.1511
MAINTAINER terry.zeng
# Steps are chained with && so that a failing step fails the build instead of being skipped.
RUN useradd apps && \
    echo 'XXXXXXX' | passwd --stdin root && \
    echo 'XXXXXXXXXX' | passwd --stdin apps && \
    rm -rf /etc/security/limits.d/*nproc.conf && \
    echo 'apps ALL=(root) NOPASSWD: ALL' >> /etc/sudoers
Points to check before using this Dockerfile for an audited image:
1. The RUN line, passwords included, is recorded in the image metadata (docker history --no-trunc shows it) and the resulting hashes sit in /etc/shadow in the layer, so anyone who can pull the image learns the credentials. Set passwords at deployment time, or ship locked accounts and use key-based access.
2. apps ALL=(root) NOPASSWD: ALL makes apps equivalent to root, so the apps password protects nothing; restrict the rule to the commands apps actually needs. Appending to /etc/sudoers without validation can also break sudo for every user; write the rule to /etc/sudoers.d/apps and check it with visudo -cf.
3. Removing *nproc.conf only changes what pam_limits applies in PAM-aware programs such as login, sshd and su. Processes started by docker run inherit their limits from the daemon or from docker run --ulimit nofile=65535:65535, so the 65535 limit in the requirements is set on the host side and should be verified with ulimit -n inside a running container, not by inspecting the image.
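A second added example (mine, not the post's): a script that checks a built image against the requirements listed at the top of the post, so the team can verify an image before it goes to the audit. The checks are plain functions over text, which lets them run offline against the constructed sample data at the end; audit_image wraps them with docker run for a real image. Assumptions: the GHOST-fixed build is glibc-2.12-1.149.el6_6.5 from RHSA-2015:0090 for CentOS 6, "ulimit 65535" is read as the open-files limit (ulimit -n), and the /etc/passwd and /etc/shadow lines are constructed samples with placeholder hashes.

```shell
#!/usr/bin/env bash
# audit-image.sh: added example, not part of the original post.  Checks an
# image against the post's requirements: GHOST-fixed glibc, an apps user,
# real (not locked) passwords for root and apps, open-files limit 65535.
set -eu

# Lowest glibc VERSION-RELEASE on CentOS 6 carrying the CVE-2015-0235 fix
# (RHSA-2015:0090).  Assumption: verify against your own errata feed.
GHOST_FIXED_GLIBC="2.12-1.149.el6_6.5"

# glibc_fixed VR: true when VR (from rpm -q --qf '%{VERSION}-%{RELEASE}' glibc)
# sorts at or after the fixed build.  sort -V approximates RPM's ordering and
# is fine for these release strings; rpmdev-vercmp is the authoritative tool.
glibc_fixed() {
    local lowest
    lowest=$(printf '%s\n%s\n' "$GHOST_FIXED_GLIBC" "$1" | sort -V | head -n 1)
    [ "$lowest" = "$GHOST_FIXED_GLIBC" ]
}

# user_present NAME PASSWD_TEXT: NAME has an /etc/passwd entry.
user_present() {
    printf '%s\n' "$2" | grep -q "^$1:"
}

# password_set NAME SHADOW_TEXT: NAME's shadow field is a real hash, i.e. not
# empty, not locked ("!", "!!", "!<hash>") and not disabled ("*").
password_set() {
    local hash
    hash=$(printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $2 }')
    case "$hash" in
        ''|'*'|'!'*) return 1 ;;
        *)           return 0 ;;
    esac
}

# nofile_ok N: the container's `ulimit -n` is at least 65535.
nofile_ok() {
    [ "$1" -ge 65535 ] 2>/dev/null
}

# audit GLIBC_VR PASSWD_TEXT SHADOW_TEXT NOFILE: prints one line per check;
# the return value is the number of failed checks (0 = image passes).
audit() {
    local glibc_vr="$1" passwd="$2" shadow="$3" nofile="$4" failures=0 u
    if glibc_fixed "$glibc_vr"; then echo "ok   glibc $glibc_vr"
    else echo "FAIL glibc $glibc_vr is older than $GHOST_FIXED_GLIBC (GHOST)"; failures=$((failures + 1)); fi
    if user_present apps "$passwd"; then echo "ok   user apps exists"
    else echo "FAIL user apps is missing"; failures=$((failures + 1)); fi
    for u in root apps; do
        if password_set "$u" "$shadow"; then echo "ok   $u has a password"
        else echo "FAIL $u password is empty or locked"; failures=$((failures + 1)); fi
    done
    if nofile_ok "$nofile"; then echo "ok   nofile=$nofile"
    else echo "FAIL nofile=$nofile (< 65535)"; failures=$((failures + 1)); fi
    return "$failures"
}

# audit_image IMAGE: gather the facts from throwaway containers.  The ulimit is
# a property of the daemon / docker run flags, not of files in the image, so
# the --ulimit used in production must be passed here for that check to mean
# anything.
audit_image() {
    local image="$1"
    audit "$(docker run --rm "$image" rpm -q --qf '%{VERSION}-%{RELEASE}\n' glibc | head -n 1)" \
          "$(docker run --rm "$image" cat /etc/passwd)" \
          "$(docker run --rm "$image" cat /etc/shadow)" \
          "$(docker run --rm --ulimit nofile=65535:65535 "$image" sh -c 'ulimit -n')"
}

# Constructed sample facts (placeholder hashes, not real credentials).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
apps:x:500:500::/home/apps:/bin/bash'
SAMPLE_SHADOW='root:$6$constructed$placeholder:17000:0:99999:7:::
apps:$6$constructed$placeholder:17000:0:99999:7:::
bin:*:15980:0:99999:7:::'

# Usage: ./audit-image.sh IMAGE   (with no argument, runs against the samples)
if [ -n "${1:-}" ]; then
    audit_image "$1"
else
    audit "2.12-1.192.el6" "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" 65535
fi
```

Run it as ./audit-image.sh centos6:v1 after the docker build; a non-zero exit code is the number of requirements the image misses, which makes it easy to gate a CI job on it.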
Reposted from: http://mkena.baihongyu.com/