7 Creating Custom Container Images
To create a custom image, you need a base image of SUSE Linux Enterprise Server. You can use any of the pre-built SUSE Linux Enterprise Server images.
7.1 Pulling Base SLES Images
To obtain a pre-built base image for SUSE Linux Enterprise 12 SP3 and later, use the following command:
> docker pull registry.suse.com/suse/IMAGENAME
For example, for SUSE Linux Enterprise Server 15, the command is as follows:
> docker pull registry.suse.com/suse/sle15
sle2docker is not required, because the image is being pulled from the Docker Registry.
For information on obtaining specific base images, refer to Section 6.1, “SUSE Linux Enterprise Base Images”.
When the container image is ready, you can customize it as described in Section 7.2, “Customizing SLES Container Images”.
7.2 Customizing SLES Container Images
The pre-built images do not have any repositories configured and do not include any modules or extensions. They contain a zypper service that contacts either the SUSE® Customer Center or a Repository Mirroring Tool (RMT) server, according to the configuration of the SUSE Linux Enterprise Server host that runs the container. The service obtains the list of repositories available for the product used by the container image. You can also directly declare extensions in your Dockerfile. For more information, see Section 7.2.3, “Adding SLE Extensions and Modules to Images”.
You do not need to add any credentials to the container image, because the machine credentials are automatically injected into the /run/secrets directory in the container by the docker daemon. The same applies to the /etc/SUSEConnect file of the host system, which is automatically injected into the /run/secrets directory.
The contents of the /run/secrets directory are never included in a container image, hence there is no risk of your credentials leaking.
When the host system used for building container images is registered with RMT, the default behavior allows only building containers of the same code base as the host. For example, if your container host is an SLE 15 system, you can only build SLE 15-based images on that host by default. To build images for a different SLE version, for example SLE 12 on an SLE 15 host, the host machine credentials for the target release can be injected into the container as outlined below.
When the host system is registered with SUSE Customer Center, this restriction does not apply.
Building container images on SLE instances that were launched as so-called “on-demand” or “pay as you go” instances on a public cloud (AWS, GCE, or Azure) requires additional steps. To install packages and updates, the “on-demand” public cloud instances are connected to update infrastructure. This infrastructure is based on RMT servers operated by SUSE on the various public cloud providers.
Therefore, your machines need to locate the required services and authenticate with them. This can be done using the containerbuild-regionsrv service. This service is available in the public cloud images provided through the marketplaces of the various public cloud providers. Before building an image, this service must be started on the public cloud instance by running the following command:
> sudo systemctl start containerbuild-regionsrv
To start it automatically on system start-up, enable it:
> sudo systemctl enable containerbuild-regionsrv
The Zypper plug-ins provided by the SLE base images connect to this service and retrieve authentication details and information about which update server to talk to. For this to work, the container has to be built with host networking enabled, for example:
> docker build --network host build-directory/
Because the update infrastructure in the public clouds is based on RMT, the restriction on building SLE images for SLE versions that differ from the SLE version of the host applies as well (see Note: Building Images on Systems Registered with RMT).
To obtain the list of repositories, use the following command:
> sudo zypper ref -s
This automatically adds all the repositories to the container. For each repository added to the system, a new file will be created under /etc/zypp/repos.d. The URLs of these repositories include an access token that automatically expires after 12 hours. To renew the token, run the command zypper ref -s. Including these files in a container image does not pose any security risk.
To use a different set of credentials, put a custom /etc/zypp/credentials.d/SCCcredentials file inside of the container image. It contains the machine credentials that have the subscription you want to use. The same applies to the SUSEConnect file: to override the existing file on the host system running the container, add a custom /etc/SUSEConnect file inside of the container image.
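A custom SCCcredentials or SUSEConnect file becomes part of the image, so it is useful to know which layers carry one before the image is pushed to a shared registry. The following is an added example, not SUSE's own tooling: it scans a `docker save` archive for the paths named above. The function names and the sample archive (built in memory, with made-up layer names and placeholder content) are assumptions.

```python
import io
import json
import tarfile

# Paths named on this page, relative to the image root (prefix match).
SENSITIVE = ("etc/zypp/credentials.d/", "run/secrets/", "etc/SUSEConnect")


def find_credential_files(archive):
    """Return [(layer, path)] for credential files in a `docker save` archive."""
    hits = []
    with tarfile.open(fileobj=archive, mode="r:*") as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for entry in manifest:
            # Every layer counts: a later delete does not remove the file here.
            for layer_name in entry["Layers"]:
                blob = io.BytesIO(image.extractfile(layer_name).read())
                with tarfile.open(fileobj=blob, mode="r:*") as layer:
                    for member in layer.getmembers():
                        path = member.name.removeprefix("./").lstrip("/")
                        if member.isfile() and path.startswith(SENSITIVE):
                            hits.append((layer_name, path))
    return hits


def _tar(files):
    """Build an in-memory tar archive from {member name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def constructed_sample():
    """Constructed two-layer archive; layer names and contents are made up."""
    base = _tar({"etc/os-release": b'NAME="SLES"\n'})
    custom = _tar({
        "./etc/zypp/credentials.d/SCCcredentials": b"username=PLACEHOLDER\n",
        "etc/zypp/repos.d/example.repo": b"[example]\n",
    })
    manifest = json.dumps([{"Layers": ["base/layer.tar", "custom/layer.tar"]}])
    return io.BytesIO(_tar({"manifest.json": manifest.encode(),
                            "base/layer.tar": base, "custom/layer.tar": custom}))
```

For a real image, write the archive with `docker save IMAGE -o image.tar` and pass `open("image.tar", "rb")` to `find_credential_files()`.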
Now you can create a custom container image by using a Dockerfile as described in Section 7.2.1, “Creating a Custom Image for SLE 12 SP3 and Later”.
If you want to move your application to a container, see Chapter 8, Creating Application Images.
After you have edited the Dockerfile, build the image by running the following command in the same directory in which the Dockerfile resides:
> docker build .
For more information about docker build options, see the official Docker documentation.
For information about creating a Dockerfile for the application you want to run inside a container, see Chapter 8, Creating Application Images.
7.2.1 Creating a Custom Image for SLE 12 SP3 and Later
The following Dockerfile creates a simple container image based on SUSE Linux Enterprise Server 15:
FROM registry.suse.com/suse/sle15
RUN zypper ref -s
RUN zypper -n in vim
When the Docker host machine is registered with an internal RMT server, the image requires the SSL certificate used by RMT:
FROM registry.suse.com/suse/sle15
# Import the crt file of our private SMT server
ADD http://smt.example.com/smt.crt /etc/pki/trust/anchors/smt.crt
RUN update-ca-certificates
RUN zypper ref -s
RUN zypper -n in vim
7.2.2 Meta Information in SLE Container Images
Starting with SUSE Linux Enterprise 12 SP3, all base container images include information such as a build time-stamp and description. This information is provided in the form of labels attached to the base images, and is therefore available for derived images and containers (see Section 6.2.2, “Labels”). This information can be viewed with docker inspect:
> docker inspect registry.suse.com/suse/sle15
[...]
"Labels": {
"com.suse.sle.base.created": "2020-11-23T11:51:32.695975200Z",
"com.suse.sle.base.description": "Image containing a minimal environment for containers based on SUSE Linux Enterprise Server 15 SP2.",
"com.suse.sle.base.disturl": "obs://build.suse.de/SUSE:SLE-15-SP2:Update:CR/images/4a8871be8078bcef2e2417e2a98fc3a0-sles15-image",
"com.suse.sle.base.reference": "registry.suse.com/suse/sle15:15.2.8.2.794",
"com.suse.sle.base.title": "SUSE Linux Enterprise Server 15 SP2 Base Container",
"com.suse.sle.base.url": "https://www.suse.com/products/server/",
"com.suse.sle.base.vendor": "SUSE LLC",
"com.suse.sle.base.version": "15.2.8.2.794",
"org.openbuildservice.disturl": "obs://build.suse.de/SUSE:SLE-15-SP2:Update:CR/images/4a8871be8078bcef2e2417e2a98fc3a0-sles15-image",
"org.opencontainers.image.created": "2020-11-23T11:51:32.695975200Z",
"org.opencontainers.image.description": "Image containing a minimal environment for containers based on SUSE Linux Enterprise Server 15 SP2.",
"org.opencontainers.image.title": "SUSE Linux Enterprise Server 15 SP2 Base Container",
"org.opencontainers.image.url": "https://www.suse.com/products/server/",
"org.opencontainers.image.vendor": "SUSE LLC",
"org.opencontainers.image.version": "15.2.8.2.794",
"org.opensuse.reference": "registry.suse.com/suse/sle15:15.2.8.2.794"
},
[...]
All labels are shown twice, to ensure that in derived images, the information about the original base image is still visible and not overwritten.
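Because the com.suse.sle.base.* copies survive in derived images, they can be used to check which base an image was built from and how old that base is. The following is an added example, not part of the SUSE documentation: the function name, the report fields and the sample input are assumptions, and the image is assumed to be derived from an SLE base image.

```python
import json
from datetime import datetime, timezone

BASE = "com.suse.sle.base."
OCI = "org.opencontainers.image."


def base_image_report(inspect_json, now):
    """Summarise base-image provenance from `docker inspect IMAGE` output."""
    labels = json.loads(inspect_json)[0]["Config"]["Labels"] or {}
    base = {k[len(BASE):]: v for k, v in labels.items() if k.startswith(BASE)}
    reference = base.get("reference", "")
    # The timestamp carries nanoseconds, which %f (at most six digits) cannot
    # parse, so only the leading YYYY-MM-DDTHH:MM:SS part is read; "Z" is UTC.
    created = datetime.strptime(base["created"][:19], "%Y-%m-%dT%H:%M:%S")
    age = now - created.replace(tzinfo=timezone.utc)
    return {
        "reference": reference,
        "from_suse_registry": reference.startswith("registry.suse.com/"),
        "base_age_days": age.days,
        # Keys whose org.opencontainers.image.* copy no longer matches the base.
        "overridden": sorted(
            k for k, v in base.items() if labels.get(OCI + k, v) != v
        ),
    }


# Constructed `docker inspect` output for a derived image: the
# com.suse.sle.base.* values are the ones shown above, the
# org.opencontainers.image.* values are invented for this example.
SAMPLE = json.dumps([{"Config": {"Labels": {
    "com.suse.sle.base.created": "2020-11-23T11:51:32.695975200Z",
    "com.suse.sle.base.reference": "registry.suse.com/suse/sle15:15.2.8.2.794",
    "com.suse.sle.base.title": "SUSE Linux Enterprise Server 15 SP2 Base Container",
    "com.suse.sle.base.vendor": "SUSE LLC",
    "org.opencontainers.image.created": "2021-01-01T00:00:00Z",
    "org.opencontainers.image.title": "Example application image",
    "org.opencontainers.image.vendor": "SUSE LLC",
}}}])

if __name__ == "__main__":
    print(base_image_report(SAMPLE, datetime.now(timezone.utc)))
```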
7.2.3 Adding SLE Extensions and Modules to Images
If you have subscriptions to SUSE Linux Enterprise Server extensions or modules that you would like to use in your custom image, you can add them to the container image by specifying the ADDITIONAL_MODULES environment variable:
ENV ADDITIONAL_MODULES sle-module-desktop-applications,sle-module-development-tools