For creating your custom image you need a base Docker image of SLES. You can use any of the pre-built SLES images that you can obtain as described in Section 5.2, “Customizing SLES Docker Images”.
Usually you can pull a variety of base Docker images from the
docker hub but that does
not apply for SLES. Currently we cannot distribute SLES images for
Docker Open Source Engine because there is no way to associate an End-User License Agreement
(EULA) to a Docker image. sle2docker
enables you to
import pre-built SLES images that you can use for creating base SLES
images.
After you obtain your base docker image, you can modify the image by using a
Dockerfile
(usually placed in the build directory). Then
use the standard building tool to create your custom image:
docker build path_to_build_directory
For more docker build
options please refer to the
official
Docker documentation.
You may want to write a dockerfile for your own application that should be run inside a docker container. For a procedure refer to Chapter 6, Creating Docker Images of Applications.
You can install pre-built images of SLES by using Zypper:
sudo zypper in sles11sp4-docker-image suse-sles12sp3-image
Pre-built images do not have repositories configured. But when the Docker host has an SLE subscription that provides access to the product used in the image, Zypper will automatically have access to the right repositories.
After the pre-built images are installed, you need to list them using
sle2docker
to get a proper image name:
sle2docker list
Now you need to activate the pre-built images:
sle2docker activate PRE-BUILT_IMAGE_NAME
After successful activation, sle2docker
will display the
name of the Docker image. You can customize the docker image as described in
Section 5.2, “Customizing SLES Docker Images”.
The pre-built images do not have any repository configured and do not
include any modules or extensions. They contain a
zypper
service that contacts either the SUSE Customer Center (SCC) or your Subscription Management Tool
(SMT) server, according to the configuration of
the SLE host that runs the Docker container. The service obtains the list of
repositories available for the product used by the Docker image. You can
also directly declare extensions in your Dockerfile
(for details refer to
Section 5.2.3, “Adding SLE Extensions and Modules to Images”.
You do not need to add any credentials to the Docker image because the
machine credentials are automatically injected into the container by the
Docker daemon. They are injected inside of the
/run/secrets
directory. The same applies to the
/etc/SUSEConnect
file of the host system, which is
automatically injected into the /run/secrets
directory.
The contents of the /run/secrets
directory are never
committed to a Docker image, hence there is no risk of your credentials
leaking.
When the host system used for building Docker images is registered against RMT, the default behavior allows only building containers of the same code base as the host. For example, if your Docker host is a SLE 15 system you can only build SLE 15-based images on that host by default. To build images for a different SLE version, for example SLE 12 on a SLE 15 host, the host machine credentials for the target release can be injected into the container as outlined below.
When the host system is registered again SUSE Customer Center this restriction does not apply.
When building container images on SLE instances that were launched as so-called "on-demand" or "pay as you go" instances on a Public Cloud (AWS, GCE, or Azure), some additional steps have to be performed. For installing packages and updates, the "on-demand" public cloud instances are connected to a public cloud-specific update infrastructure, which is based on RMT servers operated by SUSE on the various Public Cloud Providers. Some additional steps are required to locate the required services and authenticate with them.
A new service was introduced to enable this, called
containerbuild-regionsrv
. This service is available
in the public cloud images provided through the
Marketplaces of the various Public Cloud Providers. So before building
an image, this service has to be started on the public cloud instance by
running the following command:
tux >
sudo
systemctl start containerbuild-regionsrv
To start it automatically after system startup, enable it with
systemctl
:
tux >
sudo
systemctl enable containerbuild-regionsrv
The Zypper plugins provided by the SLE base images will then connect to this service for retrieving authentication details and information about which update server to talk to. In order for that to work the container has to be built with host networking enabled, like the following example:
tux >
docker build --network host build-directory/
Since update infrastructure in the Public Clouds is based upon RMT, the same restrictions with regard to building SLE images for SLE versions differing from the SLE version of the host apply here as well (see Note: Building Images on Systems Registered with RMT).
To obtain the list of repositories use the following command:
zypper ref -s
It will automatically add all the repositories to your container. For each
repository added to the system a new file will be created under
/etc/zypp/repos.d
. The URLs of these repositories include
an access token that automatically expires after 12 hours. To renew the
token call the zypper ref -s
command. It is secure to
commit these files to a Docker image.
If you want to use a different set of credentials, place a custom
/etc/zypp/credentials.d/SCCcredentials
file inside of
the Docker image. It contains the machine credentials that have the
subscription you want to use. The same applies to the
SUSEConnect
file: to override the file available on the
host system that is running the Docker container, add a custom
/etc/SUSEConnect
file inside of the Docker image.
Now you can create a custom Docker image by using a
Dockerfile
. If you want to create a custom SLE 12
image, please refer to
Section 5.2.1, “Creating a Custom SLE 12 Image”. If
you want to create a custom SLE 11 SP3 Docker image, please refer to
Section 5.2.2, “Creating a Custom SLE 11 SP4 Image”. In
case you would like to move your application to a Docker container, please
refer to Chapter 6, Creating Docker Images of Applications.
The following Dockerfile
creates a simple Docker image based on
SLE 12 SP3:
FROM suse/sles12sp3:latest RUN zypper ref -s RUN zypper -n in vim
When the Docker host machine is registered against an internal SMT server, the Docker image requires the SSL certificate used by SMT:
FROM suse/sles12sp3:latest # Import the crt file of our private SMT server ADD http://smt.test.lan/smt.crt /etc/pki/trust/anchors/smt.crt RUN update-ca-certificates RUN zypper ref -s RUN zypper -n in vim
The following Dockerfile
creates a simple Docker image based on
SLE 11 SP4:
FROM suse/sles11sp4:latest RUN zypper ref -s RUN zypper -n in vim
When the Docker host machine is registered against an internal SMT server, the Docker image requires the SSL certificate used by SMT:
FROM suse/sles11sp4:latest # Import the crt file of our private SMT server ADD http://smt.test.lan/smt.crt /etc/ssl/certs/smt.pem RUN c_rehash /etc/ssl/certs RUN zypper ref -s RUN zypper -n in vim
You may have subscriptions to SLE extensions or modules that you would like to use in your custom image. To add them to the Docker image, proceed as follows:
Add the following into your Dockerfile
:
ADD *.repo /etc/zypp/repos.d/ ADD *.service /etc/zypp/services.d RUN zypper refs && zypper refresh
Copy all .service
and .repo
files that you will use into the directory where you will build the
Docker image from the Dockerfile
.