Applies to SUSE Linux Enterprise Server 15 SP1

4 Creating Custom Images

For creating your custom image you need a base Docker image of SLES. You can use any of the pre-built SLES images that you can obtain as described in Section 4.2, “Customizing SLES Docker Images”.

After you obtain your base Docker image, you can modify the image by using a Dockerfile (usually placed in the build directory). Then use the standard docker building tool to create your custom image:

tux > docker build PATH_TO_BUILD_DIRECTORY

For more information about docker build options, see the official Docker documentation.

Note: Creating a Docker Image for an Application

For information about creating a Dockerfile for the application you want to run inside a Docker container, see Chapter 5, Creating Docker Images of Applications.

4.1 Obtaining Base SLES Images

Base images of SLES are provided on the SUSE registry in the suse/ namespace. To obtain the base SLES images from SUSE registry and make them available to the local Docker instance, use the following command:

tux > docker pull registry.suse.com/suse/IMAGENAME

Pre-built images do not have repositories configured. But when the Docker host has a SLE subscription that provides access to the product used in the image, Zypper will automatically have access to the right repositories.

You can customize the Docker image as described in Section 4.2, “Customizing SLES Docker Images”.

4.1.1 Obtaining Base Images of SLE 12 SP3 and Later Service Packs

Base images of SLE 12 SP3 and later Service Packs can be found on registry.suse.com at registry.suse.com/suse/sles12spX, with X being the number of the Service Pack.

The latest tag refers to the most recently built and published image, while tags in the form 12.34 refer to a specific build which will not change in the future. The full reference to a specific image, including the tag, is part of the meta information; see Section 4.2.3, “Meta Information in SLE Container Images”.

4.1.2 Obtaining Base Images of SLE 15 and Later

Base images of SLE 15 and later can be found on registry.suse.com at registry.suse.com/suse/sleX, with X being the number of the major version.

The latest tag refers to the most recently built and published image for the newest Service Pack release, while builds for a specific Service Pack can be referenced by MAJOR.SP. To refer to a specific image build, the build identification numbers need to be appended, e.g. 15.0.3.2.1 or 15.1.2.3. The full reference to a specific image, including the tag, is part of the meta information; see Section 4.2.3, “Meta Information in SLE Container Images”.

For example, to get the latest image for SUSE Linux Enterprise Server 15 SP1, use:

tux > docker pull registry.suse.com/suse/sle15:15.1

4.2 Customizing SLES Docker Images

The pre-built images do not have any repository configured and do not include any modules or extensions. They contain a zypper service that contacts either the SUSE® Customer Center or your Repository Mirroring Tool (RMT) server, according to the configuration of the SLE host that runs the Docker container. The service obtains the list of repositories available for the product used by the Docker image. You can also directly declare extensions in your Dockerfile (for details, refer to Section 4.2.4, “Adding SLE Extensions and Modules to Images”).

You do not need to add any credentials to the Docker image because the machine credentials are automatically injected into the container by the docker daemon. They are injected inside of the /run/secrets directory. The same applies to the /etc/SUSEConnect file of the host system, which is automatically injected into the /run/secrets directory.

Note: Credentials and Security

The contents of the /run/secrets directory are never committed to a Docker image, hence there is no risk of your credentials leaking.

Note: Building Images on Systems Registered with RMT

When the host system used for building Docker images is registered with RMT, the default behavior allows only building containers of the same code base as the host. For example, if your Docker host is an SLE 15 system, you can only build SLE 15-based images on that host by default. To build images for a different SLE version, for example SLE 12 on an SLE 15 host, the host machine credentials for the target release can be injected into the container as outlined below.

When the host system is registered with SUSE Customer Center, this restriction does not apply.

Note: Building Container Images in On-Demand SLE Instances in the Public Cloud

When building container images on SLE instances that were launched as so-called "on-demand" or "pay as you go" instances on a Public Cloud (AWS, GCE, or Azure), some additional steps have to be performed. For installing packages and updates, the "on-demand" public cloud instances are connected to a public cloud-specific update infrastructure, which is based around RMT servers operated by SUSE on the various Public Cloud Providers. Some additional steps are required to locate the required services and authenticate with them.

A new service was introduced to enable this, called containerbuild-regionsrv. This service is available in the public cloud images provided through the Marketplaces of the various Public Cloud Providers. So before building an image, this service has to be started on the public cloud instance by running the following command:

tux > sudo systemctl start containerbuild-regionsrv

To start it automatically after system startup, enable it with systemctl:

tux > sudo systemctl enable containerbuild-regionsrv

The Zypper plugins provided by the SLE base images will then connect to this service to retrieve authentication details and information about which update server to talk to. For that to work, the container has to be built with host networking enabled, as in the following example:

tux > docker build --network host build-directory/

Since update infrastructure in the Public Clouds is based upon RMT, the same restrictions with regard to building SLE images for SLE versions differing from the SLE version of the host apply here as well (see Note: Building Images on Systems Registered with RMT).

To obtain the list of repositories, use the following command:

tux > sudo zypper ref -s

It will automatically add all the repositories to your container. For each repository added to the system, a new file will be created under /etc/zypp/repos.d. The URLs of these repositories include an access token that automatically expires after 12 hours. To renew the token, call the zypper ref -s command. It is secure to commit these files to a Docker image.

If you want to use a different set of credentials, place a custom /etc/zypp/credentials.d/SCCcredentials file inside of the Docker image. It contains the machine credentials that have the subscription you want to use. Unlike the files injected into /run/secrets, a credentials file placed inside the image becomes part of its layers and is readable by anyone who can pull the image. The same applies to the SUSEConnect file: to override the file available on the host system that is running the Docker container, add a custom /etc/SUSEConnect file inside of the Docker image.

Now you can create a custom Docker image by using a Dockerfile as described in Section 4.2.1 and Section 4.2.2. In case you would like to move your application to a Docker container, refer to Chapter 5, Creating Docker Images of Applications. After you have edited the Dockerfile, build the image by running the following command in the same directory in which the Dockerfile resides:

tux > docker build .

4.2.1 Creating a Custom SLE 12 Image

The following Dockerfile creates a simple Docker image based on SLE 12 SP4:

FROM registry.suse.com/suse/sles12sp4

RUN zypper ref -s
RUN zypper -n in vim

When the Docker host machine is registered against an internal RMT server, the Docker image requires the SSL certificate used by RMT:

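FROM registry.suse.com/suse/sles12sp4

# Import the crt file of our private SMT server
# Plain HTTP gives this trust anchor no integrity protection in transit;
# compare its fingerprint with a trusted copy.
ADD http://smt.test.lan/smt.crt /etc/pki/trust/anchors/smt.crt
RUN update-ca-certificates

# Refresh the services to obtain the repository list, then install vim
RUN zypper ref -s
RUN zypper -n in vim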

4.2.2 Creating a Custom SLE 15 Image

The following Dockerfile creates a simple Docker image based on the latest Service Pack released for SLE 15:

FROM registry.suse.com/suse/sle15

RUN zypper ref -s
RUN zypper -n in vim

When the Docker host machine is registered against an internal RMT server, the Docker image requires the SSL certificate used by RMT:

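FROM registry.suse.com/suse/sle15

# Import the crt file of our private SMT server
# Plain HTTP gives this trust anchor no integrity protection in transit;
# compare its fingerprint with a trusted copy.
ADD http://smt.test.lan/smt.crt /etc/pki/trust/anchors/smt.crt
RUN update-ca-certificates

# Refresh the services to obtain the repository list, then install vim
RUN zypper ref -s
RUN zypper -n in vim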

4.2.3 Meta Information in SLE Container Images

Starting from SUSE Linux Enterprise 12 SP3, all base container images include information such as a build time stamp and description. This information is provided in the form of labels attached to the base images and is thus available for derived images and containers as well. It can be displayed with docker inspect:

tux > docker inspect registry.suse.com/suse/sle15
[...]
            "Labels": {
                "com.suse.sle.base.created": "2019-06-20T18:21:37.729383880Z",
                "com.suse.sle.base.description": "Image containing a minimal environment for containers based on SUSE Linux Enterprise Server 15 SP1.",
                "com.suse.sle.base.disturl": "obs://build.suse.de/SUSE:SLE-15-SP1:Update:CR/images/20efed47827dc48da9537c1aeed4dbe2-sles15-image",
                "com.suse.sle.base.reference": "registry.suse.com/suse/sle15:15.1.6.2.31",
                "com.suse.sle.base.title": "SUSE Linux Enterprise Server 15 SP1 Base Container",
                "com.suse.sle.base.url": "https://www.suse.com/products/server/",
                "com.suse.sle.base.vendor": "SUSE LLC",
                "com.suse.sle.base.version": "15.1.6.2.31",
                "org.openbuildservice.disturl": "obs://build.suse.de/SUSE:SLE-15-SP1:Update:CR/images/20efed47827dc48da9537c1aeed4dbe2-sles15-image",
                "org.opencontainers.image.created": "2019-06-20T18:21:37.729383880Z",
                "org.opencontainers.image.description": "Image containing a minimal environment for containers based on SUSE Linux Enterprise Server 15 SP1.",
                "org.opencontainers.image.title": "SUSE Linux Enterprise Server 15 SP1 Base Container",
                "org.opencontainers.image.url": "https://www.suse.com/products/server/",
                "org.opencontainers.image.vendor": "SUSE LLC",
                "org.opencontainers.image.version": "15.1.6.2.31",
                "org.opensuse.reference": "registry.suse.com/suse/sle15:15.1.6.2.31"
            }
[...]

All labels are shown twice. This is necessary to ensure that in derived images the information about the original base image is still visible and not overwritten.
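
The tag rules from Section 4.1.1 and Section 4.1.2 and the reference label shown above can be combined into a pre-build check that reports Dockerfile base images which do not name one specific build. This is an added example, not code from SUSE; the function names classify_ref, floating_bases and base_reference are assumptions of the example, and it additionally treats a digest (@sha256:) reference as pinned.

```shell
#!/bin/sh
# Added example, not SUSE code. Tag rules follow Sections 4.1.1 and 4.1.2.

# classify_ref REF -> prints "pinned" (names one build) or "floating".
classify_ref() {
    ref=$1
    case $ref in *@sha256:*) echo pinned; return ;; esac   # digests never move
    last=${ref##*/}                        # repository[:tag] without the path
    case $last in
        *:*) repo=${last%%:*}; tag=${last##*:} ;;
        *)   echo floating; return ;;      # no tag means "latest"
    esac
    case $tag in
        ''|*[!0-9.]*|.*|*.|*..*) echo floating; return ;;  # latest, odd tags
    esac
    nodots=$(printf '%s' "$tag" | tr -d '.')
    dots=$(( ${#tag} - ${#nodots} ))       # number of dots in the tag
    case $repo in
        sles12sp*) min=1 ;;   # 4.1.1: a tag of the form 12.34 is one build
        *)         min=2 ;;   # 4.1.2: MAJOR.SP floats, build numbers pin
    esac
    if [ "$dots" -ge "$min" ]; then echo pinned; else echo floating; fi
}

# floating_bases DOCKERFILE -> "LINE REF" for each FROM that is not pinned.
floating_bases() {
    awk 'toupper($1) == "FROM" {
             i = 2
             while (i <= NF && $i ~ /^--/) i++          # skip --platform=...
             ref = $i
             if (toupper($(i + 1)) == "AS") stage[$(i + 2)] = 1
             if (ref != "" && ref != "scratch" && !(ref in stage)) print NR, ref
         }' "$1" |
    while read -r lineno ref; do
        if [ "$(classify_ref "$ref")" = floating ]; then
            echo "$lineno $ref"
        fi
    done
}

# base_reference: reads `docker inspect IMAGE` output on stdin and prints the
# full build reference from the com.suse.sle.base.reference label (4.2.3).
base_reference() {
    sed -n '/"com\.suse\.sle\.base\.reference"/{
        s/.*"com\.suse\.sle\.base\.reference": *"\([^"]*\)".*/\1/p
        q
    }'
}
```

Piping docker inspect registry.suse.com/suse/sle15 into base_reference prints the reference to put into a FROM line, and floating_bases Dockerfile prints nothing once every external base image names a specific build.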

4.2.4 Adding SLE Extensions and Modules to Images

You may have subscriptions to SLE extensions or modules that you would like to use in your custom image. To add them to the Docker image, proceed as follows:

Procedure 4.1: Adding Extension and Modules
  1. Add the following into your Dockerfile:

    ADD *.repo /etc/zypp/repos.d/
    ADD *.service /etc/zypp/services.d
    RUN zypper refs && zypper refresh
  2. Copy all .service and .repo files that you will use into the directory where you will build the Docker image from the Dockerfile.
