Applies to SUSE Linux Enterprise Server 15 SP4

8 Creating custom container images

To create a custom image, you need a base image of SUSE Linux Enterprise Server. You can use any of the pre-built SUSE Linux Enterprise Server images.

8.1 Pulling base SLES images

To obtain a pre-built base image for SUSE Linux Enterprise 12 SP3 and later, use the following command:

> docker pull registry.suse.com/suse/

For example, for SUSE Linux Enterprise Server 15, the command is as follows:

> docker pull registry.suse.com/suse/sle15

sle2docker is not required, because the image is being pulled from the Docker Registry.

For information on obtaining specific base images, refer to Section 7.1, “SUSE Linux Enterprise base images”.

When the container image is ready, you can customize it as described in Section 8.2, “Customizing SLES container images”.

8.2 Customizing SLES container images

The pre-built images do not have any repositories configured and do not include any modules or extensions. They contain a zypper service that contacts either the SUSE® Customer Center or a Repository Mirroring Tool (RMT) server, according to the configuration of the SUSE Linux Enterprise Server host that runs the container. The service obtains the list of repositories available for the product used by the container image. You can also directly declare extensions in your Dockerfile. For more information, see Section 8.2.3, “Adding SLE extensions and modules to images”.

Note: SLE_BCI repository

Starting with SUSE Linux Enterprise 15 SP3, the default base image includes the SLE_BCI repository. This repository is only used when a container is built or runs on a non-registered SLES host, or when registration credentials are not made available to containers. The repository provides a subset of SUSE Linux Enterprise 15 SP3 packages useful for customizing SLES container images. The repository is available without any registration, and it is not supported.

You do not need to add any credentials to the container image, because the machine credentials are automatically injected into the /run/secrets directory in the container by the docker daemon. The same applies to the /etc/SUSEConnect file of the host system, which is automatically injected into the /run/secrets directory.

Note: Credentials and security

The contents of the /run/secrets directory are never included in a container image, hence there is no risk of your credentials leaking.

Note: Building images on systems registered with RMT

When the host system used for building container images is registered with RMT, the default behavior allows only building containers of the same code base as the host. For example, if your container host is an SLE 15 system, you can only build SLE 15-based images on that host by default. To build images for a different SLE version, for example, SLE 12 on an SLE 15 host, the host machine credentials for the target release can be injected into the container as outlined below. Please note that if the RMT server is using a self-signed certificate, the matching CA certificate needs to be added into the container at CA_TRUSTSTORE/rmt-server.pem for the certificate to be accepted.

When the host system is registered with SUSE Customer Center, this restriction does not apply.

Note: Building container images in on-demand SLE instances in the public cloud

Building container images on SLE instances that were launched as on-demand or pay-as-you-go instances on a public cloud (AWS, GCE, or Azure) requires additional steps. To install packages and updates, the on-demand public cloud instances are connected to the update infrastructure. This infrastructure is based on RMT servers operated by SUSE on the various public cloud providers.

Therefore, your machines need to locate the required services and authenticate with them. This can be done using the containerbuild-regionsrv service. This service is available in the public cloud images provided through the marketplaces of the various public cloud providers. Before building an image, this service must be started on the public cloud instance by running the following command:

> sudo systemctl start containerbuild-regionsrv

To start it automatically on system start-up, enable it:

> sudo systemctl enable containerbuild-regionsrv

The Zypper plug-ins provided by the SLE base images connect to this service and retrieve authentication details and information about which update server to talk to. For this to work, the container has to be built with host networking enabled, for example:

> docker build --network host

Since update infrastructure in the public clouds is based upon RMT, the restrictions on building SLE images for SLE versions different from the SLE version of the host apply as well (see Note: Building images on systems registered with RMT).

To obtain the list of repositories, use the following command:

> sudo zypper ref -s

This automatically adds all the repositories to the container. For each repository added to the system, a new file will be created under /etc/zypp/repos.d. The URLs of these repositories include an access token that automatically expires after 12 hours. To renew the token, run the command zypper ref -s. Including these files in a container image does not pose any security risk.

To use a different set of credentials, put a custom /etc/zypp/credentials.d/SCCcredentials file inside the container image. It contains the machine credentials that have the subscription you want to use. The same applies to the SUSEConnect file: To override the existing file on the host system running the container, add a custom /etc/SUSEConnect file inside the container image.
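The injected /run/secrets content never reaches an image, but a custom SCCcredentials or SUSEConnect file added as described above is stored in an image layer like any other file. The following added example (not part of the SUSE documentation) lists which layers of a `docker save` archive contain those files; the archive built in `constructed_sample()` and its layer names are constructed for illustration.

```python
import io
import json
import posixpath
import tarfile

# Files this page says can be placed in an image to override registration data.
SENSITIVE = {"etc/zypp/credentials.d/SCCcredentials", "etc/SUSEConnect"}


def _tar(files: dict) -> bytes:
    """Build an in-memory tar from {path: bytes}; used only for the sample."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def scan_saved_image(archive: bytes) -> dict:
    """Map each sensitive path to the layers, in manifest order, that store it."""
    hits = {}
    with tarfile.open(fileobj=io.BytesIO(archive)) as outer:
        manifest = json.load(outer.extractfile("manifest.json"))
        for layer_name in manifest[0]["Layers"]:
            blob = io.BytesIO(outer.extractfile(layer_name).read())
            with tarfile.open(fileobj=blob) as layer:  # handles gzip layers too
                for member in layer.getmembers():
                    path = posixpath.normpath(member.name).lstrip("/")
                    if member.isfile() and path in SENSITIVE:
                        hits.setdefault(path, []).append(layer_name)
    return hits


def constructed_sample() -> bytes:
    """Constructed archive: layer1 adds credentials, layer2 deletes them."""
    creds = b"username=CONSTRUCTED\npassword=CONSTRUCTED\n"
    layers = {
        "layer0/layer.tar": _tar({"etc/os-release": b'NAME="SLES"\n'}),
        "layer1/layer.tar": _tar({"etc/zypp/credentials.d/SCCcredentials": creds}),
        # An overlay whiteout hides the file but leaves layer1 unchanged.
        "layer2/layer.tar": _tar({"etc/zypp/credentials.d/.wh.SCCcredentials": b""}),
    }
    manifest = [{"RepoTags": ["example/custom:latest"], "Layers": list(layers)}]
    return _tar({"manifest.json": json.dumps(manifest).encode(), **layers})


if __name__ == "__main__":
    print(scan_saved_image(constructed_sample()))
```

The sample shows that removing the file in a later build step does not remove it from the earlier layer, which still ships with the image.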

Now you can create a custom container image by using a Dockerfile as described in Section 8.2.1, “Creating a custom image for SLE 12 SP3 and later”.

If you want to move your application to a container, see Chapter 9, Creating application images.

After you have edited the Dockerfile, build the image by running the following command in the same directory in which the Dockerfile resides:

> docker build .

For more information about docker build options, see the official Docker documentation.

Note: Creating application images

For information about creating a Dockerfile for the application you want to run inside a container, see Chapter 9, Creating application images.

8.2.1 Creating a custom image for SLE 12 SP3 and later

The following Dockerfile creates a simple container image based on SUSE Linux Enterprise Server 15:

        FROM registry.suse.com/suse/sle15

        RUN zypper ref -s
        RUN zypper -n in vim

When the Docker host machine is registered with an internal RMT server, the image requires the SSL certificate used by RMT:

        FROM registry.suse.com/suse/sle15

        # Import the crt file of our private SMT server
        ADD http://smt.example.com/smt.crt /etc/pki/trust/anchors/smt.crt
        RUN update-ca-certificates

        RUN zypper ref -s
        RUN zypper -n in vim

8.2.2 Meta information in SLE container images

Starting with SUSE Linux Enterprise 12 SP3, all base container images include information such as a build time stamp and description. This information is provided in the form of labels attached to the base images, and is therefore available for derived images and containers (see Section 7.2.2, “Labels”). This information can be viewed with docker inspect:

        > docker inspect registry.suse.com/suse/sle15
        "Labels": {
            "com.suse.sle.base.created": "2020-11-23T11:51:32.695975200Z",
            "com.suse.sle.base.description": "Image containing a minimal environment for containers based on SUSE Linux Enterprise Server 15 SP2.",
            "com.suse.sle.base.disturl": "obs://build.suse.de/SUSE:SLE-15-SP2:Update:CR/images/4a8871be8078bcef2e2417e2a98fc3a0-sles15-image",
            "com.suse.sle.base.reference": "registry.suse.com/suse/sle15:",
            "com.suse.sle.base.title": "SUSE Linux Enterprise Server 15 SP2 Base Container",
            "com.suse.sle.base.url": "https://www.suse.com/products/server/",
            "com.suse.sle.base.vendor": "SUSE LLC",
            "com.suse.sle.base.version": "",
            "org.openbuildservice.disturl": "obs://build.suse.de/SUSE:SLE-15-SP2:Update:CR/images/4a8871be8078bcef2e2417e2a98fc3a0-sles15-image",
            "org.opencontainers.image.created": "2020-11-23T11:51:32.695975200Z",
            "org.opencontainers.image.description": "Image containing a minimal environment for containers based on SUSE Linux Enterprise Server 15 SP2.",
            "org.opencontainers.image.title": "SUSE Linux Enterprise Server 15 SP2 Base Container",
            "org.opencontainers.image.url": "https://www.suse.com/products/server/",
            "org.opencontainers.image.vendor": "SUSE LLC",
            "org.opencontainers.image.version": "",
            "org.opensuse.reference": "registry.suse.com/suse/sle15:"

All labels are shown twice, to ensure that in derived images, the information about the original base image is still visible and not overwritten.
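To show why the duplication matters, the following added example (not part of the SUSE documentation) reads `docker inspect` output for a derived image, recovers the base image details from the `com.suse.sle.base.*` labels, and reports which `org.opencontainers.image.*` fields the derived image replaced. The derived image, its "Example" label values and the function names are constructed for illustration.

```python
import json

BASE_PREFIX = "com.suse.sle.base."        # prefix shown in the listing above
OCI_PREFIX = "org.opencontainers.image."

# Constructed `docker inspect` output for a hypothetical derived image whose
# Dockerfile set its own OCI title and vendor labels.
SAMPLE_INSPECT = json.dumps([{"Config": {"Labels": {
    "com.suse.sle.base.title": "SUSE Linux Enterprise Server 15 SP2 Base Container",
    "com.suse.sle.base.vendor": "SUSE LLC",
    "com.suse.sle.base.reference": "registry.suse.com/suse/sle15:",
    "org.opencontainers.image.title": "Example application",
    "org.opencontainers.image.vendor": "Example Corp",
    "org.opensuse.reference": "registry.suse.com/suse/sle15:",
}}}])


def base_provenance(inspect_json: str):
    """Return (base-image fields, OCI fields the derived image overrode)."""
    labels = json.loads(inspect_json)[0]["Config"]["Labels"] or {}
    base = {key[len(BASE_PREFIX):]: value for key, value in labels.items()
            if key.startswith(BASE_PREFIX)}
    # A field counts as overridden when the OCI copy exists and differs.
    overridden = sorted(
        field for field, value in base.items()
        if labels.get(OCI_PREFIX + field, value) != value
    )
    return base, overridden


def base_labels_claim_suse(inspect_json: str) -> bool:
    """Inventory check: base labels name SUSE LLC and the SUSE registry."""
    base, _ = base_provenance(inspect_json)
    return (base.get("vendor") == "SUSE LLC"
            and base.get("reference", "").startswith("registry.suse.com/"))


if __name__ == "__main__":
    fields, changed = base_provenance(SAMPLE_INSPECT)
    print("base title:", fields["title"])
    print("overridden OCI fields:", changed)
    print("base labels claim SUSE:", base_labels_claim_suse(SAMPLE_INSPECT))
```

Labels are plain build-time metadata that any Dockerfile can set, so treat this as an inventory check rather than proof of origin.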

8.2.3 Adding SLE extensions and modules to images

If you have subscriptions to SUSE Linux Enterprise Server extensions or modules that you want to use in your custom image, you can add them to the container image by specifying the ADDITIONAL_MODULES environment variable:

ENV ADDITIONAL_MODULES sle-module-desktop-applications,sle-module-development-tools