Goal:
Build a Docker image that meets the team's needs
The image must satisfy the security audit requirements
Image requirements
Minimal installation
Fix the glibc (GHOST) vulnerability
Change the ulimit limit to 65535
Add a user apps
Set the passwords of apps and root
Build method
Use image-withyum.sh to create a clean Docker base image (see the attached script below)
Use a Dockerfile to apply the system modifications
Image creation
Create the image with the image-withyum.sh script
1. It is recommended to run the script on a matching system (e.g. build a CentOS 6.x image on a CentOS 6 host).
2. The repositories in yum.repos.d must point at the target release (when building a CentOS 6.x image on CentOS 7, create a repository configuration that points at CentOS 6).
3. During installation, specify the package groups to install (list them with yum grouplist) and the individual packages (pin each package to an explicit version).
4. The docker daemon must be running on the build host, because the created image is imported automatically into the local registry cache.
5. List the created images: docker images
6. Start a container from the image: docker run -itd centos6:6.6 /bin/bash
7. Stop and remove a container: docker stop xxxxx; docker rm xxxxxx;
8. Delete an image: docker rmi xxxxxxx
9. Export (save) an image to a tar archive, e.g.: docker save -o centos6.v1.tar centos6:v1
Reference command
./image-withyum.sh -y yum.conf -g Base -p "bash-4.1.2-29.el6 sudo-1.8.6p3-15.el6 glibc-2.12-1.192.el6 vim-minimal-7.2.411-1.8.el6 yum-3.2.29-60.el6 passwd-0.77-4.el6_2.2" centos6 &> /tmp/install
Script (image-withyum.sh):
#!/usr/bin/env bash
#
# Create a base CentOS Docker image.
#
# This script is useful on systems with yum installed (e.g., building
# a CentOS image on CentOS). See contrib/mkimage-rinse.sh for a way
# to build CentOS images on other systems.

# Abort on the first failing step, so a half-installed root filesystem is
# never imported as an image.
set -e

usage() {
    cat <<EOOPTS
$(basename $0) [OPTIONS] <name>
OPTIONS:
  -p "<packages>"  The list of packages to install in the container.
                   The default is blank.
  -g "<groups>"    The groups of packages to install in the container.
                   The default is "Core".
  -y <yumconf>     The path to the yum config to install packages from. The
                   default is /etc/yum.conf for Centos/RHEL and /etc/dnf/dnf.conf for Fedora
EOOPTS
    exit 1
}

# option defaults
yum_config=/etc/yum.conf
if [ -f /etc/dnf/dnf.conf ] && command -v dnf &> /dev/null; then
    yum_config=/etc/dnf/dnf.conf
    # Aliases are not expanded in non-interactive scripts, so wrap dnf in a
    # function instead of "alias yum=dnf".
    yum() { dnf "$@"; }
fi
install_groups="Core"
while getopts ":y:p:g:h" opt; do
    case $opt in
        y)
            yum_config=$OPTARG
            ;;
        h)
            usage
            ;;
        p)
            install_packages="$OPTARG"
            ;;
        g)
            install_groups="$OPTARG"
            ;;
        \?)
            echo "Invalid option: -$OPTARG"
            usage
            ;;
    esac
done
shift $((OPTIND - 1))
name=$1

if [[ -z $name ]]; then
    usage
fi

# Scratch root filesystem that becomes the image.
target=$(mktemp -d --tmpdir $(basename $0).XXXXXX)

set -x

# Minimal static device nodes; the container runtime supplies the rest.
mkdir -m 755 "$target"/dev
mknod -m 600 "$target"/dev/console c 5 1
mknod -m 600 "$target"/dev/initctl p
mknod -m 666 "$target"/dev/full c 1 7
mknod -m 666 "$target"/dev/null c 1 3
mknod -m 666 "$target"/dev/ptmx c 5 2
mknod -m 666 "$target"/dev/random c 1 8
mknod -m 666 "$target"/dev/tty c 5 0
mknod -m 666 "$target"/dev/tty0 c 4 0
mknod -m 666 "$target"/dev/urandom c 1 9
mknod -m 666 "$target"/dev/zero c 1 5

# amazon linux yum will fail without vars set
if [ -d /etc/yum/vars ]; then
    mkdir -p -m 755 "$target"/etc/yum
    cp -a /etc/yum/vars "$target"/etc/yum/
fi

# Install only mandatory packages of the requested groups, without docs.
if [[ -n "$install_groups" ]]; then
    yum -c "$yum_config" --installroot="$target" --releasever=/ --setopt=tsflags=nodocs \
        --setopt=group_package_types=mandatory -y groupinstall $install_groups
fi

if [[ -n "$install_packages" ]]; then
    yum -c "$yum_config" --installroot="$target" --releasever=/ --setopt=tsflags=nodocs \
        --setopt=group_package_types=mandatory -y install $install_packages
fi

yum -c "$yum_config" --installroot="$target" -y clean all

cat > "$target"/etc/sysconfig/network <<EOF
NETWORKING=yes
HOSTNAME=localhost.localdomain
EOF

# effectively: febootstrap-minimize --keep-zoneinfo --keep-rpmdb --keep-services "$target".
#  locales
rm -rf "$target"/usr/{{lib,share}/locale,{lib,lib64}/gconv,bin/localedef,sbin/build-locale-archive}
#  docs and man pages
rm -rf "$target"/usr/share/{man,doc,info,gnome/help}
#  cracklib
rm -rf "$target"/usr/share/cracklib
#  i18n
rm -rf "$target"/usr/share/i18n
#  yum cache
rm -rf "$target"/var/cache/yum
mkdir -p --mode=0755 "$target"/var/cache/yum
#  sln
rm -rf "$target"/sbin/sln
#  ldconfig
rm -rf "$target"/etc/ld.so.cache "$target"/var/cache/ldconfig
mkdir -p --mode=0755 "$target"/var/cache/ldconfig

# Derive the image tag from the release file inside the new root.
version=
for file in "$target"/etc/{redhat,system}-release
do
    if [ -r "$file" ]; then
        version="$(sed 's/^[^0-9\]*\([0-9.]\+\).*$/\1/' "$file")"
        break
    fi
done

if [ -z "$version" ]; then
    echo >&2 "warning: cannot autodetect OS version, using '$name' as tag"
    version=$name
fi

# Import the root filesystem as an image and smoke-test it.
tar --numeric-owner -c -C "$target" . | docker import - $name:$version

docker run -i -t --rm $name:$version /bin/bash -c 'echo success'

rm -rf "$target"
Modifying the base image
Create a Dockerfile
Use a Dockerfile to modify the image created above
Reference command:
docker build --tag="centos6:v1" --file="DockerFile" .
Reference Dockerfile
# Dockerfile that modifies centos6:6.6
# add apps user, set apps user password (XXXXXXX), modify root password (XXXXXX)
#
FROM centos6:7.2.1511
MAINTAINER terry.zeng <signmem@hotmail.com>
# Chain the steps with && so the build fails at the first failing step instead
# of silently producing an image with a missing user or an unset password.
# Removing the default *nproc.conf drop-in lets the limits in limits.conf apply.
RUN useradd apps \
    && echo 'XXXXXXX' | passwd --stdin root \
    && echo 'XXXXXXXXXX' | passwd --stdin apps \
    && rm -rf /etc/security/limits.d/*nproc.conf \
    && echo 'apps ALL=(root) NOPASSWD: ALL' >> /etc/sudoers
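The requirements listed at the top (glibc at or above the GHOST-fixed build, an apps user, passwords set for root and apps, the nproc override removed) can be verified on the finished image rather than assumed from the Dockerfile. The audit script below is an added example, not part of the original page or the author's tooling; it assumes docker is on the PATH, takes the page's glibc-2.12-1.192.el6 as the minimum version, and embeds constructed passwd/shadow samples so the checks can be exercised without an image.

```shell
# Audit a built image against the requirements listed at the top of this page.
REQUIRED_GLIBC="2.12-1.192.el6"   # version-release the reference build command installs

# rpm_ver_ge A B: succeed when version-release A >= B. Fields split on . - _ compare
# numerically when both are numbers, else as strings (simplified rpmvercmp).
rpm_ver_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, fa, /[-._]/); nb = split(b, fb, /[-._]/)
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? fa[i] : ""; y = (i <= nb) ? fb[i] : ""
      if (x == y) continue
      if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) exit !(x + 0 >= y + 0)
      exit !(x > y)
    }
    exit 0 }'
}
# glibc_vr_from_rpm: "glibc-2.12-1.192.el6.x86_64" -> "2.12-1.192.el6"
glibc_vr_from_rpm() { local q=${1#glibc-}; printf '%s\n' "${q%.*}"; }
# has_user PASSWD_TEXT USER: the user has an /etc/passwd entry
has_user() { printf '%s\n' "$1" | grep -q "^$2:"; }
# password_is_set SHADOW_TEXT USER: hash field is neither empty nor locked
password_is_set() {
  local f
  f=$(printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == u { print $2 }')
  [ -n "$f" ] && [ "$f" != '!!' ] && [ "$f" != '!' ] && [ "$f" != '*' ]
}
# Constructed sample data (not from a real image): apps exists but its password
# was never set, the state after a bare useradd, which the audit must flag.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
apps:x:500:500::/home/apps:/bin/bash'
SAMPLE_SHADOW='root:$6$constructedsalt$NOTAREALHASH:17000:0:99999:7:::
apps:!!:17000:0:99999:7:::'
# audit_image IMAGE: collect evidence from a throwaway container and check it.
audit_image() {
  local img=$1 rc=0 u glibc pw shadow nproc
  glibc=$(docker run --rm "$img" rpm -q glibc)
  pw=$(docker run --rm "$img" cat /etc/passwd)
  shadow=$(docker run --rm "$img" cat /etc/shadow)
  nproc=$(docker run --rm "$img" sh -c 'ls /etc/security/limits.d/*nproc.conf 2>/dev/null')
  rpm_ver_ge "$(glibc_vr_from_rpm "$glibc")" "$REQUIRED_GLIBC" || { echo "FAIL: $glibc is older than $REQUIRED_GLIBC"; rc=1; }
  has_user "$pw" apps || { echo "FAIL: no apps user"; rc=1; }
  for u in root apps; do
    password_is_set "$shadow" "$u" || { echo "FAIL: $u has no password set"; rc=1; }
  done
  [ -z "$nproc" ] || { echo "FAIL: nproc override still present: $nproc"; rc=1; }
  return $rc
}
if [ $# -gt 0 ]; then audit_image "$1"; fi
```

Run it as ./audit.sh centos6:v1 after docker build; a non-zero exit code means at least one requirement is not met.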