Goal:

A Docker image that satisfies the team's needs
The image must pass the security audit requirements

Image requirements

Minimal installation
The glibc GHOST vulnerability (CVE-2015-0235) must be fixed
Raise the ulimit to 65535
Add a user named apps
Set the passwords for apps and root
Change the default locale to en_US.UTF-8
Add an extra yum repository
Set the timezone to China (Asia/Shanghai)

Build method

Use image-withyum.sh to create a clean base Docker image (the script is reproduced below)
Use a Dockerfile to apply the system changes on top of that base

Image creation

Create the base image with the image-withyum.sh script

1. Build on the same OS family as the target (for example, build a CentOS 6.x image on a CentOS 6 host).
2. Point the script at the repo file you want to install from. In the example below the host runs CentOS 6.6, while /etc/yum.repo.d/centos6.8.repo holds the 6.8 repositories; a 7.3 repo file or any other release can be used the same way.
3. During the install, name the package group(s) to install (list them with yum grouplist) and any extra packages (see the example below for passing several packages at once).
4. The Docker daemon must be running on the build host: the script pipes the finished root filesystem into docker import, so the image lands directly in the local image store.
5. List the images after the build: docker images
6. Start a container from it: docker run -i -t --rm centos6:6.8 /bin/bash
7. Stop and delete a container: docker stop xxxxx; docker rm xxxxxx
8. Delete an image: docker rmi xxxxxxx
9. Export an image to a tarball (note: docker save, not docker pull), for example: docker save -o centos6.8.tar centos6:6.8
10. Import an image from a tarball, for example: docker load --input centos6.8.tar
11. Push an image to a registry: docker push xxxxxxxx (registry configuration is needed first; omitted here)

Reference build command (image-withyum.sh is the script shown below). The image name is the last argument; the tag is read from /etc/redhat-release inside the new root, which is why the result is centos6:6.8. Piping through tee keeps a log of the whole install for the audit trail.

./image-withyum.sh -y /etc/yum.repo.d/centos6.8.repo -g Base -p "sudo glibc glibc-headers glibc-common glibc-static glibc-utils glibc-devel yum yum-utils passwd vim-enhanced unzip gzip wget tar curl" centos6 | tee /tmp/install.6.8

The script (image-withyum.sh, adapted from Docker's contrib/mkimage-yum.sh):

#!/usr/bin/env bash
#
# Create a base CentOS Docker image.
#
# This script is useful on systems with yum installed (e.g., building
# a CentOS image on CentOS).  See contrib/mkimage-rinse.sh for a way
# to build CentOS images on other systems.

usage() {
    cat <<EOOPTS
$(basename $0) [OPTIONS] <name>
OPTIONS:
  -p "<packages>"  The list of packages to install in the container.
                   The default is blank.
  -g "<groups>"    The groups of packages to install in the container.
                   The default is "Core".
  -y <yumconf>     The path to the yum config to install packages from. The
                   default is /etc/yum.conf for Centos/RHEL and /etc/dnf/dnf.conf for Fedora
EOOPTS
    exit 1
}

# option defaults
yum_config=/etc/yum.conf
if [ -f /etc/dnf/dnf.conf ] && command -v dnf &> /dev/null; then
        yum_config=/etc/dnf/dnf.conf
        # aliases are not expanded in non-interactive scripts, so a function is
        # used to route the yum calls below to dnf on Fedora hosts
        yum() { dnf "$@"; }
fi
install_groups="Core"
while getopts ":y:p:g:h" opt; do
    case $opt in
        y)
            yum_config=$OPTARG
            ;;
        h)
            usage
            ;;
        p)
            install_packages="$OPTARG"
            ;;
        g)
            install_groups="$OPTARG"
            ;;
        \?)
            echo "Invalid option: -$OPTARG"
            usage
            ;;
    esac
done
shift $((OPTIND - 1))
name=$1

if [[ -z $name ]]; then
    usage
fi

target=$(mktemp -d --tmpdir $(basename $0).XXXXXX)

set -x

mkdir -m 755 "$target"/dev
mknod -m 600 "$target"/dev/console c 5 1
mknod -m 600 "$target"/dev/initctl p
mknod -m 666 "$target"/dev/full c 1 7
mknod -m 666 "$target"/dev/null c 1 3
mknod -m 666 "$target"/dev/ptmx c 5 2
mknod -m 666 "$target"/dev/random c 1 8
mknod -m 666 "$target"/dev/tty c 5 0
mknod -m 666 "$target"/dev/tty0 c 4 0
mknod -m 666 "$target"/dev/urandom c 1 9
mknod -m 666 "$target"/dev/zero c 1 5

# amazon linux yum will fail without vars set
if [ -d /etc/yum/vars ]; then
        mkdir -p -m 755 "$target"/etc/yum
        cp -a /etc/yum/vars "$target"/etc/yum/
fi

if [[ -n "$install_groups" ]];
then
    yum -c "$yum_config" --installroot="$target" --releasever=/ --setopt=tsflags=nodocs \
        --setopt=group_package_types=mandatory -y groupinstall $install_groups
fi

if [[ -n "$install_packages" ]];
then
    # The upstream invocation, kept for reference:
    # yum -c "$yum_config" --installroot="$target" --releasever=/ --setopt=tsflags=nodocs --setopt=group_package_types=mandatory -y install $install_packages
    #
    # The line actually used drops --releasever=/ and adds --nogpgcheck.
    # --nogpgcheck skips RPM signature verification for these packages, so the
    # image inherits only as much trust as the server behind the repo file.
    yum -c "$yum_config" --nogpgcheck --installroot="$target" -y install $install_packages
fi

yum -c "$yum_config" --installroot="$target" -y clean all

cat > "$target"/etc/sysconfig/network <<EOF
NETWORKING=yes
HOSTNAME=localhost.localdomain
EOF

# effectively: febootstrap-minimize --keep-zoneinfo --keep-rpmdb --keep-services "$target".
#  locales
rm -rf "$target"/usr/{{lib,share}/locale,{lib,lib64}/gconv,bin/localedef,sbin/build-locale-archive}
#  docs and man pages
rm -rf "$target"/usr/share/{man,doc,info,gnome/help}
#  cracklib
rm -rf "$target"/usr/share/cracklib
#  i18n
rm -rf "$target"/usr/share/i18n
#  yum cache
rm -rf "$target"/var/cache/yum
mkdir -p --mode=0755 "$target"/var/cache/yum
#  sln
rm -rf "$target"/sbin/sln
#  ldconfig
rm -rf "$target"/etc/ld.so.cache "$target"/var/cache/ldconfig
mkdir -p --mode=0755 "$target"/var/cache/ldconfig

version=
for file in "$target"/etc/{redhat,system}-release
do
    if [ -r "$file" ]; then
        version="$(sed 's/^[^0-9\]*\([0-9.]\+\).*$/\1/' "$file")"
        break
    fi
done

if [ -z "$version" ]; then
    echo >&2 "warning: cannot autodetect OS version, using '$name' as tag"
    version=$name
fi

tar --numeric-owner -c -C "$target" . | docker import - $name:$version

docker run -i -t --rm $name:$version /bin/bash -c 'echo success'

rm -rf "$target"

Modifying the base image

Create a Dockerfile
Use a Dockerfile to apply the system changes to the image created above.

Reference rebuild command:

docker build --tag="centos6.8:1.0" --file="./Dockerfile" .

Reference Dockerfile

# Dockerfile that modifies centos6:6.8
# adds the apps user, sets the root password hash (XXXXXX), passwordless sudo for apps,
# removes the nproc cap, en_US.UTF-8 locale, the apps yum repo, Asia/Shanghai localtime
#
FROM centos6:6.8
MAINTAINER terry.zeng <signmem@hotmail.com>

# One RUN instruction, split across lines and chained with && so that a failing
# step fails the build instead of being skipped as it would be with ';'
RUN useradd apps \
 && sed -i '/^root:/s/\*/$1$pwCxD\/$yNdGkOwwC7z3xghUN6VYx0/' /etc/shadow \
 && rm -rf /etc/security/limits.d/*nproc.conf \
 && sed -i '/requiretty/d' /etc/sudoers \
 && echo -e 'Defaults:apps,root !requiretty\napps ALL=(root) NOPASSWD:  ALL' >> /etc/sudoers.d/apps \
 && echo 'export LANG=en_US.UTF-8' >> /etc/profile \
 && echo -e "[apps]\nname=apps\nbaseurl=http://mirrors.mysite.com/apps/\$releasever/\$basearch/\ngpgcheck=0\nenabled=1\n" > /etc/yum.repos.d/apps.repo \
 && ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
 && rpm -ivh --replacepkgs --force http://10.199.129.21/mysite/creat_image_el6/glibc-common-2.12-1.192.el6.x86_64.rpm

# Environment

ENV LANG en_US.UTF-8
ENV TZ Asia/Shanghai
USER apps

Note: USER apps makes every container started from this image run as the apps user by default. useradd creates apps with a locked password, so the only route to root is the NOPASSWD sudo rule, which is what the test below exercises with sudo su -.

Points to settle before this image is signed off for the audit:

1. The root password hash in the RUN line is stored in the image layer and is visible through docker history to anyone who can pull the image, and it is an MD5-crypt ($1$) hash that can be attacked offline. Never leave the plaintext password in the Dockerfile comments, and if a root password is needed at all, use a SHA-512 ($6$) hash.
2. gpgcheck=0 in the apps repo, --nogpgcheck in the build script and rpm --force over plain http all skip signature verification. Enable gpgcheck with the repo's signing key, or at least run rpm -K on the package before forcing it in.
3. The "ulimit 65535" requirement is not met by this Dockerfile: deleting *nproc.conf only removes the limits.d nproc cap. Container limits are set on the Docker side, per run with docker run --ulimit nofile=65535:65535 or globally with the daemon's --default-ulimit option.
4. The 6.8 repo already delivers glibc-2.12-1.192.el6, which is later than the GHOST fix glibc-2.12-1.149.el6_6.5 (RHSA-2015:0090). After the build, confirm with rpm -q glibc glibc-common that both packages are at the same version at or above that level, because forcing glibc-common in on its own can leave it out of step with glibc.

Testing

Start a container and check each requirement as follows

[root@gx-yun-084043 centos6.8]# docker run -i -t --rm centos6.8:1.0 /bin/bash
[apps@7f7753093387 /]$ sudo su -
-bash-4.1# whoami
root
-bash-4.1# exit
logout
[apps@7f7753093387 /]$ locale
LANG=en_US.UTF-8
LC_CTYPE="en_US.UTF-8"
LC_NUMERIC="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_PAPER="en_US.UTF-8"
LC_NAME="en_US.UTF-8"
LC_ADDRESS="en_US.UTF-8"
LC_TELEPHONE="en_US.UTF-8"
LC_MEASUREMENT="en_US.UTF-8"
LC_IDENTIFICATION="en_US.UTF-8"
LC_ALL=

[apps@7f7753093387 /]$ ls /etc/yum.repos.d/
apps.repo  CentOS-Base.repo  CentOS-Debuginfo.repo  CentOS-fasttrack.repo  CentOS-Media.repo  CentOS-Vault.repo
[apps@7f7753093387 /]$ cat /etc/yum.repos.d/apps.repo
[apps]
name=apps
baseurl=http://mirrors.mysite.com/apps/$releasever/$basearch/
gpgcheck=0
enabled=1

[apps@7f7753093387 /]$ ping mirrors.mysite.com
PING mirrors.mysite.com (10.199.129.21) 56(84) bytes of data.
64 bytes from hh-yun-puppet-129021.mysite.com (10.199.129.21): icmp_seq=1 ttl=57 time=0.530 ms

[apps@7f7753093387 /]$ date
Thu Mar 16 12:35:04 CST 2017

[apps@286b1a7f45c3 /]$ ls /usr/bin/vim
/usr/bin/vim

[apps@da8a1dc80920 /]$ gzip
gzip: compressed data not written to a terminal. Use -f to force compression.
For help, type: gzip -h
[apps@da8a1dc80920 /]$ curl
curl: try 'curl --help' or 'curl --manual' for more information
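The manual checks above are easy to skip under time pressure. The following script, an added example that is not part of the original page or the build script, turns the requirement list at the top of the page and the test session above into a repeatable audit. Every check_* function takes the command output as text, so the checks themselves run offline against constructed input; audit_image feeds them real output from the container. It assumes bash 4 or later, docker on PATH, and the image tag centos6.8:1.0 (override with AUDIT_IMAGE).

```shell
#!/usr/bin/env bash
# audit_image.sh: check a built image against the requirements listed above.
# Added example, not code from the original page. Assumes bash 4+, docker on
# PATH and an image tag of centos6.8:1.0 unless AUDIT_IMAGE is set.
set -u

# GHOST (CVE-2015-0235) was fixed for EL6 in glibc-2.12-1.149.el6_6.5 (RHSA-2015:0090).
GHOST_FIXED_EL6="2.12-1.149.el6_6.5"

# ver_ge A B: succeed when RPM version-release A is >= B.
# Simplified rpmvercmp: every run of digits is a segment compared numerically,
# letters only separate segments, and missing trailing segments count as 0.
ver_ge() {
    local -a a b
    read -ra a <<< "$(printf '%s' "$1" | sed 's/[^0-9]\{1,\}/ /g')"
    read -ra b <<< "$(printf '%s' "$2" | sed 's/[^0-9]\{1,\}/ /g')"
    local i n=${#a[@]}
    if (( ${#b[@]} > n )); then n=${#b[@]}; fi
    for (( i = 0; i < n; i++ )); do
        if (( 10#${a[i]:-0} > 10#${b[i]:-0} )); then return 0; fi
        if (( 10#${a[i]:-0} < 10#${b[i]:-0} )); then return 1; fi
    done
    return 0
}

# check_glibc "$(rpm -q glibc)": the installed glibc is at or past the GHOST fix.
check_glibc() {
    local nvr=${1#glibc-}   # strip the package name
    nvr=${nvr%.*}           # strip the trailing .x86_64 / .i686 arch
    ver_ge "$nvr" "$GHOST_FIXED_EL6"
}

# shadow_hash "<line from /etc/shadow>": print the password field.
shadow_hash() {
    local user hash rest
    IFS=: read -r user hash rest <<< "$1"
    printf '%s' "$hash"
}

# check_root_hash: root has a real hash, not an empty or locked field.
check_root_hash() {
    case "$(shadow_hash "$1")" in
        ''|'*'|'!'*) return 1 ;;
        *)           return 0 ;;
    esac
}

# check_apps_locked: apps cannot log in with a password. An empty field would
# mean no password at all, so it fails; NOPASSWD sudo is the only route to root.
check_apps_locked() {
    case "$(shadow_hash "$1")" in
        '*'|'!'*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_locale "$(locale)": LANG is exactly en_US.UTF-8.
check_locale() { printf '%s\n' "$1" | grep -qx 'LANG=en_US.UTF-8'; }

# check_tz "$(date +%Z)": Asia/Shanghai reports CST.
check_tz() { [ "$1" = "CST" ]; }

# check_sudoers "$(cat /etc/sudoers.d/apps)": the NOPASSWD rule for apps is present.
check_sudoers() { printf '%s\n' "$1" | grep -q '^apps ALL=(root) NOPASSWD: *ALL$'; }

# check_nproc "$(ls /etc/security/limits.d)": no *nproc.conf cap is left behind.
check_nproc() { ! printf '%s\n' "$1" | grep -q 'nproc\.conf$'; }

# Run every check against a container of the given image; return 1 on any failure.
audit_image() {
    local img=$1 rc=0
    run_as() { local u=$1; shift; docker run --rm -u "$u" "$img" /bin/bash -c "$*"; }
    check_glibc       "$(run_as apps rpm -q glibc)"                || { echo "FAIL glibc (GHOST)";  rc=1; }
    check_root_hash   "$(run_as root grep '^root:' /etc/shadow)"   || { echo "FAIL root password"; rc=1; }
    check_apps_locked "$(run_as root grep '^apps:' /etc/shadow)"   || { echo "FAIL apps lock";     rc=1; }
    check_locale      "$(run_as apps locale)"                      || { echo "FAIL locale";        rc=1; }
    check_tz          "$(run_as apps date +%Z)"                    || { echo "FAIL timezone";      rc=1; }
    check_sudoers     "$(run_as root cat /etc/sudoers.d/apps)"     || { echo "FAIL sudoers";       rc=1; }
    check_nproc       "$(run_as apps ls /etc/security/limits.d)"   || { echo "FAIL nproc limit";   rc=1; }
    if [ "$rc" -eq 0 ]; then echo "PASS $img"; fi
    return "$rc"
}

# Usage: AUDIT_IMAGE=centos6.8:1.0 bash audit_image.sh
if [ -n "${AUDIT_IMAGE:-}" ]; then
    audit_image "$AUDIT_IMAGE"
fi
```

The version comparison is deliberately a simplified rpmvercmp (digit runs only), which is enough to order the el6 glibc builds; for anything beyond that, compare with rpm itself. The shadow checks run as root inside the container because the image starts as apps, which is exactly why docker run -u root is needed to read /etc/shadow.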