Creating a Docker Image and Starting a Container
This section describes how to create a Docker image for HCE and start the container on HCE.
Constraints
- The version of HCE running the container image must be the same as that of the created container image.
Creating an Image Archive File
- Confirm that the repository is configured correctly.
Check whether the parameters in the /etc/yum.repos.d/hce.repo file are configured correctly. The correct configuration is as follows:
[base]
name=HCE $releasever base
baseurl=https://repo.huaweicloud.com/hce/$releasever/os/$basearch/
enabled=1
gpgcheck=1
gpgkey=https://repo.huaweicloud.com/hce/$releasever/os/RPM-GPG-KEY-HCE-2

[updates]
name=HCE $releasever updates
baseurl=https://repo.huaweicloud.com/hce/$releasever/updates/$basearch/
......
- Create a temporary directory as the root file system of Docker images and install the software package in the temporary directory.
rm -rf /tmp/docker_rootfs
mkdir -p /tmp/docker_rootfs
yum --setopt=install_weak_deps=False --installroot /tmp/docker_rootfs --releasever 2.0 install bash yum coreutils security-tool procps-ng vim-minimal tar findutils filesystem hce-repos hce-rootfiles cronie -y
By default, the yum command installs the software packages of the current HCE version. To install the software packages of another HCE version, use --releasever to specify the version. For example, the command above installs the software packages of HCE 2.0.
- Use chroot to go to the temporary directory.
chroot /tmp/docker_rootfs
- Configure the temporary directory.
- Execute security-tool.sh to disable unnecessary services.
export EULEROS_SECURITY=0
echo "export TMOUT=300" >> /etc/bashrc
/usr/sbin/security-tool.sh -d / -c /etc/hce_security/hwsecurity/hce_security_install.conf -u /etc/hce_security/usr-security.conf -l /var/log/hce-security.log -s
It is normal for errors similar to those in Figure 1 to be displayed during execution. The possible errors are:
- The service file was not found. The service is not started in the chroot file system.
- The /etc/sysconfig/init file for booting the system was not found. The tool disables services during system startup. The image rootfs is not involved in system startup.
- The /proc/sys/kernel/sysrq file was not found. This file is used only after the system has started and does not exist in the chroot file system.
- Uninstall the security-tool, cronie, and systemd software packages and their dependent software packages.
cp -af /etc/pam.d /etc/pam.d.bak
rm -f /etc/yum/protected.d/sudo.conf /etc/yum/protected.d/systemd.conf
yum remove -y security-tool cronie systemd
rpm -e --nodeps logrotate crontabs
rm -rf /etc/pam.d
mv /etc/pam.d.bak /etc/pam.d
sh -c 'shopt -s globstar; for f in $(ls /**/*.rpmsave); do rm -f $f; done'
[ -d /var/lib/dnf ] && rm -rf /var/lib/dnf/*
[ -d /var/lib/rpm ] && rm -rf /var/lib/rpm/__db.*
- Remove the /boot directory.
rm -rf /boot
- Set the container image language to en_US.
cd /usr/lib/locale; rm -rf $(ls | grep -v en_US | grep -vw C.utf8)
rm -rf /usr/share/locale/*
- Remove shared files man, doc, info, and mime.
rm -rf /usr/share/{man,doc,info,mime}
- Remove the cache and log files.
rm -rf /etc/ld.so.cache
[ -d /var/cache/ldconfig ] && rm -rf /var/cache/ldconfig/*
[ -d /var/cache/dnf ] && rm -rf /var/cache/dnf/*
[ -d /var/log ] && rm -rf /var/log/*.log
- Remove the Java security certificate.
rm -rf /etc/pki/ca-trust/extracted/java/cacerts /etc/pki/java/cacerts
- Remove /etc/machine-id.
rm -rf /etc/machine-id
- Remove /etc/mtab.
rm -rf /etc/mtab
- Exit from the chroot file system.
exit
- Compress the temporary directory and generate the Docker image archive file hce-docker.x86_64.tar.xz.
The archive path is /tmp/docker_rootfs/hce-docker.x86_64.tar.xz.
pushd /tmp/docker_rootfs/
tar cvf hce-docker.x86_64.tar .
xz hce-docker.x86_64.tar
popd
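A check that can be run on the host after exiting the chroot, to confirm that the cleanup steps above took effect in the root file system that gets archived. This is an added example, not part of the HCE documentation: `check_rootfs` and its messages are hypothetical names, and the paths it tests are the ones the procedure removes or restores.

```shell
#!/usr/bin/env bash
# Added example: audit a chroot rootfs against the cleanup steps on this page.
# check_rootfs is a hypothetical helper; the paths come from the procedure.
# Usage: ./check_rootfs.sh /tmp/docker_rootfs

check_rootfs() {
    local root="${1%/}" fail=0 p

    # Paths the procedure deletes; a survivor means a step was skipped.
    for p in /boot /etc/machine-id /etc/mtab /etc/ld.so.cache /etc/pam.d.bak \
             /etc/pki/java/cacerts /etc/pki/ca-trust/extracted/java/cacerts \
             /usr/share/man /usr/share/doc /usr/share/info /usr/share/mime; do
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            echo "FAIL: $p still present"; fail=1
        fi
    done

    # The shell idle timeout is appended to /etc/bashrc before security-tool.sh runs.
    if ! grep -qx 'export TMOUT=300' "$root/etc/bashrc" 2>/dev/null; then
        echo "FAIL: TMOUT=300 missing from /etc/bashrc"; fail=1
    fi

    # /etc/pam.d is backed up and restored around the package removal.
    if [ ! -d "$root/etc/pam.d" ]; then
        echo "FAIL: /etc/pam.d was not restored"; fail=1
    fi

    # No *.rpmsave leftovers anywhere, no *.log files directly under /var/log.
    if [ -n "$(find "${root:-/}" -xdev -name '*.rpmsave' -print -quit 2>/dev/null)" ]; then
        echo "FAIL: *.rpmsave files remain"; fail=1
    fi
    if [ -n "$(find "$root/var/log" -maxdepth 1 -name '*.log' -print -quit 2>/dev/null)" ]; then
        echo "FAIL: *.log files remain in /var/log"; fail=1
    fi

    [ "$fail" -eq 0 ] && echo "OK: $root matches the cleanup steps"
    return "$fail"
}

if [ "$#" -gt 0 ]; then check_rootfs "$1"; fi
```

A non-zero exit status means at least one step did not take effect; the FAIL lines name the path or setting involved.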
Starting a Container Using an Image Archive File
- Confirm that the repository is configured correctly.
Check whether the parameters in the /etc/yum.repos.d/hce.repo file are configured correctly. The correct configuration is as follows:
[base]
name=HCE $releasever base
baseurl=https://repo.huaweicloud.com/hce/$releasever/os/$basearch/
enabled=1
gpgcheck=1
gpgkey=https://repo.huaweicloud.com/hce/$releasever/os/RPM-GPG-KEY-HCE-2

[updates]
name=HCE $releasever updates
baseurl=https://repo.huaweicloud.com/hce/$releasever/updates/$basearch/
......
- Install the Docker software package.
yum install docker -y
- Use the image archive file to create a container image.
mv /tmp/docker_rootfs/hce-docker.x86_64.tar.xz .
docker import hce-docker.x86_64.tar.xz
Run the docker images command to check the container image ID. In this example, the container image ID is 6cfefae3a541.
Figure 2 Checking the container image ID
To create an image, you can run the following command to specify the REPOSITORY and TAG parameters:
docker import [OPTIONS] file|URL|- [REPOSITORY[:TAG]]
- Use the image to run containers and enter the bash environment.
If the shell view changes after you run the following command, you have entered the bash environment of the container. 6cfefae3a541 is the image ID.
docker run -it 6cfefae3a541 bash
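Both procedures begin by confirming the repository configuration in /etc/yum.repos.d/hce.repo. The script below automates the signature-related part of that check; it is an added example, not part of the HCE documentation. `check_repo_gpg` is a hypothetical name, and the check assumes every enabled section should carry gpgcheck=1 and a gpgkey explicitly, as the [base] section shown on this page does.

```shell
#!/usr/bin/env bash
# Added example: report enabled repo sections that do not enforce signatures.
# check_repo_gpg is a hypothetical helper. It reads only the repo file, so a
# value inherited from the main yum/dnf configuration is reported as "unset".
# Usage: ./check_repo_gpg.sh /etc/yum.repos.d/hce.repo

check_repo_gpg() {
    awk '
        function report() {
            if (sec == "" || enabled == "0") return
            if (gpgcheck == "1" && gpgkey != "") return
            printf "FAIL: [%s] gpgcheck=%s gpgkey=%s\n", sec,
                   (gpgcheck == "" ? "unset" : gpgcheck),
                   (gpgkey == "" ? "unset" : gpgkey)
            bad = 1
        }
        /^[ \t]*[#;]/ { next }                      # comment lines
        /^[ \t]*\[.*\][ \t]*$/ {                    # new [section]
            report()
            sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec)
            enabled = gpgcheck = gpgkey = ""
            next
        }
        /=/ {                                       # key=value
            key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (key == "enabled")  enabled  = val
            if (key == "gpgcheck") gpgcheck = val
            if (key == "gpgkey")   gpgkey   = val
        }
        END { report(); exit bad + 0 }
    ' "$1"
}

if [ "$#" -gt 0 ]; then check_repo_gpg "$1"; fi
```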