Help Center/ Huawei Cloud EulerOS/ User Guide/ Creating a Docker Image and Starting a Container

Updated on 2024-09-14 GMT+08:00

View PDF

Creating a Docker Image and Starting a Container

This section describes how you can create a Docker image for HCE and start the container on HCE.

Constraints

The version of HCE running the container image must be the same as that of the created container image.

Creating an Image Archive File

Confirm that the repository is configured correctly.

Check whether the parameters in the /etc/yum.repos.d/hce.repo file are configured correctly. The correct configuration is as follows:

[base]
name=HCE $releasever base
baseurl=https://repo.huaweicloud.com/hce/$releasever/os/$basearch/
enabled=1
gpgcheck=1
gpgkey=https://repo.huaweicloud.com/hce/$releasever/os/RPM-GPG-KEY-HCE-2

[updates]
name=HCE $releasever updates
baseurl=https://repo.huaweicloud.com/hce/$releasever/updates/$basearch/
......

Create a temporary directory as the root system file of the Docker image and install the software package in the temporary directory.
```
rm -rf /tmp/docker_rootfs 
mkdir -p /tmp/docker_rootfs 
yum --setopt=install_weak_deps=False --installroot /tmp/docker_rootfs --releasever 2.0 install bash yum coreutils security-tool procps-ng vim-minimal tar findutils filesystem hce-repos hce-rootfiles cronie -y
```
- Replace releasever in the command with the HCE version number.
- You can also install other required software packages here, but ensure that the space in the /tmp directory is sufficient.

Go to the temporary directory of the chroot file system.

chroot /tmp/docker_rootfs

Execute HCE security-tool.sh to disable unnecessary services.
```
export EULEROS_SECURITY=0
echo "export TMOUT=300" >> /etc/bashrc
/usr/sbin/security-tool.sh -d / -c /etc/hce_security/hwsecurity/hce_security_install.conf -u /etc/hce_security/usr-security.conf -l /var/log/hce-security.log -s
```
During the execution, it is normal if the following errors are displayed:
- The service file was not found. The service is not started in the chroot file system.
- The /etc/sysconfig/init file for booting the system was not found. The tool disables services during system startup. The image rootfs is not involved in system startup.
- The /proc/sys/kernel/sysrq file was not found. This file is used for calling after the system is started and does not exist in the chroot file system.

Uninstall the security-tool, cronie, and systemd software packages and their dependent software packages.

cp -af /etc/pam.d /etc/pam.d.bak
rm -f /etc/yum/protected.d/sudo.conf /etc/yum/protected.d/systemd.conf
yum remove -y security-tool cronie systemd
rpm -e --nodeps logrotate crontabs
rm -rf /etc/pam.d
mv /etc/pam.d.bak /etc/pam.d
sh -c 'shopt -s globstar; for f in $(ls /**/*.rpmsave); do rm -f $f; done'
[ -d /var/lib/dnf ] && rm -rf /var/lib/dnf/*
[ -d /var/lib/rpm ] && rm -rf /var/lib/rpm/__db.*

Remove the /boot directory.
```
rm -rf /boot
```

Set the container image language to en_US.

cd /usr/lib/locale;rm -rf $(ls | grep -v en_US | grep -vw C.utf8 )
rm -rf /usr/share/locale/*

Remove shared files man, doc, info, and mime.
```
rm -rf /usr/share/{man,doc,info,mime}
```

Remove the cached log files.

rm -rf /etc/ld.so.cache
[ -d /var/cache/ldconfig ] && rm -rf /var/cache/ldconfig/*
[ -d /var/cache/dnf ] && rm -rf /var/cache/dnf/*
[ -d /var/log ] && rm -rf /var/log/*.log

Remove the Java security certificate.

rm -rf /etc/pki/ca-trust/extracted/java/cacerts /etc/pki/java/cacerts

Remove /etc/machine-id.
```
rm -rf /etc/machine-id
```
Remove /etc/mtab.
```
rm -rf /etc/mtab
```

Exit from the chroot file system.
```
exit
```
Compress the temporary directory and generate the Docker image archive file hce-docker.x86_64.tar.xz.
The archive path is /tmp/docker_rootfs/hce-docker.x86_64.tar.xz.
```
pushd /tmp/docker_rootfs/
tar cvf hce-docker.x86_64.tar .
xz hce-docker.x86_64.tar
popd
```
Convert the image archive file to a file with layer information.
You cannot run the docker load command to load the image because the generated image archive file does not contain layer information. You need to run the docker import command to generate an image from the image archive file, and then run the docker save command to save the image as an image file with layer information. In this way, you can run the docker load command to load the image. In the following example, the image archive file is docker_save.tar.xz and the image is named my_image.
```
docker import hce-docker.x86_64.tar.xz my_image:v1
docker save -o docker_save.tar.xz my_image:v1
```
You can run the docker load command to load the docker_save.tar.xz file.
```
docker load -i docker_save.tar.xz
```

Starting a Container Using an Image Archive File

Confirm that the repository is configured correctly.

Check whether the parameters in the /etc/yum.repos.d/hce.repo file are configured correctly. The correct configuration is as follows:

[base]
name=HCE $releasever base
baseurl=https://repo.huaweicloud.com/hce/$releasever/os/$basearch/
enabled=1
gpgcheck=1
gpgkey=https://repo.huaweicloud.com/hce/$releasever/os/RPM-GPG-KEY-HCE-2

[updates]
name=HCE $releasever updates
baseurl=https://repo.huaweicloud.com/hce/$releasever/updates/$basearch/
......

Install the Docker software package.
```
yum install docker -y
```
Use the image archive file to create a container image.
```
mv /tmp/docker_rootfs/hce-docker.x86_64.tar.xz .
docker import hce-docker.x86_64.tar.xz
```
Run the docker images command to check the container image ID. In this example, the container image ID is 6cfefae3a541.

To create an image, you can run the following command to specify the REPOSITORY and TAG parameters:

docker import [OPTIONS] file|URL|- [REPOSITORY[:TAG]]
Run the image bash script in the container.
If the shell view changes after you run the following command, you have started the bash for the container:
```
docker run -it 6cfefae3a541 bash 
```