SUSE Manager/imagebuilding

From MicroFocusInternationalWiki

Build Container images with SUSE Manager

This feature is only available for SALT minions running on SLES12.

Make a SALT minion a Container Build Host

   During the Beta phase, you need to create a custom repository with the new client tools.

In the Web UI select the system:

  • Assign the betatest client tools channel to the minion (Software => Software Channels)
  • Assign the Containers Module to the SALT minion (Software => Software Channels)
  • Update the packages "salt" and "salt-minion"
  • At "Details" => "Properties" enable the Add-On System Type: "Docker Build Host" and press "Update Properties"

A state should be applied to install the required software.

Create an Image Store

Define the place where you want to push the images to.

  • Go to "Images" => "Stores"
  • Click on "Create"
  • Define the Store Type, Label and URI (for containers the FQDN is sufficient in most cases)
  • Click on "Create"

Create an Activation Key to define the used channels during building

Create an activation key and select the channels you want to have available for building. Other values of an activation key are not taken into account.

Create an Image Profile

  • Go to "Images" => "Profiles"
  • Click on "Create"
  • Fill "Label", "Image Type", "Target Image Store", "Activation Key" and "Path"
  • Click on "Create"

For "Path" you can use a Git URL (http/https) in the following format:

       https://git.domain.top/path/my.git#branchname:folder

If branchname is omitted, "master" is used. If folder is omitted, the Dockerfile is expected in the root directory of the checkout.

See also: Using token authentication to access private GIT repositories

Example Dockerfile

The SUSE Manager build process provides the SSL certificate and the repositories via build arguments (buildargs).


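   FROM registry.mgr.suse.de/sles12sp2
   MAINTAINER SUSE Manager Team "manager-beta@suse.de"

   # Both values are passed in by the SUSE Manager build process
   ARG repo
   ARG cert

   # Trust the SUSE Manager CA, then add the build repositories
   RUN echo "$cert" > /etc/pki/trust/anchors/RHN-ORG-TRUSTED-SSL-CERT.pem
   RUN update-ca-certificates
   RUN echo "$repo" > /etc/zypp/repos.d/susemanager:dockerbuild.repo

   # ... do the required tasks

   # Remove the build-time repository definition from the final image
   RUN rm -f /etc/zypp/repos.d/susemanager:dockerbuild.repo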

To be able to inspect the image and read the package and product list, python and python-xml must be installed in the container. If they are not installed, building the image will still work, but the package and product list cannot be read and the information will not be available in the UI.

Build an Image

Either click on the "Build" icon in the profile list or

  • Go to "Images" => "Build"
  • Set a "Tag" if you want one other than "latest"
  • Select the "Build Profile" and the "Build Host"

On the left side, the details of the selected Profile are shown.

To schedule a build, click on the "Build" button.

List / show Images

To list built images, go to

  • "Images" => "Images"

It will show you a list of all built images. Besides name, version and build status, it shows the update status with possible patch/package updates.

Clicking on the Details button will provide a more detailed view, including an exact list of relevant patches and a list of all packages installed in the image.

   Patch and Package list is only available if the inspect state after building was successful.

Known Pitfalls

  • HTTPS certificates needed to access the registry or the git repositories should be deployed to the minion by a custom state file
  • SSH git access with Docker is not working
  • If python and python-xml are not installed in the image, salt is not able to run in the container and reporting the installed packages/products will fail. This results in an unknown update status.

Using token authentication to access private GIT repositories

The basic URL format to provide a GIT repository for a build profile is:

   giturl#branch:dockerfile_location

In real life this might (for public access) be something like:

   https://gitlab.example.com/johndoe/myrepo.git#master:/images/slesbasic/

If your GIT repository is private and not publicly accessible, you need to modify the profile's GIT URL to include some authentication. The kind of additional information depends on the GIT service used. A common approach is to use authentication tokens.

Gitlab.com (or self-hosted)

In GitLab it's possible to generate authentication tokens for accessing the API and repositories. See https://docs.gitlab.com/ce/user/profile/personal_access_tokens.html for details.

If authentication is required, use the username "gitlab-ci-token", followed by ":" and your generated token. In the URL below, replace "XXXXXXXXXX" with your token.

Note: Don't change "gitlab-ci-token"! It's already the final string.

   https://gitlab-ci-token:XXXXXXXXXX@gitlab.example.com/johndoe/myrepo.git#master:/images/slesbasic/

Github.com

Using Github.com, the mechanism is quite similar, but your personal username has to be used instead of "gitlab-ci-token". See: https://github.com/blog/1509-personal-api-tokens for details.

   https://johndoe:XXXXXXXXXX@github.com/johndoe/myrepo.git#master:/images/slesbasic/
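
Because the token is part of the profile's "Path", anything that records that URL also records the token. The following is an added example, not code from SUSE Manager: it splits a path of the form giturl#branch:folder using the defaults stated earlier on this page and returns a copy of the URL with the token masked for use in logs. The names parse_profile_path and ProfilePath, and the use of "/" for the checkout root, are assumptions of this example.

```python
from typing import NamedTuple
from urllib.parse import urlsplit, urlunsplit


class ProfilePath(NamedTuple):
    repo_url: str     # clone URL, still containing any embedded token
    branch: str
    folder: str       # where the Dockerfile is expected
    safe_url: str     # repo_url with the token masked, for logs and tickets
    has_secret: bool


def parse_profile_path(path: str) -> ProfilePath:
    """Split 'giturl#branch:folder' and apply the defaults the page states."""
    parts = urlsplit(path)
    # The page allows http/https only; ssh git access is a known pitfall.
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("expected an http(s) git URL")

    # Fragment is 'branch:folder'; either half may be missing.
    branch, _, folder = parts.fragment.partition(":")
    branch = branch or "master"
    folder = folder or "/"   # assumption: "/" stands for the checkout root

    # Userinfo is 'user:token' as in the GitLab and GitHub forms.
    userinfo, _, hostport = parts.netloc.rpartition("@")
    user, _, secret = userinfo.partition(":")
    has_secret = bool(secret)
    safe_netloc = f"{user}:****@{hostport}" if has_secret else parts.netloc

    def rebuild(netloc: str) -> str:
        return urlunsplit((parts.scheme, netloc, parts.path, parts.query, ""))

    return ProfilePath(rebuild(parts.netloc), branch, folder,
                       rebuild(safe_netloc), has_secret)


if __name__ == "__main__":
    # Constructed sample: the GitLab form from the page, placeholder token.
    sample = ("https://gitlab-ci-token:XXXXXXXXXX@gitlab.example.com"
              "/johndoe/myrepo.git#master:/images/slesbasic/")
    p = parse_profile_path(sample)
    print(p.safe_url, p.branch, p.folder)
```

Log or display only safe_url; repo_url still carries the token and should be handled like a credential.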


"Docker" is a registered trademark of Docker, Inc.