1、JDK - 基础镜像
vi .dockerignore*!jdk-8u281-linux-x64.tar.gzvi DockerfileFROM centos:7MAINTAINER "Geray <1690014753@qq.com>"# 建议需要安装telnetRUN yum -y install wget unzip zip openssh-clients iproute net-tools kde-l10n-Chinese reinstall glibc-common && \# 安装jdk# yum -y install java-1.8.0-openjdk && \# yum -y install java-1.8.0-openjdk-devel.x86_64 && \yum clean all && \rm -rf /var/cache/yum/* && \localedef -c -f UTF-8 -i zh_CN zh_CN.utf8 && \cat /dev/null > /etc/locale.conf && echo "LC_ALL=\"zh_CN.UTF-8\"" > /etc/locale.conf#envENV TZ "Asia/Shanghai"#ENV LANG en_US.UTF-8ENV LANG zh_CN.UTF-8ADD jdk-8u281-linux-x64.tar.gz /usr/local#JDK环境变量#ENV JAVA_HOME /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.292.b10-1.el7_9.x86_64ENV JAVA_HOME /usr/local/jdk1.8.0_281ENV JRE_HOME ${JAVA_HOME}/jreENV CLASS_PATH .:${JAVA_HOME}/jre/lib/rt.jar:${JAVA_HOME}/lib/dt.jar:${JAVA_HOME}/lib/tools.jar:${JRE_HOME}/libENV PATH $PATH:${JAVA_HOME}/bin:${JRE_HOME}/bin
docker build -t geray/hs_jdk:v1.8.0_281-b09 .docker save geray/hs_jdk:v1.8.0_281-b09 | gzip > HSjdk-1.8.0_281.tar.gz
2、Tomcat - 基础镜像
需要用到的agent和证书文件:
UCA-RSA-Non-Public-CA-G1.cer
vi .dockerignore*!agent.zip!UCA-RSA-Non-Public-CA-G1.cer# 使用run.sh一遍输出日志到catalina.out,或者可以使用下面的方式替换catalina.sh文件vi run.sh#!/bin/bashbash /usr/local/tomcat/bin/startup.shtail -f /usr/local/tomcat/logs/catalina.outvi DockerfileFROM geray/hs_jdk:v1.8.0_281-b09MAINTAINER "Geray <1690014753@qq.com>"#声明CATALINA_HOME环境变量ENV CATALINA_HOME /usr/local/tomcat#将Tomcat下的bin路径加入到PATH环境变量中。ENV PATH $CATALINA_HOME/bin:$PATH#Tomcat相关文件的版本。ENV TOMCAT_MAJOR 9ENV TOMCAT_VERSION 9.0.52#Tomcat相关文件下载地址ENV TOMCAT_TGZ_URL "https://www.apache.org/dyn/closer.cgi?action=download&filename=tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz"#下载验证文件#ENV TOMCAT_ASC_URL https://www.apache.org/dist/tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz.asc#添加agent和证书文件COPY agent.zip /usr/localCOPY UCA-RSA-Non-Public-CA-G1.cer $JRE_HOME/lib/security#执行命令RUN set -x && \mkdir -p $CATALINA_HOME && \wget -O tomcat.tar.gz $TOMCAT_TGZ_URL && \#wget -O tomcat.tar.gz.asc "$TOMCAT_ASC_URL" && \tar -xvf tomcat.tar.gz --strip-components=1 -C $CATALINA_HOME && \# 禁用jdk随机数#sed -i '1a JAVA_OPTS="${JAVA_OPTS} -Djava.security.egd=file:/dev/./urandom"' $CATALINA_HOME/bin/catalina.sh && \echo 'JAVA_OPTS="${JAVA_OPTS} -Djava.security.egd=file:/dev/./urandom"' > $CATALINA_HOME/bin/setenv.sh && \rm -rf $CATALINA_HOME/bin/*.bat && \rm -rf $CATALINA_HOME/webapps/* && \# 共有5个{docs,examples,host-manager,manager,ROOT}# rm -rf $CATALINA_HOME/webapps/{docs,examples} && \rm -rf tomcat.tar.gz* && \mkdir -p $CATALINA_HOME/webapps/ROOT && \echo "ok" > $CATALINA_HOME/webapps/ROOT/index.html && \#解压agentunzip /usr/local/agent.zip -d /usr/local/ && \rm -rf /usr/local/agent.zip && \#添加jdk证书cd $JRE_HOME/lib/security && \echo y | keytool -import -trustcacerts -alias UCA-RSA-Non-Public-CA-G1.cer -file UCA-RSA-Non-Public-CA-G1.cer -keystore cacerts -storepass changeitCOPY run.sh /usr/local/tomcatRUN chmod +x /usr/local/tomcat/run.sh#指定RUN、CMD、ENTRYPOINT命令的当前工作路径WORKDIR $CATALINA_HOME#暴露8080端口EXPOSE 8080#容器启动时执行的命令。#CMD ["catalina.sh", "start"]CMD ["/usr/local/tomcat/run.sh"]#ENTRYPOINT ["run.sh"]
docker build -t geray/tomcat:v9.0.52-hsjdk1.8.0_281-b09 .docker save geray/tomcat:v9.0.52-hsjdk1.8.0_281-b09 | gzip > tomcat-9.tar.gz
怎么输出catalina.out日志?
第一种方式就是使用上面的run.sh
第二种,替换catalina.sh配置文件
建议:使用第一种方法,容器的logs也会看到先关启动日志信息
2021-12-7 - 栋哥所需镜像
根据tomcat发布的漏洞,需要升级tomcat版本,9版本最新版本为9.0.55,使用上述Docker存在以下问题:
1. .dockerignore配置文件中需要添加run.sh
2. tomcat版本为9.0.55构建存在证书错误
+ wget -O tomcat.tar.gz 'https://www.apache.org/dyn/closer.cgi?action=download&filename=tomcat/tomcat-9/v9.0.55/bin/apache-tomcat-9.0.55.tar.gz'--2021-12-07 15:33:11-- https://www.apache.org/dyn/closer.cgi?action=download&filename=tomcat/tomcat-9/v9.0.55/bin/apache-tomcat-9.0.55.tar.gzResolving www.apache.org (www.apache.org)... 151.101.2.132, 2a04:4e42::644Connecting to www.apache.org (www.apache.org)|151.101.2.132|:443... connected.ERROR: cannot verify www.apache.org's certificate, issued by ‘/C=US/O=Let's Encrypt/CN=R3’:Issued certificate has expired.To connect to www.apache.org insecurely, use `--no-check-certificate'.
通过错误描述信息可以看到是由于执行wget -O tomcat.tar.gz $TOMCAT_TGZ_URL命令下载tomcat时出现证书认证问题(该问题和TOMCAT_ASC_URL验证文件无关吗,已验证),根据提示最简单的处理方法就是添加--no-check-certificate参数跳过验证
wget -O tomcat.tar.gz $TOMCAT_TGZ_URL --no-check-certificate
3. 构建
docker build -t geray/tomcat:v9.0.55-hsjdk1.8.0_281-b09 .docker save geray/tomcat:v9.0.55-hsjdk1.8.0_281-b09 | gzip > tomcat-9.0.55.tar.gz
3、良好的构建习惯 - 构建前测试
docker run -it --rm --name jdk geray/hs_jdk:v1.8.0_281-b09 bashexport CATALINA_HOME=/usr/local/tomcatexport PATH=$CATALINA_HOME/bin:$PATHexport TOMCAT_MAJOR=9export TOMCAT_VERSION=9.0.55export TOMCAT_TGZ_URL="https://www.apache.org/dyn/closer.cgi?action=download&filename=tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz"mkdir -p $CATALINA_HOMEwget -O tomcat.tar.gz $TOMCAT_TGZ_URL --no-check-certificatetar -xvf tomcat.tar.gz --strip-components=1 -C $CATALINA_HOMEcd $CATALINA_HOME
2021-12-8栋哥tomcat9.0.55版本镜像提供
.dockerignore
*!agent.zip!UCA-RSA-Non-Public-CA-G1.cer!run.sh!404.html!500.html!web.xml
run.sh
#!/bin/bashbash /usr/local/tomcat/bin/startup.shtail -f /usr/local/tomcat/logs/catalina.out
404.html和500.html一样
太长了略
web.xml
<!-- 添加错误页面 --><welcome-file-list><welcome-file>index.html</welcome-file><welcome-file>index.htm</welcome-file><welcome-file>index.jsp</welcome-file></welcome-file-list><error-page><error-code>500</error-code><location>/500.html</location></error-page><error-page><error-code>404</error-code><location>/404.html</location></error-page></web-app>
Docker
FROM geray/hs_jdk:v1.8.0_281-b09MAINTAINER "Geray <1690014753@qq.com>"#声明CATALINA_HOME环境变量ENV CATALINA_HOME /usr/local/tomcat#将Tomcat下的bin路径加入到PATH环境变量中。ENV PATH $CATALINA_HOME/bin:$PATH#Tomcat相关文件的版本。ENV TOMCAT_MAJOR 9ENV TOMCAT_VERSION 9.0.55#Tomcat相关文件下载地址ENV TOMCAT_TGZ_URL "https://www.apache.org/dyn/closer.cgi?action=download&filename=tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz"#下载验证文件#ENV TOMCAT_ASC_URL https://www.apache.org/dist/tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz.asc#添加agent和证书文件COPY agent.zip /usr/localCOPY UCA-RSA-Non-Public-CA-G1.cer $JRE_HOME/lib/security#执行命令RUN set -x && \mkdir -p $CATALINA_HOME && \wget -O tomcat.tar.gz $TOMCAT_TGZ_URL --no-check-certificate && \# wget -O tomcat.tar.gz.asc "$TOMCAT_ASC_URL" && \tar -xvf tomcat.tar.gz --strip-components=1 -C $CATALINA_HOME && \# 禁用jdk随机数#sed -i '1a JAVA_OPTS="${JAVA_OPTS} -Djava.security.egd=file:/dev/./urandom"' $CATALINA_HOME/bin/catalina.sh && \echo 'JAVA_OPTS="${JAVA_OPTS} -Djava.security.egd=file:/dev/./urandom"' > $CATALINA_HOME/bin/setenv.sh && \rm -rf $CATALINA_HOME/bin/*.bat && \# rm -rf $CATALINA_HOME/webapps/* && \rm -rf $CATALINA_HOME/webapps/{docs,examples} && \rm -rf tomcat.tar.gz* && \mkdir -p $CATALINA_HOME/webapps/ROOT && \# echo "ok" > $CATALINA_HOME/webapps/ROOT/index.html && \#解压agentunzip /usr/local/agent.zip -d /usr/local/ && \rm -rf /usr/local/agent.zip && \#添加jdk证书cd $JRE_HOME/lib/security && \# useradd tomcat && \echo y | keytool -import -trustcacerts -alias UCA-RSA-Non-Public-CA-G1.cer -file UCA-RSA-Non-Public-CA-G1.cer -keystore cacerts -storepass changeit# 添加错误页面COPY 404.html /COPY 500.html /# 替换conf/web.xml配置文件COPY web.xml /usr/local/tomcat/confCOPY run.sh /usr/local/tomcatRUN chmod +x /usr/local/tomcat/run.sh#指定RUN、CMD、ENTRYPOINT命令的当前工作路径WORKDIR $CATALINA_HOME#暴露8080端口EXPOSE 8080#容器启动时执行的命令。CMD ["/usr/local/tomcat/run.sh"]
若有收获,就点个赞吧
0 人点赞
