Adding an SSH Service to an Image

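System administrators are often used to managing servers remotely over SSH, but many Docker images do not ship with SSH. When you need to log in to a container remotely to perform some operation, SSH support is required. This article shows how to build your own image with an SSH service.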

I. Creating with the commit command

Docker's commit command lets you commit your changes to a given container and produce a new image from them. Its usage is as follows:

root@ubuntu:~# docker commit --help

Usage:  docker commit [OPTIONS] CONTAINER [REPOSITORY[:TAG]]

Create a new image from a container's changes

Options:
  -a, --author string    Author (e.g., "John Hannibal Smith <hannibal@a-team.com>")
  -c, --change list      Apply Dockerfile instruction to the created image
  -m, --message string   Commit message
  -p, --pause            Pause container during commit (default true)

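First pull the image, start a container and configure the package sources; for the details, see "Installing Ubuntu with Docker". The focus here is on installing and configuring the SSH service.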

1.1 Installing and configuring the SSH service

openssh-server is used as the server. Install it with the following command:

root@2d7c5e1c06d8:/# apt-get install openssh-server
Reading package lists... Done
Building dependency tree
Reading state information... Done
......

For the SSH service to start normally, the directory /var/run/sshd must exist. Create it manually:

root@2d7c5e1c06d8:/# mkdir -p /var/run/sshd

Next, start the SSH service:

root@2d7c5e1c06d8:/# /usr/sbin/sshd -D &
[1] 657

Checking port 22 in the container now shows that it is listening:

root@2d7c5e1c06d8:/# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      657/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      657/sshd

Modify the SSH service's security configuration to remove the PAM login restriction:

root@2d7c5e1c06d8:/# sed -ri 's/session required pam_loginuid.so/#session required pam_loginuid.so/g' /etc/pam.d/sshd
root@2d7c5e1c06d8:/#

Create the .ssh directory under the root user's home directory and copy the public key that needs to log in into the authorized_keys file:

root@2d7c5e1c06d8:/# mkdir root/.ssh
root@2d7c5e1c06d8:/#
root@2d7c5e1c06d8:/#
root@2d7c5e1c06d8:/# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:wNq35+CSXxsXsWL2cNx+ZGQe4sucSPnOBdyxMeVlsfI root@a5503782666d
The key's randomart image is:
+---[RSA 2048]----+
|               .=|
|     .         o+|
|      o     .o *+|
|     o .   .++=+*|
|    . . S =o=+.E+|
|       . +.==o+o |
|       .o +.o*...|
|      o. = +o .. |
|       oo o  o   |
+----[SHA256]-----+
root@2d7c5e1c06d8:/#
root@2d7c5e1c06d8:/# ll root/.ssh/
total 16
drwxr-xr-x 2 root root 4096 Mar 10 12:59 ./
drwx------ 1 root root 4096 Mar 10 12:58 ../
-rw------- 1 root root 1675 Mar 10 12:59 id_rsa
-rw-r--r-- 1 root root  399 Mar 10 12:59 id_rsa.pub
root@2d7c5e1c06d8:/#
root@2d7c5e1c06d8:/# cp root/.ssh/id_rsa.pub root/.ssh/authorized_keys

Create run.sh, an executable file that starts the SSH service automatically, and make it executable:

root@2d7c5e1c06d8:/# vi run.sh
root@2d7c5e1c06d8:/# chmod +x run.sh

The content of run.sh is:

#!/bin/bash
/usr/sbin/sshd -D

Finally, exit the container:

root@2d7c5e1c06d8:/# exit
exit

1.2 Saving the image

Use docker commit to save the container as a new image, sshd:ubuntu:

root@ubuntu:~# docker commit 2d7 sshd:ubuntu
sha256:dd6399386b1600d276389d42922c6e7b294f4506acaf131c1dcf1a7f52d24818

Use docker images to list the images currently available locally:

root@ubuntu:~# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
sshd                ubuntu              dd6399386b16        13 seconds ago      225MB
ubuntu              latest              47b19964fb50        4 weeks ago         88.1MB

1.3 Using the image

Start the container with the port mapping 10022 to 22, where 10022 is the port on the host and 22 is the port the container's SSH service listens on:

root@ubuntu:~# docker run -p 10022:22 -d sshd:ubuntu /run.sh
0fadd9f9f458d7164d4e81beb24fea94b84ae68d483f370216a1710fa2ee274d

Once it has started, the details of the running container are visible on the host:

root@ubuntu:~# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS                   NAMES
0fadd9f9f458        sshd:ubuntu         "/run.sh"           52 seconds ago      Up 50 seconds       0.0.0.0:10022->22/tcp   clever_brattain

From the host or from another machine, log in to the container by connecting over SSH to port 10022:

root@ubuntu:~# ssh 192.168.10.128 -p 10022
The authenticity of host '[192.168.10.128]:10022 ([192.168.10.128]:10022)' can't be established.
ECDSA key fingerprint is SHA256:poSthw3GeJ/cYNmBhBiLk2jeoBSEKNtLlWmDZg9sG2A.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.10.128]:10022' (ECDSA) to the list of known hosts.
root@2d7c5e1c06d8:/#

II. Creating with a Dockerfile

2.1 Creating the working directory

First create a working directory, sshd_ubuntu:

root@ubuntu:/# mkdir sshd_ubuntu

Create the run.sh and Dockerfile files in it:

root@ubuntu:/# cd sshd_ubuntu/
root@ubuntu:/sshd_ubuntu#
root@ubuntu:/sshd_ubuntu#
root@ubuntu:/sshd_ubuntu# touch run.sh
root@ubuntu:/sshd_ubuntu#
root@ubuntu:/sshd_ubuntu# touch Dockerfile
root@ubuntu:/sshd_ubuntu#
root@ubuntu:/sshd_ubuntu# ll
total 8
drwxr-xr-x  2 root root 4096 Mar 11 06:35 ./
drwxr-xr-x 25 root root 4096 Mar 11 06:34 ../
-rw-r--r--  1 root root    0 Mar 11 06:35 Dockerfile
-rw-r--r--  1 root root    0 Mar 11 06:35 run.sh

2.2 Writing the run.sh script and the authorized_keys file

The content of run.sh is:

#!/bin/bash
/usr/sbin/sshd -D

Generate an SSH key pair on the host and create the authorized_keys file (note that authorized_keys must be in the same directory as the Dockerfile, that is, in sshd_ubuntu):

root@ubuntu:/sshd_ubuntu# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:ppCcX7RUD6j/p1L7XgKBb/ZawHoMjGteqpe8Lc/g/NE root@ubuntu
The key's randomart image is:
+---[RSA 2048]----+
|         .o      |
|        .o o     |
|       .+ . .    |
|   . o.= + .     |
|    = ..S B      |
|     o =.B.+     |
|     .*.+oE.+ .  |
|     ==*.ooo.o   |
|    .o*==.o=o    |
+----[SHA256]-----+
root@ubuntu:/sshd_ubuntu#
root@ubuntu:/sshd_ubuntu# cat /root/.ssh/id_rsa.pub > authorized_keys

2.3 Writing the Dockerfile

The content of the Dockerfile is:

# Set the base image
FROM ubuntu:18.04

# Provide some author information
MAINTAINER docker_user (wuychn@163.com)

# Run commands from here on; switch the Ubuntu package sources to the 163 mirror
RUN echo "deb http://mirrors.163.com/ubuntu/ bionic main restricted universe multiverse" > /etc/apt/sources.list
RUN echo "deb http://mirrors.163.com/ubuntu/ bionic-security main restricted universe multiverse" >> /etc/apt/sources.list
RUN echo "deb http://mirrors.163.com/ubuntu/ bionic-updates main restricted universe multiverse" >> /etc/apt/sources.list
RUN echo "deb http://mirrors.163.com/ubuntu/ bionic-proposed main restricted universe multiverse" >> /etc/apt/sources.list
RUN echo "deb http://mirrors.163.com/ubuntu/ bionic-backports main restricted universe multiverse" >> /etc/apt/sources.list
RUN echo "deb-src http://mirrors.163.com/ubuntu/ bionic main restricted universe multiverse" >> /etc/apt/sources.list
RUN echo "deb-src http://mirrors.163.com/ubuntu/ bionic-security main restricted universe multiverse" >> /etc/apt/sources.list
RUN echo "deb-src http://mirrors.163.com/ubuntu/ bionic-updates main restricted universe multiverse" >> /etc/apt/sources.list
RUN echo "deb-src http://mirrors.163.com/ubuntu/ bionic-proposed main restricted universe multiverse" >> /etc/apt/sources.list
RUN echo "deb-src http://mirrors.163.com/ubuntu/ bionic-backports main restricted universe multiverse" >> /etc/apt/sources.list

RUN apt-get update

# Install the SSH service
RUN apt-get install -y openssh-server
RUN mkdir -p /var/run/sshd
RUN mkdir -p /root/.ssh
# Remove the PAM restriction
RUN sed -ri 's/session required pam_loginuid.so/#session required pam_loginuid.so/g' /etc/pam.d/sshd

# Copy the configuration files into place and make the script executable
ADD authorized_keys /root/.ssh/authorized_keys
ADD run.sh /run.sh
RUN chmod 755 /run.sh

# Expose the port
EXPOSE 22

# Set the command run at startup
CMD ["/run.sh"]

2.4 Building the image

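Build the image with docker build. Note the "." at the end of the command: it sets the current directory as the build context, so the Dockerfile in the current directory is used: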

root@ubuntu:/sshd_ubuntu# docker build -t sshd:dockerfile .
Sending build context to Docker daemon   5.12kB
Step 1/26 : FROM ubuntu:18.04
18.04: Pulling from library/ubuntu
898c46f3b1a1: Pull complete
......
Successfully built c85255d043cd
Successfully tagged sshd:dockerfile

When the command finishes, the message "Successfully built XXX" indicates that the image was created successfully. Use docker images to list the images:

root@ubuntu:/sshd_ubuntu# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
sshd                dockerfile          c85255d043cd        10 minutes ago      252MB
ubuntu              18.04               94e814e2efa8        4 days ago          88.9MB

2.5 Running the container

Start the container, mapping the container's port 22 to local port 10122:

root@ubuntu:/sshd_ubuntu# docker run -d -p 10122:22 sshd:dockerfile
cae872b2925be64a030fef01d5d385b8d0a9566310452d0a9166ae3eaa7896f2
root@ubuntu:/sshd_ubuntu#
root@ubuntu:/sshd_ubuntu# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS                   NAMES
cae872b2925b        sshd:dockerfile     "/run.sh"           5 seconds ago       Up 5 seconds        0.0.0.0:10122->22/tcp   heuristic_lederberg

Connect to the container from the host:

root@ubuntu:/sshd_ubuntu# ssh 192.168.10.128 -p 10122
The authenticity of host '[192.168.10.128]:10122 ([192.168.10.128]:10122)' can't be established.
ECDSA key fingerprint is SHA256:Gt3fHLuMaKLUKS/wzjniMqZ8earCZwm5vCqWp8TEhp4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.10.128]:10122' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.4.0-142-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

root@cae872b2925b:~#

The result is the same as with the image created by docker commit.
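
Both build methods above leave SSH key material inside the image: the commit method keeps the private key generated in section 1.1, and in both methods the host keys created when openssh-server was installed are shared by every container started from the image. The script below is an added example (not part of the original article) that checks an unpacked container filesystem for these conditions; the function name, the finding labels and the unpack directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. ROOT is an unpacked image
# filesystem, e.g. from: docker export CONTAINER | tar -x -C ROOT
# Prints one finding per line; exit status 0 means no findings.
audit_ssh_rootfs() (
    root=$1
    findings=0
    report() { p=${2#"$root"}; echo "$1 $p"; findings=$((findings + 1)); }

    # User private keys: section 1.1 runs ssh-keygen inside the container, so
    # id_rsa is committed into the image next to authorized_keys.
    for f in "$root"/root/.ssh/id_* "$root"/home/*/.ssh/id_*; do
        case $f in *.pub) continue ;; esac
        if [ -f "$f" ]; then report PRIVATE_KEY "$f"; fi
    done

    # Host private keys: created when openssh-server is installed, so every
    # container started from the image presents the same host identity.
    for f in "$root"/etc/ssh/ssh_host_*_key; do
        if [ -f "$f" ]; then report BAKED_HOST_KEY "$f"; fi
    done

    # authorized_keys writable by group or others: another account could add keys.
    f=$root/root/.ssh/authorized_keys
    if [ -f "$f" ] && [ -n "$(find "$f" \( -perm -020 -o -perm -002 \))" ]; then
        report WRITABLE_AUTHORIZED_KEYS "$f"
    fi

    # sshd keeps the first value it reads for a keyword and defaults
    # PasswordAuthentication to yes (simplified: Match/Include are ignored).
    f=$root/etc/ssh/sshd_config
    if [ -f "$f" ]; then
        v=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$f")
        if [ "$v" != no ]; then report PASSWORD_AUTH_ENABLED "$f"; fi
    fi

    [ "$findings" -eq 0 ]
)
```

For BAKED_HOST_KEY findings, one remedy is to delete the host keys before saving the image and have run.sh call ssh-keygen -A before starting sshd, so each container generates its own.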
