很多时候,系统管理员都习惯通过SSH服务来远程登陆管理服务器,但是Docker的很多镜像是不带SSH的,当需要远程登录到容器进行一些操作的时候,就需要SSH的支持了。这里介绍如何自行创建一个带有SSH服务的镜像。
一、基于commit命令创建
Docker的commit命令支持用户提交自己对指定容器的修改并生成新的镜像。该命令的使用方式如下:
root@ubuntu:~# docker commit --help
Usage: docker commit [OPTIONS] CONTAINER [REPOSITORY[:TAG]]
Create a new image from a container's changes
Options:
-a, --author string Author (e.g., "John Hannibal Smith <hannibal@a-team.com>")
-c, --change list Apply Dockerfile instruction to the created image
-m, --message string Commit message
-p, --pause Pause container during commit (default true)
首先下载镜像并启动容器和配置软件源,具体过程可以参考使用Docker安装Ubuntu,这里重点看看如何安装和配置SSH服务。
1.1 安装和配置SSH服务
选择openshh-server作为服务端,安装openssh-server的命令如下:
root@2d7c5e1c06d8:/# apt-get install openssh-server
Reading package lists... Done
Building dependency tree
Reading state information... Done
......
如果要正常启动SSH服务,那么目录/var/run/sshd必须存在,下面手动创建:
root@2d7c5e1c06d8:/# mkdir -p /var/run/sshd
接下来启动SSH服务:
root@2d7c5e1c06d8:/# /usr/sbin/sshd -D &
[1] 657
此时查看容器的22端口,可见此端口已经处于监听状态:
root@2d7c5e1c06d8:/# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 657/sshd
tcp6 0 0 :::22 :::* LISTEN 657/sshd
修改SSH服务的安全配置,取消pam登录限制:
root@2d7c5e1c06d8:/# sed -ri 's/session required pam_loginuid.so/#session required pam_loginuid.so/g' /etc/pam.d/sshd
root@2d7c5e1c06d8:/#
在root用户目录下创建.ssh目录,并复制需要登录的公钥信息到authorized_keys文件中:
root@2d7c5e1c06d8:/# mkdir root/.ssh
root@2d7c5e1c06d8:/#
root@2d7c5e1c06d8:/#
root@2d7c5e1c06d8:/# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:wNq35+CSXxsXsWL2cNx+ZGQe4sucSPnOBdyxMeVlsfI root@a5503782666d
The key's randomart image is:
+---[RSA 2048]----+
| .=|
| . o+|
| o .o *+|
| o . .++=+*|
| . . S =o=+.E+|
| . +.==o+o |
| .o +.o*...|
| o. = +o .. |
| oo o o |
+----[SHA256]-----+
root@2d7c5e1c06d8:/#
root@2d7c5e1c06d8:/# ll root/.ssh/
total 16
drwxr-xr-x 2 root root 4096 Mar 10 12:59 ./
drwx------ 1 root root 4096 Mar 10 12:58 ../
-rw------- 1 root root 1675 Mar 10 12:59 id_rsa
-rw-r--r-- 1 root root 399 Mar 10 12:59 id_rsa.pub
root@2d7c5e1c06d8:/#
root@2d7c5e1c06d8:/# cp root/.ssh/id_rsa.pub root/.ssh/authorized_keys
创建自动启动SSH服务的可执行文件run.sh,并添加可执行权限:
root@2d7c5e1c06d8:/# vi run.sh
root@2d7c5e1c06d8:/# chmod +x run.sh
run.sh脚本内容如下:
#!/bin/bash
/usr/sbin/sshd -D
最后,退出容器:
root@2d7c5e1c06d8:/# exit
exit
1.2 保存镜像
将容器用docker commit命令保存为一个新的sshd:ubuntu镜像:
root@ubuntu:~# docker commit 2d7 sshd:ubuntu
sha256:dd6399386b1600d276389d42922c6e7b294f4506acaf131c1dcf1a7f52d24818
使用docker images查看本地目前的镜像列表:
root@ubuntu:~# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
sshd ubuntu dd6399386b16 13 seconds ago 225MB
ubuntu latest 47b19964fb50 4 weeks ago 88.1MB
1.3 使用镜像
启动容器,并添加端口映射10022~22,其中10022是宿主主机的端口,22是容器SSH服务监听的端口:
root@ubuntu:~# docker run -p 10022:22 -d sshd:ubuntu /run.sh
0fadd9f9f458d7164d4e81beb24fea94b84ae68d483f370216a1710fa2ee274d
启动成功后,可以在宿主机上看到容器运行的详细信息:
root@ubuntu:~# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0fadd9f9f458 sshd:ubuntu "/run.sh" 52 seconds ago Up 50 seconds 0.0.0.0:10022->22/tcp clever_brattain
在宿主主机或其他主机上,可以通过SSH访问10022端口来登录容器:
root@ubuntu:~# ssh 192.168.10.128 -p 10022
The authenticity of host '[192.168.10.128]:10022 ([192.168.10.128]:10022)' can't be established.
ECDSA key fingerprint is SHA256:poSthw3GeJ/cYNmBhBiLk2jeoBSEKNtLlWmDZg9sG2A.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.10.128]:10022' (ECDSA) to the list of known hosts.
root@2d7c5e1c06d8:/#
二、使用Dockerfile创建
2.1 创建工作目录
首先创建一个工作目录sshd_ubuntu:
root@ubuntu:/# mkdir sshd_ubuntu
在其中创建run.sh和Dockerfile文件:
root@ubuntu:/# cd sshd_ubuntu/
root@ubuntu:/sshd_ubuntu#
root@ubuntu:/sshd_ubuntu#
root@ubuntu:/sshd_ubuntu# touch run.sh
root@ubuntu:/sshd_ubuntu#
root@ubuntu:/sshd_ubuntu# touch Dockerfile
root@ubuntu:/sshd_ubuntu#
root@ubuntu:/sshd_ubuntu# ll
total 8
drwxr-xr-x 2 root root 4096 Mar 11 06:35 ./
drwxr-xr-x 25 root root 4096 Mar 11 06:34 ../
-rw-r--r-- 1 root root 0 Mar 11 06:35 Dockerfile
-rw-r--r-- 1 root root 0 Mar 11 06:35 run.sh
2.2 编写run.sh脚本和authorized_keys文件
run.sh脚本内容如下:
#!/bin/bash
/usr/sbin/sshd -D
在宿主主机上生成SSH密钥对,并创建authorized_key文件(注意authorized_keys文件和Dockerfile文件在同一目录,即在sshd_ubuntu目录下):
root@ubuntu:/sshd_ubuntu# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:ppCcX7RUD6j/p1L7XgKBb/ZawHoMjGteqpe8Lc/g/NE root@ubuntu
The key's randomart image is:
+---[RSA 2048]----+
| .o |
| .o o |
| .+ . . |
| . o.= + . |
| = ..S B |
| o =.B.+ |
| .*.+oE.+ . |
| ==*.ooo.o |
| .o*==.o=o |
+----[SHA256]-----+
root@ubuntu:/sshd_ubuntu#
root@ubuntu:/sshd_ubuntu# cat /root/.ssh/id_rsa.pub > authorized_keys
2.3 编写Dockerfile
Dockerfile内容如下:
#设置继承镜像
FROM ubuntu:18.04
#提供一些作者信息
MAINTAINER docker_user (wuychn@163.com)
#下面开始运行命令,此处更改ubuntu的源为163的源
RUN echo "deb http://mirrors.163.com/ubuntu/ bionic main restricted universe multiverse" > /etc/apt/sources.list
RUN echo "deb http://mirrors.163.com/ubuntu/ bionic-security main restricted universe multiverse" >> /etc/apt/sources.list
RUN echo "deb http://mirrors.163.com/ubuntu/ bionic-updates main restricted universe multiverse" >> /etc/apt/sources.list
RUN echo "deb http://mirrors.163.com/ubuntu/ bionic-proposed main restricted universe multiverse" >> /etc/apt/sources.list
RUN echo "deb http://mirrors.163.com/ubuntu/ bionic-backports main restricted universe multiverse" >> /etc/apt/sources.list
RUN echo "deb-src http://mirrors.163.com/ubuntu/ bionic main restricted universe multiverse" >> /etc/apt/sources.list
RUN echo "deb-src http://mirrors.163.com/ubuntu/ bionic-security main restricted universe multiverse" >> /etc/apt/sources.list
RUN echo "deb-src http://mirrors.163.com/ubuntu/ bionic-updates main restricted universe multiverse" >> /etc/apt/sources.list
RUN echo "deb-src http://mirrors.163.com/ubuntu/ bionic-proposed main restricted universe multiverse" >> /etc/apt/sources.list
RUN echo "deb-src http://mirrors.163.com/ubuntu/ bionic-backports main restricted universe multiverse" >> /etc/apt/sources.list
RUN apt-get update
#安装SSH服务
RUN apt-get install -y openssh-server
RUN mkdir -p /var/run/sshd
RUN mkdir -p /root/.ssh
#取消pam限制
RUN sed -ri 's/session required pam_loginuid.so/#session required pam_loginuid.so/g' /etc/pam.d/sshd
#复制配置文件到相应位置,并赋予脚本可执行权限
ADD authorized_keys /root/.ssh/authorized_keys
ADD run.sh /run.sh
RUN chmod 755 /run.sh
#开放端口
EXPOSE 22
#设置自启动命令
CMD ["/run.sh"]
2.4 创建镜像
使用docker build命令来创建镜像,注意命令最后的 “.”,表示使用当前目录中的Dockerfile:
root@ubuntu:/sshd_ubuntu# docker build -t sshd:dockerfile .
Sending build context to Docker daemon 5.12kB
Step 1/26 : FROM ubuntu:18.04
18.04: Pulling from library/ubuntu
898c46f3b1a1: Pull complete
......
Successfully built c85255d043cd
Successfully tagged sshd:dockerfile
命令执行完毕,如果出现“Successfully built XXX”的字样,则说明镜像创建成功。使用docker images命令查看镜像:
root@ubuntu:/sshd_ubuntu# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
sshd dockerfile c85255d043cd 10 minutes ago 252MB
ubuntu 18.04 94e814e2efa8 4 days ago 88.9MB
2.5 运行容器
启动容器,映射容器的22端口到本地的10122端口:
root@ubuntu:/sshd_ubuntu# docker run -d -p 10122:22 sshd:dockerfile
cae872b2925be64a030fef01d5d385b8d0a9566310452d0a9166ae3eaa7896f2
root@ubuntu:/sshd_ubuntu#
root@ubuntu:/sshd_ubuntu# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
cae872b2925b sshd:dockerfile "/run.sh" 5 seconds ago Up 5 seconds 0.0.0.0:10122->22/tcp heuristic_lederberg
在宿主主机中连接到容器:
root@ubuntu:/sshd_ubuntu# ssh 192.168.10.128 -p 10122
The authenticity of host '[192.168.10.128]:10122 ([192.168.10.128]:10122)' can't be established.
ECDSA key fingerprint is SHA256:Gt3fHLuMaKLUKS/wzjniMqZ8earCZwm5vCqWp8TEhp4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.10.128]:10122' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.4.0-142-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
root@cae872b2925b:~#
效果与使用docker commit创建一样。