之前说到可以通过attach和exec两个命令登陆容器,但是如果遇到需要远程通过ssh登陆容器的场景,就需要手动添加ssh服务。
下面介绍两种方法创建带有ssh服务的镜像,commit命令创建和通过Dockerfile创建。
一、通过commit命令创建镜像
docker提供了docker commit 命令,支持用户提交自己对容器的修改,并生成新的镜像。命令格式为 docker commit CONTAINER [REPOSITORY [:TAG] ]。
下面是如何为 ubuntu:18.04 镜像添加SSH服务的过程。
1.1、准备工作
首先,获取 ubuntu18:04 镜像,并创建一个容器
$ docker pull ubuntu:18.04$ docker run -it ubuntu:18.04 bash
1.2、配置软件源
如果嫌官方源速度慢可以替换为国内源,这里以阿里源为例
首先备份文件 /etc/apt/sources.list ,然后替换其中内容。
root@99c04606894d:/# cp /etc/apt/sources.list /etc/apt/sources.list.bakroot@99c04606894d:/# echo "deb http://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse" > /etc/apt/sources.listroot@99c04606894d:/# echo "deb-src http://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse" >> /etc/apt/sources.listroot@99c04606894d:/# echo "deb http://mirrors.aliyun.com/ubuntu/ bionic-security main restricted universe multiverse" >> /etc/apt/sources.listroot@99c04606894d:/# echo "deb-src http://mirrors.aliyun.com/ubuntu/ bionic-security main restricted universe multiverse" >> /etc/apt/sources.listroot@99c04606894d:/# echo "deb http://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted universe multiverse" >> /etc/apt/sources.listroot@99c04606894d:/# echo "deb-src http://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted universe multiverse" >> /etc/apt/sources.listroot@99c04606894d:/# echo "deb http://mirrors.aliyun.com/ubuntu/ bionic-backports main restricted universe multiverse" >> /etc/apt/sources.listroot@99c04606894d:/# echo "deb-src http://mirrors.aliyun.com/ubuntu/ bionic-backports main restricted universe multiverse" >> /etc/apt/sources.listroot@99c04606894d:/# echo "deb http://mirrors.aliyun.com/ubuntu/ bionic-proposed main restricted universe multiverse" >> /etc/apt/sources.listroot@99c04606894d:/# echo "deb-src http://mirrors.aliyun.com/ubuntu/ bionic-proposed main restricted universe multiverse" >> /etc/apt/sources.list
更新软件源信息
root@99c04606894d:/# apt-get update
1.3、安装和配置SSH服务
安装openssh-server
root@99c04606894d:/# apt install openssh-server
为了服务正常启动,需要创建目录/var/run/sshd
root@99c04606894d:/# mkdir -p /var/run/sshd
后台启动服务:
root@99c04606894d:/# /usr/sbin/sshd -D &
想要使用netstat查看ssh服务所占用22端口,但是发现没有命令,则需要首先安装所需软件,使用apt-file查看需要安装的软件。
root@99c04606894d:/# apt-get install apt-file 下面这一步一定要做root@99c04606894d:/# apt-file updateroot@99c04606894d:/# apt-file search /bin/netstat net-tools: /bin/netstatnetstat-nat: /usr/bin/netstat-nat
可以看到需要安装的软件包 net-tools,安装软件包并查看端口:
root@99c04606894d:/# apt-get install net-toolsroot@99c04606894d:/# netstat -an | grep :22
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN tcp6 0 0 :::22 :::* LISTEN
修改SSH服务的安全登陆配置,取消pam登陆限制:
root@99c04606894d:/# sed -ri 's/session required pam_loginuid.so/#session required pam_loginuid.so/g' /etc/pam.d/sshd
在容器root用户家目录下创建.ssh目录,并复制需要登陆的公钥信息(一般为宿主机用户家目录 .ssh/id_rsa.pub 文件,可以用 ssh-keygen -t rsa 命令生成) 到 authorized_keys 文件中:
root@99c04606894d:/# mkdir root/.ssh
root@99c04606894d:/# vi /root/.ssh/authorized_keys
如果没有 vi 命令,可以安装vim工具,apt-get install vim
创建自动启动SSH服务的可执行文件 run.sh,并添加可执行权限
root@99c04606894d:/# touch /run.shroot@99c04606894d:/# chmod +x /run.shroot@99c04606894d:/# vi /run.sh #!/bin/bash/usr/sbin/sshd -D
最后,退出容器:
root@ce21cd862b7e:/# exit
1.4、保存镜像
查看容器
$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES99c04606894d ubuntu:18.04 "bash" About an hour ago Exited (0) 9 seconds ago elegant_mendeleev
生成新的镜像 sshd:ubuntu
$ docker commit 99c04606894d sshd:ubuntusha256:275da5f9600434f238c2d455a8fd103e0c55ad5c6113d2739a56839985832363
查看镜像
$ docker imagesREPOSITORY TAG IMAGE ID CREATED SIZEsshd ubuntu 275da5f96004 7 seconds ago 494MB
1.5、使用镜像
启动容器,并映射宿主机 10022 端口到 容器 22 端口:
$ docker run -p 10022:22 -d sshd:ubuntu /run.shce21cd862b7edc64c0cd3853dc4a7c2fffe977a21254cd4b866748dac516b371
查看容器
$ docker psCONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMESce21cd862b7e sshd:ubuntu "/run.sh" 4 seconds ago Up 2 seconds 0.0.0.0:10022->22/tcp fervent_jennings
登陆容器,不需要输入密码即可登陆
$ ssh root@192.168.121.121 -p 10022
The authenticity of host '[192.168.121.121]:10022 ([192.168.121.121]:10022)' can't be established.ECDSA key fingerprint is SHA256:a5DBqdYJ+WuBgJh5GhRb/fXgrtZcgDpL0dzZZqzKy88.ECDSA key fingerprint is MD5:e2:d3:99:0b:d4:ce:9e:ea:f2:4b:18:d9:25:8d:08:fe.Are you sure you want to continue connecting (yes/no)? yesWarning: Permanently added '[192.168.121.121]:10022' (ECDSA) to the list of known hosts.Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 3.10.0-693.el7.x86_64 x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantageThis system has been minimized by removing packages and content that arenot required on a system that users do not log into.To restore this content, you can run the 'unminimize' command.The programs included with the Ubuntu system are free software;the exact distribution terms for each program are described in theindividual files in /usr/share/doc/*/copyright.Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted byapplicable law.root@18ff1392f000:~#
二、使用Dockerfile创建
2.1、创建工作目录
首先,创建一个 sshd_ubuntu 工作目录
$ mkdir sshd_ubuntu
创建 Dockerfile 和 run.sh
$ cd sshd_ubuntu/$ touch Dockerfile run.sh$ vi run.sh #!/bin/bash/usr/sbin/sshd -D
2.2、编写 authorized_keys 文件
在宿主机上生成 SSH 密钥对,并创建 authorized_keys 文件:
$ ssh-keygen -t rsa$ cat ~/.ssh/id_rsa.pub >authorized_keys
2.3、编写 Dockerfile
$ vi Dockerfile
# 设置继承镜像FROM ubuntu:18.04# 提供一些作者的信息MAINTAINER xiaozhou (xiaozhou@docker.com)# 下面开始运行命令,此处更改 ubuntu 的源为国内阿里的源RUN echo "deb http://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse" > /etc/apt/sources.listRUN echo "deb-src http://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse" >> /etc/apt/sources.listRUN echo "deb http://mirrors.aliyun.com/ubuntu/ bionic-security main restricted universe multiverse" >> /etc/apt/sources.listRUN echo "deb-src http://mirrors.aliyun.com/ubuntu/ bionic-security main restricted universe multiverse" >> /etc/apt/sources.listRUN echo "deb http://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted universe multiverse" >> /etc/apt/sources.listRUN echo "deb-src http://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted universe multiverse" >> /etc/apt/sources.listRUN echo "deb http://mirrors.aliyun.com/ubuntu/ bionic-backports main restricted universe multiverse" >> /etc/apt/sources.listRUN echo "deb-src http://mirrors.aliyun.com/ubuntu/ bionic-backports main restricted universe multiverse" >> /etc/apt/sources.listRUN echo "deb http://mirrors.aliyun.com/ubuntu/ bionic-proposed main restricted universe multiverse" /etc/apt/sources.listRUN echo "deb-src http://mirrors.aliyun.com/ubuntu/ bionic-proposed main restricted universe multiverse" >> /etc/apt/sources.listRUN apt-get update# 安装ssh服务RUN apt-get install -y openssh-serverRUN mkdir -p /var/run/sshdRUN mkdir -p /root/.sshRUN sed -ri 's/session required pam_loginuid.so/#session required pam_loginuid.so/g' /etc/pam.d/sshd# 复制配置文件到相应位置,并赋予脚本可执行权限ADD authorized_keys /root/.ssh/authorized_keysADD run.sh /run.shRUN chmod 755 /run.sh# 开放端口EXPOSE 22 # 设置自启动命令CMD ["/run.sh"]
2.4、创建镜像
$ docker build -t sshd:dockerfile .
查看创建的镜像
$ docker imagesREPOSITORY TAG IMAGE ID CREATED SIZEsshd dockerfile 828c78d68a36 9 seconds ago 231MBubuntu 18.04 4c108a37151f 4 weeks ago 64.2MB
2.5、运行容器
$ docker run -d -p 10022:22 sshd:dockerfileb45d884c2cbb591fe97a34064c2b9ee09ffedf1cff22e992df0c582a99da2011
查看创建的容器
$ docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMESb45d884c2cbb sshd:dockerfile "/run.sh" 3 seconds ago Up 2 seconds 0.0.0.0:10022->22/tcp lucid_brown
登陆容器
$ ssh root@192.168.121.121 -p 10022Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 3.10.0-693.el7.x86_64 x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantageThis system has been minimized by removing packages and content that arenot required on a system that users do not log into.To restore this content, you can run the 'unminimize' command.The programs included with the Ubuntu system are free software;the exact distribution terms for each program are described in theindividual files in /usr/share/doc/*/copyright.Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted byapplicable law.root@b45d884c2cbb:~#
如果不让root直接无密码登陆容器,可以注释 ADD authorized_keys /root/.ssh/authorized_keys 这一步,使用下面命令代替,创建普通账户并设置密码,设置root密码
RUN useradd dkuserRUN echo "dkuser:123456" | chpasswdRUN echo "root:123456" | chpasswd这样的话就只能通过普通账户dkuser登陆容器,然后再转到root用户。