Reading Notes: "Docker 技术入门与实践" (Docker Technology: Introduction and Practice): Adding an SSH Service to an Image
Views: 4688
Published: 2019-06-09

Earlier I noted that you can get into a container with the attach and exec commands, but when a scenario calls for logging into a container remotely over SSH, an SSH service has to be added by hand.

Below are two ways to build an image with an SSH service: with the commit command, and with a Dockerfile.

1. Creating the image with the commit command

Docker provides the docker commit command, which lets you commit the changes you made to a container as a new image. Its format is docker commit CONTAINER [REPOSITORY[:TAG]].

The following walks through adding an SSH service to the ubuntu:18.04 image.

1.1 Preparation

First, pull the ubuntu:18.04 image and create a container from it:

$ docker pull ubuntu:18.04
$ docker run -it ubuntu:18.04 bash

1.2 Configuring the package sources

If the official sources are too slow, you can switch to a mirror in China; the Aliyun mirror is used here.

First back up /etc/apt/sources.list, then replace its contents:

root@99c04606894d:/# cp /etc/apt/sources.list /etc/apt/sources.list.bak
root@99c04606894d:/# echo "deb http://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse" > /etc/apt/sources.list
root@99c04606894d:/# echo "deb-src http://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse" >> /etc/apt/sources.list
root@99c04606894d:/# echo "deb http://mirrors.aliyun.com/ubuntu/ bionic-security main restricted universe multiverse" >> /etc/apt/sources.list
root@99c04606894d:/# echo "deb-src http://mirrors.aliyun.com/ubuntu/ bionic-security main restricted universe multiverse" >> /etc/apt/sources.list
root@99c04606894d:/# echo "deb http://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted universe multiverse" >> /etc/apt/sources.list
root@99c04606894d:/# echo "deb-src http://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted universe multiverse" >> /etc/apt/sources.list
root@99c04606894d:/# echo "deb http://mirrors.aliyun.com/ubuntu/ bionic-backports main restricted universe multiverse" >> /etc/apt/sources.list
root@99c04606894d:/# echo "deb-src http://mirrors.aliyun.com/ubuntu/ bionic-backports main restricted universe multiverse" >> /etc/apt/sources.list
root@99c04606894d:/# echo "deb http://mirrors.aliyun.com/ubuntu/ bionic-proposed main restricted universe multiverse" >> /etc/apt/sources.list
root@99c04606894d:/# echo "deb-src http://mirrors.aliyun.com/ubuntu/ bionic-proposed main restricted universe multiverse" >> /etc/apt/sources.list

Update the package index:

root@99c04606894d:/# apt-get update

1.3 Installing and configuring the SSH service

Install openssh-server:

root@99c04606894d:/# apt install openssh-server

For the service to start, the directory /var/run/sshd must exist:

root@99c04606894d:/# mkdir -p /var/run/sshd

Start the service in the background:

root@99c04606894d:/# /usr/sbin/sshd -D &

To check with netstat that the SSH service is listening on port 22, the command turns out to be missing, so the package that provides it has to be installed first. apt-file shows which package that is (the apt-file update step must not be skipped):

root@99c04606894d:/# apt-get install apt-file
root@99c04606894d:/# apt-file update
root@99c04606894d:/# apt-file search /bin/netstat
net-tools: /bin/netstat
netstat-nat: /usr/bin/netstat-nat

The package needed is net-tools. Install it and check the port:

root@99c04606894d:/# apt-get install net-tools
root@99c04606894d:/# netstat -an | grep :22
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN

Adjust the SSH service's PAM login configuration by commenting out the pam_loginuid restriction, which does not work inside a container:

root@99c04606894d:/# sed -ri 's/session  required  pam_loginuid.so/#session  required  pam_loginuid.so/g' /etc/pam.d/sshd

Create the .ssh directory in the container root user's home directory and copy the public key that will be used to log in (normally the host user's ~/.ssh/id_rsa.pub, which can be generated with ssh-keygen -t rsa) into the authorized_keys file:

root@99c04606894d:/# mkdir /root/.ssh
root@99c04606894d:/# vi /root/.ssh/authorized_keys

If the vi command is not available, install vim with apt-get install vim.

Create the executable file run.sh that starts the SSH service automatically, and give it execute permission:

root@99c04606894d:/# touch /run.sh
root@99c04606894d:/# chmod +x /run.sh
root@99c04606894d:/# vi /run.sh

The contents of /run.sh:

#!/bin/bash
/usr/sbin/sshd -D

Finally, exit the container:

root@ce21cd862b7e:/# exit

1.4 Saving the image

List the containers:

$ docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS                     PORTS               NAMES
99c04606894d        ubuntu:18.04        "bash"              About an hour ago   Exited (0) 9 seconds ago                       elegant_mendeleev

Create the new image sshd:ubuntu:

$ docker commit 99c04606894d sshd:ubuntu
sha256:275da5f9600434f238c2d455a8fd103e0c55ad5c6113d2739a56839985832363

List the images:

$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
sshd                ubuntu              275da5f96004        7 seconds ago       494MB

1.5 Using the image

Start a container, mapping host port 10022 to container port 22:

$ docker run -p 10022:22 -d sshd:ubuntu /run.sh
ce21cd862b7edc64c0cd3853dc4a7c2fffe977a21254cd4b866748dac516b371

List the running containers:

$ docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS                   NAMES
ce21cd862b7e        sshd:ubuntu         "/run.sh"           4 seconds ago       Up 2 seconds        0.0.0.0:10022->22/tcp   fervent_jennings

Log into the container; no password is required:

$ ssh root@192.168.121.121 -p 10022
The authenticity of host '[192.168.121.121]:10022 ([192.168.121.121]:10022)' can't be established.
ECDSA key fingerprint is SHA256:a5DBqdYJ+WuBgJh5GhRb/fXgrtZcgDpL0dzZZqzKy88.
ECDSA key fingerprint is MD5:e2:d3:99:0b:d4:ce:9e:ea:f2:4b:18:d9:25:8d:08:fe.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.121.121]:10022' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 3.10.0-693.el7.x86_64 x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

root@18ff1392f000:~#

2. Creating the image with a Dockerfile

2.1 Creating the working directory

First, create a working directory named sshd_ubuntu:

$ mkdir sshd_ubuntu

Create the Dockerfile and run.sh:

$ cd sshd_ubuntu/
$ touch Dockerfile run.sh
$ vi run.sh

The contents of run.sh:

#!/bin/bash
/usr/sbin/sshd -D

2.2 Writing the authorized_keys file

Generate an SSH key pair on the host and create the authorized_keys file from the public key:

$ ssh-keygen -t rsa
$ cat ~/.ssh/id_rsa.pub > authorized_keys

2.3 Writing the Dockerfile

$ vi Dockerfile

# Base image
FROM ubuntu:18.04
# Author information
MAINTAINER xiaozhou (xiaozhou@docker.com)
# Run commands; first switch the Ubuntu sources to the Aliyun mirror in China
RUN echo "deb http://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse" > /etc/apt/sources.list
RUN echo "deb-src http://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse" >> /etc/apt/sources.list
RUN echo "deb http://mirrors.aliyun.com/ubuntu/ bionic-security main restricted universe multiverse" >> /etc/apt/sources.list
RUN echo "deb-src http://mirrors.aliyun.com/ubuntu/ bionic-security main restricted universe multiverse" >> /etc/apt/sources.list
RUN echo "deb http://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted universe multiverse" >> /etc/apt/sources.list
RUN echo "deb-src http://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted universe multiverse" >> /etc/apt/sources.list
RUN echo "deb http://mirrors.aliyun.com/ubuntu/ bionic-backports main restricted universe multiverse" >> /etc/apt/sources.list
RUN echo "deb-src http://mirrors.aliyun.com/ubuntu/ bionic-backports main restricted universe multiverse" >> /etc/apt/sources.list
RUN echo "deb http://mirrors.aliyun.com/ubuntu/ bionic-proposed main restricted universe multiverse" >> /etc/apt/sources.list
RUN echo "deb-src http://mirrors.aliyun.com/ubuntu/ bionic-proposed main restricted universe multiverse" >> /etc/apt/sources.list
RUN apt-get update
# Install the SSH service
RUN apt-get install -y openssh-server
RUN mkdir -p /var/run/sshd
RUN mkdir -p /root/.ssh
RUN sed -ri 's/session  required  pam_loginuid.so/#session  required  pam_loginuid.so/g' /etc/pam.d/sshd
# Copy the configuration files into place and make the script executable
ADD authorized_keys /root/.ssh/authorized_keys
ADD run.sh /run.sh
RUN chmod 755 /run.sh
# Expose the port
EXPOSE 22
# Set the startup command
CMD ["/run.sh"]
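A hardened alternative to the two-line run.sh above, as an added example that is not part of the book or the original post: it starts sshd the same way (foreground, -D) but forces key-only authentication with -o overrides and refuses to start when no public key was baked into the image. The paths (/var/run/sshd, /root/.ssh/authorized_keys, /usr/sbin/sshd) are the Ubuntu defaults the page uses; the guard on $0 at the end is an assumption so the functions can be exercised without actually starting sshd.

```shell
#!/bin/sh
# Added example, not the book's or the original post's run.sh: the same
# foreground sshd start, but with key-only login enforced on the command
# line. Each -o overrides /etc/ssh/sshd_config, so the hardening holds even
# if the file inside the image is edited later. Paths assume Ubuntu defaults.

# sshd needs this directory for its privilege-separation socket (the page
# creates it with mkdir -p at build time; recreate it in case /var/run is
# an empty tmpfs when the container starts).
prepare_runtime_dir() {
    mkdir -p "$1" && chmod 755 "$1"
}

# One sshd argument per output line, so callers can word-split on newlines.
build_sshd_args() {
    printf '%s\n' \
        -D -e \
        -o PasswordAuthentication=no \
        -o ChallengeResponseAuthentication=no \
        -o PermitEmptyPasswords=no \
        -o PermitRootLogin=prohibit-password \
        -o X11Forwarding=no
}

# With passwords disabled, an image without a usable public key would be
# unreachable, so refuse to start rather than run an unusable sshd.
authorized_keys_present() {
    f="${1:-/root/.ssh/authorized_keys}"
    [ -s "$f" ] &&
        grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) ' "$f"
}

main() {
    prepare_runtime_dir /var/run/sshd
    if ! authorized_keys_present; then
        echo "run.sh: no public key in /root/.ssh/authorized_keys, not starting sshd" >&2
        exit 1
    fi
    # -D keeps sshd in the foreground as the container's main process and
    # exec makes it PID 1, so `docker stop` signals sshd directly.
    exec /usr/sbin/sshd $(build_sshd_args)
}

# Only run when invoked as the container entrypoint (/run.sh); when sourced
# under another name the functions stay available for testing (assumption).
case "$0" in
    */run.sh|run.sh) main "$@" ;;
esac
```

If the SSH service is only needed from the host itself, publish the port on the loopback interface (-p 127.0.0.1:10022:22) rather than on all interfaces as in the docker run commands above.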

2.4 Building the image

$ docker build -t sshd:dockerfile .

List the new image:

$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
sshd                dockerfile          828c78d68a36        9 seconds ago       231MB
ubuntu              18.04               4c108a37151f        4 weeks ago         64.2MB

2.5 Running the container

$ docker run -d -p 10022:22 sshd:dockerfile
b45d884c2cbb591fe97a34064c2b9ee09ffedf1cff22e992df0c582a99da2011

List the new container:

$ docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS                   NAMES
b45d884c2cbb        sshd:dockerfile     "/run.sh"           3 seconds ago       Up 2 seconds        0.0.0.0:10022->22/tcp   lucid_brown

Log into the container:

$ ssh root@192.168.121.121 -p 10022
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 3.10.0-693.el7.x86_64 x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

root@b45d884c2cbb:~#

If you do not want root to log into the container directly without a password, comment out the ADD authorized_keys /root/.ssh/authorized_keys step and use the following commands instead, which create a regular account with a password and set the root password:

RUN useradd dkuser
RUN echo "dkuser:123456" | chpasswd
RUN echo "root:123456" | chpasswd

That way the container can only be logged into as the regular user dkuser, and you switch to root from there.
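Passwords set with RUN lines like the three above are stored in plain text in the image layer and are printed by docker history, so anyone who can pull the image can read them. The following audit, an added example that is not from the book or the original post, flags such lines in a Dockerfile before it is built; it assumes the one-instruction-per-line layout used above, and it also flags ARG/ENV names that look like secrets, which the page does not use.

```shell
#!/bin/sh
# Added example (not from the book or the original post). Passwords set
# with `RUN echo "user:pw" | chpasswd` are stored verbatim in the image
# layer and shown by `docker history`, so treat them as published.
# Assumption: one Dockerfile instruction per line, as in the Dockerfile
# above (no backslash continuations).

# Print "lineno:text" for each instruction that bakes a credential into a
# layer: a literal piped into chpasswd, usermod -p/--password with an
# inline hash, or an ARG/ENV whose name looks like a secret.
baked_credential_lines() {
    grep -nE \
        '^[[:space:]]*(RUN[[:space:]].*([|][[:space:]]*chpasswd|usermod[[:space:]].*(-p|--password)[[:space:]])|(ARG|ENV)[[:space:]]+[A-Za-z_]*(PASSWORD|PASSWD|SECRET|TOKEN))' \
        "$1" || true
}

# Number of offending lines (prints 0 when the Dockerfile is clean).
count_baked_credentials() {
    baked_credential_lines "$1" | grep -c . || true
}

# Exit status 0 when clean, 1 when something would leak, with a report on
# stderr. Suitable as a CI step that runs before `docker build`.
audit_baked_credentials() {
    hits=$(baked_credential_lines "$1")
    [ -z "$hits" ] && return 0
    printf '%s: credentials baked into an image layer (visible in docker history):\n%s\n' \
        "$1" "$hits" >&2
    printf 'Keep key-only login (authorized_keys), or set passwords at container start from a runtime secret.\n' >&2
    return 1
}

# Usage: sh audit_dockerfile.sh Dockerfile
if [ $# -gt 0 ]; then
    audit_baked_credentials "$1"
fi
```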

Reposted from: https://www.cnblogs.com/xiaoxiaozhou/p/11239548.html
