Chapter 10: Adding an SSH Service to an Image
SSH is short for Secure Shell, a security protocol built on top of the application layer.
SSH is a comparatively reliable protocol designed to secure remote login sessions and other network services.
Using SSH effectively prevents information leakage during remote administration. Users often want to manage a server by logging in remotely, but many Docker images ship without an SSH service, so we have to add one to the container ourselves.
Creating the image with the commit command
Docker provides the docker commit command, which lets a user commit the changes made to a specified container and produce a new image from it. The command format is docker commit CONTAINER [REPOSITORY[:TAG]].
- Preparation
First pull the ubuntu:18.04 image and create a container from it:

```bash
docker pull ubuntu:18.04
docker run --name one -it ubuntu:18.04 /bin/bash
```
- Configuring the package sources
Check the package sources and refresh the package index:

```bash
apt-get update
```

The default official mirror is slow; it can be replaced with a mirror inside China such as 163 or Sohu. Inside the container, create the file /etc/apt/sources.list.d/163.list and add the mirror entries to it.
Reference: the CSDN blog post "Ubuntu apt-get 国内镜像源替换(新手必看,超详细!各种镜像源网站都有)" (a guide to replacing the Ubuntu apt-get sources with Chinese mirrors).
- Installing and configuring the SSH service
Once the sources are updated, the SSH service can be installed. Use the mainstream openssh-server as the server side:

```bash
apt-get install openssh-server
```
For sshd to start correctly, the directory /var/run/sshd must exist. Create it by hand and start the daemon:

```console
root@c16b58f160b4:/# mkdir -p /var/run/sshd
root@c16b58f160b4:/# /usr/sbin/sshd -D &
[1] 4038
```
Check that port 22 inside the container is listening:

```console
root@c16b58f160b4:/# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      4038/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      4038/sshd
root@c16b58f160b4:/#
root@c16b58f160b4:/# apt-get install net-tools
Reading package lists... Done
Building dependency tree
Reading state information... Done
net-tools is already the newest version (1.60+git20161116.90da8a0-1ubuntu1).
0 upgraded, 0 newly installed, 0 to remove and 33 not upgraded.
root@c16b58f160b4:/# netstat -an | grep 22
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
root@c16b58f160b4:/#
```
Adjust the SSH service's login security configuration by removing the PAM loginuid restriction:

```console
root@c16b58f160b4:/# sed -ri 's/session required pam_loginuid.so/#session required pam_loginuid.so/g' /etc/pam.d/sshd
root@c16b58f160b4:/#
```
In root's home directory, create the .ssh directory and copy the public key that will be used to log in (normally the .ssh/id_rsa.pub file in the local user's home directory, which can be generated with ssh-keygen -t rsa) into the authorized_keys file.
First generate the key pair on the host machine:

```powershell
PS C:\Users\fe> ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (C:\Users\fe/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\Users\fe/.ssh/id_rsa
Your public key has been saved in C:\Users\fe/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:4GxS2mEgSMtwl+ikCqLyQxqfGqSjJfdo1z8TvVHnLXw fe@DESKTOP-P6LDAHL
The key's randomart image is:
+---[RSA 3072]----+
|ooo.o. |
|+.+o.. |
| * = |
|+ . B o . . |
|=. o = S. . + . |
|B . o . o + E|
|**o. . . o o |
|o**o. . o . |
|oo.o. ..o |
+----[SHA256]-----+
PS C:\Users\fe>
```
Generate an SSH key pair inside the image as well (note that the passphrase must be the same as on the host), then empty the generated public key file and copy the host's key into it:

```console
root@c16b58f160b4:/# mkdir root/.ssh
root@c16b58f160b4:/# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:ULPTasWZNizIrAaEUIfB1oaSGBKBAHhZ+MqvWvo0YSU root@c16b58f160b4
The key's randomart image is:
+---[RSA 2048]----+
|/O+Oo o |
|O.O.oo o * o |
| +Eo. = + X |
| +.. . * . |
| .o.o S |
| .oo . |
| +. |
| + .. |
|ooo. |
+----[SHA256]-----+
root@c16b58f160b4:/# cd root/.ssh
root@c16b58f160b4:~/.ssh# echo "">authorized_keys
root@c16b58f160b4:~/.ssh# cat authorized_keys

root@c16b58f160b4:~/.ssh# echo "SHA256:IW9kwdcYgPIvqv5h8VF2L5JvDERWYaEJm0U1pXYQsmE fe@DESKTOP-P6LDAHL"
SHA256:IW9kwdcYgPIvqv5h8VF2L5JvDERWYaEJm0U1pXYQsmE fe@DESKTOP-P6LDAHL
root@c16b58f160b4:~/.ssh#
```
Create an executable file run.sh that starts the SSH service automatically, and give it execute permission:

```console
root@c16b58f160b4:/# echo "#! /bin/bash">/run.sh
root@c16b58f160b4:/# echo "/usr/sbin/sshd -D">>/run.sh
root@c16b58f160b4:/# cat run.sh
#! /bin/bash
/usr/sbin/sshd -D
root@c16b58f160b4:/# chmod +x run.sh
root@c16b58f160b4:/# ll *.sh
-rwxr-xr-x 1 root root 31 Dec 8 06:25 run.sh*
root@c16b58f160b4:/#
```

Finally, exit the container.
- Saving the image
Use docker commit to save the container you just exited as a new image:

```powershell
# docker commit <container name or ID> <new image name>
PS C:\Users\fe> docker commit one two
sha256:38c35577d5a096e041f2818ae0c0eaf225d679f35d01a7c7794e76a038150b64
PS C:\Users\fe> docker images
REPOSITORY   TAG       IMAGE ID       CREATED          SIZE
two          latest    38c35577d5a0   47 seconds ago   225MB
debian       latest    6f4986d78878   23 months ago    124MB
fedora       latest    b78af7a83692   2 years ago      153MB
ubuntu       18.04     5a214d77f5d7   2 years ago      63.1MB
centos       7         eeb6ee3f44bd   2 years ago      204MB
PS C:\Users\fe>
```
- Using the image
Start a container with the port mapping 10022->22, where 10022 is the port on the host and 22 is the port the container's SSH service listens on:

```powershell
PS C:\Users\fe> docker run -p 10022:22 -d two /run.sh
c677135d9856b4efaa0efcd74907481367aea1f71110ca98f7f9296623e5c924
PS C:\Users\fe> docker ps
CONTAINER ID   IMAGE          COMMAND       CREATED          STATUS          PORTS                    NAMES
c677135d9856   two            "/run.sh"     8 seconds ago    Up 3 seconds    0.0.0.0:10022->22/tcp    sad_antonelli
c16b58f160b4   ubuntu:18.04   "/bin/bash"   48 minutes ago   Up 48 minutes                            one
PS C:\Users\fe>
```

Connecting from the host to the container
Creating the image with a Dockerfile
- Create a working directory and put a Dockerfile and a run.sh file in it
- Write the run.sh script and the authorized_keys file

```bash
#!/bin/bash
/usr/sbin/sshd -D
```
Generate the SSH key pair on the host and create the authorized_keys file:

```powershell
PS E:\otherCode\studydocker> ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (C:\Users\fe/.ssh/id_rsa): 123456
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in 123456
Your public key has been saved in 123456.pub
The key fingerprint is:
SHA256:715+8zxeH1bgL5+fiv3+kBw/JYHIWG6cjrXfealJNjQ fe@DESKTOP-P6LDAHL
The key's randomart image is:
+---[RSA 3072]----+
| . |
| * o . |
| . O . o |
| = . . o |
| S o E+ o|
| . ..o.B+|
| . o+B==|
| . o= BBB|
| .o..*=O@|
+----[SHA256]-----+
PS E:\otherCode\studydocker> cat ~/.ssh/id_rsa.pub >authorized_keys
PS E:\otherCode\studydocker>
```

This places the generated SSH key pair in the project directory; the resulting files are 123456, 123456.pub and authorized_keys.
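Both the container session earlier (where the key's SHA256 fingerprint is echoed instead of the contents of id_rsa.pub) and the PowerShell step above (where Windows PowerShell 5.1's `>` redirection writes the file as UTF-16LE with a byte-order mark) can produce an authorized_keys file that sshd silently ignores, which shows up as a key login that fails with no visible cause. The checker below is an added example, not code from this page, Docker or OpenSSH; the constructed sample key, the KEY_TYPES list and the function names are this example's own assumptions.

```python
import base64
import hashlib
import struct

# Key types sshd accepts in authorized_keys (a common subset; assumption of this example).
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256")

def make_sample_key() -> str:
    """Constructed sample (not from the page): an ssh-ed25519 public key line
    whose 32 key bytes are a fixed pattern, so the example runs offline."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " fe@DESKTOP-P6LDAHL"

def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint as ssh-keygen prints it: sha256 over the raw key blob,
    base64 without padding. It is derived from the key and cannot stand in for it."""
    blob = base64.b64decode(pubkey_line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def check_authorized_keys(data: bytes) -> list:
    """Return the problems found in an authorized_keys file; [] means it is usable."""
    # Windows PowerShell 5.1 '>' redirection writes UTF-16LE with a BOM; sshd
    # parses the file as bytes and finds no valid key line at all.
    if data[:2] in (b"\xff\xfe", b"\xfe\xff") or b"\x00" in data:
        return ["file is UTF-16 (PowerShell '>' redirection); rewrite it as ASCII/UTF-8"]
    problems = []
    for n, raw in enumerate(data.decode("ascii", "replace").splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(("SHA256:", "MD5:")):
            problems.append(f"line {n}: this is a fingerprint, not a public key")
            continue
        fields = line.split()
        if len(fields) < 2 or fields[0] not in KEY_TYPES:
            problems.append(f"line {n}: malformed line or unsupported key type")
            continue
        try:
            blob = base64.b64decode(fields[1], validate=True)
        except ValueError:
            problems.append(f"line {n}: key blob is not valid base64")
            continue
        # The blob begins with a length-prefixed copy of the key type, which
        # must match the first field or sshd skips the line.
        tlen = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else 0
        if blob[4:4 + tlen] != fields[0].encode():
            problems.append(f"line {n}: key type field does not match the key blob")
    return problems
```

Run it against the authorized_keys you are about to COPY into the image; an empty list is the only result sshd will accept.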
- Write the Dockerfile

```dockerfile
# Base image
FROM ubuntu:18.04
LABEL author="zhonghao"
# Run the build commands; first switch the Ubuntu package sources to the 163 mirror in China
RUN echo "deb http://mirrors.163.com/ubuntu/ bionic main restricted universe multiverse" > /etc/apt/sources.list
RUN echo "deb http://mirrors.163.com/ubuntu/ bionic-security main restricted universe multiverse" >> /etc/apt/sources.list
RUN echo "deb http://mirrors.163.com/ubuntu/ bionic-updates main restricted universe multiverse" >> /etc/apt/sources.list
RUN echo "deb http://mirrors.163.com/ubuntu/ bionic-proposed main restricted universe multiverse" >> /etc/apt/sources.list
RUN echo "deb http://mirrors.163.com/ubuntu/ bionic-backports main restricted universe multiverse" >> /etc/apt/sources.list
RUN apt-get update
# Install the SSH service
RUN apt-get install -y openssh-server
RUN mkdir -p /var/run/sshd
RUN mkdir -p /root/.ssh
# Remove the PAM loginuid restriction
RUN sed -ri 's/session required pam_loginuid.so/#session required pam_loginuid.so/g' /etc/pam.d/sshd
# Copy the configuration files into place and make the script executable
COPY ./authorized_keys /root/.ssh/authorized_keys
COPY ./run.sh /run.sh
RUN chmod 755 /run.sh
# Open the port
EXPOSE 22
# Command to run on start
CMD ["/run.sh"]
```
- Building the image
In the project directory, build the image with docker build. Note the trailing ., which tells Docker to use the Dockerfile in the current directory:

```bash
docker build -t sshtest .
```
When building a custom image from a Dockerfile, note that Docker automatically removes the temporary intermediate layers it creates; also note how each build step corresponds to an instruction in the Dockerfile you wrote.
When the command finishes, Successfully built XXX indicates the image was created.
Check that the image exists locally:

```powershell
PS E:\otherCode\studydocker> docker images
REPOSITORY   TAG       IMAGE ID       CREATED          SIZE
sshtest      latest    34ea5508604c   24 seconds ago   225MB
two          latest    281d86e17a1a   10 days ago      225MB
<none>       <none>    61eaf694493c   10 days ago      225MB
<none>       <none>    38c35577d5a0   10 days ago      225MB
debian       latest    6f4986d78878   24 months ago    124MB
fedora       latest    b78af7a83692   2 years ago      153MB
ubuntu       18.04     5a214d77f5d7   2 years ago      63.1MB
centos       7         eeb6ee3f44bd   2 years ago      204MB
```
- Testing the image by running a container
Run a container from the image just created:

```powershell
PS E:\otherCode\studydocker> docker run -d -p 10002:22 sshtest
ae6c8d1a098fa7370cfd9c5977a57236ffe68e918b2b7be5a13a100efd9775a0
```
- Failed: the connection did not succeed; cause unknown.