从centos镜像上创建具备SSH链接的Dockerfile

  1. 创建目录,名字随意

mkdir dockfile

cd dockfile

  1. 创建名字为Dockerfile的文件

touch Dockerfile

  1. 编辑内容如下

    FROM centos
    MAINTAINER liufeng "liuf@geoscene.cn"

    RUN /bin/echo 'root:123456'|chpasswd
    RUN useradd test
    RUN /bin/echo 'test:123456'|chpasswd
    RUN /bin/echo -e "LANG="en_US.UTF-8"" >/etc/default/local

    RUN /usr/bin/sed -i 's/mirrorlist=/#mirrorlist=/g' /etc/yum.repos.d/CentOS-Linux-AppStream.repo
    RUN /usr/bin/sed -i 's/#baseurl=/baseurl=/g' /etc/yum.repos.d/CentOS-Linux-AppStream.repo
    RUN /usr/bin/sed -i 's/mirror.centos.org/vault.centos.org/g' /etc/yum.repos.d/CentOS-Linux-AppStream.repo

    RUN sed -i 's/mirrorlist=/#mirrorlist=/g' /etc/yum.repos.d/CentOS-Linux-BaseOS.repo
    RUN sed -i 's/#baseurl=/baseurl=/g' /etc/yum.repos.d/CentOS-Linux-BaseOS.repo
    RUN sed -i 's/mirror.centos.org/vault.centos.org/g' /etc/yum.repos.d/CentOS-Linux-BaseOS.repo

    RUN sed -i 's/mirrorlist=/#mirrorlist=/g' /etc/yum.repos.d/CentOS-Linux-Extras.repo
    RUN sed -i 's/#baseurl=/baseurl=/g' /etc/yum.repos.d/CentOS-Linux-Extras.repo
    RUN sed -i 's/mirror.centos.org/vault.centos.org/g' /etc/yum.repos.d/CentOS-Linux-Extras.repo

    RUN yum -y install openssh-server net-tools lsof telnet
    RUN sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config

    RUN ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key

    RUN ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key

    RUN ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime

    EXPOSE 22
    EXPOSE 80

    CMD /usr/sbin/sshd -D

  2. 执行docker build -t centos:sshd .

(实际该命令也是读取Dockerfile文件中的内容,发送给docker的服务端进程,然后创建container后,执行里面的各个指令后,使用docker commit后保存镜像,然后再自动删除container)

  1. 查看创建好的镜像

    docker images
    REPOSITORY TAG IMAGE ID CREATED SIZE
    centos sshd bb3f612b4aab 16 minutes ago 277MB

  2. 启动该镜像

    docker run -P -d centos:sshd
    7b9b21f834a7a3f20132c3e5c476299cd19ebf0de7d9d1a86c7933c01bde33bc

  3. 查看container(由于启动使用了-P选项,所以随机选择了端口映射)

    docker ps
    CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
    55e6f83d15ed centos:sshd "/bin/sh -c '/usr/sbâ¦" 39 seconds ago Up 38 seconds 0.0.0.0:32794->22/tcp, 0.0.0.0:32793->80/tcp clever_chatterjee

  4. 从别的机器登录

    C:\Users\admin>ssh root@192.168.100.138 -p 32794
    The authenticity of host '[192.168.100.138]:32794 ([192.168.100.138]:32794)' can't be established.
    RSA key fingerprint is SHA256:CcVVULJGCEJ/hacR1SqQj5RRQ2v+fRrSQPvSj4n7ksA.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '[192.168.100.138]:32794' (RSA) to the list of known hosts.
    root@192.168.100.138's password:
    [root@55e6f83d15ed ~]# ip addr show
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    valid_lft forever preferred_lft forever
    242: eth0@if243: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:11:00:07 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.7/16 brd 172.17.255.255 scope global eth0
    valid_lft forever preferred_lft forever

  5. 原理

docker 使用iptables的nat进行ip和port的转换实现的,而且是在PREROUTING实现的

复制代码
[root@bigdataserver docker]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere            !loopback/8           ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  bogon/16             anywhere
MASQUERADE  all  --  bogon/16             anywhere
MASQUERADE  tcp  --  bogon                bogon                tcp dpt:commplex-main
MASQUERADE  tcp  --  bogon                bogon                tcp dpt:http
MASQUERADE  tcp  --  bogon                bogon                tcp dpt:ssh
MASQUERADE  tcp  --  bogon                bogon                tcp dpt:http
MASQUERADE  tcp  --  bogon                bogon                tcp dpt:ssh

Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
DNAT       tcp  --  anywhere             anywhere             tcp dpt:filenet-nch to:172.17.0.3:5000
DNAT       tcp  --  anywhere             anywhere             tcp dpt:32791 to:172.17.0.6:80
DNAT       tcp  --  anywhere             anywhere             tcp dpt:32792 to:172.17.0.6:22
DNAT       tcp  --  anywhere             anywhere             tcp dpt:32793 to:172.17.0.7:80
DNAT       tcp  --  anywhere             anywhere             tcp dpt:32794 to:172.17.0.7:22

由于iptables的实现是在内核级别,所以虽然能看到docker-proxy进程会listen 32794端口,但是实际上使用strace监听该进程会发现不会有任何的系统调用在上面,并且杀掉该进行也不会影响链接。

相关推荐
古希腊数通小白(ip在学)5 分钟前
HCIA实现不同vlan间的通信
linux·服务器·网络
半桔19 分钟前
【Linux手册】从接口到管理:Linux文件系统的核心操作指南
android·java·linux·开发语言·面试·系统架构
禁默27 分钟前
Linux Vim 编辑器详解:从入门到进阶(含图示+插件推荐)
linux·vim·excel
许白掰2 小时前
Linux入门篇学习——Linux 工具之 make 工具和 makefile 文件
linux·运维·服务器·前端·学习·编辑器
longze_76 小时前
Ubuntu连接不上网络问题(Network is unreachable)
linux·服务器·ubuntu
Dirschs6 小时前
【Ubuntu22.04安装ROS Noetic】
linux·ubuntu·ros
qianshanxue116 小时前
ubuntu 操作记录
linux
AmosTian9 小时前
【系统与工具】Linux——Linux简介、安装、简单使用
linux·运维·服务器
这我可不懂11 小时前
Python 项目快速部署到 Linux 服务器基础教程
linux·服务器·python
车车不吃香菇12 小时前
java idea 本地debug linux服务
java·linux·intellij-idea