- 创建目录,名字随意
mkdir dockfile
cd dockfile
- 创建名字为Dockerfile的文件
touch Dockerfile
-
编辑内容如下
FROM centos
MAINTAINER liufeng "liuf@geoscene.cn"RUN /bin/echo 'root:123456'|chpasswd
RUN useradd test
RUN /bin/echo 'test:123456'|chpasswd
RUN /bin/echo -e "LANG="en_US.UTF-8"" >/etc/default/localRUN /usr/bin/sed -i 's/mirrorlist=/#mirrorlist=/g' /etc/yum.repos.d/CentOS-Linux-AppStream.repo
RUN /usr/bin/sed -i 's/#baseurl=/baseurl=/g' /etc/yum.repos.d/CentOS-Linux-AppStream.repo
RUN /usr/bin/sed -i 's/mirror.centos.org/vault.centos.org/g' /etc/yum.repos.d/CentOS-Linux-AppStream.repoRUN sed -i 's/mirrorlist=/#mirrorlist=/g' /etc/yum.repos.d/CentOS-Linux-BaseOS.repo
RUN sed -i 's/#baseurl=/baseurl=/g' /etc/yum.repos.d/CentOS-Linux-BaseOS.repo
RUN sed -i 's/mirror.centos.org/vault.centos.org/g' /etc/yum.repos.d/CentOS-Linux-BaseOS.repoRUN sed -i 's/mirrorlist=/#mirrorlist=/g' /etc/yum.repos.d/CentOS-Linux-Extras.repo
RUN sed -i 's/#baseurl=/baseurl=/g' /etc/yum.repos.d/CentOS-Linux-Extras.repo
RUN sed -i 's/mirror.centos.org/vault.centos.org/g' /etc/yum.repos.d/CentOS-Linux-Extras.repoRUN yum -y install openssh-server net-tools lsof telnet
RUN sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_configRUN ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key
RUN ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
RUN ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
EXPOSE 22
EXPOSE 80CMD /usr/sbin/sshd -D
-
执行docker build -t centos:sshd .
(实际该命令也是读取Dockerfile文件中的内容,发送给docker的服务端进程,然后创建container后,执行里面的各个指令后,使用docker commit后保存镜像,然后再自动删除container)
-
查看创建好的镜像
docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
centos sshd bb3f612b4aab 16 minutes ago 277MB -
启动该镜像
docker run -P -d centos:sshd
7b9b21f834a7a3f20132c3e5c476299cd19ebf0de7d9d1a86c7933c01bde33bc -
查看container(由于启动使用了-P选项,所以随机选择了端口映射)
docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
55e6f83d15ed centos:sshd "/bin/sh -c '/usr/sbâ¦" 39 seconds ago Up 38 seconds 0.0.0.0:32794->22/tcp, 0.0.0.0:32793->80/tcp clever_chatterjee -
从别的机器登录
C:\Users\admin>ssh root@192.168.100.138 -p 32794
The authenticity of host '[192.168.100.138]:32794 ([192.168.100.138]:32794)' can't be established.
RSA key fingerprint is SHA256:CcVVULJGCEJ/hacR1SqQj5RRQ2v+fRrSQPvSj4n7ksA.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.100.138]:32794' (RSA) to the list of known hosts.
root@192.168.100.138's password:
[root@55e6f83d15ed ~]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
242: eth0@if243: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:07 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.7/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever -
原理
docker 使用iptables的nat进行ip和port的转换实现的,而且是在PREROUTING实现的
[root@bigdataserver docker]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere !loopback/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- bogon/16 anywhere
MASQUERADE all -- bogon/16 anywhere
MASQUERADE tcp -- bogon bogon tcp dpt:commplex-main
MASQUERADE tcp -- bogon bogon tcp dpt:http
MASQUERADE tcp -- bogon bogon tcp dpt:ssh
MASQUERADE tcp -- bogon bogon tcp dpt:http
MASQUERADE tcp -- bogon bogon tcp dpt:ssh
Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
DNAT tcp -- anywhere anywhere tcp dpt:filenet-nch to:172.17.0.3:5000
DNAT tcp -- anywhere anywhere tcp dpt:32791 to:172.17.0.6:80
DNAT tcp -- anywhere anywhere tcp dpt:32792 to:172.17.0.6:22
DNAT tcp -- anywhere anywhere tcp dpt:32793 to:172.17.0.7:80
DNAT tcp -- anywhere anywhere tcp dpt:32794 to:172.17.0.7:22
由于iptables的实现是在内核级别,所以虽然能看到docker-proxy进程会listen 32794端口,但是实际上使用strace监听该进程会发现不会有任何的系统调用在上面,并且杀掉该进行也不会影响链接。