从centos镜像上创建具备SSH链接的Dockerfile

1. 创建目录，名字随意

mkdir dockfile

cd dockfile

2. 创建名字为Dockerfile的文件

touch Dockerfile

3. 编辑内容如下

   FROM centos
   MAINTAINER liufeng "liuf@geoscene.cn"

   RUN /bin/echo 'root:123456'|chpasswd
   RUN useradd test
   RUN /bin/echo 'test:123456'|chpasswd
   RUN /bin/echo -e "LANG="en_US.UTF-8"" >/etc/default/local

   RUN /usr/bin/sed -i 's/mirrorlist=/#mirrorlist=/g' /etc/yum.repos.d/CentOS-Linux-AppStream.repo
   RUN /usr/bin/sed -i 's/#baseurl=/baseurl=/g' /etc/yum.repos.d/CentOS-Linux-AppStream.repo
   RUN /usr/bin/sed -i 's/mirror.centos.org/vault.centos.org/g' /etc/yum.repos.d/CentOS-Linux-AppStream.repo

   RUN sed -i 's/mirrorlist=/#mirrorlist=/g' /etc/yum.repos.d/CentOS-Linux-BaseOS.repo
   RUN sed -i 's/#baseurl=/baseurl=/g' /etc/yum.repos.d/CentOS-Linux-BaseOS.repo
   RUN sed -i 's/mirror.centos.org/vault.centos.org/g' /etc/yum.repos.d/CentOS-Linux-BaseOS.repo

   RUN sed -i 's/mirrorlist=/#mirrorlist=/g' /etc/yum.repos.d/CentOS-Linux-Extras.repo
   RUN sed -i 's/#baseurl=/baseurl=/g' /etc/yum.repos.d/CentOS-Linux-Extras.repo
   RUN sed -i 's/mirror.centos.org/vault.centos.org/g' /etc/yum.repos.d/CentOS-Linux-Extras.repo

   RUN yum -y install openssh-server net-tools lsof telnet
   RUN sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config

   RUN ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key

   RUN ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key

   RUN ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime

   EXPOSE 22
   EXPOSE 80

   CMD /usr/sbin/sshd -D

4. 执行docker build -t centos:sshd .

（实际该命令也是读取Dockerfile文件中的内容，发送给docker的服务端进程，然后创建container后，执行里面的各个指令后，使用docker commit后保存镜像，然后再自动删除container）

5. 查看创建好的镜像

   docker images
   REPOSITORY TAG IMAGE ID CREATED SIZE
   centos sshd bb3f612b4aab 16 minutes ago 277MB

6. 启动该镜像

   docker run -P -d centos:sshd
   7b9b21f834a7a3f20132c3e5c476299cd19ebf0de7d9d1a86c7933c01bde33bc

7. 查看container（由于启动使用了-P选项，所以随机选择了端口映射）

   docker ps
   CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
   55e6f83d15ed centos:sshd "/bin/sh -c '/usr/sbâ¦" 39 seconds ago Up 38 seconds 0.0.0.0:32794->22/tcp, 0.0.0.0:32793->80/tcp clever_chatterjee

8. 从别的机器登录

   C:\Users\admin>ssh root@192.168.100.138 -p 32794
   The authenticity of host '[192.168.100.138]:32794 ([192.168.100.138]:32794)' can't be established.
   RSA key fingerprint is SHA256:CcVVULJGCEJ/hacR1SqQj5RRQ2v+fRrSQPvSj4n7ksA.
   Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
   Warning: Permanently added '[192.168.100.138]:32794' (RSA) to the list of known hosts.
   root@192.168.100.138's password:
   [root@55e6f83d15ed ~]# ip addr show
   1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
   link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
   inet 127.0.0.1/8 scope host lo
   valid_lft forever preferred_lft forever
   242: eth0@if243: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
   link/ether 02:42:ac:11:00:07 brd ff:ff:ff:ff:ff:ff link-netnsid 0
   inet 172.17.0.7/16 brd 172.17.255.255 scope global eth0
   valid_lft forever preferred_lft forever

9. 原理

docker 使用iptables的nat进行ip和port的转换实现的，而且是在PREROUTING实现的

[root@bigdataserver docker]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere            !loopback/8           ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  bogon/16             anywhere
MASQUERADE  all  --  bogon/16             anywhere
MASQUERADE  tcp  --  bogon                bogon                tcp dpt:commplex-main
MASQUERADE  tcp  --  bogon                bogon                tcp dpt:http
MASQUERADE  tcp  --  bogon                bogon                tcp dpt:ssh
MASQUERADE  tcp  --  bogon                bogon                tcp dpt:http
MASQUERADE  tcp  --  bogon                bogon                tcp dpt:ssh

Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
DNAT       tcp  --  anywhere             anywhere             tcp dpt:filenet-nch to:172.17.0.3:5000
DNAT       tcp  --  anywhere             anywhere             tcp dpt:32791 to:172.17.0.6:80
DNAT       tcp  --  anywhere             anywhere             tcp dpt:32792 to:172.17.0.6:22
DNAT       tcp  --  anywhere             anywhere             tcp dpt:32793 to:172.17.0.7:80
DNAT       tcp  --  anywhere             anywhere             tcp dpt:32794 to:172.17.0.7:22

由于iptables的实现是在内核级别，所以虽然能看到docker-proxy进程会listen 32794端口，但是实际上使用strace监听该进程会发现不会有任何的系统调用在上面，并且杀掉该进行也不会影响链接。