从centos镜像上创建具备SSH链接的Dockerfile

  1. 创建目录,名字随意

mkdir dockfile

cd dockfile

  1. 创建名字为Dockerfile的文件

touch Dockerfile

  1. 编辑内容如下

    FROM centos
    MAINTAINER liufeng "liuf@geoscene.cn"

    RUN /bin/echo 'root:123456'|chpasswd
    RUN useradd test
    RUN /bin/echo 'test:123456'|chpasswd
    RUN /bin/echo -e "LANG="en_US.UTF-8"" >/etc/default/local

    RUN /usr/bin/sed -i 's/mirrorlist=/#mirrorlist=/g' /etc/yum.repos.d/CentOS-Linux-AppStream.repo
    RUN /usr/bin/sed -i 's/#baseurl=/baseurl=/g' /etc/yum.repos.d/CentOS-Linux-AppStream.repo
    RUN /usr/bin/sed -i 's/mirror.centos.org/vault.centos.org/g' /etc/yum.repos.d/CentOS-Linux-AppStream.repo

    RUN sed -i 's/mirrorlist=/#mirrorlist=/g' /etc/yum.repos.d/CentOS-Linux-BaseOS.repo
    RUN sed -i 's/#baseurl=/baseurl=/g' /etc/yum.repos.d/CentOS-Linux-BaseOS.repo
    RUN sed -i 's/mirror.centos.org/vault.centos.org/g' /etc/yum.repos.d/CentOS-Linux-BaseOS.repo

    RUN sed -i 's/mirrorlist=/#mirrorlist=/g' /etc/yum.repos.d/CentOS-Linux-Extras.repo
    RUN sed -i 's/#baseurl=/baseurl=/g' /etc/yum.repos.d/CentOS-Linux-Extras.repo
    RUN sed -i 's/mirror.centos.org/vault.centos.org/g' /etc/yum.repos.d/CentOS-Linux-Extras.repo

    RUN yum -y install openssh-server net-tools lsof telnet
    RUN sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config

    RUN ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key

    RUN ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key

    RUN ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime

    EXPOSE 22
    EXPOSE 80

    CMD /usr/sbin/sshd -D

  2. 执行docker build -t centos:sshd .

(实际该命令也是读取Dockerfile文件中的内容,发送给docker的服务端进程,然后创建container后,执行里面的各个指令后,使用docker commit后保存镜像,然后再自动删除container)

  1. 查看创建好的镜像

    docker images
    REPOSITORY TAG IMAGE ID CREATED SIZE
    centos sshd bb3f612b4aab 16 minutes ago 277MB

  2. 启动该镜像

    docker run -P -d centos:sshd
    7b9b21f834a7a3f20132c3e5c476299cd19ebf0de7d9d1a86c7933c01bde33bc

  3. 查看container(由于启动使用了-P选项,所以随机选择了端口映射)

    docker ps
    CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
    55e6f83d15ed centos:sshd "/bin/sh -c '/usr/sbâ¦" 39 seconds ago Up 38 seconds 0.0.0.0:32794->22/tcp, 0.0.0.0:32793->80/tcp clever_chatterjee

  4. 从别的机器登录

    C:\Users\admin>ssh root@192.168.100.138 -p 32794
    The authenticity of host '[192.168.100.138]:32794 ([192.168.100.138]:32794)' can't be established.
    RSA key fingerprint is SHA256:CcVVULJGCEJ/hacR1SqQj5RRQ2v+fRrSQPvSj4n7ksA.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '[192.168.100.138]:32794' (RSA) to the list of known hosts.
    root@192.168.100.138's password:
    [root@55e6f83d15ed ~]# ip addr show
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    valid_lft forever preferred_lft forever
    242: eth0@if243: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:11:00:07 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.7/16 brd 172.17.255.255 scope global eth0
    valid_lft forever preferred_lft forever

  5. 原理

docker 使用iptables的nat进行ip和port的转换实现的,而且是在PREROUTING实现的

复制代码
[root@bigdataserver docker]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere            !loopback/8           ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  bogon/16             anywhere
MASQUERADE  all  --  bogon/16             anywhere
MASQUERADE  tcp  --  bogon                bogon                tcp dpt:commplex-main
MASQUERADE  tcp  --  bogon                bogon                tcp dpt:http
MASQUERADE  tcp  --  bogon                bogon                tcp dpt:ssh
MASQUERADE  tcp  --  bogon                bogon                tcp dpt:http
MASQUERADE  tcp  --  bogon                bogon                tcp dpt:ssh

Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
DNAT       tcp  --  anywhere             anywhere             tcp dpt:filenet-nch to:172.17.0.3:5000
DNAT       tcp  --  anywhere             anywhere             tcp dpt:32791 to:172.17.0.6:80
DNAT       tcp  --  anywhere             anywhere             tcp dpt:32792 to:172.17.0.6:22
DNAT       tcp  --  anywhere             anywhere             tcp dpt:32793 to:172.17.0.7:80
DNAT       tcp  --  anywhere             anywhere             tcp dpt:32794 to:172.17.0.7:22

由于iptables的实现是在内核级别,所以虽然能看到docker-proxy进程会listen 32794端口,但是实际上使用strace监听该进程会发现不会有任何的系统调用在上面,并且杀掉该进行也不会影响链接。

相关推荐
岁岁岁平安32 分钟前
CentOS-7-x86_64解决:使用NAT模式无法ping通www.baidu.com或无法ping 8.8.8.8问题。
linux·运维·centos·centos-7
运维小贺44 分钟前
各服务器厂商调整BIOS睿频教程
linux·运维·服务器·性能优化
特种加菲猫1 小时前
指尖上的魔法:优雅高效的Linux命令手册
linux·笔记
★Orange★1 小时前
Linux Kernel kfifo 实现和巧妙设计
linux·运维·算法
bemyrunningdog2 小时前
Mock数据
linux·运维·ubuntu
是阿建吖!2 小时前
【Linux | 网络】网络编程套接字
linux·网络
退役小学生呀2 小时前
十、K8s集群资源合理化分配
linux·云原生·容器·kubernetes·k8s
Winner13003 小时前
Debian、Buildroot 和 Ubuntu 都是基于 Linux 的系统区别
linux·ubuntu·debian
1nullptr3 小时前
UNIX程序设计基本概念和术语
linux
是阿建吖!4 小时前
【Linux | 网络】网络基础
linux·网络