I.
Recently I needed to use nmap in certain scenarios, but the nmap RPM package conflicts with other software on the target machine, so the plan is to deploy nmap with Docker.
The plan in detail:
1. Start from the CentOS base image and, in a networked environment, configure the Aliyun yum repositories and compile and install nmap inside the image.
2. Build several versions of the CentOS image, trimming the resulting image size as far as is reasonable so the image is easy to upload and download.
3. Pick the smallest of those images and test whether it works as expected.
II.
Preparation before building the image
This is mainly the nmap source tarball and the Aliyun yum repository files.
Aliyun yum repository files: both files below are already modified and can be used as-is. Place them in the same directory as the Dockerfile, named CentOS-Base.repo and epel.repo respectively.
```ini
# CentOS-Base.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client. You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#
[base]
name=CentOS-7 - Base - mirrors.aliyun.com
failovermethod=priority
baseurl=http://mirrors.aliyun.com/centos/7/os/$basearch/
        http://mirrors.aliyuncs.com/centos/7/os/$basearch/
        http://mirrors.cloud.aliyuncs.com/centos/7/os/$basearch/
gpgcheck=1
gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-7

#released updates
[updates]
name=CentOS-7 - Updates - mirrors.aliyun.com
failovermethod=priority
baseurl=http://mirrors.aliyun.com/centos/7/updates/$basearch/
        http://mirrors.aliyuncs.com/centos/7/updates/$basearch/
        http://mirrors.cloud.aliyuncs.com/centos/7/updates/$basearch/
gpgcheck=1
gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-7

#additional packages that may be useful
[extras]
name=CentOS-7 - Extras - mirrors.aliyun.com
failovermethod=priority
baseurl=http://mirrors.aliyun.com/centos/7/extras/$basearch/
        http://mirrors.aliyuncs.com/centos/7/extras/$basearch/
        http://mirrors.cloud.aliyuncs.com/centos/7/extras/$basearch/
gpgcheck=1
gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-7

#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-7 - Plus - mirrors.aliyun.com
failovermethod=priority
baseurl=http://mirrors.aliyun.com/centos/7/centosplus/$basearch/
        http://mirrors.aliyuncs.com/centos/7/centosplus/$basearch/
        http://mirrors.cloud.aliyuncs.com/centos/7/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-7

#contrib - packages by Centos Users
[contrib]
name=CentOS-7 - Contrib - mirrors.aliyun.com
failovermethod=priority
baseurl=http://mirrors.aliyun.com/centos/7/contrib/$basearch/
        http://mirrors.aliyuncs.com/centos/7/contrib/$basearch/
        http://mirrors.cloud.aliyuncs.com/centos/7/contrib/$basearch/
gpgcheck=1
enabled=0
gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-7
```
```ini
[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
baseurl=http://mirrors.aliyun.com/epel/7/$basearch
failovermethod=priority
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7

[epel-debuginfo]
name=Extra Packages for Enterprise Linux 7 - $basearch - Debug
baseurl=http://mirrors.aliyun.com/epel/7/$basearch/debug
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
gpgcheck=0

[epel-source]
name=Extra Packages for Enterprise Linux 7 - $basearch - Source
baseurl=http://mirrors.aliyun.com/epel/7/SRPMS
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
gpgcheck=0
```
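One thing to notice in the epel.repo above: the [epel] section is enabled=1 but gpgcheck=0, so any package pulled from it would be installed without RPM signature verification (the Dockerfiles below only install gcc, gcc-c++ and make, which come from the base repositories, but the file is still present in the build stage). The fragment below is an added example, not the file from the original post: it is the same [epel] section with signature checking turned back on. The key URL is an assumption (the root of an EPEL mirror tree normally carries RPM-GPG-KEY-EPEL-7); the file:// key path in the original only exists once epel-release has been installed, which is why it is replaced here.

```ini
[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
baseurl=http://mirrors.aliyun.com/epel/7/$basearch
failovermethod=priority
enabled=1
# Weak setting from the original file, kept for comparison:
#gpgcheck=0
# Hardened: verify RPM signatures against the EPEL 7 key. The key location is an
# assumption about the mirror layout; point it at wherever your mirror keeps the key.
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/epel/RPM-GPG-KEY-EPEL-7
```

With gpgcheck=1, yum refuses to install a package whose signature does not verify against the imported key, which is the property you want when the repository is reached over plain http.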
nmap-7.91 source download: https://nmap.org/dist/nmap-7.91.tar.bz2 ; after downloading, place the tarball in the same directory as the Dockerfile.
III.
First version of the docker build
```dockerfile
FROM centos_vim:latest
COPY CentOS-Base.repo /etc/yum.repos.d/
COPY epel.repo /etc/yum.repos.d/
# ADD unpacks the tarball, giving /root/nmap-7.91/
ADD nmap-7.91.tar.bz2 /root/
# Build, install and clean up in a single RUN so that the source tree and the
# yum cache never end up in a layer of their own.
RUN cd /root/nmap-7.91/ \
    && yum install gcc gcc-c++ make -y \
    && ./configure --prefix=/usr/local/nmap \
    && make && make install && make clean \
    && cd /root/ && rm -rf /root/nmap-7.91 \
    && yum clean all
# Keep the container alive. Exec-form ENTRYPOINT passes each argument literally
# (no shell), so a trailing ";" would become part of the file name.
ENTRYPOINT [ "/usr/bin/tail", "-f", "/etc/yum.repos.d/epel.repo" ]
```
The build command is basically unchanged:
```bash
docker build -t centos-vim-nmap:v2 .
```
Looking at the image size at this point, the image is still fairly large, a little over 400 MB; docker images confirms it:
```bash
[root@k8s-master dockerbuild]# docker history centos-vim-nmap:v2
IMAGE          CREATED          CREATED BY                                        SIZE      COMMENT
cef198ffbf5d   8 hours ago      /bin/sh -c #(nop)  ENTRYPOINT ["/usr/bin/tai...   0B
eba73e85c735   8 hours ago      /bin/sh -c cd /root/nmap-7.91/ &&yum install...   151MB
4af8cec1f126   9 hours ago      /bin/sh -c #(nop)  ADD file:6f98802f7e9d7e895...  52.6MB
d63ddcc9393a   9 hours ago      /bin/sh -c #(nop)  COPY file:d41ffd9b2808e586...  664B
c075338a9174   9 hours ago      /bin/sh -c #(nop)  COPY file:d7d3b8798da7098c...  2.32kB
962cf7473955   3 years ago      /bin/sh -c #(nop)  CMD ["/bin/bash" "-D"]         0B
<missing>      3 years ago      /bin/sh -c #(nop)  EXPOSE 22                      0B
<missing>      3 years ago      /bin/sh -c yum -y install vim net-tools && y...   73.3MB
<missing>      3 years ago      /bin/sh -c #(nop)  MAINTAINER by jesse (jess...   0B
<missing>      8 years ago      /bin/sh -c #(nop)  CMD ["/bin/bash"]              0B
<missing>      8 years ago      /bin/sh -c #(nop)  LABEL license=GPLv2            0B
<missing>      8 years ago      /bin/sh -c #(nop)  LABEL vendor=CentOS            0B
<missing>      8 years ago      /bin/sh -c #(nop)  LABEL name=CentOS Base Im...   0B
<missing>      8 years ago      /bin/sh -c #(nop)  ADD file:b3bdbca0669a03490...  195MB
<missing>      8 years ago      /bin/sh -c #(nop)  MAINTAINER The CentOS Pro...   0B
```
```bash
[root@k8s-master dockerbuild]# docker images |grep centos
centos-vim-nmap   v1        ba4aaefb21f0   8 hours ago     299MB
centos-vim-nmap   v2        cef198ffbf5d   8 hours ago     472MB
centos_vim        v1        69b8e7c0ec9f   28 hours ago    824MB
centos_vim        v         d0f1a760bf9f   28 hours ago    824MB
centos_vim        latest    962cf7473955   3 years ago     268MB
```
Second version of the docker build
This version uses a multi-stage build. The RUN command could actually be simplified (the cleanup steps no longer matter, because the whole build stage is discarded), but that does not change the final image size. The key line is `COPY --from=build /usr/local/nmap /usr/local/nmap`, which copies only the compiled output into the next stage.
```dockerfile
FROM centos_vim:latest AS build
COPY CentOS-Base.repo /etc/yum.repos.d/
COPY epel.repo /etc/yum.repos.d/
ADD nmap-7.91.tar.bz2 /root/
RUN cd /root/nmap-7.91/ \
    && yum install gcc gcc-c++ make -y \
    && ./configure --prefix=/usr/local/nmap \
    && make && make install && make clean \
    && cd /root/ && rm -rf /root/nmap-7.91 \
    && yum clean all

# Final stage: only the installed nmap tree is carried over; the toolchain,
# source tree and yum cache stay behind in the build stage.
FROM centos_vim:latest
COPY --from=build /usr/local/nmap /usr/local/nmap
# The repo files were only copied into the build stage, so follow /dev/null
# (always present) to keep the container alive. Exec form: no trailing ";".
ENTRYPOINT [ "/usr/bin/tail", "-f", "/dev/null" ]
```
Looking at the build history, the image is clearly smaller, only about 300 MB:
```bash
[root@k8s-master dockerbuild]# docker history centos-vim-nmap:v1
IMAGE          CREATED          CREATED BY                                        SIZE      COMMENT
ba4aaefb21f0   8 hours ago      /bin/sh -c #(nop)  ENTRYPOINT ["/usr/bin/tai...   0B
28424c28af89   8 hours ago      /bin/sh -c #(nop)  COPY dir:c798ee1e3e91fcd7d...  31MB
962cf7473955   3 years ago      /bin/sh -c #(nop)  CMD ["/bin/bash" "-D"]         0B
<missing>      3 years ago      /bin/sh -c #(nop)  EXPOSE 22                      0B
<missing>      3 years ago      /bin/sh -c yum -y install vim net-tools && y...   73.3MB
<missing>      3 years ago      /bin/sh -c #(nop)  MAINTAINER by jesse (jess...   0B
<missing>      8 years ago      /bin/sh -c #(nop)  CMD ["/bin/bash"]              0B
<missing>      8 years ago      /bin/sh -c #(nop)  LABEL license=GPLv2            0B
<missing>      8 years ago      /bin/sh -c #(nop)  LABEL vendor=CentOS            0B
<missing>      8 years ago      /bin/sh -c #(nop)  LABEL name=CentOS Base Im...   0B
<missing>      8 years ago      /bin/sh -c #(nop)  ADD file:b3bdbca0669a03490...  195MB
<missing>      8 years ago      /bin/sh -c #(nop)  MAINTAINER The CentOS Pro...   0B
```
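`COPY --from=build /usr/local/nmap /usr/local/nmap` carries over only the files under that prefix. Nothing in the Dockerfile guarantees that every shared library the nmap binary was linked against in the build stage also exists in the final stage; the functional test later in the post shows it worked here, but the check is worth running whenever a compiled binary is moved between stages. The script below is an added example, not code from the original post. It runs ldd on the binary inside a throw-away container and reports every library ldd marks as "not found". The image name and binary path are the ones used in the post; the ldd output used for the offline demonstration is constructed, not captured from the post's image.

```bash
#!/bin/sh
# Added example: confirm that a binary copied between build stages can still resolve
# all of its shared libraries in the final image. ldd prints "<lib> => not found" for
# each dependency that cannot be resolved; collect those names and fail if any exist.

# Read ldd output on stdin, print the names of libraries that could not be resolved.
missing_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Run ldd inside a throw-away container of IMAGE against BINARY and list what is
# missing. --entrypoint overrides the image's "tail -f" keep-alive ENTRYPOINT.
check_image_binary() {
    image=$1
    binary=$2
    docker run --rm --entrypoint /usr/bin/ldd "$image" "$binary" | missing_libs
}

# Constructed ldd output (not taken from the post's image) with one unresolved
# library, so the check can be demonstrated without Docker.
SAMPLE_LDD='    linux-vdso.so.1 =>  (0x00007ffd0a1f0000)
    libssl.so.10 => not found
    libpcap.so.1 => /lib64/libpcap.so.1 (0x00007f3a2c000000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f3a2bc00000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f3a2c400000)'

# Returns 0 when nothing is missing, 1 otherwise, printing the missing names.
sample_check() {
    missing=$(printf '%s\n' "$SAMPLE_LDD" | missing_libs)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Live use once the image exists locally (hypothetical invocation):
#   check_image_binary centos-vim-nmap:v1 /usr/local/nmap/bin/nmap
```

If the live check prints anything, either install the missing runtime packages in the final stage or add the library directories to the COPY --from list; an empty result means the copied binary is self-sufficient on that base image.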
A docker build anti-example
That is: split the RUN commands apart and do no cleanup at all. How big does the image get?
```dockerfile
FROM centos_vim:latest
COPY CentOS-Base.repo /etc/yum.repos.d/
COPY epel.repo /etc/yum.repos.d/
ADD nmap-7.91.tar.bz2 /root/
# Deliberately split: this RUN changes nothing in the filesystem (a cd in its own
# shell), and the build below never removes the source tree or the yum cache.
RUN cd /root/nmap-7.91/
WORKDIR /root/nmap-7.91/
RUN yum install gcc gcc-c++ make -y && ./configure --prefix=/usr/local/nmap && make && make install
# Exec form: arguments are literal, so no trailing ";" in the file name.
ENTRYPOINT [ "/usr/bin/tail", "-f", "/etc/yum.repos.d/epel.repo" ]
```
Build command:
```bash
docker build -t centos-vim-nmap:v3 .
```
Checking the image size in the build history, the estimate is over 800 MB:
```bash
[root@k8s-master dockerbuild]# docker history centos-vim-nmap:v3
IMAGE          CREATED          CREATED BY                                        SIZE      COMMENT
7bd9da6a6834   24 seconds ago   /bin/sh -c #(nop)  ENTRYPOINT ["/usr/bin/tai...   0B
5638397f6bee   24 seconds ago   /bin/sh -c yum install gcc gcc-c++ make -y &...   491MB
cc92fafc4d7f   2 minutes ago    /bin/sh -c #(nop)  WORKDIR /root/nmap-7.91        0B
ae1d0b5fc823   4 minutes ago    /bin/sh -c cd /root/nmap-7.91/                    0B
4af8cec1f126   9 hours ago      /bin/sh -c #(nop)  ADD file:6f98802f7e9d7e895...  52.6MB
d63ddcc9393a   9 hours ago      /bin/sh -c #(nop)  COPY file:d41ffd9b2808e586...  664B
c075338a9174   9 hours ago      /bin/sh -c #(nop)  COPY file:d7d3b8798da7098c...  2.32kB
962cf7473955   3 years ago      /bin/sh -c #(nop)  CMD ["/bin/bash" "-D"]         0B
<missing>      3 years ago      /bin/sh -c #(nop)  EXPOSE 22                      0B
<missing>      3 years ago      /bin/sh -c yum -y install vim net-tools && y...   73.3MB
<missing>      3 years ago      /bin/sh -c #(nop)  MAINTAINER by jesse (jess...   0B
<missing>      8 years ago      /bin/sh -c #(nop)  CMD ["/bin/bash"]              0B
<missing>      8 years ago      /bin/sh -c #(nop)  LABEL license=GPLv2            0B
<missing>      8 years ago      /bin/sh -c #(nop)  LABEL vendor=CentOS            0B
<missing>      8 years ago      /bin/sh -c #(nop)  LABEL name=CentOS Base Im...   0B
<missing>      8 years ago      /bin/sh -c #(nop)  ADD file:b3bdbca0669a03490...  195MB
<missing>      8 years ago      /bin/sh -c #(nop)  MAINTAINER The CentOS Pro...   0B
```
```bash
[root@k8s-master dockerbuild]# docker images |grep centos
centos-vim-nmap   v3        7bd9da6a6834   2 minutes ago   811MB
centos-vim-nmap   v1        ba4aaefb21f0   8 hours ago     299MB
centos-vim-nmap   v2        cef198ffbf5d   8 hours ago     472MB
centos_vim        v1        69b8e7c0ec9f   28 hours ago    824MB
centos_vim        v         d0f1a760bf9f   28 hours ago    824MB
centos_vim        latest    962cf7473955   3 years ago     268MB
```
As you can see, with the RUN commands split apart and no cleanup at all, the built image ends up essentially the same size as an image produced by directly committing a container.
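The three histories above make the point visually, but when comparing builds it helps to total the layer sizes rather than eyeball them. The script below is an added example, not code from the original post: it sums the SIZE column of `docker history` output. Docker prints sizes in SI units (B, kB, MB, GB) and each value is already rounded, so the total is close to, but not exactly, what `docker images` reports (811.9 MB here against the 811MB shown above). The sample input is the set of non-zero rows from the v3 history in this post, embedded so the script runs without Docker.

```bash
#!/bin/sh
# Added example: total the SIZE column of `docker history` to see what the layers of
# an image add up to. Docker prints SI units (B, kB, MB, GB) with rounded values, so
# the result is approximate but fine for comparing one build against another.

# Read `docker history` output on stdin, print the summed layer size in bytes.
# Only rows whose last field looks like a size are counted, which skips the header;
# rows with a non-empty COMMENT column would need the columns split differently.
layer_total_bytes() {
    awk '
        $NF ~ /^[0-9.]+(B|kB|MB|GB)$/ {
            size = $NF
            mult = 1
            if (size ~ /kB$/)      mult = 1000
            else if (size ~ /MB$/) mult = 1000000
            else if (size ~ /GB$/) mult = 1000000000
            sub(/[kMG]?B$/, "", size)
            total += size * mult
        }
        END { printf "%.0f\n", total }
    '
}

# Convert a byte count back to Docker-style MB with one decimal, for reading.
bytes_to_mb() {
    awk -v b="$1" 'BEGIN { printf "%.1fMB\n", b / 1000000 }'
}

# Sample input: the non-zero rows of the v3 `docker history` shown in the post.
V3_HISTORY='IMAGE CREATED CREATED BY SIZE COMMENT
5638397f6bee 24 seconds ago /bin/sh -c yum install gcc gcc-c++ make -y &... 491MB
4af8cec1f126 9 hours ago /bin/sh -c #(nop) ADD file:6f98802f7e9d7e895... 52.6MB
d63ddcc9393a 9 hours ago /bin/sh -c #(nop) COPY file:d41ffd9b2808e586... 664B
c075338a9174 9 hours ago /bin/sh -c #(nop) COPY file:d7d3b8798da7098c... 2.32kB
<missing> 3 years ago /bin/sh -c yum -y install vim net-tools && y... 73.3MB
<missing> 8 years ago /bin/sh -c #(nop) ADD file:b3bdbca0669a03490... 195MB'

# Total for the sample above; live use is: docker history centos-vim-nmap:v3 | layer_total_bytes
v3_total_bytes() {
    printf '%s\n' "$V3_HISTORY" | layer_total_bytes
}

bytes_to_mb "$(v3_total_bytes)"
```

Running the same pipeline against the v2 and v1 histories shows where the difference comes from: the single-stage builds keep the 195MB base layer plus everything yum and the compiler left behind, while the multi-stage image adds only the 31MB copied nmap tree on top of the base.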
IV.
Functional test of nmap
1. Run the image with docker run
```bash
# --entrypoint replaces the image's "tail -f" keep-alive with an interactive shell,
# and -itd keeps that shell running detached so docker exec can be used afterwards.
docker run -itd --name=centos --entrypoint /bin/bash centos-vim-nmap:v1
```
2. Run nmap directly
```bash
[root@k8s-master dockerbuild]# docker exec -it centos /usr/local/nmap/bin/nmap 182.61.244.181
Starting Nmap 7.91 ( https://nmap.org ) at 2025-07-19 13:24 UTC
Nmap scan report for 182.61.244.181
Host is up (0.0096s latency).
Not shown: 997 filtered ports
PORT      STATE SERVICE
80/tcp    open  http
443/tcp   open  https
32768/tcp open  filenet-tms

Nmap done: 1 IP address (1 host up) scanned in 4.87 seconds
```
```bash
[root@k8s-master ~]# docker exec -it centos /usr/local/nmap/bin/nmap -iL /root/ip.txt -sS
Starting Nmap 7.91 ( https://nmap.org ) at 2025-07-19 13:27 UTC
Nmap scan report for 192.168.123.15
Host is up (0.0000040s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
5432/tcp open  postgresql

Nmap done: 1 IP address (1 host up) scanned in 6.71 seconds
```
Note that nmap is scanning outward from inside the container, so there is one extra layer in the data path (the container's network namespace and Docker's bridge); keep this in mind when interpreting latency and port-state results.