Creating a Docker image that runs an SSH service
2019-03-05
平头哥2
1. Creating the image with docker commit
1.1 Configure the SSH service
# list the containers; the work below is done inside the running container data01
[root@langzi01 ~]# docker ps -a
2f5f9417b073 centos "/bin/bash" 3 days ago Up 3 days data01
# update the installed packages (the prompt now ends in the container ID: we are inside the container)
[root@2f5f9417b073 /]# yum update -y
# check for sshd: it is not installed yet
[root@2f5f9417b073 /]# sshd
bash: sshd: command not found
# install the SSH server
[root@2f5f9417b073 /]# yum install -y openssh-server
# create the directory: sshd expects /var/run/sshd to exist before it starts
[root@2f5f9417b073 /]# mkdir /var/run/sshd
# start the service -- it fails because no host keys exist yet
[root@2f5f9417b073 /]# /usr/sbin/sshd -D &
Could not load host key: /etc/ssh/ssh_host_rsa_key
Could not load host key: /etc/ssh/ssh_host_ecdsa_key
Could not load host key: /etc/ssh/ssh_host_ed25519_key
# fix: generate the three host key pairs; -N '' sets the empty passphrase a host key must have, so nothing is prompted
[root@2f5f9417b073 sshd]# ssh-keygen -t rsa -N '' -f /etc/ssh/ssh_host_rsa_key
[root@2f5f9417b073 sshd]# ssh-keygen -t ecdsa -N '' -f /etc/ssh/ssh_host_ecdsa_key
[root@2f5f9417b073 sshd]# ssh-keygen -t ed25519 -N '' -f /etc/ssh/ssh_host_ed25519_key
# start the service again
[root@2f5f9417b073 sshd]# /usr/sbin/sshd
# check that sshd is listening (httpd on port 80 was already running in this container)
[root@2f5f9417b073 sshd]# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 302/sshd
tcp6 0 0 :::80 :::* LISTEN 87/httpd
tcp6 0 0 :::22 :::* LISTEN 302/sshd
# inside the container, create /root/.ssh to hold authorized_keys
[root@2f5f9417b073 ~]# pwd
/root
[root@2f5f9417b073 ~]# mkdir .ssh
# open a second session on the host and look at the host's own key pair; prompts ending in langzi01 are on the host, prompts ending in 2f5f9417b073 are inside the container
[root@langzi01 ~]# cd .ssh/
[root@langzi01 .ssh]# ls
authorized_keys id_rsa id_rsa.pub known_hosts
[root@langzi01 .ssh]# cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3q8E9u60OwMSPTbpLlIyxKVsmICFgTQccnPLXMYFelZQ6KSdXSPCItCWh5rIC0EuOh3J9ykNlqQC0GNoZ27ziom3ezsH0cP9Puqzzp9tqdiMZtLB/UviyRIKARemtuyEM14/PUV+SES4A6K514nJ5g96KEdxb7gl/20TfiYa0Eo+CtABiyIYTz+q/AHh0zAx20qwEPcRWyKsIEurtd+IyopxZmbYzIXX9yDurBks5ROS2Viq64B2nPvB+Yhhc5ehGKCbi52qIMgIXPMQob3fuW6+ProunnAvdFb7+eRlrY3M3QTkC7jdB5ZNGNa0bNTD0amD49ImwCsY1eXzrm5XB root@langzi01
# switch back to the container session
[root@2f5f9417b073 .ssh]# vi authorized_keys
# paste the host's id_rsa.pub line into this file (it must stay on a single line)
# create /run.sh, which runs sshd in the foreground so the container keeps running
[root@2f5f9417b073 .ssh]# vi /run.sh
# contents (shown here with cat from the container started in 1.3):
[root@04c0e6e78f46 ~]# cat /run.sh
#!/bin/bash
/usr/sbin/sshd -D
# make the script executable (docker run in 1.3 invokes it directly and fails with "permission denied" otherwise): chmod 755 /run.sh
# then leave the container shell with exit
1.2 Save the image
[root@langzi01 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2f5f9417b073 centos "/bin/bash" 3 days ago Up 3 days data01
[root@langzi01 ~]# docker commit 2f5 sshd:centos
sha256:08d75e23080972ce9a4494a7b748b081a0286d88a97f9bb453bd88e280749146
[root@langzi01 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
sshd centos 08d75e230809 4 seconds ago 383 MB
1.3 Use the image
[root@langzi01 ~]# docker run -p 10022:22 --name sshd -d sshd:centos /run.sh
04c0e6e78f46652c590b444b211bd76c3526311e3676bd3300c9846f371f6f56
[root@langzi01 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
04c0e6e78f46 sshd:centos "/run.sh" 7 seconds ago Up 5 seconds 0.0.0.0:10022->22/tcp sshd
1.4 SSH login from the host
[root@langzi01 ~]# ssh 172.17.0.1 -p 10022
The authenticity of host '[172.17.0.1]:10022 ([172.17.0.1]:10022)' can't be established.
ECDSA key fingerprint is SHA256:MsHCJMCYdCwMmfC2fJva7hEQV2gQlIwR0py3h9l3iXU.
ECDSA key fingerprint is MD5:05:5d:c3:90:4d:1a:32:35:74:0e:ea:c8:1a:42:60:65.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[172.17.0.1]:10022' (ECDSA) to the list of known hosts.
[root@04c0e6e78f46 ~]# pwd
/root
2. Creating the image with a Dockerfile
2.1 Create a working directory
[root@langzi01 docker]# pwd
/root/docker
[root@langzi01 docker]# mkdir sshd_centos
[root@langzi01 docker]# ls
sshd_centos
[root@langzi01 docker]# cd sshd_centos/
[root@langzi01 sshd_centos]# touch Dockerfile run.sh
[root@langzi01 sshd_centos]# ls
Dockerfile run.sh
2.2 Write the run.sh script and the authorized_keys file
[root@langzi01 sshd_centos]# vim run.sh
#!/bin/bash
/usr/sbin/sshd -D
# generate an SSH key pair on the host and build authorized_keys from its public half:
[root@langzi01 sshd_centos]# ssh-keygen -t rsa
# press Enter at every prompt; if ~/.ssh/id_rsa already exists (it does after section 1), answer n to the overwrite question, otherwise you replace the host's key pair and lose access to everything that trusts the old public key
[root@langzi01 sshd_centos]# cat ~/.ssh/id_rsa.pub > authorized_keys
2.3 Write the Dockerfile
[root@langzi01 sshd_centos]# vim Dockerfile
FROM centos:7.4
LABEL maintainer="docker_user docker_user@email.com"
# install the sshd service
#RUN yum update -y
RUN yum install -y openssh-server
RUN mkdir -p /var/run/sshd
RUN mkdir -p /root/.ssh
# host keys generated at build time are stored in an image layer: every container started from
# this image has the same host identity, and anyone who can pull the image can read the private keys.
# -N '' sets the empty passphrase a host key needs without waiting for a prompt.
RUN ssh-keygen -t rsa -N '' -f /etc/ssh/ssh_host_rsa_key
RUN ssh-keygen -t ecdsa -N '' -f /etc/ssh/ssh_host_ecdsa_key
RUN ssh-keygen -t ed25519 -N '' -f /etc/ssh/ssh_host_ed25519_key
# copy the files into place; COPY is preferred over ADD for local files (ADD also unpacks archives and fetches URLs)
COPY authorized_keys /root/.ssh/authorized_keys
COPY run.sh /run.sh
# sshd's StrictModes ignores an authorized_keys that is group/world writable; 700 and 600 are always accepted
RUN chmod 700 /root/.ssh && chmod 600 /root/.ssh/authorized_keys && chmod 755 /run.sh
# document the listening port (publishing it is still done with -p at run time)
EXPOSE 22
# command run when the container starts
CMD ["/run.sh"]
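The three RUN ssh-keygen lines above put the host private keys into the image itself, so every container started from sshd:centos presents the same identity and anyone holding the image can extract the keys and impersonate the container to a client that has trusted it. The run.sh below is an added example, not the script from the original post: it generates the host keys on the container's first start, fixes the permissions sshd's StrictModes checks, and runs sshd as PID 1. It assumes host keys live in /etc/ssh (mount a volume there if the identity must survive container restarts), that the login user is root with /root/.ssh/authorized_keys, and that the Dockerfile ends with CMD ["/run.sh", "start"]; with it, the RUN ssh-keygen lines are no longer needed. The function names are this example's own.

```shell
#!/bin/sh
# run.sh, added example (not the script from the original post): generate the host keys on the
# container's first start instead of at build time, fix the permissions sshd's StrictModes checks,
# and run sshd in the foreground as PID 1.
# Assumptions: host keys under /etc/ssh (a volume keeps the identity across restarts), login user
# root with /root/.ssh/authorized_keys, Dockerfile ending in CMD ["/run.sh", "start"].

# Create every missing host key in DIR and leave existing ones untouched, so the identity is stable
# for as long as DIR persists. -N '' gives the empty passphrase a host key must have.
ensure_host_keys() {  # $1 = directory holding ssh_host_*_key
    mkdir -p "$1" || return 1
    for t in rsa ecdsa ed25519; do
        key="$1/ssh_host_${t}_key"
        if [ ! -f "$key" ]; then
            ssh-keygen -q -t "$t" -N '' -f "$key" </dev/null || return 1
        fi
        chmod 600 "$key" || return 1
    done
}

# With StrictModes (the default) sshd ignores authorized_keys when ~/.ssh or the file itself is
# writable by group or others; 700 and 600 are the values it always accepts.
fix_auth_perms() {  # $1 = home directory of the login user
    [ -d "$1/.ssh" ] || return 1
    chmod 700 "$1/.ssh" || return 1
    if [ -f "$1/.ssh/authorized_keys" ]; then
        chmod 600 "$1/.ssh/authorized_keys" || return 1
    fi
    return 0
}

# Container entry point. `exec` makes sshd PID 1, so `docker stop` delivers SIGTERM to sshd itself;
# -e sends the log to stderr, where `docker logs` then shows every login attempt.
case "${1:-}" in
    start)
        mkdir -p /var/run/sshd
        ensure_host_keys /etc/ssh || exit 1
        fix_auth_perms /root || exit 1
        # print the fingerprints once, so the client's "can't be established" prompt can be checked against them
        for pub in /etc/ssh/ssh_host_*_key.pub; do ssh-keygen -lf "$pub"; done
        exec /usr/sbin/sshd -D -e
        ;;
esac
```

Because the keys are created at run time, `docker history` and `docker save` of the image no longer reveal a private key, and two containers started from the same image get different identities unless they share the /etc/ssh volume; the fingerprints printed at start are what `docker logs` shows, which is the value to compare with the ssh prompt in 1.4.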
2.4 Build the image
[root@langzi01 sshd_centos]# docker build -t sshd:centos .
2.5 Test the image by running a container
[root@langzi01 sshd_centos]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
sshd centos d5f2887c0d88 17 minutes ago 282 MB
[root@langzi01 sshd_centos]# docker run -d -p 10022:22 sshd:centos
ac104109a2395004cc6c7de97557d806c1bb9a5ac43bb9073a431d8e80c0747f
2.6 Connect to the container
[root@langzi01 .ssh]# ssh 172.17.0.1 -p 10022
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:dnCAPxpfBTT1jt23wblI0OH+Nhzl4ZuQXBLvRPcWcjI.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /root/.ssh/known_hosts:3
ECDSA host key for [172.17.0.1]:10022 has changed and you have requested strict checking.
Host key verification failed.
Why does this happen, and how to get past it?
This is not a bug: host key checking is doing its job. The image built in section 2 generated new host keys in its Dockerfile, so the container now behind port 10022 presents a different ECDSA key from the section 1 container, whose key is recorded on line 3 of /root/.ssh/known_hosts. Before trusting the new key, confirm that the fingerprint in the warning (SHA256:dnCAPx...) is the one this container actually has, by running ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub inside it (docker exec ac10 ...); if the two differ, stop, because something else is answering on that port.
Once confirmed, remove the stale entry:
cd /root/.ssh
vi known_hosts
Find the line for [172.17.0.1]:10022 (the offending entry is the ECDSA key named in the warning, not an ssh-rsa line), delete it, save known_hosts, and reconnect from the host. ssh-keygen -R '[172.17.0.1]:10022' does the same edit without opening the file.
Reconnect
[root@langzi01 .ssh]# ssh 172.17.0.1 -p 10022
The authenticity of host '[172.17.0.1]:10022 ([172.17.0.1]:10022)' can't be established.
ECDSA key fingerprint is SHA256:dnCAPxpfBTT1jt23wblI0OH+Nhzl4ZuQXBLvRPcWcjI.
ECDSA key fingerprint is MD5:cb:c7:cd:f0:26:5a:4c:62:5e:d6:1f:bf:2c:a2:ed:4d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[172.17.0.1]:10022' (ECDSA) to the list of known hosts.
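Both ssh prompts in this post, the first connection in 1.4 and the changed-key warning in 2.6, are answered yes without checking the fingerprint, and the 2.6 fix deletes the known_hosts line by hand. On the Docker host there is a channel to the container that does not cross the network at all: docker exec. The script below is an added example, not the post's own procedure, and it serves both places: it compares the container's public host key, fetched with `docker exec <id> cat /etc/ssh/ssh_host_ecdsa_key.pub`, with the client's known_hosts entry, and forgets the stale entry only after the mismatch is understood. The function names (known_hosts_keys, pubkey_key, hostkey_matches, forget_host) are this example's own, and the key material in the demo consists of constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example (not from the original post): check a container's SSH host key against the client's
# known_hosts before trusting it, and drop a stale entry only once the mismatch is explained.
# The container's public key is read out of band with `docker exec <id> cat /etc/ssh/ssh_host_ecdsa_key.pub`;
# that channel runs on the host, so nobody on the network can substitute the key.
# Limitation: only plain (unhashed) known_hosts entries are handled; with HashKnownHosts yes use
# `ssh-keygen -F` / `ssh-keygen -R` instead.

# Print "keytype base64blob" for each plain entry whose host list contains HOST exactly
# (for a non-default port the form is "[172.17.0.1]:10022"). Comments, hashed entries and
# @cert-authority / @revoked marker lines are skipped.
known_hosts_keys() {  # $1 = known_hosts file, $2 = host pattern
    awk -v host="$2" '
        /^#/ || /^@/ || /^[|]1[|]/ || NF < 3 { next }
        {
            n = split($1, hosts, ",")
            for (i = 1; i <= n; i++) if (hosts[i] == host) { print $2, $3; break }
        }' "$1"
}

# Print "keytype base64blob" from an OpenSSH public key file, dropping the trailing comment.
pubkey_key() {  # $1 = *.pub file
    awk 'NF >= 2 { print $1, $2; exit }' "$1"
}

# 0 = known_hosts already records exactly this key for the host, 1 = different key or no entry,
# 2 = the public key file could not be parsed.
hostkey_matches() {  # $1 = known_hosts, $2 = host pattern, $3 = public key file
    want=$(pubkey_key "$3")
    [ -n "$want" ] || return 2
    known_hosts_keys "$1" "$2" | grep -Fxq -- "$want"
}

# Remove every plain entry for HOST (what `ssh-keygen -R` does for unhashed lines). Run it only
# after hostkey_matches has failed and the new key has been confirmed out of band.
forget_host() {  # $1 = known_hosts, $2 = host pattern
    tmp=$(mktemp) || return 1
    awk -v host="$2" '
        /^#/ || /^@/ || /^[|]1[|]/ || NF < 3 { print; next }
        {
            n = split($1, hosts, ",")
            for (i = 1; i <= n; i++) if (hosts[i] == host) next
            print
        }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# --- constructed demo data: the key blobs are placeholders, not real keys ---
demo=$(mktemp -d)
cat > "$demo/known_hosts" <<'EOF'
# recorded in section 1 when the first container was trusted
[172.17.0.1]:10022 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFIRSTCONTAINER
langzi01,192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIUNRELATEDHOST
EOF
# what `docker exec ac10 cat /etc/ssh/ssh_host_ecdsa_key.pub` would return for the section 2 container
printf '%s\n' 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBSECONDCONTAINER root@ac104109a239' \
    > "$demo/container_ecdsa.pub"

if hostkey_matches "$demo/known_hosts" '[172.17.0.1]:10022' "$demo/container_ecdsa.pub"; then
    echo "known_hosts already trusts the key the container presents"
else
    echo "known_hosts holds a different key for [172.17.0.1]:10022: a new image, or another container on the port"
    forget_host "$demo/known_hosts" '[172.17.0.1]:10022'
    echo "stale entry removed; the next ssh will show a fingerprint to compare with:"
    echo "  docker exec ac10 ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub"
fi
rm -rf "$demo"
```

With the real tools the same check is: `docker exec ac10 ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub` prints the SHA256 fingerprint to compare with the ssh prompt, `ssh-keygen -F '[172.17.0.1]:10022'` shows the stored entry, and `ssh-keygen -R '[172.17.0.1]:10022'` removes it (and also handles hashed entries, which the script above cannot). Disabling the check with StrictHostKeyChecking=no is not a fix: it silently accepts whatever key a man-in-the-middle presents.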