Dockerfile: building an image you can log in to over ssh
We first build a container that accepts ssh logins by hand, then write a Dockerfile that follows the same steps, use docker build to create an image from that Dockerfile, and finally use the image to start containers that accept ssh logins.
1. Create a container and log in to it
```
[root@localhost ~]# docker images centos
REPOSITORY          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
centos              centos7             ae0c2d0bdc10        4 weeks ago         224 MB
centos              latest              ae0c2d0bdc10        4 weeks ago         224 MB
[root@localhost ~]# docker run -i -t centos:centos7 /bin/bash
[root@5255b18871ae /]#
```
2. Install the ssh server in the container
The centos:centos7 image does not include passwd, openssl or openssh-server, so we install them with yum:
```
[root@5255b18871ae /]# yum install passwd openssl openssh-server -y
```
Set the root password to 123456:
```
[root@5255b18871ae /]# echo '123456' | passwd --stdin root
Changing password for user root.
passwd: all authentication tokens updated successfully.
```
If we start sshd now, it reports errors:
```
Could not load host key: /etc/ssh/ssh_host_rsa_key
Could not load host key: /etc/ssh/ssh_host_ecdsa_key
```
So we first generate /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_ecdsa_key:
```
[root@5255b18871ae /]# ssh-keygen -q -t rsa -b 2048 -f /etc/ssh/ssh_host_rsa_key -N ''
[root@5255b18871ae /]# ssh-keygen -q -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ''
```
Then look up the container's IP address and start the sshd daemon:
```
[root@5255b18871ae /]# ip addr ls eth0
270: eth0: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 02:42:ac:11:00:81 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.129/16 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe11:81/64 scope link
       valid_lft forever preferred_lft forever
[root@5255b18871ae /]# /usr/sbin/sshd -D
```
The container's IP address is 172.17.0.129. From outside the container, ssh to it:
```
[root@localhost ~]# ssh root@172.17.0.129
The authenticity of host '172.17.0.129 (172.17.0.129)' can't be established.
RSA key fingerprint is 81:ab:5d:18:88:73:d2:5b:cf:1b:1a:10:1c:e7:b4:1e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.17.0.129' (RSA) to the list of known hosts.
root@172.17.0.129's password:
Connection to 172.17.0.129 closed.
```
The container closes the connection immediately. The cause is that ssh in the container uses the pam_loginuid.so module, so we turn it off:
```
[root@5255b18871ae /]# sed -i '/^session\s\+required\s\+pam_loginuid.so/s/^/#/' /etc/pam.d/sshd
```
The command above comments out the line "session required pam_loginuid.so" in /etc/pam.d/sshd.
Then restart sshd:
```
[root@5255b18871ae /]# /usr/sbin/sshd -D
```
Try the remote ssh login again:
```
[root@localhost ~]# ssh root@172.17.0.129
root@172.17.0.129's password:
Last login: Tue Dec 2 03:00:07 2014 from 172.17.42.1
[root@5255b18871ae ~]#
```
Login succeeded!
3. Write the Dockerfile
Following the steps above, create a Dockerfile on the docker server with the following content:
```dockerfile
# Set the base image; all later commands build on this image
FROM centos:centos7
# Author information
MAINTAINER Qicheng, http://qicheng0211.blog.51cto.com
# RUN executes a command inside the image specified above
RUN yum install passwd openssl openssh-server -y
RUN echo '123456' | passwd --stdin root
RUN ssh-keygen -q -t rsa -b 2048 -f /etc/ssh/ssh_host_rsa_key -N ''
RUN ssh-keygen -q -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ''
RUN sed -i '/^session\s\+required\s\+pam_loginuid.so/s/^/#/' /etc/pam.d/sshd
RUN mkdir -p /root/.ssh && chown root.root /root && chmod 700 /root/.ssh
# Expose ssh port 22
EXPOSE 22
# Default command when the image is run: print the IP, then start the sshd daemon
CMD ip addr ls eth0 | awk '{print $2}' | egrep -o '([0-9]+\.){3}[0-9]+';/usr/sbin/sshd -D
```
4. Build the image from the Dockerfile
Use docker build to create the image (centos:autosshd) from the Dockerfile:
```
[root@localhost ~]# docker build -t centos:autosshd - < Dockerfile
Sending build context to Docker daemon 2.56 kB
Sending build context to Docker daemon
Step 0 : FROM centos:centos7
 ---> ae0c2d0bdc10
Step 1 : MAINTAINER Qicheng, http://qicheng0211.blog.51cto.com/
 ---> Running in 26c2fddd9156
 ---> 1807df1e23db
Removing intermediate container 26c2fddd9156
Step 2 : RUN yum install passwd openssl openssh-server -y
 ---> Running in e10f052d4263
Loaded plugins: fastestmirror
Determining fastest mirrors
 * base: mirrors.aliyun.com
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
......
Installed:
  openssh-server.x86_64 0:6.4p1-8.el7 openssl.x86_64 1:1.0.1e-34.el7_0.6
  passwd.x86_64 0:0.79-4.el7
Dependency Installed:
  fipscheck.x86_64 0:1.4.1-5.el7 fipscheck-lib.x86_64 0:1.4.1-5.el7
  make.x86_64 1:3.82-21.el7 openssh.x86_64 0:6.4p1-8.el7
  tcp_wrappers-libs.x86_64 0:7.6-77.el7
Complete!
 ---> 20e63694ff20
Removing intermediate container e10f052d4263
Step 3 : RUN echo '123456' | passwd --stdin root
 ---> Running in d0f1b578cc27
Changing password for user root.
passwd: all authentication tokens updated successfully.
 ---> f1b73ad76b66
Removing intermediate container d0f1b578cc27
Step 4 : RUN ssh-keygen -q -t rsa -b 2048 -f /etc/ssh/ssh_host_rsa_key -N ''
 ---> Running in f31b1aa24883
 ---> 647bb8cb3fc9
Removing intermediate container f31b1aa24883
Step 5 : RUN ssh-keygen -q -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ''
 ---> Running in 401c7e2cf34d
 ---> f79b9c8bf108
Removing intermediate container 401c7e2cf34d
Step 6 : RUN sed -i '/^session\s\+required\s\+pam_loginuid.so/s/^/#/' /etc/pam.d/sshd
 ---> Running in 00c28bea761b
 ---> 50f7f29c64a9
Removing intermediate container 00c28bea761b
Step 7 : RUN mkdir -p /root/.ssh && chown root.root /root && chmod 700 /root/.ssh
 ---> Running in a3a94d599b6b
 ---> f91df92e2194
Removing intermediate container a3a94d599b6b
Step 8 : EXPOSE 22
 ---> Running in 28ee83c39a27
 ---> 7a82bca0db6a
Removing intermediate container 28ee83c39a27
Step 9 : CMD ip addr ls eth0 | awk '{print $2}' | egrep -o '([0-9]+\.){3}[0-9]+';/usr/sbin/sshd -D
 ---> Running in 41d58259b402
 ---> bd345297137b
Removing intermediate container 41d58259b402
Successfully built bd345297137b
[root@localhost ~]# docker images centos
REPOSITORY          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
centos              autosshd            bd345297137b        3 minutes ago       300 MB
centos              centos7             ae0c2d0bdc10        4 weeks ago         224 MB
centos              latest              ae0c2d0bdc10        4 weeks ago         224 MB
```
The centos:autosshd image has been created successfully.
Every container created from this image accepts ssh logins. Let's verify:
```
[root@localhost ~]# docker run -d --name=mytest1 centos:autosshd
614c6573b88451b073ee6aa10b8081337f3f2af8e77bf999bd0537173cf8c1fc
[root@localhost ~]# docker logs mytest1
172.17.0.136
[root@localhost ~]# ssh root@172.17.0.136
The authenticity of host '172.17.0.136 (172.17.0.136)' can't be established.
RSA key fingerprint is 35:b2:77:e9:32:ba:74:58:84:66:89:be:1b:78:ec:75.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.17.0.136' (RSA) to the list of known hosts.
root@172.17.0.136's password:
[root@614c6573b884 ~]#
```
ssh login succeeded!
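The Dockerfile in section 3 sets the root password and generates the host keys in RUN steps, so every container started from centos:autosshd shares the password 123456 and the same host private keys. As an added example (not part of the original post), this entrypoint script creates host keys per container at start and allows key-only root login; the AUTHORIZED_KEY variable, the start argument and the root-prefix parameter are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not from the original post. Entrypoint for a key-only variant
# of the image. AUTHORIZED_KEY, the "start" argument and the root-prefix
# parameter (empty in a real container, a temp dir in tests) are assumptions.

# Create host keys on first start, so containers do not all share the private
# keys that a build-time RUN ssh-keygen would bake into the image.
ensure_host_keys() {
    for t in rsa ecdsa; do
        key="$1/etc/ssh/ssh_host_${t}_key"
        [ -f "$key" ] || ssh-keygen -q -t "$t" -f "$key" -N '' || return 1
    done
}

# Install the operator's public key for root with the modes sshd insists on.
install_authorized_key() {
    [ -n "$2" ] || { echo "AUTHORIZED_KEY is empty, refusing to start" >&2; return 1; }
    mkdir -p "$1/root/.ssh" && chmod 700 "$1/root/.ssh" || return 1
    printf '%s\n' "$2" > "$1/root/.ssh/authorized_keys"
    chmod 600 "$1/root/.ssh/authorized_keys"
}

# sshd keeps the first value it reads for each keyword, so write the wanted
# settings at the top and drop any later (or commented) copies.
harden_sshd_config() {
    cfg="$1/etc/ssh/sshd_config"
    {
        # without-password is the spelling understood by the OpenSSH 6.4 in the build log
        printf '%s\n' 'PasswordAuthentication no' \
                      'ChallengeResponseAuthentication no' \
                      'PermitRootLogin without-password'
        grep -Ev '^[[:space:]]*#?[[:space:]]*(PasswordAuthentication|ChallengeResponseAuthentication|PermitRootLogin)([[:space:]]|$)' "$cfg" || true
    } > "$cfg.new" && mv "$cfg.new" "$cfg"
}

main() {
    ensure_host_keys "" && install_authorized_key "" "${AUTHORIZED_KEY:-}" \
        && harden_sshd_config "" && exec /usr/sbin/sshd -D -e
}

# Only act when invoked as: entrypoint.sh start
if [ "${1:-}" = "start" ]; then main; fi
```

To use it, the passwd and ssh-keygen RUN lines are dropped from the Dockerfile, the script is copied into the image and set as the ENTRYPOINT with the argument start, and the public key is passed with docker run -e AUTHORIZED_KEY=...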
This article is reposted from the 51CTO blog of 张斌_青岛. Original link: http://blog.51cto.com/qicheng0211/1585398