• Creating an image that runs an SSH service


    $ sudo docker run -ti ubuntu:14.04  /bin/bash
    #First, create a container with the familiar "-ti" flags.
    root@fc1936ea8ceb:/# sshd
    bash: sshd: command not found
    #Try to start the ssh server with sshd: it is not installed. Note that after entering the container with "-ti /bin/bash" we are in a root shell.
    root@fc1936ea8ceb:/# apt-get install openssh-server
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    E: Unable to locate package openssh-server
    #The package is not in the local apt cache either: the official image is stripped down to the point of shipping no package lists at all.
    root@fc1936ea8ceb:/# apt-get update
    #Run "apt-get update" to refresh the apt package lists. If the default archive.ubuntu.com is slow, switch to a domestic mirror such as 163 or Sohu.
    Ign http://archive.ubuntu.com trusty InRelease
    Ign http://archive.ubuntu.com trusty-updates InRelease
    Ign http://archive.ubuntu.com trusty-security InRelease
    Ign http://archive.ubuntu.com trusty-proposed InRelease
    ...
    Fetched 20.4 MB in 2min 55s (116 kB/s)
    Reading package lists... Done
    root@fc1936ea8ceb:/# apt-get install openssh-server
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following extra packages will be installed:
      ca-certificates krb5-locales libck-connector0 libedit2 libgssapi-krb5-2
      libidn11 libk5crypto3 libkeyutils1 libkrb5-3 libkrb5support0
      libpython-stdlib libpython2.7-minimal libpython2.7-stdlib libwrap0 libx11-6
      libx11-data libxau6 libxcb1 libxdmcp6 libxext6 libxmuu1 ncurses-term
      openssh-client openssh-sftp-server openssl python python-chardet
      python-minimal python-requests python-six python-urllib3 python2.7
      python2.7-minimal ssh-import-id tcpd wget xauth
    Suggested packages:
      krb5-doc krb5-user ssh-askpass libpam-ssh keychain monkeysphere rssh
      molly-guard ufw python-doc python-tk python2.7-doc binutils binfmt-support
    The following NEW packages will be installed:
      ca-certificates krb5-locales libck-connector0 libedit2 libgssapi-krb5-2
      libidn11 libk5crypto3 libkeyutils1 libkrb5-3 libkrb5support0
      libpython-stdlib libpython2.7-minimal libpython2.7-stdlib libwrap0 libx11-6
      libx11-data libxau6 libxcb1 libxdmcp6 libxext6 libxmuu1 ncurses-term
      openssh-client openssh-server openssh-sftp-server openssl python
      python-chardet python-minimal python-requests python-six python-urllib3
      python2.7 python2.7-minimal ssh-import-id tcpd wget xauth
    0 upgraded, 38 newly installed, 0 to remove and 29 not upgraded.
    Need to get 7599 kB of archives.
    After this operation, 35.3 MB of additional disk space will be used.
    Do you want to continue? [Y/n] y
    #Installing just the ssh server pulls in this many dependencies.
    Get:1 http://archive.ubuntu.com/ubuntu/ trusty/main libedit2 amd64 3.1-20130712-2 [86.7 kB]
    Get:2 http://archive.ubuntu.com/ubuntu/ trusty-proposed/main libkrb5support0 amd64 1.12+dfsg-2ubuntu5 [30.0 kB]
    Get:3 http://archive.ubuntu.com/ubuntu/ trusty-proposed/main libk5crypto3 amd64 1.12+dfsg-2ubuntu5 [79.9 kB]
    Get:4 http://archive.ubuntu.com/ubuntu/ trusty/main libkeyutils1 amd64 1.5.6-1 [7318 B]
    Get:5 http://archive.ubuntu.com/ubu
    ...
    Updating certificates in /etc/ssl/certs... 164 added, 0 removed; done.
    Running hooks in /etc/ca-certificates/update.d....done.
    Processing triggers for ureadahead (0.100.0-16) ...
    root@fc1936ea8ceb:/# mkdir -p /var/run/sshd
    #Create the privilege-separation directory sshd needs at runtime
    root@fc1936ea8ceb:/# /usr/sbin/sshd -D &
    #Run the ssh daemon in the background
    [1] 3254
    root@fc1936ea8ceb:/# netstat -tunlp
    #Check that the daemon is listening on its port
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
    tcp6       0      0 :::22                   :::*                    LISTEN      -
    root@fc1936ea8ceb:/# mkdir root/.ssh
    root@fc1936ea8ceb:/# vi /root/.ssh/authorized_keys
    #Paste the public key of each machine that should be allowed to log in to this container into authorized_keys. sshd's default StrictModes check rejects the file if .ssh or authorized_keys is group- or world-writable, so keep them at 700 and 600.
    root@fc1936ea8ceb:/# sed -ri 's/session    required     pam_loginuid.so/#session    required     pam_loginuid.so/g' /etc/pam.d/sshd
    #Disable pam_loginuid in sshd's PAM stack. It sets the audit login UID by writing /proc/self/loginuid, which a container without CAP_AUDIT_CONTROL cannot do; as a "required" module its failure would abort every session. The cost is that container logins are no longer tagged with an audit loginuid.
    root@fc1936ea8ceb:/# vi /run.sh
    #Create the executable run.sh; its contents are given below
    root@fc1936ea8ceb:/# chmod +x run.sh
    #Add the execute bit
    root@fc1936ea8ceb:/# exit
    exit
    $ sudo docker commit  fc1 sshd:ubuntu
    #Use "docker commit" to save the current container as the image sshd:ubuntu (fc1 is a unique prefix of the container ID)
    7aef2cd95fd0c712f022bcff6a4ddefccf20fd693da2b24b04ee1cd3ed3eb6fc
    $ sudo docker  images
    REPOSITORY          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
    sshd                ubuntu              7aef2cd95fd0        10 seconds ago      255.2 MB
    busybox             latest              e72ac664f4f0        3 weeks ago         2.433 MB
    ubuntu              latest              ba5877dc9bec        3 months ago        192.7 MB
    #Check the images we now have
    $ sudo docker  run -p 100:22  -d sshd:ubuntu /run.sh
    #Start the container, mapping host port 100 to container port 22. Without an address, -p binds 0.0.0.0, i.e. every interface on the host; use -p 127.0.0.1:100:22 if only the host itself should be able to reach the daemon.
    3ad7182aa47f9ce670d933f943fdec946ab69742393ab2116bace72db82b4895
    $ sudo docker ps
    #Started successfully; docker ps shows the details of the running container
    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS                 NAMES
    3ad7182aa47f        sshd:ubuntu         "/run.sh"           2 seconds ago       Up 2 seconds        0.0.0.0:100->22/tcp   focused_ptolemy
    > ssh 192.168.1.200 -p 100
    #Log in to the container from the machine whose public key was copied in above
    The authenticity of host '[192.168.1.200]:100 ([192.168.1.200]:100)' can't be established.
    ECDSA key fingerprint is 5f:6e:4c:54:8f:c7:7f:32:c2:38:45:bb:16:03:c9:e8.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '[192.168.1.200]:100' (ECDSA) to the list of known hosts.
    Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.2.0-37-generic x86_64)
    
     * Documentation:  https://help.ubuntu.com/
    
    The programs included with the Ubuntu system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.
    
    Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
    applicable law.
    
    root@3ad7182aa47f:~#
    #Login succeeded; the image works.
    

    Contents of the run.sh script

    #!/bin/bash
    /usr/sbin/sshd -D

    The basics of Dockerfiles were covered in section 1.8; below we show how to do what the previous section did with a Dockerfile.

    Create a working directory

    First, create a directory called sshd_ubuntu to hold the Dockerfile, the script, and any other files.

    $ mkdir sshd_ubuntu
    $ ls
    sshd_ubuntu
    $ cd sshd_ubuntu/
    $ touch Dockerfile run.sh
    $ ls
    Dockerfile  run.sh
    

    Write the shell script and the authorized_keys file

    The script run.sh is the same as in the previous section

    #!/bin/bash
    /usr/sbin/sshd -D
    

    Create the authorized_keys file

    $ ssh-keygen
    #Generate an access key pair, following the prompts (skip this if you already have one)
    $ cat ~/.ssh/id_rsa.pub >authorized_keys
    #Copy the public key into authorized_keys. Only the .pub file goes into the image; the private key id_rsa stays on the client.
    

    Below is the Dockerfile, with an explanation of each line

    #Base image to build on
    FROM ubuntu:14.04
    #Author information
    MAINTAINER dwj_zz@163.com
    #Commands start here: replace the Ubuntu apt sources with the domestic 163 mirror. Note that trusty-proposed is the pre-release testing pocket; drop that line for anything other than an experiment.
    RUN echo "deb http://mirrors.163.com/ubuntu/ trusty main restricted universe multiverse" > /etc/apt/sources.list
    RUN echo "deb http://mirrors.163.com/ubuntu/ trusty-security main restricted universe multiverse" >> /etc/apt/sources.list
    RUN echo "deb http://mirrors.163.com/ubuntu/ trusty-updates main restricted universe multiverse" >> /etc/apt/sources.list
    RUN echo "deb http://mirrors.163.com/ubuntu/ trusty-proposed main restricted universe multiverse" >> /etc/apt/sources.list
    RUN echo "deb http://mirrors.163.com/ubuntu/ trusty-backports main restricted universe multiverse" >> /etc/apt/sources.list
    RUN apt-get update
    
    #Install the ssh server
    RUN apt-get install -y openssh-server
    RUN mkdir -p /var/run/sshd
    RUN mkdir -p /root/.ssh
    #Disable the pam_loginuid module (see the previous section for why it fails inside a container)
    RUN sed -ri 's/session    required     pam_loginuid.so/#session    required     pam_loginuid.so/g' /etc/pam.d/sshd
    
    #Copy the key file and the script into place and make the script executable
    ADD authorized_keys /root/.ssh/authorized_keys
    ADD run.sh /run.sh
    RUN chmod 755 /run.sh
    
    #Port to expose
    EXPOSE 22
    
    #Default command to run when the container starts
    CMD ["/run.sh"]
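    A hardened replacement for the run.sh used by both the commit-based image above and this Dockerfile, written as an added example; it is not part of the original post. It keeps the same structure (prepare, then start sshd -D) but fixes what a reviewer would flag in the two-line original: the daemon's config is forced to key-only root logins with password authentication off, the permissions that sshd's StrictModes check requires are enforced and the container refuses to start with no usable key instead of starting unreachable, the host keys that apt-get install baked into the image layer are replaced by per-container ones, and sshd is exec'ed so it is PID 1 and "docker stop" actually stops it. Paths are Ubuntu 14.04's (/etc/ssh, /usr/sbin/sshd, /root/.ssh); the function names and the run.sh basename guard at the end are our own convention, and the functions take paths as arguments so the checks can be exercised on the host outside a container.

```sh
#!/bin/sh
# Hardened /run.sh for the sshd image. Added example, not the original post's
# script. Paths are Ubuntu 14.04's (/etc/ssh, /usr/sbin/sshd, /root/.ssh);
# the function names and the basename guard at the bottom are our own choice.
set -eu

# Force one sshd_config directive to one value: remove every existing
# occurrence (commented out or not) and append the wanted line. sshd honours
# the first matching directive, so appending without removing would not override.
set_sshd_directive() {
    cfg=$1; key=$2; value=$3
    new="$cfg.new"
    grep -v -E "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$cfg" > "$new" || true
    printf '%s %s\n' "$key" "$value" >> "$new"
    mv "$new" "$cfg"
}

# Key-only root login, no password or keyboard-interactive auth, no X11.
# "without-password" is the OpenSSH 6.6 (Ubuntu 14.04) spelling; 7.0+ also
# accepts "prohibit-password".
harden_sshd_config() {
    cfg=$1
    set_sshd_directive "$cfg" PermitRootLogin without-password
    set_sshd_directive "$cfg" PasswordAuthentication no
    set_sshd_directive "$cfg" ChallengeResponseAuthentication no
    set_sshd_directive "$cfg" PermitEmptyPasswords no
    set_sshd_directive "$cfg" PubkeyAuthentication yes
    set_sshd_directive "$cfg" X11Forwarding no
}

# sshd's default StrictModes refuses keys from a group/world-writable ~/.ssh,
# and with passwords disabled a container without any key is unreachable.
# Return non-zero in both cases so the container fails fast instead.
prepare_authorized_keys() {
    dir=$1
    [ -d "$dir" ] || return 1
    chmod 700 "$dir"
    [ -f "$dir/authorized_keys" ] || return 1
    chmod 600 "$dir/authorized_keys"
    # require at least one key line; options such as from="..." may precede the type
    grep -q -E '(^|[[:space:]])(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]' \
        "$dir/authorized_keys"
}

# "apt-get install openssh-server" generated host keys into the image layer, so
# every container started from the image would present the same host identity.
# Delete them in the Dockerfile (RUN rm -f /etc/ssh/ssh_host_*) and create a
# fresh set per container here; mount /etc/ssh as a volume if the identity must
# survive re-creating the container.
ensure_host_keys() {
    if ! ls /etc/ssh/ssh_host_*_key >/dev/null 2>&1; then
        ssh-keygen -A   # generate every missing default host key type into /etc/ssh
    fi
}

main() {
    mkdir -p /var/run/sshd                      # privilege-separation dir sshd needs
    harden_sshd_config /etc/ssh/sshd_config
    prepare_authorized_keys /root/.ssh || {
        echo "run.sh: no usable key in /root/.ssh/authorized_keys, refusing to start" >&2
        exit 1
    }
    ensure_host_keys
    # exec makes sshd PID 1 so the SIGTERM from "docker stop" reaches it; the
    # original run.sh left bash as PID 1, which ignores the signal and gets
    # SIGKILLed after the timeout. -e sends sshd's log to stderr for "docker logs".
    exec /usr/sbin/sshd -D -e
}

# Only start the daemon when executed as the entrypoint script itself; when
# sourced under another name the functions are merely defined, which is how the
# checks above can be exercised on the host without a container.
case "${0##*/}" in run.sh) main ;; esac
```

    Drop it in place of run.sh, keep CMD ["/run.sh"], and add RUN rm -f /etc/ssh/ssh_host_* after the apt-get install step so the image carries no host identity of its own. Clients will then see a different host key fingerprint per container, which is what the two fingerprints in this post already show for the two separately built images.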
    

    Build the image

    $ sudo docker build -t sshd:dockerfile .
    Sending build context to Docker daemon 5.632 kB
    Sending build context to Docker daemon
    Step 0 : FROM ubuntu:14.04
    ^Z
    [1]+  Stopped                 sudo docker build -t sshd:dockerfile .
    #The build was very slow at this point, so I suspended it and first looked at the local images
    $ sudo docker images
    REPOSITORY          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
    sshd                ubuntu              7aef2cd95fd0        12 hours ago        255.2 MB
    busybox             latest              e72ac664f4f0        3 weeks ago         2.433 MB
    ubuntu              latest              ba5877dc9bec        3 months ago        192.7 MB
    #Our local ubuntu image only carries the default latest tag, whereas a Dockerfile normally pins a version tag, so docker was pulling ubuntu:14.04 from the registry. Tagging the local image as 14.04 skips the download, but only because latest really was 14.04 at the time; if in doubt, pull ubuntu:14.04 rather than assuming it.
    $ sudo docker tag ba5 ubuntu:14.04
    $ pwd
    /home/xxx/sshd_ubuntu
    $ sudo docker build -t sshd:dockerfile .
    #Note the trailing ".": the current directory is the build context, and the Dockerfile is read from it
    Sending build context to Docker daemon 5.632 kB
    Sending build context to Docker daemon
    Step 0 : FROM ubuntu:14.04
     ---> ba5877dc9bec
    Step 1 : MAINTAINER dwj_zz@163.com
     ---> Running in 188d74d02d35
     ---> 473eb019b331
    Removing intermediate container 188d74d02d35
    #When building from a Dockerfile, the intermediate container for each step is removed automatically; the layer each step produced is kept and cached for later builds
    Step 2 : RUN echo "deb http://mirrors.163.com/ubuntu/ trusty main restricted universe multiverse" > /etc/apt/sources.list
     ---> Running in f52e2a583db5
     ---> bd4ceef2ee19
    Removing intermediate container f52e2a583db5
    Step 3 : RUN echo "deb http://mirrors.163.com/ubuntu/ trusty-security main restricted universe multiverse" >> /etc/apt/sources.list
     ---> Running in 897d65dfe9be
     ---> 9cd736f11928
    Removing intermediate container 897d65dfe9be
    Step 4 : RUN echo "deb http://mirrors.163.com/ubuntu/ trusty-updates main restricted universe multiverse" >> /etc/apt/sources.list
     ---> Running in ec3433db813e
     ---> 3fca0b605de4
    Removing intermediate container ec3433db813e
    Step 5 : RUN echo "deb http://mirrors.163.com/ubuntu/ trusty-proposed main restricted universe multiverse" >> /etc/apt/sources.list
     ---> Running in 4a0fe165598f
     ---> f6d1c7af36c8
    Removing intermediate container 4a0fe165598f
    Step 6 : RUN echo "deb http://mirrors.163.com/ubuntu/ trusty-backports main restricted universe multiverse" >> /etc/apt/sources.list
     ---> Running in 209179c21053
     ---> 0cda758c9f3c
    Removing intermediate container 209179c21053
    Step 7 : RUN apt-get update
     ---> Running in 1fd40eb66f7b
    Ign http://archive.ubuntu.com trusty-proposed InRelease
    Get:1 http://archive.ubuntu.com trusty-proposed Release.gpg [933 B]
    Get:2 http://archive.ubuntu.com trusty-proposed Release [110 kB]
    Get:3 http://archive.ubuntu.com trusty-proposed/main amd64 Packages [160 kB]
    ...
    #Some unimportant output omitted for brevity
    Fetched 11.3 MB in 1min 37s (116 kB/s)
    Reading package lists...
     ---> 0f132591eddc
    Removing intermediate container 1fd40eb66f7b
    Step 8 : RUN apt-get install -y openssh-server
     ---> Running in 399e4ea726d2
    Reading package lists...
    Building dependency tree...
    Reading state information...
    The following extra packages will be installed:
      ca-certificates krb5-locales libck-connector0 libedit2 libgssapi-krb5-2
      libidn11 libk5crypto3 libkeyutils1 libkrb5-3 libkrb5support0
      libpython-stdlib libpython2.7-minimal libpython2.7-stdlib libwrap0 libx11-6
      libx11-data libxau6 libxcb1 libxdmcp6 libxext6 libxmuu1 ncurses-term
      openssh-client openssh-sftp-server openssl python python-chardet
      python-minimal python-requests python-six python-urllib3 python2.7
      python2.7-minimal ssh-import-id tcpd wget xauth
    Suggested packages:
      krb5-doc krb5-user ssh-askpass libpam-ssh keychain monkeysphere rssh
      molly-guard ufw python-doc python-tk python2.7-doc binutils binfmt-support
    The following NEW packages will be installed:
      ca-certificates krb5-locales libck-connector0 libedit2 libgssapi-krb5-2
      libidn11 libk5crypto3 libkeyutils1 libkrb5-3 libkrb5support0
      libpython-stdlib libpython2.7-minimal libpython2.7-stdlib libwrap0 libx11-6
      libx11-data libxau6 libxcb1 libxdmcp6 libxext6 libxmuu1 ncurses-term
      openssh-client openssh-server openssh-sftp-server openssl python
      python-chardet python-minimal python-requests python-six python-urllib3
      python2.7 python2.7-minimal ssh-import-id tcpd wget xauth
    0 upgraded, 38 newly installed, 0 to remove and 29 not upgraded.
    Need to get 7599 kB of archives.
    After this operation, 35.3 MB of additional disk space will be used.
    Get:1 http://mirrors.163.com/ubuntu/ trusty/main libedit2 amd64 3.1-20130712-2 [86.7 kB]
    ...
    Running hooks in /etc/ca-certificates/update.d....done.
    Processing triggers for ureadahead (0.100.0-16) ...
     ---> 62f952643e33
    Removing intermediate container 399e4ea726d2
    Step 9 : RUN mkdir -p /var/run/sshd
     ---> Running in aa1c4d469284
     ---> e81557dd4887
    Removing intermediate container aa1c4d469284
    Step 10 : RUN mkdir -p /root/.ssh
     ---> Running in 0626987081d0
     ---> 23882ee06756
    Removing intermediate container 0626987081d0
    Step 11 : RUN sed -ri 's/session    required     pam_loginuid.so/#session    required     pam_loginuid.so/g' /etc/pam.d/sshd
     ---> Running in 3808c650bf85
     ---> 6c0ca1d20d7f
    Removing intermediate container 3808c650bf85
    Step 12 : ADD authorized_keys /root/.ssh/authorized_keys
     ---> a64bbd8ae617
    Removing intermediate container 16e2d93d6ef0
    Step 13 : ADD run.sh /run.sh
     ---> 230711022f7d
    Removing intermediate container 137e56188d7b
    Step 14 : RUN chmod 755 /run.sh
     ---> Running in a876e4ea378e
     ---> 32d74bbb7406
    Removing intermediate container a876e4ea378e
    Step 15 : EXPOSE 22
     ---> Running in eeaf9352ca11
     ---> 901e3fa9f596
    Removing intermediate container eeaf9352ca11
    Step 16 : CMD /run.sh
     ---> Running in 48c37db83ffb
     ---> 570c26a9de68
    Removing intermediate container 48c37db83ffb
    Successfully built 570c26a9de68
    #Finally it reports success; the image id is 570c26a9de68. Let's check
    $ sudo docker images
    REPOSITORY          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
    sshd                dockerfile          570c26a9de68        4 minutes ago       246.5 MB
    sshd                ubuntu              7aef2cd95fd0        12 hours ago        255.2 MB
    busybox             latest              e72ac664f4f0        3 weeks ago         2.433 MB
    ubuntu              14.04               ba5877dc9bec        3 months ago        192.7 MB
    ubuntu              latest              ba5877dc9bec        3 months ago        192.7 MB
    

    Test the image by running a container

    Run a container from the sshd:dockerfile image we just built and see whether it meets our requirements.

    $ sudo docker ps
    #This is the container from the previous section, built with "commit"
    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS                 NAMES
    3ad7182aa47f        sshd:ubuntu         "/run.sh"           12 hours ago        Up 3 seconds        0.0.0.0:100->22/tcp   focused_ptolemy
    $ sudo docker run -d -p 101:22 sshd:dockerfile
    #Note that, unlike the previous section, we no longer pass '/run.sh' on the command line, because the Dockerfile's CMD already defines the start-up command.
    890c04ff8d769b604386ba4475253ae8c21fc92d60083759afa77573bf4e8af1
    $ sudo docker ps
    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS                 NAMES
    890c04ff8d76        sshd:dockerfile     "/run.sh"           4 seconds ago       Up 3 seconds        0.0.0.0:101->22/tcp   high_albattani
    3ad7182aa47f        sshd:ubuntu         "/run.sh"           12 hours ago        Up 28 seconds       0.0.0.0:100->22/tcp   focused_ptolemy
    

    Open a new terminal locally and connect to the new container

    > ssh 192.168.1.200 -p 101
    The authenticity of host '[192.168.1.200]:101 ([192.168.1.200]:101)' can't be established.
    ECDSA key fingerprint is d1:59:f1:09:3b:09:79:6d:19:16:f4:fd:39:1b:be:27.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '[192.168.1.200]:101' (ECDSA) to the list of known hosts.
    Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.2.0-37-generic x86_64)
    
     * Documentation:  https://help.ubuntu.com/
    
    The programs included with the Ubuntu system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.
    
    Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
    applicable law.
    
    root@890c04ff8d76:~#
    Test succeeded

    In the community there has long been a debate over whether Docker containers should run an ssh service at all.

    • One side argues: one of Docker's stated principles is one service per container. Running an ssh service in every container violates that principle, and in their view there is no need to enter a container from a remote host for maintenance in the first place.

    • The other side argues: before version 1.3, entering a container with attach frequently hung. Since 1.3 the official docker exec tool makes entering a container from the host painless, but there is still no better solution for entering a container from another remote host.

    It is indeed possible, through methods that currently look fairly involved, to maintain containers without entering them. But maintaining servers over ssh is what Linux administrators know today, and until Docker offers a more efficient and more secure way to maintain containers, an ssh service inside the container remains fairly important; its resource usage is also not as large as one might imagine.

  • Original article: https://www.cnblogs.com/felixzh/p/5000319.html