docker version: 1.12.6
image: docker.io/centos:latest, 2d194b392dd1
在Docker社区中,对于是否需要为Docker容器添加SSH服务一直存有争议。
反对方的观点是:Docker的理念是一个容器只运行一个服务。因此,如果每一个容器都运行一个额外的SSH服务,就违背Docker的初衷。另外也有人认为根本没有从远程主机进入容器进行维护的必要。
支持方的观点是:在Docker 1.3版本之前,如果要用attach进入容器,经常会出现卡死的情况,v1.3之后,虽然官方推出了docker exec 命令, 再从宿主机进入容器是没有以前的问题了,但是如果要从去其他远程主机进入容器依然没有更好的解决方案。
其实,我认为这两种说法都有道理。对于是否需要为Docker容器添加SSH服务,应取决于容器的具体应用场景:即作为应用容器还是作为系统容器或数据容器。应用容器行为围绕应用生命周期,较少简单,不需要人工的额外干预;而系统容器或数据容器则需要支持管理员的登录操作,这个时候容器对SSH服务的支持就变得十分有必要了,因为它对资源的需求不高,同时可以保障安全性。
下面介绍两种为容器添加SSH服务并保存为镜像的方法。
docker commit
- 启动基础镜像
[root@JDu4e00u53f7 ~]# docker run -it centos
- 容器中安装 openssh-server
[root@f70036d0c6ca /]# yum install passwd openssh-server -y
- 修改root用户密码
[root@f70036d0c6ca /]# passwd root
Changing password for user root.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
- 生成秘钥(HostKey)
[root@f70036d0c6ca /]# ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 直接回车
Enter same passphrase again: 直接回车
Your identification has been saved in /etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
SHA256:ItOJ+dA5dzIQpIvBZHNzLl/WiqZ5957hdYU3pg7mpQY root@f70036d0c6ca
The key's randomart image is:
+---[RSA 2048]----+
| + o.+ |
| + o = . . |
| o o o o . |
| o O B . . |
| . B @ S . .oo|
| O + E oo.|
| o o . oo.o. |
| . . oo==. |
| .*o . |
+----[SHA256]-----+
[root@fa13056d27da ssh]# ssh-keygen -t rsa -f /etc/ssh/ssh_host_ecdsa_key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): (直接回车)
Enter same passphrase again: (直接回车)
Your identification has been saved in /etc/ssh/ssh_host_ecdsa_key.
Your public key has been saved in /etc/ssh/ssh_host_ecdsa_key.pub.
The key fingerprint is:
SHA256:WpihxgDZRqjJog4r8C258f9pW5jN2HXURbKCpNfRk4E root@fa13056d27da
The key's randomart image is:
+---[RSA 2048]----+
|.=. . .oo+o|
|o.o o oE.++.|
|oo. . . o o o..|
|+. o . + . o |
|o + o S . . |
|+ . o B . . |
|+o.o . + = |
|o.+o. .o |
|. .o...o+. |
+----[SHA256]-----+
[root@fa13056d27da ssh]# ssh-keygen -t rsa -f /etc/ssh/ssh_host_ed25519_key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): (直接回车)
Enter same passphrase again: (直接回车)
Your identification has been saved in /etc/ssh/ssh_host_ed25519_key.
Your public key has been saved in /etc/ssh/ssh_host_ed25519_key.pub.
The key fingerprint is:
SHA256:M1/Y+3uh/2Ci8vCUEJkV6V2QTvnoGQDgn1XKD2Hp24o root@fa13056d27da
The key's randomart image is:
+---[RSA 2048]----+
| ....=+o+ |
| . *+++ . |
| . +o== + |
| . +o== . |
| S .++o |
| =.o+. . |
| ..+.o + .|
| E+.. = ..|
| o+ ++o|
+----[SHA256]-----+
- 编写启动脚本
[root@46d6949f23b3 ~]# vi /run.sh
[root@46d6949f23b3 ~]# chmod +x /run.sh
其中 /run.sh的内容为:
#!/bin/bash
/usr/sbin/sshd -D
7.修改配置文件 (可选)
[root@46d6949f23b3 ~]# vi /etc/ssh/sshd_config
# 修改ssh服务端口,默认22
#Port 22
#禁用 PAM
UsePAM no
#禁止root用户登录
#PermitRootLogin yes
- 退出容器,保存镜像
[root@46d6949f23b3 ~]# exit
[root@JDu4e00u53f7 ~]# docker ps -al
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
46d6949f23b3 centos "/bin/bash" 11 minutes ago Exited (0) 47 seconds ago practical_kilby
[root@JDu4e00u53f7 ~]# docker commit -m 'openssh-server' -a 'Rethink' 46d6949f23b3 sshd:centos
sha256:fa665548b8186c9b656a145ff9beaae1847d183dd405eba25888066e85ca10fc
- 启动容器
[root@JDu4e00u53f7 ~]# docker run -d --name ssh -p 10022:22 sshd:centos /run.sh
334c4330a56bfe5d9e87c35747ef604da60c5aa84fdae427ca30bbdab2592d37
[root@JDu4e00u53f7 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
334c4330a56b sshd:centos "/run.sh" 55 seconds ago Up 54 seconds 0.0.0.0:10022->22/tcp ssh
- 远程连接测试
[root@JDu4e00u53f7 ~]# ssh root@192.168.0.3 -p 10022
The authenticity of host '[192.168.0.3]:10022 ([192.168.0.3]:10022)' can't be established.
RSA key fingerprint is e1:95:09:40:48:8e:13:94:ca:73:15:e7:7b:37:2d:6c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.0.3]:10022' (RSA) to the list of known hosts.
root@192.168.0.3's password:
[root@334c4330a56b ~]# logout
Connection to 192.168.0.3 closed.
Dockerfile
使用docker commit 手动构建一个新的镜像,虽然步骤清晰,但是镜像分发起来比较不方便。Dockerfile 就是最优替代方案。
#20180328
FROM centos:centos7
MAINTAINER 简书:Rethink "https://www.jianshu.com/u/425d52eec5fa" "shijianzhihu@foxmail.com"
RUN yum install openssh-server -y
#修改root用户密码
#用以下命令修改密码时,密码中最好不要包含特殊字符,如"!",否则可能会失败;
RUN /bin/echo "rethink123" | passwd --stdin root
#生成密钥
RUN ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key \
&& ssh-keygen -t rsa -f /etc/ssh/ssh_host_ecdsa_key \
&& ssh-keygen -t rsa -f /etc/ssh/ssh_host_ed25519_key
#修改配置信息
RUN /bin/sed -i 's/.*session.*required.*pam_loginuid.so.*/session optional pam_loginuid.so/g' /etc/pam.d/sshd \
&& /bin/sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config \
&& /bin/sed -i "s/#UsePrivilegeSeparation.*/UsePrivilegeSeparation no/g" /etc/ssh/sshd_config
EXPOSE 22
CMD ["/usr/sbin/sshd","-D"]
远程连接时遇到的问题
- 【Q1】
[root@JDu4e00u53f7 ~]# ssh root@192.168.0.3 -p 10022
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
f9:f4:8b:91:7b:0c:2e:86:c2:46:97:d0:aa:66:31:d6.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending RSA key in /root/.ssh/known_hosts:1
RSA host key for [192.168.0.3]:10022 has changed and you have requested strict checking.
Host key verification failed.
解决方法为:
[root@JDu4e00u53f7 ~]# cd
[root@JDu4e00u53f7 ~]# ll -a
[root@JDu4e00u53f7 ~]# vi .ssh/known_hosts
删掉相关密钥信息后,再次连接即可。如:
[192.168.0.3]:10022 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC28Z4QL5Lj/WOrZGGIj/mnRaWDwh9YfHbDl99wO3Bog5geOcsIMVhOMeExMpdQI1afEAlzZpqltY31kt0Eboto3Sa1DJ6YiryEBiv6pcHo2XGeczFD4PqG64C50I+w3qDANVcMHil+/qw/MsAvhFT972NzypL9+z+FGn2nZmLT/J+AxWyGqPLHZJ1xlgLc/Bk6H+GXXuO7HZj3NKn3C8SsSkhSUcCT5bKfRfxIuyX/nzyWK4yZoZhmAJvG9AUTd/qIOtqMKZ0x++TR+30yNJkphqOptHpZrbpybhpX0wOQIZiITtnUzYEAHlYx3X31lQHqcHirPvBGMKM7yG9wAa5V
- 【Q2】
[root@JDu4e00u53f7 ~]# ssh 192.168.0.3 -p 10022
ssh: connect to host 192.168.0.3 port 10022: Connection refused
解决方法:验证目标主机的ssh server端程序是否安装、服务是否启动,是否在侦听22端口,docker run命令中是否运行了/run.sh脚本。