Docker Centos新增SSH服務
阿新 • • 發佈:2019-01-11
docker version: 1.12.6
image: docker.io/centos:latest, 2d194b392dd1
在Docker社群中,對於是否需要為Docker容器新增SSH服務一直存有爭議。
反對方的觀點是:Docker的理念是一個容器只執行一個服務。因此,如果每一個容器都執行一個額外的SSH服務,就違背Docker的初衷。另外也有人認為根本沒有從遠端主機進入容器進行維護的必要。
支援方的觀點是:在Docker 1.3版本之前,如果要用attach
進入容器,經常會出現卡死的情況,v1.3之後,雖然官方推出了docker exec
命令, 再從宿主機進入容器是沒有以前的問題了,但是如果要從去其他遠端主機進入容器依然沒有更好的解決方案。
其實,我認為這兩種說法都有道理。對於是否需要為Docker容器新增SSH服務,應取決於容器的具體應用場景:即作為應用容器還是作為系統容器或資料容器。應用容器行為圍繞應用生命週期,較少簡單,不需要人工的額外干預;而系統容器或資料容器則需要支援管理員的登入操作,這個時候容器對SSH服務的支援就變得十分有必要了,因為它對資源的需求不高,同時可以保障安全性。
下面介紹兩種為容器新增SSH服務並儲存為映象的方法。
docker commit
- 啟動基礎映象
[root@JDu4e00u53f7 ~]# docker run -it centos
- 容器中安裝 openssh-server
[root@f70036d0c6ca /]# yum install passwd openssh-server -y
- 修改root使用者密碼
[[email protected] /]# passwd root
Changing password for user root.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
- 生成祕鑰(HostKey)
[[email protected] /]# ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 直接回車
Enter same passphrase again: 直接回車
Your identification has been saved in /etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
SHA256:ItOJ+dA5dzIQpIvBZHNzLl/WiqZ5957hdYU3pg7mpQY [email protected]
The key's randomart image is:
+---[RSA 2048]----+
| + o.+ |
| + o = . . |
| o o o o . |
| o O B . . |
| . B @ S . .oo|
| O + E oo.|
| o o . oo.o. |
| . . oo==. |
| .*o . |
+----[SHA256]-----+
[[email protected] ssh]# ssh-keygen -t rsa -f /etc/ssh/ssh_host_ecdsa_key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): (直接回車)
Enter same passphrase again: (直接回車)
Your identification has been saved in /etc/ssh/ssh_host_ecdsa_key.
Your public key has been saved in /etc/ssh/ssh_host_ecdsa_key.pub.
The key fingerprint is:
SHA256:WpihxgDZRqjJog4r8C258f9pW5jN2HXURbKCpNfRk4E [email protected]
The key's randomart image is:
+---[RSA 2048]----+
|.=. . .oo+o|
|o.o o oE.++.|
|oo. . . o o o..|
|+. o . + . o |
|o + o S . . |
|+ . o B . . |
|+o.o . + = |
|o.+o. .o |
|. .o...o+. |
+----[SHA256]-----+
[[email protected] ssh]# ssh-keygen -t rsa -f /etc/ssh/ssh_host_ed25519_key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): (直接回車)
Enter same passphrase again: (直接回車)
Your identification has been saved in /etc/ssh/ssh_host_ed25519_key.
Your public key has been saved in /etc/ssh/ssh_host_ed25519_key.pub.
The key fingerprint is:
SHA256:M1/Y+3uh/2Ci8vCUEJkV6V2QTvnoGQDgn1XKD2Hp24o [email protected]
The key's randomart image is:
+---[RSA 2048]----+
| ....=+o+ |
| . *+++ . |
| . +o== + |
| . +o== . |
| S .++o |
| =.o+. . |
| ..+.o + .|
| E+.. = ..|
| o+ ++o|
+----[SHA256]-----+
- 編寫啟動指令碼
[root@46d6949f23b3 ~]# vi /run.sh
[root@46d6949f23b3 ~]# chmod +x /run.sh
其中 /run.sh的內容為:
#!/bin/bash
/usr/sbin/sshd -D
- 修改配置檔案 (可選)
[root@46d6949f23b3 ~]# vi /etc/ssh/sshd_config
# 修改ssh服務埠,預設22
#Port 22
#禁用 PAM
UsePAM no
#禁止root使用者登入
#PermitRootLogin yes
- 退出容器,儲存映象
[root@46d6949f23b3 ~]# exit
[root@JDu4e00u53f7 ~]# docker ps -al
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
46d6949f23b3 centos "/bin/bash" 11 minutes ago Exited (0) 47 seconds ago practical_kilby
[root@JDu4e00u53f7 ~]# docker commit -m 'openssh-server' -a 'Rethink' 46d6949f23b3 sshd:centos
sha256:fa665548b8186c9b656a145ff9beaae1847d183dd405eba25888066e85ca10fc
- 啟動容器
[root@JDu4e00u53f7 ~]# docker run -d --name ssh -p 10022:22 sshd:centos /run.sh
334c4330a56bfe5d9e87c35747ef604da60c5aa84fdae427ca30bbdab2592d37
[root@JDu4e00u53f7 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
334c4330a56b sshd:centos "/run.sh" 55 seconds ago Up 54 seconds 0.0.0.0:10022->22/tcp ssh
- 遠端連線測試
[[email protected] ~]# ssh [email protected] -p 10022
The authenticity of host '[192.168.0.3]:10022 ([192.168.0.3]:10022)' can't be established.
RSA key fingerprint is e1:95:09:40:48:8e:13:94:ca:73:15:e7:7b:37:2d:6c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.0.3]:10022' (RSA) to the list of known hosts.
[email protected]192.168.0.3's password:
[[email protected]334c4330a56b ~]# logout
Connection to 192.168.0.3 closed.
Dockerfile
使用docker commit
手動構建一個新的映象,雖然步驟清晰,但是映象分發起來比較不方便。Dockerfile 就是最優替代方案。
#20180328
FROM centos:centos7
MAINTAINER 簡書:Rethink "https://www.jianshu.com/u/425d52eec5fa" "[email protected]"
RUN yum install openssh-server -y
#修改root使用者密碼
#用以下命令修改密碼時,密碼中最好不要包含特殊字元,如"!",否則可能會失敗;
RUN /bin/echo "rethink123" | passwd --stdin root
#生成金鑰
RUN ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key \
&& ssh-keygen -t rsa -f /etc/ssh/ssh_host_ecdsa_key \
&& ssh-keygen -t rsa -f /etc/ssh/ssh_host_ed25519_key
#修改配置資訊
RUN /bin/sed -i 's/.*session.*required.*pam_loginuid.so.*/session optional pam_loginuid.so/g' /etc/pam.d/sshd \
&& /bin/sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config \
&& /bin/sed -i "s/#UsePrivilegeSeparation.*/UsePrivilegeSeparation no/g" /etc/ssh/sshd_config
EXPOSE 22
CMD ["/usr/sbin/sshd","-D"]
## 遠端連線時遇到的問題
1.【Q1】
[root@JDu4e00u53f7 ~]# ssh root@192.168.0.3 -p 10022
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
f9:f4:8b:91:7b:0c:2e:86:c2:46:97:d0:aa:66:31:d6.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending RSA key in /root/.ssh/known_hosts:1
RSA host key for [192.168.0.3]:10022 has changed and you have requested strict checking.
Host key verification failed.
解決方法為:
[root@JDu4e00u53f7 ~]# cd
[root@JDu4e00u53f7 ~]# ll -a
[root@JDu4e00u53f7 ~]# vi .ssh/known_hosts
刪掉相關金鑰資訊後,再次連線即可。如:
[192.168.0.3]:10022 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC28Z4QL5Lj/WOrZGGIj/mnRaWDwh9YfHbDl99wO3Bog5geOcsIMVhOMeExMpdQI1afEAlzZpqltY31kt0Eboto3Sa1DJ6YiryEBiv6pcHo2XGeczFD4PqG64C50I+w3qDANVcMHil+/qw/MsAvhFT972NzypL9+z+FGn2nZmLT/J+AxWyGqPLHZJ1xlgLc/Bk6H+GXXuO7HZj3NKn3C8SsSkhSUcCT5bKfRfxIuyX/nzyWK4yZoZhmAJvG9AUTd/qIOtqMKZ0x++TR+30yNJkphqOptHpZrbpybhpX0wOQIZiITtnUzYEAHlYx3X31lQHqcHirPvBGMKM7yG9wAa5V
2.【Q2】
[root@JDu4e00u53f7 ~]# ssh 192.168.0.3 -p 10022
ssh: connect to host 192.168.0.3 port 10022: Connection refused
解決方法:驗證目標主機的ssh server端程式是否安裝、服務是否啟動,是否在偵聽22埠,docker run命令中是否運行了/run.sh指令碼。