This chapter records how to log in to a Docker container over ssh. (Connecting to a container with ssh is not really recommended: it can be done, but it has many drawbacks, and Docker already provides a command for running things inside a container, so there is no need to turn every container into an sshd server.)
Start a CentOS container, then install the basic packages:

```
[root@docker ~]# docker run -itd --name sshd centos /bin/bash
a67a5c8ae426a841ad6c6aca6186f7fc585410471a6dfe69a1fc0e28d5a05953
[root@docker ~]# docker exec -it sshd /bin/bash
[root@a67a5c8ae426 /]# wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
[root@a67a5c8ae426 /]# yum install wget vim ntpdate net-tools -y
```

Install the ssh server:

```
[root@a67a5c8ae426 /]# yum clean all
[root@a67a5c8ae426 /]# yum install openssh-server -y
```

Change the container's root password (run `yum -y reinstall cracklib-dicts` beforehand):

```
[root@a67a5c8ae426 /]# echo "123456" |passwd --stdin root
```

Generate a key pair:

```
[root@a67a5c8ae426 /]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:tJ01c3RqkgtNijf6D9q6SXZJ9ZFQUvpbrnkCmW55T9Y root@a67a5c8ae426
The key's randomart image is:
+---[RSA 2048]----+
| +o+ .|
| . + * + |
| o = X * |
| . = * X . |
| S + .oo .|
| o .+ +.|
| o =. o. E|
| o = o+ o=.|
| =o....o+.|
+----[SHA256]-----+
[root@a67a5c8ae426 /]# cd ~/.ssh/
[root@a67a5c8ae426 .ssh]# ls
id_rsa id_rsa.pub
[root@a67a5c8ae426 .ssh]# cp id_rsa.pub authorized_keys
[root@a67a5c8ae426 .ssh]# ls
authorized_keys id_rsa id_rsa.pub
[root@a67a5c8ae426 .ssh]#
```

Run the sshd command; it reports an error:

```
[root@a67a5c8ae426 .ssh]# /usr/sbin/sshd
Could not load host key: /etc/ssh/ssh_host_rsa_key
Could not load host key: /etc/ssh/ssh_host_ecdsa_key
Could not load host key: /etc/ssh/ssh_host_ed25519_key
sshd: no hostkeys available -- exiting.
[root@a67a5c8ae426 .ssh]#
```

Fix:

```
[root@a67a5c8ae426 .ssh]# ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key   // press Enter at every prompt
[root@a67a5c8ae426 .ssh]# ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key
[root@a67a5c8ae426 .ssh]# ssh-keygen -t rsa -f /etc/ssh/ssh_host_ecdsa_key
[root@a67a5c8ae426 .ssh]# ssh-keygen -t rsa -f /etc/ssh/ssh_host_ed25519_key
```

Run the sshd command again; if there is no error, it can now start:

```
[root@a67a5c8ae426 .ssh]# /usr/sbin/sshd
[root@a67a5c8ae426 .ssh]# netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 160/sshd
tcp6 0 0 :::22 :::* LISTEN 160/sshd
[root@a67a5c8ae426 .ssh]#
```

-----------------------Starting ssh: if you get the following error (this is a bug under CentOS 7)-------------------------

```
[root@a67a5c8ae426 .ssh]# systemctl status sshd
Failed to get D-Bus connection: Operation not permitted
```

The fix is as follows:

First stop the container above (`docker stop container-id`), then start the container again, this time with the `--privileged` flag (privileged mode; `--privileged=true` also works, and the same flag helps when a directory mounted into the container has permission problems) and with `/sbin/init` in place of `/bin/bash`, like this:

```
[root@docker ~]# docker run -itd --privileged --name sshd centos /sbin/init
[root@docker ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
884db829911f centos "/sbin/init" 33 seconds ago Up 31 seconds sshd
[root@docker ~]#
```

In fact either `/sbin/init` or `/usr/sbin/init` works for running the container:

```
[root@docker ~]# ll -ld /sbin/init
lrwxrwxrwx 1 root root 22 Jan 30 17:17 /sbin/init -> ../lib/systemd/systemd
[root@docker ~]# ll -ld /usr/sbin/init
lrwxrwxrwx 1 root root 22 Jan 30 17:17 /usr/sbin/init -> ../lib/systemd/systemd
[root@docker ~]#
```

Then enter the container by its ID, this time with `/bin/bash` via `docker exec -it`, and restart the ssh service:

```
[root@docker ~]# docker exec -it sshd /bin/bash
[root@884db829911f /]# yum install wget vim net-tools ntpdate openssh-server -y
[root@884db829911f /]# systemctl restart sshd.service
[root@884db829911f /]# echo "123456" |passwd --stdin root
```

Check the ssh port: port 22 is now open:

```
[root@884db829911f /]# netstat -tnlp|grep sshd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 220/sshd
tcp6 0 0 :::22 :::* LISTEN 220/sshd
[root@884db829911f /]#
```
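The host-key and start-up steps above, folded into one container entry-point script. This is an added example written for this page, not the original author's commands or a script shipped with OpenSSH; it assumes openssh-server is already installed in the container and that its config is /etc/ssh/sshd_config, and the script name sshd-entrypoint.sh is a placeholder. It uses `ssh-keygen -A`, which creates the rsa, ecdsa and ed25519 host keys each with its own algorithm in one go, so the "no hostkeys available" error does not occur, and it runs sshd with -D as the container's main process, so neither systemd nor --privileged is needed.

```shell
#!/bin/sh
# Added example, not from the original post: a container entry point that
# fixes the "no hostkeys available" error and runs sshd in the foreground,
# without systemd or --privileged. Assumed: openssh-server is installed and
# its config is /etc/ssh/sshd_config; the script name sshd-entrypoint.sh is a
# placeholder.
HOST_KEY_DIR="/etc/ssh"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# Print the default host-key files sshd looks for under a directory that do
# not exist yet; prints nothing when all three are present.
missing_host_keys() {
    dir="$1"
    for t in rsa ecdsa ed25519; do
        if [ ! -f "$dir/ssh_host_${t}_key" ]; then
            printf '%s\n' "$dir/ssh_host_${t}_key"
        fi
    done
}

# Create whatever is missing. `ssh-keygen -A` generates each default type
# with its own algorithm (an ed25519 key for ssh_host_ed25519_key, and so on)
# and never overwrites a key that exists, so it is safe to run on every start.
ensure_host_keys() {
    if [ -z "$(missing_host_keys "$HOST_KEY_DIR")" ]; then
        return 0
    fi
    if ! command -v ssh-keygen >/dev/null 2>&1; then
        echo "ssh-keygen not found; install openssh-server first" >&2
        return 2
    fi
    ssh-keygen -A
}

# `sshd -t` parses the config and loads the host keys without starting the
# daemon, so a mistake shows up here rather than in `docker logs` afterwards.
check_sshd_config() {
    /usr/sbin/sshd -t -f "$SSHD_CONFIG"
}

# Start sshd as the container's main process: -D keeps it from daemonising
# (the container would otherwise exit as soon as the parent returns) and -e
# writes the log to stderr, where `docker logs` collects it.
run_sshd() {
    ensure_host_keys && check_sshd_config && exec /usr/sbin/sshd -D -e -f "$SSHD_CONFIG"
}

# Only act when invoked as the entry point, e.g. `RUN_SSHD=1 sh sshd-entrypoint.sh`.
if [ "${RUN_SSHD:-0}" = "1" ]; then
    run_sshd
fi
```

Run it as `RUN_SSHD=1 sh sshd-entrypoint.sh`, or set it as the image's CMD. Generating the host keys at first start, as the script does, gives each container its own host identity; if they are generated once and then baked into the image with `docker commit`, every container started from that image presents the same host key.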
Then check the container with `docker ps`, commit the changes as a new image, and run the new image.
```
[root@docker ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
884db829911f centos "/sbin/init" 6 minutes ago Up 6 minutes sshd
```

Stop the container:

```
[root@docker ~]# docker stop sshd
sshd
```

Next, commit the changes as a new image, here named wangssh. (Once the commit succeeds, the container created earlier may optionally be deleted (see `docker ps -a`); leaving it in place does no harm either. It is better not to delete it, so it can be started again and committed as another image for other uses.)

```
[root@docker ~]# docker commit sshd centos7.4-ssh
sha256:e990237344dcb59c45b68fd91e952af6419415d78d0c2ac86fba68c22ff00d6
```

After the commit succeeds, `docker images` shows it:

```
[root@docker ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
centos7.4-ssh latest e990237344dc 31 seconds ago 363MB
centos latest ff426288ea90 3 weeks ago 207MB
```

Then run the new image:

```
[root@docker ~]# docker run -d -p 2022:22 centos7.4-ssh /usr/sbin/sshd -D
7a5441309940af66119989aac03ef79fddd8d145c10fc19a7ec937802b86df29
[root@docker ~]#
```

The flags used in the command above:

-d run the container in the background
-p map a container port to a host port [optional]

Use `docker ps` to see the running container:

```
[root@docker ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7a5441309940 centos7.4-ssh "/usr/sbin/sshd -D" 28 seconds ago Up 26 seconds 0.0.0.0:2022->22/tcp laughing_yonath
```

Now you can connect to the container directly, or through the port mapping (log in with the container password 123456 set earlier):

```
[root@docker ~]# ssh -p2022 root@localhost
The authenticity of host '[localhost]:2022 ([::1]:2022)' can't be established.
ECDSA key fingerprint is b1:37:95:96:11:1c:60:fd:8c:e2:e7:b3:3a:68:b6:85.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[localhost]:2022' (ECDSA) to the list of known hosts.
root@localhost's password:
[root@7a5441309940 ~]#
```
To set up a trust relationship for passwordless ssh login, it is enough to copy the physical host's local ~/.ssh/id_rsa.pub into the container as ~/.ssh/authorized_keys.
Continuing with the container with ID 7a5441309940 above, after logging in:

```
[root@docker ~]# ssh-keygen -t rsa
[root@docker ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub <IP address>
```

Copy the physical host's local ~/.ssh/id_rsa.pub into the container:

```
[root@docker ~]# docker cp ~/.ssh/id_rsa.pub 7a5441309940:/root/.ssh/
```

Then, inside the container, copy id_rsa.pub to authorized_keys:

```
[root@docker ~]# docker exec -it 7a5441309940 /bin/bash
[root@7a5441309940 /]# cd ~/.ssh/
[root@7a5441309940 .ssh]# cp id_rsa.pub authorized_keys
```

Next, commit it as a new image:

```
[root@docker ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7a5441309940 centos7.4-ssh "/usr/sbin/sshd -D" 40 minutes ago Up 40 minutes 0.0.0.0:2022->22/tcp laughing_yonath
[root@docker ~]#
[root@docker ~]# docker stop 7a5441309940
7a5441309940
[root@docker ~]# docker commit 7a5441309940 centos7.4-ssh:v1
sha256:80da77f10ad4337dc6f41e84b65d6b2f74370c974bacb819f5c127276075282e
[root@docker ~]# docker run -d -p 2022:22 centos7.4-ssh:v1 /usr/sbin/sshd -D
40501782a73f27eac93fe5f2d3ceac3ff83650c5f3a1cead02d7af6898686cb7
```

Finally, try connecting to the container over ssh: it now logs in without a password.

```
[root@docker ~]# ssh -p2022 root@localhost
Last login: Wed Jan 31 09:13:33 2018 from gateway
[root@40501782a73f ~]#
```
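The trust setup above (copy id_rsa.pub into the container, then turn it into authorized_keys) leaves password login, with the password 123456 set by `passwd --stdin`, still accepted on port 2022. The script below is an added example, not from the original post: it installs the public key without overwriting keys already in authorized_keys, then rewrites sshd_config so that only key authentication is accepted, and audits the result. Paths are parameters so it can be tried on copies of the files; the key used for testing is constructed. Match blocks in sshd_config are not handled (an assumption of the parser).

```shell
#!/bin/sh
# Added example, not from the original post: install a public key for the
# container's root account and turn password logins off in sshd_config, so
# the key, not the password set with `passwd --stdin`, is the only way in.
# Assumed: POSIX sh with sed/awk; paths are passed in so the functions can
# be exercised on copies of the real files.

# Append a public key line to $home/.ssh/authorized_keys (created with the
# permissions sshd's StrictModes requires) unless that exact line is present.
# Unlike `cp id_rsa.pub authorized_keys`, this keeps keys already installed.
install_authorized_key() {
    pubkey_file="$1"; home="$2"
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    [ -f "$home/.ssh/authorized_keys" ] || : > "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    key="$(head -n 1 "$pubkey_file")"
    if ! grep -qxF -- "$key" "$home/.ssh/authorized_keys"; then
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    fi
}

# Effective value of a keyword: sshd uses the first uncommented occurrence,
# so later duplicates are ignored. Match blocks are not handled (assumption).
sshd_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Drop every active line for a keyword and append the wanted value, so the
# file ends up with exactly one effective setting for it.
set_sshd_option() {
    cfg="$1"; key="$2"; value="$3"
    awk -v key="$key" 'tolower($1) != tolower(key)' "$cfg" > "$cfg.tmp" \
        && mv "$cfg.tmp" "$cfg"
    printf '%s %s\n' "$key" "$value" >> "$cfg"
}

# Print the two settings that decide whether the password from `passwd` is
# usable over ssh, and return 1 if either still allows it. Defaults follow
# OpenSSH when a keyword is absent: PasswordAuthentication yes,
# PermitRootLogin prohibit-password.
audit_sshd_config() {
    cfg="$1"
    pw="$(sshd_option "$cfg" PasswordAuthentication)"; pw="${pw:-yes}"
    root="$(sshd_option "$cfg" PermitRootLogin)"; root="${root:-prohibit-password}"
    printf 'PasswordAuthentication=%s PermitRootLogin=%s\n' "$pw" "$root"
    [ "$pw" != "yes" ] && [ "$root" != "yes" ]
}

# Key-only logins for every account, root included.
harden_sshd_config() {
    cfg="$1"
    set_sshd_option "$cfg" PubkeyAuthentication yes
    set_sshd_option "$cfg" PasswordAuthentication no
    set_sshd_option "$cfg" ChallengeResponseAuthentication no
    set_sshd_option "$cfg" PermitRootLogin prohibit-password
}
```

Inside the container: `install_authorized_key /root/.ssh/id_rsa.pub /root && harden_sshd_config /etc/ssh/sshd_config`, then restart sshd (or commit the image and start it again, as the post does). Confirm the key login works from a second session before closing the one you have, since the password no longer gets you back in; `audit_sshd_config /etc/ssh/sshd_config` prints the effective values and exits non-zero while password login is still possible.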
How to find the container's IP so that you can log in to the container:
Method 1:

```
[root@docker ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
40501782a73f centos7.4-ssh:v1 "/usr/sbin/sshd -D" 3 minutes ago Up 3 minutes 0.0.0.0:2022->22/tcp vigorous_borg
[root@docker ~]# docker inspect 40501782a73f |grep IPAddress
"SecondaryIPAddresses": null,
"IPAddress": "172.17.0.2",
"IPAddress": "172.17.0.2",
[root@docker ~]#
```

Method 2:

```
[root@docker ~]# docker inspect --format='{{.NetworkSettings.IPAddress}}' 40501782a73f
172.17.0.2
```

Method 3:

Log in to the container and run `yum install net-tools`; after that the ifconfig command shows the IP.

Once you know the container's IP, you can ssh straight to its port 22:

```
[root@docker ~]# ssh 172.17.0.2
Last login: Wed Jan 31 09:21:45 2018 from gateway
[root@40501782a73f ~]#
```
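The two `docker inspect` methods above read NetworkSettings.IPAddress, which Docker only fills in for containers on the default bridge; a container attached to a network created with `docker network create` reports an empty string there and carries its addresses under NetworkSettings.Networks. The block below is an added example, not the post's own commands, and generalises the lookup to both cases: a parser for the JSON that `docker inspect` prints (the sample JSON in the test is constructed) and a Go template that walks the Networks map. The docker CLI is assumed for the two live functions.

```shell
#!/bin/sh
# Added example, not from the original post: find a container's address in a
# way that also works on user-defined networks, where the top-level
# NetworkSettings.IPAddress is "" and the addresses live under
# NetworkSettings.Networks.<name>.IPAddress. Assumed: docker on PATH for the
# two live functions; the parser needs only sed/awk.

# Pull every non-empty IPAddress value out of pretty-printed `docker inspect`
# JSON (one key per line) read from stdin, in order of appearance and without
# duplicates. The post's `grep IPAddress` shows the same lines; this keeps
# only the values and skips the empty top-level field.
ips_from_inspect() {
    sed -n 's/.*"IPAddress": *"\([^"]*\)".*/\1/p' | awk 'length($0) && !seen[$0]++'
}

# Go template that walks the Networks map, so the address comes back whether
# the container is on the default bridge or on a user-defined network; prints
# "<network> <address>" per line.
container_ips() {
    docker inspect --format '{{range $n, $v := .NetworkSettings.Networks}}{{$n}} {{$v.IPAddress}}{{"\n"}}{{end}}' "$1"
}

# Same information via the parser, for a container name or ID.
container_ips_parsed() {
    docker inspect "$1" | ips_from_inspect
}
```

`container_ips vigorous_borg` (or the container ID) lists one line per network; `.NetworkSettings.IPAddress` from the post is the same value only when the container sits on the default bridge.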
This article is reposted from dengaosky's 51CTO blog; original link: http://blog.51cto.com/dengaosky/2067424. Contact the original author for permission to reprint.