10.1 Creating an image with the commit command
Docker provides the docker commit command, which lets a user commit the changes made to a specified container and produce a new image from them. The command format is docker commit CONTAINER [REPOSITORY[:TAG]].
10.1.1 Preparation
[root@docker ~]# docker run -it ubuntu:14.04 /bin/bash
root@4d938e39a8d4:/# apt-get update; apt-get install openssh-server -y
10.1.2 Installing and configuring the SSH service
For the SSH service to start normally, the directory /var/run/sshd must exist. Create it by hand and start the SSH service:
root@4d938e39a8d4:/# mkdir /var/run/sshd
root@4d938e39a8d4:/# /usr/sbin/sshd -D &
[1] 3033
Check port 22 inside the container:
root@4d938e39a8d4:/# netstat -ntulp | grep 22
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3033/sshd
tcp6 0 0 :::22 :::* LISTEN 3033/sshd
Modify the SSH service's login security configuration to remove the PAM login restriction:
root@4d938e39a8d4:~# vi /etc/pam.d/sshd
Comment out the following line:
...
# Set the loginuid process attribute.
#session required pam_loginuid.so
...
Create a .ssh directory under root's home directory and copy the public key that should be allowed to log in (normally the .ssh/id_rsa.pub file in the local host user's home directory, which can be generated with ssh-keygen -t rsa) into the authorized_keys file:
The host's /root/.ssh/id_rsa.pub file:
[root@docker ~]# cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCviOjoW8tlmGrtshwlqWDlBwsdDocFofZHv0RFfyv/YBrgZVOvq6t7F8ur4leFY5sVYqpXyDTnu8vDpSYW/qG8axE1a6os6DN0amcZjPKABs9SmhagnIVgccSXSt82Kb4uj+rys54Dheo0QBppdIPVNz4497joBlmeCm/nCZHYgmAt8dcKJhPWvXnqxCIGwHtzw1x0lDCWg4g+6m1zfV3Q8DfSFtd6cYWyj41jd7lJTkyGZlS6s1Cn7NAGO90ok1Eiido42vwvMSgQDb8mbwzynzi066fg5a0l2XuOmXPac/L8s0izaF1R1buCj/IpG7ZoufQk+7skMXhshsvNFcqv root@monitor
root@4d938e39a8d4:~# mkdir .ssh
root@4d938e39a8d4:~# vi /root/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCviOjoW8tlmGrtshwlqWDlBwsdDocFofZHv0RFfyv/YBrgZVOvq6t7F8ur4leFY5sVYqpXyDTnu8vDpSYW/qG8axE1a6os6DN0amcZjPKABs9SmhagnIVgccSXSt82Kb4uj+rys54Dheo0QBppdIPVNz4497joBlmeCm/nCZHYgmAt8dcKJhPWvXnqxCIGwHtzw1x0lDCWg4g+6m1zfV3Q8DfSFtd6cYWyj41jd7lJTkyGZlS6s1Cn7NAGO90ok1Eiido42vwvMSgQDb8mbwzynzi066fg5a0l2XuOmXPac/L8s0izaF1R1buCj/IpG7ZoufQk+7skMXhshsvNFcqv root@monitor
Create the executable file run.sh that starts the SSH service automatically, and give it execute permission:
root@4d938e39a8d4:~# vi /root/run.sh
#!/bin/bash
/usr/sbin/sshd -D
root@4d938e39a8d4:~# chmod +x run.sh
root@4d938e39a8d4:~# exit
exit
10.1.3 Saving the image
Save the container that was just exited as a new image, sshd:ubuntu, with the docker commit command:
[root@docker ~]# docker commit 4d938 sshd:ubuntu
sha256:0a5c2d48f0b1a09628cadb3c1d71989321c91802f0921d6974491f1b3dd09a5d
[root@docker ~]# docker images | grep sshd
sshd ubuntu 0a5c2d48f0b1 21 seconds ago 287 MB
10.1.4 Using the image
Start a container and add a port mapping:
[root@docker ~]# docker run -p 32722:22 -d sshd:ubuntu /root/run.sh
27e67a364adbe82ab2c9ab206bea45369399b9c2e9bf274e4b10bf039f7c6a0b
[root@docker ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
27e67a364adb sshd:ubuntu "/root/run.sh" 3 seconds ago Up 2 seconds 0.0.0.0:32722->22/tcp lucid_kilby
On the host or on another machine, you can log in to the container over SSH through port 32722:
[root@docker ~]# ssh localhost -p 32722
The authenticity of host '[localhost]:32722 ([127.0.0.1]:32722)' can't be established.
ECDSA key fingerprint is SHA256:HbgbaaM1nUJN4NOJBUm9ej6Zlv8MPtwQNf7TzM/dNfw.
ECDSA key fingerprint is MD5:a0:d0:d8:8c:b8:0b:81:a3:e4:66:85:2d:02:ef:1c:4c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[localhost]:32722' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 14.04 LTS (GNU/Linux 4.4.0-127-generic x86_64)
* Documentation: https://help.ubuntu.com/
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
root@27e67a364adb:~#
10.2 Creating an image with a Dockerfile
10.2.1 Creating the working directory
Create the working directory:
[root@docker ~]# cd /data/
[root@docker data]# mkdir sshd_ubuntu
Create the Dockerfile and run.sh files:
[root@docker data]# cd sshd_ubuntu/
[root@docker sshd_ubuntu]# touch Dockerfile run.sh
[root@docker sshd_ubuntu]# ls
Dockerfile run.sh
10.2.2 Writing the run.sh script and the authorized_keys file
Write run.sh:
[root@docker sshd_ubuntu]# vi run.sh
#!/bin/bash
/usr/sbin/sshd -D
Generate an SSH key pair on the host and create the authorized_keys file:
[root@docker sshd_ubuntu]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /data/sshd_ubuntu/id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /data/sshd_ubuntu/id_rsa.
Your public key has been saved in /data/sshd_ubuntu/id_rsa.pub.
The key fingerprint is:
SHA256:eVQyTfWanGk+aVCCkW5KoVzmDCHbXX1z+M+z4S5ftkE root@docker
The key's randomart image is:
+---[RSA 2048]----+
| . .. ==o... |
| +..+..*o +..|
| ...B.oo ...+.|
| o +oo + =.|
| .So. . BE.|
| .. +.+o|
| *.*|
| o =+|
| ++ |
+----[SHA256]-----+
[root@docker sshd_ubuntu]# ls
Dockerfile id_rsa id_rsa.pub run.sh
[root@docker sshd_ubuntu]# cat ./id_rsa.pub > authorized_keys
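The key pair above is generated inside the build context directory, so the private key id_rsa now sits next to the Dockerfile. The following is an added example, not part of the original tutorial, that checks a build context before docker build runs: it refuses to continue if any file in the directory carries a private-key header (for instance after a mistaken cat id_rsa > authorized_keys or a broad COPY of the directory), and verifies that every line of authorized_keys is a public key. The function name check_build_context and the sample files written by the test are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original tutorial: sanity-check a build context
# such as /data/sshd_ubuntu before running docker build.
#
# check_build_context DIR
#   Returns 0 when the context is safe to build, 1 otherwise.
check_build_context() {
    dir="$1"
    rc=0

    # 1. Any file carrying a PEM private-key header is a leak risk: a later
    #    ADD/COPY of that file bakes the key into an image layer for good.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f" 2>/dev/null; then
            echo "private key found in build context: $f" >&2
            rc=1
        fi
    done

    # 2. authorized_keys must exist and every non-comment line must look like
    #    "<keytype> <base64> [comment]", i.e. a public key only.
    ak="$dir/authorized_keys"
    if [ ! -f "$ak" ]; then
        echo "missing $ak" >&2
        return 1
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        if ! printf '%s\n' "$line" | grep -Eq \
            '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'; then
            echo "authorized_keys: line is not a public key: ${line%% *}" >&2
            rc=1
        fi
    done < "$ak"

    # 3. A .dockerignore listing the private key keeps it out of the context
    #    entirely; this is only a hint and does not change the result.
    if [ ! -f "$dir/.dockerignore" ] || ! grep -q '^id_rsa$' "$dir/.dockerignore"; then
        echo "hint: add a line 'id_rsa' to $dir/.dockerignore" >&2
    fi
    return $rc
}
```

Run it as check_build_context /data/sshd_ubuntu before docker build; with the tutorial's layout it exits non-zero until id_rsa is moved out of the directory (or excluded via .dockerignore), because the Dockerfile only needs authorized_keys and run.sh.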
10.2.3 Writing the Dockerfile
[root@docker sshd_ubuntu]# vi Dockerfile
# Set the base image to inherit from
FROM ubuntu:14.04
# Provide author information
MAINTAINER doudou [email protected]
# Run the update command, install the service, and create the runtime directory
RUN apt-get update
RUN apt-get install -y openssh-server
RUN mkdir -p /var/run/sshd
RUN mkdir -p /root/.ssh
# Remove the PAM restriction
RUN sed -ri 's/session required pam_loginuid.so/#session required pam_loginuid.so/g' /etc/pam.d/sshd
# Copy the configuration files into place and make the script executable
ADD authorized_keys /root/.ssh/authorized_keys
ADD run.sh /root/run.sh
RUN chmod 755 /root/run.sh
# Open the port
EXPOSE 22
# Set the startup command
CMD ["/root/run.sh"]
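The sed in the Dockerfile matches the pam_loginuid.so line only if its columns are separated by single spaces. On Ubuntu the real /etc/pam.d/sshd separates the columns with runs of spaces, for example "session    required     pam_loginuid.so" (this is an assumption of the example; check your own file). A non-matching sed still exits 0, so the build reports success while the restriction stays in place and key logins fail with no obvious build error. The following added example, which is not part of the original tutorial, shows a whitespace-tolerant version of the edit together with a check that something was actually changed; the function names disable_pam_loginuid, count_active and make_sample_pam and the constructed pam.d fragment are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original tutorial: whitespace-tolerant edit of
# the pam_loginuid.so line, verified instead of assumed.

# count_active FILE
#   Prints how many still-active "session required pam_loginuid.so" lines
#   FILE contains (any amount of spaces/tabs between the columns).
count_active() {
    grep -Ec '^[[:space:]]*session[[:space:]]+required[[:space:]]+pam_loginuid\.so' "$1" || true
}

# disable_pam_loginuid FILE
#   Comments out every active pam_loginuid.so session line in FILE.
#   Returns 0 if at least one line was changed and none is left active,
#   1 if there was nothing to change.
disable_pam_loginuid() {
    file="$1"
    if [ "$(count_active "$file")" -eq 0 ]; then
        echo "no active pam_loginuid.so line in $file" >&2
        return 1
    fi
    # -E: extended regex; [[:space:]]+ tolerates any run of spaces or tabs.
    # Leading indentation (group 1) is preserved and '#' is inserted after it.
    sed -E 's/^([[:space:]]*)(session[[:space:]]+required[[:space:]]+pam_loginuid\.so)/\1#\2/' \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    [ "$(count_active "$file")" -eq 0 ]
}

# make_sample_pam FILE
#   Writes a constructed fragment shaped like Ubuntu's /etc/pam.d/sshd,
#   with multi-space column separators, for testing offline.
make_sample_pam() {
    printf '%s\n' \
        '# PAM configuration for the Secure Shell service' \
        '@include common-auth' \
        'account    required     pam_nologin.so' \
        '# Set the loginuid process attribute.' \
        'session    required     pam_loginuid.so' \
        '@include common-session' > "$1"
}
```

In a Dockerfile the same idea is a single RUN line that fails the build when nothing matched, for example RUN sed -E -i 's/^([[:space:]]*)(session[[:space:]]+required[[:space:]]+pam_loginuid\.so)/\1#\2/' /etc/pam.d/sshd && ! grep -Eq '^[[:space:]]*session[[:space:]]+required[[:space:]]+pam_loginuid\.so' /etc/pam.d/sshd, so a silent no-op cannot reach the image.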
10.2.4 Building the image
In the sshd_ubuntu directory, build the image with the docker build command. Note that the command must be followed by the directory containing the Dockerfile; the current directory is written as ".".
[root@docker sshd_ubuntu]# docker build -t sshd:ubuntu .
Sending build context to Docker daemon 8.192 kB
Step 1/12 : FROM ubuntu:14.04
---> 578c3e61a98c
Step 2/12 : MAINTAINER doudou [email protected]
---> Using cache
---> eace31c6bb6d
Step 3/12 : RUN apt-get update
---> Using cache
---> 3d4f351b1a53
Step 4/12 : RUN apt-get install -y openssh-server
---> Using cache
---> d9851a1b09ff
Step 5/12 : RUN mkdir -p /var/run/sshd
---> Using cache
---> d9b5ea037e1f
Step 6/12 : RUN mkdir -p /root/.ssh
---> Using cache
---> d9e24a54d8e6
Step 7/12 : RUN sed -ri 's/session required pam_loginuid.so/#session required pam_loginuid.so/g' /etc/pam.d/sshd
---> Running in 67a2cf2ec897
---> 347e66f8b722
Removing intermediate container 67a2cf2ec897
Step 8/12 : ADD authorized_keys /root/.ssh/authorized_keys
---> f9d4b46e594c
Removing intermediate container f77dd926178d
Step 9/12 : ADD run.sh /root/run.sh
---> 88fe6339457d
Removing intermediate container f896defef6d9
Step 10/12 : RUN chmod 755 /root/run.sh
---> Running in 489298a47cda
---> 4c35dac34e03
Removing intermediate container 489298a47cda
Step 11/12 : EXPOSE 22
---> Running in b62c52a2c7d1
---> 1058f88da421
Removing intermediate container b62c52a2c7d1
Step 12/12 : CMD /root/run.sh
---> Running in a08a7b50287a
---> 743f9832f75a
Removing intermediate container a08a7b50287a
Successfully built 743f9832f75a
When building a custom image from a Dockerfile, note that Docker automatically removes the intermediate containers it creates along the way (the "Removing intermediate container" lines above), and note how each numbered step corresponds to one instruction in the Dockerfile.
Once the command finishes, the line "Successfully built XXX" indicates that the image was created successfully.
[root@docker sshd_ubuntu]# docker images | grep sshd
sshd ubuntu 743f9832f75a About a minute ago 287 MB
10.2.5 Testing the image and running a container
Start the container:
[root@docker ~]# docker run -d -p 32723:22 sshd:ubuntu
d649bfaf45a12d79df6b30775acdfa1ee9c44b7a69750d2f5a699774d73e8e65
[root@docker ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d649bfaf45a1 sshd:ubuntu "/root/run.sh" 4 seconds ago Up 4 seconds 0.0.0.0:32723->22/tcp adoring_hopper
Test the connection:
[root@docker ~]# ssh localhost -i /data/sshd_ubuntu/id_rsa -p 32723
The authenticity of host '[localhost]:32723 ([127.0.0.1]:32723)' can't be established.
ECDSA key fingerprint is SHA256:J6JB0XkO9rF8SBrorexymoMMybYpbA7QWhZrFvwRYag.
ECDSA key fingerprint is MD5:2d:94:bf:89:bd:76:f9:25:8c:9b:d3:3e:2b:15:82:9d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[localhost]:32723' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 14.04 LTS (GNU/Linux 4.4.0-127-generic x86_64)
* Documentation: https://help.ubuntu.com/
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
root@d649bfaf45a1:~#
-i specifies the path to the private key
-p specifies the port
Other: clearing the local SSH login records (the known_hosts cache)
[root@docker ~]# ls -al /root/.ssh/
总用量 20
drwx------ 2 root root 71 5月 25 14:19 .
dr-xr-x---. 19 root root 4096 6月 26 09:37 ..
-rw-r--r-- 1 root root 140 5月 25 14:19 config
-rw------- 1 root root 1675 5月 25 14:10 id_rsa
-rw-r--r-- 1 root root 394 5月 25 14:10 id_rsa.pub
-rw-r--r-- 1 root root 1788 6月 26 11:12 known_hosts
[root@docker ~]# vi .ssh/known_hosts
Simply delete the entries you no longer want.
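Each freshly built sshd image gets its own host keys, so the known_hosts entry recorded for "[localhost]:32722" from an earlier container no longer matches the next one on the same port and ssh refuses the connection until that entry is gone. Deleting exactly that entry is the right fix; disabling host-key checking is not. The following is an added example, not part of the original tutorial, that removes the entry for one host:port pair by its exact name rather than by hand-editing the file; the function name forget_host_key and the constructed known_hosts lines in the test are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original tutorial: remove the known_hosts entry
# for one host:port pair, written the way ssh prints it, e.g. '[localhost]:32722'.

# forget_host_key HOSTSPEC [KNOWN_HOSTS]
#   Removes every plain-text line whose host list contains HOSTSPEC exactly.
#   Lines with a leading marker (@cert-authority, @revoked) carry the host
#   list in the second field and are handled too. Hashed entries (lines
#   starting with "|1|") cannot be matched by name here; use
#   ssh-keygen -R HOSTSPEC for those.
#   Returns 0 if at least one line was removed, 1 otherwise.
forget_host_key() {
    host="$1"
    kh="${2:-$HOME/.ssh/known_hosts}"
    [ -f "$kh" ] || return 1
    tmp="$kh.tmp.$$"
    awk -v host="$host" '
        {
            # the host list is field 1, or field 2 after an @marker
            list = ($1 ~ /^@/) ? $2 : $1
            keep = 1
            n = split(list, hosts, ",")
            for (i = 1; i <= n; i++)
                if (hosts[i] == host) keep = 0
            if (keep) print
        }' "$kh" > "$tmp"
    # nothing removed: leave the original untouched and report failure
    if [ "$(wc -l < "$kh")" -eq "$(wc -l < "$tmp")" ]; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$kh"
}
```

Usage for the tutorial's case: forget_host_key '[localhost]:32722' before reconnecting to a rebuilt container on that port. ssh will then show the new fingerprint once and record it, which is what you want; compare it against the key in the container (/etc/ssh/ssh_host_ecdsa_key.pub) if the host is not under your own control.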