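Docker in Practice: Creating an Image with SSH Service Support (Very Detailed)

Creating the image with docker commit

Docker provides the docker commit command, which lets users commit the changes they have made to a customized container and generate a new image from them.

Command format: docker commit CONTAINER [REPOSITORY[:TAG]]

Preparation

Create a container from the ubuntu:14.04 image: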

[root@node1 ~]# docker images
REPOSITORY              TAG                 IMAGE ID            CREATED             SIZE
docker.io/ubuntu        latest              b44d403a0d52        3 days ago          64.2 MB
docker.io/nginx         latest              540a289bab6c        12 days ago         126 MB
docker.io/hello-world   latest              fce289e99eb9        10 months ago       1.84 kB
[root@node1 ~]# 
[root@node1 ~]# docker run -it docker.io/ubuntu /bin/bash
root@b44d403a0d52:/# 

Update the apt cache:

Switch the package source:
vi /etc/apt/sources.list

#aliyun
deb http://mirrors.aliyun.com/ubuntu/ trusty main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ trusty-security main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ trusty-updates main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ trusty-proposed main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ trusty-backports main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ trusty main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ trusty-security main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ trusty-updates main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ trusty-proposed main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ trusty-backports main restricted universe multiverse

Run: apt-get update

root@b44d403a0d52:/# apt-get update
Ign http://mirrors.aliyun.com trusty InRelease
Get:1 http://mirrors.aliyun.com trusty-security InRelease [65.9 kB]
Get:2 http://mirrors.aliyun.com trusty-updates InRelease [65.9 kB]
Get:3 http://mirrors.aliyun.com trusty-proposed InRelease [65.9 kB]
Get:4 http://mirrors.aliyun.com trusty-backports InRelease [65.9 kB]
Get:5 http://mirrors.aliyun.com trusty Release.gpg [933 B]      
Get:6 http://mirrors.aliyun.com trusty-security/main Sources [220 kB]
Get:7 http://mirrors.aliyun.com trusty-security/restricted Sources [5050 B]
Get:8 http://mirrors.aliyun.com trusty-security/universe Sources [126 kB]
Get:9 http://mirrors.aliyun.com trusty-security/multiverse Sources [3070 B]
Get:10 http://mirrors.aliyun.com trusty-security/main amd64 Packages [1032 kB]
Get:11 http://mirrors.aliyun.com trusty-security/restricted amd64 Packages [18.1 kB]
Get:12 http://mirrors.aliyun.com trusty-security/universe amd64 Packages [377 kB]
Get:13 http://mirrors.aliyun.com trusty-security/multiverse amd64 Packages [4730 B]
Get:14 http://mirrors.aliyun.com trusty-updates/main Sources [532 kB]
Get:15 http://mirrors.aliyun.com trusty-updates/restricted Sources [6444 B]
Get:16 http://mirrors.aliyun.com trusty-updates/universe Sources [288 kB]
Get:17 http://mirrors.aliyun.com trusty-updates/multiverse Sources [7389 B]
Get:18 http://mirrors.aliyun.com trusty-updates/main amd64 Packages [1460 kB]
Get:19 http://mirrors.aliyun.com trusty-updates/restricted amd64 Packages [21.4 kB]
Get:20 http://mirrors.aliyun.com trusty-updates/universe amd64 Packages [671 kB]
Get:21 http://mirrors.aliyun.com trusty-updates/multiverse amd64 Packages [16.1 kB]
Get:22 http://mirrors.aliyun.com trusty Release [58.5 kB]
Get:23 http://mirrors.aliyun.com trusty-proposed/main Sources [1518 B]    
Get:24 http://mirrors.aliyun.com trusty-proposed/restricted Sources [699 B]
Get:25 http://mirrors.aliyun.com trusty-proposed/universe Sources [18.3 kB]
Get:26 http://mirrors.aliyun.com trusty-proposed/multiverse Sources [40 B]
Get:27 http://mirrors.aliyun.com trusty-proposed/main amd64 Packages [4519 B]
Get:28 http://mirrors.aliyun.com trusty-proposed/restricted amd64 Packages [681 B]
Get:29 http://mirrors.aliyun.com trusty-proposed/universe amd64 Packages [10.5 kB]
Get:30 http://mirrors.aliyun.com trusty-proposed/multiverse amd64 Packages [40 B]
Get:31 http://mirrors.aliyun.com trusty-backports/main Sources [10.4 kB]
Get:32 http://mirrors.aliyun.com trusty-backports/restricted Sources [40 B]
Get:33 http://mirrors.aliyun.com trusty-backports/universe Sources [41.3 kB]
Get:34 http://mirrors.aliyun.com trusty-backports/multiverse Sources [1747 B]
Get:35 http://mirrors.aliyun.com trusty-backports/main amd64 Packages [14.7 kB]
Get:36 http://mirrors.aliyun.com trusty-backports/restricted amd64 Packages [40 B]
Get:37 http://mirrors.aliyun.com trusty-backports/universe amd64 Packages [52.5 kB]
Get:38 http://mirrors.aliyun.com trusty-backports/multiverse amd64 Packages [1392 B]
Get:39 http://mirrors.aliyun.com trusty/main Sources [1335 kB]
Get:40 http://mirrors.aliyun.com trusty/restricted Sources [5335 B]
Get:41 http://mirrors.aliyun.com trusty/universe Sources [7926 kB]
Get:42 http://mirrors.aliyun.com trusty/multiverse Sources [211 kB]
Get:43 http://mirrors.aliyun.com trusty/main amd64 Packages [1743 kB]
Get:44 http://mirrors.aliyun.com trusty/restricted amd64 Packages [16.0 kB]
Get:45 http://mirrors.aliyun.com trusty/universe amd64 Packages [7589 kB]
Get:46 http://mirrors.aliyun.com trusty/multiverse amd64 Packages [169 kB]     
Fetched 24.3 MB in 8s (3029 kB/s)                                              
Reading package lists... Done

Install the SSH service:
apt-get install openssh-server -y

For the SSH service to start properly, the directory /var/run/sshd must exist. Create it manually and start the SSH service:

root@b44d403a0d52:/# mkdir -p /var/run/sshd           
root@b44d403a0d52:/# /usr/sbin/sshd -D &
[1] 3035
root@b44d403a0d52:/# 

Now check port 22 in the container:

root@b44d403a0d52:/# netstat -lnutp | grep 22

Modify the SSH service's secure login configuration to remove the PAM login restriction:

root@b44d403a0d52:/# sed -ri 's/session    required     pam_loginuid.so/#session    required     pam_loginuid.so/g' /etc/pam.d/sshd
root@b44d403a0d52:/# 

Create a .ssh directory in the root user's home directory, and copy the host's login public key into authorized_keys under that directory:

root@b44d403a0d52:/# mkdir /root/.ssh
root@b44d403a0d52:/# cd /root/.ssh
root@b44d403a0d52:~/.ssh# ls
root@b44d403a0d52:~/.ssh# vi /root/.ssh/authorized_keys
  

Create run.sh, an executable script that starts the SSH service automatically, and make it executable:

root@b44d403a0d52:/# cat run.sh
#!/bin/bash
/usr/sbin/sshd -D
root@b44d403a0d52:/# chmod +x run.sh
root@b44d403a0d52:/#

Save the image:
[root@node1 ~]# docker commit b44 sshd:ubuntu


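Using the image

Start a container and add the port mapping 10022->22, where 10022 is the port on the host and 22 is the port the container's SSH service listens on: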

[root@node1 ~]# docker run -it --name sshd_ubuntu -p 10022:22 sshd:ubuntu
root@2f3d3f69a26c:/# 

Check the IP address:

root@2f3d3f69a26c:/# ip a            
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
27: eth0@if28: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.3/16 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe11:3/64 scope link 
       valid_lft forever preferred_lft forever
root@2f3d3f69a26c:/# 
[root@node1 ~]# ssh 172.17.0.3
The authenticity of host '172.17.0.3 (172.17.0.3)' can't be established.
ECDSA key fingerprint is SHA256:E52UcTYNRUigoz7AjFcNNZxtxMAxfuXb2Oqn71wZIXA.
ECDSA key fingerprint is MD5:6f:4f:32:90:c8:59:6b:cb:b3:fa:92:32:71:46:eb:e3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.17.0.3' (ECDSA) to the list of known hosts.


Welcome to Ubuntu 14.04 LTS (GNU/Linux 4.4.0-146-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

root@2f3d3f69a26c:~# 
root@2f3d3f69a26c:~# 

Creating the image with a Dockerfile

Create a working directory

[root@node1 ~]# mkdir ubuntu
[root@node1 ~]# cd ubuntu
[root@node1 ubuntu]# touch Dockerfile run.sh
[root@node1 ubuntu]# ls
Dockerfile  run.sh
[root@node1 ubuntu]# 

Create the Dockerfile and run.sh files in this directory.

Write the run.sh script and the authorized_keys file

The contents of run.sh are as follows:

#!/bin/bash
/usr/sbin/sshd -D

Generate an SSH key pair on the host and create the authorized_keys file from the public key:

ssh-keygen -t rsa

cat /root/.ssh/id_rsa.pub > ./authorized_keys

Write the Dockerfile

# Set the base image
FROM ubuntu:14.04

# Provide some author information
MAINTAINER docker_user([email protected])

# Run the update command
RUN apt-get update

# Install the SSH service
RUN apt-get install -y openssh-server
RUN mkdir -p /var/run/sshd
RUN mkdir -p /root/.ssh

# Remove the PAM restriction
RUN sed -ri 's/session\s+required\s+pam_loginuid.so/#session required pam_loginuid.so/g' /etc/pam.d/sshd

# Copy the configuration files into place and make the script executable
ADD authorized_keys /root/.ssh/authorized_keys
ADD run.sh /run.sh
RUN chmod 755 /run.sh

# Expose the port
EXPOSE 22

# Set the default startup command
CMD ["/run.sh"]
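
sed exits with status 0 even when its pattern matches nothing, so a mistyped expression in the PAM step (in either the docker commit procedure or the Dockerfile) leaves pam_loginuid.so active without any error. The following is an added example, not code from the original article; the helper name disable_pam_loginuid and the sample file contents are constructed for illustration. It applies the edit with whitespace-tolerant matching and fails if the expected line was not actually commented out:

```shell
#!/bin/bash
# Added example, not from the original article.
# disable_pam_loginuid is a hypothetical helper name.

PAM_RE='session[[:space:]]+required[[:space:]]+pam_loginuid\.so'

disable_pam_loginuid() {
    pam_file="$1"
    [ -f "$pam_file" ] || { echo "missing: $pam_file" >&2; return 2; }
    # Comment out the active line; [[:space:]]+ tolerates any column spacing.
    sed -ri "s/^[[:space:]]*${PAM_RE}/#&/" "$pam_file" || return 2
    # sed exits 0 even when nothing matched, so inspect the file itself.
    if grep -Eq "^[[:space:]]*${PAM_RE}" "$pam_file"; then
        echo "pam_loginuid.so still active in $pam_file" >&2
        return 1
    fi
    if ! grep -Eq "^#[[:space:]]*${PAM_RE}" "$pam_file"; then
        echo "expected pam_loginuid.so line not found in $pam_file" >&2
        return 1
    fi
}

# Constructed sample resembling /etc/pam.d/sshd (not copied from a real system).
sample=$(mktemp)
printf '%s\n' \
    '@include common-account' \
    'session    required     pam_loginuid.so' \
    'session    optional     pam_keyinit.so force revoke' > "$sample"

if disable_pam_loginuid "$sample"; then
    echo "pam_loginuid.so disabled:"
    grep pam_loginuid "$sample"
fi
rm -f "$sample"
```

In a Dockerfile, the equivalent is a RUN step that chains the sed with a grep for the commented-out line, so docker build stops when the edit did not apply.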

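Build the image

Run this command to build the image:
docker build -t sshd:dockerfile .

Remember to run this command in the directory that contains the Dockerfile; otherwise it fails with a directory-not-found error.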


[root@node1 ~]# ssh 172.17.0.2
The authenticity of host '172.17.0.2 (172.17.0.2)' can't be established.
ECDSA key fingerprint is SHA256:E52UcTYNRUigoz7AjFcNNZxtxMAxfuXb2Oqn71wZIXA.
ECDSA key fingerprint is MD5:6f:4f:32:90:c8:59:6b:cb:b3:fa:92:32:71:46:eb:e3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.17.0.2' (ECDSA) to the list of known hosts.


Welcome to Ubuntu 14.04 LTS (GNU/Linux 4.4.0-146-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

root@1c79d6ccaebe:~# 
root@1c79d6ccaebe:~# 

Connection successful!
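
Both login transcripts on this page show the same ECDSA host key fingerprint for two different container addresses. The openssh-server package generates its host keys at install time, so an image built this way contains them and every container started from it presents the same keys. The following is an added example, not code from the original article; the helper name shared_host_keys and the sample known_hosts entries (including the placeholder key strings) are constructed. It lists host keys that a known_hosts file records under more than one entry:

```shell
#!/bin/bash
# Added example, not from the original article.
# shared_host_keys is a hypothetical helper name.

# Print "<keytype> <host,host,...>" for every host key that a known_hosts
# file records under more than one entry.
shared_host_keys() {
    awk '
        /^[ \t]*#/ || /^@/ || NF < 3 { next }   # comments, marker lines, malformed
        {
            id = $2 " " $3                       # key type + base64 key
            if (id in hosts) { hosts[id] = hosts[id] "," $1; count[id]++ }
            else { order[++n] = id; ktype[id] = $2; hosts[id] = $1; count[id] = 1 }
        }
        END {
            for (j = 1; j <= n; j++)
                if (count[order[j]] > 1) print ktype[order[j]], hosts[order[j]]
        }
    ' "$1"
}

# Constructed sample: placeholder strings stand in for real base64 keys.
sample=$(mktemp)
printf '%s\n' \
    '172.17.0.3 ecdsa-sha2-nistp256 CONSTRUCTED_KEY_A' \
    '172.17.0.2 ecdsa-sha2-nistp256 CONSTRUCTED_KEY_A' \
    '192.0.2.10 ssh-ed25519 CONSTRUCTED_KEY_B' > "$sample"
shared_host_keys "$sample"
rm -f "$sample"
```

An entry reported here means a client cannot tell those hosts apart by host key, which is the condition to look for when containers are cloned from one image that ships its own keys.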

Reposted from blog.csdn.net/qq_43442524/article/details/102902686