Docker: Adding an SSH Service to an Image

Before we begin

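This post was written after the author read the book 《Docker技術入門與實戰》, worked through it hands-on in an Ubuntu virtual machine, and ran into some practical problems along the way. If it infringes any rights, please contact the author to resolve the matter.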

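Test environment: an Ubuntu virtual machine on a Windows 10 host, with Docker already installed (see other tutorials for how to install Docker).
Docker offers two ways to create an image: with the docker commit command, or from a Dockerfile.
This post uses the Dockerfile approach.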

1 Create the working directory

First create a working directory named sshd_ubuntu_blog and change into it:

ag@ubuntu:~/studyDocker$ mkdir sshd_ubuntu_blog && cd sshd_ubuntu_blog
ag@ubuntu:~/studyDocker/sshd_ubuntu_blog$ 

Next, create the Dockerfile and run.sh files:

ag@ubuntu:~/studyDocker/sshd_ubuntu_blog$ touch Dockerfile run.sh
ag@ubuntu:~/studyDocker/sshd_ubuntu_blog$ ls
Dockerfile  run.sh

2 Write the run.sh script and create the authorized_keys file

The run.sh script starts the SSH service. Its contents are:

ag@ubuntu:~/studyDocker/sshd_ubuntu_blog$ cat run.sh 
#! /bin/bash
/usr/sbin/sshd -D

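The authorized_keys file is the key to passwordless SSH login; if the principle is unfamiliar, see this blog post. First, generate the SSH public key for the client (here, the Ubuntu virtual machine). While it runs, the command asks where to store the key, and I chose the default; if a key was generated earlier, it also asks whether to overwrite it: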

ag@ubuntu:~/studyDocker/sshd_ubuntu_blog$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ag/.ssh/id_rsa): 
/home/ag/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/ag/.ssh/id_rsa.
Your public key has been saved in /home/ag/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:fIJbGqA9l4Hpqhh7Affh2IGNIhaKZNqgU/OmADLQ6xo ag@ubuntu
The key's randomart image is:
+---[RSA 2048]----+
|o.               |
|=++  o           |
|X=.B+ .          |
|@.*+*. =         |
|oB.B+o= S .      |
|E =.+o = o       |
|.o..  o          |
|o+.              |
|+.               |
+----[SHA256]-----+

The location of the public key is printed while the command above runs. Run the following command to copy it into the authorized_keys file:

ag@ubuntu:~/studyDocker/sshd_ubuntu_blog$ cat ~/.ssh/id_rsa.pub > authorized_keys

To confirm that the copy succeeded, print the file's contents:

ag@ubuntu:~/studyDocker/sshd_ubuntu_blog$ cat authorized_keys 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClFVrZdT5fqnM+e1PgU6ZEOTIiESd7X6dgzJAL8Tvwb2Da8vY+UTKzwFywYI4rV1+7MZ0KP2Ld6GDuKCy+Y+ddKNGIBNe8Cjn8dTh4E1Lw2weoo0/pWF1DZEDXY6xCvoL6dVQISb3AQRQYWGiEsLeIgR/it6z+6fJiJNTlEtaleIDWixkZZfYdInQKiKVBcuWu6V5Pa0ZSV7x7cfiD/G3j9vSYtrlIX+eGny1Uc0yR6fXXfgnQQdZkPBzJtHbPSa+554yxrOtpl+2ZA/bf2xRIXy7K66xEakHPfWB74TFQ87wxmvgtOqwfl9uePS4K7lJ954XUOzq6N/X8ES41RTR9 ag@ubuntu
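
The authorized_keys file created above is later copied into the image, so a mistake here (an empty file, or id_rsa copied instead of id_rsa.pub) ends up in an image layer. The following pre-build check is an added example, not part of the original post; the function names check_authorized_keys and embedded_key_type are hypothetical, and it assumes GNU coreutils and lines in the plain "type base64 comment" form produced above.

```shell
#!/bin/sh
# Added example, not from the original post: lint authorized_keys before
# `docker build` copies it into an image layer. Assumes GNU coreutils
# (base64 -d, od, head -c) and the plain "type base64 comment" line form.

# Print the key type stored inside a base64 public-key blob.
# SSH wire format: 4-byte big-endian length, then the type name.
embedded_key_type() {
    local len
    set -- "$1" $(printf '%s' "$1" | base64 -d 2>/dev/null | od -An -tu1 -N4)
    [ $# -eq 5 ] || return 1
    len=$(( ($2 << 24) | ($3 << 16) | ($4 << 8) | $5 ))
    [ "$len" -gt 0 ] && [ "$len" -le 64 ] || return 1
    printf '%s' "$1" | base64 -d 2>/dev/null | tail -c +5 | head -c "$len"
}

# Return 0 only if the file holds at least one well-formed public key.
check_authorized_keys() {
    local file="$1" lineno=0 keys=0 bad=0 type blob rest embedded
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # id_rsa copied instead of id_rsa.pub would stay in the image layer.
    if grep -q 'PRIVATE KEY' "$file"; then
        echo "$file: contains private key material" >&2
        return 1
    fi
    while read -r type blob rest || [ -n "$type" ]; do
        lineno=$((lineno + 1))
        case $type in
            ''|'#'*) continue ;;
            ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp*) ;;
            *) echo "$file:$lineno: unexpected first field '$type'" >&2
               bad=1; continue ;;
        esac
        embedded=$(embedded_key_type "$blob") || embedded=
        if [ "$embedded" = "$type" ]; then
            keys=$((keys + 1))
        else
            echo "$file:$lineno: declared $type, blob holds '${embedded:-?}'" >&2
            bad=1
        fi
    done < "$file"
    # An empty file is what `cat missing.pub > authorized_keys` leaves behind.
    [ "$keys" -gt 0 ] || { echo "$file: no public keys found" >&2; bad=1; }
    return "$bad"
}
```

After sourcing the script, run `check_authorized_keys authorized_keys` in the build directory and proceed to the build only if it returns 0.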

3 Write the Dockerfile

The Dockerfile is used to build the Docker image. Its contents are:

FROM ubuntu:18.04
MAINTAINER AlaGeek (24******[email protected])
# The overseas mirrors are too slow, so switch the Ubuntu sources to the 163 mirror in China
RUN echo "deb http://mirrors.163.com/ubuntu/ bionic main restricted universe multiverse" > /etc/apt/sources.list
RUN echo "deb http://mirrors.163.com/ubuntu/ bionic-security main restricted universe multiverse" >> /etc/apt/sources.list
RUN echo "deb http://mirrors.163.com/ubuntu/ bionic-updates main restricted universe multiverse" >> /etc/apt/sources.list
RUN echo "deb http://mirrors.163.com/ubuntu/ bionic-proposed main restricted universe multiverse" >> /etc/apt/sources.list
RUN echo "deb http://mirrors.163.com/ubuntu/ bionic-backports main restricted universe multiverse" >> /etc/apt/sources.list
RUN apt-get update
# Install the SSH service
RUN apt-get install -y openssh-server
RUN mkdir -p /var/run/sshd
RUN mkdir -p /root/.ssh
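# PAM limits the number of failed user logins; this is only a test, so the PAM restriction is removed here. Weigh this carefully for real use.
# \s+ matches however many spaces separate the fields in /etc/pam.d/sshd
RUN sed -ri 's/^session\s+required\s+pam_loginuid\.so/#&/' /etc/pam.d/sshd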
# Copy the configuration files into place
ADD authorized_keys /root/.ssh/authorized_keys
ADD run.sh /run.sh
# Make the script executable
RUN chmod 755 /run.sh
# Expose port 22
EXPOSE 22
# Set the default startup command
CMD ["/run.sh"]

4 Build the image

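Run the following command in the sshd_ubuntu_blog directory (note the "." at the end of the command, which indicates that the Dockerfile is in the current directory):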

ag@ubuntu:~/studyDocker/sshd_ubuntu_blog$ docker build -t sshd:blog .

A successful build ends with:

Successfully built 9958d62beb4e
Successfully tagged sshd:blog

This shows that the sshd:blog image has been created and that its ID is 9958d62beb4e. The docker images command also lists it:

ag@ubuntu:~/studyDocker/sshd_ubuntu_blog$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED              SIZE
sshd                blog                9958d62beb4e        About a minute ago   207MB

5 Test

Use the following command to start a container from the sshd:blog image, mapping its port 22 to local port 10122:

ag@ubuntu:~/studyDocker/sshd_ubuntu_blog$ docker run -d -p 10122:22 sshd:blog
5a97e4a0849f2b966949f8a89de45c9710458203f737af659668f891e763417a

The string printed is the container's ID. Test the container with the following command:

ag@ubuntu:~/studyDocker/sshd_ubuntu_blog$ ssh root@127.0.0.1 -p 10122
The authenticity of host '[127.0.0.1]:10122 ([127.0.0.1]:10122)' can't be established.
ECDSA key fingerprint is SHA256:Cx8RX9fL3ZyXubghsH2RXoA4+nfoV29VhFUv5il4yAg.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[127.0.0.1]:10122' (ECDSA) to the list of known hosts.

Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 5.3.0-26-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

root@5a97e4a0849f:~# 

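As shown, we end up at the container's interactive prompt. One point to note: when connecting to the container over SSH, you must specify that you are logging in as the root user.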
