标签:empty last 查看ip key ges mit docker容器 port 使用
本章介绍如果通过ssh方式登陆Docker容器的操作记录(其实不太建议直接用ssh去连接上容器的想法,虽然可以,但是有很多弊端,而且docker已经提供了容器内执行的命令,没有必要再折腾每一个容器为sshd服务器。启动一个centos容器,然后安装基本的软件 [root@docker ~]# docker run -itd --name sshd centos /bin/bash a67a5c8ae426a841ad6c6aca6186f7fc585410471a6dfe69a1fc0e28d5a05953 [root@docker ~]# docker exec -it sshd /bin/bash [root@a67a5c8ae426 /]# wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo [root@a67a5c8ae426 /]# yum install wget vim ntpdate net-tools -y 安装ssh服务端 [root@a67a5c8ae426 /]# yum clean all [root@a67a5c8ae426 /]# yum install openssh-server -y 修改容器密码(提前yum -y reinstall cracklib-dicts) [root@a67a5c8ae426 /]# echo "123456" |passwd --stdin root 产生公私钥 [root@a67a5c8ae426 /]# ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): Created directory '/root/.ssh'. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/.ssh/id_rsa. Your public key has been saved in /root/.ssh/id_rsa.pub. The key fingerprint is: SHA256:tJ01c3RqkgtNijf6D9q6SXZJ9ZFQUvpbrnkCmW55T9Y root@a67a5c8ae426 The key's randomart image is: +---[RSA 2048]----+ | +o+ .| | . + * + | | o = X * | | . = * X . | | S + .oo .| | o .+ +.| | o =. o. E| | o = o+ o=.| | =o....o+.| +----[SHA256]-----+ [root@a67a5c8ae426 /]# cd ~/.ssh/ [root@a67a5c8ae426 .ssh]# ls id_rsa id_rsa.pub [root@a67a5c8ae426 .ssh]# cp id_rsa.pub authorized_keys [root@a67a5c8ae426 .ssh]# ls authorized_keys id_rsa id_rsa.pub [root@a67a5c8ae426 .ssh]# 执行sshd命令,有报错: [root@a67a5c8ae426 .ssh]# /usr/sbin/sshd Could not load host key: /etc/ssh/ssh_host_rsa_key Could not load host key: /etc/ssh/ssh_host_ecdsa_key Could not load host key: /etc/ssh/ssh_host_ed25519_key sshd: no hostkeys available -- exiting. [root@a67a5c8ae426 .ssh]# 解决办法: [root@a67a5c8ae426 .ssh]# ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key //均是一路回车 [root@a67a5c8ae426 .ssh]# ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key [root@a67a5c8ae426 .ssh]# ssh-keygen -t rsa -f /etc/ssh/ssh_host_ecdsa_key [root@a67a5c8ae426 .ssh]# ssh-keygen -t rsa -f /etc/ssh/ssh_host_ed25519_key 再次执行sshd命令,如果没有报错,说明可以启动了 [root@a67a5c8ae426 .ssh]# /usr/sbin/sshd [root@a67a5c8ae426 .ssh]# netstat -tnlp Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 160/sshd tcp6 0 0 :::22 :::* LISTEN 160/sshd [root@a67a5c8ae426 .ssh]# -----------------------启动ssh,如果报错如下(这是centos7下的一个bug)------------------------- [root@a67a5c8ae426 .ssh]# systemctl status sshd Failed to get D-Bus connection: Operation not permitted 解决办法如下: 先把上面的容器关闭(docker stop container-id),然后重新启动容器,启动时加上参数--privileged(特权参数,也可以是--privileged=true,如果启动容器中挂载目录没有权限也可以添加此参数)和/sbin/init(代替/bin/bash),如下: [root@docker ~]# docker run -itd --privileged --name sshd centos /sbin/init [root@docker ~]# docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 884db829911f centos "/sbin/init" 33 seconds ago Up 31 seconds sshd [root@docker ~]# 其实命令/sbin/init和/usr/sbin/init运行容器都可以。 [root@docker ~]# ll -ld /sbin/init lrwxrwxrwx 1 root root 22 Jan 30 17:17 /sbin/init -> ../lib/systemd/systemd [root@docker ~]# ll -ld /usr/sbin/init lrwxrwxrwx 1 root root 22 Jan 30 17:17 /usr/sbin/init -> ../lib/systemd/systemd [root@docker ~]# 然后按照容器的ID进去,这个时候再根据/bin/bash进入容器(前面加exec -it参数),接着重启ssh服务就ok了 [root@docker ~]# docker exec -it sshd /bin/bash [root@884db829911f /]# yum install wget vim net-tools ntpdate openssh-server -y [root@884db829911f /]# systemctl restart sshd.service [root@884db829911f /]# echo "123456" |passwd --stdin root 查看ssh端口,发现22端口已经开启 [root@884db829911f /]# netstat -tnlp|grep sshd tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 220/sshd tcp6 0 0 :::22 :::* LISTEN 220/sshd [root@884db829911f /]#
然后docker ps查看下容器,提交更改为新镜像,运行新的镜像
[root@docker ~]# docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 884db829911f centos "/sbin/init" 6 minutes ago Up 6 minutes sshd 关闭容器 [root@docker ~]# docker stop sshd sshd 接着提交改为新的镜像,提交名为wangssh的镜像(提交成功后,之前创建的容器可以选择删除(docker ps -a 查看);当然不删除也不影响。建议不要删除,可以再次启用提交新的镜像以便他用。) [root@docker ~]# docker commit sshd centos7.4-ssh sha256:e990237344dcb59c45b68fd91e952af6419415d78d0c2ac86fba68c22ff00d6 提交成功后,使用docker images可以查看到 [root@docker ~]# docker images REPOSITORY TAG IMAGE ID CREATED SIZE centos7.4-ssh latest e990237344dc 31 seconds ago 363MB centos latest ff426288ea90 3 weeks ago 207MB 然后运行新的镜像 [root@docker ~]# docker run -d -p 2022:22 centos7.4-ssh /usr/sbin/sshd -D 7a5441309940af66119989aac03ef79fddd8d145c10fc19a7ec937802b86df29 [root@docker ~]# 上面运行命令中的参数解释: -d 后台运行容器 -p 容器端口映射到主机[可选] 使用docker ps查看运行的容器 [root@docker ~]# docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 7a5441309940 centos7.4-ssh "/usr/sbin/sshd -D" 28 seconds ago Up 26 seconds 0.0.0.0:2022->22/tcp laughing_yonath 此时你可以直接连接容器,也可以通过端口映射连接容器(使用之前创建的容器密码123456登陆) [root@docker ~]# ssh -p2022 root@localhost The authenticity of host '[localhost]:2022 ([::1]:2022)' can't be established. ECDSA key fingerprint is b1:37:95:96:11:1c:60:fd:8c:e2:e7:b3:3a:68:b6:85. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '[localhost]:2022' (ECDSA) to the list of known hosts. root@localhost's password: [root@7a5441309940 ~]#
如果要想做ssh无密码登陆的信任关系,只需要将物理机本地的~/.ssh/id_rsa.pub拷贝到容器里的~/.ssh/authorized_keys即可
接着上面ID为7a5441309940的容器登陆后的操作: [root@docker ~]# ssh-keygen -t rsa [root@docker ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub IP地址 将物理机本地的~/.ssh/id_rsa.pub拷贝到容器里 [root@docker ~]# docker cp ~/.ssh/id_rsa.pub 7a5441309940:/root/.ssh/ 然后到容器里将id_rsa.pub拷贝为authorized_keys [root@docker ~]# docker exec -it 7a5441309940 /bin/bash [root@7a5441309940 /]# cd ~/.ssh/ [root@7a5441309940 .ssh]# cp id_rsa.pub authorized_keys 接着提交为新镜像 [root@docker ~]# docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 7a5441309940 centos7.4-ssh "/usr/sbin/sshd -D" 40 minutes ago Up 40 minutes 0.0.0.0:2022->22/tcp laughing_yonath [root@docker ~]# [root@docker ~]# docker stop 7a5441309940 7a5441309940 [root@docker ~]# docker commit 7a5441309940 centos7.4-ssh:v1 sha256:80da77f10ad4337dc6f41e84b65d6b2f74370c974bacb819f5c127276075282e [root@docker ~]# docker run -d -p 2022:22 centos7.4-ssh:v1 /usr/sbin/sshd -D 40501782a73f27eac93fe5f2d3ceac3ff83650c5f3a1cead02d7af6898686cb7 最后尝试ssh方式连接容器,发现可以无密码登陆了~ [root@docker ~]# ssh -p2022 root@localhost Last login: Wed Jan 31 09:13:33 2018 from gateway [root@40501782a73f ~]#
当登录到容器后,如何可以查看下容器ip
第一种方式: [root@docker ~]# docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 40501782a73f centos7.4-ssh:v1 "/usr/sbin/sshd -D" 3 minutes ago Up 3 minutes 0.0.0.0:2022->22/tcp vigorous_borg [root@docker ~]# docker inspect 40501782a73f |grep IPAddress "SecondaryIPAddresses": null, "IPAddress": "172.17.0.2", "IPAddress": "172.17.0.2", [root@docker ~]# 第二种方式: [root@docker ~]# docker inspect --format='{{.NetworkSettings.IPAddress}}' 40501782a73f 172.17.0.2 第三种方式: 登陆到容器里使用“yum install net-tools”,安装后就可以使用ifconfig命令查看ip了 当知道了容器的ip后,就可以使用ssh直接连接容器的22端口即可! [root@docker ~]# ssh 172.17.0.2 Last login: Wed Jan 31 09:21:45 2018 from gateway [root@40501782a73f ~]#
标签:empty last 查看ip key ges mit docker容器 port 使用
原文地址:http://blog.51cto.com/dengaosky/2067424