前面几篇已经介绍了Docker基础环境的部署,下面介绍下通过ssh方式登陆Docker容器的操作记录(其实不太建议直接用ssh去连接上容器的想法,虽然可以,但是有很多弊端,而且docker已经提供了容器内执行的命令,没有必要再折腾每一个容器为sshd服务器。具体参考:http://jpetazzo.github.io/2014/06/23/docker-ssh-considered-evil/)
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
|
[root@localhost ~]
# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
centos7 7.3.1611 d5ebea14da54 2 weeks ago 311 MB
<none> <none> d5c154b612c8 2 weeks ago 311 MB
test
latest ecefde07358f 11 weeks ago 599.6 MB
learn
/ping
latest fea07d84b0df 4 months ago 196.7 MB
docker.io
/tomcat
latest ebb17717bed4 4 months ago 355.4 MB
docker.io
/centos
latest 980e0e4c79ec 6 months ago 196.7 MB
nginx 1.9 c8c29d842c09 9 months ago 182.7 MB
docker.io
/redis
2.8.19 dd9fe7db5236 22 months ago 110.7 MB
[root@localhost ~]
# docker run -i -t centos7:7.3.1611 /bin/bash
[root@a3c8baf6961e /]
# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
[root@a3c8baf6961e /]
# yum install wget vim
[root@a3c8baf6961e /]
# wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
安装
ssh
服务端
[root@a3c8baf6961e /]
# yum cleal all
[root@a3c8baf6961e /]
# yum install passwd
[root@a3c8baf6961e /]
# yum install openssh-server
修改容器密码(提前yum -y reinstall cracklib-dicts)
[root@a3c8baf6961e /]
# echo "123456" |passwd --stdin root
产生公私钥
[root@a3c8baf6961e /]
# ssh-keygen -t rsa //一路回车
[root@a3c8baf6961e /]
# cd ~/.ssh/
[root@a3c8baf6961e .
ssh
]
# ls
id_rsa id_rsa.pub
[root@a3c8baf6961e .
ssh
]
# cp id_rsa.pub authorized_keys
[root@a3c8baf6961e .
ssh
]
# ls
authorized_keys id_rsa id_rsa.pub
执行sshd命令,有报错:
[root@a3c8baf6961e .
ssh
]
# /usr/sbin/sshd
Could not load host key:
/etc/ssh/ssh_host_rsa_key
Could not load host key:
/etc/ssh/ssh_host_dsa_key
Could not load host key:
/etc/ssh/ssh_host_ecdsa_key
Could not load host key:
/etc/ssh/ssh_host_ed25519_key
解决办法:
[root@a3c8baf6961e .
ssh
]
# ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key //均是一路回车
[root@a3c8baf6961e .
ssh
]
# ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key
[root@a3c8baf6961e .
ssh
]
# ssh-keygen -t rsa -f /etc/ssh/ssh_host_ecdsa_key
[root@a3c8baf6961e .
ssh
]
# ssh-keygen -t rsa -f /etc/ssh/ssh_host_ed25519_key
再次执行sshd命令,如果没有报错,说明可以启动了
[root@a3c8baf6961e .
ssh
]
# /usr/sbin/sshd
[root@a3c8baf6961e .
ssh
]
#
-----------------------启动
ssh
,如果报错如下(这是centos7下的一个bug)-------------------------
[root@a3c8baf6961e .
ssh
]
# systemctl restart sshd.service
Failed to get D-Bus connection: Operation not permitted
这个报错在之前的文档里就已经提到过了
解决办法如下:
先把上面的容器关闭(docker stop container-
id
),然后重新启动容器,启动时加上参数--privileged(特权参数,也可以是--privileged=
true
,如果启动容器中挂载目录没有权限也可以添加此参数)和
/sbin/init
(代替
/bin/bash
),如下:
[root@localhost ~]
# docker run --privileged -i -t centos7:7.3.1611 /sbin/init
上面的容器启动后,会一直在卡着的状态中,先不用管,打开另一个终端窗口,查看容器
[root@localhost ~]
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
af40bd07fa0f centos7:7.3.1611
"/sbin/init"
28 seconds ago Up 28 seconds nauseous_shirley
然后按照容器的ID进去,这个时候再根据
/bin/bash
进入容器(前面加
exec
-it参数),接着重启
ssh
服务就ok了
[root@localhost ~]
# docker exec -it af40bd07fa0f /bin/bash
[root@af40bd07fa0f /]
# systemctl restart sshd.service
[root@af40bd07fa0f /]
# echo "123456" |passwd --stdin root //注意这里由于上述特殊情况重新启动了容器,之前创建的root密码无效了(这就相当于重新另起了一个容器),需要重新修改下root密码!!可以随便创建个用户,然后切换到root,测试下之前创建的root密码是否还有效!
--------------------------------------------------------------------------------------------------
查看
ssh
端口,发现22端口已经开启
[root@af40bd07fa0f /]
# ss -a|grep ssh
tcp LISTEN 0 128 *:
ssh
*:*
tcp LISTEN 0 128 :::
ssh
:::*
[root@af40bd07fa0f /]
# ss -ln|grep 22
u_dgr UNCONN 0 0 * 26884224 * 26885412
tcp LISTEN 0 128 *:22 *:*
tcp LISTEN 0 128 :::22 :::*
|
然后docker ps查看下容器,提交更改为新镜像,运行新的镜像
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
|
[root@localhost ~]
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
af40bd07fa0f centos7:7.3.1611
"/sbin/init"
21 minutes ago Up 21 minutes nauseous_shirley
记住这个容器ID,然后关闭
[root@localhost ~]
# docker stop af40bd07fa0f
af40bd07fa0f
接着提交改为新的镜像,使用上一步的容器ID,提交名为wangssh的镜像(提交成功后,之前创建的容器可以选择删除(docker
ps
-a 查看);当然不删除也不影响。建议不要删除,可以再次启用提交新的镜像以便他用。)
[root@localhost ~]
# docker commit af40bd07fa0f wangssh
sha256:ca5e393b7605949e58c1067c1bc73d99d52f47107756f0ade1725ca04886fd71
[root@localhost ~]
#
提交成功后,使用docker images可以查看到
[root@localhost ~]
# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
wangssh latest ca5e393b7605 57 seconds ago 327.1 MB
centos7 7.3.1611 d5ebea14da54 2 weeks ago 311 MB
然后运行新的镜像
[root@localhost ~]
# docker run -d -p 220:22 wangssh /usr/sbin/sshd -D
b0a845a3dedeac7b46002d1c8514077309d88dcc0667b7080bc1ab67d70eb167
docker: Error response from daemon: Cannot start container b0a845a3dedeac7b46002d1c8514077309d88dcc0667b7080bc1ab67d70eb167: [9] System error: SELinux policy denies access..
如上出现上面的报错,这是由于selinux造成的!需要关闭selinux,如下:
[root@localhost ~]
# setenforce 0
[root@localhost ~]
# getenforce
Permissive
然后再次运行新的镜像,就成功了!
[root@localhost ~]
# docker run -d -p 220:22 wangssh /usr/sbin/sshd -D
0a7c1406361ef52dcc5c32801e4c7c231078594cd7010375ea33fe3024cc9126
[root@localhost ~]
#
上面运行命令中的参数解释:
-d 后台运行容器
-p 容器端口映射到主机[可选]
使用docker
ps
查看运行的容器
[root@localhost ~]
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0a7c1406361e wangssh
"/usr/sbin/sshd -D"
About a minute ago Up About a minute 0.0.0.0:220->22
/tcp
focused_hawking
此时你可以直接连接容器,也可以通过端口映射连接容器(使用之前创建的容器密码123456登陆)
[root@localhost ~]
# ssh -p220 root@localhost
root@localhost's password:
[root@0a7c1406361e ~]
#
|
------------------------------------------------------------------------------------------------------------------
如果要想做ssh无密码登陆的信任关系,只需要将物理机本地的~/.ssh/id_rsa.pub拷贝到容器里的~/.ssh/authorized_keys即可
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
|
接着上面ID为aea267757cc9的容器登陆后的操作:
[root@localhost ~]
# docker exec -it aea267757cc9 /bin/bash
[root@aea267757cc9 /]
# ssh-keygen -t rsa //一路回车
将物理机本地的~/.
ssh
/id_rsa
.pub拷贝到容器里
[root@localhost ~]
# docker cp ~/.ssh/id_rsa.pub aea267757cc9:/root/.ssh/
然后到容器里将id_rsa.pub拷贝为authorized_keys
[root@aea267757cc9 /]
# cd ~
[root@aea267757cc9 ~]
# cd .ssh/
[root@aea267757cc9 .
ssh
]
# cp id_rsa.pub authorized_keys
接着提交为新镜像
[root@localhost ~]
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
aea267757cc9 centos7:7.3.1611
"/sbin/init"
About an hour ago Up 38 minutes admiring_hodgkin
fc726a6a27d2 centos
"/bin/bash"
3 months ago Up 3 months 0.0.0.0:32772->80
/tcp
web1
9d99c7b9451b centos
"/bin/bash"
3 months ago Up 3 months 0.0.0.0:32769->8080
/tcp
web3
[root@localhost ~]
# docker stop aea267757cc9
aea267757cc9
[root@localhost ~]
# docker commit aea267757cc9 hahassh
sha256:906bf1bd2a156b1222def7d3d21fbc2cd7e963fc923f5a6da92e6b45954688d9
[root@localhost ~]
# setenforce 0
[root@localhost ~]
# docker run -d -p 220:22 hahassh /usr/sbin/sshd -D
8b9c153463c73122cfd787a27190a8665f54fe77fa51601d521baab5a9234f2e
最后尝试
ssh
方式连接容器,发现可以无密码登陆了~
[root@localhost ~]
# ssh -p220 root@localhost
Last login: Mon Mar 13 10:03:54 2017
|
---------------------------------------------------------------------------------------------------------------------
当登陆到容器后,可以查看下容器ip
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
|
第一种方式:
[root@localhost ~]
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b220fabf815a wangssh
"/usr/sbin/sshd -D"
6 hours ago Up About an hour 0.0.0.0:20020->22
/tcp
gigantic_goldwasser
fc726a6a27d2 980e0e4c79ec
"/bin/bash"
3 months ago Up About an hour 0.0.0.0:32768->80
/tcp
web1
9d99c7b9451b 980e0e4c79ec
"/bin/bash"
3 months ago Up About an hour 0.0.0.0:32769->8080
/tcp
web3
[root@localhost ~]
# docker inspect b220fabf815a |grep IPAddress
"SecondaryIPAddresses"
: null,
"IPAddress"
:
"172.17.0.2"
,
"IPAddress"
:
"172.17.0.2"
,
第二种方式:
[root@localhost ~]
# docker inspect --format='{{.NetworkSettings.IPAddress}}' b220fabf815a
172.17.0.2
第三种方式:
登陆到容器里使用“yum
install
net-tools”,安装后就可以使用
ifconfig
命令查看ip了
当知道了容器的ip后,就可以使用
ssh
直接连接容器的22端口即可!
[root@localhost ~]
# ssh 172.17.0.2
root@172.17.0.2's password:
Last login: Tue Mar 14 09:11:27 2017 from 172.17.0.1
[root@b220fabf815a ~]
#
|
***************当你发现自己的才华撑不起野心时,就请安静下来学习吧***************
本文转自散尽浮华博客园博客,原文链接:http://www.cnblogs.com/kevingrace/p/6526990.html,如需转载请自行联系原作者
