Docker Centos添加SSH服务

docker version: 1.12.6
image: docker.io/centos:latest, 2d194b392dd1

在Docker社区中，对于是否需要为Docker容器添加SSH服务一直存有争议。

反对方的观点是：Docker的理念是一个容器只运行一个服务。因此，如果每一个容器都运行一个额外的SSH服务，就违背Docker的初衷。另外也有人认为根本没有从远程主机进入容器进行维护的必要。

支持方的观点是：在Docker 1.3版本之前，如果要用attach进入容器，经常会出现卡死的情况，v1.3之后，虽然官方推出了docker exec 命令， 再从宿主机进入容器是没有以前的问题了，但是如果要从去其他远程主机进入容器依然没有更好的解决方案。

其实，我认为这两种说法都有道理。对于是否需要为Docker容器添加SSH服务，应取决于容器的具体应用场景：即作为应用容器还是作为系统容器或数据容器。应用容器行为围绕应用生命周期，较少简单，不需要人工的额外干预；而系统容器或数据容器则需要支持管理员的登录操作，这个时候容器对SSH服务的支持就变得十分有必要了，因为它对资源的需求不高，同时可以保障安全性。

下面介绍两种为容器添加SSH服务并保存为镜像的方法。

docker commit

1. 启动基础镜像

[root@JDu4e00u53f7 ~]# docker run -it centos

1. 容器中安装 openssh-server

[root@f70036d0c6ca /]# yum install passwd openssh-server -y

1. 修改root用户密码

[root@f70036d0c6ca /]# passwd root
Changing password for user root.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

1. 生成秘钥(HostKey)

[root@f70036d0c6ca /]# ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):  直接回车
Enter same passphrase again: 直接回车
Your identification has been saved in /etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
SHA256:ItOJ+dA5dzIQpIvBZHNzLl/WiqZ5957hdYU3pg7mpQY root@f70036d0c6ca
The key's randomart image is:
+---[RSA 2048]----+
|  + o.+          |
| + o = . .       |
|  o o o o .      |
|   o O B .     . |
|  . B @ S .   .oo|
|     O + E    oo.|
|    o o . oo.o.  |
|     . . oo==.   |
|         .*o .   |
+----[SHA256]-----+

[root@fa13056d27da ssh]# ssh-keygen -t rsa -f /etc/ssh/ssh_host_ecdsa_key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): (直接回车)
Enter same passphrase again: （直接回车）
Your identification has been saved in /etc/ssh/ssh_host_ecdsa_key.
Your public key has been saved in /etc/ssh/ssh_host_ecdsa_key.pub.
The key fingerprint is:
SHA256:WpihxgDZRqjJog4r8C258f9pW5jN2HXURbKCpNfRk4E root@fa13056d27da
The key's randomart image is:
+---[RSA 2048]----+
|.=.       . .oo+o|
|o.o      o oE.++.|
|oo.   . . o o o..|
|+. o . + .   o   |
|o   + o S   . .  |
|+  .   o B . .   |
|+o.o  . + =      |
|o.+o.   .o       |
|. .o...o+.       |
+----[SHA256]-----+

[root@fa13056d27da ssh]# ssh-keygen -t rsa -f /etc/ssh/ssh_host_ed25519_key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): (直接回车)
Enter same passphrase again: （直接回车）
Your identification has been saved in /etc/ssh/ssh_host_ed25519_key.
Your public key has been saved in /etc/ssh/ssh_host_ed25519_key.pub.
The key fingerprint is:
SHA256:M1/Y+3uh/2Ci8vCUEJkV6V2QTvnoGQDgn1XKD2Hp24o root@fa13056d27da
The key's randomart image is:
+---[RSA 2048]----+
|      ....=+o+   |
|     .   *+++ .  |
|      . +o== +   |
|       . +o== .  |
|        S .++o   |
|         =.o+. . |
|        ..+.o + .|
|        E+.. = ..|
|         o+   ++o|
+----[SHA256]-----+

1. 编写启动脚本

[root@46d6949f23b3 ~]# vi /run.sh
[root@46d6949f23b3 ~]# chmod +x /run.sh 

其中 /run.sh的内容为：

#!/bin/bash
/usr/sbin/sshd -D

7.修改配置文件 (可选)

[root@46d6949f23b3 ~]# vi /etc/ssh/sshd_config 

# 修改ssh服务端口，默认22
#Port 22

#禁用 PAM
UsePAM no

#禁止root用户登录
#PermitRootLogin yes

1. 退出容器，保存镜像

[root@46d6949f23b3 ~]# exit
[root@JDu4e00u53f7 ~]# docker ps -al 
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS                      PORTS               NAMES
46d6949f23b3        centos              "/bin/bash"         11 minutes ago      Exited (0) 47 seconds ago                       practical_kilby

[root@JDu4e00u53f7 ~]# docker commit -m 'openssh-server' -a 'Rethink' 46d6949f23b3  sshd:centos
sha256:fa665548b8186c9b656a145ff9beaae1847d183dd405eba25888066e85ca10fc

1. 启动容器

[root@JDu4e00u53f7 ~]# docker run -d --name ssh -p 10022:22 sshd:centos /run.sh
334c4330a56bfe5d9e87c35747ef604da60c5aa84fdae427ca30bbdab2592d37
[root@JDu4e00u53f7 ~]# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS                   NAMES
334c4330a56b        sshd:centos         "/run.sh"           55 seconds ago      Up 54 seconds       0.0.0.0:10022->22/tcp   ssh

1. 远程连接测试

[root@JDu4e00u53f7 ~]# ssh root@192.168.0.3 -p 10022
The authenticity of host '[192.168.0.3]:10022 ([192.168.0.3]:10022)' can't be established.
RSA key fingerprint is e1:95:09:40:48:8e:13:94:ca:73:15:e7:7b:37:2d:6c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.0.3]:10022' (RSA) to the list of known hosts.
root@192.168.0.3's password: 
[root@334c4330a56b ~]# logout
Connection to 192.168.0.3 closed.

Dockerfile

使用docker commit 手动构建一个新的镜像，虽然步骤清晰，但是镜像分发起来比较不方便。Dockerfile 就是最优替代方案。

#20180328
FROM centos:centos7
MAINTAINER 简书：Rethink "https://www.jianshu.com/u/425d52eec5fa" "shijianzhihu@foxmail.com"

RUN yum install openssh-server -y 

#修改root用户密码
#用以下命令修改密码时，密码中最好不要包含特殊字符，如"!"，否则可能会失败；
RUN /bin/echo "rethink123" | passwd --stdin root

#生成密钥
RUN ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key \
    && ssh-keygen -t rsa -f /etc/ssh/ssh_host_ecdsa_key \
    && ssh-keygen -t rsa -f /etc/ssh/ssh_host_ed25519_key

#修改配置信息
RUN /bin/sed -i 's/.*session.*required.*pam_loginuid.so.*/session optional pam_loginuid.so/g' /etc/pam.d/sshd \
    && /bin/sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config \
    && /bin/sed -i "s/#UsePrivilegeSeparation.*/UsePrivilegeSeparation no/g" /etc/ssh/sshd_config


EXPOSE 22

CMD ["/usr/sbin/sshd","-D"]

远程连接时遇到的问题

• 【Q1】

[root@JDu4e00u53f7 ~]# ssh root@192.168.0.3 -p 10022
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
f9:f4:8b:91:7b:0c:2e:86:c2:46:97:d0:aa:66:31:d6.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending RSA key in /root/.ssh/known_hosts:1
RSA host key for [192.168.0.3]:10022 has changed and you have requested strict checking.
Host key verification failed.

解决方法为：

[root@JDu4e00u53f7 ~]# cd
[root@JDu4e00u53f7 ~]# ll -a
[root@JDu4e00u53f7 ~]# vi .ssh/known_hosts

删掉相关密钥信息后，再次连接即可。如：

[192.168.0.3]:10022 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC28Z4QL5Lj/WOrZGGIj/mnRaWDwh9YfHbDl99wO3Bog5geOcsIMVhOMeExMpdQI1afEAlzZpqltY31kt0Eboto3Sa1DJ6YiryEBiv6pcHo2XGeczFD4PqG64C50I+w3qDANVcMHil+/qw/MsAvhFT972NzypL9+z+FGn2nZmLT/J+AxWyGqPLHZJ1xlgLc/Bk6H+GXXuO7HZj3NKn3C8SsSkhSUcCT5bKfRfxIuyX/nzyWK4yZoZhmAJvG9AUTd/qIOtqMKZ0x++TR+30yNJkphqOptHpZrbpybhpX0wOQIZiITtnUzYEAHlYx3X31lQHqcHirPvBGMKM7yG9wAa5V

• 【Q2】

[root@JDu4e00u53f7 ~]# ssh 192.168.0.3 -p 10022
ssh: connect to host 192.168.0.3 port 10022: Connection refused

解决方法：验证目标主机的ssh server端程序是否安装、服务是否启动，是否在侦听22端口，docker run命令中是否运行了/run.sh脚本。