Docker使用（三）使用Dockerfile創建鏡像以及為鏡像添加SSH服務

Dockerfile 是一個文本格式的配置文件， 可以使用Dockerfile 來快速創建自定義的鏡像。Dockerfile有典型的基本結構及其支持的眾多指令，具體可以參照Docker技術入門與實踐，這篇博客(Docker基礎-使用Dockerfile創建鏡像)整理了出來，也可以拿來參考。這里主要總結為鏡像添加SSH服務 。

一些進入容器的辦法， 比如用attach 、exec 等命令，但是這些命令都無法解決遠程管理容器的問題。因此，當需要遠程登錄到容器內進行一些操作的時候，就需要SSH 的支持。介紹如何自行創建一個帶有SSH 服務的鏡像，並介紹兩種創建容器的方法：基於docker commit 命令創建和基於Dockerfile 創建。

1 基於docker commit命令創建

1.1 獲取鏡像並創建一個容器

root@slave1:/home/xxx/Documents# docker pull ubuntu:16.04
16.04: Pulling from library/ubuntu
Digest: sha256:97b54e5692c27072234ff958a7442dde4266af21e7b688e7fca5dc5acc8ed7d9
Status: Image is up to date for ubuntu:16.04
root@slave1:/home/xxx/Documents# docker run -it ubuntu:16.04 bash
root@185a722ee292:/#

1.2 配置軟件源

檢查軟件源，並使用apt-get update 命令來更新軟件源信息：

root@185a722ee292:/# apt-get update
Get:1 http://archive.ubuntu.com/ubuntu xenial InRelease [247 kB]            
Get:2 http://security.ubuntu.com/ubuntu xenial-security InRelease [109 kB]  
Get:3 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages [940 kB]
Get:4 http://archive.ubuntu.com/ubuntu xenial-updates InRelease [109 kB]       
Get:5 http://archive.ubuntu.com/ubuntu xenial-backports InRelease [107 kB]     
Get:6 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages [1558 kB]    
Get:7 http://security.ubuntu.com/ubuntu xenial-security/restricted amd64 Packages [12.7 kB]
Get:8 http://security.ubuntu.com/ubuntu xenial-security/universe amd64 Packages [582 kB]
Get:9 http://security.ubuntu.com/ubuntu xenial-security/multiverse amd64 Packages [6114 B]
Get:10 http://archive.ubuntu.com/ubuntu xenial/restricted amd64 Packages [14.1 kB]
Get:11 http://archive.ubuntu.com/ubuntu xenial/universe amd64 Packages [9827 kB]
Get:12 http://archive.ubuntu.com/ubuntu xenial/multiverse amd64 Packages [176 kB]
Get:13 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages [1322 kB]
Get:14 http://archive.ubuntu.com/ubuntu xenial-updates/restricted amd64 Packages [13.1 kB]
Get:15 http://archive.ubuntu.com/ubuntu xenial-updates/universe amd64 Packages [986 kB]
Get:16 http://archive.ubuntu.com/ubuntu xenial-updates/multiverse amd64 Packages [19.1 kB]
Get:17 http://archive.ubuntu.com/ubuntu xenial-backports/main amd64 Packages [7942 B]
Get:18 http://archive.ubuntu.com/ubuntu xenial-backports/universe amd64 Packages [8807 B]
Fetched 16.0 MB in 1min 39s (161 kB/s)                                         
Reading package lists... Done

1.3 安裝和配置SSH服務

更新軟件包緩存后可以安裝SSH 服務了，選擇主流的opens sh-server 作為服務端

root@185a722ee292:/# apt-get install openssh-server

如果需要正常啟動SSH 服務， 則目錄/var/run/sshd 必須存在。下面手動創建它，並啟動SSH 服務：

root@185a722ee292:/# mkdir -p /var/run/sshd
root@185a722ee292:/# /usr/sbin/sshd -D &
[1] 3243

查看容器的22 端口（ SSH 服務默認監昕的端口），可見此端口已經處於監聽狀態：

root@185a722ee292:/# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3243/sshd       
tcp6       0      0 :::22                   :::*                    LISTEN      3243/sshd       

如果bash: vi: command not found 用apt-get install net-tools安裝net工具包：
修改SSH服務的安全登錄配置，取消pam登陸限制

root@185a722ee292:/# sed -ri 's/session required pam_loginuid.so/#session required pam_loginuid.so/g' /etc/pam.d/sshd

在root 用戶目錄下創建.ssh 目錄，並復制需要登錄的公鑰信息（一般為本地主機用戶目錄下的.ssh/id_rsa.pub 文件，可由ssh-keygen -t rsa 命令生成）到authorized_keys 文件中：

root@185a722ee292:/# mkdir root/.ssh
root@185a722ee292:/# vi /root/.ssh/authorized_keys
bash: vi: command not found
root@185a722ee292:/# apt-get install vim
root@185a722ee292:/# vi /root/.ssh/authorized_keys

創建自動啟動SSH 服務的可執行文件run . sh ，並添加可執行權限：

root@185a722ee292:/# vi /run.sh
root@185a722ee292:/# chmod +x run.sh
root@185a722ee292:/#
root@185a722ee292:/# exit
exit

run.sh 腳本內容如下：

#!/bin/bash
/usr/sbin/sshd -D

1.4 保存鏡像

將退出的容器用docker commit命令保存為一個新的sshd:ubuntu鏡像：

root@slave1:/home/xxx/Documents# docker commit 185a722ee292 sshd:ubuntu
sha256:4a1f2846a21fee31106ec6d86ad9ea8cc96295f59ca7a533a8d5195446cebcae

使用docker images 查看本地生成的新鏡像sshd:ubuntu ，目前擁有的鏡像如下：

root@slave1:/home/xxx/Documents# docker images
REPOSITORY           TAG                 IMAGE ID            CREATED              SIZE
sshd                 ubuntu              4a1f2846a21f        About a minute ago   235MB

1.5 使用鏡像

啟動容器，並添加端口映射10022 >22 。其中100 22 是宿主主機的端口， 22 是容器的SSH 服務監昕端口：

root@slave1:/home/xxx/Documents# docker run -p 10022:22 -d sshd:ubuntu /run.sh
cdedf8932122f63b6165c744e9e10c1a453b19986332c6f6f5a84a6c61ab1bbe

啟動成功后，可以在宿主主機上看到容器運行的詳細信息。

root@slave1:/home/xxx/Documents# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS                   NAMES
cdedf8932122        sshd:ubuntu         "/run.sh"           23 seconds ago      Up 21 seconds       0.0.0.0:10022->22/tcp   youthful_wing

在宿主主機（ 192.168.220.128 ）或其他主機上，可以通過SSH 訪問10022 端口來登錄容器：

root@slave1:/home/xxx/Documents# ssh 192.168.220.128 -p 10022
The authenticity of host '[192.168.220.128]:10022 ([192.168.220.128]:10022)' can't be established.
ECDSA key fingerprint is SHA256:PIe3rPCEmGvRA/zljQcz8OZzELeZvWnDtd2CXkqmfSk.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.220.128]:10022' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 16.04 LTS (GNU/Linux 4.4.0-98-generic x86_64)

* Documentation:  https://help.ubuntu.com/

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

2 基於Dockerfile 創建

使用Dockerfile 來創建一個支持SSH 服務的鏡像。

2.1 創建工作目錄

創建一個sshd_ubuntu 工作目錄：

root@slave1:/home/xxx/Documents# mkdir sshd_ubuntu
root@slave1:/home/xxx/Documents# ls
sshd_ubuntu  

創建Dockerfile 和run.sh 文件：

root@slave1:/home/xxx/Documents# cd sshd_ubuntu
root@slave1:/home/xxx/Documents/sshd_ubuntu# touch Dockerfile run.sh
root@slave1:/home/xxx/Documents/sshd_ubuntu# ls
Dockerfile  run.sh

2.2 編寫run.sh腳本和authorized_keys文件 vi run.sh

#!/bin/bash
/usr/sbin/sshd -D

root@slave1:/home/xxx/Documents/sshd_ubuntu# ssh-keygen -t rsa
root@slave1:/home/xxx/Documents/sshd_ubuntu# cat ~/.ssh/id_rsa.pub >authorized_keys

2.3 編寫Dockerfile

root@slave1:/home/xxx/Documents/sshd_ubuntu# vi Dockerfile

# 基礎鏡像信息
FROM ubuntu:16.04

# 維護者信息
MAINTAINER zzz xxxxxxxx@qq.com

# 更新apt緩存、安裝ssh服務
RUN apt-get update && apt-get install -y openssh-server
RUN mkdir -p /var/run/sshd 
RUN mkdir -p /root/.ssh
#取消pam限制
RUN sed -ri 's/session requireD pam_loginuid.so/#session required pam_loginuid.so/g' /etc/pam.d/sshd

# 配置免密和自啟動腳本
ADD authorized_keys /root/.ssh/authorized_keys
ADD run.sh /run.sh
RUN chmod 755 /run.sh

# 開放22端口
EXPOSE 22

# 設置腳本自啟動
CMD ["/run.sh"]

2.4 創建鏡像

在sshd_ubuntu 目錄下，使用docker build 命令來創建鏡像。表示使用當前目錄中的Dockerfile

root@slave1:/home/xxx/Documents# cd sshd_ubuntu
root@slave1:/home/xxx/Documents/sshd_ubuntu# docker build -t sshd:dockerfile .
Sending build context to Docker daemon  4.608kB
Step 1/11 : FROM ubuntu:16.04
---> 5e13f8dd4c1a
Step 2/11 : MAINTAINER zzz 473612131@qq.com
---> Using cache
---> 0748b6027d39
Step 3/11 : RUN apt-get update && apt-get install -y openssh-server
---> Using cache
---> a251326511ad
Step 4/11 : RUN mkdir -p /var/run/sshd
---> Using cache
---> 7f7223f9ca3f
Step 5/11 : RUN mkdir -p /root/.ssh
---> Using cache
---> ef9f018d909c
Step 6/11 : RUN sed -ri 's/session requireD pam_loginuid.so/#session required pam_loginuid.so/g' /etc/pam.d/sshd
---> Running in 94c11b0c54ec
Removing intermediate container 94c11b0c54ec
---> cea047a4b34f
Step 7/11 : ADD authorized_keys /root/.ssh/authorized_keys
---> 8312e768de97
Step 8/11 : ADD run.sh /run.sh
---> f5c23bd379b2
Step 9/11 : RUN chmod 755 /run.sh
---> Running in 8f95705b05b4
Removing intermediate container 8f95705b05b4
---> 03eb32be673e
Step 10/11 : EXPOSE 22
---> Running in ef4439caf998
Removing intermediate container ef4439caf998
---> 3ac6903206c9
Step 11/11 : CMD ["/run.sh"]
---> Running in 8271fe311161
Removing intermediate container 8271fe311161
---> 10ba2747ab4a
Successfully built 10ba2747ab4a
Successfully tagged sshd:dockerfile
root@slave1:/home/xxx/Documents/sshd_ubuntu# docker images   #本地查看sshd :dockerfile 鏡像己存在
REPOSITORY           TAG                 IMAGE ID            CREATED             SIZE
sshd                 dockerfile          10ba2747ab4a        2 minutes ago       200MB

2.5 測試鏡像，運行容器

使用剛才創建的sshd:dockerfile 鏡像來運行一個容器。直接啟動鏡像，映射容器的22 端口到本地的10122 端口：

root@slave1:/home/xxx/Documents/sshd_ubuntu# docker run -d -p 10122:22 sshd:dockerfile
7cd646779554e185a34d0f775ad8bb81cef4af8547df5ba7ac79d8eed0571d48
root@slave1:/home/xxx/Documents/sshd_ubuntu# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS                   NAMES
7cd646779554        sshd:dockerfile     "/run.sh"           40 seconds ago      Up 39 seconds       0.0.0.0:10122->22/tcp   loving_pike

在宿主主機新打開一個終端，連接到新建的容器：

root@slave1:/home/xxx/Documents/sshd_ubuntu# ssh 192.168.220.128 -p 10122
The authenticity of host '[192.168.220.128]:10122 ([192.168.220.128]:10122)' can't be established.
ECDSA key fingerprint is SHA256:MTblEFxBW0AGUzlvSzc5ouq1xM01jcykUFCzwW91Khc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.220.128]:10122' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.10.0-28-generic x86_64)

* Documentation:  https://help.ubuntu.com
* Management:     https://landscape.canonical.com
* Support:        https://ubuntu.com/advantage

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
root@7cd646779554:~#

***參考：
Docker技術入門與實戰鏈接：https://pan.baidu.com/s/1r_TfonbXxPk6ogKvNxGp3g
提取碼：c5i2

---