Docker Nginx+SSHD (Part 1): Installing and Configuring SSHD

Docker Nginx+SSHD

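Background

When developers debug pages in a container while the docker daemon runs on a remote machine, they may want to connect with local SSH tools and operate the nginx service. This article describes how to connect into a docker container through sshd.

SSHD

SSHD (OpenSSH Daemon) is the daemon program for ssh. It provides secure encrypted communication between two untrusted hosts over an insecure network.

Environment preparation:

Prepare the nginx image

  • Host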
[root@rwplus ~]# docker pull nginx:1.19.2
Trying to pull repository docker.io/library/nginx ...
1.19.2: Pulling from docker.io/library/nginx
bf5952930446: Pull complete
cb9a6de05e5a: Pull complete
9513ea0afb93: Pull complete
b49ea07d2e93: Pull complete
a5e4a503d449: Pull complete
Digest: sha256:b0ad43f7ee5edbc0effbc14645ae7055e21bc1973aee5150745632a24a752661
Status: Downloaded newer image for docker.io/nginx:1.19.2

Start a service

  • Host
[root@rwplus ~]# docker run --name test_sshd -p 9090:80 -p 9091:22 -itd docker.io/nginx:1.19.2 bash
59cb5b898e9c9f16165b6f38ce01847cf156f07c23e8cd4bdf32d0fe587e9114

[root@rwplus ~]# docker ps |grep sshd
59cb5b898e9c        docker.io/nginx:1.19.2                                     "/docker-entrypoin..."   26 seconds ago      Up 25 seconds       0.0.0.0:9091->22/tcp, 0.0.0.0:9090->80/tcp                         test_sshd
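  • 9090:80

    9090 is the host port that nginx is mapped to; 80 is the nginx port in the container.

  • 9091:22

    9091 is the host port that sshd is mapped to; 22 is the sshd port in the container.

Install SSHD

  • Inside the container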
root@59cb5b898e9c:/# apt-get update
Get:1 http://security.debian.org/debian-security buster/updates InRelease [65.4 kB]
Get:2 http://deb.debian.org/debian buster InRelease [122 kB]
Get:3 http://security.debian.org/debian-security buster/updates/main amd64 Packages [226 kB]
Get:4 http://deb.debian.org/debian buster-updates InRelease [51.9 kB]
Get:5 http://deb.debian.org/debian buster/main amd64 Packages [7906 kB]
Get:6 http://deb.debian.org/debian buster-updates/main amd64 Packages [7868 B]
Fetched 8379 kB in 59s (142 kB/s)
Reading package lists... Done
root@59cb5b898e9c:/#


root@59cb5b898e9c:/# apt-get install openssh-server
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  dbus dmsetup libapparmor1 libargon2-1 libcap2 libcryptsetup12 libdbus-1-3 libdevmapper1.02.1 libedit2 libgpm2 libidn11 libip4tc0 libjson-c3 libkmod2 libncurses6 libnss-systemd libpam-systemd
  libprocps7 libwrap0 libxext6 libxmuu1 ncurses-term openssh-client openssh-sftp-server procps psmisc systemd systemd-sysv xauth
Suggested packages:
  default-dbus-session-bus | dbus-session-bus gpm keychain libpam-ssh monkeysphere ssh-askpass molly-guard rssh ufw systemd-container policykit-1
The following NEW packages will be installed:
  dbus dmsetup libapparmor1 libargon2-1 libcap2 libcryptsetup12 libdbus-1-3 libdevmapper1.02.1 libedit2 libgpm2 libidn11 libip4tc0 libjson-c3 libkmod2 libncurses6 libnss-systemd libpam-systemd
  libprocps7 libwrap0 libxext6 libxmuu1 ncurses-term openssh-client openssh-server openssh-sftp-server procps psmisc systemd systemd-sysv xauth
0 upgraded, 30 newly installed, 0 to remove and 0 not upgraded.
Need to get 7807 kB of archives.
After this operation, 30.0 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://deb.debian.org/debian buster/main amd64 libapparmor1 amd64 2.13.2-10 [94.7 kB]
Get:2 http://security.debian.org/debian-security buster/updates/main amd64 libjson-c3 amd64 0.12.1+ds-2+deb10u1 [27.3 kB]
Get:3 http://deb.debian.org/debian buster/main amd64 libcap2 amd64 1:2.25-2 [17.6 kB]
Get:4 http://deb.debian.org/debian buster/main amd64 libargon2-1 amd64 0~20171227-0.2 [19.6 kB]
Get:5 http://deb.debian.org/debian buster/main amd64 dmsetup amd64 2:1.02.155-3 [90.8 kB]
Get:6 http://deb.debian.org/debian buster/main amd64 libdevmapper1.02.1 amd64 2:1.02.155-3 [141 kB]
Get:7 http://deb.debian.org/debian buster/main amd64 libcryptsetup12 amd64 2:2.1.0-5+deb10u2 [193 kB]
Get:8 http://deb.debian.org/debian buster/main amd64 libidn11 amd64 1.33-2.2 [116 kB]
Get:9 http://deb.debian.org/debian buster/main amd64 libip4tc0 amd64 1.8.2-4 [70.2 kB]
Get:10 http://deb.debian.org/debian buster/main amd64 libkmod2 amd64 26-1 [52.7 kB]
Get:11 http://deb.debian.org/debian buster/main amd64 systemd amd64 241-7~deb10u4 [3499 kB]
Get:12 http://deb.debian.org/debian buster/main amd64 systemd-sysv amd64 241-7~deb10u4 [99.9 kB]
Get:13 http://deb.debian.org/debian buster/main amd64 libncurses6 amd64 6.1+20181013-2+deb10u2 [102 kB]
Get:14 http://deb.debian.org/debian buster/main amd64 libprocps7 amd64 2:3.3.15-2 [61.7 kB]
Get:15 http://deb.debian.org/debian buster/main amd64 procps amd64 2:3.3.15-2 [259 kB]
Get:16 http://deb.debian.org/debian buster/main amd64 libdbus-1-3 amd64 1.12.20-0+deb10u1 [215 kB]
Get:17 http://deb.debian.org/debian buster/main amd64 dbus amd64 1.12.20-0+deb10u1 [236 kB]
Get:18 http://deb.debian.org/debian buster/main amd64 libnss-systemd amd64 241-7~deb10u4 [205 kB]
Get:19 http://deb.debian.org/debian buster/main amd64 libpam-systemd amd64 241-7~deb10u4 [209 kB]
Get:20 http://deb.debian.org/debian buster/main amd64 ncurses-term all 6.1+20181013-2+deb10u2 [490 kB]
Get:21 http://deb.debian.org/debian buster/main amd64 libedit2 amd64 3.1-20181209-1 [94.0 kB]
Get:22 http://deb.debian.org/debian buster/main amd64 openssh-client amd64 1:7.9p1-10+deb10u2 [782 kB]
Get:23 http://deb.debian.org/debian buster/main amd64 libgpm2 amd64 1.20.7-5 [35.1 kB]
Get:24 http://deb.debian.org/debian buster/main amd64 libwrap0 amd64 7.6.q-28 [58.7 kB]
Get:25 http://deb.debian.org/debian buster/main amd64 libxext6 amd64 2:1.3.3-1+b2 [52.5 kB]
Get:26 http://deb.debian.org/debian buster/main amd64 libxmuu1 amd64 2:1.1.2-2+b3 [23.9 kB]
Get:27 http://deb.debian.org/debian buster/main amd64 openssh-sftp-server amd64 1:7.9p1-10+deb10u2 [44.6 kB]
Get:28 http://deb.debian.org/debian buster/main amd64 openssh-server amd64 1:7.9p1-10+deb10u2 [352 kB]
Get:29 http://deb.debian.org/debian buster/main amd64 psmisc amd64 23.2-1 [126 kB]
Get:30 http://deb.debian.org/debian buster/main amd64 xauth amd64 1:1.0.10-1 [40.3 kB]
Fetched 7807 kB in 4min 20s (30.0 kB/s)
......................
Created symlink /etc/systemd/system/sshd.service → /lib/systemd/system/ssh.service.
Created symlink /etc/systemd/system/multi-user.target.wants/ssh.service → /lib/systemd/system/ssh.service.
invoke-rc.d: could not determine current runlevel
invoke-rc.d: policy-rc.d denied execution of start.
Processing triggers for systemd (241-7~deb10u4) ...
Processing triggers for libc-bin (2.28-10) ...

Start SSHD

  • Inside the container
root@59cb5b898e9c:/# ls /var/run/sshd
ls: cannot access '/var/run/sshd': No such file or directory
root@59cb5b898e9c:/# mkdir -p /var/run/sshd
root@59cb5b898e9c:/# /usr/sbin/sshd -D &
[1] 992

View the processes in the container

  • Host
[root@rwplus ~]# docker top  test_sshd
UID                 PID                 PPID                C                   STIME               TTY                 TIME                CMD
root                26007               25990               0                   12:18               pts/1               00:00:00            bash
root                26065               26049               0                   12:19               pts/2               00:00:00            bash
root                26084               26065               0                   12:19               pts/2               00:00:00            /usr/sbin/sshd -D

Check whether the port is open

  • Host
[root@rwplus ~]# telnet localhost 9091
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2

Remove the PAM session restriction

root@59cb5b898e9c:/# more /etc/pam.d/sshd |grep pam_loginuid
session    required     pam_loginuid.so


root@59cb5b898e9c:/# sed -i 's|session    required     pam_loginuid.so|#session    required     pam_loginuid.so|g' /etc/pam.d/sshd
root@59cb5b898e9c:/# more /etc/pam.d/sshd |grep pam_loginuid
#session    required     pam_loginuid.so

Configure remote key-based login

Generate a key pair

  • Inside the container
root@59cb5b898e9c:/# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:3SSV83xpLxZrJdOLEIkiGEQC9cPM2FvEdY+idC3G1v4 root@59cb5b898e9c
The key's randomart image is:
+---[RSA 2048]----+
|oo++o.... o o.   |
|  .O o.o = *o    |
|  . B + O = ++ ..|
|     = = = =  *o+|
|    . . S o o oBo|
|           . .=..|
|            Eo . |
|                 |
|                 |
+----[SHA256]-----+

Authorize

  • Inside the container
root@59cb5b898e9c:~/.ssh# cd ~/.ssh
root@59cb5b898e9c:~/.ssh# ls
id_rsa	id_rsa.pub
root@59cb5b898e9c:~/.ssh# cat id_rsa.pub > authorized_keys

Configure the docker container's public key locally

Copy the contents of the container's id_rsa.pub into a local file; in this article that file is test.key.

  • Host
[root@rwplus ~]# more test.key
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
.......................
=
-----END OPENSSH PRIVATE KEY-----

Set the file permissions

  • Host
[root@rwplus ~]# chmod 600 test.key

Log in remotely from the local machine

  • Host
[root@rwplus ~]# ssh root@xxx.xxx.xxx.xxx -p 9091 -i test.key
Linux 59cb5b898e9c 3.10.0-957.21.3.el7.x86_64 #1 SMP Tue Jun 18 16:35:19 UTC 2019 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
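
An added pre-flight check for the login step above (not part of the original article): `ssh -i` reads a private key and ignores one that group or other users can access, and the test.key listing above begins with the private-key header. The function names are this example's own, and the sample files are constructed with fake key bodies.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are this
# example's own; the sample files in demo() are constructed.

# key_kind FILE: print "private", "public" or "unknown" from the first line.
key_kind() {
    first=$(head -n 1 "$1" 2>/dev/null)
    case "$first" in
        "-----BEGIN "*"PRIVATE KEY-----") echo private ;;
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*) echo public ;;
        *) echo unknown ;;
    esac
}

# owner_only FILE: succeed only if group and other have no permission bits
# (the same condition chmod 600 establishes).
owner_only() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# check_identity FILE: print "ok" or the reason the file is unsuitable for ssh -i.
check_identity() {
    [ -f "$1" ] || { echo "missing"; return 1; }
    kind=$(key_kind "$1")
    [ "$kind" = private ] || { echo "not-a-private-key ($kind)"; return 1; }
    owner_only "$1" || { echo "permissions-too-open"; return 1; }
    echo ok
}

# demo: run the check on constructed files (fake key bodies, temp directory).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'CONSTRUCTED' \
        '-----END OPENSSH PRIVATE KEY-----' > "$d/test.key"
    printf '%s\n' 'ssh-rsa CONSTRUCTED root@container' > "$d/id_rsa.pub"
    chmod 644 "$d/test.key"
    r1=$(check_identity "$d/test.key") || true     # before chmod 600
    chmod 600 "$d/test.key"
    r2=$(check_identity "$d/test.key") || true     # after chmod 600
    r3=$(check_identity "$d/id_rsa.pub") || true   # public key passed by mistake
    rm -rf "$d"
    echo "$r1|$r2|$r3"
}

demo
```

Running `check_identity test.key` before the `ssh ... -i test.key` command reports whether the file holds a private key and whether its mode is restricted to the owner.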
