SSH remote login to a Docker container
Posted Pearl
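Environment:
Ubuntu 16.04 (running in VMware Fusion on Mac OS X)
Task:
Log in to a Docker container over SSH from Ubuntu 16.04 (the goal is to let Jenkins running on another server access the container; that is covered in a separate article)
1. Login with username/password authentication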
[email protected]:~$ sudo docker images
[sudo] hsl 的密码:
REPOSITORY TAG IMAGE ID CREATED SIZE
hsl/ubuntu 14.04_add_sourcealiyun_git_vim_ssh 7e81fb2f82c5 44 minutes ago 634.2 MB
hsl/ubuntu 14.04_JenkinsWithDocker_key 6fb1d3cb7983 46 hours ago 760 MB
hsl/ubuntu 14.04_JenkinsWithDocker_password 659fcb00b0dc 3 days ago 760.1 MB
ubuntu 14.04 4a725d3b3b1c 8 days ago 188 MB
training/webapp latest 6fae60ef3446 15 months ago 348.8 MB
[email protected]:~$ sudo docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[email protected]:~$ sudo docker run -tid -p 22 -P hsl/ubuntu:14.04_add_sourcealiyun_git_vim_ssh
ea153153c8837a4b0e1a8d0e6945200c7ac820c358d546202f1a95c72f12ca77
[email protected]:~$ sudo docker exec -ti ea /bin/bash
[email protected]:/# cd /etc/ssh
[email protected]:/etc/ssh# vim sshd_config
Three settings in sshd_config matter here. Before any changes they look like this:
PermitRootLogin without-password
#AuthorizedKeysFile %h/.ssh/authorized_keys
#PasswordAuthentication yes
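Explanation:
#PermitRootLogin yes #allow root to log in with any authentication method (username/password and public key)
#PermitRootLogin without-password #allow root to log in with public-key authentication only
#PermitRootLogin no #do not allow root to log in with any authentication method
For now, change two of them:
Change PermitRootLogin without-password to PermitRootLogin yes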
Change #PasswordAuthentication yes to PasswordAuthentication yes
[email protected]:/etc/ssh# cd
[email protected]:~# service ssh start
* Starting OpenBSD Secure Shell server sshd [ OK ]
[email protected]:/# passwd root
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
[email protected]:/# ifconfig
#Get the container's internal address (inet addr): 172.17.0.2
[email protected]:/# exit
exit
[email protected]:~$ ssh [email protected]
[email protected]'s password:
Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.13.0-93-generic x86_64)
* Documentation: https://help.ubuntu.com/
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
[email protected]:~# exit
logout
Connection to 172.17.0.2 closed.
[email protected]:~$ ifconfig
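#Get the host's internal address (inet address): 192.168.127.159. Now try logging in to the container through the port mapping
#Because the port is mapped, you can log in directly through the mapped port; you only need the host port that is mapped to the container's port 22 and the host's IP (if the mapping to the container's port 22 was created with the default IP, every IP of the host is mapped to the container's port 22, so both localhost and the subnet IP can be used to log in)
#That is, both ssh [email protected] and ssh -p 32770 [email protected] can log in to the container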
[email protected]:~$ ssh -p 32771 [email protected]
#The first login shows a warning
The authenticity of host '[192.168.127.159]:32771 ([192.168.127.159]:32771)' can't be established.
ECDSA key fingerprint is SHA256:icDOU4lcWTiFb4eIKUtosFNrqzGMo5ufzqXQfPdtSZg.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.127.159]:32771' (ECDSA) to the list of known hosts.
[email protected]'s password:
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-36-generic x86_64)
* Documentation: https://help.ubuntu.com/
Last login: Sun Sep 4 06:00:37 2016 from 172.17.0.1
[email protected]:~# exit
logout
Connection to 192.168.127.159 closed.
[email protected]:~$ ssh -p 32771 [email protected]
#Logging in a second time shows no warning
[email protected]'s password:
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-36-generic x86_64)
* Documentation: https://help.ubuntu.com/
Last login: Sun Sep 4 06:01:33 2016 from 192.168.127.159
[email protected]:~# exit
logout
Connection to 192.168.127.159 closed.
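An added example, not part of the original post: a static check of the sshd_config lines discussed in this section, reporting whether root can log in with a password. It assumes whitespace-separated "Keyword value" lines and stops at the first Match block; the function names and sample configs are constructed here, and sshd -T on the running system remains the authoritative view.

```shell
#!/bin/sh
# Added example: read the value sshd would take for a keyword from a config file.
# Function names and sample configs are constructed for illustration.
sshd_effective() {  # usage: sshd_effective <config-file> <Keyword>
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }              # comments and blank lines set nothing
        tolower($1) == "match" { exit }      # conditional blocks are not evaluated
        tolower($1) == want {                # first occurrence wins in sshd
            $1 = ""; sub(/^[ \t]+/, ""); print; found = 1; exit
        }
        END { if (!found) print "(unset)" }  # sshd then uses its built-in default
    ' "$1"
}

# Classify root login from the two keywords section 1 changes.
# An unset PasswordAuthentication counts as yes (the sshd default).
# Keyboard-interactive/PAM settings are not examined.
audit_root_login() {  # usage: audit_root_login <config-file>
    prl=$(sshd_effective "$1" PermitRootLogin)
    pwa=$(sshd_effective "$1" PasswordAuthentication)
    case "$prl" in
        yes) if [ "$pwa" = no ]; then echo "password-off"; else echo "password-allowed"; fi ;;
        without-password|prohibit-password|forced-commands-only) echo "key-only" ;;
        no) echo "disabled" ;;
        *)  echo "unknown ($prl)" ;;
    esac
}

# Constructed samples: the three lines before editing, then after each section's edits.
sample() {
    case "$1" in
        before)   printf '%s\n' 'PermitRootLogin without-password' \
                      '#AuthorizedKeysFile %h/.ssh/authorized_keys' '#PasswordAuthentication yes' ;;
        section1) printf '%s\n' 'PermitRootLogin yes' \
                      '#AuthorizedKeysFile %h/.ssh/authorized_keys' 'PasswordAuthentication yes' ;;
        section2) printf '%s\n' 'PermitRootLogin without-password' \
                      'AuthorizedKeysFile %h/.ssh/authorized_keys' 'PasswordAuthentication yes' ;;
    esac
}

for s in before section1 section2; do
    f=$(mktemp); sample "$s" > "$f"
    echo "$s: root $(audit_root_login "$f"), AuthorizedKeysFile $(sshd_effective "$f" AuthorizedKeysFile)"
    rm -f "$f"
done
```

For the three sample configurations this reports key-only before editing, password-allowed after the section 1 edits, and key-only again after the section 2 edits.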
2. Login with public-key authentication
[email protected]:~$ sudo docker run -tid -p 22 -P hsl/ubuntu:14.04_add_sourcealiyun_git_vim_ssh
f2e54200c5c7f3310a27e274d7d8c9585ed3c79f921cb63edb8f3a00d1165e24
[email protected]:~$ sudo docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f2e54200c5c7 hsl/ubuntu:14.04_add_sourcealiyun_git_vim_ssh "/bin/bash" 15 seconds ago Up 10 seconds 0.0.0.0:32768->22/tcp big_brown
[email protected]:~$ sudo docker exec -it f2 /bin/bash
[email protected]:/# vim /etc/ssh/sshd_config
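Change the three settings mentioned in step 1 as follows:
PermitRootLogin without-password
Change #AuthorizedKeysFile %h/.ssh/authorized_keys to AuthorizedKeysFile %h/.ssh/authorized_keys
Change #PasswordAuthentication yes to PasswordAuthentication yes
(If the server is not local, never change PasswordAuthentication from yes to no: if the current SSH connection drops and RSA authentication turns out not to be set up correctly, password authentication would be disabled as well. Think of it as public-key authentication taking priority over username/password authentication, with password authentication kept as a fallback in case public-key authentication fails.)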
[email protected]:~$ ssh-keygen -t rsa
#Press Enter at every prompt to generate the host's key pair
[email protected]:~$ cd .ssh
[email protected]:~/.ssh$ ls
id_rsa id_rsa.pub
[email protected]:~/.ssh$ scp id_rsa.pub [email protected]:~/.ssh/
[email protected]'s password:
id_rsa.pub 100% 392 0.4KB/s 00:00
[email protected]:~/.ssh$ sudo docker exec -it f2 /bin/bash
[email protected]:/# cd
[email protected]:~# cd .ssh
[email protected]:~/.ssh# ls
id_rsa.pub
[email protected]:~/.ssh# mv id_rsa.pub authorized_keys
[email protected]:~/.ssh# ls
authorized_keys
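******** This can replace the scp method above for transferring the public key to the container ********
#Or copy the contents of the host's id_rsa.pub directly into the container's /root/.ssh/authorized_keys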
[email protected]:~$ cd .ssh
[email protected]:~/.ssh$ ls
id_rsa id_rsa.pub known_hosts
[email protected]:~/.ssh$ cat id_rsa.pub
#The host's public key
[email protected]:~/.ssh$ sudo docker exec -it f2 /bin/bash
[email protected]:/# ssh-keygen -t rsa
#This step is only a convenient way to create the container's .ssh directory
[email protected]:/# cd
[email protected]:~# cd .ssh
[email protected]:~/.ssh# ls
id_rsa id_rsa.pub
[email protected]:~/.ssh# touch authorized_keys
[email protected]:~/.ssh# ls
authorized_keys id_rsa id_rsa.pub
[email protected]:~/.ssh# vim authorized_keys
#Copy the contents of the host's id_rsa.pub into the container's /root/.ssh/authorized_keys
******** This can replace the scp method above for transferring the public key to the container ********
[email protected]:/# service ssh start
* Starting OpenBSD Secure Shell server sshd [ OK ]
[email protected]:/# exit
exit
[email protected]:~/.ssh$ ssh [email protected]
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-36-generic x86_64)
* Documentation: https://help.ubuntu.com/
Last login: Sun Sep 4 08:18:21 2016 from 172.17.0.1
[email protected]:~# exit
logout
Connection to 172.17.0.2 closed.
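An added example, not part of the original post: a helper for the key-transfer step above that appends the host's public key to authorized_keys instead of renaming the file over it, skips a key that is already present, and sets the directory and file modes sshd expects. The function name install_pubkey and the demo key are constructed for illustration.

```shell
#!/bin/sh
# Added example: append a public key to authorized_keys instead of replacing the file.
# install_pubkey and the demo key below are constructed for illustration.
install_pubkey() {  # usage: install_pubkey <pubkey-file> <ssh-dir>
    pub=$1 dir=$2 auth=$2/authorized_keys
    # A public key is ONE line: "<type> <base64> [comment]". A private key
    # (id_rsa picked instead of id_rsa.pub) is multi-line and is rejected here.
    [ "$(grep -c '' "$pub")" -eq 1 ] || { echo "expected one line in $pub" >&2; return 2; }
    grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( |$)' "$pub" \
        || { echo "not an OpenSSH public key: $pub" >&2; return 2; }
    # With StrictModes (on by default) sshd ignores authorized_keys when it or
    # ~/.ssh is writable by group or others; 700/600 is the usual safe setting.
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"
    # Compare on "<type> <base64>" so a different comment does not add a duplicate.
    key=$(cut -d' ' -f1,2 "$pub")
    if awk -v k="$key" '($1 " " $2) == k { found = 1 } END { exit !found }' "$auth"; then
        echo "already present"; return 0
    fi
    # Make sure the existing file ends with a newline before appending.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then echo >> "$auth"; fi
    cat "$pub" >> "$auth"
    echo "added"
}

demo() {  # constructed key material, not a real key
    d=$(mktemp -d)
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed host-user@example\n' > "$d/id_rsa.pub"
    install_pubkey "$d/id_rsa.pub" "$d/.ssh"   # added
    install_pubkey "$d/id_rsa.pub" "$d/.ssh"   # already present
    ls -l "$d/.ssh"
    rm -rf "$d"
}
demo
```

Run inside the container against /root/.ssh, it takes the place of the mv step while keeping any keys already in the file.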