Docker core principles: solving the PID isolation problem / connecting to a container over ssh

Docker: connecting to a container over ssh

# Install the sshd service in the container so the host can ssh into it
[root@localhost ~]# docker run -itd --name sshd centos /bin/bash
374daee545e3a9fb1b6faa4075fc3ce295418cd2c83532627d88a28f6657a672
# Enter the container
[root@localhost ~]# docker exec -it sshd /bin/bash
# Install the packages needed (ssh-related)
[root@374daee545e3 /]# yum -y install passwd iproute net-tools openssh-server openssh-clients

Set the container's root password (needed for the ssh connection later)

[root@374daee545e3 /]# passwd root
Changing password for user root.
New password: 
BAD PASSWORD: The password fails the dictionary check - it is too simplistic/systematic
Retype new password: 
passwd: all authentication tokens updated successfully.

Look up the command that starts sshd

vi /usr/lib/systemd/system/sshd.service

[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.service
Wants=sshd-keygen.service

[Service]
Type=notify
EnvironmentFile=/etc/sysconfig/sshd
# This is the command that starts sshd. Some programs need arguments: check whether the EnvironmentFile above defines any, and pass them if it does
ExecStart=/usr/sbin/sshd -D $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s

[Install]
WantedBy=multi-user.target

Set up host keys (the container lacks the host keys sshd needs)

# Generate three host keys
[root@374daee545e3 /]# ssh-keygen -q -t rsa -b 2048 -f /etc/ssh/ssh_host_rsa_key -N ''
[root@374daee545e3 /]# ssh-keygen -q -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ''
[root@374daee545e3 /]# ssh-keygen -q -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ''

-t: key type   -b: key length in bits   -f: path of the generated key file   -N '': passphrase; '' means none   -q: quiet, print nothing

Allow the root account to log in over ssh

vi /etc/ssh/sshd_config 

# PAM (Pluggable Authentication Modules) is not available inside the container, so PAM authentication cannot be used
UsePAM no
UsePrivilegeSeparation no
# Allow the superuser to log in
PermitRootLogin yes

Start sshd and connect from the host

[root@374daee545e3 /]# /usr/sbin/sshd -D $OPTIONS
WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several problems.
Segmentation fault (core dumped)


[root@374daee545e3 /]# exit
exit
[root@localhost ~]# ssh root@172.17.0.2
The authenticity of host '172.17.0.2 (172.17.0.2)' can't be established.
ECDSA key fingerprint is SHA256:RIjDV9o2h4opVpD2MFlCCFq39l/q4aJNLwXvTqfZo/s.
ECDSA key fingerprint is MD5:0e:f6:dc:fb:0e:87:d8:25:61:eb:47:eb:4a:90:24:92.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.17.0.2' (ECDSA) to the list of known hosts.
root@172.17.0.2's password: 
[root@374daee545e3 ~]# 
# Connected to the container
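The sshd_config edits above are appended by hand, and sshd uses the first uncommented occurrence of a directive and ignores later duplicates, so an appended "PermitRootLogin yes" does nothing if the directive is already set higher up in the file. The check below, an added example that is not part of the original post, prints the value sshd will actually use for a directive; the sample config it runs on is constructed for the demo. The same check confirms that PasswordAuthentication is off if you later switch the container to key-based login instead of the root password set above.

```shell
#!/bin/sh
# Added example (not from the original post): report the value sshd will
# actually use for a directive. sshd honours the FIRST uncommented occurrence of
# a keyword and ignores later duplicates; anything below a "Match" line applies
# only conditionally. Keywords are case-insensitive and may be written
# "Key value" or "Key=value".

# usage: sshd_effective <sshd_config> <keyword>  -> prints the value, or "(default)"
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line) }
        line == "" || line ~ /^#/ { next }            # skip comments and blank lines
        {
            n = match(line, /[ \t=]/)                 # keyword ends at a blank or "="
            if (n == 0) { kw = line; val = "" }
            else { kw = substr(line, 1, n - 1); val = substr(line, n); sub(/^[ \t=]+/, "", val) }
            kw = tolower(kw)
        }
        kw == "match" { exit }                        # conditional section: stop here
        kw == key { print val; found = 1; exit }      # first occurrence wins
        END { if (!found) print "(default)" }
    ' "$1"
}

# usage: sshd_report <sshd_config>  -> one line per directive the container setup touches
sshd_report() {
    for d in PermitRootLogin PasswordAuthentication PubkeyAuthentication UsePAM UsePrivilegeSeparation; do
        printf '%-24s %s\n' "$d" "$(sshd_effective "$1" "$d")"
    done
}

# --- demo on a constructed sample config (not a real image's file) ---
# The two lines after "UsePAM yes" mimic edits appended to the end of the file;
# the report shows they have no effect because earlier lines already set them.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
PermitRootLogin no
#PasswordAuthentication yes
UsePAM yes
PermitRootLogin yes
UsePAM no
Match User deploy
    PasswordAuthentication no
EOF
sshd_report "$cfg"
rm -f "$cfg"
```

Run it against the container's /etc/ssh/sshd_config after editing; if PermitRootLogin still reports "no", the earlier occurrence has to be changed in place rather than a new line appended.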

The Docker PID isolation problem

  • 1. Work around the inability to use systemd programs by giving the user inside the container elevated privileges (not recommended)
  • 2. Bypass the systemd process and start the program directly
  • This post focuses on method 2

Continuing from the environment above:
install httpd in the container

[root@374daee545e3 ~]# yum -y install httpd
# Look up where httpd is started from
vi /usr/lib/systemd/system/httpd.service

[Unit]
Description=The Apache HTTP Server
After=network.target remote-fs.target nss-lookup.target
Documentation=man:httpd(8)
Documentation=man:apachectl(8)

[Service]
Type=notify
# The startup arguments can be looked up in this file
EnvironmentFile=/etc/sysconfig/httpd
# Either of these two lines shows the command to run
ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND
ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
ExecStop=/bin/kill -WINCH ${MAINPID}
# We want systemd to give httpd some time to finish gracefully, but still want
# it to kill httpd after TimeoutStopSec if something went wrong during the
# graceful stop. Normally, Systemd sends SIGTERM signal right after the
# ExecStop, which would kill httpd. We are sending useless SIGCONT here to give
# httpd time to finish.
KillSignal=SIGCONT
PrivateTmp=true

[Install]
WantedBy=multi-user.target

# Starting it prints an error
[root@374daee545e3 ~]# /usr/sbin/httpd $OPTIONS
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
# Edit the configuration file
vi /etc/httpd/conf/httpd.conf 

# Uncomment this line
ServerName www.example.com:80
# Start it again to check
[root@374daee545e3 ~]# /usr/sbin/httpd $OPTIONS
httpd (pid 169) already running
[root@374daee545e3 ~]# netstat -anput |grep 80
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      169/httpd    

# Change httpd's home page
[root@374daee545e3 ~]# echo 'LMK' > /var/www/html/index.html
# Leave the container and access it from the host
[root@374daee545e3 ~]# exit
logout
Connection to 172.17.0.2 closed.
[root@localhost ~]# curl 172.17.0.2
LMK
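The technique in both sections is the same: read ExecStart= from the unit file, pick up any arguments from its EnvironmentFile=, and run that command by hand because there is no systemd as PID 1 inside the container. The script below, an added example that is not part of the original post, automates that lookup. It also handles two details the manual steps skip: a leading "-" on EnvironmentFile= marks the file as optional, and systemd strips executable prefixes ("-", "@", "+", "!", ":") from the start of ExecStart=. The sample unit and environment files it runs on are constructed for the demo; the OPTIONS value in them is made up and is not what a CentOS image ships.

```shell
#!/bin/sh
# Added example (not from the original post): reconstruct the command a systemd
# unit would run, so it can be started by hand in a container without systemd.
# Reads EnvironmentFile= (leading "-" = optional file), strips systemd executable
# prefixes from ExecStart=, and substitutes $VAR / ${VAR} the way systemd does
# (unset variables expand to nothing). Environment= lines and %-specifiers are
# not handled.

# usage: unit_start_command <unit-file>  -> prints the resolved ExecStart line
unit_start_command() {
    awk '
        /^[ \t]*EnvironmentFile=/ {
            f = $0; sub(/^[ \t]*EnvironmentFile=/, "", f); sub(/^-/, "", f)
            while ((getline line < f) > 0) {            # missing optional file: loop never runs
                if (line ~ /^[ \t]*(#|$)/) continue
                eq = index(line, "="); if (eq == 0) continue
                k = substr(line, 1, eq - 1); v = substr(line, eq + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", k)
                # strip one pair of surrounding double quotes
                if (length(v) >= 2 && substr(v, 1, 1) == "\"" && substr(v, length(v)) == "\"")
                    v = substr(v, 2, length(v) - 2)
                env[k] = v
            }
            close(f)
        }
        /^[ \t]*ExecStart=/ {
            cmd = $0; sub(/^[ \t]*ExecStart=/, "", cmd)
            sub(/^[-@+!:]+/, "", cmd)                   # executable prefixes are not part of the command
            n = split(cmd, tok, /[ \t]+/)
            out = ""
            for (i = 1; i <= n; i++) {
                t = tok[i]; k = ""
                if (substr(t, 1, 2) == "${" && substr(t, length(t)) == "}") k = substr(t, 3, length(t) - 3)
                else if (substr(t, 1, 1) == "$") k = substr(t, 2)
                if (k != "") t = (k in env) ? env[k] : ""   # unset variable -> empty, like systemd
                if (t != "") out = out (out == "" ? "" : " ") t
            }
            print out
            exit
        }
    ' "$1"
}

# --- demo on constructed copies of the two unit files shown in the post ---
demo_dir=$(mktemp -d)
printf 'OPTIONS="-f /etc/httpd/conf/httpd.conf"\n' > "$demo_dir/httpd"   # constructed value
cat > "$demo_dir/httpd.service" <<EOF
[Service]
Type=notify
EnvironmentFile=$demo_dir/httpd
ExecStart=/usr/sbin/httpd \$OPTIONS -DFOREGROUND
EOF
cat > "$demo_dir/sshd.service" <<EOF
[Service]
EnvironmentFile=-$demo_dir/sshd-does-not-exist
ExecStart=-/usr/sbin/sshd -D \$OPTIONS
EOF
unit_start_command "$demo_dir/httpd.service"   # /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -DFOREGROUND
unit_start_command "$demo_dir/sshd.service"    # /usr/sbin/sshd -D
rm -rf "$demo_dir"
```

Note that the resolved httpd command keeps -DFOREGROUND. The session above ran httpd without it, so httpd detached into the background, which is why the second start reported it already running; in a container you normally want the service in the foreground so the container's main process (and its logs) stay tied to it.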

Summary

  • All you really need is to find the program's start command. The ssh part was only done for practice; the main thing
    to remember is where the program's unit file with its start command lives.

All articles on this blog are written for learning purposes; if anything is wrong, feel free to get in touch so we can discuss and learn together. Email: 1248287831@qq.com