$ sudo docker run -ti ubuntu:14.04  /bin/bash
# First, create a container with the familiar "-ti" options.
root@fc1936ea8ceb:/# sshd
bash: sshd: command not found
# Running sshd to start the SSH server shows that the service is not installed. Note that after entering the container with "-ti /bin/bash", we get a bash shell running as root.
root@fc1936ea8ceb:/# apt-get install openssh-server
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package openssh-server
# The package is not in the existing cache either; the official image really is thoroughly stripped down.
root@fc1936ea8ceb:/# apt-get update
# Use "apt-get update" to refresh the apt source information. If the default overseas sources are slow, you can switch to a mirror in China such as 163 or Sohu.
Ign http://archive.ubuntu.com trusty InRelease
Ign http://archive.ubuntu.com trusty-updates InRelease
Ign http://archive.ubuntu.com trusty-security InRelease
Ign http://archive.ubuntu.com trusty-proposed InRelease
...
Fetched 20.4 MB in 2min 55s (116 kB/s)
Reading package lists... Done
root@fc1936ea8ceb:/# apt-get install openssh-server
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  ca-certificates krb5-locales libck-connector0 libedit2 libgssapi-krb5-2
  libidn11 libk5crypto3 libkeyutils1 libkrb5-3 libkrb5support0
  libpython-stdlib libpython2.7-minimal libpython2.7-stdlib libwrap0 libx11-6
  libx11-data libxau6 libxcb1 libxdmcp6 libxext6 libxmuu1 ncurses-term
  openssh-client openssh-sftp-server openssl python python-chardet
  python-minimal python-requests python-six python-urllib3 python2.7
  python2.7-minimal ssh-import-id tcpd wget xauth
Suggested packages:
  krb5-doc krb5-user ssh-askpass libpam-ssh keychain monkeysphere rssh
  molly-guard ufw python-doc python-tk python2.7-doc binutils binfmt-support
The following NEW packages will be installed:
  ca-certificates krb5-locales libck-connector0 libedit2 libgssapi-krb5-2
  libidn11 libk5crypto3 libkeyutils1 libkrb5-3 libkrb5support0
  libpython-stdlib libpython2.7-minimal libpython2.7-stdlib libwrap0 libx11-6
  libx11-data libxau6 libxcb1 libxdmcp6 libxext6 libxmuu1 ncurses-term
  openssh-client openssh-server openssh-sftp-server openssl python
  python-chardet python-minimal python-requests python-six python-urllib3
  python2.7 python2.7-minimal ssh-import-id tcpd wget xauth
0 upgraded, 38 newly installed, 0 to remove and 29 not upgraded.
Need to get 7599 kB of archives.
After this operation, 35.3 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
# Installing just the SSH service requires downloading and installing this many dependencies.
Get:1 http://archive.ubuntu.com/ubuntu/ trusty/main libedit2 amd64 3.1-20130712-2 [86.7 kB]
Get:2 http://archive.ubuntu.com/ubuntu/ trusty-proposed/main libkrb5support0 amd64 1.12+dfsg-2ubuntu5 [30.0 kB]
Get:3 http://archive.ubuntu.com/ubuntu/ trusty-proposed/main libk5crypto3 amd64 1.12+dfsg-2ubuntu5 [79.9 kB]
Get:4 http://archive.ubuntu.com/ubuntu/ trusty/main libkeyutils1 amd64 1.5.6-1 [7318 B]
Get:5 http://archive.ubuntu.com/ubu
...
Updating certificates in /etc/ssl/certs... 164 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.
Processing triggers for ureadahead (0.100.0-16) ...
root@fc1936ea8ceb:/# mkdir -p /var/run/sshd
# Create the directory the SSH service needs at run time.
root@fc1936ea8ceb:/# /usr/sbin/sshd -D &
# Run the SSH service in the background.
[1] 3254
root@fc1936ea8ceb:/# netstat -tunlp
# Check that the service port is listening.
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
root@fc1936ea8ceb:/# mkdir root/.ssh
root@fc1936ea8ceb:/# vi /root/.ssh/authorized_keys
# Copy the public keys of the machines that need to log in to this container into the authorized_keys file.
root@fc1936ea8ceb:/# sed -ri 's/session required pam_loginuid.so/#session required pam_loginuid.so/g' /etc/pam.d/sshd
# Modify the SSH service's secure-login (PAM) configuration.
root@fc1936ea8ceb:/# vi /run.sh
# Create the executable file run.sh; its contents are shown below.
root@fc1936ea8ceb:/# chmod +x run.sh
# Add execute permission.
root@fc1936ea8ceb:/# exit
exit
$ sudo docker commit fc1 sshd:ubuntu
# Use "docker commit" to save the current container as the image sshd:ubuntu.
7aef2cd95fd0c712f022bcff6a4ddefccf20fd693da2b24b04ee1cd3ed3eb6fc
$ sudo docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
sshd                ubuntu              7aef2cd95fd0        10 seconds ago      255.2 MB
busybox             latest              e72ac664f4f0        3 weeks ago         2.433 MB
ubuntu              latest              ba5877dc9bec        3 months ago        192.7 MB
# Verify the images we now have.
$ sudo docker run -p 100:22 -d sshd:ubuntu /run.sh
# Start the container and map port 100 --> 22; 100 is the port on the host and 22 is the container's SSH port.
3ad7182aa47f9ce670d933f943fdec946ab69742393ab2116bace72db82b4895
$ sudo docker ps
# It started successfully; the container's details are shown.
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS                 NAMES
3ad7182aa47f        sshd:ubuntu         "/run.sh"           2 seconds ago       Up 2 seconds        0.0.0.0:100->22/tcp   focused_ptolemy
> ssh 192.168.1.200 -p 100
# Log in to the container from the machine whose public key was copied earlier.
The authenticity of host '[192.168.1.200]:100 ([192.168.1.200]:100)' can't be established.
ECDSA key fingerprint is 5f:6e:4c:54:8f:c7:7f:32:c2:38:45:bb:16:03:c9:e8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.1.200]:100' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.2.0-37-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

root@3ad7182aa47f:~#
# Login succeeded; the image was created successfully.

Contents of the run.sh script

#!/bin/bash
/usr/sbin/sshd -D

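The basics of Dockerfile were covered in section 1.8. Below we show how to use a Dockerfile to carry out the steps from the previous section.

Create the folder

First, create a folder named sshd_ubuntu to hold our Dockerfile, the script file, and any other files.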

$ mkdir sshd_ubuntu
$ ls
sshd_ubuntu
$ cd sshd_ubuntu/
$ touch Dockerfile run.sh
$ ls
Dockerfile  run.sh

Write the shell script and the authorized_keys file

The contents of the script file run.sh are the same as in the previous section.

#!/bin/bash
/usr/sbin/sshd -D

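Create the authorized_keys file

$ ssh-keygen
# Follow the prompts to generate the access key pair.
$ cat ~/.ssh/id_rsa.pub >authorized_keys
# Copy the public key into the authorized_keys file.

The contents of the Dockerfile, with explanations, are below.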

# Set the base image to inherit from
FROM ubuntu:14.04
# Provide some author information
MAINTAINER dwj_zz@163.com
# Start running commands; here the Ubuntu sources are switched to the 163 mirror in China
RUN echo "deb http://mirrors.163.com/ubuntu/ trusty main restricted universe multiverse" > /etc/apt/sources.list
RUN echo "deb http://mirrors.163.com/ubuntu/ trusty-security main restricted universe multiverse" >> /etc/apt/sources.list
RUN echo "deb http://mirrors.163.com/ubuntu/ trusty-updates main restricted universe multiverse" >> /etc/apt/sources.list
RUN echo "deb http://mirrors.163.com/ubuntu/ trusty-proposed main restricted universe multiverse" >> /etc/apt/sources.list
RUN echo "deb http://mirrors.163.com/ubuntu/ trusty-backports main restricted universe multiverse" >> /etc/apt/sources.list
RUN apt-get update
# Install the SSH service
RUN apt-get install -y openssh-server
RUN mkdir -p /var/run/sshd
RUN mkdir -p /root/.ssh
# Remove the PAM restriction
RUN sed -ri 's/session required pam_loginuid.so/#session required pam_loginuid.so/g' /etc/pam.d/sshd
# Copy the configuration files into place and make the script executable
ADD authorized_keys /root/.ssh/authorized_keys
ADD run.sh /run.sh
RUN chmod 755 /run.sh
# Expose the port
EXPOSE 22
# Set the command that runs at startup
CMD ["/run.sh"]
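A pre-build check for the sshd_ubuntu directory above, added here as an example and not part of the original article. Because authorized_keys is baked into the image and `docker build .` sends the whole directory to the daemon, it confirms that authorized_keys holds only public-key entries and that no private key file sits in the build context. The function names and the sample key are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit the sshd_ubuntu build
# context before running `docker build`. Function names are hypothetical.
KEY_TYPES='ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)'

# audit_authorized_keys FILE: status 0 only if every entry is a public key.
audit_authorized_keys() {
    [ -f "$1" ] || { echo "missing: $1"; return 1; }
    awk -v types="^($KEY_TYPES)\$" '
        /PRIVATE KEY-----/ { print "private key material, line " NR; bad++; next }
        /^[ \t]*(#|$)/     { next }                  # comment or blank line
        {   # the key type is field 1, or a later field when options precede it
            ok = 0
            for (i = 1; i < NF; i++) if ($i ~ types && $(i + 1) ~ /^AAAA/) ok = 1
            if (ok) good++; else { print "not a public key, line " NR; bad++ }
        }
        END { if (!good) { print "no public key entries"; bad++ }
              exit (bad > 0) }
    ' "$1"
}

# audit_context DIR: print findings and return the number of failed checks.
audit_context() {
    dir=$1; failed=0
    audit_authorized_keys "$dir/authorized_keys" || failed=$((failed + 1))
    # `docker build .` sends every file under DIR to the daemon, so search the
    # whole context for private keys, not only the files the Dockerfile ADDs.
    leaked=$(find "$dir" -type f ! -path "$dir/authorized_keys" \
                 -exec grep -l -e 'PRIVATE KEY-----' {} + 2>/dev/null || true)
    if [ -n "$leaked" ]; then
        echo "private key in build context: $leaked"; failed=$((failed + 1))
    fi
    return "$failed"
}

# make_sample DIR: write a constructed context; the key below is not a real key.
make_sample() {
    mkdir -p "$1"
    printf '#!/bin/bash\n/usr/sbin/sshd -D\n' > "$1/run.sh"
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTED admin@example\n' \
        > "$1/authorized_keys"
}

# Stand-alone use: sh audit.sh sshd_ubuntu
[ $# -eq 0 ] || audit_context "$1"
```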

Create the image

$ sudo docker build -t sshd:dockerfile .
Sending build context to Docker daemon 5.632 kB
Sending build context to Docker daemon
Step 0 : FROM ubuntu:14.04
^Z
[1]+  Stopped                 sudo docker build -t sshd:dockerfile .
# The build seemed very slow here, so I paused it and checked the local images first.
$ sudo docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
sshd                ubuntu              7aef2cd95fd0        12 hours ago        255.2 MB
busybox             latest              e72ac664f4f0        3 weeks ago         2.433 MB
ubuntu              latest              ba5877dc9bec        3 months ago        192.7 MB
# It turns out our ubuntu image carries the default "latest" tag, whereas in a Dockerfile we usually specify a version tag.
$ sudo docker tag ba5 ubuntu:14.04
$ pwd
/home/xxx/sshd_ubuntu
$ sudo docker build -t sshd:dockerfile .
# Note the "." at the end, which means use the Dockerfile in the current directory.
Sending build context to Docker daemon 5.632 kB
Sending build context to Docker daemon
Step 0 : FROM ubuntu:14.04
 ---> ba5877dc9bec
Step 1 : MAINTAINER dwj_zz@163.com
 ---> Running in 188d74d02d35
 ---> 473eb019b331
Removing intermediate container 188d74d02d35
# When building from a Dockerfile, it removes the useless intermediate file layers for you.
Step 2 : RUN echo "deb http://mirrors.163.com/ubuntu/ trusty main restricted universe multiverse" > /etc/apt/sources.list
 ---> Running in f52e2a583db5
 ---> bd4ceef2ee19
Removing intermediate container f52e2a583db5
Step 3 : RUN echo "deb http://mirrors.163.com/ubuntu/ trusty-security main restricted universe multiverse" >> /etc/apt/sources.list
 ---> Running in 897d65dfe9be
 ---> 9cd736f11928
Removing intermediate container 897d65dfe9be
Step 4 : RUN echo "deb http://mirrors.163.com/ubuntu/ trusty-updates main restricted universe multiverse" >> /etc/apt/sources.list
 ---> Running in ec3433db813e
 ---> 3fca0b605de4
Removing intermediate container ec3433db813e
Step 5 : RUN echo "deb http://mirrors.163.com/ubuntu/ trusty-proposed main restricted universe multiverse" >> /etc/apt/sources.list
 ---> Running in 4a0fe165598f
 ---> f6d1c7af36c8
Removing intermediate container 4a0fe165598f
Step 6 : RUN echo "deb http://mirrors.163.com/ubuntu/ trusty-backports main restricted universe multiverse" >> /etc/apt/sources.list
 ---> Running in 209179c21053
 ---> 0cda758c9f3c
Removing intermediate container 209179c21053
Step 7 : RUN apt-get update
 ---> Running in 1fd40eb66f7b
Ign http://archive.ubuntu.com trusty-proposed InRelease
Get:1 http://archive.ubuntu.com trusty-proposed Release.gpg [933 B]
Get:2 http://archive.ubuntu.com trusty-proposed Release [110 kB]
Get:3 http://archive.ubuntu.com trusty-proposed/main amd64 Packages [160 kB]
...
# Some unimportant output is omitted here to save space.
Fetched 11.3 MB in 1min 37s (116 kB/s)
Reading package lists...
 ---> 0f132591eddc
Removing intermediate container 1fd40eb66f7b
Step 8 : RUN apt-get install -y openssh-server
 ---> Running in 399e4ea726d2
Reading package lists...
Building dependency tree...
Reading state information...
The following extra packages will be installed:
  ca-certificates krb5-locales libck-connector0 libedit2 libgssapi-krb5-2
  libidn11 libk5crypto3 libkeyutils1 libkrb5-3 libkrb5support0
  libpython-stdlib libpython2.7-minimal libpython2.7-stdlib libwrap0 libx11-6
  libx11-data libxau6 libxcb1 libxdmcp6 libxext6 libxmuu1 ncurses-term
  openssh-client openssh-sftp-server openssl python python-chardet
  python-minimal python-requests python-six python-urllib3 python2.7
  python2.7-minimal ssh-import-id tcpd wget xauth
Suggested packages:
  krb5-doc krb5-user ssh-askpass libpam-ssh keychain monkeysphere rssh
  molly-guard ufw python-doc python-tk python2.7-doc binutils binfmt-support
The following NEW packages will be installed:
  ca-certificates krb5-locales libck-connector0 libedit2 libgssapi-krb5-2
  libidn11 libk5crypto3 libkeyutils1 libkrb5-3 libkrb5support0
  libpython-stdlib libpython2.7-minimal libpython2.7-stdlib libwrap0 libx11-6
  libx11-data libxau6 libxcb1 libxdmcp6 libxext6 libxmuu1 ncurses-term
  openssh-client openssh-server openssh-sftp-server openssl python
  python-chardet python-minimal python-requests python-six python-urllib3
  python2.7 python2.7-minimal ssh-import-id tcpd wget xauth
0 upgraded, 38 newly installed, 0 to remove and 29 not upgraded.
Need to get 7599 kB of archives.
After this operation, 35.3 MB of additional disk space will be used.
Get:1 http://mirrors.163.com/ubuntu/ trusty/main libedit2 amd64 3.1-20130712-2 [86.7 kB]
...
Running hooks in /etc/ca-certificates/update.d....done.
Processing triggers for ureadahead (0.100.0-16) ...
 ---> 62f952643e33
Removing intermediate container 399e4ea726d2
Step 9 : RUN mkdir -p /var/run/sshd
 ---> Running in aa1c4d469284
 ---> e81557dd4887
Removing intermediate container aa1c4d469284
Step 10 : RUN mkdir -p /root/.ssh
 ---> Running in 0626987081d0
 ---> 23882ee06756
Removing intermediate container 0626987081d0
Step 11 : RUN sed -ri 's/session required pam_loginuid.so/#session required pam_loginuid.so/g' /etc/pam.d/sshd
 ---> Running in 3808c650bf85
 ---> 6c0ca1d20d7f
Removing intermediate container 3808c650bf85
Step 12 : ADD authorized_keys /root/.ssh/authorized_keys
 ---> a64bbd8ae617
Removing intermediate container 16e2d93d6ef0
Step 13 : ADD run.sh /run.sh
 ---> 230711022f7d
Removing intermediate container 137e56188d7b
Step 14 : RUN chmod 755 /run.sh
 ---> Running in a876e4ea378e
 ---> 32d74bbb7406
Removing intermediate container a876e4ea378e
Step 15 : EXPOSE 22
 ---> Running in eeaf9352ca11
 ---> 901e3fa9f596
Removing intermediate container eeaf9352ca11
Step 16 : CMD /run.sh
 ---> Running in 48c37db83ffb
 ---> 570c26a9de68
Removing intermediate container 48c37db83ffb
Successfully built 570c26a9de68
# Finally, the output tells us the build succeeded and the image ID is 570c26a9de68. Let's take a look.
$ sudo docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
sshd                dockerfile          570c26a9de68        4 minutes ago       246.5 MB
sshd                ubuntu              7aef2cd95fd0        12 hours ago        255.2 MB
busybox             latest              e72ac664f4f0        3 weeks ago         2.433 MB
ubuntu              14.04               ba5877dc9bec        3 months ago        192.7 MB
ubuntu              latest              ba5877dc9bec        3 months ago        192.7 MB

Test the image by running a container

We use the sshd:dockerfile image we just created to run a container and see whether it meets our requirements.

$ sudo docker ps
# This is the container we created in the previous section using the "commit" approach.
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS                 NAMES
3ad7182aa47f        sshd:ubuntu         "/run.sh"           12 hours ago        Up 3 seconds        0.0.0.0:100->22/tcp   focused_ptolemy
$ sudo docker run -d -p 101:22 sshd:dockerfile
# Note that, unlike the command used to run the container in the previous section, there is no need to pass '/run.sh' here, because the startup command is already defined in the Dockerfile.
890c04ff8d769b604386ba4475253ae8c21fc92d60083759afa77573bf4e8af1
$ sudo docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS                 NAMES
890c04ff8d76        sshd:dockerfile     "/run.sh"           4 seconds ago       Up 3 seconds        0.0.0.0:101->22/tcp   high_albattani
3ad7182aa47f        sshd:ubuntu         "/run.sh"           12 hours ago        Up 28 seconds       0.0.0.0:100->22/tcp   focused_ptolemy

Open a new terminal locally and connect to the newly created container

> ssh 192.168.1.200 -p 101
The authenticity of host '[192.168.1.200]:101 ([192.168.1.200]:101)' can't be established.
ECDSA key fingerprint is d1:59:f1:09:3b:09:79:6d:19:16:f4:fd:39:1b:be:27.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.1.200]:101' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.2.0-37-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

root@890c04ff8d76:~#

The test succeeded.

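In fact, the community has long debated whether Docker containers need an SSH service.

  • One side argues that Docker's stated philosophy is one service per container, so running an SSH service in every container violates that philosophy. They also see no need at all to enter a container from a remote host for maintenance.

  • The other side argues that before version 1.3, using attach to enter a container often hung. Since 1.3, Docker has officially provided the docker exec tool, so entering a container from the host is no longer a problem, but there is still no better solution for entering a container from another remote host.

It is true that, with methods that currently look rather complicated, containers can be maintained without entering them. But maintaining servers over SSH is the approach Linux administrators are familiar with today. Until Docker offers a more efficient and more secure way to maintain containers, an SSH service in the container remains fairly important, and it uses fewer resources than you might imagine.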
