Dockerizing an sshd daemon based on CentOS 7

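Having an sshd service in Docker is handy for testing, so it is worth building an sshd image.

The Docker documentation has an article on building an sshd image based on ubuntu:14.04.

Since I am used to CentOS, this article builds an sshd image based on centos7.

First, the Dockerfile for the Ubuntu sshd image: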

# sshd
#
# VERSION               0.0.2

FROM ubuntu:14.04
MAINTAINER Sven Dowideit <SvenDowideit@docker.com>

RUN apt-get update && apt-get install -y openssh-server
RUN mkdir /var/run/sshd
# Set the default password
RUN echo 'root:screencast' | chpasswd
RUN sed -i 's/PermitRootLogin without-password/PermitRootLogin yes/' /etc/ssh/sshd_config

# SSH login fix. Otherwise user is kicked off after login
RUN sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd

ENV NOTVISIBLE "in users profile"
RUN echo "export VISIBLE=now" >> /etc/profile

EXPOSE 22
CMD ["/usr/sbin/sshd", "-D"]

The version modified for centos7:

# mkdir /data01/sshd
# vi Dockerfile

# sshd
#
# VERSION               0.0.2

FROM centos:centos7
MAINTAINER digoal.zhou

RUN yum install -y openssh-server
RUN yum install -y openssh-clients
RUN mkdir /var/run/sshd
RUN echo 'UseDNS no' >> /etc/ssh/sshd_config
# Remove the pam_loginuid.so line from the sshd PAM configuration
RUN sed -i -e '/pam_loginuid.so/d' /etc/pam.d/sshd
# Set the default password
RUN echo 'root:Digoal_sshd_1999' | chpasswd
RUN /usr/bin/ssh-keygen -A

# To reach the container from other hosts, it is advisable to expose the port.
EXPOSE 22
CMD ["/usr/sbin/sshd", "-D"]

Build the image:

[root@localhost sshd]# docker build -t digoal/sshd .
Sending build context to Docker daemon  2.56 kB
Sending build context to Docker daemon
Step 0 : FROM centos:centos7
 ---> ae0c2d0bdc10
Step 1 : MAINTAINER digoal.zhou
 ---> Running in 072ae2460e25
 ---> 3c5e418bb4b1
Removing intermediate container 072ae2460e25
Step 2 : RUN yum install -y openssh-server
 ---> Running in bac9ecaa70cf
Loaded plugins: fastestmirror
Determining fastest mirrors
 * base: mirrors.aliyun.com
 * extras: mirrors.aliyun.com
 * updates: centos.ustc.edu.cn
Resolving Dependencies
--> Running transaction check
---> Package openssh-server.x86_64 0:6.4p1-8.el7 will be installed
--> Processing Dependency: openssh = 6.4p1-8.el7 for package: openssh-server-6.4p1-8.el7.x86_64
--> Processing Dependency: fipscheck-lib(x86-64) >= 1.3.0 for package: openssh-server-6.4p1-8.el7.x86_64
--> Processing Dependency: libwrap.so.0()(64bit) for package: openssh-server-6.4p1-8.el7.x86_64
--> Processing Dependency: libfipscheck.so.1()(64bit) for package: openssh-server-6.4p1-8.el7.x86_64
--> Running transaction check
---> Package fipscheck-lib.x86_64 0:1.4.1-5.el7 will be installed
--> Processing Dependency: /usr/bin/fipscheck for package: fipscheck-lib-1.4.1-5.el7.x86_64
---> Package openssh.x86_64 0:6.4p1-8.el7 will be installed
---> Package tcp_wrappers-libs.x86_64 0:7.6-77.el7 will be installed
--> Running transaction check
---> Package fipscheck.x86_64 0:1.4.1-5.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                  Arch          Version               Repository   Size
================================================================================
Installing:
 openssh-server           x86_64        6.4p1-8.el7           base        367 k
Installing for dependencies:
 fipscheck                x86_64        1.4.1-5.el7           base         21 k
 fipscheck-lib            x86_64        1.4.1-5.el7           base         11 k
 openssh                  x86_64        6.4p1-8.el7           base        341 k
 tcp_wrappers-libs        x86_64        7.6-77.el7            base         66 k

Transaction Summary
================================================================================
Install  1 Package (+4 Dependent packages)

Total download size: 806 k
Installed size: 1.9 M
Downloading packages:
warning: /var/cache/yum/x86_64/7/base/packages/fipscheck-lib-1.4.1-5.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Public key for fipscheck-lib-1.4.1-5.el7.x86_64.rpm is not installed
--------------------------------------------------------------------------------
Total                                              327 kB/s | 806 kB  00:02
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Importing GPG key 0xF4A80EB5:
 Userid     : "CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>"
 Fingerprint: 6341 ab27 53d7 8a78 a7c2 7bb1 24c6 a8a7 f4a8 0eb5
 Package    : centos-release-7-0.1406.el7.centos.2.5.x86_64 (@Updates/$releasever)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : fipscheck-lib-1.4.1-5.el7.x86_64                             1/5
  Installing : fipscheck-1.4.1-5.el7.x86_64                                 2/5
  Installing : openssh-6.4p1-8.el7.x86_64                                   3/5
  Installing : tcp_wrappers-libs-7.6-77.el7.x86_64                          4/5
  Installing : openssh-server-6.4p1-8.el7.x86_64                            5/5
  Verifying  : tcp_wrappers-libs-7.6-77.el7.x86_64                          1/5
  Verifying  : fipscheck-1.4.1-5.el7.x86_64                                 2/5
  Verifying  : openssh-server-6.4p1-8.el7.x86_64                            3/5
  Verifying  : openssh-6.4p1-8.el7.x86_64                                   4/5
  Verifying  : fipscheck-lib-1.4.1-5.el7.x86_64                             5/5 

Installed:
  openssh-server.x86_64 0:6.4p1-8.el7                                           

Dependency Installed:
  fipscheck.x86_64 0:1.4.1-5.el7      fipscheck-lib.x86_64 0:1.4.1-5.el7
  openssh.x86_64 0:6.4p1-8.el7        tcp_wrappers-libs.x86_64 0:7.6-77.el7     

Complete!
 ---> c48a513d5431
Removing intermediate container bac9ecaa70cf
Step 3 : RUN mkdir /var/run/sshd
 ---> Running in b0b25471af5d
 ---> e61b7a8bb4d9
Removing intermediate container b0b25471af5d
Step 4 : RUN echo 'UseDNS no' >> /etc/ssh/sshd_config
 ---> Running in 3d7072b4b9f5
 ---> 8ed4d6eb45c1
Removing intermediate container 3d7072b4b9f5
Step 5 : RUN echo 'root:Digoal_sshd_1999' | chpasswd
 ---> Running in 54eebb17b732
 ---> ecb67638a0df
Removing intermediate container 54eebb17b732
Step 6 : RUN /usr/bin/ssh-keygen -A
 ---> Running in cc7fc7b7a49e
ssh-keygen: generating new host keys: RSA1 RSA DSA ECDSA
 ---> 2b73dfeaebf1
Removing intermediate container cc7fc7b7a49e
Step 7 : EXPOSE 22
 ---> Running in fa5ca073d31b
 ---> 6e0fcfed929b
Removing intermediate container fa5ca073d31b
Step 8 : CMD ["/usr/sbin/sshd", "-D"]
 ---> Running in 0d53a37829c1
 ---> 3e5d8edfaeee
Removing intermediate container 0d53a37829c1
Successfully built 3e5d8edfaeee

Push it to Docker Hub for later use:

[root@localhost sshd]# docker login
Username: digoal
Password:
Email: digoal@126.com
Login Succeeded
[root@localhost sshd]# docker push digoal/sshd
...
Pushing tag for rev [3e5d8edfaeee] on {https://cdn-registry-1.docker.io/v1/repositories/digoal/sshd/tags/latest}

Test:

[root@localhost ~]# docker run -d --name digoal digoal/sshd
486381d4428e917b6572eb1a802972eb576b0fa3731178c2cd055a5def9a02ea
[root@localhost ~]# docker inspect -f '{{.NetworkSettings.IPAddress}}' digoal
172.17.0.13

Log in to the container with the initial password set in the Dockerfile:

[root@localhost ~]# ssh root@172.17.0.13
The authenticity of host '172.17.0.13 (172.17.0.13)' can't be established.
ECDSA key fingerprint is 76:34:4f:98:d5:56:cd:2c:e4:f8:9c:14:5a:82:f6:bf.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.17.0.13' (ECDSA) to the list of known hosts.
root@172.17.0.13's password: 

Change the default password:

[root@486381d4428e ~]# echo 'root:helloworld' | chpasswd
[root@486381d4428e ~]# exit
logout
Connection to 172.17.0.13 closed.

Log in to the container with the new password:

[root@localhost ~]# ssh root@172.17.0.13
root@172.17.0.13's password:
Last login: Thu Nov 27 11:52:03 2014 from 172.17.42.1
[root@486381d4428e ~]# 

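With this image, testing becomes much more convenient; it feels like starting a virtual machine.

Finally, one recommendation; see:

http://blog.163.com/digoal@126/blog/static/163877040201411165323773/

That is, edit /etc/pam.d/sshd and comment out the following line: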

# session    required     pam_loginuid.so

After the change, commit the image again.
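
The two Dockerfiles above put a root password and the SSH host keys into the image itself, so both travel with it when it is pushed to a registry: the chpasswd command stays readable in docker history, and every container started from the image presents the same host keys. The following script is an added example, not part of the original article, that flags those lines before an image is built; audit_sshd_dockerfile and the sample Dockerfile are constructed for illustration, and it assumes each RUN instruction fits on one line.

```shell
#!/bin/sh
# Added example (not from the original article).
# audit_sshd_dockerfile: hypothetical helper. Reads a Dockerfile on stdin and
# prints one finding per line as "<line number>:<rule>".
# Assumption: each RUN instruction fits on one line (no "\" continuations).
audit_sshd_dockerfile() {
    awk '
        /^[ \t]*#/            { next }   # skip Dockerfile comments
        toupper($1) != "RUN"  { next }   # only RUN commands are checked
        # A literal user:password piped into chpasswd is stored in the image
        # and stays readable in "docker history".
        /echo[^|]*:[^|]*[|][ \t]*chpasswd/ { print NR ":hardcoded-password" }
        # Host keys generated during the build are shared by every container
        # started from the image.
        /ssh-keygen[ \t]+-A/               { print NR ":build-time-host-keys" }
        # Password login for root, combined with a known password.
        /PermitRootLogin[ \t]+yes/         { print NR ":root-password-login" }
    '
}

# Constructed sample modelled on the Dockerfiles in this article; the
# password is a placeholder.
sample_dockerfile() {
    cat <<'EOF'
FROM centos:centos7
RUN yum install -y openssh-server
# RUN echo 'root:commented-out' | chpasswd
RUN echo 'root:EXAMPLE_PASSWORD' | chpasswd
RUN /usr/bin/ssh-keygen -A
RUN sed -i 's/PermitRootLogin without-password/PermitRootLogin yes/' /etc/ssh/sshd_config
EXPOSE 22
CMD ["/usr/sbin/sshd", "-D"]
EOF
}

sample_dockerfile | audit_sshd_dockerfile
```

Run it against a real file with `audit_sshd_dockerfile < Dockerfile`; no output means none of the three patterns was found.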

[References]
1. http://docs.docker.com/examples/running_ssh_service/

Time: 2024-08-04 11:20:24
