Docker

Docker: register an account on the official site

Installing on CentOS

```bash
$ curl -fsSL get.docker.com -o get-docker.sh
$ sudo sh get-docker.sh --mirror Aliyun
```

Start Docker CE

```bash
$ sudo systemctl enable docker
$ sudo systemctl start docker
```

Create the docker user group

```bash
$ sudo groupadd docker
# members of the docker group can drive the daemon, which is root-equivalent on the host;
# log out and back in for the new group membership to take effect
$ sudo usermod -aG docker $USER
```


Basic Docker usage

```bash
$ sudo docker login
```

images: list images

```text
$ sudo docker images
REPOSITORY              TAG       IMAGE ID       CREATED       SIZE
centos                  latest    9f38484d220f   4 weeks ago   202MB
vagabond1132/centos_7   latest    9f38484d220f   4 weeks ago   202MB
```

ps: list running containers:

```text
$ sudo docker ps
CONTAINER ID   IMAGE                   COMMAND       CREATED       STATUS       PORTS   NAMES
d5e50f6fa6a6   vagabond1132/centos_7   "/bin/bash"   2 hours ago   Up 2 hours           clever_hypatia
1680f31b1e29   centos                  "/bin/bash"   3 hours ago   Up 3 hours           peaceful_khorana
d9be61c00477   centos                  "/bin/bash"   3 hours ago   Up 3 hours           quizzical_elgamal
```

run: create and start a container:

```bash
sudo docker run -ti vagabond1132/centos_7 /bin/bash
```

Only after a container has been created can exec, start and stop be used on it.

tag: tag an image

```bash
sudo docker tag centos:latest vagabond1132/centos_base_7:latest
```

```text
$ sudo docker images
REPOSITORY                   TAG       IMAGE ID       CREATED       SIZE
vagabond1132/centos_base_7   latest    9f38484d220f   4 weeks ago   202MB
centos                       latest    9f38484d220f   4 weeks ago   202MB
vagabond1132/centos_7        latest    9f38484d220f   4 weeks ago   202MB
```

push: upload an image

```bash
# push takes a single image reference: the name tagged above
sudo docker push vagabond1132/centos_base_7:latest
```

Common run options

| Option | Description |
|--------|-------------|
| -d | Run the container in the background and print the container ID. Without it, the container's log output is printed after start, and Ctrl+C exits the command and stops the container as well. |
| -i | Run the container in interactive mode; usually used together with -t. |
| -t | Allocate a pseudo-TTY for the container; usually used together with -i. |
| --name "anyesu-container" | Give the container a name; a random one is generated if not specified. |
| -h docker-anyesu | Set the container's hostname; random by default. |
| --dns 8.8.8.8 | DNS server the container uses; defaults to the same as the host. |
| -e docker_host=172.17.0.1 | Set an environment variable. |
| --cpuset="0-2" or --cpuset="0,1,2" | Pin the container to the given CPUs. |
| -m 100M | Maximum amount of memory the container may use. |
| --net bridge | Network type for the container; bridge / host / none / container are supported. |
| --ip 172.18.0.13 | Assign a fixed IP to the container (requires a user-defined network). |
| --expose 8081 --expose 8082 | Expose one port or a set of ports; overrides the ports exposed in the image. |
| -p [host port]:[container port] | Port mapping from host to container. The host IP to listen on can be given; the default is 0.0.0.0. |
| -P | Note the capital letter: the host maps a random set of available ports to all ports the container exposes. |
| -v [host dir]:[container dir] | Mount the given host directory (or file) at the given directory (or file) inside the container. |
| --add-host [hostname]:[ip] | Append an entry to the container's hosts file; by default [hostname]:[container ip] is appended at the end of the hosts file. |
| --volumes-from [other container] | Add another container's data volumes to this container. |
| --link [other container]:[alias in this container] | Link to another container: a record for the linked container is added to this container's hosts file, with an effect similar to --add-host. |

Basic commands

| Command | Description |
|---------|-------------|
| attach | Attach to a running container and show its console. Note that exiting from attach stops the container. |
| build | Build an image from a Dockerfile. |
| commit | Commit the changes made in a container as a new image. |
| cp | Copy files between a container and the host. |
| create | Create a new container from an image. |
| diff | Show the changes a container has made relative to the image it was built from. |
| events | Print server-side events in real time. |
| exec | Run a command in a running container. |
| export | Export a container to a local snapshot file. |
| history | Show the changes made in each layer of an image. |
| images | List all local images. |
| import | Import a local container snapshot file as an image. |
| info | Show detailed Docker system information. |
| inspect | Show the configuration of a container or image, as JSON by default. |
| kill | Send a signal to a container with the -s option; the default is SIGKILL (force stop). |
| load | Load an image from an archive. |
| login | Log in to a third-party registry. |
| logout | Log out of a third-party registry. |
| logs | Print a container's console output. |
| pause | Pause a container. |
| port | List a container's port mappings. |
| ps | List running containers; -a shows all containers. |
| pull | Pull an image from a registry. |
| push | Push an image to a registry. |
| rename | Rename a container. |
| restart | Restart a container. |
| rm | Remove stopped containers; -f forces removal of a running container. |
| rmi | Remove an image (all containers built from it must be removed first). |
| run | Create a new container from an image and enter it. |
| save | Pack a local image into an archive for migration. |
| search | Search for images. |
| start | Start a stopped container. |
| stats | Show container resource usage (memory, CPU, disk, etc.). |
| stop | Stop a running container. |
| tag | Change an image's tag. |
| top | Show the processes running in a container (equivalent to running ps -ef inside it). |
| unpause | Resume a paused container. |
| update | Update a container's resource limits (memory, CPU, etc.). |
| version | Show Docker client and server version information. |
| wait | Block until the given container stops, then print its exit code. |
| daemon | This subcommand is deprecated and will be removed after Docker 17.12; use dockerd directly. |

Management commands

| Command | Description |
|---------|-------------|
| container | Manage containers |
| image | Manage images |
| network | Manage container networks (three networks exist by default: bridge, host and none) |
| plugin | Manage plugins |
| system | Manage system resources. docker system prune removes unused images, containers, volumes and networks. |
| volume | Manage volumes |
| swarm | Manage Swarm mode |
| service | Manage services in Swarm mode |
| node | Manage the nodes of a Docker cluster in Swarm mode |
| secret | Manage sensitive data in Swarm mode |
| stack | Manage services from a compose file in Swarm mode |

Writing Dockerfiles

A Dockerfile is a text file containing a series of instructions. Each instruction builds one layer, so the content of each instruction describes how that layer is to be built.

A custom image is always built on top of some base image, just as changes are made on top of an existing container. That base image has to be specified explicitly: FROM names it, so FROM is a required instruction in every Dockerfile and must be the first one.

https://github.com/docker-library/postgres/blob/7e80419825e4bab4e749bc61334570ffc261ea5e/11/Dockerfile

```dockerfile
# vim:set ft=dockerfile:
FROM debian:stretch-slim

RUN set -ex; \
if ! command -v gpg > /dev/null; then \
apt-get update; \
apt-get install -y --no-install-recommends \
gnupg \
dirmngr \
; \
rm -rf /var/lib/apt/lists/*; \
fi

# explicitly set user/group IDs
RUN set -eux; \
groupadd -r postgres --gid=999; \
# https://salsa.debian.org/postgresql/postgresql-common/blob/997d842ee744687d99a2b2d95c1083a2615c79e8/debian/postgresql-common.postinst#L32-35
useradd -r -g postgres --uid=999 --home-dir=/var/lib/postgresql --shell=/bin/bash postgres; \
# also create the postgres user's home directory with appropriate permissions
# see https://github.com/docker-library/postgres/issues/274
mkdir -p /var/lib/postgresql; \
chown -R postgres:postgres /var/lib/postgresql

# grab gosu for easy step-down from root
ENV GOSU_VERSION 1.11
RUN set -x \
&& apt-get update && apt-get install -y --no-install-recommends ca-certificates wget && rm -rf /var/lib/apt/lists/* \
&& wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture)" \
&& wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture).asc" \
&& export GNUPGHOME="$(mktemp -d)" \
&& gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \
&& gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu \
&& { command -v gpgconf > /dev/null && gpgconf --kill all || :; } \
&& rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc \
&& chmod +x /usr/local/bin/gosu \
&& gosu nobody true \
&& apt-get purge -y --auto-remove ca-certificates wget

# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
RUN set -eux; \
if [ -f /etc/dpkg/dpkg.cfg.d/docker ]; then \
grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
sed -ri '/\/usr\/share\/locale/d' /etc/dpkg/dpkg.cfg.d/docker; \
! grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
fi; \
apt-get update; apt-get install -y locales; rm -rf /var/lib/apt/lists/*; \
localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
ENV LANG en_US.utf8

# install "nss_wrapper" in case we need to fake "/etc/passwd" and "/etc/group" (especially for OpenShift)
# https://github.com/docker-library/postgres/issues/359
# https://cwrap.org/nss_wrapper.html
RUN set -eux; \
apt-get update; \
apt-get install -y --no-install-recommends libnss-wrapper; \
rm -rf /var/lib/apt/lists/*

RUN mkdir /docker-entrypoint-initdb.d

RUN set -ex; \
# pub 4096R/ACCC4CF8 2011-10-13 [expires: 2019-07-02]
# Key fingerprint = B97B 0AFC AA1A 47F0 44F2 44A0 7FCC 7D46 ACCC 4CF8
# uid PostgreSQL Debian Repository
key='B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8'; \
export GNUPGHOME="$(mktemp -d)"; \
gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys "$key"; \
gpg --batch --export "$key" > /etc/apt/trusted.gpg.d/postgres.gpg; \
command -v gpgconf > /dev/null && gpgconf --kill all; \
rm -rf "$GNUPGHOME"; \
apt-key list

ENV PG_MAJOR 11
ENV PG_VERSION 11.2-1.pgdg90+1

RUN set -ex; \
\
# see note below about "*.pyc" files
export PYTHONDONTWRITEBYTECODE=1; \
\
dpkgArch="$(dpkg --print-architecture)"; \
case "$dpkgArch" in \
amd64|i386|ppc64el) \
# arches officialy built by upstream
echo "deb http://apt.postgresql.org/pub/repos/apt/ stretch-pgdg main $PG_MAJOR" > /etc/apt/sources.list.d/pgdg.list; \
apt-get update; \
;; \
*) \
# we're on an architecture upstream doesn't officially build for
# let's build binaries from their published source packages
echo "deb-src http://apt.postgresql.org/pub/repos/apt/ stretch-pgdg main $PG_MAJOR" > /etc/apt/sources.list.d/pgdg.list; \
\
case "$PG_MAJOR" in \
9.* | 10 ) ;; \
*) \
# https://github.com/docker-library/postgres/issues/484 (clang-6.0 required, only available in stretch-backports)
# TODO remove this once we hit buster+
echo 'deb http://deb.debian.org/debian stretch-backports main' >> /etc/apt/sources.list.d/pgdg.list; \
;; \
esac; \
\
tempDir="$(mktemp -d)"; \
cd "$tempDir"; \
\
savedAptMark="$(apt-mark showmanual)"; \
\
# build .deb files from upstream's source packages (which are verified by apt-get)
apt-get update; \
apt-get build-dep -y \
postgresql-common pgdg-keyring \
"postgresql-$PG_MAJOR=$PG_VERSION" \
; \
DEB_BUILD_OPTIONS="nocheck parallel=$(nproc)" \
apt-get source --compile \
postgresql-common pgdg-keyring \
"postgresql-$PG_MAJOR=$PG_VERSION" \
; \
# we don't remove APT lists here because they get re-downloaded and removed later
\
# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
# (which is done after we install the built packages so we don't have to redownload any overlapping dependencies)
apt-mark showmanual | xargs apt-mark auto > /dev/null; \
apt-mark manual $savedAptMark; \
\
# create a temporary local APT repo to install from (so that dependency resolution can be handled by APT, as it should be)
ls -lAFh; \
dpkg-scanpackages . > Packages; \
grep '^Package: ' Packages; \
echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list; \
# work around the following APT issue by using "Acquire::GzipIndexes=false" (overriding "/etc/apt/apt.conf.d/docker-gzip-indexes")
# Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
# ...
# E: Failed to fetch store:/var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
apt-get -o Acquire::GzipIndexes=false update; \
;; \
esac; \
\
apt-get install -y postgresql-common; \
sed -ri 's/#(create_main_cluster) .*$/\1 = false/' /etc/postgresql-common/createcluster.conf; \
apt-get install -y \
"postgresql-$PG_MAJOR=$PG_VERSION" \
; \
\
rm -rf /var/lib/apt/lists/*; \
\
if [ -n "$tempDir" ]; then \
# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
apt-get purge -y --auto-remove; \
rm -rf "$tempDir" /etc/apt/sources.list.d/temp.list; \
fi; \
\
# some of the steps above generate a lot of "*.pyc" files (and setting "PYTHONDONTWRITEBYTECODE" beforehand doesn't propagate properly for some reason), so we clean them up manually (as long as they aren't owned by a package)
find /usr -name '*.pyc' -type f -exec bash -c 'for pyc; do dpkg -S "$pyc" &> /dev/null || rm -vf "$pyc"; done' -- '{}' +

# make the sample config easier to munge (and "correct by default")
RUN set -eux; \
dpkg-divert --add --rename --divert "/usr/share/postgresql/postgresql.conf.sample.dpkg" "/usr/share/postgresql/$PG_MAJOR/postgresql.conf.sample"; \
cp -v /usr/share/postgresql/postgresql.conf.sample.dpkg /usr/share/postgresql/postgresql.conf.sample; \
ln -sv ../postgresql.conf.sample "/usr/share/postgresql/$PG_MAJOR/"; \
sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/share/postgresql/postgresql.conf.sample; \
grep -F "listen_addresses = '*'" /usr/share/postgresql/postgresql.conf.sample

RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql

ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
ENV PGDATA /var/lib/postgresql/data
RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" # this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
VOLUME /var/lib/postgresql/data

COPY docker-entrypoint.sh /usr/local/bin/
RUN ln -s usr/local/bin/docker-entrypoint.sh / # backwards compat
ENTRYPOINT ["docker-entrypoint.sh"]

EXPOSE 5432
CMD ["postgres"]
```

RUN: execute commands

The RUN instruction executes command-line commands.

  • shell form: RUN <command>

    ```dockerfile
    RUN echo 'hello,world' > /usr/local/index.txt
    ```
  • exec form: RUN ["executable", "param1", "param2"]

    ```dockerfile
    RUN ["apt-get", "update"]
    ```
```dockerfile
FROM debian:stretch

RUN buildDeps='gcc libc6-dev make wget' \
    && apt-get update \
    && apt-get install -y $buildDeps \
    && wget -O redis.tar.gz "http://download.redis.io/releases/redis-5.0.3.tar.gz" \
    && mkdir -p /usr/src/redis \
    && tar -xzf redis.tar.gz -C /usr/src/redis --strip-components=1 \
    && make -C /usr/src/redis \
    && make -C /usr/src/redis install \
    && rm -rf /var/lib/apt/lists/* \
    && rm redis.tar.gz \
    && rm -r /usr/src/redis \
    && apt-get purge -y --auto-remove $buildDeps
```

First, all of the commands above serve a single purpose: compiling and installing the redis executable. There is no need to create many layers for this; it is the job of one layer. So instead of one RUN per command, a single RUN instruction is used and the individual commands are chained with &&. This collapses the previous 7 layers into 1. When writing a Dockerfile, keep reminding yourself that you are not writing a shell script but defining how each layer is built.

```bash
sudo docker build -t vagabond1132/image_name <context path or URL>
```
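The same single-RUN pattern applied to the redis build above, added here as an example that is not part of the original page or of the image it quotes. It differs from the page's Dockerfile in two points a defender would want: the downloaded tarball is checked against a pinned SHA-256 digest before it is built (REDIS_SHA256 is a placeholder to fill in from the upstream release listing), and the server runs as a dedicated unprivileged user (the name `redis` is an assumption) instead of root.

```dockerfile
FROM debian:stretch

# Pin the version and its published SHA-256. The digest below is a
# placeholder: fill it in from the upstream release listing before building.
ARG REDIS_VERSION=5.0.3
ARG REDIS_SHA256=<sha256-of-redis-5.0.3.tar.gz>

# One RUN, one layer: the build dependencies are installed and purged in
# the same layer, so they never end up in the final image.
RUN set -eux; \
    buildDeps='gcc libc6-dev make wget'; \
    apt-get update; \
    apt-get install -y --no-install-recommends ca-certificates $buildDeps; \
    wget -O redis.tar.gz "https://download.redis.io/releases/redis-${REDIS_VERSION}.tar.gz"; \
    # abort the build if the download does not match the pinned digest
    echo "${REDIS_SHA256} *redis.tar.gz" | sha256sum -c -; \
    mkdir -p /usr/src/redis; \
    tar -xzf redis.tar.gz -C /usr/src/redis --strip-components=1; \
    make -C /usr/src/redis; \
    make -C /usr/src/redis install; \
    rm -rf /var/lib/apt/lists/* redis.tar.gz /usr/src/redis; \
    apt-get purge -y --auto-remove ca-certificates $buildDeps

# Run as a dedicated system user rather than root, the same way the
# postgres Dockerfile above creates its postgres user.
RUN groupadd -r redis --gid=999 \
 && useradd -r -g redis --uid=999 --home-dir=/data --shell=/usr/sbin/nologin redis \
 && mkdir -p /data \
 && chown redis:redis /data

WORKDIR /data
VOLUME /data
USER redis
EXPOSE 6379
# With no bind address and no password configured, redis keeps protected
# mode on and refuses connections from outside the container until the
# operator configures one of the two explicitly.
CMD ["redis-server"]
```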

Changing Docker's default storage location

On CentOS 7, Docker's default storage location is /var/lib/docker.

When the disk is small, the default storage location needs to be changed:

```bash
vim /usr/lib/systemd/system/docker.service

# change the ExecStart line (--graph is the legacy flag; newer releases use
# --data-root, or "data-root" in /etc/docker/daemon.json, for the same purpose)
ExecStart=/usr/bin/dockerd --graph /new-path/docker

# copy the existing data to the new location:
sudo cp -rf /var/lib/docker/* /new-path/docker

# make systemd re-read the changed unit file
systemctl daemon-reload

# restart Docker
systemctl restart docker

### for details, check the log to troubleshoot:
sudo tailf /var/log/messages
```

Starting Docker with --privileged

```bash
# replace the image and --name with your own; --privileged gives the container
# nearly all of the host's capabilities and device access, and is used here to
# run a full init (/usr/sbin/init) inside the container
docker run -d --name rep9 --privileged=true mips-neokylin-hgdb-v4-rep3:latest /usr/sbin/init
```

Creating a container with a fixed IP

bridge: bridged network

By default a Docker container starts on bridge, the bridged network created when Docker was installed. Each time a container restarts it receives the next available IP address in order, so after a restart the container's IP has changed.

none: no network

With --network=none, the container is not assigned an IP on the LAN.

host: host network

With --network=host, the container's network is attached to the host's and the two are shared.
For example, if a web service in the container listens on port 8080, the host's port 8080 is automatically mapped to the container.

```bash
docker network create --subnet=172.18.0.0/16 mynetwork
docker run -itd --name test --network mynetwork --ip 172.18.0.100 mips-neokylin-repmgr:latest /bin/bash

docker exec -ti test /bin/bash
```

```text
[root@node2 ~]# docker exec -ti test /bin/bash
[root@fc2872f990ee /]#
[root@fc2872f990ee /]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
562: eth0@if563: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 02:42:ac:12:00:64 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.18.0.100/16 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe12:64/64 scope link
       valid_lft forever preferred_lft forever
[root@fc2872f990ee /]#
```
```bash
docker run -d -h rep01 --name rep01 --network mynetwork --ip 172.18.0.101 --privileged=true -v /root/highgodb01:/opt/HighGoDB-4.3.4/data mips-neokylin-repmgr /usr/sbin/init
```

```bash
yum -y install openssh-server openssh-clients
yum install initscripts  # provides the service command
```


sshd_config:

```
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
# allow root to log in (sshd rejects trailing comments on a directive line, so the note goes here)
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
#PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
```

Starting sshd

This fails with the following errors:

```text
[root@ b3426410ff43 /]# /usr/sbin/sshd
Could not load host key: /etc/ssh/ssh_host_rsa_key
Could not load host key: /etc/ssh/ssh_host_ecdsa_key
Could not load host key: /etc/ssh/ssh_host_ed25519_key
```

ssh host keys: the fix:

```bash
ssh-keygen -q -t rsa -b 2048 -f /etc/ssh/ssh_host_rsa_key -N ''
ssh-keygen -q -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ''
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ''
```

Save the current container as an image:

```bash
docker commit f0a4438144f0 vagabond1132/centos_ssh
```

List all images:

```text
vagabond1132/centos_ssh   latest    34ed8e303d64   26 seconds ago   294MB
vagabond1132/centos_7     latest    9f38484d220f   4 weeks ago      202MB
vagabond1132/centos_7     ssh       9f38484d220f   4 weeks ago      202MB
```

Start a new container from the new image

```bash
docker run --name conn -d -p 10022:22 vagabond1132/centos_ssh:latest /usr/sbin/sshd -D
```

List containers:

```text
CONTAINER ID   IMAGE                            COMMAND               CREATED             STATUS                        PORTS                   NAMES
957bfd4bc7ca   vagabond1132/centos_ssh:latest   "/usr/sbin/sshd -D"   2 minutes ago       Up 2 minutes                  0.0.0.0:10022->22/tcp   conn
f0a4438144f0   vagabond1132/centos_7:ssh        "/bin/bash"           About an hour ago   Up About an hour                                      ssh
c9e215a6e5f6   vagabond1132/centos_7:latest     "/bin/bash"           4 hours ago         Exited (137) 19 minutes ago                           mytest
```

Check the port mapping: docker port 957bfd4bc7ca

```text
22/tcp -> 0.0.0.0:10022
```

Now you can log in:

```text
ssh root@192.168.102.30 -p 10022
The authenticity of host '[192.168.102.30]:10022 ([192.168.102.30]:10022)' can't be established.
ECDSA key fingerprint is SHA256:2cYMWFEiY1Jdu8tD24188+DGW0j6yc6Va7UY5gzrgnQ.
ECDSA key fingerprint is MD5:b2:16:fd:ab:55:44:4a:76:71:3a:bc:41:b2:58:94:7c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.102.30]:10022' (ECDSA) to the list of known hosts.
root@192.168.102.30's password:
```
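The manual ssh-container steps above (install openssh, generate host keys, commit, run sshd -D) written as a Dockerfile, added here as an example and not taken from the page. Unlike the committed image it does not bake private host keys into an image layer, it admits a dedicated user by public key instead of root by password, and it assumes a file named `authorized_keys` holding the operator's public key in the build context (the user name `app` is also an assumption).

```dockerfile
FROM centos:7

RUN yum -y install openssh-server openssh-clients \
 && yum clean all \
 && rm -rf /var/cache/yum

# Dedicated login user. No password is ever set, so only the public key
# copied below can authenticate. "app" is an assumed name.
RUN useradd -m -s /bin/bash app \
 && mkdir -p /home/app/.ssh \
 && chmod 700 /home/app/.ssh
COPY authorized_keys /home/app/.ssh/authorized_keys
RUN chown -R app:app /home/app/.ssh \
 && chmod 600 /home/app/.ssh/authorized_keys

# Replace the stock sshd_config with a short explicit one instead of the
# page's PermitRootLogin yes / UsePrivilegeSeparation no settings.
# LogLevel VERBOSE records the fingerprint of every key used to log in.
RUN printf '%s\n' \
      'Port 22' \
      'HostKey /etc/ssh/ssh_host_ed25519_key' \
      'HostKey /etc/ssh/ssh_host_rsa_key' \
      'PermitRootLogin no' \
      'PubkeyAuthentication yes' \
      'PasswordAuthentication no' \
      'ChallengeResponseAuthentication no' \
      'UsePAM yes' \
      'AllowUsers app' \
      'X11Forwarding no' \
      'AllowTcpForwarding no' \
      'LogLevel VERBOSE' \
      'Subsystem sftp /usr/libexec/openssh/sftp-server' \
      > /etc/ssh/sshd_config

EXPOSE 22
# Host keys are generated when the container first starts (ssh-keygen -A
# creates any that are missing), so each container gets its own keys and
# none are stored in the image. sshd -t validates the config before
# starting; -e sends the log to stderr, where docker logs can see it.
CMD ["sh", "-c", "ssh-keygen -A && /usr/sbin/sshd -t && exec /usr/sbin/sshd -D -e"]
```

Build it with docker build and run it with the same `-p 10022:22` mapping used above; the first `docker logs` of the container shows the generated host key fingerprints to compare against the ssh client's prompt.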

Docker learning resources

https://www.jianshu.com/p/7c9e2247cfbd
