对于那些对如何使用ssh 的方式感兴趣的人,我添加了一个小示例,它允许在没有容器的情况下使用ssh
- 处理身份验证密码
- 将私钥/公钥暴露给外部环境或主机
- 可以从外部访问(只有同一 docker 网络中的 docker 容器可以访问)
说明
docker-compose.yml
docker-compose 文件。它由一些配置组成。
- 我已经为我的容器分配了静态 IP,这样可以更轻松地访问。
- 我添加了一个卷 (
sshdata) 以在容器之间共享 ssh 密钥(用于身份验证)。
version: "3.8"
services:
first-service:
build:
context: .
dockerfile: Dockerfile-1
networks:
vpcbr:
ipv4_address: 10.5.0.2
environment:
- SECOND_SERVICE=10.5.0.3
volumes:
- sshdata:/home/developer/.ssh/
second-service:
build:
context: .
dockerfile: Dockerfile-2
networks:
vpcbr:
ipv4_address: 10.5.0.3
volumes:
- sshdata:/home/developer/.ssh/
depends_on:
- first-service
networks:
vpcbr:
driver: bridge
ipam:
config:
- subnet: 10.5.0.0/16
volumes:
sshdata:
Dockerfiles
服务的 Dockerfile 相同,只是 entrypoint.sh-scripts 不同(见下文)。
FROM ubuntu:latest
# We need some tools
RUN apt-get update && apt-get install -y ssh sudo net-tools
# We want to have another user than `root`
RUN adduser developer
## USER SETUP
# We want to have passwordless sudo access
RUN \
sed -i /etc/sudoers -re 's/^%sudo.*/%sudo ALL=(ALL:ALL) NOPASSWD: ALL/g' && \
sed -i /etc/sudoers -re 's/^root.*/root ALL=(ALL:ALL) NOPASSWD: ALL/g' && \
sed -i /etc/sudoers -re 's/^#includedir.*/## **Removed the include directive** ##"/g' && \
echo "developer ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers; su - developer -c id
# Run now with user developer
USER developer
ADD ./entrypoint-1.sh /entrypoint-1.sh
RUN sudo chmod +x /entrypoint-1.sh
ENTRYPOINT [ "/entrypoint-1.sh" ]
入口点脚本
现在我们来看看重要的东西:entrypoint.sh-脚本,它执行所需的设置步骤。我们的第一个容器 (first-service) 应该能够 ssh 到我们的第二个容器 (second-service)。
为此,我们的第一个服务没有特殊设置。我们只需将~/.ssh 文件夹的所有者更改为对~/.ssh/known_hosts 的写入权限(但如果您不想这样做,可以禁用严格的主机密钥检查)
#!/bin/bash
# ENTRYPOINT FOR SERVICE first-service
# We can now ssh to our other container
# Change the owner of the .ssh folder and it's content
sudo chown -R developer:developer ~/.ssh
# Perform your command
while ! ssh-keyscan -H ${SECOND_SERVICE} >> ~/.ssh/known_hosts
do
echo "Host not up, trying again..."
sleep 1;
done
# -------------------------------------
# Here we can run our command
ssh developer@${SECOND_SERVICE} "ls -l /"
echo "DONE!"
# -------------------------------------
# Here you can do other stuff
tail -f /dev/null
一个值得注意的行是 while-loop:我们真的不知道我们的第二个服务何时准备好进行 ssh 连接。我们可以等待,但那不是那么优雅。相反,我们会定期尝试连接到第二个容器,直到命令成功。之后它将继续执行实际命令。
最后是entrypoint.sh-第二个服务的脚本:
#!/bin/bash
# ENTRYPOINT FOR SERVICE second-service
## -- A little bit of setup for ssh
# Starting the server
sudo service ssh start
# Generate a key
sudo ssh-keygen -t rsa -f /home/developer/.ssh/id_rsa
# Change the owner of the .ssh folder and it's content
sudo chown -R developer:developer ~/.ssh
# Add the keys
sudo echo $(cat /home/developer/.ssh/id_rsa.pub) >> ~/.ssh/authorized_keys
# -------------------------------------
# Here we can start doing the stuff
tail -f /dev/null
也许这对某人有帮助。