Creating a SUSE 11 SP2 Docker container with an SSH service on Ubuntu 14.04

1. Package the SUSE 11 SP2 system

tar --numeric-owner --exclude=/proc --exclude=/sys -cvf suse.tar /

2. Generate the SUSE Docker image

cat suse.tar | docker import - suse

3. Write the Dockerfile

FROM suse
MAINTAINER KYLIN
RUN mkdir -p /var/run/sshd
RUN sed -i 's/session  required       pam_loginuid.so/#session  required       pam_loginuid.so/g' /etc/pam.d/sshd
RUN sed -i "s/PermitRootLogin without-password/PermitRootLogin yes/" /etc/ssh/sshd_config
RUN sed -i "s/UsePAM yes/UsePAM no/" /etc/ssh/sshd_config
RUN mkdir -p /root/.ssh && chown root.root /root && chmod 700 /root/.ssh
RUN echo 'root:thinker' | chpasswd
EXPOSE 22
CMD /usr/sbin/sshd -D -e

Note: the -e flag sends sshd's debug log to standard error (instead of syslog), so it shows up in the container's output.

4. Build the suse-ssh image

docker build -t suse-ssh ./

Note: ./ is the directory containing the Dockerfile.

5. Run the container in host network mode

docker run --net=host --privileged=true suse-ssh

6. Log in over ssh

ssh -v x.x.x.x

debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to x.x.x.x [x.x.x.x] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1
debug1: match: OpenSSH_5.1 pat OpenSSH_5* compat 0x0c000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
Connection closed by x.x.x.x

The Docker container's log shows:
Server listening on 0.0.0.0 port 22.
Server listening on :: port 22.
cannot write into audit
cannot write into audit
cannot write into audit
cannot write into audit
cannot write into audit
linux_audit_write_entry failed: Operation not permitted

Note: the ssh service port on the Ubuntu 14.04 host had already been changed to a port other than 22, so port 22 on the host belongs to the container's sshd.

7. Diagnosing and fixing the ssh problem

suse11sp2/rhel6 patches openssh-5.1p to disallow logins when the audit subsystem cannot be used (Linux capability audit_write).
For some reason this causes no issue building a rhel6 container on a host, but when doing so on an ubuntu 14.04 host the sshd daemon fails.
Starting the rhel6 container with --privileged=true fixes the ssh login problem on rhel6, but it did not fix it for suse11sp2.
Approach currently adopted:
Rebuild openssh with its audit option disabled so that ssh logins no longer attempt audit writes, replace /usr/sbin/sshd in the SUSE image with the rebuilt binary, and rebuild the suse-ssh image; this resolves the ssh login problem.
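As an added triage helper (not part of the original post), two POSIX shell functions: one classifies an ssh -v transcript plus the container's sshd log into the failure mode seen above, the other decodes a CapEff mask from /proc/<pid>/status to check whether CAP_AUDIT_WRITE is present in the container. The sample logs and the 192.0.2.10 address are constructed.

```shell
#!/bin/sh
# Added triage helpers (not from the original post); sample logs are constructed
# to mirror the ssh -v transcript and container log shown above.

# Does a CapEff mask (hex, as printed in /proc/<pid>/status) include CAP_AUDIT_WRITE
# (bit 29)? Returns 0 if present, 1 if absent, 2 on empty input. Docker's default
# capability set (mask 00000000a80425fb) already includes it, so --privileged adds
# nothing for this bit; absence would point at --cap-drop.
has_cap_audit_write() {
    mask="$1"
    [ -n "$mask" ] || return 2
    [ $(( 0x$mask >> 29 & 1 )) -eq 1 ]
}

# Classify a login attempt from the client transcript (ssh -v) and the sshd log.
# Prints one of: audit, ok, auth-denied, kex-abort, unknown.
classify_ssh_failure() {
    client="$1"
    server="$2"
    # sshd built to require the audit subsystem refuses the session server-side
    if printf '%s\n' "$server" | grep -q 'linux_audit_write_entry failed'; then
        echo audit; return 0
    fi
    if printf '%s\n' "$client" | grep -q 'Authenticated to'; then
        echo ok; return 0
    fi
    if printf '%s\n' "$client" | grep -q 'Permission denied'; then
        echo auth-denied; return 0
    fi
    # server dropped the connection mid key exchange: GEX request sent, no group received
    if printf '%s\n' "$client" | grep -q 'SSH2_MSG_KEX_DH_GEX_REQUEST' &&
       ! printf '%s\n' "$client" | grep -q 'SSH2_MSG_KEX_DH_GEX_GROUP received' &&
       printf '%s\n' "$client" | grep -q 'Connection closed'; then
        echo kex-abort; return 0
    fi
    echo unknown
}

# Constructed samples; 192.0.2.10 is a documentation address standing in for x.x.x.x.
SAMPLE_CLIENT='debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
Connection closed by 192.0.2.10'
SAMPLE_SERVER='Server listening on 0.0.0.0 port 22.
cannot write into audit
linux_audit_write_entry failed: Operation not permitted'
echo "verdict: $(classify_ssh_failure "$SAMPLE_CLIENT" "$SAMPLE_SERVER")"
# Run inside the container to inspect the effective capabilities of its own shell.
capeff=$(awk '/^CapEff:/ {print $2}' /proc/self/status 2>/dev/null || true)
has_cap_audit_write "$capeff" && echo "CAP_AUDIT_WRITE present ($capeff)" ||
    echo "CAP_AUDIT_WRITE absent or unknown ($capeff)"
```

Feed it the real `ssh -v` output and `docker logs` output of the suse-ssh container; a verdict of audit confirms the server-side audit refusal rather than a key-exchange or authentication problem.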
