对于那些对如何使用方式感兴趣的人ssh
,我添加了一个小例子,允许使用ssh
容器之间无
- 处理身份验证密码
- 将私钥/公钥暴露给外部环境或主机
- 可以从外部访问(只有同一 docker 网络内的 docker 容器可以访问)
描述
docker-compose.yml
The docker-compose
文件。它由一些配置组成。
- 我已经分配了我的容器静态IP,这样可以更轻松地访问。
- 我添加了一个卷(
sshdata
)在容器之间共享 ssh 密钥(用于身份验证)。
version: "3.8"
services:
first-service:
build:
context: .
dockerfile: Dockerfile-1
networks:
vpcbr:
ipv4_address: 10.5.0.2
environment:
- SECOND_SERVICE=10.5.0.3
volumes:
- sshdata:/home/developer/.ssh/
second-service:
build:
context: .
dockerfile: Dockerfile-2
networks:
vpcbr:
ipv4_address: 10.5.0.3
volumes:
- sshdata:/home/developer/.ssh/
depends_on:
- first-service
networks:
vpcbr:
driver: bridge
ipam:
config:
- subnet: 10.5.0.0/16
volumes:
sshdata:
Dockerfile
服务的 Dockerfile 是相同的,只是entrypoint.sh
- 脚本不同(见下文)。
FROM ubuntu:latest
# We need some tools
RUN apt-get update && apt-get install -y ssh sudo net-tools
# We want to have another user than `root`
RUN adduser developer
## USER SETUP
# We want to have passwordless sudo access
RUN \
sed -i /etc/sudoers -re 's/^%sudo.*/%sudo ALL=(ALL:ALL) NOPASSWD: ALL/g' && \
sed -i /etc/sudoers -re 's/^root.*/root ALL=(ALL:ALL) NOPASSWD: ALL/g' && \
sed -i /etc/sudoers -re 's/^#includedir.*/## **Removed the include directive** ##"/g' && \
echo "developer ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers; su - developer -c id
# Run now with user developer
USER developer
ADD ./entrypoint-1.sh /entrypoint-1.sh
RUN sudo chmod +x /entrypoint-1.sh
ENTRYPOINT [ "/entrypoint-1.sh" ]
入口点脚本
现在我们来谈谈重要的事情:entrypoint.sh
- 脚本,执行所需的操作设置步骤。我们的第一个容器(first-service
) 应该可以ssh
到我们的第二个容器(second-service
).
为此,我们的第一项服务没有特殊设置。我们只是改变了所有者~/.ssh
具有写入权限的文件夹~/.ssh/known_hosts
(但如果您不想这样做,您可以禁用严格的主机密钥检查)
#!/bin/bash
# ENTRYPOINT FOR SERVICE first-service
# We can now ssh to our other container
# Change the owner of the .ssh folder and it's content
sudo chown -R developer:developer ~/.ssh
# Perform your command
while ! ssh-keyscan -H ${SECOND_SERVICE} >> ~/.ssh/known_hosts
do
echo "Host not up, trying again..."
sleep 1;
done
# -------------------------------------
# Here we can run our command
ssh developer@${SECOND_SERVICE} "ls -l /"
echo "DONE!"
# -------------------------------------
# Here you can do other stuff
tail -f /dev/null
一条值得注意的线是while循环:我们真的不知道我们的第二项服务是什么时候准备好 ssh 连接。我们可以等待,但这并不那么优雅。相反,我们定期尝试连接到第二个容器,直到命令成功。之后它将继续执行实际命令。
最后一件事是entrypoint.sh
-第二个服务的脚本:
#!/bin/bash
# ENTRYPOINT FOR SERVICE second-service
## -- A little bit of setup for ssh
# Starting the server
sudo service ssh start
# Generate a key
sudo ssh-keygen -t rsa -f /home/developer/.ssh/id_rsa
# Change the owner of the .ssh folder and it's content
sudo chown -R developer:developer ~/.ssh
# Add the keys
sudo echo $(cat /home/developer/.ssh/id_rsa.pub) >> ~/.ssh/authorized_keys
# -------------------------------------
# Here we can start doing the stuff
tail -f /dev/null
也许这对某人有帮助。