I am trying to build a hadoop Dockerfile.
In the build process, I added:
&& apt install -y openssh-client \
&& apt install -y openssh-server \
&& ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa \
&& cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys \
&& chmod 0600 ~/.ssh/authorized_keys
&& sed -i '/\#AuthorizedKeysFile/ d' /etc/ssh/sshd_config \
&& echo "AuthorizedKeysFile ~/.ssh/authorized_keys" >> /etc/ssh/sshd_config \
&& /etc/init.d/ssh restart
I assumed that when I ran this container:
docker run -it --rm hadoop/tag bash
I would be able to:
ssh localhost
But I got an error:
ssh: connect to host localhost port 22: Connection refused
If I run this manually inside the container:
/etc/init.d/ssh restart
# or this
service ssh restart
Then I can get connected. I am thinking that this means the sshd restart didn't work.
I am using FROM java in the Dockerfile.
The build process only builds an image. Processes that are run at that time (using RUN) are no longer running after the build, and are not started again when a container is launched using the image.
What you need to do is get sshd to start at container runtime. The simplest way to do that is using an entrypoint script.
Dockerfile:
COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
CMD ["whatever", "your", "command", "is"]
entrypoint.sh:
#!/bin/sh
# Start the ssh server
/etc/init.d/ssh restart
# Execute the CMD
exec "$#"
Rebuild the image using the above, and when you use it to start a container, it should start sshd before running your CMD.
You can also change the base image you start from to something like Phusion baseimage if you prefer. It makes it easy to start some services like syslogd, sshd, that you may wish the container to have running.
Related
I want to setup a very minimalistic alpine linux docker container with the following capabilities:
It runs an ssh server
It copies over a SSH public key of my choice to which I can then authenticate
I looked into various options, and in the end decided to write my own small Dockerfile.
However, I ran into some problems.
Dockerfile
FROM alpine:latest
RUN apk update
RUN apk upgrade
RUN apk add openssh-server
RUN mkdir -p /var/run/sshd
RUN mkdir -p /root/.ssh
ADD authorized_keys /root/.ssh/authorized_keys
ADD entrypoint.sh /entrypoint.sh
RUN chmod 755 /entrypoint.sh
EXPOSE 22
CMD ["/entrypoint.sh"]
entrypoint.sh
#!/bin/sh
/usr/sbin/sshd -D
authorized_keys
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBP8cIHIPgV9QoAaSsYNGHktiP/QnWfKPOeyzjujUXgQMQLBw3jJ1EBe04Lk3FXTMxwrKk3Dxq0VhJ+Od6UwzPDg=
Starting the container gives an error: sshd: no hostkeys available -- exiting.
How can I fix my Dockerfile, to ensure the ssh server is running correctly and the authorized_keys file is there. What am I missing?
In order to start, the SSH daemon does need host keys.
Those does not represents the keys that you are going to use to connect to your container, just the keys that define this specific host.
A host key is a cryptographic key used for authenticating computers in the SSH protocol.
Source: https://www.ssh.com/ssh/host-key
So you have to generate some keys for your host, you can then safely ignore those if you do not really intend to use them.
Generating those keys can be done via
ssh-keygen -A
So in your image, just adding a
RUN ssh-keygen -A
should do.
For the record, here is my own sshd Alpine image:
FROM alpine
RUN apk add --no-cache \
openssh \
&& ssh-keygen -A \
&& mkdir /root/.ssh \
&& chmod 0700 /root/.ssh \
&& echo "root:$(openssl rand 96 | openssl enc -A -base64)" | chpasswd \
&& ln -s /etc/ssh/ssh_host_ed25519_key.pub /root/.ssh/authorized_keys
EXPOSE 22
CMD ["/usr/sbin/sshd", "-D", "-e"]
Extra notes:
I am reusing the SSH keys generated by ssh-keygen -A, exposing them in a volume, this is the reason why I am doing the command:
ln -s /etc/ssh/ssh_host_ed25519_key.pub /root/.ssh/authorized_keys
Because this is just an Ansible node cluster lab, I am SSH'ing this machine as the root user, this is why I need the, quite insecure
echo "root:$(openssl rand 96 | openssl enc -A -base64)" | chpasswd
I'm having a Dockerfile
FROM centos:7
ENV container docker
RUN yum -y update && yum -y install net-tools && yum -y install initscripts && yum -y install epel-release && yum -y install nginx && yum clean all
RUN echo "daemon off;" >> /etc/nginx/nginx.conf
# expose Nginx ports http/https
EXPOSE 80 443
RUN curl https://www.sheldonbrown.com/web_sample1.html > /usr/share/nginx/index.html
RUN mv /usr/share/nginx/index.html /usr/share/nginx/html/index.html -f
RUN mkdir -p /local/nginx
RUN touch /local/nginx/start.sh
RUN chmod 755 /local/nginx/start.sh
RUN echo "#!/bin/bash" >> /local/nginx/start.sh
RUN echo "nginx" >> /local/nginx/start.sh
RUN echo "tail -f /var/log/nginx/access.log" >> /local/nginx/start.sh
ENTRYPOINT ["/bin/bash", "-c", "/local/nginx/start.sh"]
I'm building it with docker build -t "my_nginx" .
And then running it with docker run -i -t --rm -p 8888:80 --name nginx "my_nginx"
https://localhost:8888/ shows the page but no logging is shown.
If I press Ctrl-C, nginx is stopped but the tail on the logging is shown.
If I press Ctrl-C again, the container is gone.
Question: How can I let nginx run AND show the tail on the logging (which is preferably also visible using the "docker logs"-command)
The easiest way to accomplish this is just to use the Docker Hub nginx image, which deals with this for you. A Dockerfile that could be as little as
FROM nginx:1.19
# Specifically use ADD because it will fetch a URL
ADD https://www.sheldonbrown.com/web_sample1.html /usr/share/nginx/html/index.html
If you look at its Dockerfile it actually uses symbolic links to cause Nginx's "normal" logs to go to the container stdout
# forward request and error logs to docker log collector
RUN ln -sf /dev/stdout /var/log/nginx/access.log \
&& ln -sf /dev/stderr /var/log/nginx/error.log
That gets around most of the mechanics in your Dockerfile: you can just run nginx as the main container command without trying to use a second process to cat logs. You can basically trim out the entire last half, and get
FROM centos:7
ENV container docker
RUN yum -y install epel-release \
&& yum -y install net-tools initscripts nginx \
&& yum clean all
RUN echo "daemon off;" >> /etc/nginx/nginx.conf \
&& ln -s /dev/stdout /var/log/nginx/access.log \
&& ln -s /dev/stderr /var/log/nginx/error.log
RUN curl -o /usr/share/nginx/html/index.html https://www.sheldonbrown.com/web_sample1.html
EXPOSE 80 443
CMD ["nginx"]
Yet another possibility here (with any of these images) is to mount your own volume over the container's /var/log/nginx directory. That gives you your own host-visible directory of logs that you can inspect at your convenience.
mkdir logs
docker run -v $PWD/logs:/var/log/nginx -d ...
less logs/access.log
(In the shell script you construct in the Dockerfile, you use the Nginx daemon off directive to run as a foreground process, which means the nginx command will never exit on its own. That in turn means the script never advances to the tail line, which is why you don't get logs out.)
You should remove the tail command from the Dockerfile, run the container with docker run -it -d --rm -p 8888:80 --name nginx "my_nginx" and then use docker logs -f nginx.
I installed docker image - centos 7 on my ubuntu machine. But ssh service not found. so I cant run this service.
[root#990e92224a82 /]# yum install openssh-server openssh-clients
Loaded plugins: fastestmirror, ovl
Loading mirror speeds from cached hostfile
* base: mirror.dhakacom.com
* extras: mirror.dhakacom.com
* updates: mirror.dhakacom.com
Package openssh-server-6.6.1p1-31.el7.x86_64 already installed and latest version
Package openssh-clients-6.6.1p1-31.el7.x86_64 already installed and latest version
Nothing to do
[root#990e92224a82 /]# ss
ssh ssh-agent ssh-keygen sshd ssltap
ssh-add ssh-copy-id ssh-keyscan sshd-keygen
How can I remotely login docker image?
You have to do the following instructions on Dockerfile.
RUN yum install -y sudo wget telnet openssh-server vim git ncurses-term
RUN useradd your_account
RUN mkdir -p /home/your_account/.ssh && chown -R your_account /home/your_account/.ssh/
# Create known_hosts
RUN touch /home/your_account/.ssh/known_hosts
COPY files/authorized_keys /home/your_account/.ssh/
COPY files/config /home/your_account/.ssh/
COPY files/pam.d/sshd /etc/pam.d/sshd
RUN touch /home/your_account/.ssh/environment
RUN chown -R your_account /home/your_account/.ssh
RUN chmod 400 -R /home/your_account/.ssh/*
RUN chmod 700 -R /home/your_account/.ssh/known_hosts
RUN chmod 700 /home/your_account/.ssh/environment
# Enable sshd
COPY files/sshd_config /etc/ssh/
RUN ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
# Add a account into sudoers and this account doesn't need to type his password
COPY files/sudoers /etc/
COPY files/start.sh /root/
I have to remove "pam_nologin.so" on the file /etc/pam.d/sshd, because when I upgrade the openssh-server's version to openssh-server-6.6.1p1-31.el7, the pam_nologin.so will disallow remote login for any users even the file /etc/nologin is not exist.
start.sh
#!/bin/bash
/usr/sbin/sshd -E /tmp/sshd.log
Start centos container
docker run -d -t -p $(sshPort):22 --name $(containerName) $(imageName) /bin/bash
docker exec -d $(containerName) bash -c "sh /root/start.sh"
Login container
ssh $(Docker ip) $(sshPort)
In extend to #puritys
You could do this in the Dockerfile instead
Last in the file:
ENTRYPOINT /usr/sbin/sshd -E /tmp/sshd.log && /bin/bash
Then you will only need to run:
docker run -d -p -t $(sshPort):22 --name $(containerName) $(imageName) /bin/bash
Here is my Dockerfile:
# Pull base image (Ubuntu)
FROM dockerfile/python
# Install socat
RUN \
cd /opt && \
wget http://www.dest-unreach.org/socat/download/socat-1.7.2.4.tar.gz && \
tar xvzf socat-1.7.2.4.tar.gz && \
rm -f socat-1.7.2.4.tar.gz && \
cd socat-1.7.2.4 && \
./configure && \
make && \
make install
RUN \
start-stop-daemon --quiet --oknodo --start --pidfile /run/my.pid --background --make-pidfile \
--exec /opt/socat-1.7.2.4/socat PTY,link=/dev/ttyMY,echo=0,raw,unlink-close=0 \
TCP-LISTEN:9334,reuseaddr,fork
# Define working directory.
WORKDIR /data
# Define default command.
CMD ["bash"]
I build an image from this Dockerfile and run it like this:
docker run -d -t -i myaccount/socat_test
After this I login into the container and check if socat daemon is running. But it is not. I just started playing around with docker. Am I misunderstanding the concept of Dockerfile? I would expect docker to run the socat command when the container starts.
You are confusing RUN and CMD. The RUN command is meant to build up the docker container, as you correctly did with the first one. The second command will also executed when building the container, but not when running it. If you want to execute commands when the docker container is started, you ought to use the CMD command.
More information can be found in the Dockerfile reference. For instance, you could also use ENTRYPOINT in stead of CMD.
Given:
container based on ubuntu:13.10
installed ssh (via apt-get install ssh)
Problem: each when I start container I have to run sshd manually service ssh start
Tried: update-rc.d ssh defaults, but it does not helps.
Question: how to setup container to start sshd service automatically during container start?
Just try:
ENTRYPOINT service ssh restart && bash
in your dockerfile, it works fun for me!
more details here: How to automatically start a service when running a docker container?
Here is a Dockerfile which installs ssh server and runs it:
# Build Ubuntu image with base functionality.
FROM ubuntu:focal AS ubuntu-base
ENV DEBIAN_FRONTEND noninteractive
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
# Setup the default user.
RUN useradd -rm -d /home/ubuntu -s /bin/bash -g root -G sudo ubuntu
RUN echo 'ubuntu:ubuntu' | chpasswd
USER ubuntu
WORKDIR /home/ubuntu
# Build image with Python and SSHD.
FROM ubuntu-base AS ubuntu-with-sshd
USER root
# Install required tools.
RUN apt-get -qq update \
&& apt-get -qq --no-install-recommends install vim-tiny=2:8.1.* \
&& apt-get -qq --no-install-recommends install sudo=1.8.* \
&& apt-get -qq --no-install-recommends install python3-pip=20.0.* \
&& apt-get -qq --no-install-recommends install openssh-server=1:8.* \
&& apt-get -qq clean \
&& rm -rf /var/lib/apt/lists/*
# Configure SSHD.
# SSH login fix. Otherwise user is kicked off after login
RUN sed 's#session\s*required\s*pam_loginuid.so#session optional pam_loginuid.so#g' -i /etc/pam.d/sshd
RUN mkdir /var/run/sshd
RUN bash -c 'install -m755 <(printf "#!/bin/sh\nexit 0") /usr/sbin/policy-rc.d'
RUN ex +'%s/^#\zeListenAddress/\1/g' -scwq /etc/ssh/sshd_config
RUN ex +'%s/^#\zeHostKey .*ssh_host_.*_key/\1/g' -scwq /etc/ssh/sshd_config
RUN RUNLEVEL=1 dpkg-reconfigure openssh-server
RUN ssh-keygen -A -v
RUN update-rc.d ssh defaults
# Configure sudo.
RUN ex +"%s/^%sudo.*$/%sudo ALL=(ALL:ALL) NOPASSWD:ALL/g" -scwq! /etc/sudoers
# Generate and configure user keys.
USER ubuntu
RUN ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519
#COPY --chown=ubuntu:root "./files/authorized_keys" /home/ubuntu/.ssh/authorized_keys
# Setup default command and/or parameters.
EXPOSE 22
CMD ["/usr/bin/sudo", "/usr/sbin/sshd", "-D", "-o", "ListenAddress=0.0.0.0"]
Build with the following command:
docker build --target ubuntu-with-sshd -t ubuntu-with-sshd .
Then run with:
docker run -p 2222:22 ubuntu-with-sshd
To connect to container via local port, run: ssh -v localhost -p 2222.
To check for container IP address, use docker ps and docker inspect.
Here is example of docker-compose.yml file:
---
version: '3.4'
services:
ubuntu-with-sshd:
image: "ubuntu-with-sshd:latest"
build:
context: "."
target: "ubuntu-with-sshd"
networks:
mynet:
ipv4_address: 172.16.128.2
ports:
- "2222:22"
privileged: true # Required for /usr/sbin/init
networks:
mynet:
ipam:
config:
- subnet: 172.16.128.0/24
To run, type:
docker-compose up --build
I think the correct way to do it would follow docker's instructions to dockerizing the ssh service.
And in correlation to the specific question, the following lines added at the end of the dockerfile will achieve what you were looking for:
EXPOSE 22
CMD ["/usr/sbin/sshd", "-D"]
Dockerize a SSHD service
I have created dockerfiler to run ssh inside. I think it is not secure, but for testing/development in DMZ it could be ok:
FROM ubuntu:20.04
USER root
# change root password to `ubuntu`
RUN echo 'root:ubuntu' | chpasswd
ENV DEBIAN_FRONTEND noninteractive
# install ssh server
RUN apt-get update && apt-get install -y \
openssh-server sudo \
&& rm -rf /var/lib/apt/lists/*
# workdir for ssh
RUN mkdir -p /run/sshd
# generate server keys
RUN ssh-keygen -A
# allow root to login
RUN sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/g' /etc/ssh/sshd_config
EXPOSE 22
# run ssh server
CMD ["/usr/sbin/sshd", "-D", "-o", "ListenAddress=0.0.0.0"]
You can start ssh server when starting your container probably. Something like this:
docker run ubuntu /usr/sbin/sshd -D
Check out this official tutorial.
This is what I did:
FROM nginx
# install gosu
# seealso:
# https://docs.docker.com/develop/develop-images/dockerfile_best-practices/
# https://github.com/tianon/gosu/blob/master/INSTALL.md
# https://github.com/tianon/gosu
RUN set -eux; \
apt-get update; \
apt-get install -y gosu; \
rm -rf /var/lib/apt/lists/*; \
# verify that the binary works
gosu nobody true
ENV myenv='default'
RUN apt-get update && apt-get install -y openssh-server
RUN mkdir /var/run/sshd
COPY entrypoint.sh /entrypoint.sh
ENV AIRFLOW_HOME=/usr/local/airflow
RUN mkdir $AIRFLOW_HOME
RUN groupadd --gid 8080 airflow
RUN useradd --uid 8080 --gid 8080 -ms /bin/bash -d $AIRFLOW_HOME airflow
RUN echo 'airflow:mypass' | chpasswd
EXPOSE 22
CMD ["/entrypoint.sh"]
Inside entrypoint.sh:
echo "starting ssh as root"
gosu root service ssh start &
#gosu root /usr/sbin/sshd -D &
echo "starting tail user"
exec gosu airflow tail -f /dev/null
Well, I used the following command to solve that
docker run -i -t mycentos6 /bin/bash -c '/etc/init.d/sshd start && /bin/bash'
First login to your container and write an initialization script /bin/init as following:
# execute in the container
cat <<EOT >> /bin/init
#!/bin/bash
service ssh start
while true; do sleep 1; done
EOT
Then make the root user is permitted to logging via ssh:
# execute in the container
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
Commit the container to a new image after exiting from the container:
# execute in the server
docker commit <YOUR_CONTAINER> <ANY_REPO>:<ANY_TAG>
From now on, as long as you run your container with the following command, the ssh service will be automatically started.
# execute in the server
docker run -it -d --name <NAME> <REPO>:<TAG> /bin/init
docker exec -it <NAME> /bin/bash
Done.
You can try a more elegant way to do that with phusion/baseimage-docker
https://github.com/phusion/baseimage-docker#readme