
Getting two Docker containers to talk to each other over SSH

References

ssh-keygen - 認証用の鍵を生成 - Linuxコマンド (ssh-keygen: generating authentication keys, a Linux command reference)
Compose file version 3 reference
SSH通信って、結局何してるの? (What does SSH communication actually do?)
Compose のネットワーク機能 (Networking in Compose)

What I took from the references

My take: the user logging in to my server brings a hash, the server matches it against a hash it generated in advance for each user, and that proves it really is that person. My server has to know in advance which users will log in (a public key per container). The server generates a cipher for the user logging in and sends it back to that user's machine. The logging-in user decrypts the cipher with the private key that only they hold and generates a hash, then sends that hash back to the server. The server matches the hash it received against the hash it generated in advance for each user; if they match, "fine, log in and do what you need", and if they don't, it denies. Something like that. Incidentally, when the logging-in user creates the private key, a public key apparently gets created along with it, so if that public key is sent to the server ahead of time (sent as authorized_keys) and the server uses it when generating each user's hash, the hash match should prove that the user is who they say they are... I suppose. Maybe I'll also create a user other than root.

Where my reading of the references was wrong

The way of thinking described below is the correct one. Glad I noticed.


SSH public key authentication

ゼロからはじめるLinuxサーバー構築・運用ガイド 動かしながら学ぶWebサーバーの作り方 (a Japanese book: "Linux server construction and operation guide from zero: learn to build a web server by running one")

Preface

At work I connect to servers from Tera Term on Windows, but my understanding went about as far as "it connects with something called SSH". I thought I would build the same thing inside Docker containers. I wanted to automate it, but my shell skills were not up to it yet.

Folder layout

There is no ssh3 folder; I couldn't be bothered.

[oracle@centos tadan]$ tree
.
├── Dockerfile
├── Makefile
├── docker-compose.yml
├── share
│   ├── ssh1
│   └── ssh2
└── tmpl
    └── a.sh

4 directories, 4 files

Setting permissions

On the Docker host. The ownership matters because share/ and tmpl/ are bind-mounted into the containers: oracle (uid 1000) and docker (gid 1001) on the host are the same numeric ids the Dockerfile creates inside the image, so the files show up as oracle:docker in the containers too.

[oracle@centos tadan]$ sudo chown -R oracle:docker share
[oracle@centos tadan]$ sudo chown -R oracle:docker tmpl
[oracle@centos tadan]$ ll
total 20
-rw-r--r--. 1 oracle docker  531 May 11 16:33 Dockerfile
-rw-r--r--. 1 oracle docker   58 May 11 13:25 Makefile
-rw-r--r--. 1 oracle docker  962 May 11 16:25 docker-compose.yml
drwxr-xr-x. 4 oracle docker 4096 May 11 16:08 share
drwxr-xr-x. 2 oracle docker 4096 May 11 16:19 tmpl

Dockerfile

If I make the image log in as the oracle user, permissions get messy, so I stay with the default, root. I think su didn't work either.

[oracle@centos tadan]$ cat D*
FROM centos:latest

# One layer, chained with && so a failed install aborts the build. (The original
# used backslash continuations without &&, which made this a single yum command
# with the later "yum install -y" words passed along as package names; it
# happened to work.)
RUN yum install -y iputils net-tools iproute vim tree lsof expect \
        openssh-server openssh-clients \
    && yum clean all

ENV TZ='Asia/Tokyo'

# Same numeric ids as oracle:docker on the host, so the bind-mounted ~/.ssh
# is owned by oracle inside the container.
RUN groupadd -g 1001 docker
RUN useradd -m -g docker -u 1000 oracle

# Lab only: these passwords are recorded in the image's layer history
# (docker history), and they are what the password logins later in this
# post actually use.
RUN echo 'ORACLE_PWD' | passwd --stdin oracle
RUN echo 'ORACLE_PWD' | passwd --stdin root

RUN mkdir -p /home/oracle/.ssh

#USER oracle
#WORKDIR /home/oracle
# sshd listens on 22; the original said 20, which is why "docker ps" showed 20/tcp.
EXPOSE 22
CMD ["/sbin/init"]

Makefile

Aliases for docker-compose up/down (the recipe lines must be indented with a tab).

[oracle@centos tadan]$ cat M*
CMD=docker-compose
up:
	@$(CMD) up -d
down:
	@$(CMD) down

docker-compose.yml

The ssh3 container is not started this time. Two things worth knowing about this file: `privileged: true` is there so that `/sbin/init` (systemd) can run inside the container, but it also gives root in the container unrestricted access to the host's devices; and the `ports` entries publish each container's sshd on host ports 1 and 2 on every host interface (`0.0.0.0`, as `docker ps` shows below), which is not needed for the container-to-container logins in this post, since those go over `ssh_net` directly.

[oracle@centos tadan]$ docker --version
Docker version 18.09.5, build e8ff056
[oracle@centos tadan]$ cat d*
version: '3.7'
services:
  ssh_saba1:
    image: centos_ssh
    container_name: ssh1
    #command: bash -c "echo hoge"
    # needed only so /sbin/init (systemd) can run; also grants the container
    # root full access to host devices
    privileged: true
    volumes:
      -  /home/oracle/tadan/share/ssh1:/home/oracle/.ssh
      -  /home/oracle/tadan/tmpl:/home/oracle/.ssh/tmpl
    networks:
      ssh_net:
        ipv4_address: 192.168.100.101
    # host port 1 -> container 22 on all host interfaces; not used by the
    # container-to-container logins, which go over ssh_net
    ports:
      - '1:22'
  ssh_saba2:
    image: centos_ssh
    container_name: ssh2
    #command: bash -c "echo hoge"
    privileged: true
    volumes:
      -  /home/oracle/tadan/share/ssh2:/home/oracle/.ssh
      -  /home/oracle/tadan/tmpl:/home/oracle/.ssh/tmpl
    networks:
      ssh_net:
        ipv4_address: 192.168.100.102
    ports:
      - '2:22'
#  ssh_saba3:
#    image: centos_ssh
#    container_name: ssh3
#    #command: bash -c "echo hoge"
#    privileged: true
#    volumes:
#      -  /home/oracle/tadan/share/ssh3:/home/oracle/.ssh
#      -  /home/oracle/tadan/tmpl:/home/oracle/.ssh/tmpl
#    networks:
#      ssh_net:
#        ipv4_address: 192.168.100.103
#    ports:
#      - '3:22'
networks:
  ssh_net:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 192.168.100.0/24

a.sh

The script kicked off inside each container; it generates the SSH public/private key pair per container. What is left is the remnant of my attempt at automating it with expect. (expect is not actually needed for this: `ssh-keygen -t rsa -N '' -f ~/.ssh/id_rsa` answers the same three prompts non-interactively.)

[oracle@centos tadan]$ cat t*/a*
#!/bin/bash
# Generate an RSA key pair for the current user by answering ssh-keygen's three
# prompts (file name, passphrase, confirmation) with an empty line each.
# An empty PASSPHRASE means the private key is stored unencrypted on disk.
# (The original used the name PWD, which clobbers bash's working-directory variable.)
PASSPHRASE=""
expect -c "
spawn ssh-keygen -t rsa
expect \"Enter\"
send \"${PASSPHRASE}\n\"
expect \"Enter\"
send \"${PASSPHRASE}\n\"
expect \"Enter\"
send \"${PASSPHRASE}\n\"
expect eof
exit 0
"

Building the centos_ssh image

I had seen somewhere that Dockerfiles have a multi-stage build feature that can shrink the image, and tried it, but couldn't get the hang of it.

[oracle@centos tadan]$ docker build -t centos_ssh .
[oracle@centos tadan]$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
centos_ssh          latest              43f44c1e64a5        11 seconds ago      360MB
centos              latest              9f38484d220f        8 weeks ago         202MB

Network check before starting the containers

I like networking. Before `make up` the host has only docker0 (172.17.0.1/16) and libvirt's virbr0, and the nat POSTROUTING chain masquerades just those two subnets.

[oracle@centos tadan]$ brctl show
bridge name	bridge id		STP enabled	interfaces
docker0		8000.0242818de210	no		
virbr0		8000.5254006a2171	yes		virbr0-nic
[oracle@centos tadan]$ ip a show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:d8:61:2c:f1:5b brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.109/24 brd 192.168.1.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::ccc0:20d4:3aed:ca75/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: virbr0:  mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:6a:21:71 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
4: virbr0-nic:  mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000
    link/ether 52:54:00:6a:21:71 brd ff:ff:ff:ff:ff:ff
6: docker0:  mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:81:8d:e2:10 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:81ff:fe8d:e210/64 scope link 
       valid_lft forever preferred_lft forever


[oracle@centos tadan]$ sudo iptables -t nat -L -n | grep -A 10 "Chain POSTROUTING"
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0           
RETURN     all  --  192.168.122.0/24     224.0.0.0/24        
RETURN     all  --  192.168.122.0/24     255.255.255.255     
MASQUERADE  tcp  --  192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
MASQUERADE  udp  --  192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
MASQUERADE  all  --  192.168.122.0/24    !192.168.122.0/24    
POSTROUTING_direct  all  --  0.0.0.0/0            0.0.0.0/0           
POSTROUTING_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
POSTROUTING_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           

Starting the containers

With make. The `20/tcp` in the PORTS column is the Dockerfile's `EXPOSE 20`, which is only metadata; sshd listens on 22, and that is the port the `1->22` and `2->22` mappings target.

[oracle@centos tadan]$ docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
[oracle@centos tadan]$ make up
Creating network "tadan_ssh_net" with driver "bridge"
Creating ssh1 ... done
Creating ssh2 ... done
[oracle@centos tadan]$ docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS                       NAMES
4f8438a2804d        centos_ssh          "/sbin/init"        3 minutes ago       Up 3 minutes        20/tcp, 0.0.0.0:2->22/tcp   ssh2
6a3e6a11fc2e        centos_ssh          "/sbin/init"        3 minutes ago       Up 3 minutes        20/tcp, 0.0.0.0:1->22/tcp   ssh1

Network check after starting the containers

docker0 is not used. The containers attach to the bridge Compose created for `ssh_net` (`br-c37740979afc`, 192.168.100.1/24 on the host side), one veth per container, and Docker added a `MASQUERADE` rule for 192.168.100.0/24 at the top of the nat POSTROUTING chain so the containers can reach outside. It is a bridge, not a router: the host does the routing and the NAT.

[oracle@centos tadan]$ brctl show
bridge name	bridge id		STP enabled	interfaces
br-c37740979afc		8000.0242636f83e9	no		veth0e21071
							veth75a278d
docker0		8000.0242818de210	no		
virbr0		8000.5254006a2171	yes		virbr0-nic
[oracle@centos tadan]$ ip a show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:d8:61:2c:f1:5b brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.109/24 brd 192.168.1.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::ccc0:20d4:3aed:ca75/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: virbr0:  mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:6a:21:71 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
4: virbr0-nic:  mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000
    link/ether 52:54:00:6a:21:71 brd ff:ff:ff:ff:ff:ff
6: docker0:  mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:81:8d:e2:10 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:81ff:fe8d:e210/64 scope link 
       valid_lft forever preferred_lft forever
358: br-c37740979afc:  mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:63:6f:83:e9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.1/24 brd 192.168.100.255 scope global br-c37740979afc
       valid_lft forever preferred_lft forever
    inet6 fe80::42:63ff:fe6f:83e9/64 scope link 
       valid_lft forever preferred_lft forever
360: veth75a278d@if359:  mtu 1500 qdisc noqueue master br-c37740979afc state UP group default 
    link/ether 32:55:ae:38:be:ed brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::3055:aeff:fe38:beed/64 scope link 
       valid_lft forever preferred_lft forever
362: veth0e21071@if361:  mtu 1500 qdisc noqueue master br-c37740979afc state UP group default 
    link/ether 02:b8:bf:1a:82:a9 brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 fe80::b8:bfff:fe1a:82a9/64 scope link 
       valid_lft forever preferred_lft forever


[oracle@centos tadan]$ sudo iptables -t nat -L -n | grep -A 10 "Chain POSTROUTING"
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  192.168.100.0/24     0.0.0.0/0           
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0           
RETURN     all  --  192.168.122.0/24     224.0.0.0/24        
RETURN     all  --  192.168.122.0/24     255.255.255.255     
MASQUERADE  tcp  --  192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
MASQUERADE  udp  --  192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
MASQUERADE  all  --  192.168.122.0/24    !192.168.122.0/24    
POSTROUTING_direct  all  --  0.0.0.0/0            0.0.0.0/0           
POSTROUTING_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           

Kicking off a.sh

Create a public/private key pair in each container. This is the tedious part, and it would be easy to forget `su oracle`: the key has to be generated as oracle so that it lands in /home/oracle/.ssh (the bind-mounted share/ssh1 or share/ssh2 directory) and is owned by uid 1000, which is the user the later logins as oracle will use.

[oracle@centos tadan]$ docker exec -it ssh1 /bin/bash
[root@6a3e6a11fc2e /]# whoami
root
[root@6a3e6a11fc2e /]# id
uid=0(root) gid=0(root) groups=0(root)
[root@6a3e6a11fc2e ~]# su oracle
[oracle@6a3e6a11fc2e root]$ cd ~ && pwd
/home/oracle
[oracle@6a3e6a11fc2e ~]$ cd .ssh
[oracle@6a3e6a11fc2e .ssh]$ ll
total 4
drwxr-xr-x. 2 oracle docker 4096 May 11 16:19 tmpl
[oracle@6a3e6a11fc2e .ssh]$ cd tmpl
[oracle@6a3e6a11fc2e tmpl]$ ll
total 4
-rwxr-xr-x. 1 oracle docker 185 May 11 16:13 a.sh
[oracle@6a3e6a11fc2e tmpl]$ id
uid=1000(oracle) gid=1001(docker) groups=1001(docker)
[oracle@6a3e6a11fc2e tmpl]$ ./a.sh
spawn ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/oracle/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/oracle/.ssh/id_rsa.
Your public key has been saved in /home/oracle/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:qq8h9ksNyw0iBJMkC6MTkyv4lWoxMptVYB/kzKZ143w oracle@6a3e6a11fc2e
The key's randomart image is:
+---[RSA 2048]----+
|X+ooo            |
|BB =..           |
|=o .B.o          |
|B.++o+ .         |
|oBo=o o E        |
|o.+o * o         |
| .o = +          |
| . + o           |
|    =+.          |
+----[SHA256]-----+
[oracle@6a3e6a11fc2e tmpl]$ cd -
/home/oracle/.ssh
[oracle@6a3e6a11fc2e .ssh]$ ll
total 12
-rw-------. 1 oracle docker 1679 May 11 17:32 id_rsa
-rw-r--r--. 1 oracle docker  401 May 11 17:32 id_rsa.pub
drwxr-xr-x. 2 oracle docker 4096 May 11 16:19 tmpl
[oracle@6a3e6a11fc2e .ssh]$ exit
[root@6a3e6a11fc2e ~]# exit
[oracle@centos tadan]$ docker exec -it ssh2 /bin/bash
[root@4f8438a2804d /]# whoami
root
[root@4f8438a2804d /]# id
uid=0(root) gid=0(root) groups=0(root)
[root@4f8438a2804d /]# su oracle
[oracle@4f8438a2804d /]$ whoami
oracle
[oracle@4f8438a2804d /]$ id
uid=1000(oracle) gid=1001(docker) groups=1001(docker)
[oracle@4f8438a2804d /]$ cd ~ && pwd
/home/oracle
[oracle@4f8438a2804d ~]$ cd .ssh
[oracle@4f8438a2804d .ssh]$ ll
total 4
drwxr-xr-x. 2 oracle docker 4096 May 11 16:19 tmpl
[oracle@4f8438a2804d .ssh]$ cd tmpl
[oracle@4f8438a2804d tmpl]$ ll
total 4
-rwxr-xr-x. 1 oracle docker 185 May 11 16:13 a.sh
[oracle@4f8438a2804d tmpl]$ ./a.sh
spawn ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/oracle/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/oracle/.ssh/id_rsa.
Your public key has been saved in /home/oracle/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:a7sPCgRI/k9/g8S8xn/bxI7OrvdFttxbFwuDTqL83Ys oracle@4f8438a2804d
The key's randomart image is:
+---[RSA 2048]----+
| .               |
|o.               |
|...              |
|  ..  o     .    |
|   ... +S. o o + |
|   .o = +.+ . * =|
|    .. O+o . o =+|
|     ..o+o+oB . +|
|      . o*BEo*.. |
+----[SHA256]-----+
[oracle@4f8438a2804d tmpl]$ cd -
/home/oracle/.ssh
[oracle@4f8438a2804d .ssh]$ ll
total 12
-rw-------. 1 oracle docker 1675 May 11 17:33 id_rsa
-rw-r--r--. 1 oracle docker  401 May 11 17:33 id_rsa.pub
drwxr-xr-x. 2 oracle docker 4096 May 11 16:19 tmpl
[oracle@4f8438a2804d .ssh]$ exit
[root@4f8438a2804d /]# exit

Creating authorized_keys on the Docker host

Distribute each container's public key to the other. `cp` creates a fresh authorized_keys, which is fine for two containers; with more peers the public keys would have to be appended (`cat ... >> authorized_keys`) rather than copied over. Because the share directories are bind-mounted as /home/oracle/.ssh, the file is visible inside the containers immediately. Note that this only covers logins as oracle; root's /root/.ssh gets no authorized_keys.

[oracle@centos tadan]$ tree
.
├── Dockerfile
├── Makefile
├── docker-compose.yml
├── share
│   ├── ssh1
│   │   ├── id_rsa
│   │   ├── id_rsa.pub
│   │   └── tmpl
│   └── ssh2
│       ├── id_rsa
│       ├── id_rsa.pub
│       └── tmpl
└── tmpl
    └── a.sh

6 directories, 8 files
[oracle@centos tadan]$ cp ./share/ssh1/id_rsa.pub ./share/ssh2/authorized_keys
[oracle@centos tadan]$ diff ./share/ssh1/id_rsa.pub ./share/ssh2/authorized_keys
[oracle@centos tadan]$ tree
.
├── Dockerfile
├── Makefile
├── docker-compose.yml
├── share
│   ├── ssh1
│   │   ├── id_rsa
│   │   ├── id_rsa.pub
│   │   └── tmpl
│   └── ssh2
│       ├── authorized_keys
│       ├── id_rsa
│       ├── id_rsa.pub
│       └── tmpl
└── tmpl
    └── a.sh

6 directories, 9 files
[oracle@centos tadan]$ cp ./share/ssh2/id_rsa.pub ./share/ssh1/authorized_keys
[oracle@centos tadan]$ diff ./share/ssh2/id_rsa.pub ./share/ssh1/authorized_keys
[oracle@centos tadan]$ tree
.
├── Dockerfile
├── Makefile
├── docker-compose.yml
├── share
│   ├── ssh1
│   │   ├── authorized_keys
│   │   ├── id_rsa
│   │   ├── id_rsa.pub
│   │   └── tmpl
│   └── ssh2
│       ├── authorized_keys
│       ├── id_rsa
│       ├── id_rsa.pub
│       └── tmpl
└── tmpl
    └── a.sh

6 directories, 10 files
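One way to do both of the previous steps (the per-container a.sh run and the hand-copied authorized_keys) from the Docker host in a single pass, for any number of containers, as an added example that is not the post's own script: it assumes the post's share/<name> layout, key comments of the form `oracle@<name>`, and that it runs as the host user whose uid the container's oracle maps to (1000 in the post) so the files are owned correctly inside the containers. It needs ssh-keygen on the host.

```shell
#!/bin/sh
# Added example, not the post's own script. For every share/<name>/ it generates
# a key pair if none exists, then rebuilds that directory's authorized_keys from
# every OTHER directory's public key, with the permissions sshd's StrictModes
# expects. Assumed: the share/<name> layout of the post, key comments
# oracle@<name>, and that the caller's uid matches the container's oracle user.
set -eu

# ssh-keygen with -N '' (empty passphrase, as a.sh used) and -f answers the
# three prompts a.sh drove with expect, so expect is not needed.
generate_keys() {  # generate_keys <share-dir>
    share=$1
    for d in "$share"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue
        chmod 700 "$d"      # ~/.ssh must not be group/world-writable or sshd ignores it
        [ -f "$d/id_rsa" ] || ssh-keygen -q -t rsa -N '' -C "oracle@$(basename "$d")" -f "$d/id_rsa"
    done
}

# authorized_keys for each container = the public keys of all the other
# containers. The post's cp works for two containers but overwrites with more;
# this appends one line per peer and never includes a container's own key.
distribute_keys() {  # distribute_keys <share-dir>
    share=$1
    for target in "$share"/*/; do
        target=${target%/}
        [ -d "$target" ] || continue
        : > "$target/authorized_keys"
        for peer in "$share"/*/; do
            peer=${peer%/}
            [ "$peer" = "$target" ] && continue
            cat "$peer/id_rsa.pub" >> "$target/authorized_keys"
        done
        chmod 600 "$target/authorized_keys"
    done
}

# Number of peer keys trusted by share/<name> (one key per line).
authorized_count() {  # authorized_count <share-dir> <name>
    grep -c '^ssh-' "$1/$2/authorized_keys"
}

# Demo on a constructed tree of three containers, including the ssh3 the post left out.
if command -v ssh-keygen >/dev/null 2>&1; then
    DEMO=$(mktemp -d)
    mkdir -p "$DEMO/share/ssh1" "$DEMO/share/ssh2" "$DEMO/share/ssh3"
    generate_keys "$DEMO/share"
    distribute_keys "$DEMO/share"
    for n in ssh1 ssh2 ssh3; do
        echo "$n trusts $(authorized_count "$DEMO/share" "$n") peers"
    done
    rm -rf "$DEMO"
else
    echo "ssh-keygen not found; skipping demo" >&2
fi
```

Against the post's tree you would call `generate_keys ./share && distribute_keys ./share` before `make up`, or after it (the bind mounts make the files visible in the running containers). Re-running is safe: existing key pairs are kept and only authorized_keys is rebuilt.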

Confirming the sshd service is running

sshd starts on its own under systemd in the container (`/sbin/init` is the CMD and the unit is `enabled`) and listens on 22, which is where the host port mappings point.

[oracle@centos tadan]$ docker exec -it ssh1 /bin/bash
[root@6a3e6a11fc2e /]# systemctl status sshd.service
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2019-05-11 17:19:39 JST; 18min ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 1794 (sshd)
   CGroup: /docker/6a3e6a11fc2e4d26e1c0d521f6a1cee66c28352f71820538e4ceb18d06b95286/system.slice/sshd.service
           └─1794 /usr/sbin/sshd -D
           ‣ 1794 /usr/sbin/sshd -D

May 11 17:19:39 6a3e6a11fc2e systemd[1]: Starting OpenSSH server daemon...
May 11 17:19:39 6a3e6a11fc2e sshd[1794]: Server listening on 0.0.0.0 port 22.
May 11 17:19:39 6a3e6a11fc2e sshd[1794]: Server listening on :: port 22.
May 11 17:19:39 6a3e6a11fc2e systemd[1]: Started OpenSSH server daemon.
[root@6a3e6a11fc2e /]# lsof -i:22 -P
COMMAND  PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
sshd    1794 root    3u  IPv4 1670476      0t0  TCP *:22 (LISTEN)
sshd    1794 root    4u  IPv6 1670485      0t0  TCP *:22 (LISTEN)
[root@6a3e6a11fc2e /]# exit
[oracle@centos tadan]$ docker exec -it ssh2 /bin/bash
[root@4f8438a2804d /]# systemctl status sshd.service
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2019-05-11 17:19:40 JST; 18min ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 1915 (sshd)
   CGroup: /docker/4f8438a2804da37b2b2334f4982bd58c8eb310402a9765991eb667d79988d75e/system.slice/sshd.service
           └─1915 /usr/sbin/sshd -D
           ‣ 1915 /usr/sbin/sshd -D

May 11 17:19:39 4f8438a2804d systemd[1]: Starting OpenSSH server daemon...
May 11 17:19:40 4f8438a2804d sshd[1915]: Server listening on 0.0.0.0 port 22.
May 11 17:19:40 4f8438a2804d sshd[1915]: Server listening on :: port 22.
May 11 17:19:40 4f8438a2804d systemd[1]: Started OpenSSH server daemon.
[root@4f8438a2804d /]# lsof -i:22 -P
COMMAND  PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
sshd    1915 root    3u  IPv4 1671407      0t0  TCP *:22 (LISTEN)
sshd    1915 root    4u  IPv6 1671409      0t0  TCP *:22 (LISTEN)

Logging in from ssh1 to root on ssh2

It worked, but look at what authenticated: the `root@ssh2's password:` prompt means this session used password authentication with the root password set in the Dockerfile, not the key pair. The key generated above belongs to oracle, and this client runs as root inside ssh1, which has nothing under /root/.ssh, so the authorized_keys exchange is not exercised here. Also note that `ssh2` resolved to 192.168.100.102 without any /etc/hosts entry: Docker's embedded DNS resolves container and service names on the user-defined `ssh_net` network.

[oracle@centos tadan]$ docker exec -it ssh1 /bin/bash
[root@6a3e6a11fc2e /]# ssh root@ssh2 
The authenticity of host 'ssh2 (192.168.100.102)' can't be established.
ECDSA key fingerprint is SHA256:YLGhVCPZjqdyU07cP241x2pJiuWc6eG25aAbrruLxdg.
ECDSA key fingerprint is MD5:14:c5:03:e2:e4:93:7f:99:b7:4b:3b:c3:df:78:5e:c4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ssh2,192.168.100.102' (ECDSA) to the list of known hosts.
root@ssh2's password: 
[root@4f8438a2804d ~]# whoami
root
[root@4f8438a2804d ~]# id
uid=0(root) gid=0(root) groups=0(root)
[root@4f8438a2804d ~]# ip a show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
361: eth0@if362:  mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:c0:a8:64:66 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.100.102/24 brd 192.168.100.255 scope global eth0
       valid_lft forever preferred_lft forever
[root@4f8438a2804d ~]# logout
Connection to ssh2 closed.

Logging in from ssh1 to oracle on ssh2

It worked, again by password (`oracle@192.168.100.102's password:`). ssh2's /home/oracle/.ssh/authorized_keys does hold ssh1's oracle key, but the client is still root in ssh1, so it never offered /home/oracle/.ssh/id_rsa. To actually use the key, run `su - oracle` in ssh1 first and then `ssh oracle@192.168.100.102`; with the files as set up above there should be no password prompt.

[root@6a3e6a11fc2e /]# ssh oracle@192.168.100.102
oracle@192.168.100.102's password: 
Last login: Sat May 11 08:32:54 2019
[oracle@4f8438a2804d ~]$ whoami
oracle
[oracle@4f8438a2804d ~]$ id
uid=1000(oracle) gid=1001(docker) groups=1001(docker)
[oracle@4f8438a2804d ~]$ ip a show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
361: eth0@if362:  mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:c0:a8:64:66 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.100.102/24 brd 192.168.100.255 scope global eth0
       valid_lft forever preferred_lft forever

[oracle@4f8438a2804d ~]$ logout
Connection to 192.168.100.102 closed.
[root@6a3e6a11fc2e /]# exit

Logging in from ssh2 to root on ssh1

It worked, by password again (`root@ssh1's password:`): root has no key pair and no authorized_keys in either container, so this can only be the image password.

[oracle@centos tadan]$ docker exec -it ssh2 /bin/bash
[root@4f8438a2804d /]# ssh root@ssh1
The authenticity of host 'ssh1 (192.168.100.101)' can't be established.
ECDSA key fingerprint is SHA256:m9E3P8+t6PNN7QQ1QHaq7xn2zdOWJ36pNBfogyP0QEk.
ECDSA key fingerprint is MD5:5a:f2:d3:9d:75:4e:b4:1d:28:3e:d5:9c:9e:4e:48:3b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ssh1,192.168.100.101' (ECDSA) to the list of known hosts.
root@ssh1's password: 
[root@6a3e6a11fc2e ~]# whoami
root
[root@6a3e6a11fc2e ~]# id
uid=0(root) gid=0(root) groups=0(root)
[root@6a3e6a11fc2e ~]# ip a show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
359: eth0@if360:  mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:c0:a8:64:65 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.100.101/24 brd 192.168.100.255 scope global eth0
       valid_lft forever preferred_lft forever
[root@6a3e6a11fc2e ~]# logout
Connection to ssh1 closed.

Logging in from ssh2 to oracle on ssh1

It worked, and as before via password rather than the key, because the client is root in ssh2. Running `su - oracle` first and then `ssh oracle@192.168.100.101` would present ssh2's oracle key, which is what ssh1's /home/oracle/.ssh/authorized_keys contains.

[root@4f8438a2804d /]# ssh oracle@192.168.100.101
oracle@192.168.100.101's password: 
Last login: Sat May 11 08:30:13 2019
[oracle@6a3e6a11fc2e ~]$ whoami
oracle
[oracle@6a3e6a11fc2e ~]$ id
uid=1000(oracle) gid=1001(docker) groups=1001(docker)
[oracle@6a3e6a11fc2e ~]$ ip a show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
359: eth0@if360:  mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:c0:a8:64:65 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.100.101/24 brd 192.168.100.255 scope global eth0
       valid_lft forever preferred_lft forever
[oracle@6a3e6a11fc2e ~]$ logout
Connection to 192.168.100.101 closed.
[root@4f8438a2804d /]# exit
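The password prompts in all four transcripts are the thing to fix before this setup can be called key-based. sshd decides that with a handful of sshd_config directives, and the stock CentOS 7 configuration (what the centos image of the time carried) leaves PasswordAuthentication and PermitRootLogin enabled, which is consistent with what the transcripts show. The script below is an added example, not from the post: it reads the effective value of those directives the way sshd does (first occurrence wins, built-in default when the directive is absent), flags the weak ones, and shows a hardened fragment next to a constructed excerpt of the lab's effective settings. Nothing here touches a real sshd; both config texts are constructed, and Match blocks are not handled.

```shell
#!/bin/sh
# Added example, not code from the post. Reports the effective value of the
# sshd_config directives that decide whether the authorized_keys exchange is
# ever required, and flags weak ones. Rules mirrored from sshd_config(5): the
# FIRST occurrence of a directive wins, and an absent directive takes the
# built-in default (PasswordAuthentication yes, PermitRootLogin
# prohibit-password, PubkeyAuthentication yes, PermitEmptyPasswords no).
# Match blocks are not handled; the two config texts below are constructed.
set -u

sshd_effective() {  # sshd_effective <Directive> <config-file>
    val=$(awk -v k="$1" 'tolower($1) == tolower(k) && $1 !~ /^#/ { print $2; exit }' "$2")
    if [ -n "$val" ]; then echo "$val"; return; fi
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        passwordauthentication) echo yes ;;
        permitrootlogin)        echo prohibit-password ;;
        pubkeyauthentication)   echo yes ;;
        permitemptypasswords)   echo no ;;
        *)                      echo unknown ;;
    esac
}

# Print one line per weak setting; return 0 only if the file is clean.
audit_sshd_config() {  # audit_sshd_config <config-file>
    f=$1; weak=0
    v=$(sshd_effective PasswordAuthentication "$f")
    [ "$v" = no ] || { echo "WEAK PasswordAuthentication=$v: a key is never required"; weak=1; }
    v=$(sshd_effective PermitRootLogin "$f")
    case "$v" in
        no|prohibit-password|without-password) ;;
        *) echo "WEAK PermitRootLogin=$v: root can log in with the password baked into the image"; weak=1 ;;
    esac
    v=$(sshd_effective PubkeyAuthentication "$f")
    [ "$v" = yes ] || { echo "WEAK PubkeyAuthentication=$v: authorized_keys is ignored"; weak=1; }
    v=$(sshd_effective PermitEmptyPasswords "$f")
    [ "$v" = no ] || { echo "WEAK PermitEmptyPasswords=$v"; weak=1; }
    return "$weak"
}

# Constructed excerpt matching what the transcripts show the lab containers
# doing (root and oracle both logged in with passwords).
LAB_CONFIG=$(mktemp)
cat > "$LAB_CONFIG" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
EOF

# Hardened version: keys only, root by key or not at all.
HARDENED_CONFIG=$(mktemp)
cat > "$HARDENED_CONFIG" <<'EOF'
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
EOF

echo "--- lab sshd_config";      audit_sshd_config "$LAB_CONFIG" || echo "(fix before trusting the key setup)"
echo "--- hardened sshd_config"; audit_sshd_config "$HARDENED_CONFIG" && echo "no weak settings"
```

After editing /etc/ssh/sshd_config in a container, `sshd -t` checks the syntax and `systemctl restart sshd` applies it; `sshd -T` prints the effective configuration if you would rather not parse the file yourself. With `PasswordAuthentication no` in place, the `oracle -> oracle` logins above succeed only when the key from the other container's share directory is offered, which is the check this whole setup was meant to exercise.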

Afterword

It was good SSH practice. I'd like to make the prompt colors and the container names nicer. That's all, thank you.
