
Testing whether Docker containers on different networks can reach each other through SSH port forwarding (they can)

References

Connecting from inside a Docker container to the host over ssh (dockerでコンテナの中からホストにsshで通信してみた)
Logging in to a computer on a LAN from a remote site using SSH port forwarding (tunneling) (SSHポートフォワード(トンネリング)を使って、遠隔地からLAN内のコンピュータにログインする)
Notes on SSH public key authentication (SSH公開鍵認証メモ)

Preface

I wanted to try what the references describe, but with Docker. If the Docker host is treated as a relay, it seemed that containers on different segments should be able to reach each other.

Create a symlink to ~/.ssh

Made on a whim.

[oracle@centos tadan]$ unlink .ssh
[oracle@centos tadan]$ ln -s ~/.ssh ./.ssh

Directory layout

[oracle@centos tadan]$ tree
.
├── Dockerfile
├── Makefile
├── docker-compose.yml
├── share
│   ├── ssh1
│   │   ├── config
│   │   ├── known_hosts
│   │   ├── ssh1
│   │   ├── ssh1.pub
│   │   └── tmpl
│   ├── ssh2
│   │   ├── config
│   │   ├── ssh2
│   │   ├── ssh2.pub
│   │   └── tmpl
│   ├── ssh3
│   │   ├── config
│   │   ├── ssh3
│   │   ├── ssh3.pub
│   │   └── tmpl
│   ├── ssh4
│   │   ├── config
│   │   ├── known_hosts
│   │   ├── ssh4
│   │   ├── ssh4.pub
│   │   └── tmpl
│   ├── ssh5
│   │   ├── config
│   │   ├── ssh5
│   │   ├── ssh5.pub
│   │   └── tmpl
│   └── ssh6
│       ├── config
│       ├── ssh6
│       ├── ssh6.pub
│       └── tmpl
└── tmpl
    ├── a.sh
    └── config

14 directories, 25 files

a.sh

Takes arguments so that a key can be generated once per container.

[oracle@centos tadan]$ cat tmpl/a*
#!/bin/bash
# Usage: a.sh <user> <key name>
# Generates /home/<user>/.ssh/<key name> with an empty passphrase by driving
# ssh-keygen through expect. (ssh-keygen -N '' would do the same without expect.)
USR="$1"
shift
NM="$1"
PASSPHRASE=""   # was PWD, which shadows the shell's working-directory variable
# ssh-keygen asks for the passphrase exactly twice; the original script expected
# a third "Enter" prompt, so expect timed out and then failed with
# "send: spawn id exp5 not open" once ssh-keygen had already exited.
expect -c "
spawn ssh-keygen -f /home/${USR}/.ssh/${NM} -t rsa
expect \"Enter passphrase\"
send \"${PASSPHRASE}\n\"
expect \"Enter same passphrase\"
send \"${PASSPHRASE}\n\"
expect eof
"

tmpl/config

A placeholder (@) is embedded so it can be substituted later.

[oracle@centos tadan]$ cat tmpl/c*
Host centos
  Hostname 192.168.1.109
  Port 22
  Identityfile ~/.ssh/ssh@
  User oracle

Dockerfile

[oracle@centos tadan]$ cat D*
FROM centos:latest

# One yum transaction. The original chained separate "yum install -y ..." lines
# with backslashes, which hands "yum" and "install" to the first yum as package
# names instead of running the later commands.
RUN yum install -y iputils net-tools iproute vim tree lsof expect \
        openssh-server openssh-clients && yum clean all

ENV TZ='Asia/Tokyo'

RUN groupadd -g 1001 docker
RUN useradd -m -g docker -u 1000 oracle

# Lab-only passwords: anything set this way is recorded in the image layers.
RUN echo 'ORACLE_PWD' | passwd --stdin oracle
RUN echo 'ORACLE_PWD' | passwd --stdin root

RUN mkdir -p /home/oracle/.ssh

#USER oracle
#WORKDIR /home/oracle
# sshd listens on 22 (the original listing said 20, which is why docker ps shows 20/tcp)
EXPOSE 22
CMD ["/sbin/init"]

Makefile

[oracle@centos tadan]$ cat M*
CMD=docker-compose
up:
	@$(CMD) up -d
down:
	@$(CMD) down

docker-compose.yml

[oracle@centos tadan]$ cat d*
version: '3.7'
services:
  ssh_saba1:
    image: centos_ssh
    container_name: ssh1
    hostname: ssh1
    #command: bash -c "echo hoge"
    privileged: true
    volumes:
      - /home/oracle/tadan/share/ssh1:/home/oracle/.ssh
      - /home/oracle/tadan/tmpl:/home/oracle/.ssh/tmpl
    networks:
      ssh_net_1:
        ipv4_address: 192.168.100.101
    ports:
      - '1:22'
  ssh_saba2:
    image: centos_ssh
    container_name: ssh2
    hostname: ssh2
    #command: bash -c "echo hoge"
    privileged: true
    volumes:
      - /home/oracle/tadan/share/ssh2:/home/oracle/.ssh
      - /home/oracle/tadan/tmpl:/home/oracle/.ssh/tmpl
    networks:
      ssh_net_1:
        ipv4_address: 192.168.100.102
    ports:
      - '2:22'
  ssh_saba3:
    image: centos_ssh
    container_name: ssh3
    hostname: ssh3
    #command: bash -c "echo hoge"
    privileged: true
    volumes:
      - /home/oracle/tadan/share/ssh3:/home/oracle/.ssh
      - /home/oracle/tadan/tmpl:/home/oracle/.ssh/tmpl
    networks:
      ssh_net_1:
        ipv4_address: 192.168.100.103
    ports:
      - '3:22'
  ssh_saba4:
    image: centos_ssh
    container_name: ssh4
    hostname: ssh4
    #command: bash -c "echo hoge"
    privileged: true
    volumes:
      - /home/oracle/tadan/share/ssh4:/home/oracle/.ssh
      - /home/oracle/tadan/tmpl:/home/oracle/.ssh/tmpl
    networks:
      ssh_net_2:
        ipv4_address: 192.168.200.101
    ports:
      - '4:22'
  ssh_saba5:
    image: centos_ssh
    container_name: ssh5
    hostname: ssh5
    #command: bash -c "echo hoge"
    privileged: true
    volumes:
      - /home/oracle/tadan/share/ssh5:/home/oracle/.ssh
      - /home/oracle/tadan/tmpl:/home/oracle/.ssh/tmpl
    networks:
      ssh_net_2:
        ipv4_address: 192.168.200.102
    ports:
      - '5:22'
  ssh_saba6:
    image: centos_ssh
    container_name: ssh6
    hostname: ssh6
    #command: bash -c "echo hoge"
    privileged: true
    volumes:
      - /home/oracle/tadan/share/ssh6:/home/oracle/.ssh
      - /home/oracle/tadan/tmpl:/home/oracle/.ssh/tmpl
    networks:
      ssh_net_2:
        ipv4_address: 192.168.200.103
    ports:
      - '6:22'
networks:
  ssh_net_1:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 192.168.100.0/24
  ssh_net_2:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 192.168.200.0/24

Start the containers

[oracle@centos tadan]$ make down
Stopping ssh4 ... done
Stopping ssh6 ... done
Stopping ssh3 ... done
Stopping ssh1 ... done
Stopping ssh5 ... done
Stopping ssh2 ... done
Removing ssh4 ... done
Removing ssh6 ... done
Removing ssh3 ... done
Removing ssh1 ... done
Removing ssh5 ... done
Removing ssh2 ... done
Removing network tadan_ssh_net_1
Removing network tadan_ssh_net_2
[oracle@centos tadan]$ make up
Creating network "tadan_ssh_net_1" with driver "bridge"
Creating network "tadan_ssh_net_2" with driver "bridge"
Creating ssh1 ... done
Creating ssh4 ... done
Creating ssh3 ... done
Creating ssh6 ... done
Creating ssh2 ... done
Creating ssh5 ... done
[oracle@centos tadan]$ docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS                       NAMES
a03dc9d7de51        centos_ssh          "/sbin/init"        14 seconds ago      Up 13 seconds       20/tcp, 0.0.0.0:2->22/tcp   ssh2
9ef461324642        centos_ssh          "/sbin/init"        14 seconds ago      Up 12 seconds       20/tcp, 0.0.0.0:5->22/tcp   ssh5
89e798d2ec0d        centos_ssh          "/sbin/init"        14 seconds ago      Up 12 seconds       20/tcp, 0.0.0.0:6->22/tcp   ssh6
ff0c588e6911        centos_ssh          "/sbin/init"        14 seconds ago      Up 12 seconds       20/tcp, 0.0.0.0:4->22/tcp   ssh4
a3d17c9ad59e        centos_ssh          "/sbin/init"        14 seconds ago      Up 13 seconds       20/tcp, 0.0.0.0:3->22/tcp   ssh3
1fe33ec64581        centos_ssh          "/sbin/init"        14 seconds ago      Up 13 seconds       20/tcp, 0.0.0.0:1->22/tcp   ssh1

Generate a public/private key pair in each Docker container and register the public key on the Docker host, which runs the SSH server

This is tedious, but safe.

Generate the key pair on the Docker host and distribute the private key to each Docker container

This is easy, but dangerous.

If the tedious method could be made easy, it would be safe and convenient, so I looked around.

Found one.

Distributing SSH public keys the easy way (SSHの公開鍵配布を簡単にやる)

Generate the keys in one go

Delete the keys on the Docker host side, then generate a key pair inside each Docker container. The randomart looks nice.

[oracle@centos tadan]$ rm -f ./share/ssh{1..6}/ssh* && seq 6 | xargs -I@ bash -c 'docker exec --user oracle ssh@ ./home/oracle/.ssh/tmpl/a.sh oracle ssh@'
spawn ssh-keygen -f /home/oracle/.ssh/ssh1 -t rsa
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/oracle/.ssh/ssh1.
Your public key has been saved in /home/oracle/.ssh/ssh1.pub.
The key fingerprint is:
SHA256:aA2NWKfkzchO9CyaiVll4iawi0S5dvFDablPJWwUmbU oracle@ssh1
The key's randomart image is:
+---[RSA 2048]----+
|... . @o*.       |
|.+ o / ^ ..      |
|..o X % OE       |
|o+ B X *         |
|+ + + B S        |
|     . .         |
|                 |
|                 |
|                 |
+----[SHA256]-----+
send: spawn id exp5 not open
    while executing
"send "\n""
spawn ssh-keygen -f /home/oracle/.ssh/ssh2 -t rsa
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/oracle/.ssh/ssh2.
Your public key has been saved in /home/oracle/.ssh/ssh2.pub.
The key fingerprint is:
SHA256:ekwfvr1Wzgd7R8U5+TPbCwsq5vFnBdlOGk4Kbs/KKoM oracle@ssh2
The key's randomart image is:
+---[RSA 2048]----+
|                 |
|                 |
|            o  .o|
|       .   = o +o|
|      . S = *   +|
|       * + + oooo|
|  .   o.= o..= +=|
| E o  .+oo.=o *.=|
|    o.++oo+.oo +o|
+----[SHA256]-----+
send: spawn id exp5 not open
    while executing
"send "\n""
spawn ssh-keygen -f /home/oracle/.ssh/ssh3 -t rsa
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/oracle/.ssh/ssh3.
Your public key has been saved in /home/oracle/.ssh/ssh3.pub.
The key fingerprint is:
SHA256:ua/Vs4if9RJF+l3SrqzbkQkwmCvTbtfF5g3eGI64TEk oracle@ssh3
The key's randomart image is:
+---[RSA 2048]----+
|                 |
|         o    .  |
|        o o  o . |
|       . o o..o o|
|      o S E .o*+.|
|       + o =.O.Oo|
|        + * *oO.o|
|       . B =.=o. |
|        ooB ++o  |
+----[SHA256]-----+
send: spawn id exp5 not open
    while executing
"send "\n""
spawn ssh-keygen -f /home/oracle/.ssh/ssh4 -t rsa
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/oracle/.ssh/ssh4.
Your public key has been saved in /home/oracle/.ssh/ssh4.pub.
The key fingerprint is:
SHA256:sOUIiiAQMXuugjvDBLlk5lwcuGPEY1wN7+Uyj//v/lc oracle@ssh4
The key's randomart image is:
+---[RSA 2048]----+
|Boooo            |
|.X ...           |
|*.= o....        |
|=@ +..o*         |
|X.=  +o.S        |
|o=    =         E|
|*    . .        .|
|+o    .        . |
|.o     ...++...  |
+----[SHA256]-----+
send: spawn id exp5 not open
    while executing
"send "\n""
spawn ssh-keygen -f /home/oracle/.ssh/ssh5 -t rsa
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/oracle/.ssh/ssh5.
Your public key has been saved in /home/oracle/.ssh/ssh5.pub.
The key fingerprint is:
SHA256:22qDSW/RBYISJvZaCICNCW4SE0lmy57LWgp4Y2IaKWI oracle@ssh5
The key's randomart image is:
+---[RSA 2048]----+
|%Xo o. .         |
|X=o=. . . .      |
|.=. o.   . .     |
|+ .o        .    |
| o.     S. .     |
|o..   . .o.      |
|OE=  . +...      |
|OB .  o =.       |
|+      o..       |
+----[SHA256]-----+
send: spawn id exp5 not open
    while executing
"send "\n""
spawn ssh-keygen -f /home/oracle/.ssh/ssh6 -t rsa
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/oracle/.ssh/ssh6.
Your public key has been saved in /home/oracle/.ssh/ssh6.pub.
The key fingerprint is:
SHA256:Znwc4hth5MGV9Nsu60n/BFl0l8YIy3BoNvXZtWHbYNQ oracle@ssh6
The key's randomart image is:
+---[RSA 2048]----+
|       .o+==..*+*|
|       o.*=.oo+*E|
|        B oo.o.+o|
|       + + . o o |
|        S o . +  |
|       o +   . . |
|        .   o . .|
|           . = . |
|           .+ ...|
+----[SHA256]-----+
send: spawn id exp5 not open
    while executing
"send "\n""
[oracle@centos tadan]$ tree
.
├── Dockerfile
├── Makefile
├── docker-compose.yml
├── share
│   ├── ssh1
│   │   ├── config
│   │   ├── known_hosts
│   │   ├── ssh1
│   │   ├── ssh1.pub
│   │   └── tmpl
│   ├── ssh2
│   │   ├── config
│   │   ├── ssh2
│   │   ├── ssh2.pub
│   │   └── tmpl
│   ├── ssh3
│   │   ├── config
│   │   ├── ssh3
│   │   ├── ssh3.pub
│   │   └── tmpl
│   ├── ssh4
│   │   ├── config
│   │   ├── known_hosts
│   │   ├── ssh4
│   │   ├── ssh4.pub
│   │   └── tmpl
│   ├── ssh5
│   │   ├── config
│   │   ├── ssh5
│   │   ├── ssh5.pub
│   │   └── tmpl
│   └── ssh6
│       ├── config
│       ├── ssh6
│       ├── ssh6.pub
│       └── tmpl
└── tmpl
    ├── a.sh
    └── config

14 directories, 25 files
[oracle@centos tadan]$ ll ./share/ssh{1..6}
./share/ssh1:
合計 20
-rw-r--r--. 1 oracle docker   88  5月 14 06:49 config
-rw-r--r--. 1 oracle docker  175  5月 14 06:58 known_hosts
-rw-------. 1 oracle docker 1675  5月 14 07:25 ssh1
-rw-r--r--. 1 oracle docker  393  5月 14 07:25 ssh1.pub
drwxr-xr-x. 2 oracle docker 4096  5月 12 17:20 tmpl

./share/ssh2:
合計 16
-rw-r--r--. 1 oracle docker   88  5月 14 06:49 config
-rw-------. 1 oracle docker 1675  5月 14 07:25 ssh2
-rw-r--r--. 1 oracle docker  393  5月 14 07:25 ssh2.pub
drwxr-xr-x. 2 oracle docker 4096  5月 12 17:20 tmpl

./share/ssh3:
合計 16
-rw-r--r--. 1 oracle docker   88  5月 14 06:49 config
-rw-------. 1 oracle docker 1679  5月 14 07:25 ssh3
-rw-r--r--. 1 oracle docker  393  5月 14 07:25 ssh3.pub
drwxr-xr-x. 2 oracle docker 4096  5月 12 17:20 tmpl

./share/ssh4:
合計 20
-rw-r--r--. 1 oracle docker   88  5月 14 06:49 config
-rw-r--r--. 1 oracle docker  175  5月 14 07:18 known_hosts
-rw-------. 1 oracle docker 1679  5月 14 07:25 ssh4
-rw-r--r--. 1 oracle docker  393  5月 14 07:25 ssh4.pub
drwxr-xr-x. 2 oracle docker 4096  5月 13 19:54 tmpl

./share/ssh5:
合計 16
-rw-r--r--. 1 oracle docker   88  5月 14 06:49 config
-rw-------. 1 oracle docker 1675  5月 14 07:25 ssh5
-rw-r--r--. 1 oracle docker  393  5月 14 07:25 ssh5.pub
drwxr-xr-x. 2 oracle docker 4096  5月 13 19:59 tmpl

./share/ssh6:
合計 16
-rw-r--r--. 1 oracle docker   88  5月 14 06:49 config
-rw-------. 1 oracle docker 1679  5月 14 07:25 ssh6
-rw-r--r--. 1 oracle docker  393  5月 14 07:25 ssh6.pub
drwxr-xr-x. 2 oracle docker 4096  5月 13 19:59 tmpl
[oracle@centos tadan]$ find $(pwd) -name "*pub" | sort
/home/oracle/tadan/share/ssh1/ssh1.pub
/home/oracle/tadan/share/ssh2/ssh2.pub
/home/oracle/tadan/share/ssh3/ssh3.pub
/home/oracle/tadan/share/ssh4/ssh4.pub
/home/oracle/tadan/share/ssh5/ssh5.pub
/home/oracle/tadan/share/ssh6/ssh6.pub

Register the public key generated in each Docker container in the Docker host's authorized_keys

Quick. This is what the symlink was for.

[oracle@centos tadan]$ rm ~/.ssh/authorized_keys || touch ~/.ssh/authorized_keys && find $(pwd) -name "*pub" | sort | xargs -I@ bash -c "cat @ >> ~/.ssh/authorized_keys"
[oracle@centos tadan]$ cd ~/.ssh
[oracle@centos .ssh]$ cat a*
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnytJwMdrWyLuAvlQQY51oBau7so2qAxxWHFVYube+HPaBHRizwvyx6I+udmybcpyJxwoqOrnrapXqGvf22cVNqeSENmq0U1QISnszejUAY4XtZHG0MJwLbvY9ICnCUzjamPMbgbslbyVweC+1vG7oVhSqdKSzrSrID4DYpMslZ571jTS9fgi8+YM9xIQyivKufzbYo+GAHy5tAPiqRRGlqLOthEf9eOGINgPvXsBXyWeb5Mrzqa88c0MG6x/Sdf7TNpBDlfU1Le9mHGjaIjoLGbVBPuf0LfqhdikCqP1F3S4t/KTiUYa0ViVhzNxzoEowYMmRBMWOI1H9wFS2Oy9t oracle@ssh1
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8LaiJCxVODsz+vnbQcgZPN2ZIZ6h7LJQWHuH3ryIaX5a8cu2xR740QHpFWdJdV/MYcqxRXKivoLQL7mhdWYpMLF/yGZUoxbmU+KNrFFaxCS++LKVn+OjjwefGrgvTTlpNXOqPB3KnGkcbWFVbW0H3doGMIBUzKXam0JP2tz8F+vQN+dXrAknm0M+ua7bmony3MNyOQ9RZY8KmtIhoktvGrZjon1OEO0BPOWcSpRT/N7bdEgl6b37ho/qVTcrJ6vJWcSaUlzptKRScxnPsQs1NmHPjS/HAMqx/1cdI/A+iFE7PNyPipufFGM2w3AINbd+9JYZ6wPf+NXSPYwNwGc0/ oracle@ssh2
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQMVxQe1VjKh61oPyfmcoMs+TdN2xoVDbvP3erR1qozc5nbBaKKS4oII+dixLX8fg1O+fMM3wqu0AEwWT+Y+F/CCAJF3CgcWjEZA9AN0dmjU88D6VD5DtmteZKq5i3QpbLtZRWJxg5Votcz/QSTaM+O4cpuARPMLV9JEYL9C7iXxJMLQd8X3+eu1qpuqNLEF1mHm25IRbxQXG9pTTiOZLFyXs64sFnIYYCa33bmMLvLZ8rwIjqFIbpcVJSB/qtt1mQkt/i0T+F00yzJdYOCA4b2hLtRqQB/19mFbWSiOFnVqkP4526x2ToEY5sENtyM4ygykYQyDyrVlegViRlvnvz oracle@ssh3
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDU5uYFQA6BV1Oqh6WWchaiV72L8Dkp/apLnaSRZ7f/+wU3nKTjvc9VT8vAMMF9U7kEdmVbEi0NhjYohsrtLkD6BWaOolBCy3decCeJWvuxsYtxR/+ssRAq8IX+lhqks7d4vlggeavmAjKyUyEIBHOdicUIex3Pu9AEFbXh8W0zdi/cwNRyL1T1S3UrCjgiVWwtY41hdjPV/lLYJa1ku/epa8CzY2ozrIAEwrydY/vQQBJO1+MtiLdqgkbTKZ8dSmoXZpJNOkUBlp7MjNKR04kHPtUIHiozdNII4F9FBX8B+1KcTWnVgR6FKPN+I5uhwtXnocZ8p3ePIeu5S61pBvnn oracle@ssh4
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKGCSdnQXWDDBAnJF90RBrBK6Tfcoc3/sXJyvhBF0Rq4BvzuEUx718ezV2J20E0iuaxwaL+pgyQEXsOLOU90b3eCx81QHuoZb5cX4TX6egAJhv9nBbOoXHOrf2ZmiNXNSsGYGaow7N3wCanNOfWfG64KZpwS/x4/p0aFMnXu5PBq4TdeHhZGpNHb+FNDean7PFFe5wukDBOpMpa56l68OH8inlQ3uANFkRfj4cfeQX+uMYEKvnC7QXIeu3g9gyzVOSngsYGZAbombijJwNlaQzLAGnan6Ib0AMa2YlilrEH0cxnCgX3FHZpe/4znujNOIdArlIsbF6IzZl053EPgDn oracle@ssh5
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIer/jMtRhzYCDxkjElnX4n7/uXhXvKc3P8UskdYh53n0hyOOJixCkwPJHY7la09FQXvGM+Xm4NdDrY/LjRbG9YgYILAppL7UpexWuJlyyyMMbThJvbu8ukTaZzOg6Z/vvveVmVBs+tFNMJU01PCPjmLNDU1ATBeL85dHb2lUWEa7On1e2PNXKpbpaF61S3O3DBp8H81w+QNF899MikCDEuyJe2ZIfZgnbpqz4o8mEOxzn22YtlKEIkXmNlb06N65c7SWqmsYnqp+nNqlmHsfOt8ufsx91pwjpU7IM9/X7pNgjtv9UomjbX67pw7tT8cW48nPHgkleW/bAA6wLtwCD oracle@ssh6

Write the connection details for the Docker host into each Docker container's config file

Configure the containers so they can connect over ssh. A template is prepared in advance, copied into each container's directory, and the placeholder substituted.

[oracle@centos tadan]$ rm ./share/ssh{1..6}/c*
[oracle@centos tadan]$ tree
.
├── Dockerfile
├── Makefile
├── docker-compose.yml
├── share
│   ├── ssh1
│   │   ├── known_hosts
│   │   ├── ssh1
│   │   ├── ssh1.pub
│   │   └── tmpl
│   ├── ssh2
│   │   ├── ssh2
│   │   ├── ssh2.pub
│   │   └── tmpl
│   ├── ssh3
│   │   ├── ssh3
│   │   ├── ssh3.pub
│   │   └── tmpl
│   ├── ssh4
│   │   ├── known_hosts
│   │   ├── ssh4
│   │   ├── ssh4.pub
│   │   └── tmpl
│   ├── ssh5
│   │   ├── ssh5
│   │   ├── ssh5.pub
│   │   └── tmpl
│   └── ssh6
│       ├── ssh6
│       ├── ssh6.pub
│       └── tmpl
└── tmpl
    ├── a.sh
    └── config

14 directories, 19 files
[oracle@centos tadan]$ seq 6 | xargs -I{} bash -c 'cp $(pwd)/tmpl/config $(pwd)/share/ssh{}/config && sed -i s/@/{}/g $(pwd)/share/ssh{}/config'
[oracle@centos tadan]$ tree
.
├── Dockerfile
├── Makefile
├── docker-compose.yml
├── share
│   ├── ssh1
│   │   ├── config
│   │   ├── known_hosts
│   │   ├── ssh1
│   │   ├── ssh1.pub
│   │   └── tmpl
│   ├── ssh2
│   │   ├── config
│   │   ├── ssh2
│   │   ├── ssh2.pub
│   │   └── tmpl
│   ├── ssh3
│   │   ├── config
│   │   ├── ssh3
│   │   ├── ssh3.pub
│   │   └── tmpl
│   ├── ssh4
│   │   ├── config
│   │   ├── known_hosts
│   │   ├── ssh4
│   │   ├── ssh4.pub
│   │   └── tmpl
│   ├── ssh5
│   │   ├── config
│   │   ├── ssh5
│   │   ├── ssh5.pub
│   │   └── tmpl
│   └── ssh6
│       ├── config
│       ├── ssh6
│       ├── ssh6.pub
│       └── tmpl
└── tmpl
    ├── a.sh
    └── config

14 directories, 25 files
[oracle@centos tadan]$ cat ./share/ssh{1..6}/c*
Host centos
  Hostname 192.168.1.109
  Port 22
  Identityfile ~/.ssh/ssh1
  User oracle
Host centos
  Hostname 192.168.1.109
  Port 22
  Identityfile ~/.ssh/ssh2
  User oracle
Host centos
  Hostname 192.168.1.109
  Port 22
  Identityfile ~/.ssh/ssh3
  User oracle
Host centos
  Hostname 192.168.1.109
  Port 22
  Identityfile ~/.ssh/ssh4
  User oracle
Host centos
  Hostname 192.168.1.109
  Port 22
  Identityfile ~/.ssh/ssh5
  User oracle
Host centos
  Hostname 192.168.1.109
  Port 22
  Identityfile ~/.ssh/ssh6
  User oracle
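The two provisioning steps above (the per-container config rendered from the template, and the host's authorized_keys assembled from the containers' public keys) as one script. This is an added example, not code from the original post. It generalizes the template to two placeholders (@HOST@ and @N@ instead of the single @), validates each public key before adding it, drops duplicates, and pins every key with a from= option to the subnet its container is attached to (192.168.100.0/24 for ssh1 to ssh3, 192.168.200.0/24 for ssh4 to ssh6, taken from the docker-compose.yml above). The scratch directory WORK, the placeholder names, and the sample key bodies are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: render one ssh client config
# per container from a template and build the docker host's authorized_keys from
# the containers' public keys, pinning each key to the subnet its container lives
# on (subnets taken from the post's docker-compose.yml). Works on a scratch copy
# of the post's directory layout, so it can be run without Docker.
set -eu

WORK="${WORK:-$(mktemp -d)}"        # scratch copy of ~/tadan (assumption)
HOST_IP="${HOST_IP:-192.168.1.109}" # docker host address used in the post

# Build the directory layout from the post with constructed sample public keys.
# The key bodies are placeholders, not real keys.
make_sample_tree() {
  mkdir -p "$WORK/tmpl"
  cat >"$WORK/tmpl/config" <<'EOF'
Host centos
  Hostname @HOST@
  Port 22
  IdentityFile ~/.ssh/ssh@N@
  IdentitiesOnly yes
  User oracle
EOF
  for n in 1 2 3 4 5 6; do
    mkdir -p "$WORK/share/ssh$n"
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsamplekey%s oracle@ssh%s\n' "$n" "$n" \
      >"$WORK/share/ssh$n/ssh$n.pub"
  done
}

# Copy the template into each container's .ssh directory, replacing the
# placeholders, and refuse to continue if any placeholder survived.
render_configs() {
  for n in 1 2 3 4 5 6; do
    out="$WORK/share/ssh$n/config"
    sed -e "s/@HOST@/$HOST_IP/g" -e "s/@N@/$n/g" "$WORK/tmpl/config" >"$out"
    chmod 600 "$out"
    if grep -q '@[A-Z]*@' "$out"; then
      echo "unreplaced placeholder in $out" >&2
      return 1
    fi
  done
}

# Subnet each container is attached to, from the post's docker-compose.yml.
subnet_for() {
  case "$1" in
    1|2|3) echo 192.168.100.0/24 ;;
    4|5|6) echo 192.168.200.0/24 ;;
    *) return 1 ;;
  esac
}

# Aggregate the public keys into authorized_keys. Each line is validated,
# prefixed with from="<subnet>" so the key is only accepted from the network the
# container actually sits on, and exact duplicates are dropped.
build_authorized_keys() {
  out="$WORK/authorized_keys"
  umask 077
  : >"$out"
  for n in 1 2 3 4 5 6; do
    pub="$WORK/share/ssh$n/ssh$n.pub"
    if ! grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/=]+' "$pub"; then
      echo "skipping malformed key file $pub" >&2
      continue
    fi
    printf 'from="%s" %s\n' "$(subnet_for "$n")" "$(cat "$pub")" >>"$out"
  done
  # drop repeated lines while keeping the first occurrence (POSIX awk)
  awk '!seen[$0]++' "$out" >"$out.tmp" && mv "$out.tmp" "$out"
  chmod 600 "$out"
}

main() {
  make_sample_tree
  render_configs
  build_authorized_keys
  echo "rendered configs and authorized_keys under $WORK"
  cat "$WORK/authorized_keys"
}

main
```

Run as-is it works on a temporary directory; point WORK at the real tadan directory to provision it. The from= option is what makes the "tedious but safe" approach hold up: a private key copied out of a container is refused by sshd from any address outside that container's subnet.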

Start the sshd service on the Docker host

Confirm the service is running.

[oracle@centos .ssh]$ sudo systemctl restart sshd
[oracle@centos .ssh]$ systemctl status sshd
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since 月 2019-05-13 22:26:04 JST; 3s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 10295 (sshd)
    Tasks: 1
   Memory: 1.0M
   CGroup: /system.slice/sshd.service
           └─10295 /usr/sbin/sshd -D

Check connectivity between the Docker containers

The current state: the segment boundary cannot be crossed.

[oracle@centos tadan]$ docker exec --user oracle --workdir ~/.ssh -it ssh1 /bin/bash
[oracle@ssh1 .ssh]$ ip r
default via 192.168.100.1 dev eth0 
192.168.100.0/24 dev eth0 proto kernel scope link src 192.168.100.101 
[oracle@ssh1 .ssh]$ whoami
oracle
[oracle@ssh1 .ssh]$ hostname
ssh1
[oracle@ssh1 .ssh]$ ping -c 1 192.168.100.102
PING 192.168.100.102 (192.168.100.102) 56(84) bytes of data.
64 bytes from 192.168.100.102: icmp_seq=1 ttl=64 time=0.083 ms

--- 192.168.100.102 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.083/0.083/0.083/0.000 ms
[oracle@ssh1 .ssh]$ ping -c 1 192.168.100.103
PING 192.168.100.103 (192.168.100.103) 56(84) bytes of data.
64 bytes from 192.168.100.103: icmp_seq=1 ttl=64 time=0.057 ms

--- 192.168.100.103 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.057/0.057/0.057/0.000 ms
[oracle@ssh1 .ssh]$ ping -c 1 192.168.100.101
PING 192.168.100.101 (192.168.100.101) 56(84) bytes of data.
64 bytes from 192.168.100.101: icmp_seq=1 ttl=64 time=0.024 ms

--- 192.168.100.101 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.024/0.024/0.024/0.000 ms
[oracle@ssh1 .ssh]$ ping -c 1 192.168.200.101
PING 192.168.200.101 (192.168.200.101) 56(84) bytes of data.
^C
--- 192.168.200.101 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

[oracle@ssh1 .ssh]$ ping -c 1 192.168.200.102
PING 192.168.200.102 (192.168.200.102) 56(84) bytes of data.
^C
--- 192.168.200.102 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

[oracle@ssh1 .ssh]$ ping -c 1 192.168.200.103
PING 192.168.200.103 (192.168.200.103) 56(84) bytes of data.
^C
--- 192.168.200.103 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Check that the Docker containers can ssh to the Docker host

Be sure to type yes at the prompt. Checked with one representative container from each segment.

[oracle@ssh1 .ssh]$ sed -i /192.168.1.109/d  known_hosts
[oracle@ssh1 .ssh]$ ssh centos
The authenticity of host '192.168.1.109 (192.168.1.109)' can't be established.
ECDSA key fingerprint is SHA256:yOr7hVcqUf559Yl1lTurqPd7V+QQd7OPztlTzOHEpF4.
ECDSA key fingerprint is MD5:03:e5:6a:4f:f1:65:88:f5:88:6d:ad:ff:7a:72:bd:b3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.109' (ECDSA) to the list of known hosts.
Last login: Tue May 14 06:56:59 2019 from 192.168.100.101
[oracle@centos ~]$ whoami
oracle
[oracle@centos ~]$ hostname
centos
[oracle@centos ~]$ ip r | grep eno1
default via 192.168.1.1 dev eno1 proto static metric 100 
192.168.1.0/24 dev eno1 proto kernel scope link src 192.168.1.109 metric 100 
[oracle@centos ~]$ ログアウト
Connection to 192.168.1.109 closed.
[oracle@centos tadan]$ docker exec --user oracle --workdir ~/.ssh -it ssh4 /bin/bash
[oracle@ssh4 .ssh]$ ll
total 20
-rw-r--r--. 1 oracle docker   88 May 14 06:49 config
-rw-r--r--. 1 oracle docker  175 May 13 23:20 known_hosts
-rw-------. 1 oracle docker 1679 May 13 22:35 ssh4
-rw-r--r--. 1 oracle docker  393 May 13 22:35 ssh4.pub
drwxr-xr-x. 2 oracle docker 4096 May 14 06:15 tmpl
[oracle@ssh4 .ssh]$ cat k*
192.168.1.109 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMUYxEWsHgM7+gYRAClMKLNNre9v84lsIL5Tf6K4TBxFhn5JhpRFPy/rBgH84DLnaSj+2uazgzVY332JCwxqHLw=
[oracle@ssh4 .ssh]$ sed -i /192.168.1.109/d  known_hosts
[oracle@ssh4 .ssh]$ cat k*
[oracle@ssh4 .ssh]$ ssh centos
The authenticity of host '192.168.1.109 (192.168.1.109)' can't be established.
ECDSA key fingerprint is SHA256:yOr7hVcqUf559Yl1lTurqPd7V+QQd7OPztlTzOHEpF4.
ECDSA key fingerprint is MD5:03:e5:6a:4f:f1:65:88:f5:88:6d:ad:ff:7a:72:bd:b3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.109' (ECDSA) to the list of known hosts.
Last login: Tue May 14 06:58:04 2019 from 192.168.100.101
[oracle@centos ~]$ whoami
oracle
[oracle@centos ~]$ hostname
centos
[oracle@centos ~]$ ip r | grep eno1
default via 192.168.1.1 dev eno1 proto static metric 100 
192.168.1.0/24 dev eno1 proto kernel scope link src 192.168.1.109 metric 100 
[oracle@centos ~]$ ログアウト
Connection to 192.168.1.109 closed.

SSH port forwarding setup

I want to cross segments. Suppose ssh4 (192.168.200.101) wants to talk to ssh1 (192.168.100.101). In that case, set up port forwarding toward ssh1 on the Docker host, which is acting as the relay.

[oracle@centos tadan]$ cd .ssh
[oracle@centos .ssh]$ ll
合計 16
-rw-r--r--. 1 oracle docker 2358  5月 13 22:36 authorized_keys
-rw-r--r--. 1 oracle docker   88  5月 14 06:36 config
-rw-------. 1 oracle docker 1679  5月 12 17:23 id_rsa
-rw-r--r--. 1 oracle docker  395  5月 12 17:23 id_rsa.pub
-rw-r--r--. 1 oracle docker    0  5月 14 07:13 known_hosts
[oracle@centos .ssh]$ ssh 192.168.1.109 -R 10022:192.168.100.101:22
The authenticity of host '192.168.1.109 (192.168.1.109)' can't be established.
ECDSA key fingerprint is SHA256:yOr7hVcqUf559Yl1lTurqPd7V+QQd7OPztlTzOHEpF4.
ECDSA key fingerprint is MD5:03:e5:6a:4f:f1:65:88:f5:88:6d:ad:ff:7a:72:bd:b3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.109' (ECDSA) to the list of known hosts.
oracle@192.168.1.109's password: 
Last login: Tue May 14 07:11:02 2019 from centos
[oracle@centos ~]$ 

Open another terminal and test whether ssh4 can connect to ssh1

At the oracle@localhost's password: prompt, enter the password of the forwarding destination machine.

[oracle@centos ~]$ docker exec --user oracle --workdir ~/.ssh -it ssh4 /bin/bash
[oracle@ssh4 .ssh]$ ll
total 20
-rw-r--r--. 1 oracle docker   88 May 14 06:49 config
-rw-r--r--. 1 oracle docker  175 May 14 07:17 known_hosts
-rw-------. 1 oracle docker 1679 May 13 22:35 ssh4
-rw-r--r--. 1 oracle docker  393 May 13 22:35 ssh4.pub
drwxr-xr-x. 2 oracle docker 4096 May 14 06:15 tmpl
[oracle@ssh4 .ssh]$ cat k*
192.168.1.109 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMUYxEWsHgM7+gYRAClMKLNNre9v84lsIL5Tf6K4TBxFhn5JhpRFPy/rBgH84DLnaSj+2uazgzVY332JCwxqHLw=
[oracle@ssh4 .ssh]$ sed -i /192.168.1.109/d k*
[oracle@ssh4 .ssh]$ cat k*
[oracle@ssh4 .ssh]$ ll
total 16
-rw-r--r--. 1 oracle docker   88 May 14 06:49 config
-rw-r--r--. 1 oracle docker    0 May 14 07:17 known_hosts
-rw-------. 1 oracle docker 1679 May 13 22:35 ssh4
-rw-r--r--. 1 oracle docker  393 May 13 22:35 ssh4.pub
drwxr-xr-x. 2 oracle docker 4096 May 14 06:15 tmpl
[oracle@ssh4 .ssh]$ ssh oracle@centos
The authenticity of host '192.168.1.109 (192.168.1.109)' can't be established.
ECDSA key fingerprint is SHA256:yOr7hVcqUf559Yl1lTurqPd7V+QQd7OPztlTzOHEpF4.
ECDSA key fingerprint is MD5:03:e5:6a:4f:f1:65:88:f5:88:6d:ad:ff:7a:72:bd:b3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.109' (ECDSA) to the list of known hosts.
Last login: Tue May 14 07:14:30 2019 from centos
[oracle@centos ~]$ ssh localhost -p 10022
The authenticity of host '[localhost]:10022 ([::1]:10022)' can't be established.
ECDSA key fingerprint is SHA256:gNBn8Jg8Z2W6pX6CkcJsj+TjcLbPsAuCOGoV/mohFmk.
ECDSA key fingerprint is MD5:74:1f:58:b0:72:51:45:cf:e0:2a:cf:b1:9f:75:e1:ec.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[localhost]:10022' (ECDSA) to the list of known hosts.
oracle@localhost's password: 
Last login: Mon May 13 21:27:34 2019
[oracle@ssh1 ~]$ ip r           
default via 192.168.100.1 dev eth0 
192.168.100.0/24 dev eth0 proto kernel scope link src 192.168.100.101 
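The sessions above answer "The authenticity of host ... can't be established" with yes each time (after deleting the entry with sed), which accepts whatever key the peer presents at that moment. The script below, an added example rather than code from the post, pre-seeds known_hosts instead: the host's public key file (/etc/ssh/ssh_host_ecdsa_key.pub on the Docker host, and ssh1's for the tunnel endpoint) is copied out of band and written as a known_hosts line, using the [host]:port form that ssh itself recorded for [localhost]:10022. The key bodies and the WORK scratch directory are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: pre-seed known_hosts for every
# container from host public keys copied out of band, so the "authenticity of
# host ... can't be established" prompt never has to be answered with a blind
# "yes". Uses the post's layout (share/sshN/known_hosts) on a scratch copy; the
# host key bodies below are constructed placeholders, not real keys.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch copy of ~/tadan (assumption)

# Constructed stand-ins for /etc/ssh/ssh_host_ecdsa_key.pub on the docker host
# and on container ssh1 (the tunnel endpoint reached as localhost:10022).
make_sample_host_keys() {
  mkdir -p "$WORK/hostkeys"
  printf 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYsamplehost= root@centos\n' \
    >"$WORK/hostkeys/centos.pub"
  printf 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYsamplessh1= root@ssh1\n' \
    >"$WORK/hostkeys/ssh1.pub"
  for n in 1 2 3 4 5 6; do mkdir -p "$WORK/share/ssh$n"; done
}

# Turn a host public key file into one known_hosts line. sshd on a non-default
# port is recorded as "[host]:port", which is how ssh itself stores the tunnel
# endpoint (see "[localhost]:10022" in the post's session).
known_hosts_entry() {
  host="$1"; port="$2"; pub="$3"
  ktype="$(cut -d' ' -f1 "$pub")"
  kbody="$(cut -d' ' -f2 "$pub")"
  case "$ktype" in
    ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) echo "unsupported key type '$ktype' in $pub" >&2; return 1 ;;
  esac
  if [ "$port" = 22 ]; then
    printf '%s %s %s\n' "$host" "$ktype" "$kbody"
  else
    printf '[%s]:%s %s %s\n' "$host" "$port" "$ktype" "$kbody"
  fi
}

# Add an entry to a known_hosts file unless that exact line is already there.
add_known_host() {
  file="$1"; entry="$2"
  touch "$file"
  grep -qxF "$entry" "$file" || printf '%s\n' "$entry" >>"$file"
}

# Every container trusts the docker host's key on port 22. The hop through the
# relay in the post is made from the docker host's own account, so the tunnel
# endpoint (ssh1 behind localhost:10022) goes into that user's known_hosts.
seed_known_hosts() {
  host_entry="$(known_hosts_entry 192.168.1.109 22 "$WORK/hostkeys/centos.pub")"
  tunnel_entry="$(known_hosts_entry localhost 10022 "$WORK/hostkeys/ssh1.pub")"
  for n in 1 2 3 4 5 6; do
    f="$WORK/share/ssh$n/known_hosts"
    add_known_host "$f" "$host_entry"
    chmod 600 "$f"
  done
  mkdir -p "$WORK/host_dot_ssh"   # stands in for the host user's ~/.ssh
  add_known_host "$WORK/host_dot_ssh/known_hosts" "$tunnel_entry"
}

main() {
  make_sample_host_keys
  seed_known_hosts
  echo "seeded known_hosts under $WORK"
  cat "$WORK/share/ssh4/known_hosts" "$WORK/host_dot_ssh/known_hosts"
}

main
```

With the entries in place ssh connects silently when the presented key matches and refuses when it does not, so the `sed -i /192.168.1.109/d known_hosts` step disappears. The fingerprint ssh prints at the prompt (SHA256:yOr7... in the session above) can be compared against `ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub` run on the host itself before the key file is copied.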

Different segments were crossed

It's getting a little chaotic, so I'd like to color-code the terminals; tmux used well could make it look nice. I'll try tagged VLANs too. That's all, thank you.
