dockerのフォルダ構成見直してみた話

フォルダ構成

tmplにはサービスごとにフォルダきってtmplateファイル作成しておく。必要なら。各コンテナに配備する。今回のサービスはssh。httpが必要なら都度フォルダきる。

コード表示

[oracle@centos tadan]$ tree
.
├── Dockerfile
├── Makefile
├── docker-compose.yml
├── scripts
│   ├── env
│   │   ├── cmn
│   │   │   ├── path.sh
│   │   │   └── tz.sh
│   │   └── ssh
│   ├── inst
│   │   ├── cmn
│   │   │   └── yum_install.sh
│   │   └── ssh
│   │       └── yum_install.sh
│   ├── main
│   │   ├── cmn
│   │   └── ssh
│   │       ├── create_dir.sh
│   │       ├── create_grp.sh
│   │       ├── create_pwd.sh
│   │       ├── create_usr.sh
│   │       └── define_seq.sh
│   ├── post
│   │   ├── cmn
│   │   └── ssh
│   └── pre
│       ├── cmn
│       └── ssh
├── share
│   ├── saba1
│   │   └── ssh
│   │       └── tmpl
│   ├── saba2
│   │   └── ssh
│   │       └── tmpl
│   ├── saba3
│   │   └── ssh
│   │       └── tmpl
│   ├── saba4
│   │   └── ssh
│   │       └── tmpl
│   ├── saba5
│   │   └── ssh
│   │       └── tmpl
│   └── saba6
│       └── ssh
│           └── tmpl
└── tmpl
    └── ssh
        ├── config
        └── genkey.sh

37 directories, 14 files

フォルダ作成

コード表示

[oracle@centos ~]$ mkdir tadan
[oracle@centos ~]$ cd tadan
[oracle@centos tadan]$ mkdir -p ./scripts/{env,inst,main,post,pre}/{cmn,ssh}
[oracle@centos tadan]$ mkdir -p tmpl/{ssh}

Dockerfile

コード表示

[oracle@centos tadan]$ cat D*
FROM centos:latest

ENV MNT_DIR=/mnt
ENV ENV_DIR=${MNT_DIR}/env
ENV ENV_CMN_DIR=${ENV_DIR}/cmn
ENV ENV_SSH_DIR=${ENV_DIR}/ssh
ENV INST_DIR=${MNT_DIR}/inst
ENV INST_CMN_DIR=${INST_DIR}/cmn
ENV INST_SSH_DIR=${INST_DIR}/ssh
ENV PRE_DIR=${MNT_DIR}/pre
ENV PRE_CMN_DIR=${PRE_DIR}/cmn
ENV PRE_SSH_DIR=${PRE_DIR}/ssh
ENV MAIN_DIR=${MNT_DIR}/main
ENV MAIN_CMN_DIR=${MAIN_DIR}/cmn
ENV MAIN_SSH_DIR=${MAIN_DIR}/ssh
ENV POST_DIR=${MNT_DIR}/post
ENV POST_CMN_DIR=${POST_DIR}/cmn
ENV POST_SSH_DIR=${POST_DIR}/ssh

COPY ./scripts ${MNT_DIR}

RUN find ${INST_CMN_DIR} -name "*.sh" | while read line;do [ -e ${line} ] && chmod u+x ${line} && bash -c ${line};done
RUN find ${INST_SSH_DIR} -name "*.sh" | while read line;do [ -e ${line} ] && chmod u+x ${line} && bash -c ${line};done
RUN find ${PRE_CMN_DIR} -name "*.sh" | while read line;do [ -e ${line} ] && chmod u+x ${line} && bash -c ${line};done
RUN find ${PRE_SSH_DIR} -name "*.sh" | while read line;do [ -e ${line} ] && chmod u+x ${line} && bash -c ${line};done
RUN find ${MAIN_CMN_DIR} -name "*.sh" | while read line;do [ -e ${line} ] && chmod u+x ${line} && bash -c ${line};done
RUN [ -e ${MAIN_SSH_DIR}/define_seq.sh ] && chmod u+x ${MAIN_SSH_DIR}/define_seq.sh && ${MAIN_SSH_DIR}/define_seq.sh
RUN find ${POST_CMN_DIR} -name "*.sh" | while read line;do [ -e ${line} ] && chmod u+x ${line} && bash -c ${line};done
RUN find ${POST_SSH_DIR} -name "*.sh" | while read line;do [ -e ${line} ] && chmod u+x ${line} && bash -c ${line};done

USER oracle
WORKDIR /home/oracle

EXPOSE 20
CMD ["/sbin/init"]

Makefile

コード表示

[oracle@centos tadan]$ cat M*
CMD=docker-compose
up:
	@$(CMD) up -d
down:
	@$(CMD) down

docker-compose.yml

コード表示

[oracle@centos tadan]$ cat d*
version: '3.7'
services:
  saba1:
    image: centos_aine
    container_name: saba1
    hostname: saba1
    privileged: true
    volumes:
      -  /home/oracle/tadan/share/saba1/ssh:/home/oracle/.ssh
      -  /home/oracle/tadan/tmpl/ssh:/home/oracle/.ssh/tmpl
    networks:
      saba_net_1:
        ipv4_address: 192.168.100.101
    ports:
      - '1:22'
  saba2:
    image: centos_aine
    container_name: saba2
    hostname: saba2
    privileged: true
    volumes:
      -  /home/oracle/tadan/share/saba2/ssh:/home/oracle/.ssh
      -  /home/oracle/tadan/tmpl/ssh:/home/oracle/.ssh/tmpl
    networks:
      saba_net_1:
        ipv4_address: 192.168.100.102
    ports:
      - '2:22'
  saba3:
    image: centos_aine
    container_name: saba3
    hostname: saba3
    privileged: true
    volumes:
      -  /home/oracle/tadan/share/saba3/ssh:/home/oracle/.ssh
      -  /home/oracle/tadan/tmpl/ssh:/home/oracle/.ssh/tmpl
    networks:
      saba_net_1:
        ipv4_address: 192.168.100.103
    ports:
      - '3:22'
  saba4:
    image: centos_aine
    container_name: saba4
    hostname: saba4
    privileged: true
    volumes:
      -  /home/oracle/tadan/share/saba4/ssh:/home/oracle/.ssh
      -  /home/oracle/tadan/tmpl/ssh:/home/oracle/.ssh/tmpl
    networks:
      saba_net_2:
        ipv4_address: 192.168.200.101
    ports:
      - '4:22'
  saba5:
    image: centos_aine
    container_name: saba5
    hostname: saba5
    privileged: true
    volumes:
      -  /home/oracle/tadan/share/saba5/ssh:/home/oracle/.ssh
      -  /home/oracle/tadan/tmpl/ssh:/home/oracle/.ssh/tmpl
    networks:
      saba_net_2:
        ipv4_address: 192.168.200.102
    ports:
      - '5:22'
  saba6:
    image: centos_aine
    container_name: saba6
    hostname: saba6
    privileged: true
    volumes:
      -  /home/oracle/tadan/share/saba6/ssh:/home/oracle/.ssh
      -  /home/oracle/tadan/tmpl/ssh:/home/oracle/.ssh/tmpl
    networks:
      saba_net_2:
        ipv4_address: 192.168.200.103
    ports:
      - '6:22'
networks:
  saba_net_1:
    name: saba_net_1
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 192.168.100.0/24
  saba_net_2:
    name: saba_net_2
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 192.168.200.0/24

/tmpl/ssh/genkey.sh

コード表示

[oracle@centos tadan]$ cat $(find $(pwd) -name "*gen*")
#!/bin/bash
USR="$1"
shift
NM="$@"
PWD=""
expect -c "
spawn ssh-keygen -f /home/${USR}/.ssh/${NM} -t rsa
expect \"Enter\"
send \"${PWD}\n\"
expect \"Enter\"
send \"${PWD}\n\"
expect \"Enter\"
send \"${PWD}\n\"
expect \"\\\$\"
exit 0
"

/scripts/main/ssh/create_usr.sh

コード表示

[oracle@centos tadan]$ cat $(find $(pwd) -name "*usr*")
#!/bin/bash
useradd -m -g docker -u 1000 oracle

/scripts/main/ssh/create_dir.sh

コード表示

[oracle@centos tadan]$ cat $(find $(pwd) -name "*dir*")
#!/bin/bash
mkdir -p /home/oracle/.ssh

/scripts/main/ssh/create_grp.sh

コード表示

[oracle@centos tadan]$ cat $(find $(pwd) -name "*grp*")
#!/bin/bash
groupadd -g 1001 docker

/scripts/main/ssh/create_pwd.sh

コード表示

[oracle@centos tadan]$ cat $(find $(pwd) -name "*pwd*")
#!/bin/bash
echo 'ORACLE_PWD' | passwd --stdin oracle
echo 'ORACLE_PWD' | passwd --stdin root

/scripts/main/ssh/define_seq.sh

sourceコマンドで順番を制御できる。実行順序をここに集約できるからいいとおもう。

コード表示

[oracle@centos tadan]$ cat $(find $(pwd) -name "*seq*")
#!/bin/bash
find ${ENV_CMN_DIR} -name "*.sh" | while read line;do [ -e ${line} ] && source ${line};done
find ${ENV_SSH_DIR} -name "*.sh" | while read line;do [ -e ${line} ] && source ${line};done
[ -e ${MAIN_SSH_DIR}/create_grp.sh ] && source ${MAIN_SSH_DIR}/create_grp.sh
[ -e ${MAIN_SSH_DIR}/create_usr.sh ] && source ${MAIN_SSH_DIR}/create_usr.sh
[ -e ${MAIN_SSH_DIR}/create_pwd.sh ] && source ${MAIN_SSH_DIR}/create_pwd.sh
[ -e ${MAIN_SSH_DIR}/create_dir.sh ] && source ${MAIN_SSH_DIR}/create_dir.sh

/scripts/env/cmn/path.sh

これはあってもなくてもいいかも。dockerfileでもENVしているし。

コード表示

[oracle@centos tadan]$ cat $(find $(pwd) -name "*path*")
#!/bin/bash
MNT_DIR=/mnt
ENV_DIR=${MNT_DIR}/env
INST_DIR=${MNT_DIR}/inst
PRE_DIR=${MNT_DIR}/pre
MAIN_DIR=${MNT_DIR}/main
MAIN_CMN_DIR=${MAIN_DIR}/cmn
MAIN_SSH_DIR=${MAIN_DIR}/ssh
POST_DIR=${MNT_DIR}/post

/scripts/env/cmn/tz.sh

コード表示

[oracle@centos tadan]$ cat $(find $(pwd) -name "*tz*")
#!/bin/bash
TZ=Asia/Tokyo

/scripts/inst/cmn/yum_install.sh

コード表示

[oracle@centos tadan]$ cat /home/oracle/tadan/scripts/inst/cmn/yum_install.sh
#!/bin/bash
yum install -y iputils \
yum install -y net-tools \
yum install -y iproute \
yum install -y vim \
yum install -y tree \
yum install -y lsof \
yum install -y expect

/scripts/inst/ssh/yum_install.sh

コード表示

[oracle@centos tadan]$ cat /home/oracle/tadan/scripts/inst/ssh/yum_install.sh
#!/bin/bash
yum install -y openssh-server \
yum install -y openssh-clients

異なるネットワークに属するdockerコンテナ間でsshポートフォーワーディング機能を利用して疎通できるか試した話(できた)

参考文献

dockerでコンテナの中からホストにsshで通信してみた  
SSHポートフォワード(トンネリング)を使って、遠隔地からLAN内のコンピュータにログインする  
SSH公開鍵認証メモ  

まえがき

参考文献記載のやつdockerでやってみたくなったので。dockerホストを中継器として捉えれば、異なるセグメント同士でも疎通できる気がした。

~/.sshにシンボリックリンク作成

気分でつくった

コード表示

[oracle@centos tadan]$ unlink .ssh
[oracle@centos tadan]$ ln -s ~/.ssh ./.ssh

フォルダ構成

コード表示

[oracle@centos tadan]$ tree
.
├── Dockerfile
├── Makefile
├── docker-compose.yml
├── share
│   ├── ssh1
│   │   ├── config
│   │   ├── known_hosts
│   │   ├── ssh1
│   │   ├── ssh1.pub
│   │   └── tmpl
│   ├── ssh2
│   │   ├── config
│   │   ├── ssh2
│   │   ├── ssh2.pub
│   │   └── tmpl
│   ├── ssh3
│   │   ├── config
│   │   ├── ssh3
│   │   ├── ssh3.pub
│   │   └── tmpl
│   ├── ssh4
│   │   ├── config
│   │   ├── known_hosts
│   │   ├── ssh4
│   │   ├── ssh4.pub
│   │   └── tmpl
│   ├── ssh5
│   │   ├── config
│   │   ├── ssh5
│   │   ├── ssh5.pub
│   │   └── tmpl
│   └── ssh6
│       ├── config
│       ├── ssh6
│       ├── ssh6.pub
│       └── tmpl
└── tmpl
    ├── a.sh
    └── config

14 directories, 25 files

a.sh

コンテナごとに作りたいから引数準備

コード表示

[oracle@centos tadan]$ cat tmpl/a*
#!/bin/bash
USR="$1"
shift
NM="$@"
PWD=""
expect -c "
spawn ssh-keygen -f /home/${USR}/.ssh/${NM} -t rsa
expect \"Enter\"
send \"${PWD}\n\"
expect \"Enter\"
send \"${PWD}\n\"
expect \"Enter\"
send \"${PWD}\n\"
expect \"\\\$\"
exit 0
"

tmpl/config

あとで置換するようにプレースホルダうめこみ

コード表示

[oracle@centos tadan]$ cat tmpl/c*
Host centos
  Hostname 192.168.1.109
  Port 22
  Identityfile ~/.ssh/ssh@
  User oracle

Dockerfile

コード表示

[oracle@centos tadan]$ cat D*
FROM centos:latest

RUN yum install -y iputils \
yum install -y net-tools \
yum install -y iproute \
yum install -y vim \
yum install -y tree \
yum install -y lsof \
yum install -y expect \
yum install -y openssh-server \
yum install -y openssh-clients

ENV TZ='Asia/Tokyo'

RUN groupadd -g 1001 docker
RUN useradd -m -g docker -u 1000 oracle

RUN echo 'ORACLE_PWD' | passwd --stdin oracle
RUN echo 'ORACLE_PWD' | passwd --stdin root

RUN mkdir -p /home/oracle/.ssh

#USER oracle
#WORKDIR /home/oracle
EXPOSE 20
CMD ["/sbin/init"]

Makefile

コード表示

[oracle@centos tadan]$ cat M*
CMD=docker-compose
up:
	@$(CMD) up -d
down:
	@$(CMD) down

docker-compose.yml

コード表示

[oracle@centos tadan]$ cat d*
version: '3.7'
services:
  ssh_saba1:
    image: centos_ssh
    container_name: ssh1
    hostname: ssh1
    #command: bash -c "ehoc hoge"
    privileged: true
    volumes:
      -  /home/oracle/tadan/share/ssh1:/home/oracle/.ssh
      -  /home/oracle/tadan/tmpl:/home/oracle/.ssh/tmpl
    networks:
      ssh_net_1:
        ipv4_address: 192.168.100.101
    ports:
      - '1:22'
  ssh_saba2:
    image: centos_ssh
    container_name: ssh2
    hostname: ssh2
    #command: bash -c "echo hoge"
    privileged: true
    volumes:
      -  /home/oracle/tadan/share/ssh2:/home/oracle/.ssh
      -  /home/oracle/tadan/tmpl:/home/oracle/.ssh/tmpl
    networks:
      ssh_net_1:
        ipv4_address: 192.168.100.102
    ports:
      - '2:22'
  ssh_saba3:
    image: centos_ssh
    container_name: ssh3
    hostname: ssh3
    #command: bash -c "echo hoge"
    privileged: true
    volumes:
      -  /home/oracle/tadan/share/ssh3:/home/oracle/.ssh
      -  /home/oracle/tadan/tmpl:/home/oracle/.ssh/tmpl
    networks:
      ssh_net_1:
        ipv4_address: 192.168.100.103
    ports:
      - '3:22'
  ssh_saba4:
    image: centos_ssh
    container_name: ssh4
    hostname: ssh4
    #command: bash -c "ehoc hoge"
    privileged: true
    volumes:
      -  /home/oracle/tadan/share/ssh4:/home/oracle/.ssh
      -  /home/oracle/tadan/tmpl:/home/oracle/.ssh/tmpl
    networks:
      ssh_net_2:
        ipv4_address: 192.168.200.101
    ports:
      - '4:22'
  ssh_saba5:
    image: centos_ssh
    container_name: ssh5
    hostname: ssh5
    #command: bash -c "ehoc hoge"
    privileged: true
    volumes:
      -  /home/oracle/tadan/share/ssh5:/home/oracle/.ssh
      -  /home/oracle/tadan/tmpl:/home/oracle/.ssh/tmpl
    networks:
      ssh_net_2:
        ipv4_address: 192.168.200.102
    ports:
      - '5:22'
  ssh_saba6:
    image: centos_ssh
    container_name: ssh6
    hostname: ssh6
    #command: bash -c "ehoc hoge"
    privileged: true
    volumes:
      -  /home/oracle/tadan/share/ssh6:/home/oracle/.ssh
      -  /home/oracle/tadan/tmpl:/home/oracle/.ssh/tmpl
    networks:
      ssh_net_2:
        ipv4_address: 192.168.200.103
    ports:
      - '6:22'
networks:
  ssh_net_1:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 192.168.100.0/24
  ssh_net_2:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 192.168.200.0/24

コンテナ起動

コード表示

[oracle@centos tadan]$ make down
Stopping ssh4 ... done
Stopping ssh6 ... done
Stopping ssh3 ... done
Stopping ssh1 ... done
Stopping ssh5 ... done
Stopping ssh2 ... done
Removing ssh4 ... done
Removing ssh6 ... done
Removing ssh3 ... done
Removing ssh1 ... done
Removing ssh5 ... done
Removing ssh2 ... done
Removing network tadan_ssh_net_1
Removing network tadan_ssh_net_2
[oracle@centos tadan]$ make up
Creating network "tadan_ssh_net_1" with driver "bridge"
Creating network "tadan_ssh_net_2" with driver "bridge"
Creating ssh1 ... done
Creating ssh4 ... done
Creating ssh3 ... done
Creating ssh6 ... done
Creating ssh2 ... done
Creating ssh5 ... done
[oracle@centos tadan]$ docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS                       NAMES
a03dc9d7de51        centos_ssh          "/sbin/init"        14 seconds ago      Up 13 seconds       20/tcp, 0.0.0.0:2->22/tcp   ssh2
9ef461324642        centos_ssh          "/sbin/init"        14 seconds ago      Up 12 seconds       20/tcp, 0.0.0.0:5->22/tcp   ssh5
89e798d2ec0d        centos_ssh          "/sbin/init"        14 seconds ago      Up 12 seconds       20/tcp, 0.0.0.0:6->22/tcp   ssh6
ff0c588e6911        centos_ssh          "/sbin/init"        14 seconds ago      Up 12 seconds       20/tcp, 0.0.0.0:4->22/tcp   ssh4
a3d17c9ad59e        centos_ssh          "/sbin/init"        14 seconds ago      Up 13 seconds       20/tcp, 0.0.0.0:3->22/tcp   ssh3
1fe33ec64581        centos_ssh          "/sbin/init"        14 seconds ago      Up 13 seconds       20/tcp, 0.0.0.0:1->22/tcp   ssh1

dockerコンテナごとに公開鍵と秘密鍵を作成し、公開鍵をsshサーバとして起動するdockerホストに登録する

これはめんどいけど、安全。

dockerホスト側で公開鍵と秘密鍵を作成し、秘密鍵を各dockerコンテナに配布する

これはらくだけど、危い。

めんどい方法を楽に出来れば安全になるので、探した

あった。

SSHの公開鍵配布を簡単にやる  

ばばっと鍵作成

dockerホスト側で鍵消してから、dockerコンテナごとに公開鍵と秘密鍵を作成する。ランドマートきれいだなー。

コード表示

[oracle@centos tadan]$ rm -f ./share/ssh{1..6}/ssh* && seq 6 | xargs -I@ bash -c 'docker exec --user oracle ssh@ ./home/oracle/.ssh/tmpl/a.sh oracle ssh@'
spawn ssh-keygen -f /home/oracle/.ssh/ssh1 -t rsa
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/oracle/.ssh/ssh1.
Your public key has been saved in /home/oracle/.ssh/ssh1.pub.
The key fingerprint is:
SHA256:aA2NWKfkzchO9CyaiVll4iawi0S5dvFDablPJWwUmbU oracle@ssh1
The key's randomart image is:
+---[RSA 2048]----+
|... . @o*.       |
|.+ o / ^ ..      |
|..o X % OE       |
|o+ B X *         |
|+ + + B S        |
|     . .         |
|                 |
|                 |
|                 |
+----[SHA256]-----+
send: spawn id exp5 not open
    while executing
"send "\n""
spawn ssh-keygen -f /home/oracle/.ssh/ssh2 -t rsa
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/oracle/.ssh/ssh2.
Your public key has been saved in /home/oracle/.ssh/ssh2.pub.
The key fingerprint is:
SHA256:ekwfvr1Wzgd7R8U5+TPbCwsq5vFnBdlOGk4Kbs/KKoM oracle@ssh2
The key's randomart image is:
+---[RSA 2048]----+
|                 |
|                 |
|            o  .o|
|       .   = o +o|
|      . S = *   +|
|       * + + oooo|
|  .   o.= o..= +=|
| E o  .+oo.=o *.=|
|    o.++oo+.oo +o|
+----[SHA256]-----+
send: spawn id exp5 not open
    while executing
"send "\n""
spawn ssh-keygen -f /home/oracle/.ssh/ssh3 -t rsa
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/oracle/.ssh/ssh3.
Your public key has been saved in /home/oracle/.ssh/ssh3.pub.
The key fingerprint is:
SHA256:ua/Vs4if9RJF+l3SrqzbkQkwmCvTbtfF5g3eGI64TEk oracle@ssh3
The key's randomart image is:
+---[RSA 2048]----+
|                 |
|         o    .  |
|        o o  o . |
|       . o o..o o|
|      o S E .o*+.|
|       + o =.O.Oo|
|        + * *oO.o|
|       . B =.=o. |
|        ooB ++o  |
+----[SHA256]-----+
send: spawn id exp5 not open
    while executing
"send "\n""
spawn ssh-keygen -f /home/oracle/.ssh/ssh4 -t rsa
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/oracle/.ssh/ssh4.
Your public key has been saved in /home/oracle/.ssh/ssh4.pub.
The key fingerprint is:
SHA256:sOUIiiAQMXuugjvDBLlk5lwcuGPEY1wN7+Uyj//v/lc oracle@ssh4
The key's randomart image is:
+---[RSA 2048]----+
|Boooo            |
|.X ...           |
|*.= o....        |
|=@ +..o*         |
|X.=  +o.S        |
|o=    =         E|
|*    . .        .|
|+o    .        . |
|.o     ...++...  |
+----[SHA256]-----+
send: spawn id exp5 not open
    while executing
"send "\n""
spawn ssh-keygen -f /home/oracle/.ssh/ssh5 -t rsa
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/oracle/.ssh/ssh5.
Your public key has been saved in /home/oracle/.ssh/ssh5.pub.
The key fingerprint is:
SHA256:22qDSW/RBYISJvZaCICNCW4SE0lmy57LWgp4Y2IaKWI oracle@ssh5
The key's randomart image is:
+---[RSA 2048]----+
|%Xo o. .         |
|X=o=. . . .      |
|.=. o.   . .     |
|+ .o        .    |
| o.     S. .     |
|o..   . .o.      |
|OE=  . +...      |
|OB .  o =.       |
|+      o..       |
+----[SHA256]-----+
send: spawn id exp5 not open
    while executing
"send "\n""
spawn ssh-keygen -f /home/oracle/.ssh/ssh6 -t rsa
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/oracle/.ssh/ssh6.
Your public key has been saved in /home/oracle/.ssh/ssh6.pub.
The key fingerprint is:
SHA256:Znwc4hth5MGV9Nsu60n/BFl0l8YIy3BoNvXZtWHbYNQ oracle@ssh6
The key's randomart image is:
+---[RSA 2048]----+
|       .o+==..*+*|
|       o.*=.oo+*E|
|        B oo.o.+o|
|       + + . o o |
|        S o . +  |
|       o +   . . |
|        .   o . .|
|           . = . |
|           .+ ...|
+----[SHA256]-----+
send: spawn id exp5 not open
    while executing
"send "\n""
[oracle@centos tadan]$ tree
.
├── Dockerfile
├── Makefile
├── docker-compose.yml
├── share
│   ├── ssh1
│   │   ├── config
│   │   ├── known_hosts
│   │   ├── ssh1
│   │   ├── ssh1.pub
│   │   └── tmpl
│   ├── ssh2
│   │   ├── config
│   │   ├── ssh2
│   │   ├── ssh2.pub
│   │   └── tmpl
│   ├── ssh3
│   │   ├── config
│   │   ├── ssh3
│   │   ├── ssh3.pub
│   │   └── tmpl
│   ├── ssh4
│   │   ├── config
│   │   ├── known_hosts
│   │   ├── ssh4
│   │   ├── ssh4.pub
│   │   └── tmpl
│   ├── ssh5
│   │   ├── config
│   │   ├── ssh5
│   │   ├── ssh5.pub
│   │   └── tmpl
│   └── ssh6
│       ├── config
│       ├── ssh6
│       ├── ssh6.pub
│       └── tmpl
└── tmpl
    ├── a.sh
    └── config

14 directories, 25 files
[oracle@centos tadan]$ ll ./share/ssh{1..6}
./share/ssh1:
合計 20
-rw-r--r--. 1 oracle docker   88  5月 14 06:49 config
-rw-r--r--. 1 oracle docker  175  5月 14 06:58 known_hosts
-rw-------. 1 oracle docker 1675  5月 14 07:25 ssh1
-rw-r--r--. 1 oracle docker  393  5月 14 07:25 ssh1.pub
drwxr-xr-x. 2 oracle docker 4096  5月 12 17:20 tmpl

./share/ssh2:
合計 16
-rw-r--r--. 1 oracle docker   88  5月 14 06:49 config
-rw-------. 1 oracle docker 1675  5月 14 07:25 ssh2
-rw-r--r--. 1 oracle docker  393  5月 14 07:25 ssh2.pub
drwxr-xr-x. 2 oracle docker 4096  5月 12 17:20 tmpl

./share/ssh3:
合計 16
-rw-r--r--. 1 oracle docker   88  5月 14 06:49 config
-rw-------. 1 oracle docker 1679  5月 14 07:25 ssh3
-rw-r--r--. 1 oracle docker  393  5月 14 07:25 ssh3.pub
drwxr-xr-x. 2 oracle docker 4096  5月 12 17:20 tmpl

./share/ssh4:
合計 20
-rw-r--r--. 1 oracle docker   88  5月 14 06:49 config
-rw-r--r--. 1 oracle docker  175  5月 14 07:18 known_hosts
-rw-------. 1 oracle docker 1679  5月 14 07:25 ssh4
-rw-r--r--. 1 oracle docker  393  5月 14 07:25 ssh4.pub
drwxr-xr-x. 2 oracle docker 4096  5月 13 19:54 tmpl

./share/ssh5:
合計 16
-rw-r--r--. 1 oracle docker   88  5月 14 06:49 config
-rw-------. 1 oracle docker 1675  5月 14 07:25 ssh5
-rw-r--r--. 1 oracle docker  393  5月 14 07:25 ssh5.pub
drwxr-xr-x. 2 oracle docker 4096  5月 13 19:59 tmpl

./share/ssh6:
合計 16
-rw-r--r--. 1 oracle docker   88  5月 14 06:49 config
-rw-------. 1 oracle docker 1679  5月 14 07:25 ssh6
-rw-r--r--. 1 oracle docker  393  5月 14 07:25 ssh6.pub
drwxr-xr-x. 2 oracle docker 4096  5月 13 19:59 tmpl
[oracle@centos tadan]$ find $(pwd) -name "*pub" | sort
/home/oracle/tadan/share/ssh1/ssh1.pub
/home/oracle/tadan/share/ssh2/ssh2.pub
/home/oracle/tadan/share/ssh3/ssh3.pub
/home/oracle/tadan/share/ssh4/ssh4.pub
/home/oracle/tadan/share/ssh5/ssh5.pub
/home/oracle/tadan/share/ssh6/ssh6.pub

dockerコンテナごとに作成した公開鍵をdockerホストのauthorized_keysに登録する

さっと。リンクはった意味。

コード表示

[oracle@centos tadan]$ rm ~/.ssh/authorized_keys || touch ~/.ssh/authorized_keys && find $(pwd) -name "*pub" | sort | xargs -I@ bash -c "cat @ >> ~/.ssh/authorized_keys"
[oracle@centos tadan]$ cd ~/.ssh
[oracle@centos .ssh]$ cat a*
[oracle@centos tadan]$ rm ~/.ssh/authorized_keys || touch ~/.ssh/authorized_keys && find $(pwd) -name "*pub" | sort | xargs -I@ bash -c "cat @ >> ~/.ssh/authorized_keys"
[oracle@centos tadan]$ cd ~/.ssh
[oracle@centos .ssh]$ cat a*
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnytJwMdrWyLuAvlQQY51oBau7so2qAxxWHFVYube+HPaBHRizwvyx6I+udmybcpyJxwoqOrnrapXqGvf22cVNqeSENmq0U1QISnszejUAY4XtZHG0MJwLbvY9ICnCUzjamPMbgbslbyVweC+1vG7oVhSqdKSzrSrID4DYpMslZ571jTS9fgi8+YM9xIQyivKufzbYo+GAHy5tAPiqRRGlqLOthEf9eOGINgPvXsBXyWeb5Mrzqa88c0MG6x/Sdf7TNpBDlfU1Le9mHGjaIjoLGbVBPuf0LfqhdikCqP1F3S4t/KTiUYa0ViVhzNxzoEowYMmRBMWOI1H9wFS2Oy9t oracle@ssh1
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8LaiJCxVODsz+vnbQcgZPN2ZIZ6h7LJQWHuH3ryIaX5a8cu2xR740QHpFWdJdV/MYcqxRXKivoLQL7mhdWYpMLF/yGZUoxbmU+KNrFFaxCS++LKVn+OjjwefGrgvTTlpNXOqPB3KnGkcbWFVbW0H3doGMIBUzKXam0JP2tz8F+vQN+dXrAknm0M+ua7bmony3MNyOQ9RZY8KmtIhoktvGrZjon1OEO0BPOWcSpRT/N7bdEgl6b37ho/qVTcrJ6vJWcSaUlzptKRScxnPsQs1NmHPjS/HAMqx/1cdI/A+iFE7PNyPipufFGM2w3AINbd+9JYZ6wPf+NXSPYwNwGc0/ oracle@ssh2
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQMVxQe1VjKh61oPyfmcoMs+TdN2xoVDbvP3erR1qozc5nbBaKKS4oII+dixLX8fg1O+fMM3wqu0AEwWT+Y+F/CCAJF3CgcWjEZA9AN0dmjU88D6VD5DtmteZKq5i3QpbLtZRWJxg5Votcz/QSTaM+O4cpuARPMLV9JEYL9C7iXxJMLQd8X3+eu1qpuqNLEF1mHm25IRbxQXG9pTTiOZLFyXs64sFnIYYCa33bmMLvLZ8rwIjqFIbpcVJSB/qtt1mQkt/i0T+F00yzJdYOCA4b2hLtRqQB/19mFbWSiOFnVqkP4526x2ToEY5sENtyM4ygykYQyDyrVlegViRlvnvz oracle@ssh3
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDU5uYFQA6BV1Oqh6WWchaiV72L8Dkp/apLnaSRZ7f/+wU3nKTjvc9VT8vAMMF9U7kEdmVbEi0NhjYohsrtLkD6BWaOolBCy3decCeJWvuxsYtxR/+ssRAq8IX+lhqks7d4vlggeavmAjKyUyEIBHOdicUIex3Pu9AEFbXh8W0zdi/cwNRyL1T1S3UrCjgiVWwtY41hdjPV/lLYJa1ku/epa8CzY2ozrIAEwrydY/vQQBJO1+MtiLdqgkbTKZ8dSmoXZpJNOkUBlp7MjNKR04kHPtUIHiozdNII4F9FBX8B+1KcTWnVgR6FKPN+I5uhwtXnocZ8p3ePIeu5S61pBvnn oracle@ssh4
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKGCSdnQXWDDBAnJF90RBrBK6Tfcoc3/sXJyvhBF0Rq4BvzuEUx718ezV2J20E0iuaxwaL+pgyQEXsOLOU90b3eCx81QHuoZb5cX4TX6egAJhv9nBbOoXHOrf2ZmiNXNSsGYGaow7N3wCanNOfWfG64KZpwS/x4/p0aFMnXu5PBq4TdeHhZGpNHb+FNDean7PFFe5wukDBOpMpa56l68OH8inlQ3uANFkRfj4cfeQX+uMYEKvnC7QXIeu3g9gyzVOSngsYGZAbombijJwNlaQzLAGnan6Ib0AMa2YlilrEH0cxnCgX3FHZpe/4znujNOIdArlIsbF6IzZl053EPgDn oracle@ssh5
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIer/jMtRhzYCDxkjElnX4n7/uXhXvKc3P8UskdYh53n0hyOOJixCkwPJHY7la09FQXvGM+Xm4NdDrY/LjRbG9YgYILAppL7UpexWuJlyyyMMbThJvbu8ukTaZzOg6Z/vvveVmVBs+tFNMJU01PCPjmLNDU1ATBeL85dHb2lUWEa7On1e2PNXKpbpaF61S3O3DBp8H81w+QNF899MikCDEuyJe2ZIfZgnbpqz4o8mEOxzn22YtlKEIkXmNlb06N65c7SWqmsYnqp+nNqlmHsfOt8ufsx91pwjpU7IM9/X7pNgjtv9UomjbX67pw7tT8cW48nPHgkleW/bAA6wLtwCD oracle@ssh6

各dockerコンテナのconfigファイルにdockerホストへの接続情報を記載する

dockerコンテナからssh接続できるように設定する。あらかじめテンプレート用意しコンテナごとに複写して置換する。

コード表示

[oracle@centos tadan]$ rm ./share/ssh{1..6}/c*
[oracle@centos tadan]$ tree
.
├── Dockerfile
├── Makefile
├── docker-compose.yml
├── share
│   ├── ssh1
│   │   ├── known_hosts
│   │   ├── ssh1
│   │   ├── ssh1.pub
│   │   └── tmpl
│   ├── ssh2
│   │   ├── ssh2
│   │   ├── ssh2.pub
│   │   └── tmpl
│   ├── ssh3
│   │   ├── ssh3
│   │   ├── ssh3.pub
│   │   └── tmpl
│   ├── ssh4
│   │   ├── known_hosts
│   │   ├── ssh4
│   │   ├── ssh4.pub
│   │   └── tmpl
│   ├── ssh5
│   │   ├── ssh5
│   │   ├── ssh5.pub
│   │   └── tmpl
│   └── ssh6
│       ├── ssh6
│       ├── ssh6.pub
│       └── tmpl
└── tmpl
    ├── a.sh
    └── config

14 directories, 19 files
[oracle@centos tadan]$ seq 6 | xargs -I{} bash -c 'cp $(pwd)/tmpl/config $(pwd)/share/ssh{}/config && sed -i s/@/{}/g $(pwd)/share/ssh{}/config'
[oracle@centos tadan]$ tree
.
├── Dockerfile
├── Makefile
├── docker-compose.yml
├── share
│   ├── ssh1
│   │   ├── config
│   │   ├── known_hosts
│   │   ├── ssh1
│   │   ├── ssh1.pub
│   │   └── tmpl
│   ├── ssh2
│   │   ├── config
│   │   ├── ssh2
│   │   ├── ssh2.pub
│   │   └── tmpl
│   ├── ssh3
│   │   ├── config
│   │   ├── ssh3
│   │   ├── ssh3.pub
│   │   └── tmpl
│   ├── ssh4
│   │   ├── config
│   │   ├── known_hosts
│   │   ├── ssh4
│   │   ├── ssh4.pub
│   │   └── tmpl
│   ├── ssh5
│   │   ├── config
│   │   ├── ssh5
│   │   ├── ssh5.pub
│   │   └── tmpl
│   └── ssh6
│       ├── config
│       ├── ssh6
│       ├── ssh6.pub
│       └── tmpl
└── tmpl
    ├── a.sh
    └── config

14 directories, 25 files
[oracle@centos tadan]$ cat ./share/ssh{1..6}/c*
Host centos
  Hostname 192.168.1.109
  Port 22
  Identityfile ~/.ssh/ssh1
  User oracle
Host centos
  Hostname 192.168.1.109
  Port 22
  Identityfile ~/.ssh/ssh2
  User oracle
Host centos
  Hostname 192.168.1.109
  Port 22
  Identityfile ~/.ssh/ssh3
  User oracle
Host centos
  Hostname 192.168.1.109
  Port 22
  Identityfile ~/.ssh/ssh4
  User oracle
Host centos
  Hostname 192.168.1.109
  Port 22
  Identityfile ~/.ssh/ssh5
  User oracle
Host centos
  Hostname 192.168.1.109
  Port 22
  Identityfile ~/.ssh/ssh6
  User oracle

dockerホストでsshdサービス起動

サービス起動確認

コード表示

[oracle@centos .ssh]$ sudo systemctl restart sshd
[oracle@centos .ssh]$ systemctl status sshd
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since 月 2019-05-13 22:26:04 JST; 3s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 10295 (sshd)
    Tasks: 1
   Memory: 1.0M
   CGroup: /system.slice/sshd.service
           └─10295 /usr/sbin/sshd -D

dockerコンテナ間の接続を確認する

現状どうなっているか。セグメントは越えられない。

コード表示

[oracle@centos tadan]$ docker exec --user oracle --workdir ~/.ssh -it ssh1 /bin/bash
[oracle@ssh1 .ssh]$ ip r
default via 192.168.100.1 dev eth0 
192.168.100.0/24 dev eth0 proto kernel scope link src 192.168.100.101 
[oracle@ssh1 .ssh]$ whoami
oracle
[oracle@ssh1 .ssh]$ hostname
ssh1
[oracle@ssh1 .ssh]$ ping -c 1 192.168.100.102
PING 192.168.100.102 (192.168.100.102) 56(84) bytes of data.
64 bytes from 192.168.100.102: icmp_seq=1 ttl=64 time=0.083 ms

--- 192.168.100.102 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.083/0.083/0.083/0.000 ms
[oracle@ssh1 .ssh]$ ping -c 1 192.168.100.103
PING 192.168.100.103 (192.168.100.103) 56(84) bytes of data.
64 bytes from 192.168.100.103: icmp_seq=1 ttl=64 time=0.057 ms

--- 192.168.100.103 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.057/0.057/0.057/0.000 ms
[oracle@ssh1 .ssh]$ ping -c 1 192.168.100.101
PING 192.168.100.101 (192.168.100.101) 56(84) bytes of data.
64 bytes from 192.168.100.101: icmp_seq=1 ttl=64 time=0.024 ms

--- 192.168.100.101 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.024/0.024/0.024/0.000 ms
[oracle@ssh1 .ssh]$ ping -c 1 192.168.200.101
PING 192.168.200.101 (192.168.200.101) 56(84) bytes of data.
^C
--- 192.168.200.101 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

[oracle@ssh1 .ssh]$ ping -c 1 192.168.200.102
PING 192.168.200.102 (192.168.200.102) 56(84) bytes of data.
^C
--- 192.168.200.102 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

[oracle@ssh1 .ssh]$ ping -c 1 192.168.200.103
PING 192.168.200.103 (192.168.200.103) 56(84) bytes of data.
^C
--- 192.168.200.103 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

dockerコンテナからdockerホストにssh接続できるか確認

yesちゃんといれること。各セグメントから代表1コンテナで確認。

コード表示

[oracle@ssh1 .ssh]$ sed -i /192.168.1.109/d  known_hosts
[oracle@ssh1 .ssh]$ ssh centos
The authenticity of host '192.168.1.109 (192.168.1.109)' can't be established.
ECDSA key fingerprint is SHA256:yOr7hVcqUf559Yl1lTurqPd7V+QQd7OPztlTzOHEpF4.
ECDSA key fingerprint is MD5:03:e5:6a:4f:f1:65:88:f5:88:6d:ad:ff:7a:72:bd:b3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.109' (ECDSA) to the list of known hosts.
Last login: Tue May 14 06:56:59 2019 from 192.168.100.101
[oracle@centos ~]$ whoami
oracle
[oracle@centos ~]$ hostname
centos
[oracle@centos ~]$ ip r | grep eno1
default via 192.168.1.1 dev eno1 proto static metric 100 
192.168.1.0/24 dev eno1 proto kernel scope link src 192.168.1.109 metric 100 
[oracle@centos ~]$ ログアウト
Connection to 192.168.1.109 closed.
[oracle@centos tadan]$ docker exec --user oracle --workdir ~/.ssh -it ssh4 /bin/bash
[oracle@ssh4 .ssh]$ ll
total 20
-rw-r--r--. 1 oracle docker   88 May 14 06:49 config
-rw-r--r--. 1 oracle docker  175 May 13 23:20 known_hosts
-rw-------. 1 oracle docker 1679 May 13 22:35 ssh4
-rw-r--r--. 1 oracle docker  393 May 13 22:35 ssh4.pub
drwxr-xr-x. 2 oracle docker 4096 May 14 06:15 tmpl
[oracle@ssh4 .ssh]$ cat k*
192.168.1.109 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMUYxEWsHgM7+gYRAClMKLNNre9v84lsIL5Tf6K4TBxFhn5JhpRFPy/rBgH84DLnaSj+2uazgzVY332JCwxqHLw=
[oracle@ssh4 .ssh]$ sed -i /192.168.1.109/d  known_hosts
[oracle@ssh4 .ssh]$ cat k*
[oracle@ssh4 .ssh]$ ssh centos
The authenticity of host '192.168.1.109 (192.168.1.109)' can't be established.
ECDSA key fingerprint is SHA256:yOr7hVcqUf559Yl1lTurqPd7V+QQd7OPztlTzOHEpF4.
ECDSA key fingerprint is MD5:03:e5:6a:4f:f1:65:88:f5:88:6d:ad:ff:7a:72:bd:b3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.109' (ECDSA) to the list of known hosts.
Last login: Tue May 14 06:58:04 2019 from 192.168.100.101
[oracle@centos ~]$ whoami
oracle
[oracle@centos ~]$ hostname
centos
[oracle@centos ~]$ ip r | grep eno1
default via 192.168.1.1 dev eno1 proto static metric 100 
192.168.1.0/24 dev eno1 proto kernel scope link src 192.168.1.109 metric 100 
[oracle@centos ~]$ ログアウト
Connection to 192.168.1.109 closed.

sshポートフォーワーディング設定

セグメント跨ぎたい。ssh4(192.168.200.101)からssh1(192.168.100.101)へ通信したいとなったと仮定する。そのときは中継器として見立てているdockerホストからssh1へ向けてポート転送設定をおこなう。

コード表示

[oracle@centos tadan]$ cd .ssh
[oracle@centos .ssh]$ ll
合計 16
-rw-r--r--. 1 oracle docker 2358  5月 13 22:36 authorized_keys
-rw-r--r--. 1 oracle docker   88  5月 14 06:36 config
-rw-------. 1 oracle docker 1679  5月 12 17:23 id_rsa
-rw-r--r--. 1 oracle docker  395  5月 12 17:23 id_rsa.pub
-rw-r--r--. 1 oracle docker    0  5月 14 07:13 known_hosts
[oracle@centos .ssh]$ ssh 192.168.1.109 -R 10022:192.168.100.101:22
The authenticity of host '192.168.1.109 (192.168.1.109)' can't be established.
ECDSA key fingerprint is SHA256:yOr7hVcqUf559Yl1lTurqPd7V+QQd7OPztlTzOHEpF4.
ECDSA key fingerprint is MD5:03:e5:6a:4f:f1:65:88:f5:88:6d:ad:ff:7a:72:bd:b3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.109' (ECDSA) to the list of known hosts.
oracle@192.168.1.109's password: 
Last login: Tue May 14 07:11:02 2019 from centos
[oracle@centos ~]$ 

端末もういっこ開いて、ssh4からssh1に接続できるか試す

oracle@localhost’s password: には転送先マシンのものを入力する。

コード表示

[oracle@centos ~]$ docker exec --user oracle --workdir ~/.ssh -it ssh4 /bin/bash
[oracle@ssh4 .ssh]$ ll
total 20
-rw-r--r--. 1 oracle docker   88 May 14 06:49 config
-rw-r--r--. 1 oracle docker  175 May 14 07:17 known_hosts
-rw-------. 1 oracle docker 1679 May 13 22:35 ssh4
-rw-r--r--. 1 oracle docker  393 May 13 22:35 ssh4.pub
drwxr-xr-x. 2 oracle docker 4096 May 14 06:15 tmpl
[oracle@ssh4 .ssh]$ cat k*
192.168.1.109 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMUYxEWsHgM7+gYRAClMKLNNre9v84lsIL5Tf6K4TBxFhn5JhpRFPy/rBgH84DLnaSj+2uazgzVY332JCwxqHLw=
[oracle@ssh4 .ssh]$ sed -i /192.168.1.109/d k*
[oracle@ssh4 .ssh]$ cat k*
[oracle@ssh4 .ssh]$ ll
total 16
-rw-r--r--. 1 oracle docker   88 May 14 06:49 config
-rw-r--r--. 1 oracle docker    0 May 14 07:17 known_hosts
-rw-------. 1 oracle docker 1679 May 13 22:35 ssh4
-rw-r--r--. 1 oracle docker  393 May 13 22:35 ssh4.pub
drwxr-xr-x. 2 oracle docker 4096 May 14 06:15 tmpl
[oracle@ssh4 .ssh]$ ssh oracle@centos
The authenticity of host '192.168.1.109 (192.168.1.109)' can't be established.
ECDSA key fingerprint is SHA256:yOr7hVcqUf559Yl1lTurqPd7V+QQd7OPztlTzOHEpF4.
ECDSA key fingerprint is MD5:03:e5:6a:4f:f1:65:88:f5:88:6d:ad:ff:7a:72:bd:b3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.109' (ECDSA) to the list of known hosts.
Last login: Tue May 14 07:14:30 2019 from centos
[oracle@centos ~]$ ssh localhost -p 10022
The authenticity of host '[localhost]:10022 ([::1]:10022)' can't be established.
ECDSA key fingerprint is SHA256:gNBn8Jg8Z2W6pX6CkcJsj+TjcLbPsAuCOGoV/mohFmk.
ECDSA key fingerprint is MD5:74:1f:58:b0:72:51:45:cf:e0:2a:cf:b1:9f:75:e1:ec.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[localhost]:10022' (ECDSA) to the list of known hosts.
oracle@localhost's password: 
Last login: Mon May 13 21:27:34 2019
[oracle@ssh1 ~]$ ip r           
default via 192.168.100.1 dev eth0 
192.168.100.0/24 dev eth0 proto kernel scope link src 192.168.100.101 

異なるセグメントはまたげた話

ちょっとカオス化してきたから、色変えたいなtmuxとかうまく使えばいい感じに出来そうだな。タグLANも試してみよう。以上、ありがとうございました。

dockerホストとdockerコンテナでX転送して遊んでみた話

参考文献

4.5. X11 転送を使う  
X11でX11 forwarding request failed on channel 0とエラー表示されて、窓が飛んでこない場合  
ssh X Forwarding できないときの対処  
X11 Forwarding  
多段sshを行うときに、ローカルの秘密鍵を参照し続ける  
Linux - X Window System  
Linux - X Window System  
Linux - X Window System  
C.3. X サーバーの設定ファイル  

環境

参考文献は6なんだよな。。

コード表示

[oracle@centos .ssh]$ cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core) 

dockerホスト側(sshクライアント側)でのXserverサービス起動確認

サービス名はgdm.service。centosをインストールするときにGNOME選択して、アドオンにXserver互換オプションチェック入れておいたから、マシン立ち上がったら、サービス自動起動するのかな。

コード表示

[oracle@centos .ssh]$ systemctl status gdm.service
● gdm.service - GNOME Display Manager
   Loaded: loaded (/usr/lib/systemd/system/gdm.service; enabled; vendor preset: enabled)
   Active: active (running) since 日 2019-05-12 16:26:16 JST; 5h 55min ago
 Main PID: 1119 (gdm)
    Tasks: 18
   Memory: 89.4M
   CGroup: /system.slice/gdm.service
           ├─ 1119 /usr/sbin/gdm
           └─21036 /usr/bin/X :0 -background none -noreset -audit 4 -verbose -auth /run/gdm/auth-for-gdm-dIETUH/database -seat seat0 -nolisten tcp vt1

xorgでググる

/etc/X11/配下がたのしそう。

コード表示

[root@centos .ssh]# find / -name "*xorg*"
/usr/share/X11/xorg.conf.d
/usr/share/X11/xkb/rules/xorg.lst
/usr/share/X11/xkb/rules/xorg
/usr/share/X11/xkb/rules/xorg.xml
/etc/X11/xorg.conf.d
/etc/X11/fontpath.d/xorg-x11-fonts-Type1
[oracle@centos X11]$ pwd
/etc/X11
[oracle@centos X11]$ tree -a
.
├── Xmodmap
├── Xresources
├── applnk
├── fontpath.d
│   ├── cjkuni-uming-fonts -> /usr/share/fonts/cjkuni-uming/
│   ├── default-ghostscript -> /usr/share/fonts/default/ghostscript
│   ├── fonts-default -> /usr/share/fonts/default/Type1
│   ├── liberation-fonts -> /usr/share/fonts/liberation
│   ├── xorg-x11-fonts-100dpi:unscaled:pri=30 -> /usr/share/X11/fonts/100dpi
│   ├── xorg-x11-fonts-Type1 -> /usr/share/X11/fonts/Type1
│   └── xorg-x11-fonts-misc:unscaled:pri=10 -> /usr/share/X11/fonts/misc
├── mwm
│   └── system.mwmrc
├── xinit
│   ├── Xclients
│   ├── Xclients.d
│   ├── Xsession
│   ├── xinitrc
│   ├── xinitrc-common
│   ├── xinitrc.d
│   │   ├── 00-start-message-bus.sh
│   │   ├── 10-qt5-check-opengl2.sh
│   │   ├── 50-xinput.sh
│   │   ├── localuser.sh
│   │   ├── xmbind.sh
│   │   └── zz-liveinst.sh
│   ├── xinput.d
│   │   ├── ibus.conf
│   │   ├── none.conf
│   │   ├── xcompose.conf
│   │   └── xim.conf
│   └── xinputrc -> /etc/alternatives/xinputrc
└── xorg.conf.d
    └── 00-keyboard.conf

15 directories, 19 files

manはここ

コード表示

[oracle@centos X11]$ man 5 xorg.conf
[oracle@centos X11]$ man 1 Xorg
[oracle@centos X11]$ man 1 xhost

dockerコンテナ(sshサーバー)からdockerホスト(sshクライアント)へリモートアクセスできるように設定する

ホスト名とかで指定しても、denyされたので、ipで指定してみたらいけた。指定したsshサーバーからのレスポンスを受け取ることができるようにする。

コード表示

[oracle@centos .ssh]$ xhost +192.168.100.101
192.168.100.101 being added to access control list

dockerコンテナ(sshサーバー)にxauthをインストール

dockerホスト側ではxauthは違うレポから提供されているけど、dockerコンテナ側で用意するのはbaseレポから提供されているものでOK。Failed to set locale, defaulting to Cとかでてるけど、環境変数指定していないだけだと思う。そのままでOK。指定しないとCがデフぉみたいな感じ。

コード表示

[root@638ccb67f9ca ssh]# yum install -y xauth
[oracle@centos X11]$ yum list installed | grep xauth
xorg-x11-xauth.x86_64                   1:1.0.9-1.el7                  @anaconda
[oracle@centos X11]$ ssh ssh1
root@192.168.100.101's password: 
Last login: Sun May 12 10:01:50 2019 from gateway
[root@638ccb67f9ca ~]# yum list installed | grep xauth
Failed to set locale, defaulting to C
xorg-x11-xauth.x86_64                   1:1.0.9-1.el7                   @base   

dockerコンテナ内(Xクラインアント)で起動したアプリケーションをdockerホスト(Xサーバー)に転送ないし送信できるように設定する

引っ張ってくる。pullするイメージ。リモートで作業した結果をpullする感じかな。/etc/ssh/で作業するよ。X11Forwarding yesとX11DisplayOffset 10とX11UseLocalhost noがコメントアウトされていないこと。環境変数DISPLAYに転送先のIP指定しておく。設定変更したら、sshdサービス再起動。

コード表示

[oracle@centos .ssh]$ ssh ssh1
root@192.168.100.101's password: 
Last login: Sun May 12 09:25:13 2019 from gateway
[root@638ccb67f9ca ~]# cd /etc/ssh/
[root@638ccb67f9ca ssh]# ll
total 604
-rw-r--r--. 1 root root     581843 Apr 11  2018 moduli
-rw-r--r--. 1 root root       2276 Apr 11  2018 ssh_config
-rw-r-----. 1 root ssh_keys    227 May 12 08:20 ssh_host_ecdsa_key
-rw-r--r--. 1 root root        162 May 12 08:20 ssh_host_ecdsa_key.pub
-rw-r-----. 1 root ssh_keys    387 May 12 08:20 ssh_host_ed25519_key
-rw-r--r--. 1 root root         82 May 12 08:20 ssh_host_ed25519_key.pub
-rw-r-----. 1 root ssh_keys   1679 May 12 08:20 ssh_host_rsa_key
-rw-r--r--. 1 root root        382 May 12 08:20 ssh_host_rsa_key.pub
-rw-------. 1 root root       3907 Apr 11  2018 sshd_config
[root@638ccb67f9ca ssh]# cat /etc/ssh/sshd_config | grep X11
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#	X11Forwarding no
[root@638ccb67f9ca ssh]# cp sshd_config org_sshd_config
[root@638ccb67f9ca ssh]# vi /etc/ssh/sshd_config
[root@638ccb67f9ca ssh]# diff sshd_config org_sshd_config
102,103c102,103
< X11DisplayOffset 10
< X11UseLocalhost no
---
> #X11DisplayOffset 10
> #X11UseLocalhost yes
[root@638ccb67f9ca ~]# cat /etc/ssh/sshd_config | grep X11
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost no
#	X11Forwarding no
[root@638ccb67f9ca ~]# systemctl restart sshd
[root@638ccb67f9ca ~]# systemctl status sshd
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2019-05-12 13:37:19 UTC; 7s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 8768 (sshd)
   CGroup: /docker/638ccb67f9caf21a7ad35524eb9c3b09950ca17f7cda1d8f5ee33ad0537d7078/system.slice/sshd.service
           └─8768 /usr/sbin/sshd -D
           ‣ 8768 /usr/sbin/sshd -D

May 12 13:37:19 638ccb67f9ca systemd[1]: Starting OpenSSH server daemon...
May 12 13:37:19 638ccb67f9ca sshd[8768]: Server listening on 0.0.0.0 port 22.
May 12 13:37:19 638ccb67f9ca sshd[8768]: Server listening on :: port 22.
May 12 13:37:19 638ccb67f9ca systemd[1]: Started OpenSSH server daemon.

dockerホストからdockerコンテナに接続してみる

sshで。-vはデバッグオプション。-XがX転送で。-Cが転送量の圧縮だっけな。

コード表示

[oracle@centos .ssh]$ pwd
/home/oracle/.ssh
[oracle@centos .ssh]$ ll
合計 16
-rw-r--r--. 1 oracle docker  352  5月 12 22:56 config
-rw-------. 1 oracle docker 1679  5月 12 17:23 id_rsa
-rw-r--r--. 1 oracle docker  395  5月 12 17:23 id_rsa.pub
-rw-r--r--. 1 oracle docker  531  5月 12 17:37 known_hosts
[oracle@centos .ssh]$ cat c*
Host ssh3
  Hostname 192.168.100.103
  Port 22
  Identityfile ~/.ssh/id_rsa
  User root
  ProxyCommand ssh -W %h:%p 192.168.100.102
Host ssh2
  Hostname 192.168.100.102
  Port 22
  Identityfile ~/.ssh/id_rsa
  User root
  ProxyCommand ssh -W %h:%p 192.168.100.101
Host ssh1
  Hostname 192.168.100.101
  Port 22
  Identityfile ~/.ssh/id_rsa
  User root
[oracle@centos .ssh]$ ssh -vXC ssh1
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: Reading configuration data /home/oracle/.ssh/config
debug1: /home/oracle/.ssh/config line 13: Applying options for ssh1
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to 192.168.100.101 [192.168.100.101] port 22.
debug1: Connection established.
debug1: identity file /home/oracle/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/oracle/.ssh/id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.100.101:22 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC:  compression: zlib@openssh.com
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC:  compression: zlib@openssh.com
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:YJHAd648yfk43PAAx3L0vp0IKhBINaYEEGb53Mxn7pw
debug1: Host '192.168.100.101' is known and matches the ECDSA host key.
debug1: Found key in /home/oracle/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:1000)

debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:1000)

debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/oracle/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: password
root@192.168.100.101's password: 
debug1: Enabling compression at level 6.
debug1: Authentication succeeded (password).
Authenticated to 192.168.100.101 ([192.168.100.101]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: exec
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Sending environment.
debug1: Sending env XMODIFIERS = @im=ibus
debug1: Sending env LANG = ja_JP.UTF-8
Last login: Sun May 12 13:51:37 2019 from gateway
[root@638ccb67f9ca ~]# whoami
root
[root@638ccb67f9ca ~]# hostname
638ccb67f9ca
[root@638ccb67f9ca ~]# ip a show eth0
23: eth0@if24:  mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:c0:a8:64:65 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.100.101/24 brd 192.168.100.255 scope global eth0
       valid_lft forever preferred_lft forever

DBUSでXclientとXserver同士を接着させる呪文を唱える

dbus-x11-1.10.24-12.el7.x86_64をいんすこ。

コード表示

[root@638ccb67f9ca ~]# yum provides dbus-launch
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror, ovl
Loading mirror speeds from cached hostfile
 * base: ftp.riken.jp
 * extras: ftp.riken.jp
 * updates: ftp.riken.jp
1:dbus-x11-1.10.24-12.el7.x86_64 : X11-requiring add-ons for D-BUS
Repo        : base
Matched from:
Filename    : /usr/bin/dbus-launch



1:dbus-x11-1.10.24-13.el7_6.x86_64 : X11-requiring add-ons for D-BUS
Repo        : updates
Matched from:
Filename    : /usr/bin/dbus-launch



1:dbus-x11-1.10.24-12.el7.x86_64 : X11-requiring add-ons for D-BUS
Repo        : @base
Matched from:
Filename    : /usr/bin/dbus-launch



[root@638ccb67f9ca ~]# yum list installed | grep dbus*
Failed to set locale, defaulting to C
dbus.x86_64                             1:1.10.24-12.el7                @CentOS 
dbus-glib.x86_64                        0.100-7.el7                     @CentOS 
dbus-libs.x86_64                        1:1.10.24-12.el7                @CentOS 
dbus-python.x86_64                      1.1.1-9.el7                     @CentOS 
dbus-x11.x86_64                         1:1.10.24-12.el7                @base   
[root@638ccb67f9ca ~]# which dbus-launch
/usr/bin/dbus-launch
[root@638ccb67f9ca ~]# eval `dbus-launch --sh-syntax`
debug1: client_input_channel_open: ctype x11 rchan 3 win 65536 max 16384
debug1: client_request_x11: request from 192.168.100.101 52204
debug1: channel 1: new [x11]
debug1: confirm x11
debug1: channel 1: FORCE input drain
[root@638ccb67f9ca ~]# debug1: channel 1: free: x11, nchannels 2

[root@638ccb67f9ca ~]# export DBUS_SESSION_BUS_ADDRESS
[root@638ccb67f9ca ~]# export DBUS_SESSION_BUS_PID
[root@638ccb67f9ca ~echo $DBUS_SESSION_BUS_ADDRESS
unix:abstract=/tmp/dbus-gtDglgmnGA,guid=8131513d6d575324bd5d33555cd827fa
[root@638ccb67f9ca ~]# echo $DBUS_SESSION_BUS_PID
8856
[root@638ccb67f9ca ~]# ps 8856
  PID TTY      STAT   TIME COMMAND
 8856 ?        Ss     0:00 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
[root@638ccb67f9ca ~]# ps aux 
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0  43324  3576 ?        Ss   08:20   0:00 /sbin/init
root        17  0.0  0.0  39084  6308 ?        Ss   08:20   0:00 /usr/lib/systemd/systemd-journald
root        30  0.0  0.0  42656  1788 ?        Ss   08:20   0:00 /usr/lib/systemd/systemd-udevd
root       985  0.0  0.0  26508  1840 ?        Ss   08:20   0:00 /usr/lib/systemd/systemd-logind
dbus      1113  0.0  0.0  58104  2340 ?        Ss   08:20   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
root      8079  0.0  0.0  57988  1360 ?        Ss   09:50   0:00 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
root      8799  0.0  0.0 112860  4304 ?        Ss   13:50   0:00 /usr/sbin/sshd -D
root      8818  0.0  0.0 155608  6388 ?        Rs   13:58   0:00 sshd: root@pts/0
root      8820  0.0  0.0  15224  1912 pts/0    Ss   13:58   0:00 -bash
root      8856  0.0  0.0  57988   884 ?        Ss   14:04   0:00 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
root      8864  0.0  0.0  55144  1764 pts/0    R+   14:07   0:00 ps aux

Xクライアントアプリをdockerコンテナ側で用意

yumする。xeyesはxorg-x11-apps-7.7-7.el7.x86_64として提供されている。

コード表示

[root@638ccb67f9ca ~]# yum install -y xeyes xterm firefox
[root@638ccb67f9ca ~]# yum provides xeyes        
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror, ovl
Loading mirror speeds from cached hostfile
 * base: ftp.riken.jp
 * extras: ftp.riken.jp
 * updates: ftp.riken.jp
xorg-x11-apps-7.7-7.el7.x86_64 : X.Org X11 applications
Repo        : base
Matched from:
Provides    : xeyes



xorg-x11-apps-7.7-7.el7.x86_64 : X.Org X11 applications
Repo        : @base
Matched from:
Provides    : xeyes
[root@638ccb67f9ca ~]# yum list installed | grep -E "xorg|xterm|firefox"
Failed to set locale, defaulting to C
firefox.x86_64                          60.6.1-1.el7.centos             @updates
xorg-x11-apps.x86_64                    7.7-7.el7                       @base   
xorg-x11-server-utils.x86_64            7.7-20.el7                      @base   
xorg-x11-xauth.x86_64                   1:1.0.9-1.el7                   @base   
xorg-x11-xinit.x86_64                   1.3.4-2.el7                     @base   
xterm.x86_64                            295-3.el7                       @base   

大切なのはdockerコンテナ内(sshサーバ)で、DISPLAYとDBUS_SESSION_BUS_PIDとDBUS_SESSION_BUS_ADDRESSを確認すること

ちょっとかんたんにX転送する場合としない場合、ssh鯖内でeval `dbus-launch –sh-syntax`する場合としない場合で比較してみる

X転送しない場合

コード表示

[oracle@centos .ssh]$ ssh ssh1
root@192.168.100.101's password: 
Last login: Sun May 12 14:25:33 2019 from gateway
[root@638ccb67f9ca ~]# echo $DISPLAY

[root@638ccb67f9ca ~]# echo $DBUS_SESSION_BUS_PID

[root@638ccb67f9ca ~]# echo $DBUS_SESSION_BUS_ADDRESS

[root@638ccb67f9ca ~]# logout
Connection to 192.168.100.101 closed.
[oracle@centos .ssh]$ 

X転送する場合

コード表示

[oracle@centos .ssh]$ ssh -XC ssh1
root@192.168.100.101's password: 
Last login: Sun May 12 14:32:12 2019 from gateway
[root@638ccb67f9ca ~]# echo $DISPLAY
192.168.100.101:10.0
[root@638ccb67f9ca ~]# echo $DBUS_SESSION_BUS_PID

[root@638ccb67f9ca ~]# echo $DBUS_SESSION_BUS_ADDRESS

[root@638ccb67f9ca ~]# logout
Connection to 192.168.100.101 closed.
[oracle@centos .ssh]$ 

X転送してeval `dbus-launch –sh-syntax`もする場合

コード表示

[oracle@centos .ssh]$ ssh -XC ssh1
root@192.168.100.101's password: 
Last login: Sun May 12 14:32:48 2019 from gateway
[root@638ccb67f9ca ~]# eval `dbus-launch --sh-syntax`
[root@638ccb67f9ca ~]# echo $DBUS_SESSION_BUS_PID
8978
[root@638ccb67f9ca ~]# echo $DBUS_SESSION_BUS_ADDRESS
unix:abstract=/tmp/dbus-1bRTlpm0VX,guid=689e9f7764605cb41f5144695cd82ef2
[root@638ccb67f9ca ~]# ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0  43324  3576 ?        Ss   08:20   0:00 /sbin/init
root        17  0.0  0.0  39084  6344 ?        Ss   08:20   0:00 /usr/lib/systemd/systemd-journald
root        30  0.0  0.0  42656  1788 ?        Ss   08:20   0:00 /usr/lib/systemd/systemd-udevd
root       985  0.0  0.0  26508  1840 ?        Ss   08:20   0:00 /usr/lib/systemd/systemd-logind
dbus      1113  0.0  0.0  58104  2340 ?        Ss   08:20   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
root      8079  0.0  0.0  57988  1360 ?        Ss   09:50   0:00 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
root      8799  0.0  0.0 112860  4340 ?        Ss   13:50   0:00 /usr/sbin/sshd -D
root      8856  0.0  0.0  57988   884 ?        Ss   14:04   0:00 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
root      8956  0.0  0.0 155608  6388 ?        Ss   14:33   0:00 sshd: root@pts/0
root      8958  0.0  0.0  15224  1912 pts/0    Ss   14:33   0:00 -bash
root      8978  0.0  0.0  57988   884 ?        Ss   14:34   0:00 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
root      8979  0.0  0.0  55144  1764 pts/0    R+   14:34   0:00 ps aux

Xクライアントでアプリ実行してfin

ぉぉぉ

コード表示

[root@638ccb67f9ca ~]# xeyes &
[2] 8985
[1]   Done                    xeyes
[root@638ccb67f9ca ~]# Warning: locale not supported by C library, locale unchanged
^C
[root@638ccb67f9ca ~]# xterm &
[3] 8986
[2]   Done                    xeyes
[root@638ccb67f9ca ~]# Warning: locale not supported by C library, locale unchanged
^C
[3]+  Done                    xterm
[root@638ccb67f9ca ~]# xterm &
[1] 9005
[root@638ccb67f9ca ~]# Warning: locale not supported by C library, locale unchanged
^C
[1]+  Done                    xterm



あとがき

xtermは便利そ。端末複製できる点がよい。firefoxとかは文字化けの原因しらべよ。Xはちょーたのしい!!!!以上、ありがとうございました。

多段ssh接続をdockerホストからdockerコンテナに向けてやってみた話

参考文献

多段ssh設定のまとめ  
SSH 多段接続で三段先のサーバに接続する  
多段sshを行うときに、ローカルの秘密鍵を参照し続ける  
Compose file version 3 reference  
Compose のネットワーク機能  

まえがき

フォルダ構成

ssh3フォルダは用意。a.shは使わない。

コード表示

[oracle@centos tadan]$ rm ./share/ssh{1..3}/*pub
[oracle@centos tadan]$ tree
.
├── Dockerfile
├── Makefile
├── docker-compose.yml
├── share
│   ├── ssh1
│   │   └── tmpl
│   ├── ssh2
│   │   └── tmpl
│   └── ssh3
│       └── tmpl
└── tmpl
    └── a.sh

8 directories, 4 files

権限整備

dockerホストで

コード表示

[oracle@centos tadan]$ sudo chown -R oracle:docker share
[oracle@centos tadan]$ sudo chown -R oracle:docker tmpl
[oracle@centos tadan]$ ll
合計 20
-rw-r--r--. 1 oracle docker  531  5月 11 16:33 Dockerfile
-rw-r--r--. 1 oracle docker   58  5月 11 13:25 Makefile
-rw-r--r--. 1 oracle docker  962  5月 11 16:25 docker-compose.yml
drwxr-xr-x. 4 oracle docker 4096  5月 11 16:08 share
drwxr-xr-x. 2 oracle docker 4096  5月 11 16:19 tmpl

Dockerfile

oracleユーザーでログインするようにすると、権限まわりであぁとなるので、デフぉのrootで。suしてもだめだった気がする。

コード表示

[oracle@centos tadan]$ cat D*
FROM centos:latest

RUN yum install -y iputils \
yum install -y net-tools \
yum install -y iproute \
yum install -y vim \
yum install -y tree \
yum install -y lsof \
yum install -y expect \
yum install -y openssh-server \
yum install -y openssh-clients

ENV TZ='Asia/Tokyo'

RUN groupadd -g 1001 docker
RUN useradd -m -g docker -u 1000 oracle

RUN echo 'ORACLE_PWD' | passwd --stdin oracle
RUN echo 'ORACLE_PWD' | passwd --stdin root

RUN mkdir -p /home/oracle/.ssh

#USER oracle
#WORKDIR /home/oracle
EXPOSE 20
CMD ["/sbin/init"]

Makefile

エイリアス

コード表示

[oracle@centos tadan]$ cat M*
CMD=docker-compose
up:
	@$(CMD) up -d
down:
	@$(CMD) down

docker-compose.yml

3コンテナ起動。

コード表示

[oracle@centos tadan]$ docker --version
Docker version 18.09.5, build e8ff056
[oracle@centos tadan]$ cat d*
version: '3.7'
services:
  ssh_saba1:
    image: centos_ssh
    container_name: ssh1
    #command: bash -c "ehoc hoge"
    privileged: true
    volumes:
      -  /home/oracle/tadan/share/ssh1:/home/oracle/.ssh
      -  /home/oracle/tadan/tmpl:/home/oracle/.ssh/tmpl
    networks:
      ssh_net:
        ipv4_address: 192.168.100.101
    ports:
      - '1:22'
  ssh_saba2:
    image: centos_ssh
    container_name: ssh2
    #command: bash -c "echo hoge"
    privileged: true
    volumes:
      -  /home/oracle/tadan/share/ssh2:/home/oracle/.ssh
      -  /home/oracle/tadan/tmpl:/home/oracle/.ssh/tmpl
    networks:
      ssh_net:
        ipv4_address: 192.168.100.102
    ports:
      - '2:22'
  ssh_saba3:
    image: centos_ssh
    container_name: ssh3
    #command: bash -c "echo hoge"
    privileged: true
    volumes:
      -  /home/oracle/tadan/share/ssh3:/home/oracle/.ssh
      -  /home/oracle/tadan/tmpl:/home/oracle/.ssh/tmpl
    networks:
      ssh_net:
        ipv4_address: 192.168.100.103
    ports:
      - '3:22'
networks:
  ssh_net:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 192.168.100.0/24

a.sh

コンテナ内でkickするやつ。sshの公開鍵と秘密鍵をコンテナ単位で作成。expectコマンド使って自動化しようとした名残だけある。今回はローカル(docker ホスト)で鍵作成。

コード表示

[oracle@centos tadan]$ cat t*/a*
#!/bin/bash
PWD=""
expect -c "
spawn ssh-keygen -t rsa
expect \"Enter\"
send \"${PWD}\n\"
expect \"Enter\"
send \"${PWD}\n\"
expect \"Enter\"
send \"${PWD}\n\"
expect \"\\\$\"
exit 0
"

centos_sshイメージの作成

dockerfileでマルチステージング機能あるぽくて、サイズ圧縮できるってどっかで見て試したけど、うまく使いこなせなかった。

コード表示

[oracle@centos tadan]$ docker build -t centos_ssh .
[oracle@centos tadan]$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
centos_ssh          latest              43f44c1e64a5        11 seconds ago      360MB
centos              latest              9f38484d220f        8 weeks ago         202MB

コンテナ起動前ネットワーク確認

ネットワークすき

コード表示

[oracle@centos tadan]$ brctl show
bridge name	bridge id		STP enabled	interfaces
docker0		8000.0242818de210	no		
virbr0		8000.5254006a2171	yes		virbr0-nic
[oracle@centos tadan]$ ip a show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:d8:61:2c:f1:5b brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.109/24 brd 192.168.1.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::ccc0:20d4:3aed:ca75/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: virbr0:  mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:6a:21:71 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
4: virbr0-nic:  mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000
    link/ether 52:54:00:6a:21:71 brd ff:ff:ff:ff:ff:ff
6: docker0:  mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:81:8d:e2:10 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:81ff:fe8d:e210/64 scope link 
       valid_lft forever preferred_lft forever


[oracle@centos tadan]$ sudo iptables -t nat -L -n | grep -A 10 "Chain POSTROUTING"
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0           
RETURN     all  --  192.168.122.0/24     224.0.0.0/24        
RETURN     all  --  192.168.122.0/24     255.255.255.255     
MASQUERADE  tcp  --  192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
MASQUERADE  udp  --  192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
MASQUERADE  all  --  192.168.122.0/24    !192.168.122.0/24    
POSTROUTING_direct  all  --  0.0.0.0/0            0.0.0.0/0           
POSTROUTING_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
POSTROUTING_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           

コンテナ起動

makeコマンドで。

コード表示

[oracle@centos tadan]$ docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
[oracle@centos tadan]$ make up
Creating network "tadan_ssh_net" with driver "bridge"
Creating ssh1 ... done
Creating ssh2 ... done
Creating ssh3 ... done
[oracle@centos tadan]$ docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS                       NAMES
4869f3cec966        centos_ssh          "/sbin/init"        13 hours ago        Up 13 hours         20/tcp, 0.0.0.0:1->22/tcp   ssh1
5f6b238319ff        centos_ssh          "/sbin/init"        13 hours ago        Up 13 hours         20/tcp, 0.0.0.0:2->22/tcp   ssh2
50e75a25f30f        centos_ssh          "/sbin/init"        13 hours ago        Up 13 hours         20/tcp, 0.0.0.0:3->22/tcp   ssh3

コンテナ起動後ネットワーク確認

docker0のIFは使われていない。独自に定義したbridgeルータにコンテナは接続している。

コード表示

[oracle@centos tadan]$ brctl show
bridge name	bridge id		STP enabled	interfaces
br-3cb3a09916e1		8000.0242011202de	no		veth3ab229f
							vetha272766
							vethc24b63c
docker0		8000.0242818de210	no		
virbr0		8000.5254006a2171	yes		virbr0-nic
[oracle@centos tadan]$ ip a show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:d8:61:2c:f1:5b brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.109/24 brd 192.168.1.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::ccc0:20d4:3aed:ca75/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: virbr0:  mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:6a:21:71 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
4: virbr0-nic:  mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000
    link/ether 52:54:00:6a:21:71 brd ff:ff:ff:ff:ff:ff
6: docker0:  mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:81:8d:e2:10 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:81ff:fe8d:e210/64 scope link 
       valid_lft forever preferred_lft forever
363: br-3cb3a09916e1:  mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:01:12:02:de brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.1/24 brd 192.168.100.255 scope global br-3cb3a09916e1
       valid_lft forever preferred_lft forever
    inet6 fe80::42:1ff:fe12:2de/64 scope link 
       valid_lft forever preferred_lft forever
365: vetha272766@if364:  mtu 1500 qdisc noqueue master br-3cb3a09916e1 state UP group default 
    link/ether c2:10:0e:d3:93:fb brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::c010:eff:fed3:93fb/64 scope link 
       valid_lft forever preferred_lft forever
367: veth3ab229f@if366:  mtu 1500 qdisc noqueue master br-3cb3a09916e1 state UP group default 
    link/ether 66:3f:98:2c:cc:97 brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 fe80::643f:98ff:fe2c:cc97/64 scope link 
       valid_lft forever preferred_lft forever
369: vethc24b63c@if368:  mtu 1500 qdisc noqueue master br-3cb3a09916e1 state UP group default 
    link/ether b6:f4:23:67:1d:3a brd ff:ff:ff:ff:ff:ff link-netnsid 2
    inet6 fe80::b4f4:23ff:fe67:1d3a/64 scope link 
       valid_lft forever preferred_lft forever
[oracle@centos tadan]$ sudo iptables -t nat -L -n | grep -A 10 "Chain POSTROUTING"
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  192.168.100.0/24     0.0.0.0/0           
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0           
RETURN     all  --  192.168.122.0/24     224.0.0.0/24        
RETURN     all  --  192.168.122.0/24     255.255.255.255     
MASQUERADE  tcp  --  192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
MASQUERADE  udp  --  192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
MASQUERADE  all  --  192.168.122.0/24    !192.168.122.0/24    
POSTROUTING_direct  all  --  0.0.0.0/0            0.0.0.0/0           
POSTROUTING_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           

a.shをキックしない。

今回はローカル(docker ホスト)で鍵作成。

コード表示

[oracle@centos .ssh]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/oracle/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/oracle/.ssh/id_rsa.
Your public key has been saved in /home/oracle/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:bxKbA6TM6rg/RG5ANOqORnL/7wP/247Mjbsnr8D7Hvg oracle@centos
The key's randomart image is:
+---[RSA 2048]----+
|.o               |
|...              |
|o     .          |
|o .o o           |
|.*. + . S        |
|=.+o  .o *       |
|.=. .  oO +      |
|.o.  .  oX.*.    |
|ooo.  .o+=EX=    |
+----[SHA256]-----+

dockerホストから各コンテナに公開鍵を配布

コンテナごとに公開鍵を配布。

コード表示

[oracle@centos tadan]$ echo -e $(pwd)/share/ssh{1..3}\\n | xargs -I@ bash -c 'cp ~/.ssh/*pub @'
[oracle@centos tadan]$ tree
.
├── Dockerfile
├── Makefile
├── docker-compose.yml
├── share
│   ├── ssh1
│   │   ├── id_rsa.pub
│   │   └── tmpl
│   ├── ssh2
│   │   ├── id_rsa.pub
│   │   └── tmpl
│   └── ssh3
│       ├── id_rsa.pub
│       └── tmpl
└── tmpl
    └── a.sh

8 directories, 7 files

sshdサービス起動確認

コード表示

[oracle@centos .ssh]$ docker exec -it ssh1 /bin/bash
[root@4869f3cec966 /]# systemctl status sshd
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2019-05-11 18:27:07 JST; 13h ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 2344 (sshd)
   CGroup: /docker/4869f3cec966c4611962f1b02c163264d8e292c8df4a3b320b8e8b08fbb86d35/system.slice/sshd.service
           └─2344 /usr/sbin/sshd -D
           ‣ 2344 /usr/sbin/sshd -D

May 11 18:27:07 4869f3cec966 systemd[1]: Starting OpenSSH server daemon...
May 11 18:27:07 4869f3cec966 sshd[2344]: Server listening on 0.0.0.0 port 22.
May 11 18:27:07 4869f3cec966 sshd[2344]: Server listening on :: port 22.
May 11 18:27:07 4869f3cec966 systemd[1]: Started OpenSSH server daemon.
May 11 21:57:48 4869f3cec966 sshd[5431]: Accepted password for root from 192.168.100.1 port 33038 ssh2
May 11 21:57:55 4869f3cec966 sshd[5448]: Connection closed by 192.168.100.1 port 33044 [preauth]
May 12 07:22:11 4869f3cec966 sshd[5454]: Accepted password for root from 192.168.100.1 port 42396 ssh2
May 12 07:23:04 4869f3cec966 sshd[5471]: Accepted password for root from 192.168.100.1 port 42410 ssh2
[root@4869f3cec966 /]# exit
[oracle@centos .ssh]$ docker exec -it ssh2 /bin/bash
[root@5f6b238319ff /]# systemctl status sshd
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2019-05-11 18:27:07 JST; 13h ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 1866 (sshd)
   CGroup: /docker/5f6b238319ff35260f1385261064b6f67562554c668cf4f009682acf20202b54/system.slice/sshd.service
           └─1866 /usr/sbin/sshd -D
           ‣ 1866 /usr/sbin/sshd -D

May 11 18:27:07 5f6b238319ff systemd[1]: Starting OpenSSH server daemon...
May 11 18:27:07 5f6b238319ff sshd[1866]: Server listening on 0.0.0.0 port 22.
May 11 18:27:07 5f6b238319ff sshd[1866]: Server listening on :: port 22.
May 11 18:27:07 5f6b238319ff systemd[1]: Started OpenSSH server daemon.
May 11 21:51:32 5f6b238319ff sshd[5402]: Accepted password for root from 192.168.100.1 port 46484 ssh2
May 11 22:09:56 5f6b238319ff sshd[5419]: Accepted password for oracle from 192.168.100.1 port 47334 ssh2
May 11 22:16:08 5f6b238319ff sshd[5422]: Accepted password for oracle from 192.168.100.1 port 47626 ssh2
May 11 22:17:21 5f6b238319ff sshd[5425]: Accepted password for oracle from 192.168.100.1 port 47646 ssh2
May 11 22:17:53 5f6b238319ff sshd[5428]: Accepted password for oracle from 192.168.100.1 port 47660 ssh2
[root@5f6b238319ff /]# exit
[oracle@centos .ssh]$ docker exec -it ssh3 /bin/bash
[root@50e75a25f30f /]# systemctl status sshd
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2019-05-11 18:27:06 JST; 13h ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 1884 (sshd)
   CGroup: /docker/50e75a25f30f6af7dd199924be5505094f35b0550ee87113f252fea2f5815194/system.slice/sshd.service
           └─1884 /usr/sbin/sshd -D
           ‣ 1884 /usr/sbin/sshd -D

May 11 18:27:06 50e75a25f30f systemd[1]: Starting OpenSSH server daemon...
May 11 18:27:06 50e75a25f30f sshd[1884]: Server listening on 0.0.0.0 port 22.
May 11 18:27:06 50e75a25f30f sshd[1884]: Server listening on :: port 22.
May 11 18:27:06 50e75a25f30f systemd[1]: Started OpenSSH server daemon.
May 11 21:48:59 50e75a25f30f sshd[8002]: Accepted password for root from 192.168.100.1 port 59862 ssh2
May 11 21:54:55 50e75a25f30f sshd[8020]: Connection closed by 192.168.100.1 port 60144 [preauth]
May 11 22:10:02 50e75a25f30f sshd[8022]: Accepted password for root from 192.168.100.102 port 50252 ssh2
May 11 22:16:23 50e75a25f30f sshd[8040]: Accepted password for root from 192.168.100.102 port 50542 ssh2
May 11 22:17:28 50e75a25f30f sshd[8073]: Accepted password for oracle from 192.168.100.102 port 50568 ssh2
May 11 22:17:58 50e75a25f30f sshd[8095]: Accepted password for root from 192.168.100.102 port 50576 ssh2

こっちのほうが楽。-itオプション指定しないこと。

コード表示

[oracle@centos tadan]$ seq 3 | xargs -I@ bash -c 'docker exec ssh@ systemctl status sshd'
[oracle@centos tadan]$ seq 3 | xargs -I@ bash -c 'docker exec ssh@ systemctl status sshd'
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2019-05-12 17:20:27 JST; 13min ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 2015 (sshd)
   CGroup: /docker/638ccb67f9caf21a7ad35524eb9c3b09950ca17f7cda1d8f5ee33ad0537d7078/system.slice/sshd.service
           └─2015 /usr/sbin/sshd -D
           ‣ 2015 /usr/sbin/sshd -D

May 12 17:20:27 638ccb67f9ca systemd[1]: Starting OpenSSH server daemon...
May 12 17:20:27 638ccb67f9ca sshd[2015]: Server listening on 0.0.0.0 port 22.
May 12 17:20:27 638ccb67f9ca sshd[2015]: Server listening on :: port 22.
May 12 17:20:27 638ccb67f9ca systemd[1]: Started OpenSSH server daemon.
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2019-05-12 17:20:27 JST; 13min ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 1991 (sshd)
   CGroup: /docker/f62321332bb2fc8952c5de347678c9c362fec317c7316670b61c87e9397ef99c/system.slice/sshd.service
           └─1991 /usr/sbin/sshd -D
           ‣ 1991 /usr/sbin/sshd -D

May 12 17:20:27 f62321332bb2 systemd[1]: Starting OpenSSH server daemon...
May 12 17:20:27 f62321332bb2 sshd[1991]: Server listening on 0.0.0.0 port 22.
May 12 17:20:27 f62321332bb2 sshd[1991]: Server listening on :: port 22.
May 12 17:20:27 f62321332bb2 systemd[1]: Started OpenSSH server daemon.
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2019-05-12 17:20:27 JST; 13min ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 1405 (sshd)
   CGroup: /docker/cb4b615a81692c9bb1d2283d49cb84d24ecae03b69210e08724255afca9f03b5/system.slice/sshd.service
           └─1405 /usr/sbin/sshd -D
           ‣ 1405 /usr/sbin/sshd -D

May 12 17:20:27 cb4b615a8169 systemd[1]: Starting OpenSSH server daemon...
May 12 17:20:27 cb4b615a8169 sshd[1405]: Server listening on 0.0.0.0 port 22.
May 12 17:20:27 cb4b615a8169 sshd[1405]: Server listening on :: port 22.
May 12 17:20:27 cb4b615a8169 systemd[1]: Started OpenSSH server daemon.

dockerホストからssh3コンテナまでssh疎通できるかconfigファイル編集しながら試す。

ssh1まで

できた

コード表示

[oracle@centos .ssh]$ pwd
/home/oracle/.ssh
[oracle@centos .ssh]$ whoami
oracle
[oracle@centos .ssh]$ ip a show eth0
2: eth0:  mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:d8:61:2c:f1:5b brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.109/24 brd 192.168.1.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::ccc0:20d4:3aed:ca75/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
[oracle@centos .ssh]$ cat c*
#Host ssh3
#  Hostname 192.168.100.103
#  Port 22
#  Identityfile ~/.ssh/id_rsa
#  User root
#  ProxyCommand ssh -W %h:%p 192.168.100.102
#Host ssh2
#  Hostname 192.168.100.102
#  Port 22
#  Identityfile ~/.ssh/id_rsa
#  User root
#  ProxyCommand ssh -W %h:%p 192.168.100.101
Host ssh1
  Hostname 192.168.100.101
  Port 22
  Identityfile ~/.ssh/id_rsa
  User root
[oracle@centos .ssh]$ ssh ssh1
root@192.168.100.101's password: 
Last login: Sat May 11 22:23:04 2019 from gateway
[root@4869f3cec966 ~]# whoami
root
[root@4869f3cec966 ~]# ip a show eth0
368: eth0@if369:  mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:c0:a8:64:65 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.100.101/24 brd 192.168.100.255 scope global eth0
       valid_lft forever preferred_lft forever
[root@4869f3cec966 ~]# logout
Connection to 192.168.100.101 closed.
[oracle@centos .ssh]$ ssh oracle@ssh1
oracle@192.168.100.101's password: 
[oracle@4869f3cec966 ~]$ whoami
oracle
[oracle@4869f3cec966 ~]$ ip a show eth0
368: eth0@if369:  mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:c0:a8:64:65 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.100.101/24 brd 192.168.100.255 scope global eth0
       valid_lft forever preferred_lft forever
[oracle@4869f3cec966 ~]$ logout
Connection to 192.168.100.101 closed.



[oracle@centos .ssh]$ ssh ssh2
ssh: Could not resolve hostname ssh2: Name or service not known
[oracle@centos .ssh]$ ssh ssh3
ssh: Could not resolve hostname ssh3: Name or service not known

ssh2まで

できた

コード表示

[oracle@centos .ssh]$ cat c*
#Host ssh3
#  Hostname 192.168.100.103
#  Port 22
#  Identityfile ~/.ssh/id_rsa
#  User root
#  ProxyCommand ssh -W %h:%p 192.168.100.102
Host ssh2
  Hostname 192.168.100.102
  Port 22
  Identityfile ~/.ssh/id_rsa
  User root
  ProxyCommand ssh -W %h:%p 192.168.100.101
Host ssh1
  Hostname 192.168.100.101
  Port 22
  Identityfile ~/.ssh/id_rsa
  User root
[oracle@centos .ssh]$ ssh ssh2
oracle@192.168.100.101's password: 
root@192.168.100.102's password: 
Last login: Sat May 11 12:51:32 2019 from gateway
[root@5f6b238319ff ~]# whoami
root
[root@5f6b238319ff ~]# ip a show eth0
366: eth0@if367:  mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:c0:a8:64:66 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.100.102/24 brd 192.168.100.255 scope global eth0
       valid_lft forever preferred_lft forever


[root@5f6b238319ff ~]# logout
Connection to 192.168.100.102 closed.
Killed by signal 1.
[oracle@centos .ssh]$ ssh oracle@ssh2
oracle@192.168.100.101's password: 
oracle@192.168.100.102's password: 
Permission denied, please try again.
oracle@192.168.100.102's password: 
Last failed login: Sat May 11 22:48:43 UTC 2019 from ssh1.tadan_ssh_net on ssh:notty
There was 1 failed login attempt since the last successful login.
[oracle@5f6b238319ff ~]$ whoami
oracle
[oracle@5f6b238319ff ~]$ ip a show eth0
366: eth0@if367:  mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:c0:a8:64:66 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.100.102/24 brd 192.168.100.255 scope global eth0
       valid_lft forever preferred_lft forever
[oracle@5f6b238319ff ~]$ logout
Connection to 192.168.100.102 closed.
Killed by signal 1.
[oracle@centos .ssh]$ ssh ssh3
ssh: Could not resolve hostname ssh3: Name or service not known

ssh3まで

できた

コード表示

[oracle@centos .ssh]$ cat c*
Host ssh3
  Hostname 192.168.100.103
  Port 22
  Identityfile ~/.ssh/id_rsa
  User root
  ProxyCommand ssh -W %h:%p 192.168.100.102
Host ssh2
  Hostname 192.168.100.102
  Port 22
  Identityfile ~/.ssh/id_rsa
  User root
  ProxyCommand ssh -W %h:%p 192.168.100.101
Host ssh1
  Hostname 192.168.100.101
  Port 22
  Identityfile ~/.ssh/id_rsa
  User root
[oracle@centos .ssh]$ ssh ssh3
oracle@192.168.100.102's password: 
root@192.168.100.103's password: 
Last login: Sat May 11 13:17:58 2019 from ssh2.tadan_ssh_net
[root@50e75a25f30f ~]# whoami
root
[root@50e75a25f30f ~]# ip a show eth0
364: eth0@if365:  mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:c0:a8:64:67 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.100.103/24 brd 192.168.100.255 scope global eth0
       valid_lft forever preferred_lft forever
[root@50e75a25f30f ~]# logout
Connection to 192.168.100.103 closed.
Killed by signal 1.


[oracle@centos .ssh]$ ssh oracle@ssh3
oracle@192.168.100.102's password: 
oracle@192.168.100.103's password: 
Last login: Sat May 11 13:17:28 2019 from ssh2.tadan_ssh_net
[oracle@50e75a25f30f ~]$ whoami
oracle
[oracle@50e75a25f30f ~]$ ip a show eth0
364: eth0@if365:  mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:c0:a8:64:67 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.100.103/24 brd 192.168.100.255 scope global eth0
       valid_lft forever preferred_lft forever
[oracle@50e75a25f30f ~]$ logout
Connection to 192.168.100.103 closed.
Killed by signal 1.

あとがき

多段sshの練習になった。コンテナ名の色とコンテナの名前をおしゃれにしたい。以上、ありがとうございました。

dockerコンテナ同士でssh疎通した話

参考文献

ssh-keygen - 認証用の鍵を生成 - Linuxコマンド  
Compose file version 3 reference  
SSH通信って、結局何してるの?  
Compose のネットワーク機能  

参考文献よんで感じたこと

自鯖にログインしてきたユーザーが持って来たハッシュ値と鯖側でユーザーごとに生成しておいたハッシュ値をマッチングして本人であることを証明している感じかな。あらかじめ、自鯖側ではログインしてくるユーザーを知る必要がある(コンテナごとの公開鍵)。鯖はログインしてきたユーザに対して暗号を生成して、ログインユーザーのマシンに送り返す。ログインユーザーは送られてきた暗号を自分だけが保持している秘密鍵を使って、解読し、ハッシュ値を生成。作ったハッシュ値を鯖に送り返す。鯖は送られてきたハッシュ値と予めユーザーごとに生成して置いたハッシュ値をマッチングし、照合一致したら、ログインしてきていじっていいよ。照合不一致なら、denyする。ってかんじか。ちなみにログインユーザーは秘密鍵を作成するときに公開鍵も一緒につくっちゃってるらしいので、この公開鍵を鯖に送っておいて(公開鍵をauthorized_keysとして送る)、鯖がログインユーザごとのハッシュ値を生成するときに使用すれば、ハッシュ値をマッチングする際にご本人様であることを証明できるのかな。。rootユーザー以外にもユーザー作っておこうかな。

参考文献よんで感じたことがまちがっていたこと

以下の考え方が正しい。気づけてよかった。


SSH公開鍵認証
 
ゼロからはじめるLinuxサーバー構築・運用ガイド 動かしながら学ぶWebサーバーの作り方  

まえがき

仕事ではwindowsでteratermから鯖に接続しているけど、sshという技術を使って接続しているぐらいの理解。dockerコンテナ内でもそういうのつくってみよとおもった。自動化したかったけど、今のシェル力では実現できなかった。

フォルダ構成

ssh3フォルダは用意していない、めんどくさくなってしまった。

コード表示

[oracle@centos tadan]$ tree
.
├── Dockerfile
├── Makefile
├── docker-compose.yml
├── share
│   ├── ssh1
│   └── ssh2
└── tmpl
    └── a.sh

4 directories, 4 files

権限整備

dockerホストで

コード表示

[oracle@centos tadan]$ sudo chown -R oracle:docker share
[oracle@centos tadan]$ sudo chown -R oracle:docker tmpl
[oracle@centos tadan]$ ll
合計 20
-rw-r--r--. 1 oracle docker  531  5月 11 16:33 Dockerfile
-rw-r--r--. 1 oracle docker   58  5月 11 13:25 Makefile
-rw-r--r--. 1 oracle docker  962  5月 11 16:25 docker-compose.yml
drwxr-xr-x. 4 oracle docker 4096  5月 11 16:08 share
drwxr-xr-x. 2 oracle docker 4096  5月 11 16:19 tmpl

Dockerfile

oracleユーザーでログインするようにすると、権限まわりであぁとなるので、デフぉのrootで。suしてもだめだった気がする。

コード表示

[oracle@centos tadan]$ cat D*
FROM centos:latest

RUN yum install -y iputils \
yum install -y net-tools \
yum install -y iproute \
yum install -y vim \
yum install -y tree \
yum install -y lsof \
yum install -y expect \
yum install -y openssh-server \
yum install -y openssh-clients

ENV TZ='Asia/Tokyo'

RUN groupadd -g 1001 docker
RUN useradd -m -g docker -u 1000 oracle

RUN echo 'ORACLE_PWD' | passwd --stdin oracle
RUN echo 'ORACLE_PWD' | passwd --stdin root

RUN mkdir -p /home/oracle/.ssh

#USER oracle
#WORKDIR /home/oracle
EXPOSE 20
CMD ["/sbin/init"]

Makefile

エイリアス

コード表示

[oracle@centos tadan]$ cat M*
CMD=docker-compose
up:
	@$(CMD) up -d
down:
	@$(CMD) down

docker-compose.yml

ssh3コンテナは今回は起動しない。

コード表示

[oracle@centos tadan]$ docker --version
Docker version 18.09.5, build e8ff056
[oracle@centos tadan]$ cat d*
version: '3.7'
services:
  ssh_saba1:
    image: centos_ssh
    container_name: ssh1
    #command: bash -c "ehoc hoge"
    privileged: true
    volumes:
      -  /home/oracle/tadan/share/ssh1:/home/oracle/.ssh
      -  /home/oracle/tadan/tmpl:/home/oracle/.ssh/tmpl
    networks:
      ssh_net:
        ipv4_address: 192.168.100.101
    ports:
      - '1:22'
  ssh_saba2:
    image: centos_ssh
    container_name: ssh2
    #command: bash -c "echo hoge"
    privileged: true
    volumes:
      -  /home/oracle/tadan/share/ssh2:/home/oracle/.ssh
      -  /home/oracle/tadan/tmpl:/home/oracle/.ssh/tmpl
    networks:
      ssh_net:
        ipv4_address: 192.168.100.102
    ports:
      - '2:22'
#  ssh_saba3:
#    image: centos_ssh
#    container_name: ssh3
#    #command: bash -c "echo hoge"
#    privileged: true
#    volumes:
#      -  /home/oracle/tadan/share/ssh3:/home/oracle/.ssh
#      -  /home/oracle/tadan/tmpl:/home/oracle/.ssh/tmpl
#    networks:
#      ssh_net:
#        ipv4_address: 192.168.100.103
#    ports:
#      - '3:22'
networks:
  ssh_net:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 192.168.100.0/24

a.sh

コンテナ内でkickするやつ。sshの公開鍵と秘密鍵をコンテナ単位で作成。expectコマンド使って自動化しようとした名残だけある。

コード表示

[oracle@centos tadan]$ cat t*/a*
#!/bin/bash
PWD=""
expect -c "
spawn ssh-keygen -t rsa
expect \"Enter\"
send \"${PWD}\n\"
expect \"Enter\"
send \"${PWD}\n\"
expect \"Enter\"
send \"${PWD}\n\"
expect \"\\\$\"
exit 0
"

centos_sshイメージの作成

dockerfileでマルチステージング機能あるぽくて、サイズ圧縮できるってどっかで見て試したけど、うまく使いこなせなかった。

コード表示

[oracle@centos tadan]$ docker build -t centos_ssh .
[oracle@centos tadan]$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
centos_ssh          latest              43f44c1e64a5        11 seconds ago      360MB
centos              latest              9f38484d220f        8 weeks ago         202MB

コンテナ起動前ネットワーク確認

ネットワークすき

コード表示

[oracle@centos tadan]$ brctl show
bridge name	bridge id		STP enabled	interfaces
docker0		8000.0242818de210	no		
virbr0		8000.5254006a2171	yes		virbr0-nic
[oracle@centos tadan]$ ip a show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:d8:61:2c:f1:5b brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.109/24 brd 192.168.1.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::ccc0:20d4:3aed:ca75/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: virbr0:  mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:6a:21:71 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
4: virbr0-nic:  mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000
    link/ether 52:54:00:6a:21:71 brd ff:ff:ff:ff:ff:ff
6: docker0:  mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:81:8d:e2:10 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:81ff:fe8d:e210/64 scope link 
       valid_lft forever preferred_lft forever


[oracle@centos tadan]$ sudo iptables -t nat -L -n | grep -A 10 "Chain POSTROUTING"
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0           
RETURN     all  --  192.168.122.0/24     224.0.0.0/24        
RETURN     all  --  192.168.122.0/24     255.255.255.255     
MASQUERADE  tcp  --  192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
MASQUERADE  udp  --  192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
MASQUERADE  all  --  192.168.122.0/24    !192.168.122.0/24    
POSTROUTING_direct  all  --  0.0.0.0/0            0.0.0.0/0           
POSTROUTING_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
POSTROUTING_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           

コンテナ起動

makeコマンドで。

コード表示

[oracle@centos tadan]$ docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
[oracle@centos tadan]$ make up
Creating network "tadan_ssh_net" with driver "bridge"
Creating ssh1 ... done
Creating ssh2 ... done
[oracle@centos tadan]$ docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS                       NAMES
4f8438a2804d        centos_ssh          "/sbin/init"        3 minutes ago       Up 3 minutes        20/tcp, 0.0.0.0:2->22/tcp   ssh2
6a3e6a11fc2e        centos_ssh          "/sbin/init"        3 minutes ago       Up 3 minutes        20/tcp, 0.0.0.0:1->22/tcp   ssh1

コンテナ起動後ネットワーク確認

docker0のIFは使われていない。独自に定義したbridgeルータにコンテナは接続している。

コード表示

[oracle@centos tadan]$ brctl show
bridge name	bridge id		STP enabled	interfaces
br-c37740979afc		8000.0242636f83e9	no		veth0e21071
							veth75a278d
docker0		8000.0242818de210	no		
virbr0		8000.5254006a2171	yes		virbr0-nic
[oracle@centos tadan]$ ip a show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:d8:61:2c:f1:5b brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.109/24 brd 192.168.1.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::ccc0:20d4:3aed:ca75/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: virbr0:  mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:6a:21:71 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
4: virbr0-nic:  mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000
    link/ether 52:54:00:6a:21:71 brd ff:ff:ff:ff:ff:ff
6: docker0:  mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:81:8d:e2:10 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:81ff:fe8d:e210/64 scope link 
       valid_lft forever preferred_lft forever
358: br-c37740979afc:  mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:63:6f:83:e9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.1/24 brd 192.168.100.255 scope global br-c37740979afc
       valid_lft forever preferred_lft forever
    inet6 fe80::42:63ff:fe6f:83e9/64 scope link 
       valid_lft forever preferred_lft forever
360: veth75a278d@if359:  mtu 1500 qdisc noqueue master br-c37740979afc state UP group default 
    link/ether 32:55:ae:38:be:ed brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::3055:aeff:fe38:beed/64 scope link 
       valid_lft forever preferred_lft forever
362: veth0e21071@if361:  mtu 1500 qdisc noqueue master br-c37740979afc state UP group default 
    link/ether 02:b8:bf:1a:82:a9 brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 fe80::b8:bfff:fe1a:82a9/64 scope link 
       valid_lft forever preferred_lft forever


[oracle@centos tadan]$ sudo iptables -t nat -L -n | grep -A 10 "Chain POSTROUTING"
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  192.168.100.0/24     0.0.0.0/0           
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0           
RETURN     all  --  192.168.122.0/24     224.0.0.0/24        
RETURN     all  --  192.168.122.0/24     255.255.255.255     
MASQUERADE  tcp  --  192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
MASQUERADE  udp  --  192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
MASQUERADE  all  --  192.168.122.0/24    !192.168.122.0/24    
POSTROUTING_direct  all  --  0.0.0.0/0            0.0.0.0/0           
POSTROUTING_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           

a.shをキック

コンテナごとに公開鍵と秘密鍵を作成。これが面倒。su oracle忘れそう。。

コード表示

[oracle@centos tadan]$ docker exec -it ssh1 /bin/bash
[root@6a3e6a11fc2e /]# whoami
root
[root@6a3e6a11fc2e /]# id
uid=0(root) gid=0(root) groups=0(root)
[root@6a3e6a11fc2e ~]# su oracle
[oracle@6a3e6a11fc2e root]$ cd ~ && pwd
/home/oracle
[oracle@6a3e6a11fc2e ~]$ cd .ssh
[oracle@6a3e6a11fc2e .ssh]$ ll
total 4
drwxr-xr-x. 2 oracle docker 4096 May 11 16:19 tmpl
[oracle@6a3e6a11fc2e .ssh]$ cd tmpl
[oracle@6a3e6a11fc2e tmpl]$ ll
total 4
-rwxr-xr-x. 1 oracle docker 185 May 11 16:13 a.sh
[oracle@6a3e6a11fc2e tmpl]$ id
uid=1000(oracle) gid=1001(docker) groups=1001(docker)
[oracle@6a3e6a11fc2e tmpl]$ ./a.sh
spawn ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/oracle/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/oracle/.ssh/id_rsa.
Your public key has been saved in /home/oracle/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:qq8h9ksNyw0iBJMkC6MTkyv4lWoxMptVYB/kzKZ143w oracle@6a3e6a11fc2e
The key's randomart image is:
+---[RSA 2048]----+
|X+ooo            |
|BB =..           |
|=o .B.o          |
|B.++o+ .         |
|oBo=o o E        |
|o.+o * o         |
| .o = +          |
| . + o           |
|    =+.          |
+----[SHA256]-----+
[oracle@6a3e6a11fc2e tmpl]$ cd -
/home/oracle/.ssh
[oracle@6a3e6a11fc2e .ssh]$ ll
total 12
-rw-------. 1 oracle docker 1679 May 11 17:32 id_rsa
-rw-r--r--. 1 oracle docker  401 May 11 17:32 id_rsa.pub
drwxr-xr-x. 2 oracle docker 4096 May 11 16:19 tmpl
[oracle@6a3e6a11fc2e .ssh]$ exit
[root@6a3e6a11fc2e ~]# exit
[oracle@centos tadan]$ docker exec -it ssh2 /bin/bash
[root@4f8438a2804d /]# whoami
root
[root@4f8438a2804d /]# id
uid=0(root) gid=0(root) groups=0(root)
[root@4f8438a2804d /]# su oracle
[oracle@4f8438a2804d /]$ whoami
oracle
[oracle@4f8438a2804d /]$ id
uid=1000(oracle) gid=1001(docker) groups=1001(docker)
[oracle@4f8438a2804d /]$ cd ~ && pwd
/home/oracle
[oracle@4f8438a2804d ~]$ cd .ssh
[oracle@4f8438a2804d .ssh]$ ll
total 4
drwxr-xr-x. 2 oracle docker 4096 May 11 16:19 tmpl
[oracle@4f8438a2804d .ssh]$ cd tmpl
[oracle@4f8438a2804d tmpl]$ ll
total 4
-rwxr-xr-x. 1 oracle docker 185 May 11 16:13 a.sh
[oracle@4f8438a2804d tmpl]$ ./a.sh
spawn ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/oracle/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/oracle/.ssh/id_rsa.
Your public key has been saved in /home/oracle/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:a7sPCgRI/k9/g8S8xn/bxI7OrvdFttxbFwuDTqL83Ys oracle@4f8438a2804d
The key's randomart image is:
+---[RSA 2048]----+
| .               |
|o.               |
|...              |
|  ..  o     .    |
|   ... +S. o o + |
|   .o = +.+ . * =|
|    .. O+o . o =+|
|     ..o+o+oB . +|
|      . o*BEo*.. |
+----[SHA256]-----+
[oracle@4f8438a2804d tmpl]$ cd -
/home/oracle/.ssh
[oracle@4f8438a2804d .ssh]$ ll
total 12
-rw-------. 1 oracle docker 1675 May 11 17:33 id_rsa
-rw-r--r--. 1 oracle docker  401 May 11 17:33 id_rsa.pub
drwxr-xr-x. 2 oracle docker 4096 May 11 16:19 tmpl
[oracle@4f8438a2804d .ssh]$ exit
[root@4f8438a2804d /]# exit

dockerホストでauthorized_keysを作成

コンテナごとの公開鍵を互いに配布。

コード表示

[oracle@centos tadan]$ tree
.
├── Dockerfile
├── Makefile
├── docker-compose.yml
├── share
│   ├── ssh1
│   │   ├── id_rsa
│   │   ├── id_rsa.pub
│   │   └── tmpl
│   └── ssh2
│       ├── id_rsa
│       ├── id_rsa.pub
│       └── tmpl
└── tmpl
    └── a.sh

6 directories, 8 files
[oracle@centos tadan]$ cp ./share/ssh1/id_rsa.pub ./share/ssh2/authorized_keys
[oracle@centos tadan]$ diff ./share/ssh1/id_rsa.pub ./share/ssh2/authorized_keys
[oracle@centos tadan]$ tree
.
├── Dockerfile
├── Makefile
├── docker-compose.yml
├── share
│   ├── ssh1
│   │   ├── id_rsa
│   │   ├── id_rsa.pub
│   │   └── tmpl
│   └── ssh2
│       ├── authorized_keys
│       ├── id_rsa
│       ├── id_rsa.pub
│       └── tmpl
└── tmpl
    └── a.sh

6 directories, 9 files
[oracle@centos tadan]$ cp ./share/ssh2/id_rsa.pub ./share/ssh1/authorized_keys
[oracle@centos tadan]$ diff ./share/ssh2/id_rsa.pub ./share/ssh1/authorized_keys
[oracle@centos tadan]$ tree
.
├── Dockerfile
├── Makefile
├── docker-compose.yml
├── share
│   ├── ssh1
│   │   ├── authorized_keys
│   │   ├── id_rsa
│   │   ├── id_rsa.pub
│   │   └── tmpl
│   └── ssh2
│       ├── authorized_keys
│       ├── id_rsa
│       ├── id_rsa.pub
│       └── tmpl
└── tmpl
    └── a.sh

6 directories, 10 files

sshdサービス起動確認

コード表示

[oracle@centos tadan]$ docker exec -it ssh1 /bin/bash
[root@6a3e6a11fc2e /]# systemctl status sshd.service
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2019-05-11 17:19:39 JST; 18min ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 1794 (sshd)
   CGroup: /docker/6a3e6a11fc2e4d26e1c0d521f6a1cee66c28352f71820538e4ceb18d06b95286/system.slice/sshd.service
           └─1794 /usr/sbin/sshd -D
           ‣ 1794 /usr/sbin/sshd -D

May 11 17:19:39 6a3e6a11fc2e systemd[1]: Starting OpenSSH server daemon...
May 11 17:19:39 6a3e6a11fc2e sshd[1794]: Server listening on 0.0.0.0 port 22.
May 11 17:19:39 6a3e6a11fc2e sshd[1794]: Server listening on :: port 22.
May 11 17:19:39 6a3e6a11fc2e systemd[1]: Started OpenSSH server daemon.
[root@6a3e6a11fc2e /]# lsof -i:22 -P
COMMAND  PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
sshd    1794 root    3u  IPv4 1670476      0t0  TCP *:22 (LISTEN)
sshd    1794 root    4u  IPv6 1670485      0t0  TCP *:22 (LISTEN)
[root@6a3e6a11fc2e /]# exit
[oracle@centos tadan]$ docker exec -it ssh2 /bin/bash
[root@4f8438a2804d /]# systemctl status sshd.service
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2019-05-11 17:19:40 JST; 18min ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 1915 (sshd)
   CGroup: /docker/4f8438a2804da37b2b2334f4982bd58c8eb310402a9765991eb667d79988d75e/system.slice/sshd.service
           └─1915 /usr/sbin/sshd -D
           ‣ 1915 /usr/sbin/sshd -D

May 11 17:19:39 4f8438a2804d systemd[1]: Starting OpenSSH server daemon...
May 11 17:19:40 4f8438a2804d sshd[1915]: Server listening on 0.0.0.0 port 22.
May 11 17:19:40 4f8438a2804d sshd[1915]: Server listening on :: port 22.
May 11 17:19:40 4f8438a2804d systemd[1]: Started OpenSSH server daemon.
[root@4f8438a2804d /]# lsof -i:22 -P
COMMAND  PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
sshd    1915 root    3u  IPv4 1671407      0t0  TCP *:22 (LISTEN)
sshd    1915 root    4u  IPv6 1671409      0t0  TCP *:22 (LISTEN)

ssh1からssh2のrootユーザーへログイン

できた

コード表示

[oracle@centos tadan]$ docker exec -it ssh1 /bin/bash
[root@6a3e6a11fc2e /]# ssh root@ssh2 
The authenticity of host 'ssh2 (192.168.100.102)' can't be established.
ECDSA key fingerprint is SHA256:YLGhVCPZjqdyU07cP241x2pJiuWc6eG25aAbrruLxdg.
ECDSA key fingerprint is MD5:14:c5:03:e2:e4:93:7f:99:b7:4b:3b:c3:df:78:5e:c4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ssh2,192.168.100.102' (ECDSA) to the list of known hosts.
root@ssh2's password: 
[root@4f8438a2804d ~]# whoami
root
[root@4f8438a2804d ~]# id
uid=0(root) gid=0(root) groups=0(root)
[root@4f8438a2804d ~]# ip a show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
361: eth0@if362:  mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:c0:a8:64:66 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.100.102/24 brd 192.168.100.255 scope global eth0
       valid_lft forever preferred_lft forever
[root@4f8438a2804d ~]# logout
Connection to ssh2 closed.

ssh1からssh2のoracleユーザーへログイン

できた

コード表示

[root@6a3e6a11fc2e /]# ssh oracle@192.168.100.102
oracle@192.168.100.102's password: 
Last login: Sat May 11 08:32:54 2019
[oracle@4f8438a2804d ~]$ whoami
oracle
[oracle@4f8438a2804d ~]$ id
uid=1000(oracle) gid=1001(docker) groups=1001(docker)
[oracle@4f8438a2804d ~]$ ip a show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
361: eth0@if362:  mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:c0:a8:64:66 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.100.102/24 brd 192.168.100.255 scope global eth0
       valid_lft forever preferred_lft forever

[oracle@4f8438a2804d ~]$ logout
Connection to 192.168.100.102 closed.
[root@6a3e6a11fc2e /]# exit

ssh2からssh1のrootユーザーへログイン

できた

コード表示

[oracle@centos tadan]$ docker exec -it ssh2 /bin/bash
[root@4f8438a2804d /]# ssh root@ssh1
The authenticity of host 'ssh1 (192.168.100.101)' can't be established.
ECDSA key fingerprint is SHA256:m9E3P8+t6PNN7QQ1QHaq7xn2zdOWJ36pNBfogyP0QEk.
ECDSA key fingerprint is MD5:5a:f2:d3:9d:75:4e:b4:1d:28:3e:d5:9c:9e:4e:48:3b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ssh1,192.168.100.101' (ECDSA) to the list of known hosts.
root@ssh1's password: 
[root@6a3e6a11fc2e ~]# whoami
root
[root@6a3e6a11fc2e ~]# id
uid=0(root) gid=0(root) groups=0(root)
[root@6a3e6a11fc2e ~]# ip a show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
359: eth0@if360:  mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:c0:a8:64:65 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.100.101/24 brd 192.168.100.255 scope global eth0
       valid_lft forever preferred_lft forever
[root@6a3e6a11fc2e ~]# logout
Connection to ssh1 closed.

ssh2からssh1のoracleユーザーへログイン

できた

コード表示

[root@4f8438a2804d /]# ssh oracle@192.168.100.101
oracle@192.168.100.101's password: 
Last login: Sat May 11 08:30:13 2019
[oracle@6a3e6a11fc2e ~]$ whoami
oracle
[oracle@6a3e6a11fc2e ~]$ id
uid=1000(oracle) gid=1001(docker) groups=1001(docker)
[oracle@6a3e6a11fc2e ~]$ ip a show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
359: eth0@if360:  mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:c0:a8:64:65 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.100.101/24 brd 192.168.100.255 scope global eth0
       valid_lft forever preferred_lft forever
[oracle@6a3e6a11fc2e ~]$ logout
Connection to 192.168.100.101 closed.
[root@4f8438a2804d /]# exit

あとがき

sshの練習になった。コンテナ名の色とコンテナの名前をおしゃれにしたい。以上、ありがとうございました。

docker compose最新版いんすと

コマンド

コード表示

sudo curl -L https://github.com/docker/compose/releases/download/$(curl https://api.github.com/repos/docker/compose/releases/latest | jq .name -r)/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose && sudo chmod +x /usr/local/bin/docker-compose

[oracle@centos bin]$ docker-compose --version
docker-compose version 1.24.0, build 0aa59064