SSH error: cannot bind any address when using any user other than root in an Alpine Linux container


I want to be able to start a Docker container as a user other than root and be able to ssh into it. When I start sshd as root, I can log in. When I switch it to start the container as another user and then try to ssh in as that user, I get the errors "Cannot bind any address." and "Bind to port 22 on :: failed: Permission denied.".

I have already set the other user up with root privileges, but it still does not work.

Note that I am trying to get this working in Alpine Linux and to use it as a Fargate task: when Fargate first connects to the container it immediately passes in a public key, which is placed into the authorized keys file behind the scenes. I have also made sure that Fargate sshes in as the other user, in case that was where it failed. In the example below I have set it to ernie. When I set the user to root in the files below and change the Fargate code to use root as the user, I can get into the container fine. Setting it to ernie is where I get the error.

My Dockerfile:

FROM alpine:latest

# Set the name of the user we want to use
ENV LOGINUSER="ernie"

# ------------------------------------------------------------------------------------------------#
# Install and configure sshd.                                                                      #
# https://www.cyberciti.biz/faq/how-to-install-openssh-server-on-alpine-linux-including-docker/   #
# https://docs.docker.com/engine/examples/running_ssh_service for reference.                      #
# ------------------------------------------------------------------------------------------------#
RUN apk add --no-cache openssh-server bash shadow sudo \
    && mkdir -p /var/run/sshd

RUN adduser --disabled-password --gecos "" $LOGINUSER
# https://ostechnix.com/add-delete-and-grant-sudo-privileges-to-users-in-alpine-linux/
RUN echo '%wheel ALL=(ALL) ALL' > /etc/sudoers.d/wheel
RUN adduser $LOGINUSER wheel

RUN cat /etc/ssh/sshd_config && echo "AllowUsers $LOGINUSER" >> /etc/ssh/sshd_config
RUN echo "$LOGINUSER ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/$LOGINUSER
# 0440 belongs on the drop-in files, not on the directory (sudo must still be able to traverse it)
RUN chmod 0440 /etc/sudoers.d/wheel /etc/sudoers.d/$LOGINUSER
#RUN echo 'PasswordAuthentication yes' >> /etc/ssh/sshd_config

RUN echo 'root:dummy_passwd'|chpasswd

EXPOSE 22

# change ownership of /etc/ssh to the user we want to use
RUN sudo chown -R $LOGINUSER /etc/ssh
RUN sudo chown -R $LOGINUSER /run

####################CREATE CUSTOM SSHD CONFIG ###########################
RUN mkdir /opt/custom_ssh
RUN chmod -R 777 /opt/custom_ssh/

# Need to chown to allow ernie access - remove for root to work again
RUN chown -R $LOGINUSER:$LOGINUSER /opt/custom_ssh

USER $LOGINUSER
RUN ssh-keygen -f /opt/custom_ssh/ssh_host_rsa_key -N '' -t rsa
# DSA host keys are disabled in current OpenSSH builds (the original used -t dsa), so use ed25519
RUN ssh-keygen -f /opt/custom_ssh/ssh_host_ed25519_key -N '' -t ed25519
# Note: the custom sshd_config below has no HostKey lines, so sshd uses the /etc/ssh keys from ssh-keygen -A

# This creates the keys in 
RUN ssh-keygen -A

RUN echo 'Port 22' >> /opt/custom_ssh/sshd_config
RUN echo 'AuthorizedKeysFile  /opt/custom_ssh/authorized_keys' >> /opt/custom_ssh/sshd_config
RUN echo 'Subsystem       sftp    /usr/lib/ssh/sftp-server' >> /opt/custom_ssh/sshd_config
RUN echo 'X11Forwarding no' >> /opt/custom_ssh/sshd_config
RUN echo 'GatewayPorts no' >> /opt/custom_ssh/sshd_config
RUN echo 'AllowTcpForwarding no' >> /opt/custom_ssh/sshd_config
RUN echo 'StrictModes no'  >> /opt/custom_ssh/sshd_config
RUN echo 'PubkeyAcceptedKeyTypes +ssh-rsa'  >> /opt/custom_ssh/sshd_config
RUN echo 'PubkeyAuthentication yes'  >> /opt/custom_ssh/sshd_config

RUN chmod 644 /opt/custom_ssh/sshd_config

USER $LOGINUSER

ENTRYPOINT ["/docker-entrypoint.sh"]

My docker-entrypoint.sh file:

#!/bin/sh

# Needed for Fargate connection
setUpSSH() {
    echo "DEBUG - I am in the setUpSSh function"
    echo "DEBUG - the public key passed in is $SSH_PUBLIC_KEY"
    # Block the container to start without an SSH public key.
    if [ -z "$SSH_PUBLIC_KEY" ]; then
        echo 'Need your SSH public key as the SSH_PUBLIC_KEY environment variable.'
        exit 1
    fi

    # Create a folder to store user's SSH keys if it does not exist.
    USER_SSH_KEYS_FOLDER=/opt/custom_ssh
    [ ! -d "${USER_SSH_KEYS_FOLDER}" ] && mkdir -p "${USER_SSH_KEYS_FOLDER}"

    # Copy contents from the `SSH_PUBLIC_KEY` environment variable
    # to the `$USER_SSH_KEYS_FOLDER/authorized_keys` file.
    # The environment variable must be set when the container starts.
    echo "${SSH_PUBLIC_KEY}" > "${USER_SSH_KEYS_FOLDER}/authorized_keys"
    echo "DEBUG - contents of ${USER_SSH_KEYS_FOLDER}/authorized_keys:"
    cat "${USER_SSH_KEYS_FOLDER}/authorized_keys"
    # Clear the `SSH_PUBLIC_KEY` environment variable.
    unset SSH_PUBLIC_KEY
}

setUpSSH


# Start the SSH daemon
/usr/sbin/sshd -D -e -f /opt/custom_ssh/sshd_config

#exec "$@"

Answer 1

Only root can bind to ports below 1024. But there is no reason your ssh daemon has to listen on port 22. You can configure it to listen on any other port > 1024 (2222 is common for SSH in this use case).

If your clients really must connect on port 22, then you just map external port 22 to internal port 2222 in the ECS task definition. See "Port mappings" here: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html
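An added example (not code from the question or the answer): a POSIX sh helper for docker-entrypoint.sh that checks the custom sshd_config for privileged ports before sshd is launched as the unprivileged container user, and rewrites the Port directive to 2222 as the answer suggests. It assumes the /opt/custom_ssh/sshd_config layout of the question; the external 22 to 2222 mapping still has to be done in the ECS task definition.

```shell
#!/bin/sh
# Added example (not from the question or the answer): guard the start of sshd
# in docker-entrypoint.sh so that a non-root container user never tries to bind
# a privileged port. Assumes the /opt/custom_ssh/sshd_config layout of the question.

# Print every Port value in an sshd_config, one per line (sshd defaults to 22
# when the directive is absent). Keywords are case-insensitive, hence tolower.
sshd_ports() {
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    if [ -n "$ports" ]; then echo "$ports"; else echo 22; fi
}

# Return 0 when a process with uid $2 may bind every port listed in config $1.
# Only uid 0 may bind ports below 1024; that is the "Permission denied" from
# the question when sshd runs as ernie with "Port 22".
ports_bindable() {
    cfg=$1; uid=$2
    [ "$uid" -eq 0 ] && return 0
    for p in $(sshd_ports "$cfg"); do
        [ "$p" -ge 1024 ] || return 1
    done
    return 0
}

# Rewrite (or append) the Port directive so an unprivileged sshd can start.
# With Port 2222 the ECS task definition maps host port 22 to container port 2222.
set_sshd_port() {
    cfg=$1; port=$2
    awk -v p="$port" '
        tolower($1) == "port" { print "Port " p; seen = 1; next }
        { print }
        END { if (!seen) print "Port " p }' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Typical use in docker-entrypoint.sh, before launching sshd as $LOGINUSER:
#   set_sshd_port /opt/custom_ssh/sshd_config 2222
#   ports_bindable /opt/custom_ssh/sshd_config "$(id -u)" || exit 1
#   /usr/sbin/sshd -D -e -f /opt/custom_ssh/sshd_config
```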
