在使用sshd docker 镜像时, 发现一个比较诡异的问题, 有些启动的容器可以连接, 有些不能.
例如 : 
启动2个容器(这两个容器都有问题) : 
[root@localhost ~]# docker run -d --name di digoal/sshd_ceph:giant
[root@localhost ~]# docker run -d --name da digoal/sshd
这两个容器的CMD如下 : 
[root@localhost ~]# docker inspect -f '{{.Config.Cmd}}' da
[/usr/sbin/sshd -D]
[root@localhost ~]# docker inspect -f '{{.Config.Cmd}}' di
[/usr/sbin/sshd -D]
查看他们的IP
[root@localhost ~]# docker inspect -f '{{.NetworkSettings.IPAddress}}' di
172.17.0.7
[root@localhost ~]# docker inspect -f '{{.NetworkSettings.IPAddress}}' da
172.17.0.8
 
使用ssh客户端连接, 被拒绝.
[root@localhost ~]# ssh 172.17.0.8
root@172.17.0.8's password: 
Last login: Tue Dec 16 20:22:12 2014 from 172.17.42.1
Connection to 172.17.0.8 closed.
 
[root@localhost ~]# ssh 172.17.0.7
root@172.17.0.7's password: 
Last login: Tue Dec 16 20:21:58 2014 from 172.17.42.1
Connection to 172.17.0.7 closed.
 
排错, 先删除这两个容器 : 
[root@localhost ~]# docker stop di
di
[root@localhost ~]# docker stop da
da
[root@localhost ~]# docker rm da
da
[root@localhost ~]# docker rm di
di
排错时, 使用交互模式打开容器, 使用/bin/bash覆盖/usr/sbin/sshd -D. 并将sshd日志输出到挂载在宿主机的/tmp目录.
[root@localhost ~]# docker run --rm -t -i --name=da --volume=/tmp:/data01 digoal/sshd_ceph:giant /bin/bash
[root@f563c0940d2b /]# /usr/sbin/sshd -D -E /data01/sshd.log
查看容器IP
[root@localhost tmp]# docker inspect -f '{{.NetworkSettings.IPAddress}}' da
172.17.0.11
使用SSH客户端连接这个容器, 同样被退出.
[root@localhost tmp]# ssh 172.17.0.11
The authenticity of host '172.17.0.11 (172.17.0.11)' can't be established.
ECDSA key fingerprint is db:5c:6b:2a:bc:9e:3e:31:24:1b:c0:8d:5f:96:f2:e0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.17.0.11' (ECDSA) to the list of known hosts.
root@172.17.0.11's password: 
Last login: Tue Dec  9 15:20:36 2014 from 172.17.42.1
Connection to 172.17.0.11 closed.
 
查看容器的sshd日志如下, 原因找到了. : 
[root@localhost tmp]# cat /tmp/sshd.log 
Server listening on 0.0.0.0 port 22.
Server listening on :: port 22.
Accepted password for root from 172.17.42.1 port 41153 ssh2
PAM: pam_open_session(): Cannot make/remove an entry for the specified session
Received disconnect from 172.17.42.1: 11: disconnected by user
 
解决办法1, 修改/etc/pam.d/sshd  : 
[root@f563c0940d2b /]# /usr/sbin/sshd -D -E /data01/sshd.log
^C
注释如下
[root@f563c0940d2b /]# vi /etc/pam.d/sshd 
#session    required     pam_loginuid.so
现在可以连接了
[root@localhost tmp]# ssh 172.17.0.11
root@172.17.0.11's password: 
Last login: Tue Dec 16 20:28:15 2014 from 172.17.42.1
[root@f563c0940d2b ~]# 
 
解决办法2, 使用超级权限启动容器 : 
[root@f563c0940d2b /]# exit
exit
[root@localhost ~]# docker run --rm -t -i --name=da --privileged=true --volume=/tmp:/data01 digoal/sshd_ceph:giant /bin/bash
[root@44e686983f3a /]# /usr/sbin/sshd -D -E /data01/sshd.log
 
[root@localhost tmp]# docker inspect -f '{{.NetworkSettings.IPAddress}}' da
172.17.0.13
正常连接 : 
[root@localhost tmp]# ssh 172.17.0.13
The authenticity of host '172.17.0.13 (172.17.0.13)' can't be established.
ECDSA key fingerprint is db:5c:6b:2a:bc:9e:3e:31:24:1b:c0:8d:5f:96:f2:e0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.17.0.13' (ECDSA) to the list of known hosts.
root@172.17.0.13's password: 
Last login: Tue Dec  9 15:20:36 2014 from 172.17.42.1
[root@44e686983f3a ~]# 
[root@44e686983f3a ~]# cat /etc/pam.d/sshd |grep pam_loginuid
session    required     pam_loginuid.so
 
最后, 建议在创建sshd镜像时, 就将session    required     pam_loginuid.so注释掉. 
那么以后使用这个镜像启动容器, 就不会出现文章开头的问题了.
 

[参考]

1. man docker-run
       --privileged=true|false Give extended privileges to this container.  By default,  Docker  containers  are  “unprivileged”
       (=false)  and  cannot,  for  example, run a Docker daemon inside the Docker container.  This is because by default a con‐
       tainer is not allowed to access any devices.  A “privileged” container is given access to all devices.
 
       When the operator executes docker run --privileged, Docker will enable access to all devices on the host as well  as  set
       some configuration in AppArmor to allow the container nearly all the same access to the host as processes running outside
       of a container on the host.
2. man sshd_config
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
#UsePAM no
UsePAM yes
 
     UsePAM  Enables the Pluggable Authentication Module interface.  If set to “yes” this will enable PAM authentication using
             ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing
             for all authentication types.
 
             Because PAM challenge-response authentication usually serves an equivalent role to password authentication, you
             should disable either PasswordAuthentication or ChallengeResponseAuthentication.
 
             If UsePAM is enabled, you will not be able to run sshd(8) as a non-root user.  The default is “no”.

docker sshd image problem, session required pam_loginuid.so, cann't login的更多相关文章

  1. Spring Boot(十一)Redis集成从Docker安装到分布式Session共享

    一.简介 Redis是一个开源的使用ANSI C语言编写.支持网络.可基于内存亦可持久化的日志型.Key-Value数据库,并提供多种语言的API,Redis也是技术领域使用最为广泛的存储中间件,它是 ...

  2. docker no permmition problem

    resolved by: sudo docker run --privileged ....

  3. mvc ajax访问后台时session过期无法跳转到Login页面问题解决

    public class BaseController : Controller { protected User UserInfo { set { Session["UserInfo&qu ...

  4. Filter实现session超时自动跳转到login页,超过试用期不许登录

    新建一个过滤器 package com.autumn.filter; import com.autumn.pojo.Users; import javax.servlet.*; import java ...

  5. Centos7 Docker 多主机 容器互连--基于OVS

    来一张自己画的图,mark:2016年6月27日17:09:14 自己理解,如有错误 多谢指教. centos7, 部署OVS和docker.以及基于centos6.8的ssh images 命令. ...

  6. Centos上Docker 使用dockerfile构建容器实现ssh

    这几日在学习docker.遇到的问题数一年都数不完,网上大多数都是ubuntu的,百度或者谷歌的时候心好累.写写文档来帮助使用centos的docker爱好者们. docker基本操作这里就不介绍了 ...

  7. Docker SSH

    1. Dockerfile   -->docker build -t centos6-ssh https://git.oschina.net/feedao/Docker_shell/raw/st ...

  8. 搭建docker私有仓库,建立k8s集群

    服务器IP角色分布 192.168.5.2 etcd server 192.168.5.2 kubernetes master 192.168.5.3 kubernetes node 192.168. ...

  9. docker note

    docker --bip="10.1.42.1/16" -d 挂载宿主机目录 Docker支持挂载宿主机目录,支持宿主机目录和容器之间文件目录进行映射,彼此共享: docker r ...

随机推荐

  1. Ural 1519 Formula 1 插头DP

    这是一道经典的插头DP单回路模板题. 用最小表示法来记录连通性,由于二进制的速度,考虑使用8进制. 1.当同时存在左.上插头的时候,需要判断两插头所在连通块是否相同,若相同,只能在最后一个非障碍点相连 ...

  2. js异步处理工作机制(setTimeout, setInterval)

    经常谈到异步,但是发现自己一直没深入理解setTimeout, setInterval,逛论坛的时候发现了这篇好文章,分享一下. ————————————————————以下为原文—————————— ...

  3. input输入框限制输入英文,数字,汉字

    <h1>js验证输入框内容</h1><br /><br /> 只能输入英文<input type="text" onkeyup ...

  4. 采用FPGA实现音频模数转换器

    http://www.21ic.com/app/eda/200905/42832.htm http://www.eefocus.com/article/09-10/84673s.html 摘 要 简要 ...

  5. Digital Current-Mode Control Challenges Analog Counterparts

    http://electronicdesign.com/digital-ics/digital-current-mode-control-challenges-analog-counterparts ...

  6. 关闭OOMER

    http://www.cnblogs.com/itfriend/archive/2011/12/14/2287160.html http://blog.csdn.net/gugemichael/art ...

  7. loading(正在加载特效)

    <!DOCTYPE html> <html> <head lang="en"> <meta charset="UTF-8&quo ...

  8. redis的主从配置 扩容

    由于redis的集群功能没有完全编写好,见:http://redis.io/topics/cluster-spec 集群只有测试版的第8个版本redis3.0.0 见 http://redis.io/ ...

  9. 推荐一份 Google 面试指南

    经常有不少读者在我公众号后台留言,说自己还是应届毕业生,缺乏工作经验与项目经验,不知道如何才能通过面试? 其实,项目经验固然重要,但是企业也知道,对于应届毕业生,是很难有拿得出手的项目经验出来的,毕竟 ...

  10. android用jsonReader来解析json

    对于这个json: { "id" : "3232", "data" : [{ "data1" : "555&q ...