无法从 docker 主机 SSH 到 docker 容器

Question

我在 openstack 上创建了一个 docker 主机并启动了一个容器，其端口 22 映射到 docker 主机上的一个端口。关注此link 我仍然无法从 docker 主机 ssh 到容器。它给出了这个错误：

$> ssh -v root@172.17.0.9 -p 32775

OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to 172.17.0.9 [172.17.0.9] port 32775.
debug1: connect to address 172.17.0.9 port 32775: Connection refused
ssh: connect to host 172.17.0.9 port 32775: Connection refused

当我在 docker run 中使用 -P 选项时，默认情况下会添加 Iptables 规则。它看起来像这样：

$> iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0
MASQUERADE  tcp  --  172.17.0.3           172.17.0.3           tcp dpt:80
MASQUERADE  tcp  --  172.17.0.9           172.17.0.9           tcp dpt:22

Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9090 to:172.17.0.3:80
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:32775 to:172.17.0.9:22

容器看起来像：

$> docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                     PORTS                   NAMES
46111bb52063        sshns               "/usr/sbin/sshd -D"      9 hours ago         Up 3 hours                 0.0.0.0:32776->22/tcp   TestSSHcontainer

我需要 ssh 只是为了我的目的。我知道 docker exec 选项。在 sshd_config 和 ssh_config 上尝试了 PermitRootLogin yes 等 docker 主机和容器上的更改，但均未成功。

bash-4.2# /usr/sbin/sshd -Dd
WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several problems.
debug1: sshd version OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type ECDSA
debug1: private host key: #1 type 3 ECDSA
debug1: private host key: #2 type 4 ED25519
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-Dd'
Set /proc/self/oom_score_adj from 0 to -1000
debug1: Bind to port 22 on ::.
Bind to port 22 on :: failed: Address already in use.
debug1: Bind to port 22 on 0.0.0.0.
Bind to port 22 on 0.0.0.0 failed: Address already in use.
Cannot bind any address.

bash-4.2# netstat -anp | grep 22
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
bash-4.2# ps -eaf | grep ssh
root         1     0  0 19:17 ?        00:00:00 /usr/sbin/sshd -D
root        26    16  0 22:58 ?        00:00:00 grep ssh

我还缺少什么吗？

Answer 1

您使用的是容器的 ip，但使用的是容器的 host port mapping。尝试ssh -v root@172.17.0.9 或ssh -v root@localhost -p <port_mapping_on_host>（您的docker ps -a 显示您在主机上的移植映射是32776）