1. 创建目录，名字随意

mkdir dockfile

cd dockfile

2. 创建名字为Dockerfile的文件

touch Dockerfile

3. 编辑内容如下

FROM centos
MAINTAINER liufeng "liuf@geoscene.cn"RUN     /bin/echo  'root:123456'|chpasswd
RUN     useradd test
RUN     /bin/echo 'test:123456'|chpasswd
RUN     /bin/echo -e "LANG=\"en_US.UTF-8\"" >/etc/default/localRUN     /usr/bin/sed -i 's/mirrorlist=/#mirrorlist=/g' /etc/yum.repos.d/CentOS-Linux-AppStream.repo
RUN     /usr/bin/sed -i 's/#baseurl=/baseurl=/g' /etc/yum.repos.d/CentOS-Linux-AppStream.repo
RUN     /usr/bin/sed -i 's/mirror.centos.org/vault.centos.org/g' /etc/yum.repos.d/CentOS-Linux-AppStream.repoRUN     sed -i 's/mirrorlist=/#mirrorlist=/g' /etc/yum.repos.d/CentOS-Linux-BaseOS.repo
RUN     sed -i 's/#baseurl=/baseurl=/g' /etc/yum.repos.d/CentOS-Linux-BaseOS.repo
RUN     sed -i 's/mirror.centos.org/vault.centos.org/g' /etc/yum.repos.d/CentOS-Linux-BaseOS.repoRUN     sed -i 's/mirrorlist=/#mirrorlist=/g' /etc/yum.repos.d/CentOS-Linux-Extras.repo
RUN     sed -i 's/#baseurl=/baseurl=/g' /etc/yum.repos.d/CentOS-Linux-Extras.repo
RUN     sed -i 's/mirror.centos.org/vault.centos.org/g' /etc/yum.repos.d/CentOS-Linux-Extras.repoRUN     yum -y install openssh-server net-tools lsof telnet
RUN sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_configRUN ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_keyRUN ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_keyRUN ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtimeEXPOSE  22
EXPOSE  80CMD /usr/sbin/sshd -D

4. 执行docker build -t centos:sshd  . 

（实际该命令也是读取Dockerfile文件中的内容，发送给docker的服务端进程，然后创建container后，执行里面的各个指令后，使用docker commit后保存镜像，然后再自动删除container）

5. 查看创建好的镜像

docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
centos              sshd                bb3f612b4aab        16 minutes ago      277MB

6. 启动该镜像

docker run -P -d centos:sshd
7b9b21f834a7a3f20132c3e5c476299cd19ebf0de7d9d1a86c7933c01bde33bc

7. 查看container（由于启动使用了-P选项，所以随机选择了端口映射）

docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                                          NAMES
55e6f83d15ed        centos:sshd         "/bin/sh -c '/usr/sbâ¦"   39 seconds ago      Up 38 seconds       0.0.0.0:32794->22/tcp, 0.0.0.0:32793->80/tcp   clever_chatterjee

8. 从别的机器登录

C:\Users\admin>ssh root@192.168.100.138 -p 32794
The authenticity of host '[192.168.100.138]:32794 ([192.168.100.138]:32794)' can't be established.
RSA key fingerprint is SHA256:CcVVULJGCEJ/hacR1SqQj5RRQ2v+fRrSQPvSj4n7ksA.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.100.138]:32794' (RSA) to the list of known hosts.
root@192.168.100.138's password:
[root@55e6f83d15ed ~]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft forever
242: eth0@if243: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group defaultlink/ether 02:42:ac:11:00:07 brd ff:ff:ff:ff:ff:ff link-netnsid 0inet 172.17.0.7/16 brd 172.17.255.255 scope global eth0valid_lft forever preferred_lft forever

9. 原理

docker 使用iptables的nat进行ip和port的转换实现的，而且是在PREROUTING实现的

[root@bigdataserver docker]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCALChain INPUT (policy ACCEPT)
target     prot opt source               destinationChain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere            !loopback/8           ADDRTYPE match dst-type LOCALChain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  bogon/16             anywhere
MASQUERADE  all  --  bogon/16             anywhere
MASQUERADE  tcp  --  bogon                bogon                tcp dpt:commplex-main
MASQUERADE  tcp  --  bogon                bogon                tcp dpt:http
MASQUERADE  tcp  --  bogon                bogon                tcp dpt:ssh
MASQUERADE  tcp  --  bogon                bogon                tcp dpt:http
MASQUERADE  tcp  --  bogon                bogon                tcp dpt:sshChain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
DNAT       tcp  --  anywhere             anywhere             tcp dpt:filenet-nch to:172.17.0.3:5000
DNAT       tcp  --  anywhere             anywhere             tcp dpt:32791 to:172.17.0.6:80
DNAT       tcp  --  anywhere             anywhere             tcp dpt:32792 to:172.17.0.6:22
DNAT       tcp  --  anywhere             anywhere             tcp dpt:32793 to:172.17.0.7:80
DNAT       tcp  --  anywhere             anywhere             tcp dpt:32794 to:172.17.0.7:22

由于iptables的实现是在内核级别，所以虽然能看到docker-proxy进程会listen 32794端口，但是实际上使用strace监听该进程会发现不会有任何的系统调用在上面，并且杀掉该进行也不会影响链接。