【工具链】使用ssh+dialog指令设定服务器指定用户仅容器访问

## 1.ssh配置指定用户的访问指令

1.1. 安装ssh访问

```bash
sudo apt install openssh-server
```
1.2. 配置指定用户访问

```bash
# 修改配置文件
vi /etc/ssh/sshd_config

# 在文件末尾修改，User后跟指定用户列表，ForceCommand 后可以指定任意执行脚本或命令
Match User 
    [local_user_name1,local_user_name2...]
    PasswordAuthentication yes
    ForceCommand /etc/ssh_interactive/ssh_interactive_script.sh
```

## 2.添加执行脚本ssh_interactive_script.sh的内容

2.1. 确保安装了dialog命令，因为会使用

```bash
sudo apt install dialog
```

```bash
# 脚本内容
LD='\033[1m'
RED='\033[0;31m'
GREEN='\033[32m'
WHITE='\033[34m'
YELLOW='\033[33m'
NO_COLOR='\033[0m'
BLUE='\033[0;34m'

function info() {
    (>&2 echo -e "[${WHITE}${BOLD} INFO ${NO_COLOR}] $*")
}

function error() {
    (>&2 echo -e "[${RED} ERROR ${NO_COLOR}] $*")
}

function warning() {
    (>&2 echo -e "[${YELLOW} WARNING ${NO_COLOR}] $*")
}

function ok() {
    (>&2 echo -e "[${GREEN}${BOLD} OK ${NO_COLOR}] $*")
}

function print_delim() {
    echo '================================================='
}

function success() {
    print_delim
    ok "$1"
    print_delim
}

function fail() {
    print_delim
    error "$1"
    print_delim
}

function create_container() {
    ssh_port=$(dialog --stdout --title "Enter ssh port" --inputbox "Port_Used:$(netstat -tuln | grep 'LISTEN' | awk '{print $4}' | awk -F: '{print $NF}' | sort -n --unique | paste -sd "," )" 45 100)
    if [ -z $ssh_port ]; then
        exit 1
    fi

custom_port=$(dialog --stdout --title "Enter custom port" --inputbox "Port_Used:$(netstat -tuln | grep 'LISTEN' | awk '{print $4}' | awk -F: '{print $NF}' | sort -n --unique | paste -sd "," )" 45 100)
    if [ -z $custom_port ]; then
        exit 1
    fi

dialog --yesno "need ai_data?" 0 0
    if [ $? -eq 0 ]; then
        need_data=1
    else
        need_data=0
    fi
    create_container.sh create $ssh_port $custom_port $username $selected_image $need_data '--privileged --cap-add sys_ptrace -e NVIDIA_VISIBLE_DEVICES=all -e NVIDIA_DRIVER_CAPABILITIES=compute,utility'
    docker exec -it $container_name /bin/bash
}

username=$USER
add_or_remove_array=()
add_or_remove_array+=("ADD")
add_or_remove_array+=("add_a_new_container")
add_or_remove_array+=("REMOVE")
add_or_remove_array+=("remove_a_existent_container")
add_or_remove_array+=("SHOW")
add_or_remove_array+=("show_all_your_containers")

add_or_remove=$(dialog --stdout --menu "Select container action:" 0 0 0 ${add_or_remove_array[@]})
if [ -z $add_or_remove ]; then
    exit 1
fi
if [[ $add_or_remove == "SHOW" ]]; then
    echo "Your containers in this server are following: "
    docker ps -a | grep $username
    exit 0
fi

docker_tag=$(docker images --format "{{.Tag}}")
tags_array=()
while read -r line; do
    tags_array+=("$line")
    tags_array+=("-")
done <<< "$docker_tag"

selected_image=$(dialog --stdout --menu "Select an image:" 0 0 0 ${tags_array[@]})
if [ -z $selected_image ]; then
    exit 1
fi
container_name="${selected_image}_${username}"

if [[ $add_or_remove == "ADD" ]]; then
    if [ "$(docker ps -a -q -f name=$container_name)" ]; then
        dialog --yesno "Container $container_name already exists. Do you want to remove and recreate it?" 0 0
        response=$?
        if [ $response -eq 0 ]; then
            docker rm -f $container_name
            create_container
        else
            docker exec -it $container_name /bin/bash
        fi
    else
        create_container
    fi
else
    if [ "$(docker ps -a -q -f name=$container_name)" ]; then
        echo The container $container_name has been removed.
        docker rm -f $container_name
    else
        echo The container $container_name does not exist.
        exit 1
    fi
fi

```

2.2. 样例执行结果如下图

![](/media/202405/2024-05-20_102442_9114580.7691853061775751.png)

## 3.完成create_container.sh脚本内容

3.1. 创建用户时因为要使用docker命令，确保用户位于docker分组

3.2. 脚本内容
```bash
#!/bin/bash
# Description: This script is used to create container for each user.
# Author: dingfeng
# Parameters:
# ssh_port: Used for ssh login.
# custom_port: Used for custom usage.
# user: Used for data transform from container to host. It will create a folder in /data/datasets/users/ with the name of the username given.
# image tag: the tag of the docker image in crdc_airi group

BOLD='\033[1m'
RED='\033[0;31m'
GREEN='\033[32m'
WHITE='\033[34m'
YELLOW='\033[33m'
NO_COLOR='\033[0m'
BLUE='\033[0;34m'

function info() {
    (>&2 echo -e "[${WHITE}${BOLD} INFO ${NO_COLOR}] $*")
}

function error() {
    (>&2 echo -e "[${RED} ERROR ${NO_COLOR}] $*")
}

function warning() {
    (>&2 echo -e "[${YELLOW} WARNING ${NO_COLOR}] $*")
}

function ok() {
    (>&2 echo -e "[${GREEN}${BOLD} OK ${NO_COLOR}] $*")
}

function print_delim() {
    echo '================================================='
}

function success() {
    print_delim
    ok "$1"
    print_delim
}

function fail() {
    print_delim
    error "$1"
    print_delim
}

function create_container() {
    if [ -z $2 ]; then
        fail "ssh_port not given"
        exit 1
    fi
    ssh_port=$2
    is_port_used=$(netstat -an | grep $ssh_port | awk 'END{print NR}')
    if [ $is_port_used -ne 0 ]; then
        fail "The given ssh_port ${ssh_port} is used"
        exit 1
    fi
    info "ssh_port: $ssh_port"

if [ -z $3 ]; then
        fail "custom_port not given"
        exit 1
    fi
    custom_port=$3
    is_port_used=$(netstat -an | grep $custom_port | awk 'END{print NR}')
    if [ $is_port_used -ne 0 ]; then
        fail "The given custom_port ${custom_port} is used"
        exit 1
    fi
    info "custom_port: $custom_port"

if [ -z $4 ]; then
        fail "username not given"
        exit 1
    fi
    user=$4
    info "user: $user"

if [ -z $5 ]; then
        fail "image tag not given"
        exit 1
    fi
    tag=$5
    info "tag: $tag"

if [ -z $6 ]; then
        warning "Is /data/ai_data/ use in your container? End with: 1(yes) 0(no)"
        exit 1
    fi
    mount_ai_data=""
    if [ $6 -ne 0 ]; then
        info "The container has /data/ai_data!"
        mount_ai_data="--mount type=bind,source=/data/ai_data,destination=/data/ai_data,readonly --mount type=bind,source=/data/lab_data_b,destination=/data/lab_data_b,readonly"
    fi

option=""
    if [ -z $7 ]; then
        info "No option"
        warning "if need -e NVIDIA_VISIBLE_DEVICES=0,1 could be add"
        warning "if cuda not found. -e NVIDIA_VISIBLE_DEVICES=all -e NVIDIA_DRIVER_CAPABILITIES=compute,utility, could be used"
    else
        index=1
        for i in $@; do
            tmp=$i
            if [ $index -gt 6 ]; then
                option="$option $tmp "
            fi
            index=$((index+1))
        done
        info $option
    fi

mkdir -p /data/ai_data/users/$user
    mkdir -p /data/dataset/$user
    docker run -d --restart=always --shm-size 64g --name="${tag}_${user}" -p $ssh_port:22 -p $custom_port:8000 $option $mount_ai_data -v /data/ai_data/users/$user:/data/dataset/$user dockerhub.namespace.com/crdc_airi/ubuntu:$tag /etc/start_ssh.sh
    if [ $? -ne 0 ]; then
        fail "Create container error!"
        exit 1
    fi
    success "Create container success!"
}

function print_usage() {
    echo -e "\n${RED}Usage${NO_COLOR}:"
    echo -e "${BOLD}./create_container.sh${NO_COLOR} [OPTION]"

echo -e "\n${RED}Options${NO_COLOR}: create container"

echo -e "\n${BLUE}Examples${NO_COLOR}:"
    info "[Pad3] create_container.sh create 11111 11112 firstname.lastname python-env-pad3d-v1.2"
    info "[Pad2d] create_container.sh create 11111 11112 firstname.lastname python-env-pad2d-v1.2"
    info "[tidl] create_container.sh create 11111 11112 firstname.lastname td04_tidl_0703_ci-v2.0"
    info "[psdk0703] create_container.sh create 11111 11112 firstname.lastname psdk_td04-v07_03_00-v1.1"
}

function main() {
    local cmd=$1
    case $cmd in
        create)
            create_container $@
            ;;
        *)
            print_usage
            ;;
    esac
}

main $@

```