Replace security date tags with patch version bumps in scheduled builds

The scheduled weekly security build now bumps the patch version
(e.g. noble-1.0.2 -> noble-1.0.3) instead of appending
-security.YYYYMMDD. Each rebuild creates a proper GitHub release
with the new patch tag and pushes Docker images accordingly.

Co-authored-by: samip5 <1703002+samip5@users.noreply.github.com>

.github/FUNDING.yml

@@ -0,0 +1,2 @@
+github: samip5
+custom: https://www.buymeacoffee.com/skykrypt

.github/ISSUE_TEMPLATE/bug.md

@@ -0,0 +1,29 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels:kind: possible bug
+assignees: ''
+---
+
+# Details
+
+**Image version:**
+
+<!-- Note: This should be the docker image version you're referring to -->
+
+**What steps did you take and what happened:**
+
+<!-- Note: This should be a clear and concise description of what the bug is. -->
+
+**What did you expect to happen:**
+
+<!-- Note: This should be a clear and concise description of what you expected to happen. -->
+
+**Anything else you would like to add:**
+
+<!-- Note: Miscellaneous information that will assist in solving the issue. -->
+
+**Additional Information:**
+
+<!-- Note: Anything to give further context to the bug report. -->

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,6 @@
+---
+blank_issues_enabled: false
+contact_links:
+    - name: Discuss on Discord
+      url: https://discord.gg/PRT86Cdgnr
+      about: Join our Discord community

.github/ISSUE_TEMPLATE/enhancement.md

@@ -0,0 +1,21 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: kind:enhancement
+assignees: ''
+---
+
+# Details
+
+**Describe the solution you'd like:**
+
+<!-- Note: A clear and concise description of what you want to happen. -->
+
+**Anything else you would like to add:**
+
+<!-- Note: Miscellaneous information that will assist in solving the issue. -->
+
+**Additional Information:**
+
+<!-- Note: Anything to give further context to the requested new feature. -->

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,32 @@
+<!--
+Before you open the request please review the following guidelines and tips to help it be more easily integrated:
+
+- Describe the scope of your change - i.e. what the change does.
+- Describe any known limitations with your change.
+- Please run any tests or examples that can exercise your modified code.
+
+Thank you for contributing! We will try to test and integrate the change as soon as we can. There is no need to bump or check in on a pull request (it will clutter the discussion of the request).
+
+Also don't be worried if the request is closed or not integrated sometimes our priorities might not match the priorities of the pull request. Don't fret, the open source community thrives on forks and GitHub makes it easy to keep your changes in a forked repo.
+-->
+
+**Description of the change**
+
+<!-- Describe the scope of your change - i.e. what the change does. -->
+
+**Benefits**
+
+<!-- What benefits will be realized by the code change? -->
+
+**Possible drawbacks**
+
+<!-- Describe any known limitations with your change -->
+
+**Applicable issues**
+
+<!-- Enter any applicable Issues here (You can reference an issue using #) -->
+- fixes #
+
+**Additional information**
+
+<!-- If there's anything else that's important and relevant to your pull request, mention that information here.-->

.github/workflows/main.yml

@@ -0,0 +1,86 @@
+name: Release
+
+on:
+    workflow_dispatch:
+    release:
+     types: [published]
+jobs:
+    build:
+        runs-on: ubuntu-latest
+        if: "!contains(github.event.head_commit.message, '[ci-skip]')"
+        steps:
+          - name: Checkout
+            uses: actions/checkout@v4
+
+          - name: Prepare
+            id: prep
+            run: |
+              DOCKER_IMAGE=phusion/baseimage
+              GIT_BRANCH=${GITHUB_REF##*/}
+              # Set the platforms to build for here and thus reduce duplicating it.
+              PLATFORMS=amd64,arm,arm64
+              TAGS="${DOCKER_IMAGE}:${GIT_BRANCH}, ghcr.io/${{ github.repository_owner }}/baseimage:${GIT_BRANCH}"
+
+              # Determine BASE_IMAGE from release tag prefix (e.g. noble-1.0.2 -> ubuntu:24.04)
+              if [[ "${GIT_BRANCH}" == noble-* ]]; then
+                BASE_IMAGE="ubuntu:24.04"
+              elif [[ "${GIT_BRANCH}" == jammy-* ]]; then
+                BASE_IMAGE="ubuntu:22.04"
+              else
+                # Default to noble (latest LTS) for unrecognised tag prefixes
+                echo "::warning::Unrecognized release tag prefix '${GIT_BRANCH}'. Expected it to start with 'noble-' or 'jammy-'. Defaulting BASE_IMAGE to ubuntu:24.04 (Noble)."
+                BASE_IMAGE="ubuntu:24.04"
+              fi
+              
+              # Set output parameters.
+              
+              if [ "${{github.event_name}}" == "pull_request" ]; then
+                echo "push=false" >> $GITHUB_OUTPUT
+              else
+                echo "push=true" >> $GITHUB_OUTPUT
+                echo "tags=${TAGS}" >> $GITHUB_OUTPUT
+                echo "branch=${GIT_BRANCH}" >> $GITHUB_OUTPUT
+                echo "docker_image=${DOCKER_IMAGE}" >> $GITHUB_OUTPUT
+              fi
+              echo "platforms=${PLATFORMS}" >> $GITHUB_OUTPUT
+              echo "base_image=${BASE_IMAGE}" >> $GITHUB_OUTPUT
+
+
+          - name: Set up QEMU
+            uses: docker/setup-qemu-action@v3
+            with:
+              platforms: ${{ steps.prep.outputs.platforms }}
+
+          - name: Login to GHCR (Github Container Registry)
+            uses: docker/login-action@v3
+            if: github.event_name != 'pull_request'
+            with:
+             registry: ghcr.io
+             username: ${{ github.actor }}
+             password: ${{ secrets.GITHUB_TOKEN }}
+
+          - name: Set up Docker Buildx
+            id: buildx
+            uses: docker/setup-buildx-action@v3
+            with:
+              install: true
+              version: latest
+              driver-opts: image=moby/buildkit:latest
+
+
+          - name: Login to Docker Hub
+            if: github.event_name != 'pull_request'
+            uses: docker/login-action@v3
+            with:
+                username: ${{ secrets.DOCKER_USERNAME }}
+                password: ${{ secrets.DOCKER_PASSWORD }}
+
+          - name: Build and Push
+            uses: docker/build-push-action@v6
+            with:
+              builder: ${{ steps.buildx.outputs.name }}
+              context: image
+              platforms: ${{ steps.prep.outputs.platforms }}
+              push: ${{ steps.prep.outputs.push }}
+              tags: ${{ steps.prep.outputs.tags }}
+              build-args: BASE_IMAGE=${{ steps.prep.outputs.base_image }}

.github/workflows/scheduled-build.yml

@@ -0,0 +1,117 @@
+name: Scheduled Security Build
+
+on:
+    schedule:
+        - cron: '0 2 * * 0'  # Every Sunday at 02:00 UTC
+    workflow_dispatch:
+
+jobs:
+    build:
+        runs-on: ubuntu-latest
+        permissions:
+            contents: write
+            packages: write
+        strategy:
+            fail-fast: false
+            matrix:
+                include:
+                    - ubuntu_codename: noble
+                      base_image: ubuntu:24.04
+                    - ubuntu_codename: jammy
+                      base_image: ubuntu:22.04
+        steps:
+          - name: Get latest release tag and compute next patch version
+            id: release
+            run: |
+              LATEST_TAG=$(gh release list \
+                --repo ${{ github.repository }} \
+                --exclude-pre-releases \
+                --exclude-drafts \
+                --json tagName \
+                --jq '[.[] | select(.tagName | startswith("${{ matrix.ubuntu_codename }}-"))] | first | .tagName')
+              if [ -z "${LATEST_TAG}" ]; then
+                echo "No release found for ${{ matrix.ubuntu_codename }} track" >&2
+                exit 1
+              fi
+              # Extract version and bump patch: noble-1.0.2 -> noble-1.0.3
+              if ! echo "${LATEST_TAG}" | grep -qE '^[a-z]+-[0-9]+\.[0-9]+\.[0-9]+$'; then
+                echo "Tag '${LATEST_TAG}' does not match expected format <codename>-<major>.<minor>.<patch>" >&2
+                exit 1
+              fi
+              PREFIX="${LATEST_TAG%.*}"            # noble-1.0
+              PATCH="${LATEST_TAG##*.}"            # 2
+              NEXT_PATCH=$((PATCH + 1))
+              NEXT_TAG="${PREFIX}.${NEXT_PATCH}"  # noble-1.0.3
+              echo "current_tag=${LATEST_TAG}" >> $GITHUB_OUTPUT
+              echo "next_tag=${NEXT_TAG}" >> $GITHUB_OUTPUT
+            env:
+              GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+          - name: Checkout release tag
+            uses: actions/checkout@v4
+            with:
+              ref: ${{ steps.release.outputs.current_tag }}
+
+          - name: Prepare
+            id: prep
+            run: |
+              DOCKER_IMAGE=phusion/baseimage
+              NEXT_TAG=${{ steps.release.outputs.next_tag }}
+              PLATFORMS=amd64,arm,arm64
+              TAGS="${DOCKER_IMAGE}:${NEXT_TAG}"
+              TAGS="${TAGS}, ${DOCKER_IMAGE}:${{ matrix.ubuntu_codename }}"
+              TAGS="${TAGS}, ghcr.io/${{ github.repository_owner }}/baseimage:${NEXT_TAG}"
+              TAGS="${TAGS}, ghcr.io/${{ github.repository_owner }}/baseimage:${{ matrix.ubuntu_codename }}"
+              echo "tags=${TAGS}" >> $GITHUB_OUTPUT
+              echo "platforms=${PLATFORMS}" >> $GITHUB_OUTPUT
+
+          - name: Set up QEMU
+            uses: docker/setup-qemu-action@v3
+            with:
+              platforms: ${{ steps.prep.outputs.platforms }}
+
+          - name: Set up Docker Buildx
+            uses: docker/setup-buildx-action@v3
+            with:
+              install: true
+              version: latest
+              driver-opts: image=moby/buildkit:latest
+
+          - name: Login to GHCR (Github Container Registry)
+            uses: docker/login-action@v3
+            with:
+              registry: ghcr.io
+              username: ${{ github.actor }}
+              password: ${{ secrets.GITHUB_TOKEN }}
+
+          - name: Login to Docker Hub
+            uses: docker/login-action@v3
+            with:
+              username: ${{ secrets.DOCKER_USERNAME }}
+              password: ${{ secrets.DOCKER_PASSWORD }}
+
+          - name: Build and Push
+            uses: docker/build-push-action@v6
+            with:
+              context: image
+              platforms: ${{ steps.prep.outputs.platforms }}
+              push: true
+              tags: ${{ steps.prep.outputs.tags }}
+              build-args: BASE_IMAGE=${{ matrix.base_image }}
+              no-cache: true
+
+          - name: Create GitHub Release
+            run: |
+              gh release create "${{ steps.release.outputs.next_tag }}" \
+                --repo "${{ github.repository }}" \
+                --target "${{ steps.release.outputs.current_tag }}" \
+                --title "${{ steps.release.outputs.next_tag }}" \
+                --notes "Automated weekly security rebuild of \`${{ steps.release.outputs.current_tag }}\` with latest \`${{ matrix.base_image }}\` packages.
+
+              Images pushed:
+              - \`phusion/baseimage:${{ steps.release.outputs.next_tag }}\`
+              - \`phusion/baseimage:${{ matrix.ubuntu_codename }}\`
+              - \`ghcr.io/${{ github.repository_owner }}/baseimage:${{ steps.release.outputs.next_tag }}\`
+              - \`ghcr.io/${{ github.repository_owner }}/baseimage:${{ matrix.ubuntu_codename }}\`"
+            env:
+              GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/stale.yml

@@ -0,0 +1,20 @@
+name: 'Close stale issues and PRs'
+on:
+  schedule:
+    - cron: '0 1 * * *'
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/stale@v9
+        with:
+          stale-issue-message: 'This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.'
+          stale-pr-message: 'This Pull Request has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thank you for your contribution.'
+          close-issue-message: 'Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.'
+          close-pr-message: 'Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Pull Request. Do not hesitate to reopen it later if necessary.'
+          days-before-stale: 15
+          days-before-close: 5
+          exempt-issue-labels: 'on-hold'
+          exempt-pr-labels: 'on-hold'
+          operations-per-run: 50

.gitignore

@@ -1,3 +1,5 @@
 .DS_Store
 .vagrant
 *.swp
+*.tar.gz
+*.log

.travis.yml

@@ -1,7 +0,0 @@
-sudo: required
-
-services:
-  - docker
-  
-script:
-  - make build

CODE_OF_CONDUCT.md

@@ -0,0 +1,52 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at Phusion Passenger:
+
+[FloorD](https://github.com/floord) (she/her), floor@phusion.nl, English / Dutch / German
+
+[Scarhand](https://github.com/scarhand) (he/his), niels@phusion.nl, English / Dutch
+
+The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/4/

LICENSE.txt

@@ -1,4 +1,4 @@
-Copyright (c) 2013-2015 Phusion Holding B.V.
+Copyright (c) 2013-2025 Phusion Holding B.V.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

Makefile

@@ -1,29 +1,57 @@
-NAME = phusion/baseimage
-VERSION = 0.9.21
+VERSION ?= noble-1.0.2
+ifdef BASE_IMAGE
+	BUILD_ARG = --build-arg BASE_IMAGE=$(BASE_IMAGE)
+	ifndef NAME
+		NAME = phusion/baseimage-$(subst :,-,${BASE_IMAGE})
+	endif
+else
+	NAME ?= phusion/baseimage
+endif
+ifdef TAG_ARCH
+	# VERSION_ARG = $(VERSION)-$(subst /,-,$(subst :,-,${BASE_IMAGE}))-$(TAG_ARCH)
+	VERSION_ARG = $(VERSION)-$(TAG_ARCH)
+	LATEST_VERSION = latest-$(TAG_ARCH)
+else
+	# VERSION_ARG = $(VERSION)-$(subst /,-,$(subst :,-,${BASE_IMAGE}))
+	VERSION_ARG = $(VERSION)
+	LATEST_VERSION = latest
+endif
+VERSION_ARG ?= $(VERSION)
 
 .PHONY: all build test tag_latest release ssh
 
 all: build
 
 build:
-	docker build -t $(NAME):$(VERSION) --rm image
+	docker build --no-cache -t $(NAME):$(VERSION_ARG) $(BUILD_ARG) --build-arg QEMU_ARCH=$(QEMU_ARCH) --platform $(PLATFORM) --rm image
+
+build_multiarch:
+	env NAME=$(NAME) VERSION=$(VERSION_ARG) ./build-multiarch.sh
 
 test:
-	env NAME=$(NAME) VERSION=$(VERSION) ./test/runner.sh
+	env NAME=$(NAME) VERSION=$(VERSION_ARG) ./test/runner.sh
 
 tag_latest:
-	docker tag $(NAME):$(VERSION) $(NAME):latest
+	docker tag $(NAME):$(VERSION_ARG) $(NAME):$(LATEST_VERSION)
 
-release: test tag_latest
-	@if ! docker images $(NAME) | awk '{ print $$2 }' | grep -q -F $(VERSION); then echo "$(NAME) version $(VERSION) is not yet built. Please run 'make build'"; false; fi
-	@if ! head -n 1 Changelog.md | grep -q 'release date'; then echo 'Please note the release date in Changelog.md.' && false; fi
+tag_multiarch_latest:
+	env NAME=$(NAME) VERSION=$(VERSION) TAG_LATEST=true ./build-multiarch.sh
+
+release: test
+	@if ! docker images $(NAME) | awk '{ print $$2 }' | grep -q -F $(VERSION_ARG); then echo "$(NAME) version $(VERSION_ARG) is not yet built. Please run 'make build'"; false; fi
 	docker push $(NAME)
-	@echo "*** Don't forget to create a tag. git tag $(VERSION) && git push origin $(VERSION)"
+	@echo "*** Don't forget to create a tag by creating an official GitHub release."
 
+ssh: SSH_COMMAND?=
 ssh:
-	chmod 600 image/services/sshd/keys/insecure_key
-	@ID=$$(docker ps | grep -F "$(NAME):$(VERSION)" | awk '{ print $$1 }') && \
+	ID=$$(docker ps | grep -F "$(NAME):$(VERSION_ARG)" | awk '{ print $$1 }') && \
 		if test "$$ID" = ""; then echo "Container is not running."; exit 1; fi && \
-		IP=$$(docker inspect $$ID | grep IPAddr | sed 's/.*: "//; s/".*//') && \
-		echo "SSHing into $$IP" && \
-		ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i image/services/sshd/keys/insecure_key root@$$IP
+		tools/docker-ssh $$ID ${SSH_COMMAND}
+
+test_release:
+	echo test_release
+	env
+
+test_master:
+	echo test_master
+	env

README.md

@@ -1,9 +1,8 @@
 # A minimal Ubuntu base image modified for Docker-friendliness
 
-[![](https://badge.imagelayers.io/phusion/baseimage:0.9.17.svg)](https://imagelayers.io/?images=phusion/baseimage:latest 'Get your own badge on imagelayers.io')
-[![Travis](https://img.shields.io/travis/phusion/baseimage-docker.svg)](https://travis-ci.org/phusion/baseimage-docker)
+[![Release](https://github.com/phusion/baseimage-docker/actions/workflows/main.yml/badge.svg)](https://github.com/phusion/baseimage-docker/actions/workflows/main.yml)
 
-_Baseimage-docker only consumes 6 MB RAM and is much powerful than Busybox or Alpine. See why below._
+_Baseimage-docker only consumes 8.3 MB RAM and is much more powerful than Busybox or Alpine. See why below._
 
 Baseimage-docker is a special [Docker](https://www.docker.com) image that is configured for correct use within Docker containers. It is Ubuntu, plus:
 
@@ -13,7 +12,7 @@ Baseimage-docker is a special [Docker](https://www.docker.com) image that is con
 
 You can use it as a base for your own Docker images.
 
-Baseimage-docker is available for pulling from [the Docker registry](https://registry.hub.docker.com/u/phusion/baseimage/)!
+Baseimage-docker is available for pulling from [the Docker registry](https://hub.docker.com/r/phusion/baseimage) and [GHCR (GitHub Container Registry)](https://github.com/phusion/baseimage-docker/pkgs/container/baseimage)!
 
 ### What are the problems with the stock Ubuntu base image?
 
@@ -36,7 +35,7 @@ You can configure the stock `ubuntu` image yourself from your Dockerfile, so why
 **Related resources**:
   [Website](http://phusion.github.io/baseimage-docker/) |
   [Github](https://github.com/phusion/baseimage-docker) |
-  [Docker registry](https://index.docker.io/u/phusion/baseimage/) |
+  [Docker registry](https://registry.hub.docker.com/r/phusion/baseimage/) |
   [Discussion forum](https://groups.google.com/d/forum/passenger-docker) |
   [Twitter](https://twitter.com/phusion_nl) |
   [Blog](http://blog.phusion.nl/)
@@ -57,6 +56,7 @@ You can configure the stock `ubuntu` image yourself from your Dockerfile, so why
      * [Environment variable dumps](#envvar_dumps)
      * [Modifying environment variables](#modifying_envvars)
      * [Security](#envvar_security)
+   * [System logging](#logging)
    * [Upgrading the operating system inside the container](#upgrading_os)
  * [Container administration](#container_administration)
    * [Running a one-shot command in a new container](#oneshot)
@@ -86,7 +86,7 @@ You can configure the stock `ubuntu` image yourself from your Dockerfile, so why
 
 | Component        | Why is it included? / Remarks |
 | ---------------- | ------------------- |
-| Ubuntu 16.04 LTS | The base system. |
+| Ubuntu 24.04 LTS | The base system. |
 | A **correct** init process | _Main article: [Docker and the PID 1 zombie reaping problem](http://blog.phusion.nl/2015/01/20/docker-and-the-pid-1-zombie-reaping-problem/)._ <br><br>According to the Unix process model, [the init process](https://en.wikipedia.org/wiki/Init) -- PID 1 -- inherits all [orphaned child processes](https://en.wikipedia.org/wiki/Orphan_process) and must [reap them](https://en.wikipedia.org/wiki/Wait_(system_call)). Most Docker containers do not have an init process that does this correctly. As a result, their containers become filled with [zombie processes](https://en.wikipedia.org/wiki/Zombie_process) over time. <br><br>Furthermore, `docker stop` sends SIGTERM to the init process, which stops all services. Unfortunately most init systems don't do this correctly within Docker since they're built for hardware shutdowns instead. This causes processes to be hard killed with SIGKILL, which doesn't give them a chance to correctly deinitialize things. This can cause file corruption. <br><br>Baseimage-docker comes with an init process `/sbin/my_init` that performs both of these tasks correctly. |
 | Fixes APT incompatibilities with Docker | See https://github.com/dotcloud/docker/issues/1024. |
 | syslog-ng | A syslog daemon is necessary so that many services - including the kernel itself - can correctly log to /var/log/syslog. If no syslog daemon is running, a lot of important messages are silently swallowed. <br><br>Only listens locally. All syslog messages are forwarded to "docker logs".<br><br>Why syslog-ng?<br>I've had bad experience with rsyslog. I regularly run into bugs with rsyslog, and once in a while it takes my log host down by entering a 100% CPU loop in which it can't do anything. Syslog-ng seems to be much more stable. |
@@ -95,8 +95,9 @@ You can configure the stock `ubuntu` image yourself from your Dockerfile, so why
 | cron | The cron daemon must be running for cron jobs to work. |
 | [runit](http://smarden.org/runit/) | Replaces Ubuntu's Upstart. Used for service supervision and management. Much easier to use than SysV init and supports restarting daemons when they crash. Much easier to use and more lightweight than Upstart. |
 | `setuser` | A tool for running a command as another user. Easier to use than `su`, has a smaller attack vector than `sudo`, and unlike `chpst` this tool sets `$HOME` correctly. Available as `/sbin/setuser`. |
+| `install_clean` | A tool for installing `apt` packages that automatically cleans up after itself.  All arguments are passed to `apt-get -y install --no-install-recommends` and after installation the apt caches are cleared.  To include recommended packages, add `--install-recommends`. |
 
-Baseimage-docker is very lightweight: it only consumes 6 MB of memory.
+Baseimage-docker is very lightweight: it only consumes 8.3 MB of memory.
 
 <a name="docker_single_process"></a>
 ### Wait, I thought Docker is about running a single process in a container?
@@ -154,26 +155,45 @@ The image is called `phusion/baseimage`, and is available on the Docker registry
 <a name="adding_additional_daemons"></a>
 ### Adding additional daemons
 
-You can add additional daemons (e.g. your own app) to the image by creating runit entries. You only have to write a small shell script which runs your daemon, and runit will keep it up and running for you, restarting it when it crashes, etc.
+A daemon is a program which runs in the background of its system, such
+as a web server.
 
-The shell script must be called `run`, must be executable, and is to be placed in the directory `/etc/service/<NAME>`.
+You can add additional daemons (for example, your own app) to the image
+by creating runit service directories. You only have to write a small
+shell script which runs your daemon;
+[`runsv`](http://smarden.org/runit/runsv.8.html) will start your script,
+and - by default - restart it upon its exit, after waiting one second.
 
-Here's an example showing you how a memcached server runit entry can be made.
+The shell script must be called `run`, must be executable, and is to be
+placed in the directory `/etc/service/<NAME>`. `runsv` will switch to
+the directory and invoke `./run` after your container starts.
 
-In `memcached.sh` (make sure this file is chmod +x):
+**Be certain that you do not start your container using interactive mode
+(`-it`) with another command, as `runit` must be the first process to run. If you do this, your runit service directories won't be started. For instance, `docker run -it <name> bash` will bring you to bash in your container, but you'll lose all your daemons.**
 
-    #!/bin/sh
-    # `/sbin/setuser memcache` runs the given command as the user `memcache`.
-    # If you omit that part, the command will be run as root.
-    exec /sbin/setuser memcache /usr/bin/memcached >>/var/log/memcached.log 2>&1
+Here's an example showing you how a `runit` service directory can be
+made for a `memcached` server.
 
-In `Dockerfile`:
+In `memcached.sh`, or whatever you choose to name your file (make sure
+this file is chmod +x):
+```bash
+#!/bin/sh
+# `/sbin/setuser memcache` runs the given command as the user `memcache`.
+# If you omit that part, the command will be run as root.
+exec /sbin/setuser memcache /usr/bin/memcached >>/var/log/memcached.log 2>&1
+```
+In an accompanying `Dockerfile`:
 
-    RUN mkdir /etc/service/memcached
-    COPY memcached.sh /etc/service/memcached/run
-    RUN chmod +x /etc/service/memcached/run
-
-Note that the shell script must run the daemon **without letting it daemonize/fork it**. Usually, daemons provide a command line flag or a config file option for that.
+```Dockerfile
+RUN mkdir /etc/service/memcached
+COPY memcached.sh /etc/service/memcached/run
+RUN chmod +x /etc/service/memcached/run
+```
+A given shell script must run **without daemonizing or forking itself**;
+this is because `runit` will start and restart your script on its own.
+Usually, daemons provide a command line flag or a config file option for
+preventing such behavior - essentially, you just want your script to run
+in the foreground, not the background.
 
 <a name="running_startup_scripts"></a>
 ### Running scripts during container startup
@@ -198,7 +218,7 @@ In `Dockerfile`:
 
     RUN mkdir -p /etc/my_init.d
     COPY logtime.sh /etc/my_init.d/logtime.sh
-	  RUN chmod +x /etc/my_init.d/logtime.sh
+    RUN chmod +x /etc/my_init.d/logtime.sh
 
 <a name="environment_variables"></a>
 
@@ -217,6 +237,12 @@ environment variables:
     # Give all other processes (such as those which have been forked) 5 minutes to timeout
     ENV KILL_ALL_PROCESSES_TIMEOUT=300
 
+Note: Prior to 0.11.1, the default values for `KILL_PROCESS_TIMEOUT` and `KILL_ALL_PROCESSES_TIMEOUT`
+were 5 seconds. In version 0.11.1+ the default process timeout has been adjusted to 30 seconds to
+allow more time for containers to terminate gracefully. The default timeout of your container runtime
+may supersede this setting, for example Docker currently applies a [10s timeout](https://docs.docker.com/engine/reference/commandline/stop/#options)
+by default before sending SIGKILL, upon `docker stop` or receiving SIGTERM.
+
 ### Environment variables
 
 If you use `/sbin/my_init` as the main container command, then any environment variables set with `docker run --env` or with the `ENV` command in the Dockerfile, will be picked up by `my_init`. These variables will also be passed to all child processes, including `/etc/my_init.d` startup scripts, Runit and Runit-managed services. There are however a few caveats you should be aware of:
@@ -302,10 +328,18 @@ If you are sure that your environment variables don't contain sensitive data, th
     RUN chmod 755 /etc/container_environment
     RUN chmod 644 /etc/container_environment.sh /etc/container_environment.json
 
+<a name="logging"></a>
+### System logging
+
+Baseimage-docker uses syslog-ng to provide a syslog facility to the container. Syslog-ng is not managed as an runit service (see below). Syslog messages are forwarded to the console.
+
+#### Log startup/shutdown sequence
+In order to ensure that all application log messages are captured by syslog-ng, syslog-ng is started separately before the runit supervisor process, and shutdown after runit exits. This uses the [startup script facility](#running_startup_scripts) provided by this image. This avoids a race condition which would exist if syslog-ng were managed as an runit service, where runit kills syslog-ng in parallel with the container's other services, causing log messages to be dropped during a graceful shutdown if syslog-ng exits while logs are still being produced by other services.
+
 <a name="upgrading_os"></a>
 ### Upgrading the operating system inside the container
 
-Baseimage-docker images contain an Ubuntu 16.04 operating system. You may want to update this OS from time to time, for example to pull in the latest security updates. OpenSSL is a notorious example. Vulnerabilities are discovered in OpenSSL on a regular basis, so you should keep OpenSSL up-to-date as much as you can.
+Baseimage-docker images contain an Ubuntu operating system (see OS version at [Overview](#overview)). You may want to update this OS from time to time, for example to pull in the latest security updates. OpenSSL is a notorious example. Vulnerabilities are discovered in OpenSSL on a regular basis, so you should keep OpenSSL up-to-date as much as you can.
 
 While we release Baseimage-docker images with the latest OS updates from time to time, you do not have to rely on us. You can update the OS inside Baseimage-docker images yourself, and it is recommended that you do this instead of waiting for us.
 
@@ -440,7 +474,7 @@ Then, you can start your container with
 
     docker run -d -v `pwd`/myfolder:/etc/my_init.d my/dockerimage
 
-This will initialize sshd on container boot.  You can then access it with the insecure key as below, or using the methods to add a secure key.  Further, you can publish the port to your machine with -p 22:2222 allowing you to ssh to localhost:2222 instead of looking up the ip address.
+This will initialize sshd on container boot.  You can then access it with the insecure key as below, or using the methods to add a secure key.  Further, you can publish the port to your machine with -p 2222:22 allowing you to ssh to 127.0.0.1:2222 instead of looking up the ip address of the container.
 
 <a name="ssh_keys"></a>
 #### About SSH keys
@@ -485,7 +519,7 @@ Edit your Dockerfile to install the insecure key permanently:
 
     RUN /usr/sbin/enable_insecure_key
 
-Instructions for logging in the container is the same as in section [Using the insecure key for one container only](#using_the_insecure_key_for_one_container_only).
+Instructions for logging into the container is the same as in section [Using the insecure key for one container only](#using_the_insecure_key_for_one_container_only).
 
 <a name="using_your_own_key"></a>
 #### Using your own key
@@ -550,6 +584,12 @@ Clone this repository:
 
 Start a virtual machine with Docker in it. You can use the Vagrantfile that we've already provided.
 
+First, install `vagrant-disksize` plug-in:
+
+    vagrant plugin install vagrant-disksize
+
+Then, start the virtual machine
+
     vagrant up
     vagrant ssh
     cd /vagrant
@@ -562,14 +602,29 @@ If you want to call the resulting image something else, pass the NAME variable,
 
     make build NAME=joe/baseimage
 
+You can also change the `ubuntu` base-image to `debian` as these distributions are quite similar.
+
+    make build BASE_IMAGE=debian:stretch
+
+The image will be: `phusion/baseimage-debian-stretch`. Use the `NAME` variable in combination with the `BASE_IMAGE` one to call it `joe/stretch`.
+
+    make build BASE_IMAGE=debian:stretch NAME=joe/stretch
+
+To verify that the various services are started, when the image is run as a container, add `test` to the end of your make invocations, e.g.:
+
+    make build BASE_IMAGE=debian:stretch NAME=joe/stretch test
+
+
 <a name="removing_optional_services"></a>
 ### Removing optional services
 
 The default baseimage-docker installs `syslog-ng`, `cron` and `sshd` services during the build process.
 
-In case you don't need one or more of these services in your image, you can disable its installation.
+In case you don't need one or more of these services in your image, you can disable its installation through the `image/buildconfig` that is sourced within `image/system_services.sh`.  Do this at build time by passing a variable in with `--build-arg`  as in `docker build --build-arg DISABLE_SYSLOG=1 image/`, or you may set the variable in `image/Dockerfile` with an ENV setting above the RUN directive.
 
-As shown in the following example, to prevent `sshd` from being installed into your image, set `1` to the `DISABLE_SSH` variable in the `./image/buildconfig` file.
+These represent build-time configuration, so setting them in the shell env at build-time [will not have any effect](https://github.com/phusion/baseimage-docker/issues/459#issuecomment-439177442).  Setting them in child images' Dockerfiles will also not have any effect.)
+
+You can also set them directly as shown in the following example, to prevent `sshd` from being installed into your image, set `1` to the `DISABLE_SSH` variable in the `./image/buildconfig` file.
 
     ### In ./image/buildconfig
     # ...
@@ -587,7 +642,8 @@ Then you can proceed with `make build` command.
  * Using baseimage-docker? [Tweet about us](https://twitter.com/share) or [follow us on Twitter](https://twitter.com/phusion_nl).
  * Having problems? Want to participate in development? Please post a message at [the discussion forum](https://groups.google.com/d/forum/passenger-docker).
  * Looking for a more complete base image, one that is ideal for Ruby, Python, Node.js and Meteor web apps? Take a look at [passenger-docker](https://github.com/phusion/passenger-docker).
+ * Need a helping hand? Phusion also offers [consulting](https://www.phusion.nl/consultancy) on a wide range of topics, including Web Development, UI/UX Research & Design, Technology Migration and Auditing. 
 
-[<img src="http://www.phusion.nl/assets/logo.png">](http://www.phusion.nl/)
+[<img src="https://avatars.githubusercontent.com/u/830588?s=200&v=4">](https://www.phusion.nl/)
 
 Please enjoy baseimage-docker, a product by [Phusion](http://www.phusion.nl/). :-)

README_ZH_cn_.md

@@ -82,7 +82,7 @@ Baseimage-docker让这一切完美。在"内容"部分描述了所有这些修
 
 | 模块        | 为什么包含这些？以及备注 |
 | ---------------- | ------------------- |
-| Ubuntu 16.04 LTS | 基础系统。 |
+| Ubuntu 24.04 LTS | 基础系统。 |
 | 一个**正确**的初始化进程  | *主要文章：[Docker和PID 1 僵尸进程回收问题](http://blog.phusion.nl/2015/01/20/docker-and-the-pid-1-zombie-reaping-problem/)*<br/><br/>根据Unix进程模型，[初始化进程](https://en.wikipedia.org/wiki/Init) -- PID 1 -- 继承了所有[孤立的子进程](https://en.wikipedia.org/wiki/Orphan_process)，并且必须[进行回收](https://en.wikipedia.org/wiki/Wait_(system_call))。大多数Docker容器没有一个初始化进程可以正确的完成此操作，随着时间的推移会导致他们的容器出现了大量的[僵尸进程](https://en.wikipedia.org/wiki/Zombie_process)。<br/><br/>而且，`docker stop`发送SIGTERM信号给初始化进程，照理说此信号应该可以停止所有服务。不幸的是由于它们对硬件进行了关闭操作，导致Docker内的大多数初始化系统没有正确执行。这会导致进程强行被SIGKILL信号关闭，从而丧失了一个正确取消初始化设置的机会。这会导致文件损坏。<br/><br/>Baseimage-docker配有一个名为`/sbin/my_init`的初始化进程来同时正确的完成这些任务。 |
 | 修复了APT与Docker不兼容的问题 | 详情参见：https://github.com/dotcloud/docker/issues/1024 。 |
 | syslog-ng | 对于很多服务－包括kernel自身，都需要一个syslog后台进程，以便可以正确的将log输出到/var/log/syslog中。如果没有运行syslog后台进程，很多重要的信息就会默默的丢失了。<br/><br/>只对本地进行监听。所有syslog信息会被转发给“docker logs”。 |

README_zh_tw.md

@@ -82,7 +82,7 @@ Baseimage-docker讓這一切完美。在"內容"部分描述了所有這些修
 
 | 模塊        | 爲什麼包含這些？以及備註 |
 | ---------------- | ------------------- |
-| Ubuntu 16.04 LTS | 基礎系統。 |
+| Ubuntu 24.04 LTS | 基礎系統。 |
 | 一個**正確**的初始化行程  | *主要文章：[Docker和PID 1 殭屍行程回收問題](http://blog.phusion.nl/2015/01/20/docker-and-the-pid-1-zombie-reaping-problem/)*<br/><br/>根據Unix行程模型，[初始化行程](https://en.wikipedia.org/wiki/Init) -- PID 1 -- 繼承了所有[孤立的子行程](https://en.wikipedia.org/wiki/Orphan_process)，並且必須[進行回收](https://en.wikipedia.org/wiki/Wait_(system_call))。大多數Docker容器沒有一個初始化行程可以正確的完成此操作，隨着時間的推移會導致他們的容器出現了大量的[殭屍行程](https://en.wikipedia.org/wiki/Zombie_process)。<br/><br/>而且，`docker stop`發送SIGTERM信號給初始化行程，照理說此信號應該可以停止所有服務。不幸的是由於它們對硬體進行了關閉操作，導致Docker內的大多數初始化系統沒有正確執行。這會導致行程強行被SIGKILL信號關閉，從而喪失了一個正確取消初始化設置的機會。這會導致文件損壞。<br/><br/>Baseimage-docker配有一個名爲`/sbin/my_init`的初始化行程來同時正確的完成這些任務。 |
 | 修復了APT與Docker不兼容的問題 | 詳情參見：https://github.com/dotcloud/docker/issues/1024 。 |
 | syslog-ng | 對於很多服務－包括kernel自身，都需要一個syslog後臺行程，以便可以正確的將log輸出到/var/log/syslog中。如果沒有運行syslog後臺行程，很多重要的信息就會默默的丟失了。<br/><br/>只對本地進行監聽。所有syslog信息會被轉發給“docker logs”。 |

Vagrantfile

@@ -1,54 +1,74 @@
 # -*- mode: ruby -*-
 # vi: set ft=ruby :
-ROOT = File.dirname(File.absolute_path(__FILE__))
 
-# Vagrantfile API/syntax version. Don't touch unless you know what you're doing!
-VAGRANTFILE_API_VERSION = '2'
+# All Vagrant configuration is done below. The "2" in Vagrant.configure
+# configures the configuration version (we support older styles for
+# backwards compatibility). Please don't change it unless you know what
+# you're doing.
+Vagrant.configure("2") do |config|
+	# The most common configuration options are documented and commented below.
+	# For a complete reference, please see the online documentation at
+	# https://docs.vagrantup.com.
 
-# Default env properties which can be overridden
-# Example overrides:
-#   echo "ENV['PASSENGER_DOCKER_PATH'] ||= '../../phusion/passenger-docker'   " >> ~/.vagrant.d/Vagrantfile
-#   echo "ENV['BASE_BOX_URL']          ||= 'd\:/dev/vm/vagrant/boxes/phusion/'" >> ~/.vagrant.d/Vagrantfile
-BASE_BOX_URL          = ENV['BASE_BOX_URL']    || 'https://oss-binaries.phusionpassenger.com/vagrant/boxes/latest/'
-VAGRANT_BOX_URL       = ENV['VAGRANT_BOX_URL'] || BASE_BOX_URL + 'ubuntu-14.04-amd64-vbox.box'
-VMWARE_BOX_URL        = ENV['VMWARE_BOX_URL']  || BASE_BOX_URL + 'ubuntu-14.04-amd64-vmwarefusion.box'
-BASEIMAGE_PATH        = ENV['BASEIMAGE_PATH' ] || '.'
-PASSENGER_DOCKER_PATH = ENV['PASSENGER_PATH' ] || '../passenger-docker'
-DOCKERIZER_PATH       = ENV['DOCKERIZER_PATH'] || '../dockerizer'
+	# Every Vagrant development environment requires a box. You can search for
+	# boxes at https://atlas.hashicorp.com/search.
+	config.vm.box = "ubuntu/noble64"
+	config.disksize.size = '50GB'
 
-$script = <<SCRIPT
-wget -q -O - https://get.docker.io/gpg | apt-key add -
-echo deb http://get.docker.io/ubuntu docker main > /etc/apt/sources.list.d/docker.list
-apt-get update -qq
-apt-get install -q -y --force-yes lxc-docker
-usermod -a -G docker vagrant
-docker version
-su - vagrant -c 'echo alias d=docker >> ~/.bash_aliases'
-SCRIPT
+	# Disable automatic box update checking. If you disable this, then
+	# boxes will only be checked for updates when the user runs
+	# `vagrant box outdated`. This is not recommended.
+	# config.vm.box_check_update = false
 
-Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
-  config.vm.box = 'phusion-open-ubuntu-14.04-amd64'
-  config.vm.box_url = VAGRANT_BOX_URL
-  config.ssh.forward_agent = true
-  passenger_docker_path = File.absolute_path(PASSENGER_DOCKER_PATH, ROOT)
-  if File.directory?(passenger_docker_path)
-    config.vm.synced_folder passenger_docker_path, '/vagrant/passenger-docker'
+	# Create a forwarded port mapping which allows access to a specific port
+	# within the machine from a port on the host machine. In the example below,
+	# accessing "localhost:8080" will access port 80 on the guest machine.
+	# config.vm.network "forwarded_port", guest: 80, host: 8080
+
+	# Create a private network, which allows host-only access to the machine
+	# using a specific IP.
+	# config.vm.network "private_network", ip: "192.168.33.10"
+
+	# Create a public network, which generally matched to bridged network.
+	# Bridged networks make the machine appear as another physical device on
+	# your network.
+	# config.vm.network "public_network"
+
+	# Share an additional folder to the guest VM. The first argument is
+	# the path on the host to the actual folder. The second argument is
+	# the path on the guest to mount the folder. And the optional third
+	# argument is a set of non-required options.
+	# config.vm.synced_folder "../data", "/vagrant_data"
+
+	# Provider-specific configuration so you can fine-tune various
+	# backing providers for Vagrant. These expose provider-specific options.
+	# Example for VirtualBox:
+	#
+	# config.vm.provider "virtualbox" do |vb|
+	#   # Display the VirtualBox GUI when booting the machine
+	#   vb.gui = true
+	#
+	#   # Customize the amount of memory on the VM:
+	#   vb.memory = "1024"
+	# end
+	#
+	# View the documentation for the provider you are using for more
+	# information on available options.
+
+	# Define a Vagrant Push strategy for pushing to Atlas. Other push strategies
+	# such as FTP and Heroku are also available. See the documentation at
+	# https://docs.vagrantup.com/v2/push/atlas.html for more information.
+	# config.push.define "atlas" do |push|
+	#   push.app = "YOUR_ATLAS_USERNAME/YOUR_APPLICATION_NAME"
+	# end
+
+	# Enable provisioning with a shell script. Additional provisioners such as
+	# Puppet, Chef, Ansible, Salt, and Docker are also available. Please see the
+	# documentation for more information about their specific syntax and use.
+	# config.vm.provision "shell", inline: <<-SHELL
+	#   apt-get update
+	#   apt-get install -y apache2
+	# SHELL
+	config.vm.provision :shell,
+	  path: "vagrant-libs/bootstrap.sh"
   end
-  baseimage_path = File.absolute_path(BASEIMAGE_PATH, ROOT)
-  if File.directory?(baseimage_path)
-    config.vm.synced_folder baseimage_path, "/vagrant/baseimage-docker"
-  end
-  dockerizer_path = File.absolute_path(DOCKERIZER_PATH, ROOT)
-  if File.directory?(dockerizer_path)
-    config.vm.synced_folder dockerizer_path, '/vagrant/dockerizer'
-  end
-
-  config.vm.provider :vmware_fusion do |f, override|
-    override.vm.box_url = VMWARE_BOX_URL
-    f.vmx['displayName'] = 'baseimage-docker'
-  end
-
-  if Dir.glob("#{File.dirname(__FILE__)}/.vagrant/machines/default/*/id").empty?
-    config.vm.provision :shell, :inline => $script
-  end
-end

build-multiarch.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+set -e
+set -x
+
+for arch in $ARCHS; do
+    docker pull $NAME:$VERSION-${arch}
+
+    if [[ $TAG_LATEST != 'true' ]]; then 
+        docker manifest create --amend $NAME:$VERSION $NAME:$VERSION-${arch}
+        docker manifest annotate $NAME:$VERSION $NAME:$VERSION-${arch} --arch ${arch}
+    else
+        docker manifest create --amend $NAME:latest $NAME:$VERSION-${arch}
+        docker manifest annotate $NAME:latest $NAME:$VERSION-${arch} --arch ${arch}
+    fi
+done
+
+echo "Push manifests"
+if [[ $TAG_LATEST != 'true' ]]; then 
+    docker manifest push $NAME:$VERSION
+else
+    docker manifest push $NAME:latest
+fi

build.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+set -e
+
+# # Prepare qemu
+# if [ '$QEMU_ARCH' != 'amd64' ]; then
+#     # docker run --rm --privileged multiarch/qemu-user-static:register --reset
+# fi
+
+# Get qemu package
+echo "Getting qemu package for $QEMU_ARCH"
+
+# Fake qemu for amd64 builds to avoid breaking COPY in Dockerfile
+if [[ $QEMU_ARCH == "amd64" ]]; then
+	touch x86_64_qemu-"$QEMU_ARCH"-static.tar.gz
+	mv x86_64_qemu-${QEMU_ARCH}-static.tar.gz image
+else
+	curl -L -o x86_64_qemu-"$QEMU_ARCH"-static.tar.gz https://github.com/multiarch/qemu-user-static/releases/download/"$QEMU_VERSION"/x86_64_qemu-"$QEMU_ARCH"-static.tar.gz
+	mv x86_64_qemu-${QEMU_ARCH}-static.tar.gz image
+fi

image/Dockerfile

@@ -1,16 +1,19 @@
-FROM ubuntu:16.04
-MAINTAINER Phusion <info@phusion.nl>
+ARG BASE_IMAGE=ubuntu:24.04
+FROM $BASE_IMAGE
+
+ARG QEMU_ARCH
+#ADD x86_64_qemu-${QEMU_ARCH}-static.tar.gz /usr/bin
 
 COPY . /bd_build
 
 RUN /bd_build/prepare.sh && \
 	/bd_build/system_services.sh && \
 	/bd_build/utilities.sh && \
-	/bd_build/fix_pam_bug.sh && \
 	/bd_build/cleanup.sh
 
-ENV LANG en_US.UTF-8
-ENV LANGUAGE en_US:en
-ENV LC_ALL en_US.UTF-8
+ENV DEBIAN_FRONTEND="teletype" \
+    LANG="en_US.UTF-8" \
+    LANGUAGE="en_US:en" \
+    LC_ALL="en_US.UTF-8"
 
 CMD ["/sbin/my_init"]

image/bin/install_clean

@@ -0,0 +1,17 @@
+#!/bin/bash -e
+#  Apt installer helper for Docker images
+
+ARGS="$*"
+NO_RECOMMENDS="--no-install-recommends"
+RECOMMENDS="--install-recommends"
+if [[ $ARGS =~ "$RECOMMENDS" ]]; then
+    NO_RECOMMENDS=""
+    ARGS=$(sed "s/$RECOMMENDS//g" <<<"$ARGS")
+fi
+
+echo "Installing $ARGS"
+
+apt-get -q update && apt-get -qy install $NO_RECOMMENDS $ARGS \
+    && apt-get -qy autoremove \
+    && apt-get clean \
+    && rm -r /var/lib/apt/lists/*

image/bin/my_init

@@ -1,359 +1,420 @@
 #!/usr/bin/python3 -u
-import os, os.path, sys, stat, signal, errno, argparse, time, json, re
+# -*- coding: utf-8 -*-
 
-KILL_PROCESS_TIMEOUT = int(os.environ.get('KILL_PROCESS_TIMEOUT', 5))
-KILL_ALL_PROCESSES_TIMEOUT = int(os.environ.get('KILL_ALL_PROCESSES_TIMEOUT', 5))
+import argparse
+import errno
+import json
+import os
+import os.path
+import re
+import signal
+import stat
+import sys
+import time
+
+ENV_INIT_DIRECTORY = os.environ.get('ENV_INIT_DIRECTORY', '/etc/my_init.d')
+
+KILL_PROCESS_TIMEOUT = int(os.environ.get('KILL_PROCESS_TIMEOUT', 30))
+KILL_ALL_PROCESSES_TIMEOUT = int(os.environ.get('KILL_ALL_PROCESSES_TIMEOUT', 30))
 
 LOG_LEVEL_ERROR = 1
-LOG_LEVEL_WARN  = 1
-LOG_LEVEL_INFO  = 2
+LOG_LEVEL_WARN = 1
+LOG_LEVEL_INFO = 2
 LOG_LEVEL_DEBUG = 3
 
-SHENV_NAME_WHITELIST_REGEX = re.compile('[^\w\-_\.]')
+SHENV_NAME_WHITELIST_REGEX = re.compile(r'\W')
 
 log_level = None
 
 terminated_child_processes = {}
 
-class AlarmException(Exception):
-	pass
-
-def error(message):
-	if log_level >= LOG_LEVEL_ERROR:
-		sys.stderr.write("*** %s\n" % message)
-
-def warn(message):
-	if log_level >= LOG_LEVEL_WARN:
-		sys.stderr.write("*** %s\n" % message)
-
-def info(message):
-	if log_level >= LOG_LEVEL_INFO:
-		sys.stderr.write("*** %s\n" % message)
-
-def debug(message):
-	if log_level >= LOG_LEVEL_DEBUG:
-		sys.stderr.write("*** %s\n" % message)
-
-def ignore_signals_and_raise_keyboard_interrupt(signame):
-	signal.signal(signal.SIGTERM, signal.SIG_IGN)
-	signal.signal(signal.SIGINT, signal.SIG_IGN)
-	raise KeyboardInterrupt(signame)
-
-def raise_alarm_exception():
-	raise AlarmException('Alarm')
-
-def listdir(path):
-	try:
-		result = os.stat(path)
-	except OSError:
-		return []
-	if stat.S_ISDIR(result.st_mode):
-		return sorted(os.listdir(path))
-	else:
-		return []
-
-def is_exe(path):
-	try:
-		return os.path.isfile(path) and os.access(path, os.X_OK)
-	except OSError:
-		return False
-
-def import_envvars(clear_existing_environment = True, override_existing_environment = True):
-	if not os.path.exists("/etc/container_environment"):
-		return
-	new_env = {}
-	for envfile in listdir("/etc/container_environment"):
-		name = os.path.basename(envfile)
-		with open("/etc/container_environment/" + envfile, "r") as f:
-			# Text files often end with a trailing newline, which we
-			# don't want to include in the env variable value. See
-			# https://github.com/phusion/baseimage-docker/pull/49
-			value = re.sub('\n\Z', '', f.read())
-		new_env[name] = value
-	if clear_existing_environment:
-		os.environ.clear()
-	for name, value in new_env.items():
-		if override_existing_environment or not name in os.environ:
-			os.environ[name] = value
-
-def export_envvars(to_dir = True):
-	if not os.path.exists("/etc/container_environment"):
-		return
-	shell_dump = ""
-	for name, value in os.environ.items():
-		if name in ['HOME', 'USER', 'GROUP', 'UID', 'GID', 'SHELL']:
-			continue
-		if to_dir:
-			with open("/etc/container_environment/" + name, "w") as f:
-				f.write(value)
-		shell_dump += "export " + sanitize_shenvname(name) + "=" + shquote(value) + "\n"
-	with open("/etc/container_environment.sh", "w") as f:
-		f.write(shell_dump)
-	with open("/etc/container_environment.json", "w") as f:
-		f.write(json.dumps(dict(os.environ)))
-
 _find_unsafe = re.compile(r'[^\w@%+=:,./-]').search
 
-def shquote(s):
-	"""Return a shell-escaped version of the string *s*."""
-	if not s:
-		return "''"
-	if _find_unsafe(s) is None:
-		return s
 
-	# use single quotes, and put single quotes into double quotes
-	# the string $'b is then quoted as '$'"'"'b'
-	return "'" + s.replace("'", "'\"'\"'") + "'"
+class AlarmException(Exception):
+    pass
+
+
+def error(message):
+    if log_level >= LOG_LEVEL_ERROR:
+        sys.stderr.write("*** %s\n" % message)
+
+
+def warn(message):
+    if log_level >= LOG_LEVEL_WARN:
+        sys.stderr.write("*** %s\n" % message)
+
+
+def info(message):
+    if log_level >= LOG_LEVEL_INFO:
+        sys.stderr.write("*** %s\n" % message)
+
+
+def debug(message):
+    if log_level >= LOG_LEVEL_DEBUG:
+        sys.stderr.write("*** %s\n" % message)
+
+
+def ignore_signals_and_raise_keyboard_interrupt(signame):
+    signal.signal(signal.SIGTERM, signal.SIG_IGN)
+    signal.signal(signal.SIGINT, signal.SIG_IGN)
+    raise KeyboardInterrupt(signame)
+
+
+def raise_alarm_exception():
+    raise AlarmException('Alarm')
+
+
+def listdir(path):
+    try:
+        result = os.stat(path)
+    except OSError:
+        return []
+    if stat.S_ISDIR(result.st_mode):
+        return sorted(os.listdir(path))
+    else:
+        return []
+
+
+def is_exe(path):
+    try:
+        return os.path.isfile(path) and os.access(path, os.X_OK)
+    except OSError:
+        return False
+
+
+def import_envvars(clear_existing_environment=True, override_existing_environment=True):
+    if not os.path.exists("/etc/container_environment"):
+        return
+    new_env = {}
+    for envfile in listdir("/etc/container_environment"):
+        name = os.path.basename(envfile)
+        with open("/etc/container_environment/" + envfile, "r") as f:
+            # Text files often end with a trailing newline, which we
+            # don't want to include in the env variable value. See
+            # https://github.com/phusion/baseimage-docker/pull/49
+            value = re.sub('\n\\Z', '', f.read())
+        new_env[name] = value
+    if clear_existing_environment:
+        os.environ.clear()
+    for name, value in new_env.items():
+        if override_existing_environment or name not in os.environ:
+            os.environ[name] = value
+
+
+def export_envvars(to_dir=True):
+    if not os.path.exists("/etc/container_environment"):
+        return
+    shell_dump = ""
+    for name, value in os.environ.items():
+        if name in ['HOME', 'USER', 'GROUP', 'UID', 'GID', 'SHELL']:
+            continue
+        if to_dir:
+            with open("/etc/container_environment/" + name, "w") as f:
+                f.write(value)
+        shell_dump += "export " + sanitize_shenvname(name) + "=" + shquote(value) + "\n"
+    with open("/etc/container_environment.sh", "w") as f:
+        f.write(shell_dump)
+    with open("/etc/container_environment.json", "w") as f:
+        f.write(json.dumps(dict(os.environ)))
+
+
+def shquote(s):
+    """Return a shell-escaped version of the string *s*."""
+    if not s:
+        return "''"
+    if _find_unsafe(s) is None:
+        return s
+
+    # use single quotes, and put single quotes into double quotes
+    # the string $'b is then quoted as '$'"'"'b'
+    return "'" + s.replace("'", "'\"'\"'") + "'"
+
 
 def sanitize_shenvname(s):
-	return re.sub(SHENV_NAME_WHITELIST_REGEX, "_", s)
+    """Return string with [0-9a-zA-Z_] characters"""
+    return re.sub(SHENV_NAME_WHITELIST_REGEX, "_", s)
+
 
 # Waits for the child process with the given PID, while at the same time
 # reaping any other child processes that have exited (e.g. adopted child
 # processes that have terminated).
+
 def waitpid_reap_other_children(pid):
-	global terminated_child_processes
+    global terminated_child_processes
 
-	status = terminated_child_processes.get(pid)
-	if status:
-		# A previous call to waitpid_reap_other_children(),
-		# with an argument not equal to the current argument,
-		# already waited for this process. Return the status
-		# that was obtained back then.
-		del terminated_child_processes[pid]
-		return status
+    status = terminated_child_processes.get(pid)
+    if status:
+        # A previous call to waitpid_reap_other_children(),
+        # with an argument not equal to the current argument,
+        # already waited for this process. Return the status
+        # that was obtained back then.
+        del terminated_child_processes[pid]
+        return status
 
-	done = False
-	status = None
-	while not done:
-		try:
-			# https://github.com/phusion/baseimage-docker/issues/151#issuecomment-92660569
-			this_pid, status = os.waitpid(pid, os.WNOHANG)
-			if this_pid == 0:
-				this_pid, status = os.waitpid(-1, 0)
-			if this_pid == pid:
-				done = True
-			else:
-				# Save status for later.
-				terminated_child_processes[this_pid] = status
-		except OSError as e:
-			if e.errno == errno.ECHILD or e.errno == errno.ESRCH:
-				return None
-			else:
-				raise
-	return status
+    done = False
+    status = None
+    while not done:
+        try:
+            # https://github.com/phusion/baseimage-docker/issues/151#issuecomment-92660569
+            this_pid, status = os.waitpid(pid, os.WNOHANG)
+            if this_pid == 0:
+                this_pid, status = os.waitpid(-1, 0)
+            if this_pid == pid:
+                done = True
+            else:
+                # Save status for later.
+                terminated_child_processes[this_pid] = status
+        except OSError as e:
+            if e.errno == errno.ECHILD or e.errno == errno.ESRCH:
+                return None
+            else:
+                raise
+    return status
+
+
+def stop_child_process(name, pid, signo=signal.SIGTERM, time_limit=KILL_PROCESS_TIMEOUT):
+    info("Shutting down %s (PID %d)..." % (name, pid))
+    try:
+        os.kill(pid, signo)
+    except OSError:
+        pass
+    signal.alarm(time_limit)
+    try:
+        try:
+            waitpid_reap_other_children(pid)
+        except OSError:
+            pass
+    except AlarmException:
+        warn("%s (PID %d) did not shut down in time. Forcing it to exit." % (name, pid))
+        try:
+            os.kill(pid, signal.SIGKILL)
+        except OSError:
+            pass
+        try:
+            waitpid_reap_other_children(pid)
+        except OSError:
+            pass
+    finally:
+        signal.alarm(0)
 
-def stop_child_process(name, pid, signo = signal.SIGTERM, time_limit = KILL_PROCESS_TIMEOUT):
-	info("Shutting down %s (PID %d)..." % (name, pid))
-	try:
-		os.kill(pid, signo)
-	except OSError:
-		pass
-	signal.alarm(time_limit)
-	try:
-		try:
-			waitpid_reap_other_children(pid)
-		except OSError:
-			pass
-	except AlarmException:
-		warn("%s (PID %d) did not shut down in time. Forcing it to exit." % (name, pid))
-		try:
-			os.kill(pid, signal.SIGKILL)
-		except OSError:
-			pass
-		try:
-			waitpid_reap_other_children(pid)
-		except OSError:
-			pass
-	finally:
-		signal.alarm(0)
 
 def run_command_killable(*argv):
-	filename = argv[0]
-	status = None
-	pid = os.spawnvp(os.P_NOWAIT, filename, argv)
-	try:
-		status = waitpid_reap_other_children(pid)
-	except BaseException as s:
-		warn("An error occurred. Aborting.")
-		stop_child_process(filename, pid)
-		raise
-	if status != 0:
-		if status is None:
-			error("%s exited with unknown status\n" % filename)
-		else:
-			error("%s failed with status %d\n" % (filename, os.WEXITSTATUS(status)))
-		sys.exit(1)
+    filename = argv[0]
+    status = None
+    pid = os.spawnvp(os.P_NOWAIT, filename, argv)
+    try:
+        status = waitpid_reap_other_children(pid)
+    except BaseException:
+        warn("An error occurred. Aborting.")
+        stop_child_process(filename, pid)
+        raise
+    if status != 0:
+        if status is None:
+            error("%s exited with unknown status\n" % filename)
+        else:
+            error("%s failed with status %d\n" % (filename, os.WEXITSTATUS(status)))
+        sys.exit(1)
+
 
 def run_command_killable_and_import_envvars(*argv):
-	run_command_killable(*argv)
-	import_envvars()
-	export_envvars(False)
+    run_command_killable(*argv)
+    import_envvars()
+    export_envvars(False)
+
 
 def kill_all_processes(time_limit):
-	info("Killing all processes...")
-	try:
-		os.kill(-1, signal.SIGTERM)
-	except OSError:
-		pass
-	signal.alarm(time_limit)
-	try:
-		# Wait until no more child processes exist.
-		done = False
-		while not done:
-			try:
-				os.waitpid(-1, 0)
-			except OSError as e:
-				if e.errno == errno.ECHILD:
-					done = True
-				else:
-					raise
-	except AlarmException:
-		warn("Not all processes have exited in time. Forcing them to exit.")
-		try:
-			os.kill(-1, signal.SIGKILL)
-		except OSError:
-			pass
-	finally:
-		signal.alarm(0)
+    info("Killing all processes...")
+    try:
+        os.kill(-1, signal.SIGTERM)
+    except OSError:
+        pass
+    signal.alarm(time_limit)
+    try:
+        # Wait until no more child processes exist.
+        done = False
+        while not done:
+            try:
+                os.waitpid(-1, 0)
+            except OSError as e:
+                if e.errno == errno.ECHILD:
+                    done = True
+                else:
+                    raise
+    except AlarmException:
+        warn("Not all processes have exited in time. Forcing them to exit.")
+        try:
+            os.kill(-1, signal.SIGKILL)
+        except OSError:
+            pass
+    finally:
+        signal.alarm(0)
+
 
 def run_startup_files():
-	# Run /etc/my_init.d/*
-	for name in listdir("/etc/my_init.d"):
-		filename = "/etc/my_init.d/" + name
-		if is_exe(filename):
-			info("Running %s..." % filename)
-			run_command_killable_and_import_envvars(filename)
+    # Run ENV_INIT_DIRECTORY/*
+    for name in listdir(ENV_INIT_DIRECTORY):
+        filename = os.path.join(ENV_INIT_DIRECTORY, name)
+        if is_exe(filename):
+            info("Running %s..." % filename)
+            run_command_killable_and_import_envvars(filename)
+
+    # Run /etc/rc.local.
+    if is_exe("/etc/rc.local"):
+        info("Running /etc/rc.local...")
+        run_command_killable_and_import_envvars("/etc/rc.local")
+
+
+def run_pre_shutdown_scripts():
+    debug("Running pre-shutdown scripts...")
+
+    # Run /etc/my_init.pre_shutdown.d/*
+    for name in listdir("/etc/my_init.pre_shutdown.d"):
+        filename = "/etc/my_init.pre_shutdown.d/" + name
+        if is_exe(filename):
+            info("Running %s..." % filename)
+            run_command_killable(filename)
+
+
+def run_post_shutdown_scripts():
+    debug("Running post-shutdown scripts...")
+
+    # Run /etc/my_init.post_shutdown.d/*
+    for name in listdir("/etc/my_init.post_shutdown.d"):
+        filename = "/etc/my_init.post_shutdown.d/" + name
+        if is_exe(filename):
+            info("Running %s..." % filename)
+            run_command_killable(filename)
 
-	# Run /etc/rc.local.
-	if is_exe("/etc/rc.local"):
-		info("Running /etc/rc.local...")
-		run_command_killable_and_import_envvars("/etc/rc.local")
 
 def start_runit():
-	info("Booting runit daemon...")
-	pid = os.spawnl(os.P_NOWAIT, "/usr/bin/runsvdir", "/usr/bin/runsvdir",
-		"-P", "/etc/service")
-	info("Runit started as PID %d" % pid)
-	return pid
+    info("Booting runit daemon...")
+    pid = os.spawnl(os.P_NOWAIT, "/usr/bin/runsvdir", "/usr/bin/runsvdir",
+                    "-P", "/etc/service")
+    info("Runit started as PID %d" % pid)
+    return pid
+
 
 def wait_for_runit_or_interrupt(pid):
-	try:
-		status = waitpid_reap_other_children(pid)
-		return (True, status)
-	except KeyboardInterrupt:
-		return (False, None)
+	status = waitpid_reap_other_children(pid)
+	return (True, status)
+
+
+def shutdown_runit_services(quiet=False):
+    if not quiet:
+        debug("Begin shutting down runit services...")
+    os.system("/usr/bin/sv -w %d force-stop /etc/service/* > /dev/null" % KILL_PROCESS_TIMEOUT)
 
-def shutdown_runit_services(quiet = False):
-	if not quiet:
-		debug("Begin shutting down runit services...")
-	os.system("/usr/bin/sv -w %d down /etc/service/*", KILL_PROCESS_TIMEOUT)
 
 def wait_for_runit_services():
-	debug("Waiting for runit services to exit...")
-	done = False
-	while not done:
-		done = os.system("/usr/bin/sv status /etc/service/* | grep -q '^run:'") != 0
-		if not done:
-			time.sleep(0.1)
-			# According to https://github.com/phusion/baseimage-docker/issues/315
-			# there is a bug or race condition in Runit, causing it
-			# not to shutdown services that are already being started.
-			# So during shutdown we repeatedly instruct Runit to shutdown
-			# services.
-			shutdown_runit_services(True)
+    debug("Waiting for runit services to exit...")
+    done = False
+    while not done:
+        done = os.system("/usr/bin/sv status /etc/service/* | grep -q '^run:'") != 0
+        if not done:
+            time.sleep(0.1)
+            # According to https://github.com/phusion/baseimage-docker/issues/315
+            # there is a bug or race condition in Runit, causing it
+            # not to shutdown services that are already being started.
+            # So during shutdown we repeatedly instruct Runit to shutdown
+            # services.
+            shutdown_runit_services(True)
+
 
 def install_insecure_key():
-	info("Installing insecure SSH key for user root")
-	run_command_killable("/usr/sbin/enable_insecure_key")
+    info("Installing insecure SSH key for user root")
+    run_command_killable("/usr/sbin/enable_insecure_key")
+
 
 def main(args):
-	import_envvars(False, False)
-	export_envvars()
+    import_envvars(False, False)
+    export_envvars()
 
-	if args.enable_insecure_key:
-		install_insecure_key()
+    if args.enable_insecure_key:
+        install_insecure_key()
 
-	if not args.skip_startup_files:
-		run_startup_files()
+    if not args.skip_startup_files:
+        run_startup_files()
 
-	runit_exited = False
-	exit_code = None
+    runit_exited = False
+    exit_code = None
 
-	if not args.skip_runit:
-		runit_pid = start_runit()
-	try:
-		exit_status = None
-		if len(args.main_command) == 0:
-			runit_exited, exit_code = wait_for_runit_or_interrupt(runit_pid)
-			if runit_exited:
-				if exit_code is None:
-					info("Runit exited with unknown status")
-					exit_status = 1
-				else:
-					exit_status = os.WEXITSTATUS(exit_code)
-					info("Runit exited with status %d" % exit_status)
-		else:
-			info("Running %s..." % " ".join(args.main_command))
-			pid = os.spawnvp(os.P_NOWAIT, args.main_command[0], args.main_command)
-			try:
-				exit_code = waitpid_reap_other_children(pid)
-				if exit_code is None:
-					info("%s exited with unknown status." % args.main_command[0])
-					exit_status = 1
-				else:
-					exit_status = os.WEXITSTATUS(exit_code)
-					info("%s exited with status %d." % (args.main_command[0], exit_status))
-			except KeyboardInterrupt:
-				stop_child_process(args.main_command[0], pid)
-				raise
-			except BaseException as s:
-				warn("An error occurred. Aborting.")
-				stop_child_process(args.main_command[0], pid)
-				raise
-		sys.exit(exit_status)
-	finally:
-		if not args.skip_runit:
-			shutdown_runit_services()
-			if not runit_exited:
-				stop_child_process("runit daemon", runit_pid)
-			wait_for_runit_services()
+    if not args.skip_runit:
+        runit_pid = start_runit()
+    try:
+        exit_status = None
+        if len(args.main_command) == 0:
+            runit_exited, exit_code = wait_for_runit_or_interrupt(runit_pid)
+            if runit_exited:
+                if exit_code is None:
+                    info("Runit exited with unknown status")
+                    exit_status = 1
+                else:
+                    exit_status = os.WEXITSTATUS(exit_code)
+                    info("Runit exited with status %d" % exit_status)
+        else:
+            info("Running %s..." % " ".join(args.main_command))
+            pid = os.spawnvp(os.P_NOWAIT, args.main_command[0], args.main_command)
+            try:
+                exit_code = waitpid_reap_other_children(pid)
+                if exit_code is None:
+                    info("%s exited with unknown status." % args.main_command[0])
+                    exit_status = 1
+                else:
+                    exit_status = os.WEXITSTATUS(exit_code)
+                    info("%s exited with status %d." % (args.main_command[0], exit_status))
+            except KeyboardInterrupt:
+                stop_child_process(args.main_command[0], pid)
+                raise
+            except BaseException:
+                warn("An error occurred. Aborting.")
+                stop_child_process(args.main_command[0], pid)
+                raise
+        sys.exit(exit_status)
+    finally:
+        if not args.skip_runit:
+            run_pre_shutdown_scripts()
+            shutdown_runit_services()
+            if not runit_exited:
+                stop_child_process("runit daemon", runit_pid)
+            wait_for_runit_services()
+            run_post_shutdown_scripts()
 
 # Parse options.
-parser = argparse.ArgumentParser(description = 'Initialize the system.')
-parser.add_argument('main_command', metavar = 'MAIN_COMMAND', type = str, nargs = '*',
-	help = 'The main command to run. (default: runit)')
-parser.add_argument('--enable-insecure-key', dest = 'enable_insecure_key',
-	action = 'store_const', const = True, default = False,
-	help = 'Install the insecure SSH key')
-parser.add_argument('--skip-startup-files', dest = 'skip_startup_files',
-	action = 'store_const', const = True, default = False,
-	help = 'Skip running /etc/my_init.d/* and /etc/rc.local')
-parser.add_argument('--skip-runit', dest = 'skip_runit',
-	action = 'store_const', const = True, default = False,
-	help = 'Do not run runit services')
-parser.add_argument('--no-kill-all-on-exit', dest = 'kill_all_on_exit',
-	action = 'store_const', const = False, default = True,
-	help = 'Don\'t kill all processes on the system upon exiting')
-parser.add_argument('--quiet', dest = 'log_level',
-	action = 'store_const', const = LOG_LEVEL_WARN, default = LOG_LEVEL_INFO,
-	help = 'Only print warnings and errors')
+parser = argparse.ArgumentParser(description='Initialize the system.')
+parser.add_argument('main_command', metavar='MAIN_COMMAND', type=str, nargs='*',
+                    help='The main command to run. (default: runit)')
+parser.add_argument('--enable-insecure-key', dest='enable_insecure_key',
+                    action='store_const', const=True, default=False,
+                    help='Install the insecure SSH key')
+parser.add_argument('--skip-startup-files', dest='skip_startup_files',
+                    action='store_const', const=True, default=False,
+                    help='Skip running /etc/my_init.d/* and /etc/rc.local')
+parser.add_argument('--skip-runit', dest='skip_runit',
+                    action='store_const', const=True, default=False,
+                    help='Do not run runit services')
+parser.add_argument('--no-kill-all-on-exit', dest='kill_all_on_exit',
+                    action='store_const', const=False, default=True,
+                    help='Don\'t kill all processes on the system upon exiting')
+parser.add_argument('--quiet', dest='log_level',
+                    action='store_const', const=LOG_LEVEL_WARN, default=LOG_LEVEL_INFO,
+                    help='Only print warnings and errors')
 args = parser.parse_args()
 log_level = args.log_level
 
 if args.skip_runit and len(args.main_command) == 0:
-	error("When --skip-runit is given, you must also pass a main command.")
-	sys.exit(1)
+    error("When --skip-runit is given, you must also pass a main command.")
+    sys.exit(1)
 
 # Run main function.
 signal.signal(signal.SIGTERM, lambda signum, frame: ignore_signals_and_raise_keyboard_interrupt('SIGTERM'))
 signal.signal(signal.SIGINT, lambda signum, frame: ignore_signals_and_raise_keyboard_interrupt('SIGINT'))
 signal.signal(signal.SIGALRM, lambda signum, frame: raise_alarm_exception())
 try:
-	main(args)
+    main(args)
 except KeyboardInterrupt:
-	warn("Init system aborted.")
-	exit(2)
+    warn("Init system aborted.")
+    exit(2)
 finally:
-	if args.kill_all_on_exit:
-		kill_all_processes(KILL_ALL_PROCESSES_TIMEOUT)
+    if args.kill_all_on_exit:
+        kill_all_processes(KILL_ALL_PROCESSES_TIMEOUT)

image/bin/setuser

@@ -1,4 +1,5 @@
 #!/usr/bin/python3
+
 '''
 Copyright (c) 2013-2015 Phusion Holding B.V.
 

image/cleanup.sh

@@ -8,4 +8,8 @@ find /bd_build/ -not \( -name 'bd_build' -or -name 'buildconfig' -or -name 'clea
 rm -rf /tmp/* /var/tmp/*
 rm -rf /var/lib/apt/lists/*
 
+# clean up python bytecode
+find / -mount -name *.pyc -delete
+find / -mount -name *__pycache__* -delete
+
 rm -f /etc/ssh/ssh_host_*

image/fix_pam_bug.sh

@@ -1,33 +0,0 @@
-#!/bin/bash
-set -e
-source /bd_build/buildconfig
-set -x
-
-# Fixes https://github.com/docker/docker/issues/6345
-# The Github is closed, but some apps such as pbuilder still triggers it.
-
-export CONFIGURE_OPTS=--disable-audit
-cd /tmp
-
-$minimal_apt_get_install gdebi-core
-apt-get build-dep -y --no-install-recommends pam
-apt-get source -y -b pam
-gdebi -n libpam-doc*.deb libpam-modules*.deb libpam-runtime*.deb libpam0g*.deb
-rm -rf *.deb *.gz *.dsc *.changes pam-*
-
-# Unfortunately there is no way to automatically remove build deps, so we do this manually.
-apt-get remove -y gdebi-core autoconf automake autopoint autotools-dev binutils bsdmainutils \
-	build-essential bzip2 cpp cpp-5 debhelper dh-autoreconf dh-strip-nondeterminism \
-	diffstat docbook-xml docbook-xsl dpkg-dev flex g++ g++-5 gcc gcc-5 gettext gettext-base \
-	groff-base intltool-debian libarchive-zip-perl libasan2 libasprintf0v5 libatomic1 \
-	libaudit-dev libc-dev-bin libc6-dev libcc1-0 libcilkrts5 libcrack2 libcrack2-dev libcroco3 \
-	libdb-dev libdb5.3-dev libdpkg-perl libfile-stripnondeterminism-perl libfl-dev libgc1c2 \
-	libgcc-5-dev libgdbm3 libgomp1 libgpm2 libicu55 libisl15 libitm1 liblsan0 libmpc3 \
-	libmpfr4 libmpx0 libpcre16-3 libpcre3-dev libpcre32-3 libpcrecpp0v5 libperl5.22 \
-	libpipeline1 libquadmath0 libselinux1-dev libsepol1-dev libsigsegv2 libstdc++-5-dev \
-	libtimedate-perl libtool libtsan0 libubsan0 libunistring0 libxml2 libxml2-utils \
-	libxslt1.1 linux-libc-dev m4 make man-db patch perl perl-modules-5.22 pkg-config \
-	po-debconf quilt sgml-base sgml-data w3m xml-core xsltproc xz-utils
-
-apt-get remove -y gdebi-core
-apt-get autoremove -y

image/prepare.sh

@@ -10,9 +10,13 @@ export INITRD=no
 mkdir -p /etc/container_environment
 echo -n no > /etc/container_environment/INITRD
 
-## Enable Ubuntu Universe and Multiverse.
-sed -i 's/^#\s*\(deb.*universe\)$/\1/g' /etc/apt/sources.list
-sed -i 's/^#\s*\(deb.*multiverse\)$/\1/g' /etc/apt/sources.list
+## Enable Ubuntu Universe, Multiverse, and deb-src for main.
+if grep -E '^ID=' /etc/os-release | grep -q ubuntu; then
+  sed -i 's/^#\s*\(deb.*main restricted\)$/\1/g' /etc/apt/sources.list
+  sed -i 's/^#\s*\(deb.*universe\)$/\1/g' /etc/apt/sources.list
+  sed -i 's/^#\s*\(deb.*multiverse\)$/\1/g' /etc/apt/sources.list
+fi
+
 apt-get update
 
 ## Fix some issues with APT packages.
@@ -27,6 +31,9 @@ ln -sf /bin/true /sbin/initctl
 dpkg-divert --local --rename --add /usr/bin/ischroot
 ln -sf /bin/true /usr/bin/ischroot
 
+# apt-utils fix for Ubuntu 16.04
+$minimal_apt_get_install apt-utils
+
 ## Install HTTPS support for APT.
 $minimal_apt_get_install apt-transport-https ca-certificates
 
@@ -34,10 +41,20 @@ $minimal_apt_get_install apt-transport-https ca-certificates
 $minimal_apt_get_install software-properties-common
 
 ## Upgrade all packages.
-apt-get dist-upgrade -y --no-install-recommends
+apt-get dist-upgrade -y --no-install-recommends -o Dpkg::Options::="--force-confold"
 
 ## Fix locale.
-$minimal_apt_get_install language-pack-en
+case $(lsb_release -is) in
+  Ubuntu)
+    $minimal_apt_get_install language-pack-en
+    ;;
+  Debian)
+    $minimal_apt_get_install locales locales-all
+    echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
+    ;;
+  *)
+    ;;
+esac
 locale-gen en_US
 update-locale LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8
 echo -n en_US.UTF-8 > /etc/container_environment/LANG

image/services/cron/cron.runit

@@ -1,2 +1,8 @@
 #!/bin/sh
+
+# Touch cron files to fix 'NUMBER OF HARD LINKS > 1' issue. See  https://github.com/phusion/baseimage-docker/issues/198
+touch -c /var/spool/cron/crontabs/*
+touch -c /etc/crontab
+touch -c /etc/cron.d/* /etc/cron.daily/* /etc/cron.hourly/* /etc/cron.monthly/* /etc/cron.weekly/*
+
 exec /usr/sbin/cron -f

image/services/cron/cron.sh

@@ -17,3 +17,4 @@ rm -f /etc/cron.daily/upstart
 rm -f /etc/cron.daily/dpkg
 rm -f /etc/cron.daily/password
 rm -f /etc/cron.weekly/fstrim
+rm -f /etc/cron.d/e2scrub_all

image/services/syslog-ng/logrotate.conf

@@ -18,19 +18,4 @@ create
 # packages drop log rotation information into this directory
 include /etc/logrotate.d
 
-# no packages own wtmp, or btmp -- we'll rotate them here
-/var/log/wtmp {
-    missingok
-    monthly
-    create 0664 root utmp
-    rotate 1
-}
-
-/var/log/btmp {
-    missingok
-    monthly
-    create 0660 root utmp
-    rotate 1
-}
-
 # system-specific logs may be configured here

image/services/syslog-ng/logrotate_syslogng

@@ -1,5 +1,4 @@
-/var/log/syslog
-{
+/var/log/syslog {
 	rotate 7
 	daily
 	missingok
@@ -7,8 +6,9 @@
 	delaycompress
 	compress
 	postrotate
-		sv reload syslog-ng > /dev/null
-		sv restart syslog-forwarder > /dev/null
+		if [ -f /var/run/syslog-ng.pid ]; then
+			kill -HUP `cat /var/run/syslog-ng.pid`
+		fi
 	endscript
 }
 
@@ -23,8 +23,7 @@
 /var/log/lpr.log
 /var/log/cron.log
 /var/log/debug
-/var/log/messages
-{
+/var/log/messages {
 	rotate 4
 	weekly
 	missingok
@@ -33,7 +32,8 @@
 	delaycompress
 	sharedscripts
 	postrotate
-		sv reload syslog-ng > /dev/null
-		sv restart syslog-forwarder > /dev/null
+		if [ -f /var/run/syslog-ng.pid ]; then
+			kill -HUP `cat /var/run/syslog-ng.pid`
+		fi
 	endscript
 }

image/services/syslog-ng/smart-multi-line.fsm

@@ -0,0 +1,83 @@
+#
+# Copyright 2023 Balazs Scheidler
+# Copyright 2016 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# The regular expressions were extracted from
+# https://github.com/GoogleCloudPlatform/fluent-plugin-detect-exceptions
+# and converted into a TSV format by Balazs Scheidler.
+#
+# List of tab separated fields
+#
+# comma-separated-states /regexp/ new_state
+#
+
+# java
+start_state,java_start_exception	/(?:Exception|Error|Throwable|V8 errors stack trace)[:\r\n]/	java_after_exception
+java_after_exception	/^[\t ]*nested exception is:[\t ]*/	java_start_exception
+java_after_exception	/^[\r\n]*$/	java_after_exception
+java_after_exception,java	/^[\t ]+(?:eval )?at /	java
+java_after_exception,java	/^[\t ]+--- End of inner exception stack trace ---$/	java
+java_after_exception,java	/^--- End of stack trace from previous location where exception was thrown ---$/	java
+java_after_exception,java	/^[\t ]*(?:Caused by|Suppressed):/	java_after_exception
+java_after_exception,java	/^[\t ]*... \d+ (?:more|common frames omitted)/	java
+
+# python
+start_state	/^Traceback \(most recent call last\):$/	python
+python	/^[\t ]*File /	python_code
+python_code	/[^\t ]/	python
+python	/^(?:[^\s.():]+\.)*[^\s.():]+:/	start_state
+
+# PHP
+start_state	/(?:PHP\ (?:Notice|Parse\ error|Fatal\ error|Warning):)|(?:exception\ '[^']+'\ with\ message\ ')/	php_stack_begin
+php_stack_begin	/^Stack trace:/	php_stack_frames
+php_stack_frames	/^#\d/	php_stack_frames
+php_stack_frames	/^\s+thrown in /	start_state
+
+# Go
+start_state	/\bpanic: /	go_after_panic
+start_state	/http: panic serving/	go_goroutine
+go_after_panic,go_after_signal,go_frame_1	/^$/	go_goroutine
+go_after_panic	/^\[signal /	go_after_signal
+go_goroutine	/^goroutine \d+ \[[^\]]+\]:$/	go_frame_1
+go_frame_1	/^(?:[^\s.:]+\.)*[^\s.():]+\(|^created by /	go_frame_2
+go_frame_2	/^\s/	go_frame_1
+
+# Ruby
+start_state	/Error \(.*\):$/	ruby_before_rails_trace
+ruby_before_rails_trace	/^  $/	ruby
+ruby_before_rails_trace	/^[\t ]+.*?\.rb:\d+:in `/	ruby
+ruby	/^[\t ]+.*?\.rb:\d+:in `/	ruby
+
+# Dart
+start_state	/^Unhandled exception:$/	dart_exc
+dart_exc	/^(Instance of)|(Exception)|(Bad state)|(IntegerDivisionByZeroException)|(Invalid argument)|(RangeError)|(Assertion failed)|(Cannot instantiate)|(Reading static variable)|(UnimplementedError)|(Unsupported operation)|(Concurrent modification)|(Out of Memory)|(Stack Overflow)/	dart_stack
+dart_exc	/^'.+?':.+?$/	dart_type_err_1
+dart_type_err_1	/^#\d+\s+.+?\(.+?\)$/	dart_stack
+dart_type_err_1	/^.+?$/	dart_type_err_2
+dart_type_err_2	/^.*?\^.*?$/	dart_type_err_3
+dart_type_err_3	/^$/	dart_type_err_4
+dart_type_err_4	/^$/	dart_stack
+dart_exc	/^FormatException/	dart_format_err_1
+dart_format_err_1	/^#\d+\s+.+?\(.+?\)$/	dart_stack
+dart_format_err_1	/^./	dart_format_err_2
+dart_format_err_2	/^.*?\^/	dart_format_err_3
+dart_format_err_3	/^$/	dart_stack
+dart_exc	/^NoSuchMethodError:/	dart_method_err_1
+dart_method_err_1	/^Receiver:/	dart_method_err_2
+dart_method_err_2	/^Tried calling:/	dart_method_err_3
+dart_method_err_3	/^Found:/	dart_stack
+dart_method_err_3	/^#\d+\s+.+?\(.+?\)$/	dart_stack
+dart_stack	/^#\d+\s+.+?\(.+?\)$/	dart_stack
+dart_stack	/^<asynchronous suspension>$/	dart_stack

image/services/syslog-ng/syslog-forwarder.runit

@@ -1,2 +0,0 @@
-#!/bin/sh
-exec tail -F -n 0 /var/log/syslog

image/services/syslog-ng/syslog-ng.conf

@@ -1,14 +1,13 @@
-@version: 3.5
+@version: 4.3
 @include "scl.conf"
-@include "`scl-root`/system/tty10.conf"
 
 # Syslog-ng configuration file, compatible with default Debian syslogd
 # installation.
 
 # First, set some global options.
 options { chain_hostnames(off); flush_lines(0); use_dns(no); use_fqdn(no);
-	  owner("root"); group("adm"); perm(0640); stats_freq(0);
-	  bad_hostname("^gconfd$");
+	  dns_cache(no); owner("root"); group("adm"); perm(0640);
+	  stats(freq(0)); bad_hostname("^gconfd$");
 };
 
 ########################
@@ -54,7 +53,7 @@ destination d_newscrit { file("/var/log/news/news.crit"); };
 destination d_newserr { file("/var/log/news/news.err"); };
 destination d_newsnotice { file("/var/log/news/news.notice"); };
 
-# Some `catch-all' logfiles.
+# Some 'catch-all' logfiles.
 #
 destination d_debug { file("/var/log/debug"); };
 destination d_error { file("/var/log/error"); };
@@ -74,10 +73,13 @@ destination d_xconsole { pipe("/dev/xconsole"); };
 # Debian only
 destination d_ppp { file("/var/log/ppp.log"); };
 
+# stdout for docker
+destination d_stdout { ##SYSLOG_OUTPUT_MODE_DEV_STDOUT##("/dev/stdout"); };
+
 ########################
 # Filters
 ########################
-# Here's come the filter options. With this rules, we can set which 
+# Here's come the filter options. With this rules, we can set which
 # message go where.
 
 filter f_dbg { level(debug); };
@@ -89,7 +91,7 @@ filter f_crit { level(crit .. emerg); };
 
 filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };
 filter f_error { level(err .. emerg) ; };
-filter f_messages { level(info,notice,warn) and 
+filter f_messages { level(info,notice,warn) and
                     not facility(auth,authpriv,cron,daemon,mail,news); };
 
 filter f_auth { facility(auth, authpriv) and not filter(f_debug); };
@@ -119,7 +121,7 @@ log { source(s_src); filter(f_cron); destination(d_cron); };
 log { source(s_src); filter(f_daemon); destination(d_daemon); };
 log { source(s_src); filter(f_kern); destination(d_kern); };
 log { source(s_src); filter(f_lpr); destination(d_lpr); };
-log { source(s_src); filter(f_syslog3); destination(d_syslog); };
+log { source(s_src); filter(f_syslog3); destination(d_syslog); destination(d_stdout); };
 log { source(s_src); filter(f_user); destination(d_user); };
 log { source(s_src); filter(f_uucp); destination(d_uucp); };
 
@@ -131,6 +133,8 @@ log { source(s_src); filter(f_mail); destination(d_mail); };
 log { source(s_src); filter(f_news); filter(f_crit); destination(d_newscrit); };
 log { source(s_src); filter(f_news); filter(f_err); destination(d_newserr); };
 log { source(s_src); filter(f_news); filter(f_notice); destination(d_newsnotice); };
+#log { source(s_src); filter(f_cnews); destination(d_console_all); };
+#log { source(s_src); filter(f_cother); destination(d_console_all); };
 
 #log { source(s_src); filter(f_ppp); destination(d_ppp); };
 

image/services/syslog-ng/syslog-ng.init

@@ -0,0 +1,45 @@
+#!/bin/bash
+set -em
+
+# If /dev/log is either a named pipe or it was placed there accidentally,
+# e.g. because of the issue documented at https://github.com/phusion/baseimage-docker/pull/25,
+# then we remove it.
+if [ ! -S /dev/log ]; then rm -f /dev/log; fi
+if [ ! -S /var/lib/syslog-ng/syslog-ng.ctl ]; then rm -f /var/lib/syslog-ng/syslog-ng.ctl; fi
+
+# determine output mode on /dev/stdout because of the issue documented at https://github.com/phusion/baseimage-docker/issues/468
+if [ -p /dev/stdout ]; then
+  sed -i 's/##SYSLOG_OUTPUT_MODE_DEV_STDOUT##/pipe/' /etc/syslog-ng/syslog-ng.conf
+else
+  sed -i 's/##SYSLOG_OUTPUT_MODE_DEV_STDOUT##/file/' /etc/syslog-ng/syslog-ng.conf
+fi
+
+# If /var/log is writable by another user logrotate will fail
+/bin/chown root:root /var/log
+/bin/chmod 0755 /var/log
+
+PIDFILE="/var/run/syslog-ng.pid"
+SYSLOGNG_OPTS=""
+
+[ -r /etc/default/syslog-ng ] && . /etc/default/syslog-ng
+
+syslogng_wait() {
+    if [ "$2" -ne 0 ]; then
+        return 1
+    fi
+
+    RET=1
+    for i in $(seq 1 30); do
+        status=0
+        syslog-ng-ctl stats >/dev/null 2>&1 || status=$?
+        if [ "$status" != "$1" ]; then
+            RET=0
+            break
+        fi
+        sleep 1s
+    done
+    return $RET
+}
+
+/usr/sbin/syslog-ng --pidfile "$PIDFILE" -F $SYSLOGNG_OPTS &
+syslogng_wait 1 $?

image/services/syslog-ng/syslog-ng.runit

@@ -1,32 +0,0 @@
-#!/bin/sh
-set -e
-
-# If /dev/log is either a named pipe or it was placed there accidentally,
-# e.g. because of the issue documented at https://github.com/phusion/baseimage-docker/pull/25,
-# then we remove it.
-if [ ! -S /dev/log ]; then rm -f /dev/log; fi
-if [ ! -S /var/lib/syslog-ng/syslog-ng.ctl ]; then rm -f /var/lib/syslog-ng/syslog-ng.ctl; fi
-
-SYSLOGNG_OPTS=""
-
-[ -r /etc/default/syslog-ng ] && . /etc/default/syslog-ng
-
-case "x$CONSOLE_LOG_LEVEL" in
-  x[1-8])
-    dmesg -n $CONSOLE_LOG_LEVEL
-    ;;
-  x)
-    ;;
-  *)
-    echo "CONSOLE_LOG_LEVEL is of unaccepted value."
-    ;;
-esac
-
-if [ ! -e /dev/xconsole ]
-then
-  mknod -m 640 /dev/xconsole p
-  chown root:adm /dev/xconsole
-  [ -x /sbin/restorecon ] && /sbin/restorecon $XCONSOLE
-fi
-
-exec syslog-ng -F -p /var/run/syslog-ng.pid $SYSLOGNG_OPTS

image/services/syslog-ng/syslog-ng.sh

@@ -7,18 +7,15 @@ SYSLOG_NG_BUILD_PATH=/bd_build/services/syslog-ng
 
 ## Install a syslog daemon.
 $minimal_apt_get_install syslog-ng-core
-mkdir /etc/service/syslog-ng
-cp $SYSLOG_NG_BUILD_PATH/syslog-ng.runit /etc/service/syslog-ng/run
+cp $SYSLOG_NG_BUILD_PATH/syslog-ng.init /etc/my_init.d/10_syslog-ng.init
+cp $SYSLOG_NG_BUILD_PATH/syslog-ng.shutdown /etc/my_init.post_shutdown.d/10_syslog-ng.shutdown
+cp $SYSLOG_NG_BUILD_PATH/smart-multi-line.fsm /usr/share/syslog-ng/smart-multi-line.fsm
 mkdir -p /var/lib/syslog-ng
 cp $SYSLOG_NG_BUILD_PATH/syslog_ng_default /etc/default/syslog-ng
 touch /var/log/syslog
 chmod u=rw,g=r,o= /var/log/syslog
 cp $SYSLOG_NG_BUILD_PATH/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
 
-## Install syslog to "docker logs" forwarder.
-mkdir /etc/service/syslog-forwarder
-cp $SYSLOG_NG_BUILD_PATH/syslog-forwarder.runit /etc/service/syslog-forwarder/run
-
 ## Install logrotate.
 $minimal_apt_get_install logrotate
 cp $SYSLOG_NG_BUILD_PATH/logrotate.conf /etc/logrotate.conf

image/services/syslog-ng/syslog-ng.shutdown

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+PIDFILE="/var/run/syslog-ng.pid"
+
+syslogng_wait() {
+    if [ "$2" -ne 0 ]; then
+        return 1
+    fi
+
+    RET=1
+    for i in $(seq 1 30); do
+        status=0
+        syslog-ng-ctl stats >/dev/null 2>&1 || status=$?
+        if [ "$status" != "$1" ]; then
+            RET=0
+            break
+        fi
+        sleep 1s
+    done
+    return $RET
+}
+
+if [ -f "$PIDFILE" ]; then
+    kill $(cat "$PIDFILE")
+fi
+
+syslogng_wait 0 $?

image/system_services.sh

@@ -6,6 +6,8 @@ set -x
 ## Install init process.
 cp /bd_build/bin/my_init /sbin/
 mkdir -p /etc/my_init.d
+mkdir -p /etc/my_init.pre_shutdown.d
+mkdir -p /etc/my_init.post_shutdown.d
 mkdir -p /etc/container_environment
 touch /etc/container_environment.sh
 touch /etc/container_environment.json

image/utilities.sh

@@ -4,8 +4,11 @@ source /bd_build/buildconfig
 set -x
 
 ## Often used tools.
-$minimal_apt_get_install curl less vim-tiny psmisc
+$minimal_apt_get_install curl less vim-tiny psmisc gpg-agent dirmngr
 ln -s /usr/bin/vim.tiny /usr/bin/vim
 
 ## This tool runs a command as another user and sets $HOME.
 cp /bd_build/bin/setuser /sbin/setuser
+
+## This tool allows installation of apt packages with automatic cache cleanup.
+cp /bd_build/bin/install_clean /sbin/install_clean

test/runner.sh

@@ -14,29 +14,25 @@ function cleanup()
 	docker rm $ID >/dev/null
 }
 
-PWD=`pwd`
-
 echo " --> Starting insecure container"
-ID=`docker run -d -v $PWD/test:/test $NAME:$VERSION /sbin/my_init --enable-insecure-key`
+ID=`docker run -d -p 22 $NAME:$VERSION /sbin/my_init --enable-insecure-key`
 sleep 1
 
-echo " --> Obtaining IP"
-IP=`docker inspect -f "{{ .NetworkSettings.IPAddress }}" "$ID"`
-if [[ "$IP" = "" ]]; then
-	abort "Unable to obtain container IP"
+echo " --> Obtaining SSH port number"
+SSHPORT=`docker inspect --format='{{(index (index .NetworkSettings.Ports "22/tcp") 0).HostPort}}' "$ID"`
+if [[ "$SSHPORT" = "" ]]; then
+	abort "Unable to obtain container SSH port number"
 fi
 
 trap cleanup EXIT
 
 echo " --> Enabling SSH in the container"
-docker exec -t -i $ID /etc/my_init.d/00_regen_ssh_host_keys.sh -f
-docker exec -t -i $ID rm /etc/service/sshd/down
-docker exec -t -i $ID sv start /etc/service/sshd
+docker exec $ID /etc/my_init.d/00_regen_ssh_host_keys.sh -f
+docker exec $ID rm /etc/service/sshd/down
+docker exec $ID sv start /etc/service/sshd
 sleep 1
 
 echo " --> Logging into container and running tests"
-cp image/services/sshd/keys/insecure_key /tmp/insecure_key
-chmod 600 /tmp/insecure_key
 sleep 1 # Give container some more time to start up.
-ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i /tmp/insecure_key root@$IP \
-	/bin/bash /test/test.sh
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+tools/docker-ssh $ID bash < test/test.sh

tools/docker-ssh

@@ -58,6 +58,13 @@ fi
 
 KNOWN_HOSTS_FILE=`mktemp /tmp/docker-ssh.XXXXXXXXX`
 IP=`docker inspect -f "{{ .NetworkSettings.IPAddress }}" "$CONTAINER_ID"`
+PORT=`docker inspect -f '{{(index (index .NetworkSettings.Ports "22/tcp") 0).HostPort}}' "$CONTAINER_ID"`
+if test "`uname`" = "Darwin"; then
+    IP="127.0.0.1"
+else
+    PORT=22
+fi
+echo "SSHing into $IP:$PORT"
 
 # Prevent SSH from warning about adding a host to the known_hosts file.
 ssh-keyscan "$IP" >"$KNOWN_HOSTS_FILE" 2>&1
@@ -68,6 +75,7 @@ if ! ssh -i ~/.baseimage_docker_insecure_key \
 	-o PasswordAuthentication=no \
 	-o KbdInteractiveAuthentication=no \
 	-o ChallengeResponseAuthentication=no \
+	-p $PORT \
 	"root@$IP" "$@"
 then
 	STATUS=$?

vagrant-libs/bootstrap.sh

@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+set -eux
+
+# Update Packages
+sudo apt-get update
+# sudo apt-get -y upgrade
+# sudo apt-get -y dist-upgrade
+
+# Install Packages
+sudo apt-get install -y build-essential checkinstall libreadline-gplv2-dev \
+    libncursesw5-dev libssl-dev libsqlite3-dev tk-dev libgdbm-dev libc6-dev \
+    libbz2-dev libffi-dev python3-pip unzip lsb-release software-properties-common \
+    curl wget git rsync # python-dev python3-venv
+
+# Install Docker
+sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
+sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
+sudo apt-get update
+sudo apt-cache policy docker-ce
+sudo apt-get install -y docker-ce docker-compose
+# Re-install docker-compose to side-step a bug
+# docker build -t terraform-azure-vm . >> "free(): invalid pointer"
+# https://github.com/docker/for-linux/issues/563
+sudo apt-get remove -y golang-docker-credential-helpers
+sudo curl -L "https://github.com/docker/compose/releases/download/1.25.5/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
+echo '{"experimental": true}' > /etc/docker/daemon.json
+service docker restart
+
+# Add vagrant user to docker group
+sudo usermod -aG docker vagrant
+