Merge pull request #373 from phusion/next

Update README.md regarding ignored env vars.
Merge pull request #370 from phusion/next
2026-03-26 12:29:07 +00:00 · 2017-03-20 21:00:45 -07:00 · 2017-03-20 20:50:22 -07:00 · 2017-03-20 12:49:11 -07:00 · 2017-03-06 14:52:15 +00:00 · 2017-03-06 14:51:22 +00:00
42 changed files with 685 additions and 1307 deletions
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -1,2 +0,0 @@
 github: samip5
 custom: https://www.buymeacoffee.com/skykrypt
--- a/.github/ISSUE_TEMPLATE/bug.md
+++ b/.github/ISSUE_TEMPLATE/bug.md
@@ -1,29 +0,0 @@
 ---
 name: Bug report
 about: Create a report to help us improve
 title: ''
 labels:kind: possible bug
 assignees: ''
 ---
 # Details
 **Image version:**
 <!-- Note: This should be the docker image version you're referring to -->
 **What steps did you take and what happened:**
 <!-- Note: This should be a clear and concise description of what the bug is. -->
 **What did you expect to happen:**
 <!-- Note: This should be a clear and concise description of what you expected to happen. -->
 **Anything else you would like to add:**
 <!-- Note: Miscellaneous information that will assist in solving the issue. -->
 **Additional Information:**
 <!-- Note: Anything to give further context to the bug report. -->
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -1,6 +0,0 @@
 ---
 blank_issues_enabled: false
 contact_links:
    - name: Discuss on Discord
      url: https://discord.gg/PRT86Cdgnr
      about: Join our Discord community
--- a/.github/ISSUE_TEMPLATE/enhancement.md
+++ b/.github/ISSUE_TEMPLATE/enhancement.md
@@ -1,21 +0,0 @@
 ---
 name: Feature request
 about: Suggest an idea for this project
 title: ''
 labels: kind:enhancement
 assignees: ''
 ---
 # Details
 **Describe the solution you'd like:**
 <!-- Note: A clear and concise description of what you want to happen. -->
 **Anything else you would like to add:**
 <!-- Note: Miscellaneous information that will assist in solving the issue. -->
 **Additional Information:**
 <!-- Note: Anything to give further context to the requested new feature. -->
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -1,32 +0,0 @@
 <!--
 Before you open the request please review the following guidelines and tips to help it be more easily integrated:
 - Describe the scope of your change - i.e. what the change does.
 - Describe any known limitations with your change.
 - Please run any tests or examples that can exercise your modified code.
 Thank you for contributing! We will try to test and integrate the change as soon as we can. There is no need to bump or check in on a pull request (it will clutter the discussion of the request).
 Also don't be worried if the request is closed or not integrated sometimes our priorities might not match the priorities of the pull request. Don't fret, the open source community thrives on forks and GitHub makes it easy to keep your changes in a forked repo.
 -->
 **Description of the change**
 <!-- Describe the scope of your change - i.e. what the change does. -->
 **Benefits**
 <!-- What benefits will be realized by the code change? -->
 **Possible drawbacks**
 <!-- Describe any known limitations with your change -->
 **Applicable issues**
 <!-- Enter any applicable Issues here (You can reference an issue using #) -->
 - fixes #
 **Additional information**
 <!-- If there's anything else that's important and relevant to your pull request, mention that information here.-->
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -1,91 +0,0 @@
 name: Release
 on:
    workflow_dispatch:
    release:
     types: [published]
 permissions:
    contents: read
    packages: write
 jobs:
    build:
        runs-on: ubuntu-latest
        if: "!contains(github.event.head_commit.message, '[ci-skip]')"
        steps:
          - name: Checkout
            uses: actions/checkout@v4
          - name: Prepare
            id: prep
            run: |
              DOCKER_IMAGE=phusion/baseimage
              GIT_BRANCH=${GITHUB_REF##*/}
              # Set the platforms to build for here and thus reduce duplicating it.
              PLATFORMS=amd64,arm,arm64
              TAGS="${DOCKER_IMAGE}:${GIT_BRANCH}, ghcr.io/${{ github.repository_owner }}/baseimage:${GIT_BRANCH}"
              # Determine BASE_IMAGE from release tag prefix (e.g. noble-1.0.2 -> ubuntu:24.04)
              if [[ "${GIT_BRANCH}" == noble-* ]]; then
                BASE_IMAGE="ubuntu:24.04"
              elif [[ "${GIT_BRANCH}" == jammy-* ]]; then
                BASE_IMAGE="ubuntu:22.04"
              else
                # Default to noble (latest LTS) for unrecognised tag prefixes
                echo "::warning::Unrecognized release tag prefix '${GIT_BRANCH}'. Expected it to start with 'noble-' or 'jammy-'. Defaulting BASE_IMAGE to ubuntu:24.04 (Noble)."
                BASE_IMAGE="ubuntu:24.04"
              fi
              # Set output parameters.
              if [ "${{github.event_name}}" == "pull_request" ]; then
                echo "push=false" >> $GITHUB_OUTPUT
              else
                echo "push=true" >> $GITHUB_OUTPUT
                echo "tags=${TAGS}" >> $GITHUB_OUTPUT
                echo "branch=${GIT_BRANCH}" >> $GITHUB_OUTPUT
                echo "docker_image=${DOCKER_IMAGE}" >> $GITHUB_OUTPUT
              fi
              echo "platforms=${PLATFORMS}" >> $GITHUB_OUTPUT
              echo "base_image=${BASE_IMAGE}" >> $GITHUB_OUTPUT
          - name: Set up QEMU
            uses: docker/setup-qemu-action@v3
            with:
              platforms: ${{ steps.prep.outputs.platforms }}
          - name: Login to GHCR (Github Container Registry)
            uses: docker/login-action@v3
            if: github.event_name != 'pull_request'
            with:
             registry: ghcr.io
             username: ${{ github.actor }}
             password: ${{ secrets.GITHUB_TOKEN }}
          - name: Set up Docker Buildx
            id: buildx
            uses: docker/setup-buildx-action@v3
            with:
              install: true
              version: latest
              driver-opts: image=moby/buildkit:latest
          - name: Login to Docker Hub
            if: github.event_name != 'pull_request'
            uses: docker/login-action@v3
            with:
                username: ${{ secrets.DOCKER_USERNAME }}
                password: ${{ secrets.DOCKER_PASSWORD }}
          - name: Build and Push
            uses: docker/build-push-action@v6
            with:
              builder: ${{ steps.buildx.outputs.name }}
              context: image
              platforms: ${{ steps.prep.outputs.platforms }}
              push: ${{ steps.prep.outputs.push }}
              tags: ${{ steps.prep.outputs.tags }}
              build-args: BASE_IMAGE=${{ steps.prep.outputs.base_image }}
--- a/.github/workflows/scheduled-build.yml
+++ b/.github/workflows/scheduled-build.yml
@@ -1,126 +0,0 @@
 name: Scheduled Security Build
 on:
    schedule:
        - cron: '0 2 * * 0'  # Every Sunday at 02:00 UTC
    workflow_dispatch:
 permissions:
    contents: write
    packages: write
 jobs:
    build:
        runs-on: ubuntu-latest
        permissions:
            contents: write
            packages: write
        strategy:
            fail-fast: false
            matrix:
                include:
                    - ubuntu_codename: noble
                      base_image: ubuntu:24.04
                    - ubuntu_codename: jammy
                      base_image: ubuntu:22.04
        steps:
          - name: Get latest release tag and compute next patch version
            id: release
            run: |
              LATEST_TAG=$(gh release list \
                --repo ${{ github.repository }} \
                --exclude-pre-releases \
                --exclude-drafts \
                --json tagName \
                --jq '[.[] | select(.tagName | startswith("${{ matrix.ubuntu_codename }}-"))] | first | .tagName')
              if [ -z "${LATEST_TAG}" ]; then
                echo "No release found for ${{ matrix.ubuntu_codename }} track" >&2
                exit 1
              fi
              # Extract version and bump patch: noble-1.0.2 -> noble-1.0.3
              if ! echo "${LATEST_TAG}" | grep -qE '^[a-z]+-[0-9]+\.[0-9]+\.[0-9]+$'; then
                echo "Tag '${LATEST_TAG}' does not match expected format <codename>-<major>.<minor>.<patch>" >&2
                exit 1
              fi
              PREFIX="${LATEST_TAG%.*}"            # noble-1.0
              PATCH="${LATEST_TAG##*.}"            # 2
              NEXT_PATCH=$((PATCH + 1))
              NEXT_TAG="${PREFIX}.${NEXT_PATCH}"  # noble-1.0.3
              echo "current_tag=${LATEST_TAG}" >> $GITHUB_OUTPUT
              echo "next_tag=${NEXT_TAG}" >> $GITHUB_OUTPUT
            env:
              GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          - name: Checkout release tag
            uses: actions/checkout@v4
            with:
              ref: ${{ steps.release.outputs.current_tag }}
          - name: Prepare
            id: prep
            run: |
              DOCKER_IMAGE=phusion/baseimage
              NEXT_TAG=${{ steps.release.outputs.next_tag }}
              PLATFORMS=amd64,arm,arm64
              TAGS="${DOCKER_IMAGE}:${NEXT_TAG}"
              TAGS="${TAGS}, ${DOCKER_IMAGE}:${{ matrix.ubuntu_codename }}"
              TAGS="${TAGS}, ghcr.io/${{ github.repository_owner }}/baseimage:${NEXT_TAG}"
              TAGS="${TAGS}, ghcr.io/${{ github.repository_owner }}/baseimage:${{ matrix.ubuntu_codename }}"
              echo "tags=${TAGS}" >> $GITHUB_OUTPUT
              echo "platforms=${PLATFORMS}" >> $GITHUB_OUTPUT
          - name: Set up QEMU
            uses: docker/setup-qemu-action@v3
            with:
              platforms: ${{ steps.prep.outputs.platforms }}
          - name: Set up Docker Buildx
            uses: docker/setup-buildx-action@v3
            with:
              install: true
              version: latest
              driver-opts: image=moby/buildkit:latest
          - name: Login to GHCR (Github Container Registry)
            uses: docker/login-action@v3
            with:
              registry: ghcr.io
              username: ${{ github.actor }}
              password: ${{ secrets.GITHUB_TOKEN }}
          - name: Login to Docker Hub
            uses: docker/login-action@v3
            with:
              username: ${{ secrets.DOCKER_USERNAME }}
              password: ${{ secrets.DOCKER_PASSWORD }}
          - name: Build and Push
            uses: docker/build-push-action@v6
            with:
              context: image
              platforms: ${{ steps.prep.outputs.platforms }}
              push: true
              tags: ${{ steps.prep.outputs.tags }}
              build-args: BASE_IMAGE=${{ matrix.base_image }}
              no-cache: true
          - name: Check gh auth status
            run: gh auth status
            env:
              GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          - name: Create GitHub Release
            run: |
              gh release create "${{ steps.release.outputs.next_tag }}" \
                --repo "${{ github.repository }}" \
                --target "${{ steps.release.outputs.current_tag }}" \
                --title "${{ steps.release.outputs.next_tag }}" \
                --notes "Automated weekly security rebuild of \`${{ steps.release.outputs.current_tag }}\` with latest \`${{ matrix.base_image }}\` packages.
              Images pushed:
              - \`phusion/baseimage:${{ steps.release.outputs.next_tag }}\`
              - \`phusion/baseimage:${{ matrix.ubuntu_codename }}\`
              - \`ghcr.io/${{ github.repository_owner }}/baseimage:${{ steps.release.outputs.next_tag }}\`
              - \`ghcr.io/${{ github.repository_owner }}/baseimage:${{ matrix.ubuntu_codename }}\`"
            env:
              GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -1,20 +0,0 @@
 name: 'Close stale issues and PRs'
 on:
  schedule:
    - cron: '0 1 * * *'
 jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/stale@v9
        with:
          stale-issue-message: 'This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.'
          stale-pr-message: 'This Pull Request has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thank you for your contribution.'
          close-issue-message: 'Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.'
          close-pr-message: 'Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Pull Request. Do not hesitate to reopen it later if necessary.'
          days-before-stale: 15
          days-before-close: 5
          exempt-issue-labels: 'on-hold'
          exempt-pr-labels: 'on-hold'
          operations-per-run: 50
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,3 @@
 .DS_Store
 .vagrant
 *.swp
 *.tar.gz
 *.log
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -1,52 +0,0 @@
 # Contributor Covenant Code of Conduct
 ## Our Pledge
 In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
 ## Our Standards
 Examples of behavior that contributes to creating a positive environment include:
 * Using welcoming and inclusive language
 * Being respectful of differing viewpoints and experiences
 * Gracefully accepting constructive criticism
 * Focusing on what is best for the community
 * Showing empathy towards other community members
 Examples of unacceptable behavior by participants include:
 * The use of sexualized language or imagery and unwelcome sexual attention or advances
 * Trolling, insulting/derogatory comments, and personal or political attacks
 * Public or private harassment
 * Publishing others' private information, such as a physical or electronic address, without explicit permission
 * Other conduct which could reasonably be considered inappropriate in a professional setting
 ## Our Responsibilities
 Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
 Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
 ## Scope
 This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
 ## Enforcement
 Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at Phusion Passenger:
 [FloorD](https://github.com/floord) (she/her), floor@phusion.nl, English / Dutch / German
 [Scarhand](https://github.com/scarhand) (he/his), niels@phusion.nl, English / Dutch
 The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
 Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
 ## Attribution
 This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version]
 [homepage]: http://contributor-covenant.org
 [version]: http://contributor-covenant.org/version/1/4/
--- a/Changelog.md
+++ b/Changelog.md
@@ -1 +1,149 @@
-For the Changelog, please see [Releases](https://github.com/phusion/baseimage-docker/releases) on GitHub
+## 0.9.19 (release date: 2016-07-08)
 * Upgraded to Ubuntu 16.04. Thanks to Pierre Jacomet for submitting this patch.
 * During shutdown, repeatedly tell Runit to shutdown services in order to workaround a potential race condition in Runit itself. Closes GH-315. Thanks to Chris Kite for submitting this patch.
 * Fixed a problem in PAM which may cause chpasswd and related tools to fail. This is caused by Docker bug 6345 which is already closed, but for some reason the problem still persists. Closes GH-181. Thanks to Michael Zedeler for submitting the patch.
 * Fixed the syslog-ng logrotate script to correctly restart the syslog-to-Docker-logs forwarder. Closes GH-292. Thanks to Ernestas Lukoševičius for submitting the patch.
 ## 0.9.18 (release date: 2015-12-08)
 * The latest OpenSSL updates have been pulled in. This fixes [CVE-2015-3193](https://www.openssl.org/news/secadv/20151203.txt) and a few others. Upgrading is strongly recommended.
 * Fixes disabling all services. Thanks to Enderson Maia.
 ## 0.9.17 (release date: 2015-07-15)
 * The latest OpenSSL updates have been pulled in. This fixes [CVE-2015-1793](http://openssl.org/news/secadv_20150709.txt). Upgrading is strongly recommended.
 * Removed nano and replaced vim with vim-tiny. This reduces Baseimage-docker's virtual size by 42 MB.
 * Fixed an issue in `my_init` which could cause it to hang during shutdown. Thanks to Joe "SAPikachu" Hu for contributing the fix. Closes GH-151.
 * When `my_init` generates `/etc/container_environment.sh`, it now ensures that environment variable names do not include any characters unsupported by Bash. Unsupported characters are now replaced with underscores. This fixes compatibility issues with Docker Compose. Closes GH-230.
 * `my_init` no longer reads from and writes to `/etc/container_environment` if that directory does not exist. Previously it would abort with an error. This change makes it easier to reuse `my_init` in other (non-Baseimage-docker-based) projects without having to modify it.
 * Baseimage-docker no longer sets the HOME environment variable by default. We used to set HOME by default to work around [Docker issue 2968](https://github.com/docker/docker/issues/2968) where HOME defaults to /, but this issue is now fixed. Furthermore, the fact that we set HOME interfered with the USER stanza: USER would no longer set HOME. So we got rid of our HOME variable. Closes GH-231.
 * Some unnecessary Ubuntu cron jobs have been removed. Closes GH-205.
 * Syslog-ng no longer forwards messages to /dev/tty10. Closes GH-222.
 * It is now possible to build your own Baseimage-docker variant that has cron, syslog or sshd disabled. Thanks to Enderson Tadeu S. Maia. Closes GH-182.
 ## 0.9.16 (release date: 2015-01-20)
 * `docker exec` is now the default and recommended mechanism for running commands in the container. SSH is now disabled by default, but is still supported for those cases where "docker exec" is not appropriate. Closes GH-168.
 * All syslog output is now forwarded to `docker logs`. Closes GH-123.
 * The workaround for Docker bug 2267 (the inability to modify /etc/hosts) has been removed, because it has been fixed upstream. Closes GH-155.
 * Logrotate now reloads syslog-ng properly. Closes GH-167.
 * Fixed some locale issues. Closes GH-178. Thanks to David J. M. Karlsen.
 * Fixed problems with cron. Closes GH-115.
 * Contribution by Bryan Bishop.
 ## 0.9.15 (release date: 2014-10-03)
 * Fixed the setuid bit on /usr/bin/sudo. This problem was caused by Docker bug #6828.
 ## 0.9.14 (release date: 2014-10-01)
 * Installed all the latest Ubuntu security updates. This patches Shellshock, among other things.
 * Some documentation updates by andreamtp.
 ## 0.9.13 (release date: 2014-08-22)
 * Fixed `my_init` not properly exiting with a non-zero exit status when Ctrl-C is pressed.
 * The GID of the `docker_env` group has been changed from 1000 to 8377, in order to avoid GID conflicts with any groups that you might want to introduce inside the container.
 * The syslog-ng socket is now deleted before starting the syslog-ng daemon, to avoid the daemon from failing to start due to garbage on the filesystem. Thanks to Kingdon Barrett. Closes GH-129.
 * Typo fixes by Arkadi Shishlov.
 ## 0.9.12 (release date: 2014-07-24)
 * We now officially support `nsenter` as an alternative way to login to the container. With official support, we mean that we've provided extensive documentation on how to use `nsenter`, as well as related convenience tools. However, because `nsenter` has various issues, and for backward compatibility reasons, we still support SSH. Please refer to the README for details about `nsenter`, and what the pros and cons are compared to SSH.
   * The `docker-bash` tool has been modified to use `nsenter` instead of SSH.
   * What was previously the `docker-bash` tool, has now been renamed to `docker-ssh`. It now also works on a regular sh shell too, instead of bash specifically.
 * Added a workaround for Docker's inability to modify /etc/hosts in the container ([Docker bug 2267](https://github.com/dotcloud/docker/issues/2267)). Please refer to the README for details.
 * Fixed an issue with SSH X11 forwarding. Thanks to Anatoly Bubenkov. Closes GH-105.
 * The init system now prints its own log messages to stderr. Thanks to mephi42. Closes GH-106.
 ## 0.9.11 (release date: 2014-06-24)
 * Introduced the `docker-bash` tool. This is a shortcut tool for logging into a container using SSH. Usage: `docker-bash <CONTAINER ID>`. See the README for details.
 * Fixed various process waiting issues in `my_init`. Closes GH-27, GH-82 and GH-83. Thanks to André Luiz dos Santos and Paul Annesley.
 * The `ca-certificates` package is now installed by default. This is because we include `apt-transport-https`, but Ubuntu 14.04 no longer installs `ca-certificates` by default anymore. Closes GH-73.
 * Output print by Runit services are now redirected to the Docker logs instead of to proctitle. Thanks to Paul Annesley.
 * Container environment variables are now made available to SSH root shells. If you login with SSH through a non-root account, then container environment variables are only made available if that user is a member of the `docker_env` group. Thanks to Bernard Potocki.
 * `add-apt-repository` is now installed by default. Closes GH-74.
 * Various minor fixes and contributions thanks to yebyen, John Eckhart, Christoffer Sawicki and Brant Fitzsimmons.
 ## 0.9.10 (release date: 2014-05-12)
 * Upgraded to Ubuntu 14.04 (Trusty). We will no longer release images based on 12.04.
   Thanks to contributions by mpeterson, Paul Jimenez, Santiago M. Mola and Kingdon Barrett.
 * Fixed a problem with my_init not correctly passing child processes' exit status. Fixes GH-45.
 * When reading environment variables from /etc/container_environment, the trailing newline (if any) is ignored. This makes commands like this work, without unintentially adding a newline to the environment variable value:
        echo my_value > /etc/container_environment/FOO
   If you intended on adding a newline to the value, ensure you have *two* trailing newlines:
        echo -e "my_value\n" > /etc/container_environment/FOO
 * It was not possible to use `docker run -e` to override environment variables defined in /etc/container_environment. This has been fixed (GH-52). Thanks to Stuart Campbell for reporting this bug.
 ## 0.9.9 (release date: 2014-03-25)
 * Fixed a problem with rssh. (Slawomir Chodnicki)
 * The `INITRD` environment variable is now set in the container by default. This prevents updates to the `initramfs` from running grub or lilo.
 * The `ischroot` tool in Ubuntu has been modified to always return true. This prevents updates to the `initscripts` package from breaking /dev/shm.
 * Various minor bug fixes, improvements and typo corrections. (Felix Hummel, Laurent Sarrazin, Dung Quang, Amir Gur)
 ## 0.9.8 (release date: 2014-02-26)
 * Fixed a regression in `my_init` which causes it to delete environment variables passed from Docker.
 * Fixed `my_init` not properly forcing Runit to shut down if Runit appears to refuse to respond to SIGTERM.
 ## 0.9.7 (release date: 2014-02-25)
 * Improved and fixed bugs in `my_init` (Thomas LÉVEIL):
   * It is now possible to enable the insecure key by passing `--enable-insecure-key` to `my_init`. This allows users to easily enable the insecure key for convenience reasons, without having the insecure key enabled permanently in the image.
   * `my_init` now exports environment variables to the directory `/etc/container_environment` and to the files `/etc/container_environment.sh`, `/etc/container_environment.json`. This allows all applications to query what the original environment variables were. It is also possible to change the environment variables in `my_init` by modifying `/etc/container_environment`. More information can be found in the README, section "Environment variables".
   * Fixed a bug that causes it not to print messages to stdout when there is no pseudo terminal. This is because Python buffers stdout by default.
   * Fixed an incorrectly printed message.
 * The insecure key is now also available in PuTTY format. (Thomas LÉVEIL)
 * Fixed `enable_insecure_key` removing already installed SSH keys. (Thomas LÉVEIL)
 * The baseimage-docker image no longer EXPOSEs any ports by default. The EXPOSE entries were originally there to enable some default guest-to-host port forwarding entries, but in recent Docker versions they changed the meaning of EXPOSE, and now EXPOSE is used for linking containers. As such, we no longer have a reason to EXPOSE any ports by default. Fixes GH-15.
 * Fixed syslog-ng not being able to start because of a missing afsql module. Fixes the issue described in [pull request 7](https://github.com/phusion/baseimage-docker/pull/7).
 * Removed some default Ubuntu cron jobs which are not useful in Docker containers.
 * Added the logrotate service. Fixes GH-22.
 * Fixed some warnings in `/etc/my_init.d/00_regen_ssh_host_keys.sh`.
 * Fixed some typos in the documentation. (Dr Nic Williams, Tomer Cohen)
 ## 0.9.6 (release date: 2014-02-17)
 * Fixed a bug in `my_init`: child processes that have been adopted during execution of init scripts are now properly reaped.
 * Much improved `my_init`:
   * It is now possible to run and watch a custom command, possibly in addition to running runit. See "Running a one-shot command in the container" in the README.
   * It is now possible to skip running startup files such as /etc/rc.local.
   * Shutdown is now much faster. It previously took a few seconds, but it is now almost instantaneous.
   * It ensures that all processes in the container are properly shut down with SIGTERM, even those that are not direct child processes of `my_init`.
 * `setuser` now also sets auxilliary groups, as well as more environment variables such as `USER` and `UID`.
 ## 0.9.5 (release date: 2014-02-06)
 * Environment variables are now no longer reset by runit. This is achieved by running `runsvdir` directly instead of through Debian's `runsvdir-start`.
 * The insecure SSH key is now disabled by default. You have to explicitly opt-in to use it.
 ## 0.9.4 (release date: 2014-02-03)
 * Fixed syslog-ng startup problem.
 ## 0.9.3 (release date: 2014-01-31)
 * It looks like Docker changed their Ubuntu 12.04 base image, thereby breaking our Dockerfile. This has been fixed.
 * The init system (`/sbin/my_init`) now supports running scripts during startup. You can put startup scripts `/etc/my_init.d`. `/etc/rc.local` is also run during startup.
 * To improve security, the base image no longer contains pregenerated SSH host keys. Instead, users of the base image are encouraged to regenerate one in their Dockerfile. If the user does not do that, then random SSH host keys are generated during container boot.
 ## 0.9.2 (release date: 2013-12-11)
 * Fixed SFTP support. Thanks Joris van de Donk!
 ## 0.9.1 (release date: 2013-11-12)
 * Improved init process script (`/sbin/my_init`): it now handles shutdown correctly. Previously, `docker stop` would not have any effect on `my_init`, causing the whole container to be killed with SIGKILL. The new init process script gracefully shuts down all runit services, then exits.
 ## 0.9.0 (release date: 2013-11-12)
 * Initial release
--- a/LICENSE.txt
+++ b/LICENSE.txt
@@ -1,4 +1,4 @@
-Copyright (c) 2013-2025 Phusion Holding B.V.
+Copyright (c) 2013-2015 Phusion Holding B.V.
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
--- a/56
+++ b/56
@@ -1,57 +1,29 @@
-VERSION ?= noble-1.0.2
+NAME = phusion/baseimage
-ifdef BASE_IMAGE
+VERSION = 0.9.19
 	BUILD_ARG = --build-arg BASE_IMAGE=$(BASE_IMAGE)
 	ifndef NAME
 		NAME = phusion/baseimage-$(subst :,-,${BASE_IMAGE})
 	endif
 else
 	NAME ?= phusion/baseimage
 endif
 ifdef TAG_ARCH
 	# VERSION_ARG = $(VERSION)-$(subst /,-,$(subst :,-,${BASE_IMAGE}))-$(TAG_ARCH)
 	VERSION_ARG = $(VERSION)-$(TAG_ARCH)
 	LATEST_VERSION = latest-$(TAG_ARCH)
 else
 	# VERSION_ARG = $(VERSION)-$(subst /,-,$(subst :,-,${BASE_IMAGE}))
 	VERSION_ARG = $(VERSION)
 	LATEST_VERSION = latest
 endif
 VERSION_ARG ?= $(VERSION)
 .PHONY: all build test tag_latest release ssh
 all: build
 build:
-	docker build --no-cache -t $(NAME):$(VERSION_ARG) $(BUILD_ARG) --build-arg QEMU_ARCH=$(QEMU_ARCH) --platform $(PLATFORM) --rm image
+	docker build -t $(NAME):$(VERSION) --rm image
 build_multiarch:
 	env NAME=$(NAME) VERSION=$(VERSION_ARG) ./build-multiarch.sh
 test:
-	env NAME=$(NAME) VERSION=$(VERSION_ARG) ./test/runner.sh
+	env NAME=$(NAME) VERSION=$(VERSION) ./test/runner.sh
 tag_latest:
-	docker tag $(NAME):$(VERSION_ARG) $(NAME):$(LATEST_VERSION)
+	docker tag $(NAME):$(VERSION) $(NAME):latest
-tag_multiarch_latest:
+release: test tag_latest
-	env NAME=$(NAME) VERSION=$(VERSION) TAG_LATEST=true ./build-multiarch.sh
+	@if ! docker images $(NAME) | awk '{ print $$2 }' | grep -q -F $(VERSION); then echo "$(NAME) version $(VERSION) is not yet built. Please run 'make build'"; false; fi
-
+	@if ! head -n 1 Changelog.md | grep -q 'release date'; then echo 'Please note the release date in Changelog.md.' && false; fi
 release: test
 	@if ! docker images $(NAME) | awk '{ print $$2 }' | grep -q -F $(VERSION_ARG); then echo "$(NAME) version $(VERSION_ARG) is not yet built. Please run 'make build'"; false; fi
 	docker push $(NAME)
-	@echo "*** Don't forget to create a tag by creating an official GitHub release."
+	@echo "*** Don't forget to create a tag. git tag rel-$(VERSION) && git push origin rel-$(VERSION)"
 ssh: SSH_COMMAND?=
 ssh:
-	ID=$$(docker ps | grep -F "$(NAME):$(VERSION_ARG)" | awk '{ print $$1 }') && \
+	chmod 600 image/services/sshd/keys/insecure_key
 	@ID=$$(docker ps | grep -F "$(NAME):$(VERSION)" | awk '{ print $$1 }') && \
 		if test "$$ID" = ""; then echo "Container is not running."; exit 1; fi && \
-		tools/docker-ssh $$ID ${SSH_COMMAND}
+		IP=$$(docker inspect $$ID | grep IPAddr | sed 's/.*: "//; s/".*//') && \
-
+		echo "SSHing into $$IP" && \
-test_release:
+		ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i image/services/sshd/keys/insecure_key root@$$IP
 	echo test_release
 	env
 test_master:
 	echo test_master
 	env
--- a/README.md
+++ b/README.md
@@ -1,8 +1,8 @@
 # A minimal Ubuntu base image modified for Docker-friendliness
-[![Release](https://github.com/phusion/baseimage-docker/actions/workflows/main.yml/badge.svg)](https://github.com/phusion/baseimage-docker/actions/workflows/main.yml)
+[![](https://badge.imagelayers.io/phusion/baseimage:0.9.17.svg)](https://imagelayers.io/?images=phusion/baseimage:latest 'Get your own badge on imagelayers.io')
-_Baseimage-docker only consumes 8.3 MB RAM and is much more powerful than Busybox or Alpine. See why below._
+_Baseimage-docker only consumes 6 MB RAM and is much powerful than Busybox or Alpine. See why below._
 Baseimage-docker is a special [Docker](https://www.docker.com) image that is configured for correct use within Docker containers. It is Ubuntu, plus:
@@ -12,11 +12,11 @@ Baseimage-docker is a special [Docker](https://www.docker.com) image that is con
 You can use it as a base for your own Docker images.
-Baseimage-docker is available for pulling from [the Docker registry](https://hub.docker.com/r/phusion/baseimage) and [GHCR (GitHub Container Registry)](https://github.com/phusion/baseimage-docker/pkgs/container/baseimage)!
+Baseimage-docker is available for pulling from [the Docker registry](https://registry.hub.docker.com/u/phusion/baseimage/)!
 ### What are the problems with the stock Ubuntu base image?
-Ubuntu is not designed to be run inside Docker. Its init system, Upstart, assumes that it's running on either real hardware or virtualized hardware, but not inside a Docker container. But inside a container you don't want a full system; you want a minimal system.  Configuring that minimal system for use within a container has many strange corner cases that are hard to get right if you are not intimately familiar with the Unix system model. This can cause a lot of strange problems.
+Ubuntu is not designed to be run inside Docker. Its init system, Upstart, assumes that it's running on either real hardware or virtualized hardware, but not inside a Docker container. But inside a container you don't want a full system anyway, you want a minimal system. But configuring that minimal system for use within a container has many strange corner cases that are hard to get right if you are not intimately familiar with the Unix system model. This can cause a lot of strange problems.
 Baseimage-docker gets everything right. The "Contents" section describes all the things that it modifies.
@@ -26,7 +26,7 @@ Baseimage-docker gets everything right. The "Contents" section describes all the
 You can configure the stock `ubuntu` image yourself from your Dockerfile, so why bother using baseimage-docker?
 * Configuring the base system for Docker-friendliness is no easy task. As stated before, there are many corner cases. By the time that you've gotten all that right, you've reinvented baseimage-docker. Using baseimage-docker will save you from this effort.
- * It reduces the time needed to write a correct Dockerfile. You won't have to worry about the base system and you can focus on the stack and the app.
+ * It reduces the time needed to write a correct Dockerfile. You won't have to worry about the base system and can focus on your stack and your app.
 * It reduces the time needed to run `docker build`, allowing you to iterate your Dockerfile more quickly.
 * It reduces download time during redeploys. Docker only needs to download the base image once: during the first deploy. On every subsequent deploys, only the changes you make on top of the base image are downloaded.
@@ -35,7 +35,7 @@ You can configure the stock `ubuntu` image yourself from your Dockerfile, so why
 **Related resources**:
  [Website](http://phusion.github.io/baseimage-docker/) |
  [Github](https://github.com/phusion/baseimage-docker) |
-  [Docker registry](https://registry.hub.docker.com/r/phusion/baseimage/) |
+  [Docker registry](https://index.docker.io/u/phusion/baseimage/) |
  [Discussion forum](https://groups.google.com/d/forum/passenger-docker) |
  [Twitter](https://twitter.com/phusion_nl) |
  [Blog](http://blog.phusion.nl/)
@@ -56,7 +56,6 @@ You can configure the stock `ubuntu` image yourself from your Dockerfile, so why
     * [Environment variable dumps](#envvar_dumps)
     * [Modifying environment variables](#modifying_envvars)
     * [Security](#envvar_security)
   * [System logging](#logging)
   * [Upgrading the operating system inside the container](#upgrading_os)
 * [Container administration](#container_administration)
   * [Running a one-shot command in a new container](#oneshot)
@@ -86,8 +85,8 @@ You can configure the stock `ubuntu` image yourself from your Dockerfile, so why
 | Component        | Why is it included? / Remarks |
 | ---------------- | ------------------- |
-| Ubuntu 24.04 LTS | The base system. |
+| Ubuntu 16.04 LTS | The base system. |
-| A **correct** init process | _Main article: [Docker and the PID 1 zombie reaping problem](http://blog.phusion.nl/2015/01/20/docker-and-the-pid-1-zombie-reaping-problem/)._ <br><br>According to the Unix process model, [the init process](https://en.wikipedia.org/wiki/Init) -- PID 1 -- inherits all [orphaned child processes](https://en.wikipedia.org/wiki/Orphan_process) and must [reap them](https://en.wikipedia.org/wiki/Wait_(system_call)). Most Docker containers do not have an init process that does this correctly. As a result, their containers become filled with [zombie processes](https://en.wikipedia.org/wiki/Zombie_process) over time. <br><br>Furthermore, `docker stop` sends SIGTERM to the init process, which stops all services. Unfortunately most init systems don't do this correctly within Docker since they're built for hardware shutdowns instead. This causes processes to be hard killed with SIGKILL, which doesn't give them a chance to correctly deinitialize things. This can cause file corruption. <br><br>Baseimage-docker comes with an init process `/sbin/my_init` that performs both of these tasks correctly. |
+| A **correct** init process | _Main article: [Docker and the PID 1 zombie reaping problem](http://blog.phusion.nl/2015/01/20/docker-and-the-pid-1-zombie-reaping-problem/)._ <br><br>According to the Unix process model, [the init process](https://en.wikipedia.org/wiki/Init) -- PID 1 -- inherits all [orphaned child processes](https://en.wikipedia.org/wiki/Orphan_process) and must [reap them](https://en.wikipedia.org/wiki/Wait_(system_call)). Most Docker containers do not have an init process that does this correctly, and as a result their containers become filled with [zombie processes](https://en.wikipedia.org/wiki/Zombie_process) over time. <br><br>Furthermore, `docker stop` sends SIGTERM to the init process, which is then supposed to stop all services. Unfortunately most init systems don't do this correctly within Docker since they're built for hardware shutdowns instead. This causes processes to be hard killed with SIGKILL, which doesn't give them a chance to correctly deinitialize things. This can cause file corruption. <br><br>Baseimage-docker comes with an init process `/sbin/my_init` that performs both of these tasks correctly. |
 | Fixes APT incompatibilities with Docker | See https://github.com/dotcloud/docker/issues/1024. |
 | syslog-ng | A syslog daemon is necessary so that many services - including the kernel itself - can correctly log to /var/log/syslog. If no syslog daemon is running, a lot of important messages are silently swallowed. <br><br>Only listens locally. All syslog messages are forwarded to "docker logs".<br><br>Why syslog-ng?<br>I've had bad experience with rsyslog. I regularly run into bugs with rsyslog, and once in a while it takes my log host down by entering a 100% CPU loop in which it can't do anything. Syslog-ng seems to be much more stable. |
 | logrotate | Rotates and compresses logs on a regular basis. |
@@ -95,9 +94,8 @@ You can configure the stock `ubuntu` image yourself from your Dockerfile, so why
 | cron | The cron daemon must be running for cron jobs to work. |
 | [runit](http://smarden.org/runit/) | Replaces Ubuntu's Upstart. Used for service supervision and management. Much easier to use than SysV init and supports restarting daemons when they crash. Much easier to use and more lightweight than Upstart. |
 | `setuser` | A tool for running a command as another user. Easier to use than `su`, has a smaller attack vector than `sudo`, and unlike `chpst` this tool sets `$HOME` correctly. Available as `/sbin/setuser`. |
 | `install_clean` | A tool for installing `apt` packages that automatically cleans up after itself.  All arguments are passed to `apt-get -y install --no-install-recommends` and after installation the apt caches are cleared.  To include recommended packages, add `--install-recommends`. |
-Baseimage-docker is very lightweight: it only consumes 8.3 MB of memory.
+Baseimage-docker is very lightweight: it only consumes 6 MB of memory.
 <a name="docker_single_process"></a>
 ### Wait, I thought Docker is about running a single process in a container?
@@ -113,11 +111,11 @@ Do we advocate running multiple *logical services* in a single container? Not ne
 <a name="fat_containers"></a>
 ### Does Baseimage-docker advocate "fat containers" or "treating containers as VMs"?
-There are people who think that Baseimage-docker advocates treating containers as VMs because Baseimage-docker advocates the use of multiple processes. Therefore, they also think that Baseimage-docker does not follow the Docker philosophy. Neither of these impressions are true.
+There are people who are under the impression that Baseimage-docker advocates treating containers as VMs, because of the fact that Baseimage-docker advocates the use of multiple processes. Therefore they are also under the impression that Baseimage-docker does not follow the Docker philosophy. Neither of these impressions are true.
 The Docker developers advocate running a single *logical service* inside a single container. But we are not disputing that. Baseimage-docker advocates running multiple *OS processes* inside a single container, and a single logical service can consist of multiple OS processes.
-It follows that Baseimage-docker also does not deny the Docker philosophy. In fact, many of the modifications we introduce are explicitly in line with the Docker philosophy. For example, using environment variables to pass parameters to containers is very much the "Docker way", and providing [a mechanism to easily work with environment variables](#environment_variables) in the presence of multiple processes that may run as different users.
+It follows from this that Baseimage-docker also does not deny the Docker philosophy. In fact, many of the modifications we introduce are explicitly in line with the Docker philosophy. For example, using environment variables to pass parameters to containers is very much the "Docker way", and provide [a mechanism to easily work with environment variables](#environment_variables) in the presence of multiple processes that may run as different users.
 <a name="inspecting"></a>
 ## Inspecting baseimage-docker
@@ -155,45 +153,26 @@ The image is called `phusion/baseimage`, and is available on the Docker registry
 <a name="adding_additional_daemons"></a>
 ### Adding additional daemons
-A daemon is a program which runs in the background of its system, such
+You can add additional daemons (e.g. your own app) to the image by creating runit entries. You only have to write a small shell script which runs your daemon, and runit will keep it up and running for you, restarting it when it crashes, etc.
 as a web server.
-You can add additional daemons (for example, your own app) to the image
+The shell script must be called `run`, must be executable, and is to be placed in the directory `/etc/service/<NAME>`.
 by creating runit service directories. You only have to write a small
 shell script which runs your daemon;
 [`runsv`](http://smarden.org/runit/runsv.8.html) will start your script,
 and - by default - restart it upon its exit, after waiting one second.
-The shell script must be called `run`, must be executable, and is to be
+Here's an example showing you how a memcached server runit entry can be made.
 placed in the directory `/etc/service/<NAME>`. `runsv` will switch to
 the directory and invoke `./run` after your container starts.
-**Be certain that you do not start your container using interactive mode
+In `memcached.sh` (make sure this file is chmod +x):
 (`-it`) with another command, as `runit` must be the first process to run. If you do this, your runit service directories won't be started. For instance, `docker run -it <name> bash` will bring you to bash in your container, but you'll lose all your daemons.**
-Here's an example showing you how a `runit` service directory can be
+    #!/bin/sh
-made for a `memcached` server.
+    # `/sbin/setuser memcache` runs the given command as the user `memcache`.
    # If you omit that part, the command will be run as root.
    exec /sbin/setuser memcache /usr/bin/memcached >>/var/log/memcached.log 2>&1
-In `memcached.sh`, or whatever you choose to name your file (make sure
+In `Dockerfile`:
 this file is chmod +x):
 ```bash
 #!/bin/sh
 # `/sbin/setuser memcache` runs the given command as the user `memcache`.
 # If you omit that part, the command will be run as root.
 exec /sbin/setuser memcache /usr/bin/memcached >>/var/log/memcached.log 2>&1
 ```
 In an accompanying `Dockerfile`:
-```Dockerfile
+    RUN mkdir /etc/service/memcached
-RUN mkdir /etc/service/memcached
+    COPY memcached.sh /etc/service/memcached/run
-COPY memcached.sh /etc/service/memcached/run
+    RUN chmod +x /etc/service/memcached/run
-RUN chmod +x /etc/service/memcached/run
+
-```
+Note that the shell script must run the daemon **without letting it daemonize/fork it**. Usually, daemons provide a command line flag or a config file option for that.
 A given shell script must run **without daemonizing or forking itself**;
 this is because `runit` will start and restart your script on its own.
 Usually, daemons provide a command line flag or a config file option for
 preventing such behavior - essentially, you just want your script to run
 in the foreground, not the background.
 <a name="running_startup_scripts"></a>
 ### Running scripts during container startup
@@ -218,31 +197,9 @@ In `Dockerfile`:
    RUN mkdir -p /etc/my_init.d
    COPY logtime.sh /etc/my_init.d/logtime.sh
-    RUN chmod +x /etc/my_init.d/logtime.sh
+	  RUN chmod +x /etc/my_init.d/logtime.sh
 <a name="environment_variables"></a>
 #### Shutting down your process
 `/sbin/my_init` handles termination of children processes at shutdown. When it receives a SIGTERM
 it will pass the signal onto the child processes for correct shutdown. If your process is started with
 a shell script, make sure you `exec` the actual process, otherwise the shell will receive the signal
 and not your process.
 `/sbin/my_init` will terminate processes after a 5 second timeout. This can be adjusted by setting
 environment variables:
    # Give children processes 5 minutes to timeout
    ENV KILL_PROCESS_TIMEOUT=300
    # Give all other processes (such as those which have been forked) 5 minutes to timeout
    ENV KILL_ALL_PROCESSES_TIMEOUT=300
 Note: Prior to 0.11.1, the default values for `KILL_PROCESS_TIMEOUT` and `KILL_ALL_PROCESSES_TIMEOUT`
 were 5 seconds. In version 0.11.1+ the default process timeout has been adjusted to 30 seconds to
 allow more time for containers to terminate gracefully. The default timeout of your container runtime
 may supersede this setting, for example Docker currently applies a [10s timeout](https://docs.docker.com/engine/reference/commandline/stop/#options)
 by default before sending SIGKILL, upon `docker stop` or receiving SIGTERM.
 ### Environment variables
 If you use `/sbin/my_init` as the main container command, then any environment variables set with `docker run --env` or with the `ENV` command in the Dockerfile, will be picked up by `my_init`. These variables will also be passed to all child processes, including `/etc/my_init.d` startup scripts, Runit and Runit-managed services. There are however a few caveats you should be aware of:
@@ -257,7 +214,7 @@ If you use `/sbin/my_init` as the main container command, then any environment v
 <a name="envvar_central_definition"></a>
 #### Centrally defining your own environment variables
-During startup, before running any [startup scripts](#running_startup_scripts), `my_init` imports environment variables from the directory `/etc/container_environment`. This directory contains files named after the environment variable names. The file contents contain the environment variable values. This directory is therefore a good place to centrally define your own environment variables, which will be inherited by all startup scripts and Runit services.
+During startup, before running any [startup scripts](#running_startup_scripts), `my_init` imports environment variables from the directory `/etc/container_environment`. This directory contains files who are named after the environment variable names. The file contents contain the environment variable values. This directory is therefore a good place to centrally define your own environment variables, which will be inherited by all startup scripts and Runit services.
 For example, here's how you can define an environment variable from your Dockerfile:
@@ -273,14 +230,14 @@ You can verify that it works, as follows:
 **Handling newlines**
-If you've looked carefully, you'll notice that the 'echo' command actually prints a newline. Why does $MY_NAME not contain a newline then? It's because `my_init` strips the trailing newline. If you intended on the value having a newline, you should add *another* newline, like this:
+If you've looked carefully, you'll notice that the 'echo' command actually prints a newline. Why does $MY_NAME not contain a newline then? It's because `my_init` strips the trailing newline, if any. If you intended on the value having a newline, you should add *another* newline, like this:
    RUN echo -e "Apachai Hopachai\n" > /etc/container_environment/MY_NAME
 <a name="envvar_dumps"></a>
 #### Environment variable dumps
-While the previously mentioned mechanism is good for centrally defining environment variables, itself does not prevent services (e.g. Nginx) from changing and resetting environment variables from child processes. However, the `my_init` mechanism does make it easy for you to query what the original environment variables are.
+While the previously mentioned mechanism is good for centrally defining environment variables, it by itself does not prevent services (e.g. Nginx) from changing and resetting environment variables from child processes. However, the `my_init` mechanism does make it easy for you to query what the original environment variables are.
 During startup, right after importing environment variables from `/etc/container_environment`, `my_init` will dump all its environment variables (that is, all variables imported from `container_environment`, as well as all variables it picked up from `docker run --env`) to the following locations, in the following formats:
@@ -288,7 +245,7 @@ During startup, right after importing environment variables from `/etc/container
 * `/etc/container_environment.sh` - a dump of the environment variables in Bash format. You can source the file directly from a Bash shell script.
 * `/etc/container_environment.json` - a dump of the environment variables in JSON format.
-The multiple formats make it easy for you to query the original environment variables no matter which language your scripts/apps are written in.
+The multiple formats makes it easy for you to query the original environment variables no matter which language your scripts/apps are written in.
 Here is an example shell session showing you how the dumps look like:
@@ -321,27 +278,19 @@ But note that:
 <a name="envvar_security"></a>
 #### Security
-Because environment variables can potentially contain sensitive information, `/etc/container_environment` and its Bash and JSON dumps are by default owned by root, and accessible only to the `docker_env` group (so that any user added this group will have these variables automatically loaded).
+Because environment variables can potentially contain sensitive information, `/etc/container_environment` and its Bash and JSON dumps are by default owned by root, and accessible only by the `docker_env` group (so that any user added this group will have these variables automatically loaded).
 If you are sure that your environment variables don't contain sensitive data, then you can also relax the permissions on that directory and those files by making them world-readable:
    RUN chmod 755 /etc/container_environment
    RUN chmod 644 /etc/container_environment.sh /etc/container_environment.json
 <a name="logging"></a>
 ### System logging
 Baseimage-docker uses syslog-ng to provide a syslog facility to the container. Syslog-ng is not managed as an runit service (see below). Syslog messages are forwarded to the console.
 #### Log startup/shutdown sequence
 In order to ensure that all application log messages are captured by syslog-ng, syslog-ng is started separately before the runit supervisor process, and shutdown after runit exits. This uses the [startup script facility](#running_startup_scripts) provided by this image. This avoids a race condition which would exist if syslog-ng were managed as an runit service, where runit kills syslog-ng in parallel with the container's other services, causing log messages to be dropped during a graceful shutdown if syslog-ng exits while logs are still being produced by other services.
 <a name="upgrading_os"></a>
 ### Upgrading the operating system inside the container
-Baseimage-docker images contain an Ubuntu operating system (see OS version at [Overview](#overview)). You may want to update this OS from time to time, for example to pull in the latest security updates. OpenSSL is a notorious example. Vulnerabilities are discovered in OpenSSL on a regular basis, so you should keep OpenSSL up-to-date as much as you can.
+Baseimage-docker images contain an Ubuntu 16.04 operating system. You may want to update this OS from time to time, for example to pull in the latest security updates. OpenSSL is a notorious example. Vulnerabilities are discovered in OpenSSL on a regular basis, so you should keep OpenSSL up-to-date as much as you can.
-While we release Baseimage-docker images with the latest OS updates from time to time, you do not have to rely on us. You can update the OS inside Baseimage-docker images yourself, and it is recommended that you do this instead of waiting for us.
+While we release Baseimage-docker images with the latest OS updates from time to time, you do not have to rely on us. You can update the OS inside Baseimage-docker images yourself, and it is recommend that you do this instead of waiting for us.
 To upgrade the OS in the image, run this in your Dockerfile:
@@ -474,7 +423,7 @@ Then, you can start your container with
    docker run -d -v `pwd`/myfolder:/etc/my_init.d my/dockerimage
-This will initialize sshd on container boot.  You can then access it with the insecure key as below, or using the methods to add a secure key.  Further, you can publish the port to your machine with -p 2222:22 allowing you to ssh to 127.0.0.1:2222 instead of looking up the ip address of the container.
+This will initialize sshd on container boot.  You can then access it with the insecure key as below, or using the methods to add a secure key.  Further, you can publish the port to your machine with -p 22:2222 allowing you to ssh to localhost:2222 instead of looking up the ip address.
 <a name="ssh_keys"></a>
 #### About SSH keys
@@ -519,7 +468,7 @@ Edit your Dockerfile to install the insecure key permanently:
    RUN /usr/sbin/enable_insecure_key
-Instructions for logging into the container is the same as in section [Using the insecure key for one container only](#using_the_insecure_key_for_one_container_only).
+Instructions for logging in the container is the same as in section [Using the insecure key for one container only](#using_the_insecure_key_for_one_container_only).
 <a name="using_your_own_key"></a>
 #### Using your own key
@@ -584,12 +533,6 @@ Clone this repository:
 Start a virtual machine with Docker in it. You can use the Vagrantfile that we've already provided.
 First, install `vagrant-disksize` plug-in:
    vagrant plugin install vagrant-disksize
 Then, start the virtual machine
    vagrant up
    vagrant ssh
    cd /vagrant
@@ -602,29 +545,14 @@ If you want to call the resulting image something else, pass the NAME variable,
    make build NAME=joe/baseimage
 You can also change the `ubuntu` base-image to `debian` as these distributions are quite similar.
    make build BASE_IMAGE=debian:stretch
 The image will be: `phusion/baseimage-debian-stretch`. Use the `NAME` variable in combination with the `BASE_IMAGE` one to call it `joe/stretch`.
    make build BASE_IMAGE=debian:stretch NAME=joe/stretch
 To verify that the various services are started, when the image is run as a container, add `test` to the end of your make invocations, e.g.:
    make build BASE_IMAGE=debian:stretch NAME=joe/stretch test
 <a name="removing_optional_services"></a>
 ### Removing optional services
 The default baseimage-docker installs `syslog-ng`, `cron` and `sshd` services during the build process.
-In case you don't need one or more of these services in your image, you can disable its installation through the `image/buildconfig` that is sourced within `image/system_services.sh`.  Do this at build time by passing a variable in with `--build-arg`  as in `docker build --build-arg DISABLE_SYSLOG=1 image/`, or you may set the variable in `image/Dockerfile` with an ENV setting above the RUN directive.
+In case you don't need one or more of these services in your image, you can disable its installation.
-These represent build-time configuration, so setting them in the shell env at build-time [will not have any effect](https://github.com/phusion/baseimage-docker/issues/459#issuecomment-439177442).  Setting them in child images' Dockerfiles will also not have any effect.)
+As shown in the following example, to prevent `sshd` from being installed into your image, set `1` to the `DISABLE_SSH` variable in the `./image/buildconfig` file.
 You can also set them directly as shown in the following example, to prevent `sshd` from being installed into your image, set `1` to the `DISABLE_SSH` variable in the `./image/buildconfig` file.
    ### In ./image/buildconfig
    # ...
@@ -642,8 +570,7 @@ Then you can proceed with `make build` command.
 * Using baseimage-docker? [Tweet about us](https://twitter.com/share) or [follow us on Twitter](https://twitter.com/phusion_nl).
 * Having problems? Want to participate in development? Please post a message at [the discussion forum](https://groups.google.com/d/forum/passenger-docker).
 * Looking for a more complete base image, one that is ideal for Ruby, Python, Node.js and Meteor web apps? Take a look at [passenger-docker](https://github.com/phusion/passenger-docker).
 * Need a helping hand? Phusion also offers [consulting](https://www.phusion.nl/consultancy) on a wide range of topics, including Web Development, UI/UX Research & Design, Technology Migration and Auditing. 
-[<img src="https://avatars.githubusercontent.com/u/830588?s=200&v=4">](https://www.phusion.nl/)
+[<img src="http://www.phusion.nl/assets/logo.png">](http://www.phusion.nl/)
 Please enjoy baseimage-docker, a product by [Phusion](http://www.phusion.nl/). :-)
--- a/README_ZH_cn_.md
+++ b/README_ZH_cn_.md
@@ -10,10 +10,10 @@ Baseimage-docker是一个特殊的[Docker](http://www.docker.io)镜像，在Dock
 可以把它作为自己的基础Docker镜像。
 Baseimage-docker项目可以直接从Docker的[registry](https://index.docker.io/u/phusion/baseimage/)获取！
-
+        
 <a name="what-are-the-problems-with-the-stock-ubuntu-base-image"></a>
 ### 原生的Ubuntu基础镜像有什么问题呢？          
-
+            
 原生Ubuntu不是为了在Docker内运行而设计的。它的初始化系统Upstart，假定运行的环境要么是真实的硬件，要么是虚拟的硬件，而不是在Docker容器内。但是在一个Docker的容器内，并不需要一个完整的系统，你需要的只是一个很小的系统。但是如果你不是非常熟悉Unix的系统模型，想要在Docker容器内裁减出最小的系统，会碰到很多难以正确解决的陌生的技术坑。这些坑会引起很多莫名其妙的问题。
 Baseimage-docker让这一切完美。在"内容"部分描述了所有这些修改。
@@ -22,7 +22,7 @@ Baseimage-docker让这一切完美。在"内容"部分描述了所有这些修
 ### 为什么使用baseimage-docker？
 你自己可以从Dockerfile配置一个原生`ubuntu`镜像，为什么还要多此一举的使用baseimage-docker呢?
-
+        
 * 配置一个Docker友好的基础系统并不是一个简单的任务。如前所述，过程中会碰到很多坑。当你搞定这些坑之后，只不过是又重新发明了一个baseimage-docker而已。使用baseimage-docker可以免去你这方面需要做的努力。          
 * 减少需要正确编写Dockerfile文件的时间。你不用再担心基础系统，可以专注于你自己的技术栈和你的项目。            
 * 减少需要运行`docker build`的时间，让你更快的迭代Dockerfile。         
@@ -82,7 +82,7 @@ Baseimage-docker让这一切完美。在"内容"部分描述了所有这些修
 | 模块        | 为什么包含这些？以及备注 |
 | ---------------- | ------------------- |
-| Ubuntu 24.04 LTS | 基础系统。 |
+| Ubuntu 16.04 LTS | 基础系统。 |
 | 一个**正确**的初始化进程  | *主要文章：[Docker和PID 1 僵尸进程回收问题](http://blog.phusion.nl/2015/01/20/docker-and-the-pid-1-zombie-reaping-problem/)*<br/><br/>根据Unix进程模型，[初始化进程](https://en.wikipedia.org/wiki/Init) -- PID 1 -- 继承了所有[孤立的子进程](https://en.wikipedia.org/wiki/Orphan_process)，并且必须[进行回收](https://en.wikipedia.org/wiki/Wait_(system_call))。大多数Docker容器没有一个初始化进程可以正确的完成此操作，随着时间的推移会导致他们的容器出现了大量的[僵尸进程](https://en.wikipedia.org/wiki/Zombie_process)。<br/><br/>而且，`docker stop`发送SIGTERM信号给初始化进程，照理说此信号应该可以停止所有服务。不幸的是由于它们对硬件进行了关闭操作，导致Docker内的大多数初始化系统没有正确执行。这会导致进程强行被SIGKILL信号关闭，从而丧失了一个正确取消初始化设置的机会。这会导致文件损坏。<br/><br/>Baseimage-docker配有一个名为`/sbin/my_init`的初始化进程来同时正确的完成这些任务。 |
 | 修复了APT与Docker不兼容的问题 | 详情参见：https://github.com/dotcloud/docker/issues/1024 。 |
 | syslog-ng | 对于很多服务－包括kernel自身，都需要一个syslog后台进程，以便可以正确的将log输出到/var/log/syslog中。如果没有运行syslog后台进程，很多重要的信息就会默默的丢失了。<br/><br/>只对本地进行监听。所有syslog信息会被转发给“docker logs”。 |
@@ -123,18 +123,18 @@ Baseimage-docker *鼓励* 通过runit来运行多进程.
 	# 使用phusion/baseimage作为基础镜像,去构建你自己的镜像,需要下载一个明确的版本,千万不要使用`latest`.
 	# 查看https://github.com/phusion/baseimage-docker/blob/master/Changelog.md,可用看到版本的列表.
 	FROM phusion/baseimage:<VERSION>
-
+	
 	# 设置正确的环境变量.
 	ENV HOME /root
-
+	
 	# 生成SSH keys,baseimage-docker不包含任何的key,所以需要你自己生成.你也可以注释掉这句命令,系统在启动过程中,会生成一个.
 	RUN /etc/my_init.d/00_regen_ssh_host_keys.sh
-
+	
 	# 初始化baseimage-docker系统
 	CMD ["/sbin/my_init"]
-
+	
 	# 这里可以放置你自己需要构建的命令
-
+	
 	# 当完成后,清除APT.
 	RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
@@ -152,7 +152,7 @@ Baseimage-docker *鼓励* 通过runit来运行多进程.
 	#!/bin/sh
 	# `/sbin/setuser memcache` 指定一个`memcache`用户来运行命令.如果你忽略了这部分,就会使用root用户执行.
 	exec /sbin/setuser memcache /usr/bin/memcached >>/var/log/memcached.log 2>&1
-
+	
 	### 在Dockerfile中:
    RUN mkdir /etc/service/memcached
    COPY memcached.sh /etc/service/memcached/run
@@ -188,7 +188,7 @@ baseimage-docker的初始化脚本 `/sbin/my_init`,在启动的时候进程运
 * 在Unix系统中,环境变量都会被子进程给继承.这就意味着,子进程不可能修改环境变量或者修改其他进程的环境变量.
 * 由于上面提到的一点,这里没有一个可以为所有应用和服务集中定义环境的地方.Debian提供了一个`/etc/environment` 文件,解决一些问题.
 * 某些服务更改环境变量是为了给子进程使用.Nginx有这样的一个例子:它移除了所有的环境变量,除非你通过`env`进行了配置,明确了某些是保留的.如果你部署了任何应用在Nginx镜像(例如:使用[passenger-docker](https://github.com/phusion/passenger-docker)镜像或者使用Phusion Passenger作为你的镜像.),那么你通过Docker,你不会看到任何环境变量.
-
+ 
 `my_init`提供了一个办法来解决这些问题.
@@ -289,7 +289,7 @@ baseimage-docker的初始化脚本 `/sbin/my_init`,在启动的时候进程运
 <a name="disabling_ssh"></a>
 ### 禁用SSH
-Baseimage-docker默认是支持SSH的,所以可以[使用SSH](#login_ssh)来[管理你的容器](#container_administration).万一你不想支持SSH,你只要禁用它就可以:
+Baseimage-docker默认是支持SSH的,所以可以[使用SSH](#login_ssh)来[管理你的容器](#container_administration).万一你不想支持SSH,你可以只要禁用它:
    RUN rm -rf /etc/service/sshd /etc/my_init.d/00_regen_ssh_host_keys.sh
@@ -338,7 +338,7 @@ Baseimage-docker提供了一个灵活的方式运行只要一闪而过的命令,
    *** Shutting down runit daemon (PID 80)...
    *** Killing all processes...
-你会发现默认的启动流程太复杂或者你不希望执行启动文件, 你可以自定义这些参数传递给 `my_init`. 调用`docker run YOUR_IMAGE /sbin/my_init --help`可以看到帮助信息.
+你会发现默认的启动的流程太负责.或者你不希望执行启动文件.你可以自定义所有通过给`my_init`增加参数.调用`docker run YOUR_IMAGE /sbin/my_init --help`可以看到帮助信息.
 例如上面运行`ls`命令,同时要求不运行启动脚本,减少信息打印,运行runit所有命令.
@@ -348,12 +348,12 @@ Baseimage-docker提供了一个灵活的方式运行只要一闪而过的命令,
 <a name="run_inside_existing_container"></a>
 ### 在一个已经运行的容器中,运行一条命令
-这里有两种办法, 在一个已经运行的容器内执行命令.
+这里有两种办法去在一个已经运行的容器中运行命令.
- * 通过`nseneter`工具. 这个工具用于Linux内核调用在内嵌容器中运行命令. 可以查看[通过`nsenter`,登录容器或者在容器内执行命令](#login_nsenter).
+ * 通过`nseneter`工具.这个工具用于Linux内核调用在内嵌容器中运行命令.可以查看[通过`nsenter`,登录容器或者在容器内执行命令](#login_nsenter).
- * 通过SSH.这种办法需要在容器中运行ssh服务,而且需要你创建自己的sshkey. 可以查看[通过`ssh`,登录容器或者在容器内执行命令](#login_ssh).
+ * 通过SSH.这种办法需要在容器中运行ssh服务,而且需要你创建自己的sshkey.可以查看[通过`ssh`,登录容器或者在容器内执行命令](#login_ssh).
-两种方法都是他们各自的优点和确定, 你可以学习他们各自的章节来了解他们.
+两种方法都是他们各自的优点和确定,你可以学习他们各自的章节来了他们.
 <a name="login_nsenter"></a>
 ### 通过`nsenter`,登录容器或者在容器内执行命令
@@ -387,11 +387,11 @@ Baseimage-docker提供了一个灵活的方式运行只要一闪而过的命令,
    docker ps
-一旦得到容器的id, 找到运行容器的主进程`PID`.
+一旦拥有容器的id,找到运行容器的主要进程额`PID`.
    docker inspect -f "{{ .State.Pid }}" <ID>
-现在你已得到容器的主进程PID, 就可以使用`nsenter`来登录容器, 或者在容器中执行命令:
+现在你有的容器的主进程的PID,就可以使用`nsenter`来登录容器,或者在容器里面执行命令:
    # 登录容器
    nsenter --target <MAIN PROCESS PID> --mount --uts --ipc --net --pid bash -l
@@ -401,9 +401,8 @@ Baseimage-docker提供了一个灵活的方式运行只要一闪而过的命令,
 <a name="docker_bash"></a>
 #### `docker-bash`工具
 目前(2017-03-31), 英文文档没有发现这个命令
-查找一个容器的主要进程的PID和输入这么长的nsenter命令很快会变得乏味无比.幸运的是,我们提供了一个`docker-bash` 工具,它可以自动完成只要的工具.这个工具是运行在*docker主机*上面,不是在docker容器中.
+查找一个容器的主要进程的PID和输入这么长的nsenter命令很快会变得乏味无论.幸运的是,我们提供了一个`docker-bash` 工具,它可以自动完成只要的工具.这个工具是运行在*docker主机*上面,不是在docker容器中.
 该工具还附带了一个预编译的二进制`nsenter`,这样你不需要自己安装`nsenter`了.`docker-bash`是很简单的使用的.
@@ -436,7 +435,7 @@ Baseimage-docker提供了一个灵活的方式运行只要一闪而过的命令,
   * 不需要docker主机提供root权限.
   * 运行你让用户登录到容器,而不需要登录到docker主机.然而,默认这是不启用的,因为baseimage-docker默认不是开放ssh服务的.
 * 缺点
-   * 需要设置ssh key.然而,baseimage-docker会提供一种方法,会让key的生成变得很容易.阅读更多信息.
+   * 需要设置ssh key.然而,baseimage-docker会提供一中办法,会让key的生成会很容易.阅读更多信息.
 第一件事情,就是你需要确定你在容器中已经安装设置了ssh key. 默认是不安装任何key的,所以任何人都无法登录.为了方便的原因,我们提供了一个[已经生成的key](https://github.com/phusion/baseimage-docker/blob/master/image/services/sshd/keys/insecure_key) [(PuTTY format)](https://github.com/phusion/baseimage-docker/blob/master/image/services/sshd/keys/insecure_key.ppk),为了让你使用方便.然后,请注意这个key仅仅是为方便.他没有任何安全性,因为它的key是在网络上提供的.**在生产环境,你必须使用你自己的key.**
@@ -454,13 +453,11 @@ Baseimage-docker提供了一个灵活的方式运行只要一闪而过的命令,
    docker ps
-一旦你得到容器的ID,就能找到容器使用的IP地址:
+一旦你拥有容器的ID,就能找到容器使用的IP地址:
    docker inspect -f "{{ .NetworkSettings.IPAddress }}" <ID>
-译者注:  类似 `"{{ .NetworkSettings.IPAddress }}"` 是用到了 [Go的模板语法](https://gohugo.io/templates/go-templates/).
+现在你有得了IP地址,你就看通过SSH来登录容器,或者在容器中执行命令了:
 现在你得到了IP地址, 你就可以通过SSH来登录容器,或者在容器中执行命令了:
    # 下载key
    curl -o insecure_key -fSL https://github.com/phusion/baseimage-docker/raw/master/image/services/sshd/keys/insecure_key
@@ -504,7 +501,7 @@ Baseimage-docker提供了一个灵活的方式运行只要一闪而过的命令,
    docker inspect -f "{{ .NetworkSettings.IPAddress }}" <ID>
-现在你有得了IP地址,你就可以通过SSH来登录容器,或者在容器中执行命令了:
+现在你有得了IP地址,你就看通过SSH来登录容器,或者在容器中执行命令了:
    # 登录容器
    ssh -i /path-to/your_key root@<IP address>
@@ -543,7 +540,7 @@ Baseimage-docker提供了一个灵活的方式运行只要一闪而过的命令,
    git clone https://github.com/phusion/baseimage-docker.git
    cd baseimage-docker
-创建一个包含docker在内的虚拟机.你可以使用我们提供的Vagrantfile.
+创建一个包含docker在的虚拟机.你可以使用我们提供的Vagrantfile.
    vagrant up
    vagrant ssh
@@ -553,7 +550,7 @@ Baseimage-docker提供了一个灵活的方式运行只要一闪而过的命令,
    make build
-如果你想修改镜像的名称, 通过`NAME`变量可以设置:
+如果你想把创建的镜像名字,叫其他名字,通过`NAME`变量可以设置:
    make build NAME=joe/baseimage
--- a/README_zh_tw.md
+++ b/README_zh_tw.md
@@ -82,7 +82,7 @@ Baseimage-docker讓這一切完美。在"內容"部分描述了所有這些修
 | 模塊        | 爲什麼包含這些？以及備註 |
 | ---------------- | ------------------- |
-| Ubuntu 24.04 LTS | 基礎系統。 |
+| Ubuntu 16.04 LTS | 基礎系統。 |
 | 一個**正確**的初始化行程  | *主要文章：[Docker和PID 1 殭屍行程回收問題](http://blog.phusion.nl/2015/01/20/docker-and-the-pid-1-zombie-reaping-problem/)*<br/><br/>根據Unix行程模型，[初始化行程](https://en.wikipedia.org/wiki/Init) -- PID 1 -- 繼承了所有[孤立的子行程](https://en.wikipedia.org/wiki/Orphan_process)，並且必須[進行回收](https://en.wikipedia.org/wiki/Wait_(system_call))。大多數Docker容器沒有一個初始化行程可以正確的完成此操作，隨着時間的推移會導致他們的容器出現了大量的[殭屍行程](https://en.wikipedia.org/wiki/Zombie_process)。<br/><br/>而且，`docker stop`發送SIGTERM信號給初始化行程，照理說此信號應該可以停止所有服務。不幸的是由於它們對硬體進行了關閉操作，導致Docker內的大多數初始化系統沒有正確執行。這會導致行程強行被SIGKILL信號關閉，從而喪失了一個正確取消初始化設置的機會。這會導致文件損壞。<br/><br/>Baseimage-docker配有一個名爲`/sbin/my_init`的初始化行程來同時正確的完成這些任務。 |
 | 修復了APT與Docker不兼容的問題 | 詳情參見：https://github.com/dotcloud/docker/issues/1024 。 |
 | syslog-ng | 對於很多服務－包括kernel自身，都需要一個syslog後臺行程，以便可以正確的將log輸出到/var/log/syslog中。如果沒有運行syslog後臺行程，很多重要的信息就會默默的丟失了。<br/><br/>只對本地進行監聽。所有syslog信息會被轉發給“docker logs”。 |
--- a/114
+++ b/114
@@ -1,74 +1,54 @@
 # -*- mode: ruby -*-
 # vi: set ft=ruby :
 ROOT = File.dirname(File.absolute_path(__FILE__))
-# All Vagrant configuration is done below. The "2" in Vagrant.configure
+# Vagrantfile API/syntax version. Don't touch unless you know what you're doing!
-# configures the configuration version (we support older styles for
+VAGRANTFILE_API_VERSION = '2'
 # backwards compatibility). Please don't change it unless you know what
 # you're doing.
 Vagrant.configure("2") do |config|
 	# The most common configuration options are documented and commented below.
 	# For a complete reference, please see the online documentation at
 	# https://docs.vagrantup.com.
-	# Every Vagrant development environment requires a box. You can search for
+# Default env properties which can be overridden
-	# boxes at https://atlas.hashicorp.com/search.
+# Example overrides:
-	config.vm.box = "ubuntu/noble64"
+#   echo "ENV['PASSENGER_DOCKER_PATH'] ||= '../../phusion/passenger-docker'   " >> ~/.vagrant.d/Vagrantfile
-	config.disksize.size = '50GB'
+#   echo "ENV['BASE_BOX_URL']          ||= 'd\:/dev/vm/vagrant/boxes/phusion/'" >> ~/.vagrant.d/Vagrantfile
 BASE_BOX_URL          = ENV['BASE_BOX_URL']    || 'https://oss-binaries.phusionpassenger.com/vagrant/boxes/latest/'
 VAGRANT_BOX_URL       = ENV['VAGRANT_BOX_URL'] || BASE_BOX_URL + 'ubuntu-14.04-amd64-vbox.box'
 VMWARE_BOX_URL        = ENV['VMWARE_BOX_URL']  || BASE_BOX_URL + 'ubuntu-14.04-amd64-vmwarefusion.box'
 BASEIMAGE_PATH        = ENV['BASEIMAGE_PATH' ] || '.'
 PASSENGER_DOCKER_PATH = ENV['PASSENGER_PATH' ] || '../passenger-docker'
 DOCKERIZER_PATH       = ENV['DOCKERIZER_PATH'] || '../dockerizer'
-	# Disable automatic box update checking. If you disable this, then
+$script = <<SCRIPT
-	# boxes will only be checked for updates when the user runs
+wget -q -O - https://get.docker.io/gpg | apt-key add -
-	# `vagrant box outdated`. This is not recommended.
+echo deb http://get.docker.io/ubuntu docker main > /etc/apt/sources.list.d/docker.list
-	# config.vm.box_check_update = false
+apt-get update -qq
 apt-get install -q -y --force-yes lxc-docker
 usermod -a -G docker vagrant
 docker version
 su - vagrant -c 'echo alias d=docker >> ~/.bash_aliases'
 SCRIPT
-	# Create a forwarded port mapping which allows access to a specific port
+Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
-	# within the machine from a port on the host machine. In the example below,
+  config.vm.box = 'phusion-open-ubuntu-14.04-amd64'
-	# accessing "localhost:8080" will access port 80 on the guest machine.
+  config.vm.box_url = VAGRANT_BOX_URL
-	# config.vm.network "forwarded_port", guest: 80, host: 8080
+  config.ssh.forward_agent = true
-
+  passenger_docker_path = File.absolute_path(PASSENGER_DOCKER_PATH, ROOT)
-	# Create a private network, which allows host-only access to the machine
+  if File.directory?(passenger_docker_path)
-	# using a specific IP.
+    config.vm.synced_folder passenger_docker_path, '/vagrant/passenger-docker'
 	# config.vm.network "private_network", ip: "192.168.33.10"
 	# Create a public network, which generally matched to bridged network.
 	# Bridged networks make the machine appear as another physical device on
 	# your network.
 	# config.vm.network "public_network"
 	# Share an additional folder to the guest VM. The first argument is
 	# the path on the host to the actual folder. The second argument is
 	# the path on the guest to mount the folder. And the optional third
 	# argument is a set of non-required options.
 	# config.vm.synced_folder "../data", "/vagrant_data"
 	# Provider-specific configuration so you can fine-tune various
 	# backing providers for Vagrant. These expose provider-specific options.
 	# Example for VirtualBox:
 	#
 	# config.vm.provider "virtualbox" do |vb|
 	#   # Display the VirtualBox GUI when booting the machine
 	#   vb.gui = true
 	#
 	#   # Customize the amount of memory on the VM:
 	#   vb.memory = "1024"
 	# end
 	#
 	# View the documentation for the provider you are using for more
 	# information on available options.
 	# Define a Vagrant Push strategy for pushing to Atlas. Other push strategies
 	# such as FTP and Heroku are also available. See the documentation at
 	# https://docs.vagrantup.com/v2/push/atlas.html for more information.
 	# config.push.define "atlas" do |push|
 	#   push.app = "YOUR_ATLAS_USERNAME/YOUR_APPLICATION_NAME"
 	# end
 	# Enable provisioning with a shell script. Additional provisioners such as
 	# Puppet, Chef, Ansible, Salt, and Docker are also available. Please see the
 	# documentation for more information about their specific syntax and use.
 	# config.vm.provision "shell", inline: <<-SHELL
 	#   apt-get update
 	#   apt-get install -y apache2
 	# SHELL
 	config.vm.provision :shell,
 	  path: "vagrant-libs/bootstrap.sh"
  end
  baseimage_path = File.absolute_path(BASEIMAGE_PATH, ROOT)
  if File.directory?(baseimage_path)
    config.vm.synced_folder baseimage_path, "/vagrant/baseimage-docker"
  end
  dockerizer_path = File.absolute_path(DOCKERIZER_PATH, ROOT)
  if File.directory?(dockerizer_path)
    config.vm.synced_folder dockerizer_path, '/vagrant/dockerizer'
  end
  config.vm.provider :vmware_fusion do |f, override|
    override.vm.box_url = VMWARE_BOX_URL
    f.vmx['displayName'] = 'baseimage-docker'
  end
  if Dir.glob("#{File.dirname(__FILE__)}/.vagrant/machines/default/*/id").empty?
    config.vm.provision :shell, :inline => $script
  end
 end
--- a/build-multiarch.sh
+++ b/build-multiarch.sh
@@ -1,22 +0,0 @@
 #!/bin/bash
 set -e
 set -x
 for arch in $ARCHS; do
    docker pull $NAME:$VERSION-${arch}
    if [[ $TAG_LATEST != 'true' ]]; then 
        docker manifest create --amend $NAME:$VERSION $NAME:$VERSION-${arch}
        docker manifest annotate $NAME:$VERSION $NAME:$VERSION-${arch} --arch ${arch}
    else
        docker manifest create --amend $NAME:latest $NAME:$VERSION-${arch}
        docker manifest annotate $NAME:latest $NAME:$VERSION-${arch} --arch ${arch}
    fi
 done
 echo "Push manifests"
 if [[ $TAG_LATEST != 'true' ]]; then 
    docker manifest push $NAME:$VERSION
 else
    docker manifest push $NAME:latest
 fi
--- a/build.sh
+++ b/build.sh
@@ -1,19 +0,0 @@
 #!/bin/bash
 set -e
 # # Prepare qemu
 # if [ '$QEMU_ARCH' != 'amd64' ]; then
 #     # docker run --rm --privileged multiarch/qemu-user-static:register --reset
 # fi
 # Get qemu package
 echo "Getting qemu package for $QEMU_ARCH"
 # Fake qemu for amd64 builds to avoid breaking COPY in Dockerfile
 if [[ $QEMU_ARCH == "amd64" ]]; then
 	touch x86_64_qemu-"$QEMU_ARCH"-static.tar.gz
 	mv x86_64_qemu-${QEMU_ARCH}-static.tar.gz image
 else
 	curl -L -o x86_64_qemu-"$QEMU_ARCH"-static.tar.gz https://github.com/multiarch/qemu-user-static/releases/download/"$QEMU_VERSION"/x86_64_qemu-"$QEMU_ARCH"-static.tar.gz
 	mv x86_64_qemu-${QEMU_ARCH}-static.tar.gz image
 fi
--- a/image/Dockerfile
+++ b/image/Dockerfile
@@ -1,19 +1,16 @@
-ARG BASE_IMAGE=ubuntu:24.04
+FROM armhf/ubuntu
-FROM $BASE_IMAGE
+MAINTAINER Phusion <info@phusion.nl>
 ARG QEMU_ARCH
 #ADD x86_64_qemu-${QEMU_ARCH}-static.tar.gz /usr/bin
 COPY . /bd_build
 RUN /bd_build/prepare.sh && \
 	/bd_build/system_services.sh && \
 	/bd_build/utilities.sh && \
 	/bd_build/fix_pam_bug.sh && \
 	/bd_build/cleanup.sh
-ENV DEBIAN_FRONTEND="teletype" \
+ENV LANG en_US.UTF-8
-    LANG="en_US.UTF-8" \
+ENV LANGUAGE en_US:en
-    LANGUAGE="en_US:en" \
+ENV LC_ALL en_US.UTF-8
    LC_ALL="en_US.UTF-8"
 CMD ["/sbin/my_init"]
--- a/image/bin/install_clean
+++ b/image/bin/install_clean
@@ -1,17 +0,0 @@
 #!/bin/bash -e
 #  Apt installer helper for Docker images
 ARGS="$*"
 NO_RECOMMENDS="--no-install-recommends"
 RECOMMENDS="--install-recommends"
 if [[ $ARGS =~ "$RECOMMENDS" ]]; then
    NO_RECOMMENDS=""
    ARGS=$(sed "s/$RECOMMENDS//g" <<<"$ARGS")
 fi
 echo "Installing $ARGS"
 apt-get -q update && apt-get -qy install $NO_RECOMMENDS $ARGS \
    && apt-get -qy autoremove \
    && apt-get clean \
    && rm -r /var/lib/apt/lists/*
--- a/image/bin/my_init
+++ b/image/bin/my_init
@@ -1,420 +1,359 @@
 #!/usr/bin/python3 -u
-# -*- coding: utf-8 -*-
+import os, os.path, sys, stat, signal, errno, argparse, time, json, re
-import argparse
+KILL_PROCESS_TIMEOUT = os.environ.get('KILL_PROCESS_TIMEOUT', 5)
-import errno
+KILL_ALL_PROCESSES_TIMEOUT = os.environ.get('KILL_ALL_PROCESSES_TIMEOUT', 5)
 import json
 import os
 import os.path
 import re
 import signal
 import stat
 import sys
 import time
 ENV_INIT_DIRECTORY = os.environ.get('ENV_INIT_DIRECTORY', '/etc/my_init.d')
 KILL_PROCESS_TIMEOUT = int(os.environ.get('KILL_PROCESS_TIMEOUT', 30))
 KILL_ALL_PROCESSES_TIMEOUT = int(os.environ.get('KILL_ALL_PROCESSES_TIMEOUT', 30))
 LOG_LEVEL_ERROR = 1
-LOG_LEVEL_WARN = 1
+LOG_LEVEL_WARN  = 1
-LOG_LEVEL_INFO = 2
+LOG_LEVEL_INFO  = 2
 LOG_LEVEL_DEBUG = 3
-SHENV_NAME_WHITELIST_REGEX = re.compile(r'\W')
+SHENV_NAME_WHITELIST_REGEX = re.compile('[^\w\-_\.]')
 log_level = None
 terminated_child_processes = {}
 _find_unsafe = re.compile(r'[^\w@%+=:,./-]').search
 class AlarmException(Exception):
-    pass
+	pass
 def error(message):
-    if log_level >= LOG_LEVEL_ERROR:
+	if log_level >= LOG_LEVEL_ERROR:
-        sys.stderr.write("*** %s\n" % message)
+		sys.stderr.write("*** %s\n" % message)
 def warn(message):
-    if log_level >= LOG_LEVEL_WARN:
+	if log_level >= LOG_LEVEL_WARN:
-        sys.stderr.write("*** %s\n" % message)
+		sys.stderr.write("*** %s\n" % message)
 def info(message):
-    if log_level >= LOG_LEVEL_INFO:
+	if log_level >= LOG_LEVEL_INFO:
-        sys.stderr.write("*** %s\n" % message)
+		sys.stderr.write("*** %s\n" % message)
 def debug(message):
-    if log_level >= LOG_LEVEL_DEBUG:
+	if log_level >= LOG_LEVEL_DEBUG:
-        sys.stderr.write("*** %s\n" % message)
+		sys.stderr.write("*** %s\n" % message)
 def ignore_signals_and_raise_keyboard_interrupt(signame):
-    signal.signal(signal.SIGTERM, signal.SIG_IGN)
+	signal.signal(signal.SIGTERM, signal.SIG_IGN)
-    signal.signal(signal.SIGINT, signal.SIG_IGN)
+	signal.signal(signal.SIGINT, signal.SIG_IGN)
-    raise KeyboardInterrupt(signame)
+	raise KeyboardInterrupt(signame)
 def raise_alarm_exception():
-    raise AlarmException('Alarm')
+	raise AlarmException('Alarm')
 def listdir(path):
-    try:
+	try:
-        result = os.stat(path)
+		result = os.stat(path)
-    except OSError:
+	except OSError:
-        return []
+		return []
-    if stat.S_ISDIR(result.st_mode):
+	if stat.S_ISDIR(result.st_mode):
-        return sorted(os.listdir(path))
+		return sorted(os.listdir(path))
-    else:
+	else:
-        return []
+		return []
 def is_exe(path):
-    try:
+	try:
-        return os.path.isfile(path) and os.access(path, os.X_OK)
+		return os.path.isfile(path) and os.access(path, os.X_OK)
-    except OSError:
+	except OSError:
-        return False
+		return False
 def import_envvars(clear_existing_environment = True, override_existing_environment = True):
 	if not os.path.exists("/etc/container_environment"):
 		return
 	new_env = {}
 	for envfile in listdir("/etc/container_environment"):
 		name = os.path.basename(envfile)
 		with open("/etc/container_environment/" + envfile, "r") as f:
 			# Text files often end with a trailing newline, which we
 			# don't want to include in the env variable value. See
 			# https://github.com/phusion/baseimage-docker/pull/49
 			value = re.sub('\n\Z', '', f.read())
 		new_env[name] = value
 	if clear_existing_environment:
 		os.environ.clear()
 	for name, value in new_env.items():
 		if override_existing_environment or not name in os.environ:
 			os.environ[name] = value
-def import_envvars(clear_existing_environment=True, override_existing_environment=True):
+def export_envvars(to_dir = True):
-    if not os.path.exists("/etc/container_environment"):
+	if not os.path.exists("/etc/container_environment"):
-        return
+		return
-    new_env = {}
+	shell_dump = ""
-    for envfile in listdir("/etc/container_environment"):
+	for name, value in os.environ.items():
-        name = os.path.basename(envfile)
+		if name in ['HOME', 'USER', 'GROUP', 'UID', 'GID', 'SHELL']:
-        with open("/etc/container_environment/" + envfile, "r") as f:
+			continue
-            # Text files often end with a trailing newline, which we
+		if to_dir:
-            # don't want to include in the env variable value. See
+			with open("/etc/container_environment/" + name, "w") as f:
-            # https://github.com/phusion/baseimage-docker/pull/49
+				f.write(value)
-            value = re.sub('\n\\Z', '', f.read())
+		shell_dump += "export " + sanitize_shenvname(name) + "=" + shquote(value) + "\n"
-        new_env[name] = value
+	with open("/etc/container_environment.sh", "w") as f:
-    if clear_existing_environment:
+		f.write(shell_dump)
-        os.environ.clear()
+	with open("/etc/container_environment.json", "w") as f:
-    for name, value in new_env.items():
+		f.write(json.dumps(dict(os.environ)))
        if override_existing_environment or name not in os.environ:
            os.environ[name] = value
 def export_envvars(to_dir=True):
    if not os.path.exists("/etc/container_environment"):
        return
    shell_dump = ""
    for name, value in os.environ.items():
        if name in ['HOME', 'USER', 'GROUP', 'UID', 'GID', 'SHELL']:
            continue
        if to_dir:
            with open("/etc/container_environment/" + name, "w") as f:
                f.write(value)
        shell_dump += "export " + sanitize_shenvname(name) + "=" + shquote(value) + "\n"
    with open("/etc/container_environment.sh", "w") as f:
        f.write(shell_dump)
    with open("/etc/container_environment.json", "w") as f:
        f.write(json.dumps(dict(os.environ)))
 _find_unsafe = re.compile(r'[^\w@%+=:,./-]').search
 def shquote(s):
-    """Return a shell-escaped version of the string *s*."""
+	"""Return a shell-escaped version of the string *s*."""
-    if not s:
+	if not s:
-        return "''"
+		return "''"
-    if _find_unsafe(s) is None:
+	if _find_unsafe(s) is None:
-        return s
+		return s
    # use single quotes, and put single quotes into double quotes
    # the string $'b is then quoted as '$'"'"'b'
    return "'" + s.replace("'", "'\"'\"'") + "'"
 	# use single quotes, and put single quotes into double quotes
 	# the string $'b is then quoted as '$'"'"'b'
 	return "'" + s.replace("'", "'\"'\"'") + "'"
 def sanitize_shenvname(s):
-    """Return string with [0-9a-zA-Z_] characters"""
+	return re.sub(SHENV_NAME_WHITELIST_REGEX, "_", s)
    return re.sub(SHENV_NAME_WHITELIST_REGEX, "_", s)
 # Waits for the child process with the given PID, while at the same time
 # reaping any other child processes that have exited (e.g. adopted child
 # processes that have terminated).
 def waitpid_reap_other_children(pid):
-    global terminated_child_processes
+	global terminated_child_processes
-    status = terminated_child_processes.get(pid)
+	status = terminated_child_processes.get(pid)
-    if status:
+	if status:
-        # A previous call to waitpid_reap_other_children(),
+		# A previous call to waitpid_reap_other_children(),
-        # with an argument not equal to the current argument,
+		# with an argument not equal to the current argument,
-        # already waited for this process. Return the status
+		# already waited for this process. Return the status
-        # that was obtained back then.
+		# that was obtained back then.
-        del terminated_child_processes[pid]
+		del terminated_child_processes[pid]
-        return status
+		return status
-    done = False
+	done = False
-    status = None
+	status = None
-    while not done:
+	while not done:
-        try:
+		try:
-            # https://github.com/phusion/baseimage-docker/issues/151#issuecomment-92660569
+			# https://github.com/phusion/baseimage-docker/issues/151#issuecomment-92660569
-            this_pid, status = os.waitpid(pid, os.WNOHANG)
+			this_pid, status = os.waitpid(pid, os.WNOHANG)
-            if this_pid == 0:
+			if this_pid == 0:
-                this_pid, status = os.waitpid(-1, 0)
+				this_pid, status = os.waitpid(-1, 0)
-            if this_pid == pid:
+			if this_pid == pid:
-                done = True
+				done = True
-            else:
+			else:
-                # Save status for later.
+				# Save status for later.
-                terminated_child_processes[this_pid] = status
+				terminated_child_processes[this_pid] = status
-        except OSError as e:
+		except OSError as e:
-            if e.errno == errno.ECHILD or e.errno == errno.ESRCH:
+			if e.errno == errno.ECHILD or e.errno == errno.ESRCH:
-                return None
+				return None
-            else:
+			else:
-                raise
+				raise
-    return status
+	return status
 def stop_child_process(name, pid, signo=signal.SIGTERM, time_limit=KILL_PROCESS_TIMEOUT):
    info("Shutting down %s (PID %d)..." % (name, pid))
    try:
        os.kill(pid, signo)
    except OSError:
        pass
    signal.alarm(time_limit)
    try:
        try:
            waitpid_reap_other_children(pid)
        except OSError:
            pass
    except AlarmException:
        warn("%s (PID %d) did not shut down in time. Forcing it to exit." % (name, pid))
        try:
            os.kill(pid, signal.SIGKILL)
        except OSError:
            pass
        try:
            waitpid_reap_other_children(pid)
        except OSError:
            pass
    finally:
        signal.alarm(0)
 def stop_child_process(name, pid, signo = signal.SIGTERM, time_limit = KILL_PROCESS_TIMEOUT):
 	info("Shutting down %s (PID %d)..." % (name, pid))
 	try:
 		os.kill(pid, signo)
 	except OSError:
 		pass
 	signal.alarm(time_limit)
 	try:
 		try:
 			waitpid_reap_other_children(pid)
 		except OSError:
 			pass
 	except AlarmException:
 		warn("%s (PID %d) did not shut down in time. Forcing it to exit." % (name, pid))
 		try:
 			os.kill(pid, signal.SIGKILL)
 		except OSError:
 			pass
 		try:
 			waitpid_reap_other_children(pid)
 		except OSError:
 			pass
 	finally:
 		signal.alarm(0)
 def run_command_killable(*argv):
-    filename = argv[0]
+	filename = argv[0]
-    status = None
+	status = None
-    pid = os.spawnvp(os.P_NOWAIT, filename, argv)
+	pid = os.spawnvp(os.P_NOWAIT, filename, argv)
-    try:
+	try:
-        status = waitpid_reap_other_children(pid)
+		status = waitpid_reap_other_children(pid)
-    except BaseException:
+	except BaseException as s:
-        warn("An error occurred. Aborting.")
+		warn("An error occurred. Aborting.")
-        stop_child_process(filename, pid)
+		stop_child_process(filename, pid)
-        raise
+		raise
-    if status != 0:
+	if status != 0:
-        if status is None:
+		if status is None:
-            error("%s exited with unknown status\n" % filename)
+			error("%s exited with unknown status\n" % filename)
-        else:
+		else:
-            error("%s failed with status %d\n" % (filename, os.WEXITSTATUS(status)))
+			error("%s failed with status %d\n" % (filename, os.WEXITSTATUS(status)))
-        sys.exit(1)
+		sys.exit(1)
 def run_command_killable_and_import_envvars(*argv):
-    run_command_killable(*argv)
+	run_command_killable(*argv)
-    import_envvars()
+	import_envvars()
-    export_envvars(False)
+	export_envvars(False)
 def kill_all_processes(time_limit):
-    info("Killing all processes...")
+	info("Killing all processes...")
-    try:
+	try:
-        os.kill(-1, signal.SIGTERM)
+		os.kill(-1, signal.SIGTERM)
-    except OSError:
+	except OSError:
-        pass
+		pass
-    signal.alarm(time_limit)
+	signal.alarm(time_limit)
-    try:
+	try:
-        # Wait until no more child processes exist.
+		# Wait until no more child processes exist.
-        done = False
+		done = False
-        while not done:
+		while not done:
-            try:
+			try:
-                os.waitpid(-1, 0)
+				os.waitpid(-1, 0)
-            except OSError as e:
+			except OSError as e:
-                if e.errno == errno.ECHILD:
+				if e.errno == errno.ECHILD:
-                    done = True
+					done = True
-                else:
+				else:
-                    raise
+					raise
-    except AlarmException:
+	except AlarmException:
-        warn("Not all processes have exited in time. Forcing them to exit.")
+		warn("Not all processes have exited in time. Forcing them to exit.")
-        try:
+		try:
-            os.kill(-1, signal.SIGKILL)
+			os.kill(-1, signal.SIGKILL)
-        except OSError:
+		except OSError:
-            pass
+			pass
-    finally:
+	finally:
-        signal.alarm(0)
+		signal.alarm(0)
 def run_startup_files():
-    # Run ENV_INIT_DIRECTORY/*
+	# Run /etc/my_init.d/*
-    for name in listdir(ENV_INIT_DIRECTORY):
+	for name in listdir("/etc/my_init.d"):
-        filename = os.path.join(ENV_INIT_DIRECTORY, name)
+		filename = "/etc/my_init.d/" + name
-        if is_exe(filename):
+		if is_exe(filename):
-            info("Running %s..." % filename)
+			info("Running %s..." % filename)
-            run_command_killable_and_import_envvars(filename)
+			run_command_killable_and_import_envvars(filename)
    # Run /etc/rc.local.
    if is_exe("/etc/rc.local"):
        info("Running /etc/rc.local...")
        run_command_killable_and_import_envvars("/etc/rc.local")
 def run_pre_shutdown_scripts():
    debug("Running pre-shutdown scripts...")
    # Run /etc/my_init.pre_shutdown.d/*
    for name in listdir("/etc/my_init.pre_shutdown.d"):
        filename = "/etc/my_init.pre_shutdown.d/" + name
        if is_exe(filename):
            info("Running %s..." % filename)
            run_command_killable(filename)
 def run_post_shutdown_scripts():
    debug("Running post-shutdown scripts...")
    # Run /etc/my_init.post_shutdown.d/*
    for name in listdir("/etc/my_init.post_shutdown.d"):
        filename = "/etc/my_init.post_shutdown.d/" + name
        if is_exe(filename):
            info("Running %s..." % filename)
            run_command_killable(filename)
 	# Run /etc/rc.local.
 	if is_exe("/etc/rc.local"):
 		info("Running /etc/rc.local...")
 		run_command_killable_and_import_envvars("/etc/rc.local")
 def start_runit():
-    info("Booting runit daemon...")
+	info("Booting runit daemon...")
-    pid = os.spawnl(os.P_NOWAIT, "/usr/bin/runsvdir", "/usr/bin/runsvdir",
+	pid = os.spawnl(os.P_NOWAIT, "/usr/bin/runsvdir", "/usr/bin/runsvdir",
-                    "-P", "/etc/service")
+		"-P", "/etc/service")
-    info("Runit started as PID %d" % pid)
+	info("Runit started as PID %d" % pid)
-    return pid
+	return pid
 def wait_for_runit_or_interrupt(pid):
-	status = waitpid_reap_other_children(pid)
+	try:
-	return (True, status)
+		status = waitpid_reap_other_children(pid)
-
+		return (True, status)
-
+	except KeyboardInterrupt:
-def shutdown_runit_services(quiet=False):
+		return (False, None)
    if not quiet:
        debug("Begin shutting down runit services...")
    os.system("/usr/bin/sv -w %d force-stop /etc/service/* > /dev/null" % KILL_PROCESS_TIMEOUT)
 def shutdown_runit_services(quiet = False):
 	if not quiet:
 		debug("Begin shutting down runit services...")
 	os.system("/usr/bin/sv down /etc/service/*")
 def wait_for_runit_services():
-    debug("Waiting for runit services to exit...")
+	debug("Waiting for runit services to exit...")
-    done = False
+	done = False
-    while not done:
+	while not done:
-        done = os.system("/usr/bin/sv status /etc/service/* | grep -q '^run:'") != 0
+		done = os.system("/usr/bin/sv status /etc/service/* | grep -q '^run:'") != 0
-        if not done:
+		if not done:
-            time.sleep(0.1)
+			time.sleep(0.1)
-            # According to https://github.com/phusion/baseimage-docker/issues/315
+			# According to https://github.com/phusion/baseimage-docker/issues/315
-            # there is a bug or race condition in Runit, causing it
+			# there is a bug or race condition in Runit, causing it
-            # not to shutdown services that are already being started.
+			# not to shutdown services that are already being started.
-            # So during shutdown we repeatedly instruct Runit to shutdown
+			# So during shutdown we repeatedly instruct Runit to shutdown
-            # services.
+			# services.
-            shutdown_runit_services(True)
+			shutdown_runit_services(True)
 def install_insecure_key():
-    info("Installing insecure SSH key for user root")
+	info("Installing insecure SSH key for user root")
-    run_command_killable("/usr/sbin/enable_insecure_key")
+	run_command_killable("/usr/sbin/enable_insecure_key")
 def main(args):
-    import_envvars(False, False)
+	import_envvars(False, False)
-    export_envvars()
+	export_envvars()
-    if args.enable_insecure_key:
+	if args.enable_insecure_key:
-        install_insecure_key()
+		install_insecure_key()
-    if not args.skip_startup_files:
+	if not args.skip_startup_files:
-        run_startup_files()
+		run_startup_files()
-    runit_exited = False
+	runit_exited = False
-    exit_code = None
+	exit_code = None
-    if not args.skip_runit:
+	if not args.skip_runit:
-        runit_pid = start_runit()
+		runit_pid = start_runit()
-    try:
+	try:
-        exit_status = None
+		exit_status = None
-        if len(args.main_command) == 0:
+		if len(args.main_command) == 0:
-            runit_exited, exit_code = wait_for_runit_or_interrupt(runit_pid)
+			runit_exited, exit_code = wait_for_runit_or_interrupt(runit_pid)
-            if runit_exited:
+			if runit_exited:
-                if exit_code is None:
+				if exit_code is None:
-                    info("Runit exited with unknown status")
+					info("Runit exited with unknown status")
-                    exit_status = 1
+					exit_status = 1
-                else:
+				else:
-                    exit_status = os.WEXITSTATUS(exit_code)
+					exit_status = os.WEXITSTATUS(exit_code)
-                    info("Runit exited with status %d" % exit_status)
+					info("Runit exited with status %d" % exit_status)
-        else:
+		else:
-            info("Running %s..." % " ".join(args.main_command))
+			info("Running %s..." % " ".join(args.main_command))
-            pid = os.spawnvp(os.P_NOWAIT, args.main_command[0], args.main_command)
+			pid = os.spawnvp(os.P_NOWAIT, args.main_command[0], args.main_command)
-            try:
+			try:
-                exit_code = waitpid_reap_other_children(pid)
+				exit_code = waitpid_reap_other_children(pid)
-                if exit_code is None:
+				if exit_code is None:
-                    info("%s exited with unknown status." % args.main_command[0])
+					info("%s exited with unknown status." % args.main_command[0])
-                    exit_status = 1
+					exit_status = 1
-                else:
+				else:
-                    exit_status = os.WEXITSTATUS(exit_code)
+					exit_status = os.WEXITSTATUS(exit_code)
-                    info("%s exited with status %d." % (args.main_command[0], exit_status))
+					info("%s exited with status %d." % (args.main_command[0], exit_status))
-            except KeyboardInterrupt:
+			except KeyboardInterrupt:
-                stop_child_process(args.main_command[0], pid)
+				stop_child_process(args.main_command[0], pid)
-                raise
+				raise
-            except BaseException:
+			except BaseException as s:
-                warn("An error occurred. Aborting.")
+				warn("An error occurred. Aborting.")
-                stop_child_process(args.main_command[0], pid)
+				stop_child_process(args.main_command[0], pid)
-                raise
+				raise
-        sys.exit(exit_status)
+		sys.exit(exit_status)
-    finally:
+	finally:
-        if not args.skip_runit:
+		if not args.skip_runit:
-            run_pre_shutdown_scripts()
+			shutdown_runit_services()
-            shutdown_runit_services()
+			if not runit_exited:
-            if not runit_exited:
+				stop_child_process("runit daemon", runit_pid)
-                stop_child_process("runit daemon", runit_pid)
+			wait_for_runit_services()
            wait_for_runit_services()
            run_post_shutdown_scripts()
 # Parse options.
-parser = argparse.ArgumentParser(description='Initialize the system.')
+parser = argparse.ArgumentParser(description = 'Initialize the system.')
-parser.add_argument('main_command', metavar='MAIN_COMMAND', type=str, nargs='*',
+parser.add_argument('main_command', metavar = 'MAIN_COMMAND', type = str, nargs = '*',
-                    help='The main command to run. (default: runit)')
+	help = 'The main command to run. (default: runit)')
-parser.add_argument('--enable-insecure-key', dest='enable_insecure_key',
+parser.add_argument('--enable-insecure-key', dest = 'enable_insecure_key',
-                    action='store_const', const=True, default=False,
+	action = 'store_const', const = True, default = False,
-                    help='Install the insecure SSH key')
+	help = 'Install the insecure SSH key')
-parser.add_argument('--skip-startup-files', dest='skip_startup_files',
+parser.add_argument('--skip-startup-files', dest = 'skip_startup_files',
-                    action='store_const', const=True, default=False,
+	action = 'store_const', const = True, default = False,
-                    help='Skip running /etc/my_init.d/* and /etc/rc.local')
+	help = 'Skip running /etc/my_init.d/* and /etc/rc.local')
-parser.add_argument('--skip-runit', dest='skip_runit',
+parser.add_argument('--skip-runit', dest = 'skip_runit',
-                    action='store_const', const=True, default=False,
+	action = 'store_const', const = True, default = False,
-                    help='Do not run runit services')
+	help = 'Do not run runit services')
-parser.add_argument('--no-kill-all-on-exit', dest='kill_all_on_exit',
+parser.add_argument('--no-kill-all-on-exit', dest = 'kill_all_on_exit',
-                    action='store_const', const=False, default=True,
+	action = 'store_const', const = False, default = True,
-                    help='Don\'t kill all processes on the system upon exiting')
+	help = 'Don\'t kill all processes on the system upon exiting')
-parser.add_argument('--quiet', dest='log_level',
+parser.add_argument('--quiet', dest = 'log_level',
-                    action='store_const', const=LOG_LEVEL_WARN, default=LOG_LEVEL_INFO,
+	action = 'store_const', const = LOG_LEVEL_WARN, default = LOG_LEVEL_INFO,
-                    help='Only print warnings and errors')
+	help = 'Only print warnings and errors')
 args = parser.parse_args()
 log_level = args.log_level
 if args.skip_runit and len(args.main_command) == 0:
-    error("When --skip-runit is given, you must also pass a main command.")
+	error("When --skip-runit is given, you must also pass a main command.")
-    sys.exit(1)
+	sys.exit(1)
 # Run main function.
 signal.signal(signal.SIGTERM, lambda signum, frame: ignore_signals_and_raise_keyboard_interrupt('SIGTERM'))
 signal.signal(signal.SIGINT, lambda signum, frame: ignore_signals_and_raise_keyboard_interrupt('SIGINT'))
 signal.signal(signal.SIGALRM, lambda signum, frame: raise_alarm_exception())
 try:
-    main(args)
+	main(args)
 except KeyboardInterrupt:
-    warn("Init system aborted.")
+	warn("Init system aborted.")
-    exit(2)
+	exit(2)
 finally:
-    if args.kill_all_on_exit:
+	if args.kill_all_on_exit:
-        kill_all_processes(KILL_ALL_PROCESSES_TIMEOUT)
+		kill_all_processes(KILL_ALL_PROCESSES_TIMEOUT)
--- a/image/bin/setuser
+++ b/image/bin/setuser
@@ -1,5 +1,4 @@
 #!/usr/bin/python3
 '''
 Copyright (c) 2013-2015 Phusion Holding B.V.
--- a/image/cleanup.sh
+++ b/image/cleanup.sh
@@ -4,12 +4,8 @@ source /bd_build/buildconfig
 set -x
 apt-get clean
-find /bd_build/ -not \( -name 'bd_build' -or -name 'buildconfig' -or -name 'cleanup.sh' \) -delete
+ls -d -1 /bd_build/**/* | grep -v "cleanup.sh" | grep -v "buildconfig" | xargs rm -f
 rm -rf /tmp/* /var/tmp/*
 rm -rf /var/lib/apt/lists/*
 # clean up python bytecode
 find / -mount -name *.pyc -delete
 find / -mount -name *__pycache__* -delete
 rm -f /etc/ssh/ssh_host_*
--- a/image/fix_pam_bug.sh
+++ b/image/fix_pam_bug.sh
@@ -0,0 +1,33 @@
 #!/bin/bash
 set -e
 source /bd_build/buildconfig
 set -x
 # Fixes https://github.com/docker/docker/issues/6345
 # The Github is closed, but some apps such as pbuilder still triggers it.
 export CONFIGURE_OPTS=--disable-audit
 cd /tmp
 $minimal_apt_get_install gdebi-core
 apt-get build-dep -y --no-install-recommends pam
 apt-get source -y -b pam
 gdebi -n libpam-doc*.deb libpam-modules*.deb libpam-runtime*.deb libpam0g*.deb
 rm -rf *.deb *.gz *.dsc *.changes pam-*
 # Unfortunately there is no way to automatically remove build deps, so we do this manually.
 apt-get remove -y gdebi-core autoconf automake autopoint autotools-dev binutils bsdmainutils \
 	build-essential bzip2 cpp cpp-5 debhelper dh-autoreconf dh-strip-nondeterminism \
 	diffstat docbook-xml docbook-xsl dpkg-dev flex g++ g++-5 gcc gcc-5 gettext gettext-base \
 	groff-base intltool-debian libarchive-zip-perl libasan2 libasprintf0v5 libatomic1 \
 	libaudit-dev libc-dev-bin libc6-dev libcc1-0 libcrack2 libcrack2-dev libcroco3 \
 	libdb-dev libdb5.3-dev libdpkg-perl libfile-stripnondeterminism-perl libfl-dev libgc1c2 \
 	libgcc-5-dev libgdbm3 libgomp1 libgpm2 libicu55 libisl15 libmpc3 \
 	libmpfr4 libpcre16-3 libpcre3-dev libpcre32-3 libpcrecpp0v5 libperl5.22 \
 	libpipeline1 libselinux1-dev libsepol1-dev libsigsegv2 libstdc++-5-dev \
 	libtimedate-perl libtool libubsan0 libunistring0 libxml2 libxml2-utils \
 	libxslt1.1 linux-libc-dev m4 make man-db patch perl perl-modules-5.22 pkg-config \
 	po-debconf quilt sgml-base sgml-data w3m xml-core xsltproc xz-utils
 apt-get remove -y gdebi-core
 apt-get autoremove -y
--- a/image/prepare.sh
+++ b/image/prepare.sh
@@ -10,13 +10,9 @@ export INITRD=no
 mkdir -p /etc/container_environment
 echo -n no > /etc/container_environment/INITRD
-## Enable Ubuntu Universe, Multiverse, and deb-src for main.
+## Enable Ubuntu Universe and Multiverse.
-if grep -E '^ID=' /etc/os-release | grep -q ubuntu; then
+sed -i 's/^#\s*\(deb.*universe\)$/\1/g' /etc/apt/sources.list
-  sed -i 's/^#\s*\(deb.*main restricted\)$/\1/g' /etc/apt/sources.list
+sed -i 's/^#\s*\(deb.*multiverse\)$/\1/g' /etc/apt/sources.list
  sed -i 's/^#\s*\(deb.*universe\)$/\1/g' /etc/apt/sources.list
  sed -i 's/^#\s*\(deb.*multiverse\)$/\1/g' /etc/apt/sources.list
 fi
 apt-get update
 ## Fix some issues with APT packages.
@@ -31,9 +27,6 @@ ln -sf /bin/true /sbin/initctl
 dpkg-divert --local --rename --add /usr/bin/ischroot
 ln -sf /bin/true /usr/bin/ischroot
 # apt-utils fix for Ubuntu 16.04
 $minimal_apt_get_install apt-utils
 ## Install HTTPS support for APT.
 $minimal_apt_get_install apt-transport-https ca-certificates
@@ -41,20 +34,10 @@ $minimal_apt_get_install apt-transport-https ca-certificates
 $minimal_apt_get_install software-properties-common
 ## Upgrade all packages.
-apt-get dist-upgrade -y --no-install-recommends -o Dpkg::Options::="--force-confold"
+apt-get dist-upgrade -y --no-install-recommends
 ## Fix locale.
-case $(lsb_release -is) in
+$minimal_apt_get_install language-pack-en
  Ubuntu)
    $minimal_apt_get_install language-pack-en
    ;;
  Debian)
    $minimal_apt_get_install locales locales-all
    echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
    ;;
  *)
    ;;
 esac
 locale-gen en_US
 update-locale LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8
 echo -n en_US.UTF-8 > /etc/container_environment/LANG
--- a/image/services/cron/cron.runit
+++ b/image/services/cron/cron.runit
@@ -1,8 +1,2 @@
 #!/bin/sh
 # Touch cron files to fix 'NUMBER OF HARD LINKS > 1' issue. See  https://github.com/phusion/baseimage-docker/issues/198
 touch -c /var/spool/cron/crontabs/*
 touch -c /etc/crontab
 touch -c /etc/cron.d/* /etc/cron.daily/* /etc/cron.hourly/* /etc/cron.monthly/* /etc/cron.weekly/*
 exec /usr/sbin/cron -f
--- a/image/services/cron/cron.sh
+++ b/image/services/cron/cron.sh
@@ -17,4 +17,3 @@ rm -f /etc/cron.daily/upstart
 rm -f /etc/cron.daily/dpkg
 rm -f /etc/cron.daily/password
 rm -f /etc/cron.weekly/fstrim
 rm -f /etc/cron.d/e2scrub_all
--- a/image/services/syslog-ng/logrotate.conf
+++ b/image/services/syslog-ng/logrotate.conf
@@ -18,4 +18,19 @@ create
 # packages drop log rotation information into this directory
 include /etc/logrotate.d
 # no packages own wtmp, or btmp -- we'll rotate them here
 /var/log/wtmp {
    missingok
    monthly
    create 0664 root utmp
    rotate 1
 }
 /var/log/btmp {
    missingok
    monthly
    create 0660 root utmp
    rotate 1
 }
 # system-specific logs may be configured here
--- a/image/services/syslog-ng/logrotate_syslogng
+++ b/image/services/syslog-ng/logrotate_syslogng
@@ -1,4 +1,5 @@
-/var/log/syslog {
+/var/log/syslog
 {
 	rotate 7
 	daily
 	missingok
@@ -6,9 +7,8 @@
 	delaycompress
 	compress
 	postrotate
-		if [ -f /var/run/syslog-ng.pid ]; then
+		sv reload syslog-ng > /dev/null
-			kill -HUP `cat /var/run/syslog-ng.pid`
+		sv restart syslog-forwarder > /dev/null
 		fi
 	endscript
 }
@@ -23,7 +23,8 @@
 /var/log/lpr.log
 /var/log/cron.log
 /var/log/debug
-/var/log/messages {
+/var/log/messages
 {
 	rotate 4
 	weekly
 	missingok
@@ -32,8 +33,7 @@
 	delaycompress
 	sharedscripts
 	postrotate
-		if [ -f /var/run/syslog-ng.pid ]; then
+		sv reload syslog-ng > /dev/null
-			kill -HUP `cat /var/run/syslog-ng.pid`
+		sv restart syslog-forwarder > /dev/null
 		fi
 	endscript
 }
--- a/image/services/syslog-ng/smart-multi-line.fsm
+++ b/image/services/syslog-ng/smart-multi-line.fsm
@@ -1,83 +0,0 @@
 #
 # Copyright 2023 Balazs Scheidler
 # Copyright 2016 Google Inc. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 # The regular expressions were extracted from
 # https://github.com/GoogleCloudPlatform/fluent-plugin-detect-exceptions
 # and converted into a TSV format by Balazs Scheidler.
 #
 # List of tab separated fields
 #
 # comma-separated-states /regexp/ new_state
 #
 # java
 start_state,java_start_exception	/(?:Exception|Error|Throwable|V8 errors stack trace)[:\r\n]/	java_after_exception
 java_after_exception	/^[\t ]*nested exception is:[\t ]*/	java_start_exception
 java_after_exception	/^[\r\n]*$/	java_after_exception
 java_after_exception,java	/^[\t ]+(?:eval )?at /	java
 java_after_exception,java	/^[\t ]+--- End of inner exception stack trace ---$/	java
 java_after_exception,java	/^--- End of stack trace from previous location where exception was thrown ---$/	java
 java_after_exception,java	/^[\t ]*(?:Caused by|Suppressed):/	java_after_exception
 java_after_exception,java	/^[\t ]*... \d+ (?:more|common frames omitted)/	java
 # python
 start_state	/^Traceback \(most recent call last\):$/	python
 python	/^[\t ]*File /	python_code
 python_code	/[^\t ]/	python
 python	/^(?:[^\s.():]+\.)*[^\s.():]+:/	start_state
 # PHP
 start_state	/(?:PHP\ (?:Notice|Parse\ error|Fatal\ error|Warning):)|(?:exception\ '[^']+'\ with\ message\ ')/	php_stack_begin
 php_stack_begin	/^Stack trace:/	php_stack_frames
 php_stack_frames	/^#\d/	php_stack_frames
 php_stack_frames	/^\s+thrown in /	start_state
 # Go
 start_state	/\bpanic: /	go_after_panic
 start_state	/http: panic serving/	go_goroutine
 go_after_panic,go_after_signal,go_frame_1	/^$/	go_goroutine
 go_after_panic	/^\[signal /	go_after_signal
 go_goroutine	/^goroutine \d+ \[[^\]]+\]:$/	go_frame_1
 go_frame_1	/^(?:[^\s.:]+\.)*[^\s.():]+\(|^created by /	go_frame_2
 go_frame_2	/^\s/	go_frame_1
 # Ruby
 start_state	/Error \(.*\):$/	ruby_before_rails_trace
 ruby_before_rails_trace	/^  $/	ruby
 ruby_before_rails_trace	/^[\t ]+.*?\.rb:\d+:in `/	ruby
 ruby	/^[\t ]+.*?\.rb:\d+:in `/	ruby
 # Dart
 start_state	/^Unhandled exception:$/	dart_exc
 dart_exc	/^(Instance of)|(Exception)|(Bad state)|(IntegerDivisionByZeroException)|(Invalid argument)|(RangeError)|(Assertion failed)|(Cannot instantiate)|(Reading static variable)|(UnimplementedError)|(Unsupported operation)|(Concurrent modification)|(Out of Memory)|(Stack Overflow)/	dart_stack
 dart_exc	/^'.+?':.+?$/	dart_type_err_1
 dart_type_err_1	/^#\d+\s+.+?\(.+?\)$/	dart_stack
 dart_type_err_1	/^.+?$/	dart_type_err_2
 dart_type_err_2	/^.*?\^.*?$/	dart_type_err_3
 dart_type_err_3	/^$/	dart_type_err_4
 dart_type_err_4	/^$/	dart_stack
 dart_exc	/^FormatException/	dart_format_err_1
 dart_format_err_1	/^#\d+\s+.+?\(.+?\)$/	dart_stack
 dart_format_err_1	/^./	dart_format_err_2
 dart_format_err_2	/^.*?\^/	dart_format_err_3
 dart_format_err_3	/^$/	dart_stack
 dart_exc	/^NoSuchMethodError:/	dart_method_err_1
 dart_method_err_1	/^Receiver:/	dart_method_err_2
 dart_method_err_2	/^Tried calling:/	dart_method_err_3
 dart_method_err_3	/^Found:/	dart_stack
 dart_method_err_3	/^#\d+\s+.+?\(.+?\)$/	dart_stack
 dart_stack	/^#\d+\s+.+?\(.+?\)$/	dart_stack
 dart_stack	/^<asynchronous suspension>$/	dart_stack
--- a/image/services/syslog-ng/syslog-forwarder.runit
+++ b/image/services/syslog-ng/syslog-forwarder.runit
@@ -0,0 +1,2 @@
 #!/bin/sh
 exec tail -F -n 0 /var/log/syslog
--- a/image/services/syslog-ng/syslog-ng.conf
+++ b/image/services/syslog-ng/syslog-ng.conf
@@ -1,13 +1,14 @@
-@version: 4.3
+@version: 3.5
@include "scl.conf"
@include "`scl-root`/system/tty10.conf"
 # Syslog-ng configuration file, compatible with default Debian syslogd
 # installation.
 # First, set some global options.
 options { chain_hostnames(off); flush_lines(0); use_dns(no); use_fqdn(no);
-	  dns_cache(no); owner("root"); group("adm"); perm(0640);
+	  owner("root"); group("adm"); perm(0640); stats_freq(0);
-	  stats(freq(0)); bad_hostname("^gconfd$");
+	  bad_hostname("^gconfd$");
 };
 ########################
@@ -17,7 +18,7 @@ options { chain_hostnames(off); flush_lines(0); use_dns(no); use_fqdn(no);
 # Logs may come from unix stream, but not from another machine.
 #
 source s_src {
-       unix-dgram("/dev/log");
+       unix-stream("/dev/log");
       internal();
 };
@@ -53,7 +54,7 @@ destination d_newscrit { file("/var/log/news/news.crit"); };
 destination d_newserr { file("/var/log/news/news.err"); };
 destination d_newsnotice { file("/var/log/news/news.notice"); };
-# Some 'catch-all' logfiles.
+# Some `catch-all' logfiles.
 #
 destination d_debug { file("/var/log/debug"); };
 destination d_error { file("/var/log/error"); };
@@ -73,13 +74,10 @@ destination d_xconsole { pipe("/dev/xconsole"); };
 # Debian only
 destination d_ppp { file("/var/log/ppp.log"); };
 # stdout for docker
 destination d_stdout { ##SYSLOG_OUTPUT_MODE_DEV_STDOUT##("/dev/stdout"); };
 ########################
 # Filters
 ########################
-# Here's come the filter options. With this rules, we can set which
+# Here's come the filter options. With this rules, we can set which 
 # message go where.
 filter f_dbg { level(debug); };
@@ -91,7 +89,7 @@ filter f_crit { level(crit .. emerg); };
 filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };
 filter f_error { level(err .. emerg) ; };
-filter f_messages { level(info,notice,warn) and
+filter f_messages { level(info,notice,warn) and 
                    not facility(auth,authpriv,cron,daemon,mail,news); };
 filter f_auth { facility(auth, authpriv) and not filter(f_debug); };
@@ -121,7 +119,7 @@ log { source(s_src); filter(f_cron); destination(d_cron); };
 log { source(s_src); filter(f_daemon); destination(d_daemon); };
 log { source(s_src); filter(f_kern); destination(d_kern); };
 log { source(s_src); filter(f_lpr); destination(d_lpr); };
-log { source(s_src); filter(f_syslog3); destination(d_syslog); destination(d_stdout); };
+log { source(s_src); filter(f_syslog3); destination(d_syslog); };
 log { source(s_src); filter(f_user); destination(d_user); };
 log { source(s_src); filter(f_uucp); destination(d_uucp); };
@@ -133,8 +131,6 @@ log { source(s_src); filter(f_mail); destination(d_mail); };
 log { source(s_src); filter(f_news); filter(f_crit); destination(d_newscrit); };
 log { source(s_src); filter(f_news); filter(f_err); destination(d_newserr); };
 log { source(s_src); filter(f_news); filter(f_notice); destination(d_newsnotice); };
 #log { source(s_src); filter(f_cnews); destination(d_console_all); };
 #log { source(s_src); filter(f_cother); destination(d_console_all); };
 #log { source(s_src); filter(f_ppp); destination(d_ppp); };
--- a/image/services/syslog-ng/syslog-ng.init
+++ b/image/services/syslog-ng/syslog-ng.init
@@ -1,45 +0,0 @@
 #!/bin/bash
 set -em
 # If /dev/log is either a named pipe or it was placed there accidentally,
 # e.g. because of the issue documented at https://github.com/phusion/baseimage-docker/pull/25,
 # then we remove it.
 if [ ! -S /dev/log ]; then rm -f /dev/log; fi
 if [ ! -S /var/lib/syslog-ng/syslog-ng.ctl ]; then rm -f /var/lib/syslog-ng/syslog-ng.ctl; fi
 # determine output mode on /dev/stdout because of the issue documented at https://github.com/phusion/baseimage-docker/issues/468
 if [ -p /dev/stdout ]; then
  sed -i 's/##SYSLOG_OUTPUT_MODE_DEV_STDOUT##/pipe/' /etc/syslog-ng/syslog-ng.conf
 else
  sed -i 's/##SYSLOG_OUTPUT_MODE_DEV_STDOUT##/file/' /etc/syslog-ng/syslog-ng.conf
 fi
 # If /var/log is writable by another user logrotate will fail
 /bin/chown root:root /var/log
 /bin/chmod 0755 /var/log
 PIDFILE="/var/run/syslog-ng.pid"
 SYSLOGNG_OPTS=""
 [ -r /etc/default/syslog-ng ] && . /etc/default/syslog-ng
 syslogng_wait() {
    if [ "$2" -ne 0 ]; then
        return 1
    fi
    RET=1
    for i in $(seq 1 30); do
        status=0
        syslog-ng-ctl stats >/dev/null 2>&1 || status=$?
        if [ "$status" != "$1" ]; then
            RET=0
            break
        fi
        sleep 1s
    done
    return $RET
 }
 /usr/sbin/syslog-ng --pidfile "$PIDFILE" -F $SYSLOGNG_OPTS &
 syslogng_wait 1 $?
--- a/image/services/syslog-ng/syslog-ng.runit
+++ b/image/services/syslog-ng/syslog-ng.runit
@@ -0,0 +1,32 @@
 #!/bin/sh
 set -e
 # If /dev/log is either a named pipe or it was placed there accidentally,
 # e.g. because of the issue documented at https://github.com/phusion/baseimage-docker/pull/25,
 # then we remove it.
 if [ ! -S /dev/log ]; then rm -f /dev/log; fi
 if [ ! -S /var/lib/syslog-ng/syslog-ng.ctl ]; then rm -f /var/lib/syslog-ng/syslog-ng.ctl; fi
 SYSLOGNG_OPTS=""
 [ -r /etc/default/syslog-ng ] && . /etc/default/syslog-ng
 case "x$CONSOLE_LOG_LEVEL" in
  x[1-8])
    dmesg -n $CONSOLE_LOG_LEVEL
    ;;
  x)
    ;;
  *)
    echo "CONSOLE_LOG_LEVEL is of unaccepted value."
    ;;
 esac
 if [ ! -e /dev/xconsole ]
 then
  mknod -m 640 /dev/xconsole p
  chown root:adm /dev/xconsole
  [ -x /sbin/restorecon ] && /sbin/restorecon $XCONSOLE
 fi
 exec syslog-ng -F -p /var/run/syslog-ng.pid $SYSLOGNG_OPTS
--- a/image/services/syslog-ng/syslog-ng.sh
+++ b/image/services/syslog-ng/syslog-ng.sh
@@ -7,15 +7,18 @@ SYSLOG_NG_BUILD_PATH=/bd_build/services/syslog-ng
 ## Install a syslog daemon.
 $minimal_apt_get_install syslog-ng-core
-cp $SYSLOG_NG_BUILD_PATH/syslog-ng.init /etc/my_init.d/10_syslog-ng.init
+mkdir /etc/service/syslog-ng
-cp $SYSLOG_NG_BUILD_PATH/syslog-ng.shutdown /etc/my_init.post_shutdown.d/10_syslog-ng.shutdown
+cp $SYSLOG_NG_BUILD_PATH/syslog-ng.runit /etc/service/syslog-ng/run
 cp $SYSLOG_NG_BUILD_PATH/smart-multi-line.fsm /usr/share/syslog-ng/smart-multi-line.fsm
 mkdir -p /var/lib/syslog-ng
 cp $SYSLOG_NG_BUILD_PATH/syslog_ng_default /etc/default/syslog-ng
 touch /var/log/syslog
 chmod u=rw,g=r,o= /var/log/syslog
 cp $SYSLOG_NG_BUILD_PATH/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
 ## Install syslog to "docker logs" forwarder.
 mkdir /etc/service/syslog-forwarder
 cp $SYSLOG_NG_BUILD_PATH/syslog-forwarder.runit /etc/service/syslog-forwarder/run
 ## Install logrotate.
 $minimal_apt_get_install logrotate
 cp $SYSLOG_NG_BUILD_PATH/logrotate.conf /etc/logrotate.conf
--- a/image/services/syslog-ng/syslog-ng.shutdown
+++ b/image/services/syslog-ng/syslog-ng.shutdown
@@ -1,27 +0,0 @@
 #!/bin/bash
 PIDFILE="/var/run/syslog-ng.pid"
 syslogng_wait() {
    if [ "$2" -ne 0 ]; then
        return 1
    fi
    RET=1
    for i in $(seq 1 30); do
        status=0
        syslog-ng-ctl stats >/dev/null 2>&1 || status=$?
        if [ "$status" != "$1" ]; then
            RET=0
            break
        fi
        sleep 1s
    done
    return $RET
 }
 if [ -f "$PIDFILE" ]; then
    kill $(cat "$PIDFILE")
 fi
 syslogng_wait 0 $?
--- a/image/system_services.sh
+++ b/image/system_services.sh
@@ -6,8 +6,6 @@ set -x
 ## Install init process.
 cp /bd_build/bin/my_init /sbin/
 mkdir -p /etc/my_init.d
 mkdir -p /etc/my_init.pre_shutdown.d
 mkdir -p /etc/my_init.post_shutdown.d
 mkdir -p /etc/container_environment
 touch /etc/container_environment.sh
 touch /etc/container_environment.json
--- a/image/utilities.sh
+++ b/image/utilities.sh
@@ -4,11 +4,8 @@ source /bd_build/buildconfig
 set -x
 ## Often used tools.
-$minimal_apt_get_install curl less vim-tiny psmisc gpg-agent dirmngr
+$minimal_apt_get_install curl less vim-tiny psmisc
 ln -s /usr/bin/vim.tiny /usr/bin/vim
 ## This tool runs a command as another user and sets $HOME.
 cp /bd_build/bin/setuser /sbin/setuser
 ## This tool allows installation of apt packages with automatic cache cleanup.
 cp /bd_build/bin/install_clean /sbin/install_clean
--- a/test/runner.sh
+++ b/test/runner.sh
@@ -14,25 +14,29 @@ function cleanup()
 	docker rm $ID >/dev/null
 }
 PWD=`pwd`
 echo " --> Starting insecure container"
-ID=`docker run -d -p 22 $NAME:$VERSION /sbin/my_init --enable-insecure-key`
+ID=`docker run -d -v $PWD/test:/test $NAME:$VERSION /sbin/my_init --enable-insecure-key`
 sleep 1
-echo " --> Obtaining SSH port number"
+echo " --> Obtaining IP"
-SSHPORT=`docker inspect --format='{{(index (index .NetworkSettings.Ports "22/tcp") 0).HostPort}}' "$ID"`
+IP=`docker inspect -f "{{ .NetworkSettings.IPAddress }}" "$ID"`
-if [[ "$SSHPORT" = "" ]]; then
+if [[ "$IP" = "" ]]; then
-	abort "Unable to obtain container SSH port number"
+	abort "Unable to obtain container IP"
 fi
 trap cleanup EXIT
 echo " --> Enabling SSH in the container"
-docker exec $ID /etc/my_init.d/00_regen_ssh_host_keys.sh -f
+docker exec -t -i $ID /etc/my_init.d/00_regen_ssh_host_keys.sh -f
-docker exec $ID rm /etc/service/sshd/down
+docker exec -t -i $ID rm /etc/service/sshd/down
-docker exec $ID sv start /etc/service/sshd
+docker exec -t -i $ID sv start /etc/service/sshd
 sleep 1
 echo " --> Logging into container and running tests"
 cp image/services/sshd/keys/insecure_key /tmp/insecure_key
 chmod 600 /tmp/insecure_key
 sleep 1 # Give container some more time to start up.
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i /tmp/insecure_key root@$IP \
-tools/docker-ssh $ID bash < test/test.sh
+	/bin/bash /test/test.sh
--- a/tools/docker-ssh
+++ b/tools/docker-ssh
@@ -58,13 +58,6 @@ fi
 KNOWN_HOSTS_FILE=`mktemp /tmp/docker-ssh.XXXXXXXXX`
 IP=`docker inspect -f "{{ .NetworkSettings.IPAddress }}" "$CONTAINER_ID"`
 PORT=`docker inspect -f '{{(index (index .NetworkSettings.Ports "22/tcp") 0).HostPort}}' "$CONTAINER_ID"`
 if test "`uname`" = "Darwin"; then
    IP="127.0.0.1"
 else
    PORT=22
 fi
 echo "SSHing into $IP:$PORT"
 # Prevent SSH from warning about adding a host to the known_hosts file.
 ssh-keyscan "$IP" >"$KNOWN_HOSTS_FILE" 2>&1
@@ -75,7 +68,6 @@ if ! ssh -i ~/.baseimage_docker_insecure_key \
 	-o PasswordAuthentication=no \
 	-o KbdInteractiveAuthentication=no \
 	-o ChallengeResponseAuthentication=no \
 	-p $PORT \
 	"root@$IP" "$@"
 then
 	STATUS=$?
--- a/vagrant-libs/bootstrap.sh
+++ b/vagrant-libs/bootstrap.sh
@@ -1,31 +0,0 @@
 #!/usr/bin/env bash
 set -eux
 # Update Packages
 sudo apt-get update
 # sudo apt-get -y upgrade
 # sudo apt-get -y dist-upgrade
 # Install Packages
 sudo apt-get install -y build-essential checkinstall libreadline-gplv2-dev \
    libncursesw5-dev libssl-dev libsqlite3-dev tk-dev libgdbm-dev libc6-dev \
    libbz2-dev libffi-dev python3-pip unzip lsb-release software-properties-common \
    curl wget git rsync # python-dev python3-venv
 # Install Docker
 sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
 sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
 sudo apt-get update
 sudo apt-cache policy docker-ce
 sudo apt-get install -y docker-ce docker-compose
 # Re-install docker-compose to side-step a bug
 # docker build -t terraform-azure-vm . >> "free(): invalid pointer"
 # https://github.com/docker/for-linux/issues/563
 sudo apt-get remove -y golang-docker-credential-helpers
 sudo curl -L "https://github.com/docker/compose/releases/download/1.25.5/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
 echo '{"experimental": true}' > /etc/docker/daemon.json
 service docker restart
 # Add vagrant user to docker group
 sudo usermod -aG docker vagrant
Author	SHA1	Message	Date
Travis Rowland	f374c49424	Merge pull request #373 from phusion/next Update README.md regarding ignored env vars.	2017-03-20 21:00:45 -07:00
Travis Rowland	c375506f23	Merge pull request #370 from phusion/next Updating README.md Fixes #228	2017-03-20 20:50:22 -07:00
Travis Rowland	19170b8d38	Merge pull request #368 from kobotoolbox/armhf `armhf` support.	2017-03-20 12:49:11 -07:00
Esmail Fadae	5a920d2291	No need to uninstall packages not available on `armhf`.	2017-03-06 14:52:15 +00:00
Esmail Fadae	bc06300b3e	Use an `armhf` base image.	2017-03-06 14:51:22 +00:00
		`@@ -1,2 +0,0 @@`
			`github: samip5`
			`custom: https://www.buymeacoffee.com/skykrypt`
		`@@ -0,0 +1,2 @@`
							`#!/bin/sh`
							`exec tail -F -n 0 /var/log/syslog`