Note release date

Give credit to Brant Fitzsimmons
Merge pull request #98 from bfitzsimmons/patch-1
2026-03-26 20:38:58 +00:00 · 2014-06-24 16:40:22 +02:00 · 2014-06-24 16:39:56 +02:00 · 2014-06-23 19:09:11 +02:00 · 2014-06-23 12:56:26 -04:00 · 2014-06-20 13:45:36 +02:00
23 changed files with 1175 additions and 81 deletions
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -0,0 +1,5 @@
 Hey, thanks for wanting to contribute to baseimage-docker. :)
 If you have a question, please use the [discussion forum](https://groups.google.com/d/forum/passenger-docker). The Github issue tracker is only for **bug reports and feature requests**.
 If you want to develop baseimage-docker, use the Vagrantfile in the repository. It will setup an Ubuntu VM with Docker installed in it. Use the Makefile to build the image.
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,3 +1,88 @@
 ## 0.9.11 (release date: 2014-06-24)
 * Introduced the `docker-bash` tool. This is a shortcut tool for logging into a container using SSH. Usage: `docker-bash <CONTAINER ID>`. See the README for details.
 * Fixed various process waiting issues in `my_init`. Closes GH-27, GH-82 and GH-83. Thanks to André Luiz dos Santos and Paul Annesley.
 * The `ca-certificates` package is now installed by default. This is because we include `apt-transport-https`, but Ubuntu 14.04 no longer installs `ca-certificates` by default anymore. Closes GH-73.
 * Output print by Runit services are now redirected to the Docker logs instead of to proctitle. Thanks to Paul Annesley.
 * Container environment variables are now made available to SSH root shells. If you login with SSH through a non-root account, then container environment variables are only made available if that user is a member of the `docker_env` group. Thanks to Bernard Potocki.
 * `add-apt-repository` is now installed by default. Closes GH-74.
 * Various minor fixes and contributions thanks to yebyen, John Eckhart, Christoffer Sawicki and Brant Fitzsimmons.
 ## 0.9.10 (release date: 2014-05-12)
 * Upgraded to Ubuntu 14.04 (Trusty). We will no longer release images based on 12.04.
   Thanks to contributions by mpeterson, Paul Jimenez, Santiago M. Mola and Kingdon Barrett.
 * Fixed a problem with my_init not correctly passing child processes' exit status. Fixes GH-45.
 * When reading environment variables from /etc/container_environment, the trailing newline (if any) is ignored. This makes commands like this work, without unintentially adding a newline to the environment variable value:
        echo my_value > /etc/container_environment/FOO
   If you intended on adding a newline to the value, ensure you have *two* trailing newlines:
        echo -e "my_value\n" > /etc/container_environment/FOO
 * It was not possible to use `docker run -e` to override environment variables defined in /etc/container_environment. This has been fixed (GH-52). Thanks to Stuart Campbell for reporting this bug.
 ## 0.9.9 (release date: 2014-03-25)
 * Fixed a problem with rssh. (Slawomir Chodnicki)
 * The `INITRD` environment variable is now set in the container by default. This prevents updates to the `initramfs` from running grub or lilo.
 * The `ischroot` tool in Ubuntu has been modified to always return true. This prevents updates to the `initscripts` package from breaking /dev/shm.
 * Various minor bug fixes, improvements and typo corrections. (Felix Hummel, Laurent Sarrazin, Dung Quang, Amir Gur)
 ## 0.9.8 (release date: 2014-02-26)
 * Fixed a regression in `my_init` which causes it to delete environment variables passed from Docker.
 * Fixed `my_init` not properly forcing Runit to shut down if Runit appears to refuse to respond to SIGTERM.
 ## 0.9.7 (release date: 2014-02-25)
 * Improved and fixed bugs in `my_init` (Thomas LÉVEIL):
   * It is now possible to enable the insecure key by passing `--enable-insecure-key` to `my_init`. This allows users to easily enable the insecure key for convenience reasons, without having the insecure key enabled permanently in the image.
   * `my_init` now exports environment variables to the directory `/etc/container_environment` and to the files `/etc/container_environment.sh`, `/etc/container_environment.json`. This allows all applications to query what the original environment variables were. It is also possible to change the environment variables in `my_init` by modifying `/etc/container_environment`. More information can be found in the README, section "Environment variables".
   * Fixed a bug that causes it not to print messages to stdout when there is no pseudo terminal. This is because Python buffers stdout by default.
   * Fixed an incorrectly printed message.
 * The insecure key is now also available in PuTTY format. (Thomas LÉVEIL)
 * Fixed `enable_insecure_key` removing already installed SSH keys. (Thomas LÉVEIL)
 * The baseimage-docker image no longer EXPOSEs any ports by default. The EXPOSE entries were originally there to enable some default guest-to-host port forwarding entries, but in recent Docker versions they changed the meaning of EXPOSE, and now EXPOSE is used for linking containers. As such, we no longer have a reason to EXPOSE any ports by default. Fixes GH-15.
 * Fixed syslog-ng not being able to start because of a missing afsql module. Fixes the issue described in [pull request 7](https://github.com/phusion/baseimage-docker/pull/7).
 * Removed some default Ubuntu cron jobs which are not useful in Docker containers.
 * Added the logrotate service. Fixes GH-22.
 * Fixed some warnings in `/etc/my_init.d/00_regen_ssh_host_keys.sh`.
 * Fixed some typos in the documentation. (Dr Nic Williams, Tomer Cohen)
 ## 0.9.6 (release date: 2014-02-17)
 * Fixed a bug in `my_init`: child processes that have been adopted during execution of init scripts are now properly reaped.
 * Much improved `my_init`:
   * It is now possible to run and watch a custom command, possibly in addition to running runit. See "Running a one-shot command in the container" in the README.
   * It is now possible to skip running startup files such as /etc/rc.local.
   * Shutdown is now much faster. It previously took a few seconds, but it is now almost instantaneous.
   * It ensures that all processes in the container are properly shut down with SIGTERM, even those that are not direct child processes of `my_init`.
 * `setuser` now also sets auxilliary groups, as well as more environment variables such as `USER` and `UID`.
 ## 0.9.5 (release date: 2014-02-06)
 * Environment variables are now no longer reset by runit. This is achieved by running `runsvdir` directly instead of through Debian's `runsvdir-start`.
 * The insecure SSH key is now disabled by default. You have to explicitly opt-in to use it.
 ## 0.9.4 (release date: 2014-02-03)
 * Fixed syslog-ng startup problem.
 ## 0.9.3 (release date: 2014-01-31)
 * It looks like Docker changed their Ubuntu 12.04 base image, thereby breaking our Dockerfile. This has been fixed.
 * The init system (`/sbin/my_init`) now supports running scripts during startup. You can put startup scripts `/etc/my_init.d`. `/etc/rc.local` is also run during startup.
 * To improve security, the base image no longer contains pregenerated SSH host keys. Instead, users of the base image are encouraged to regenerate one in their Dockerfile. If the user does not do that, then random SSH host keys are generated during container boot.
 ## 0.9.2 (release date: 2013-12-11)
 * Fixed SFTP support. Thanks Joris van de Donk!
 ## 0.9.1 (release date: 2013-11-12)
 * Improved init process script (`/sbin/my_init`): it now handles shutdown correctly. Previously, `docker stop` would not have any effect on `my_init`, causing the whole container to be killed with SIGKILL. The new init process script gracefully shuts down all runit services, then exits.
 ## 0.9.0 (release date: 2013-11-12)
 * Initial release
--- a/LICENSE.txt
+++ b/LICENSE.txt
@@ -0,0 +1,19 @@
 Copyright (c) 2013-2014 Phusion
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
 The above copyright notice and this permission notice shall be included in
 all copies or substantial portions of the Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.
--- a/20
+++ b/20
@@ -1,16 +1,28 @@
 NAME = phusion/baseimage
-VERSION = 0.9.0
+VERSION = 0.9.11
-.PHONY: all build tag_latest release
+.PHONY: all build test tag_latest release ssh
 all: build
 build:
-	docker build -t $(NAME):$(VERSION) -rm image
+	docker build -t $(NAME):$(VERSION) --rm image
 test:
 	env NAME=$(NAME) VERSION=$(VERSION) ./test/runner.sh
 tag_latest:
 	docker tag $(NAME):$(VERSION) $(NAME):latest
-release: tag_latest
+release: test tag_latest
 	@if ! docker images $(NAME) | awk '{ print $$2 }' | grep -q -F $(VERSION); then echo "$(NAME) version $(VERSION) is not yet built. Please run 'make build'"; false; fi
 	docker push $(NAME)
 	@echo "*** Don't forget to create a tag. git tag rel-$(VERSION) && git push origin rel-$(VERSION)"
 ssh:
 	chmod 600 image/insecure_key
 	@ID=$$(docker ps | grep -F "$(NAME):$(VERSION)" | awk '{ print $$1 }') && \
 		if test "$$ID" = ""; then echo "Container is not running."; exit 1; fi && \
 		IP=$$(docker inspect $$ID | grep IPAddr | sed 's/.*: "//; s/".*//') && \
 		echo "SSHing into $$IP" && \
 		ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i image/insecure_key root@$$IP
--- a/README.md
+++ b/README.md
@@ -1,56 +1,107 @@
-# A minimal Docker base image with a correct and usable system
+# A minimal Ubuntu base image modified for Docker-friendliness
-Baseimage-docker is a [Docker](http://www.docker.io) image meant to serve as a good base for any other Docker container. It contains a minimal base system with the most important things already installed and set up correctly.
+Baseimage-docker is a special [Docker](http://www.docker.io) image that is configured for correct use within Docker containers. It is Ubuntu, plus modifications for Docker-friendliness. You can use it as a base for your own Docker images.
- * **Github**: https://github.com/phusion/baseimage-docker
+Baseimage-docker is available for pulling from [the Docker registry](https://index.docker.io/u/phusion/baseimage/)!
 * **Discussion forum**: https://groups.google.com/d/forum/passenger-docker
 * **Twitter**: https://twitter.com/phusion_nl
 * **Blog**: http://blog.phusion.nl/
 ### What are the problems with the stock Ubuntu base image?
 Ubuntu is not designed to be run inside docker. Its init system, Upstart, assumes that it's running on either real hardware or virtualized hardware, but not inside a Docker container. But inside a container you don't want a full system anyway, you want a minimal system. But configuring that minimal system for use within a container has many strange corner cases that are hard to get right if you are not intimately familiar with the Unix system model. This can cause a lot of strange problems.
 Baseimage-docker gets everything right. The "Contents" section describes all the things that it modifies.
 <a name="why_use"></a>
 ### Why use baseimage-docker?
-Why use baseimage-docker instead of doing everything yourself in Dockerfile?
+You can configure the stock `ubuntu` image yourself from your Dockerfile, so why bother using baseimage-docker?
 * Configuring the base system for Docker-friendliness is no easy task. As stated before, there are many corner cases. By the time that you've gotten all that right, you've reinvented baseimage-docker. Using baseimage-docker will save you from this effort.
 * It reduces the time needed to write a correct Dockerfile. You won't have to worry about the base system and can focus on your stack and your app.
 * It sets up the base system **correctly**. It's very easy to get the base system wrong, but this image does everything correctly.
 * It reduces the time needed to run `docker build`, allowing you to iterate your Dockerfile more quickly.
 * It reduces download time during redeploys. Docker only needs to download the base image once: during the first deploy. On every subsequent deploys, only the changes you make on top of the base image are downloaded.
-## Contents
+-----------------------------------------
 **Related resources**:
  [Website](http://phusion.github.io/baseimage-docker/) |
  [Github](https://github.com/phusion/baseimage-docker) |
  [Docker registry](https://index.docker.io/u/phusion/baseimage/) |
  [Discussion forum](https://groups.google.com/d/forum/passenger-docker) |
  [Twitter](https://twitter.com/phusion_nl) |
  [Blog](http://blog.phusion.nl/)
 **Table of contents**
 * [What's inside the image?](#whats_inside)
   * [Overview](#whats_inside_overview)
   * [Wait, I thought Docker is about running a single process in a container?](#docker_single_process)
 * [Inspecting baseimage-docker](#inspecting)
 * [Using baseimage-docker as base image](#using)
   * [Getting started](#getting_started)
   * [Adding additional daemons](#adding_additional_daemons)
   * [Running scripts during container startup](#running_startup_scripts)
   * [Running a one-shot command in the container](#oneshot)
   * [Environment variables](#environment_variables)
     * [Centrally defining your own environment variables](#envvar_central_definition)
     * [Environment variable dumps](#envvar_dumps)
     * [Modifying environment variables](#modifying_envvars)
     * [Security](#envvar_security)
   * [Login to the container via SSH](#login)
     * [Using the insecure key for one container only](#using_the_insecure_key_for_one_container_only)
     * [Enabling the insecure key permanently](#enabling_the_insecure_key_permanently)
     * [Using your own key](#using_your_own_key)
     * [The `docker-bash` tool](#docker_bash)
   * [Disabling SSH](#disabling_ssh)
 * [Building the image yourself](#building)
 * [Conclusion](#conclusion)
 -----------------------------------------
 <a name="whats_inside"></a>
 ## What's inside the image?
 <a name="whats_inside_overview"></a>
 ### Overview
 *Looking for a more complete base image, one that is ideal for Ruby, Python, Node.js and Meteor web apps? Take a look at [passenger-docker](https://github.com/phusion/passenger-docker).*
 | Component        | Why is it included? / Remarks |
 | ---------------- | ------------------- |
-| Ubuntu 12.04 LTS | The base system. |
+| Ubuntu 14.04 LTS | The base system. |
-| A **correct** init process | According to the Unix process model, [the init process](https://en.wikipedia.org/wiki/Init) -- PID 1 -- inherit all [orphaned child processes](https://en.wikipedia.org/wiki/Orphan_process) and must [reap them](https://en.wikipedia.org/wiki/Wait_(system_call)). Most Docker containers do not have an init process that does this correctly, and as a result their containers become filled with [zombie processes](https://en.wikipedia.org/wiki/Zombie_process) over time. Baseimage-docker comes with an init process `/sbin/my_init` that performs reaping correctly. |
+| A **correct** init process | According to the Unix process model, [the init process](https://en.wikipedia.org/wiki/Init) -- PID 1 -- inherits all [orphaned child processes](https://en.wikipedia.org/wiki/Orphan_process) and must [reap them](https://en.wikipedia.org/wiki/Wait_(system_call)). Most Docker containers do not have an init process that does this correctly, and as a result their containers become filled with [zombie processes](https://en.wikipedia.org/wiki/Zombie_process) over time. <br><br>Furthermore, `docker stop` sends SIGTERM to the init process, which is then supposed to stop all services. Unfortunately most init systems don't do this correctly within Docker since they're built for hardware shutdowns instead. This causes processes to be hard killed with SIGKILL, which doesn't give them a chance to correctly deinitialize things. This can cause file corruption. <br><br>Baseimage-docker comes with an init process `/sbin/my_init` that performs both of these tasks correctly. |
 | Fixes APT incompatibilities with Docker | See https://github.com/dotcloud/docker/issues/1024. |
 | syslog-ng | A syslog daemon is necessary so that many services - including the kernel itself - can correctly log to /var/log/syslog. If no syslog daemon is running, a lot of important messages are silently swallowed. <br><br>Only listens locally. |
-| ssh server | Allows you to easily login to your container to inspect or administer things. <br><br>Password and challenge-response authentication are disabled by default. Only key authentication is allowed.<br>It allows an predefined key by default to make debugging easy. You should replace this ASAP. See instructions. |
+| logrotate | Rotates and compresses logs on a regular basis. |
 | ssh server | Allows you to easily login to your container to inspect or administer things. <br><br>Password and challenge-response authentication are disabled by default. Only key authentication is allowed.<br><br>SSH access can be easily disabled if you so wish. Read on for instructions. |
 | cron | The cron daemon must be running for cron jobs to work. |
-| [runit](http://smarden.org/runit/) | For service supervision and management. Much easier to use than SysV init and supports restarting daemons when they crash. Much easier to use and more lightweight than Upstart. |
+| [runit](http://smarden.org/runit/) | Replaces Ubuntu's Upstart. Used for service supervision and management. Much easier to use than SysV init and supports restarting daemons when they crash. Much easier to use and more lightweight than Upstart. |
 | `setuser` | A tool for running a command as another user. Easier to use than `su`, has a smaller attack vector than `sudo`, and unlike `chpst` this tool sets `$HOME` correctly. Available as `/sbin/setuser`. |
-Baseimage-docker is very lightweight: it only consumes 4 MB of memory.
+Baseimage-docker is very lightweight: it only consumes 6 MB of memory.
 <a name="docker_single_process"></a>
 ### Wait, I thought Docker is about running a single process in a container?
 Absolutely not true. Docker runs fine with multiple processes in a container. In fact, there is no technical reason why you should limit yourself to one process - it only makes things harder for you and breaks all kinds of essential system functionality, e.g. syslog.
 Baseimage-docker *encourages* multiple processes through the use of runit.
 <a name="inspecting"></a>
 ## Inspecting baseimage-docker
 To look around in the image, run:
-    docker run -rm -t -i phusion/baseimage bash -l
+    docker run --rm -t -i phusion/baseimage /sbin/my_init -- bash -l
 You don't have to download anything manually. The above command will automatically pull the baseimage-docker image from the Docker registry.
 <a name="using"></a>
 ## Using baseimage-docker as base image
-The image is called `phusion/baseimage`, and is available on the Docker registry.
+<a name="getting_started"></a>
 ### Getting started
-By default, it allows SSH access for the key in `image/insecure_key`. This makes it easy for you to login to the container, but you should replace this key as soon as possible.
+The image is called `phusion/baseimage`, and is available on the Docker registry.
    # Use phusion/baseimage as base image. To make your builds reproducible, make
    # sure you lock down to a specific version, not to `latest`!
@@ -60,38 +111,279 @@ By default, it allows SSH access for the key in `image/insecure_key`. This makes
    # Set correct environment variables.
    ENV HOME /root
    # Remove authentication rights for insecure_key.
    RUN rm -f /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys
-    # Use baseimage-docker's init process.
+    # Regenerate SSH host keys. baseimage-docker does not contain any, so you
    # have to do that yourself. You may also comment out this instruction; the
    # init system will auto-generate one during boot.
    RUN /etc/my_init.d/00_regen_ssh_host_keys.sh
    # Use baseimage-docker's init system.
    CMD ["/sbin/my_init"]
-    # ...put other build instructions here...
+    # ...put your own build instructions here...
    # Clean up APT when done.
    RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 <a name="adding_additional_daemons"></a>
 ### Adding additional daemons
-You can add additional daemons to the image by creating runit entries. You only have to write a small shell script which runs your daemon, and runit will keep it up and running for you, restarting it when it crashes, etc.
+You can add additional daemons (e.g. your own app) to the image by creating runit entries. You only have to write a small shell script which runs your daemon, and runit will keep it up and running for you, restarting it when it crashes, etc.
-The shell script must be called `run`, must be executable, and is to be placed in the directory `/etc/services/<NAME>`.
+The shell script must be called `run`, must be executable, and is to be placed in the directory `/etc/service/<NAME>`.
-Here's an example showing you how to a memached server runit entry can be made.
+Here's an example showing you how a memached server runit entry can be made.
    ### In memcached.sh (make sure this file is chmod +x):
    #!/bin/sh
-    # `chpst` is part of running. `chpst -u memcache` runs the given command
+    # `/sbin/setuser memcache` runs the given command as the user `memcache`.
-    # as the user `memcache`. If you omit this, the command will be run as root.
+    # If you omit that part, the command will be run as root.
-    exec chpst -u memcache /usr/bin/memcached >>/var/log/memcached.log 2>&1
+    exec /sbin/setuser memcache /usr/bin/memcached >>/var/log/memcached.log 2>&1
    ### In Dockerfile:
-    RUN mkdir /etc/services/memcached
+    RUN mkdir /etc/service/memcached
-    ADD redis.sh /etc/services/memcached/run
+    ADD memcached.sh /etc/service/memcached/run
 Note that the shell script must run the daemon **without letting it daemonize/fork it**. Usually, daemons provide a command line flag or a config file option for that.
 <a name="running_startup_scripts"></a>
 ### Running scripts during container startup
 The baseimage-docker init system, `/sbin/my_init`, runs the following scripts during startup, in the following order:
 * All executable scripts in `/etc/my_init.d`, if this directory exists. The scripts are run in lexicographic order.
 * The script `/etc/rc.local`, if this file exists.
 All scripts must exit correctly, e.g. with exit code 0. If any script exits with a non-zero exit code, the booting will fail.
 The following example shows how you can add a startup script. This script simply logs the time of boot to the file /tmp/boottime.txt.
    ### In logtime.sh (make sure this file is chmod +x):
    #!/bin/sh
    date > /tmp/boottime.txt
    ### In Dockerfile:
    RUN mkdir -p /etc/my_init.d
    ADD logtime.sh /etc/my_init.d/logtime.sh
 <a name="oneshot"></a>
 ### Running a one-shot command in the container
 Normally, when you want to run a single command in a container, and exit immediately after the command, you invoke Docker like this:
    docker run YOUR_IMAGE COMMAND ARGUMENTS...
 However the downside of this approach is that the init system is not started. That is, while invoking `COMMAND`, important daemons such as cron and syslog are not running. Also, orphaned child processes are not properly reaped, because `COMMAND` is PID 1.
 Baseimage-docker provides a facility to run a single one-shot command, while solving all of the aforementioned problems. Run a single command in the following manner:
    docker run YOUR_IMAGE /sbin/my_init -- COMMAND ARGUMENTS ...
 This will perform the following:
 * Runs all system startup files, such as /etc/my_init.d/* and /etc/rc.local.
 * Starts all runit services.
 * Runs the specified command.
 * When the specified command exits, stops all runit services.
 For example:
    $ docker run phusion/baseimage:<VERSION> /sbin/my_init -- ls
    *** Running /etc/my_init.d/00_regen_ssh_host_keys.sh...
    No SSH host key available. Generating one...
    Creating SSH2 RSA key; this may take some time ...
    Creating SSH2 DSA key; this may take some time ...
    Creating SSH2 ECDSA key; this may take some time ...
    *** Running /etc/rc.local...
    *** Booting runit daemon...
    *** Runit started as PID 80
    *** Running ls...
    bin  boot  dev  etc  home  image  lib  lib64  media  mnt  opt  proc  root  run  sbin  selinux  srv  sys  tmp  usr  var
    *** ls exited with exit code 0.
    *** Shutting down runit daemon (PID 80)...
    *** Killing all processes...
 You may find that the default invocation is too noisy. Or perhaps you don't want to run the startup files. You can customize all this by passing arguments to `my_init`. Invoke `docker run YOUR_IMAGE /sbin/my_init --help` for more information.
 The following example runs `ls` without running the startup files and with less messages, while running all runit services:
    $ docker run phusion/baseimage:<VERSION> /sbin/my_init --skip-startup-files --quiet -- ls
    bin  boot  dev  etc  home  image  lib  lib64  media  mnt  opt  proc  root  run  sbin  selinux  srv  sys  tmp  usr  var
 <a name="environment_variables"></a>
 ### Environment variables
 If you use `/sbin/my_init` as the main container command, then any environment variables set with `docker run --env` or with the `ENV` command in the Dockerfile, will be picked up by `my_init`. These variables will also be passed to all child processes, including `/etc/my_init.d` startup scripts, Runit and Runit-managed services. There are however a few caveats you should be aware of:
 * Environment variables on Unix are inherited on a per-process basis. This means that it is generally not possible for a child process to change the environment variables of other processes.
 * Because of the aforementioned point, there is no good central place for defining environment variables for all applications and services. Debian has the `/etc/environment` file but it only works in some situations.
 * Some services change environment variables for child processes. Nginx is one such example: it removes all environment variables unless you explicitly instruct it to retain them through the `env` configuration option. If you host any applications on Nginx (e.g. using the [passenger-docker](https://github.com/phusion/passenger-docker) image, or using Phusion Passenger in your own image) then they will not see the environment variables that were originally passed by Docker.
 `my_init` provides a solution for all these caveats.
 <a name="envvar_central_definition"></a>
 #### Centrally defining your own environment variables
 During startup, before running any [startup scripts](#running_startup_scripts), `my_init` imports environment variables from the directory `/etc/container_environment`. This directory contains files who are named after the environment variable names. The file contents contain the environment variable values. This directory is therefore a good place to centrally define your own environment variables, which will be inherited by all startup scripts and Runit services.
 For example, here's how you can define an environment variable from your Dockerfile:
    RUN echo Apachai Hopachai > /etc/container_environment/MY_NAME
 You can verify that it works, as follows:
    $ docker run -t -i <YOUR_NAME_IMAGE> /sbin/my_init -- bash -l
    ...
    *** Running bash -l...
    # echo $MY_NAME
    Apachai Hopachai
 **Handling newlines**
 If you've looked carefully, you'll notice that the 'echo' command actually prints a newline. Why does $MY_NAME not contain a newline then? It's because `my_init` strips the trailing newline, if any. If you intended on the value having a newline, you should add *another* newline, like this:
    RUN echo -e "Apachai Hopachai\n" > /etc/container_environment/MY_NAME
 <a name="envvar_dumps"></a>
 #### Environment variable dumps
 While the previously mentioned mechanism is good for centrally defining environment variables, it by itself does not prevent services (e.g. Nginx) from changing and resetting environment variables from child processes. However, the `my_init` mechanism does make it easy for you to query what the original environment variables are.
 During startup, right after importing environment variables from `/etc/container_environment`, `my_init` will dump all its environment variables (that is, all variables imported from `container_environment`, as well as all variables it picked up from `docker run --env`) to the following locations, in the following formats:
 * `/etc/container_environment`
 * `/etc/container_environment.sh` - a dump of the environment variables in Bash format. You can source the file directly from a Bash shell script.
 * `/etc/container_environment.json` - a dump of the environment variables in JSON format.
 The multiple formats makes it easy for you to query the original environment variables no matter which language your scripts/apps are written in.
 Here is an example shell session showing you how the dumps look like:
    $ docker run -t -i \
      --env FOO=bar --env HELLO='my beautiful world' \
      phusion/baseimage:<VERSION> /sbin/my_init -- \
      bash -l
    ...
    *** Running bash -l...
    # ls /etc/container_environment
    FOO  HELLO  HOME  HOSTNAME  PATH  TERM  container
    # cat /etc/container_environment/HELLO; echo
    my beautiful world
    # cat /etc/container_environment.json; echo
    {"TERM": "xterm", "container": "lxc", "HOSTNAME": "f45449f06950", "HOME": "/root", "PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "FOO": "bar", "HELLO": "my beautiful world"}
    # source /etc/container_environment.sh
    # echo $HELLO
    my beautiful world
 <a name="modifying_envvars"></a>
 #### Modifying environment variables
 It is even possible to modify the environment variables in `my_init` (and therefore the environment variables in all child processes that are spawned after that point in time), by altering the files in `/etc/container_environment`. After each time `my_init` runs a [startup script](#running_startup_scripts), it resets its own environment variables to the state in `/etc/container_environment`, and re-dumps the new environment variables to `container_environment.sh` and `container_environment.json`.
 But note that:
 * modifying `container_environment.sh` and `container_environment.json` has no effect.
 * Runit services cannot modify the environment like that. `my_init` only activates changes in `/etc/container_environment` when running startup scripts.
 <a name="envvar_security"></a>
 #### Security
 Because environment variables can potentially contain sensitive information, `/etc/container_environment` and its Bash and JSON dumps are by default owned by root, and accessible only by the `docker_env` group (so that any user added this group will have these variables automatically loaded).
 If you are sure that your environment variables don't contain sensitive data, then you can also relax the permissions on that directory and those files by making them world-readable:
    RUN chmod 755 /etc/container_environment
    RUN chmod 644 /etc/container_environment.sh /etc/container_environment.json
 <a name="login"></a>
 ### Login to the container via SSH
 You can use SSH to login to any container that is based on baseimage-docker.
 The first thing that you need to do is to ensure that you have the right SSH keys installed inside the container. By default, no keys are installed, so you can't login. For convenience reasons, we provide [a pregenerated, insecure key](https://github.com/phusion/baseimage-docker/blob/master/image/insecure_key) [(PuTTY format)](https://github.com/phusion/baseimage-docker/blob/master/image/insecure_key.ppk) that you can easily enable. However, please be aware that using this key is for convenience only. It does not provide any security because this key (both the public and the private side) is publicly available. **In production environments, you should use your own keys**.
 <a name="using_the_insecure_key_for_one_container_only"></a>
 #### Using the insecure key for one container only
 You can temporarily enable the insecure key for one container only. This means that the insecure key is installed at container boot. If you `docker stop` and `docker start` the container, the insecure key will still be there, but if you use `docker run` to start a new container then that container will not contain the insecure key.
 Start a container with `--enable-insecure-key`:
    docker run YOUR_IMAGE /sbin/my_init --enable-insecure-key
 Find out the ID of the container that you just ran:
    docker ps
 Once you have the ID, look for its IP address with:
    docker inspect -f "{{ .NetworkSettings.IPAddress }}" <ID>
 Now SSH into the container as follows:
    curl -o insecure_key -fSL https://github.com/phusion/baseimage-docker/raw/master/image/insecure_key
    chmod 600 insecure_key
    ssh -i insecure_key root@<IP address>
 <a name="enabling_the_insecure_key_permanently"></a>
 #### Enabling the insecure key permanently
 It is also possible to enable the insecure key in the image permanently. This is not generally recommended, but it suitable for e.g. temporary development or demo environments where security does not matter.
 Edit your Dockerfile to install the insecure key permanently:
    RUN /usr/sbin/enable_insecure_key
 Instructions for logging in the container is the same as in section [Using the insecure key for one container only](#using_the_insecure_key_for_one_container_only).
 <a name="using_your_own_key"></a>
 #### Using your own key
 Edit your Dockerfile to install an SSH key:
    ## Install an SSH of your choice.
    ADD your_key /tmp/your_key
    RUN cat /tmp/your_key >> /root/.ssh/authorized_keys && rm -f /tmp/your_key
 Then rebuild your image. Once you have that, start a container based on that image:
    docker run your-image-name
 Find out the ID of the container that you just ran:
    docker ps
 Once you have the ID, look for its IP address with:
    docker inspect -f "{{ .NetworkSettings.IPAddress }}" <ID>
 Now SSH into the container as follows:
    ssh -i /path-to/your_key root@<IP address>
 <a name="docker_bash"></a>
 #### The `docker-bash` tool
 Looking up the IP of a container and running an SSH command quickly becomes tedious. Luckily, we provide the `docker-bash` tool which automates this process. This tool is to be run on the *Docker host*, not inside a Docker container.
 First, install the tool on the Docker host:
    curl --fail -L -O https://github.com/phusion/baseimage-docker/archive/master.tar.gz && \
    tar xzf master.tar.gz && \
    sudo ./baseimage-docker-master/install-tools.sh
 Then run the tool as follows to login to a container using SSH:
    docker-bash YOUR-CONTAINER-ID
 You can lookup `YOUR-CONTAINER-ID` by running `docker ps`.
 By default, `docker-bash` will open a Bash session. You can also tell it to run a command, and then exit:
    docker-bash YOUR-CONTAINER-ID echo hello world
 <a name="building"></a>
 ## Building the image yourself
 If for whatever reason you want to build the image yourself instead of downloading it from the Docker registry, follow these instructions.
@@ -115,10 +407,18 @@ If you want to call the resulting image something else, pass the NAME variable,
    make build NAME=joe/baseimage
 <a name="disabling_ssh"></a>
 ### Disabling SSH
 In case you do not want to enable SSH, here's how you can disable it:
    RUN rm -rf /etc/service/sshd /etc/my_init.d/00_regen_ssh_host_keys.sh
 <a name="conclusion"></a>
 ## Conclusion
 * Using baseimage-docker? [Tweet about us](https://twitter.com/share) or [follow us on Twitter](https://twitter.com/phusion_nl).
- * Having problems? Please post a message at [the discussion forum](https://groups.google.com/d/forum/passenger-docker).
+ * Having problems? Want to participate in development? Please post a message at [the discussion forum](https://groups.google.com/d/forum/passenger-docker).
 * Looking for a more complete base image, one that is ideal for Ruby, Python, Node.js and Meteor web apps? Take a look at [passenger-docker](https://github.com/phusion/passenger-docker).
 [<img src="http://www.phusion.nl/assets/logo.png">](http://www.phusion.nl/)
--- a/55
+++ b/55
@@ -1,31 +1,54 @@
 # -*- mode: ruby -*-
 # vi: set ft=ruby :
-ROOT = File.dirname(File.expand_path(__FILE__))
+ROOT = File.dirname(File.absolute_path(__FILE__))
 # Vagrantfile API/syntax version. Don't touch unless you know what you're doing!
-VAGRANTFILE_API_VERSION = "2"
+VAGRANTFILE_API_VERSION = '2'
 # Default env properties which can be overridden
 # Example overrides:
 #   echo "ENV['PASSENGER_DOCKER_PATH'] ||= '../../phusion/passenger-docker'   " >> ~/.vagrant.d/Vagrantfile
 #   echo "ENV['BASE_BOX_URL']          ||= 'd\:/dev/vm/vagrant/boxes/phusion/'" >> ~/.vagrant.d/Vagrantfile
 BASE_BOX_URL          = ENV['BASE_BOX_URL']    || 'https://oss-binaries.phusionpassenger.com/vagrant/boxes/latest/'
 VAGRANT_BOX_URL       = ENV['VAGRANT_BOX_URL'] || BASE_BOX_URL + 'ubuntu-14.04-amd64-vbox.box'
 VMWARE_BOX_URL        = ENV['VMWARE_BOX_URL']  || BASE_BOX_URL + 'ubuntu-14.04-amd64-vmwarefusion.box'
 BASEIMAGE_PATH        = ENV['BASEIMAGE_PATH' ] || '.'
 PASSENGER_DOCKER_PATH = ENV['PASSENGER_PATH' ] || '../passenger-docker'
 DOCKERIZER_PATH       = ENV['DOCKERIZER_PATH'] || '../dockerizer'
 $script = <<SCRIPT
 wget -q -O - https://get.docker.io/gpg | apt-key add -
 echo deb http://get.docker.io/ubuntu docker main > /etc/apt/sources.list.d/docker.list
 apt-get update -qq
 apt-get install -q -y --force-yes lxc-docker
 usermod -a -G docker vagrant
 docker version
 su - vagrant -c 'echo alias d=docker >> ~/.bash_aliases'
 SCRIPT
 Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
-  config.vm.box = "phusion-open-ubuntu-12.04-amd64"
+  config.vm.box = 'phusion-open-ubuntu-14.04-amd64'
-  config.vm.box_url = "https://oss-binaries.phusionpassenger.com/vagrant/boxes/ubuntu-12.04.3-amd64-vbox.box"
+  config.vm.box_url = VAGRANT_BOX_URL
  config.ssh.forward_agent = true
-  if File.directory?("#{ROOT}/passenger-docker")
+  passenger_docker_path = File.absolute_path(PASSENGER_DOCKER_PATH, ROOT)
-    config.vm.synced_folder File.expand_path("#{ROOT}/../passenger-docker"),
+  if File.directory?(passenger_docker_path)
-      "/vagrant/passenger-docker"
+    config.vm.synced_folder passenger_docker_path, '/vagrant/passenger-docker'
  end
  baseimage_path = File.absolute_path(BASEIMAGE_PATH, ROOT)
  if File.directory?(baseimage_path)
    config.vm.synced_folder baseimage_path, "/vagrant/baseimage-docker"
  end
  dockerizer_path = File.absolute_path(DOCKERIZER_PATH, ROOT)
  if File.directory?(dockerizer_path)
    config.vm.synced_folder dockerizer_path, '/vagrant/dockerizer'
  end
  config.vm.provider :vmware_fusion do |f, override|
-    override.vm.box_url = "https://oss-binaries.phusionpassenger.com/vagrant/boxes/ubuntu-12.04.3-amd64-vmwarefusion.box"
+    override.vm.box_url = VMWARE_BOX_URL
-    f.vmx["displayName"] = "baseimage-docker"
+    f.vmx['displayName'] = 'baseimage-docker'
  end
  if Dir.glob("#{File.dirname(__FILE__)}/.vagrant/machines/default/*/id").empty?
-    # Add lxc-docker package
+    config.vm.provision :shell, :inline => $script
    pkg_cmd = "wget -q -O - https://get.docker.io/gpg | apt-key add -;" \
      "echo deb http://get.docker.io/ubuntu docker main > /etc/apt/sources.list.d/docker.list;" \
      "apt-get update -qq; apt-get install -q -y --force-yes lxc-docker; "
    # Add vagrant user to the docker group
    pkg_cmd << "usermod -a -G docker vagrant; "
    config.vm.provision :shell, :inline => pkg_cmd
  end
 end
--- a/image/00_regen_ssh_host_keys.sh
+++ b/image/00_regen_ssh_host_keys.sh
@@ -0,0 +1,8 @@
 #!/bin/bash
 set -e
 if [[ ! -e /etc/ssh/ssh_host_rsa_key ]]; then
 	echo "No SSH host key available. Generating one..."
 	export LC_ALL=C
 	export DEBIAN_FRONTEND=noninteractive
 	dpkg-reconfigure openssh-server
 fi
--- a/image/Dockerfile
+++ b/image/Dockerfile
@@ -1,4 +1,4 @@
-FROM ubuntu:12.04
+FROM ubuntu:14.04
 MAINTAINER Phusion <info@phusion.nl>
 ENV HOME /root
@@ -11,4 +11,3 @@ RUN /build/prepare.sh && \
 	/build/cleanup.sh
 CMD ["/sbin/my_init"]
 EXPOSE 22 80 443
--- a/image/cleanup.sh
+++ b/image/cleanup.sh
@@ -6,3 +6,7 @@ set -x
 apt-get clean
 rm -rf /build
 rm -rf /tmp/* /var/tmp/*
 rm -rf /var/lib/apt/lists/*
 rm -f /etc/dpkg/dpkg.cfg.d/02apt-speedup
 rm -f /etc/ssh/ssh_host_*
--- a/image/config/sshd_config
+++ b/image/config/sshd_config
@@ -123,7 +123,7 @@ ChallengeResponseAuthentication no
 #Banner none
 # override default of no subsystems
-Subsystem	sftp	/usr/libexec/sftp-server
+Subsystem	sftp	/usr/lib/openssh/sftp-server
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
--- a/image/config/syslog_ng_default
+++ b/image/config/syslog_ng_default
@@ -0,0 +1,12 @@
 # If a variable is not set here, then the corresponding
 # parameter will not be changed.
 # If a variables is set, then every invocation of
 # syslog-ng's init script will set them using dmesg.
 # log level of messages which should go to console
 # see syslog(3) for details
 #
 #CONSOLE_LOG_LEVEL=1
 # Command line options to syslog-ng
 SYSLOGNG_OPTS="--no-caps"
--- a/image/enable_insecure_key
+++ b/image/enable_insecure_key
@@ -0,0 +1,30 @@
 #!/bin/bash
 set -e
 AUTHORIZED_KEYS=/root/.ssh/authorized_keys
 if [[ -e "$AUTHORIZED_KEYS" ]] && grep -q baseimage-docker-insecure-key "$AUTHORIZED_KEYS"; then
 	echo "Insecure key has already been added to $AUTHORIZED_KEYS."
 else
 	DIR=`dirname "$AUTHORIZED_KEYS"`
 	echo "Creating directory $DIR..."
 	mkdir -p "$DIR"
 	chmod 700 "$DIR"
 	chown root:root "$DIR"
 	echo "Editing $AUTHORIZED_KEYS..."
 	cat /etc/insecure_key.pub >> "$AUTHORIZED_KEYS"
 	echo "Success: insecure key has been added to $AUTHORIZED_KEYS"
 	cat <<-EOF
 		+------------------------------------------------------------------------------+
 		| Insecure SSH key installed                                                   |
 		|                                                                              |
 		| DO NOT expose port 22 on the Internet unless you know what you are doing!    |
 		|                                                                              |
 		| Use the private key below to connect with user root                         |
 		+------------------------------------------------------------------------------+
 	EOF
 	cat /etc/insecure_key
 	echo -e "\n\n"
 fi
--- a/image/insecure_key.ppk
+++ b/image/insecure_key.ppk
@@ -0,0 +1,26 @@
 PuTTY-User-Key-File-2: ssh-rsa
 Encryption: none
 Comment: imported-openssh-key
 Public-Lines: 6
 AAAAB3NzaC1yc2EAAAADAQABAAABAQDVmzBG5v7cO9IScGLIzlhGlHNFhXzy87Vf
 aPzru7qnIIdQ1e9FEKvtqEws8hVixnCUdviwX5lvcMk4Ef4Tbrmj3dyF0zFtYbji
 TSyl/XQlF68DQlc2sTAdHy96wJHvh7ky511tKJzzyWwSqeef4WjeVK28TqcGnq1u
 p0S7saFO0dJh6OfDAg2cDmhyweR3VgT0vZJyrDV7hte95MBCdK+Gp7fdCyEZcWm3
 S1DBFaeBqHzzt/Y/njAVKbYL9TIVPum8iMg0rMiLi9ShfP+dT5Xud5Oa3dcN2OWh
 iDfJw5pfhFJWd44cJ/uGRwQpvNs/PNKsYABhgLlTMUH4iawhu1Xb
 Private-Lines: 14
 AAABAQCjROxgtX2Gft7yIx8Ol9IXmK6HLCI2XZt7ovb3hFWGGzHy0qMBql2P2Tzo
 ed1o038Hq+woe9n+uTnEdtQ6rD6PByzgyW2VSsWTjCOdeJ5HH9Qw7ItXDZZWHBkh
 fYHOkXI4e2oI3qshGAtYNLALn7KVhioJriCyyaSM2KOLx5khcY+EJ1inQfwQJKqP
 GsdKc72liz07T8ifRj+mNLKtwrxlK3IXYfIdgLp/1pCKdrC80DhprMsD4xvNgq4p
 CR9jd4FoqM9t/Up5ppTm+p6A/bDwdIPh6cFFeyMP+G3+bTlW1Gg7RLoNCc6qh53W
 WVgEOQqdLHcQ8Ge4RLmbwLUmnRuRAAAAgQD312H46T2YvKzyEKbsddwbO8WktfxW
 vVqqxH6z6bRXVFR3hQhmPKjlFXsD74h3W7NJwe9WJ5Pf3vemoBWIo0Hak0M1Z6WC
 OIvBohpOYDzIgdlGHifx2ZiAd47Vsn+mfxjtISdWupl9Fw98yRjahWosKmmIHTtR
 cIfYHB9ztpR8owAAAIEA3KNMYMFgenE+7q4pwat4t3RKA7rU8SPto5I1+sEHY8rz
 cD7ONkIVlEhaqN+uTEYbr5rZa4dsQe4Ia+7ZXmO4djFsAP/fyJX+VCX/bHK83V5H
 9toTdRLTqqfqJ3GOeZ41kPIN6UDHVEa4S8tfVM0DMNPEHBjLMfdbZGkoBQAPXWkA
 AACBAJV/Bxr1jJohvmURQf/9y6MvO2wcRpTdKVLQhEnGm2cXQdh5CPVae2K+u0CG
 d8u0/PDIZMGpueCQo4lft02W0skTDo5Kn+1IUwmQuoRzanVJ5ab+GyVnlouRLp/J
 bWMQZ3pjXNkBsQOK/igrKYvqUb1jRsy9zxVQRl4i7JjjLpe/
 Private-MAC: ef1e472b5254ae2c5319a522d39ad31d432dde75
--- a/image/insecure_key.pub
+++ b/image/insecure_key.pub
@@ -1 +1 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVmzBG5v7cO9IScGLIzlhGlHNFhXzy87VfaPzru7qnIIdQ1e9FEKvtqEws8hVixnCUdviwX5lvcMk4Ef4Tbrmj3dyF0zFtYbjiTSyl/XQlF68DQlc2sTAdHy96wJHvh7ky511tKJzzyWwSqeef4WjeVK28TqcGnq1up0S7saFO0dJh6OfDAg2cDmhyweR3VgT0vZJyrDV7hte95MBCdK+Gp7fdCyEZcWm3S1DBFaeBqHzzt/Y/njAVKbYL9TIVPum8iMg0rMiLi9ShfP+dT5Xud5Oa3dcN2OWhiDfJw5pfhFJWd44cJ/uGRwQpvNs/PNKsYABhgLlTMUH4iawhu1Xb hongli@asuna-3939
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVmzBG5v7cO9IScGLIzlhGlHNFhXzy87VfaPzru7qnIIdQ1e9FEKvtqEws8hVixnCUdviwX5lvcMk4Ef4Tbrmj3dyF0zFtYbjiTSyl/XQlF68DQlc2sTAdHy96wJHvh7ky511tKJzzyWwSqeef4WjeVK28TqcGnq1up0S7saFO0dJh6OfDAg2cDmhyweR3VgT0vZJyrDV7hte95MBCdK+Gp7fdCyEZcWm3S1DBFaeBqHzzt/Y/njAVKbYL9TIVPum8iMg0rMiLi9ShfP+dT5Xud5Oa3dcN2OWhiDfJw5pfhFJWd44cJ/uGRwQpvNs/PNKsYABhgLlTMUH4iawhu1Xb baseimage-docker-insecure-key
--- a/image/my_init
+++ b/image/my_init
@@ -1,5 +1,339 @@
-#!/bin/bash
+#!/usr/bin/python3 -u
-set -e
+import os, os.path, sys, stat, signal, errno, argparse, time, json, re
-# No exec. We want bash to be the init process so that it can kill
+
-# zombie processes.
+KILL_PROCESS_TIMEOUT = 5
-/usr/sbin/runsvdir-start
+KILL_ALL_PROCESSES_TIMEOUT = 5
 LOG_LEVEL_ERROR = 1
 LOG_LEVEL_WARN  = 1
 LOG_LEVEL_INFO  = 2
 LOG_LEVEL_DEBUG = 3
 log_level = None
 terminated_child_processes = {}
 class AlarmException(Exception):
 	pass
 def error(message):
 	if log_level >= LOG_LEVEL_ERROR:
 		sys.stderr.write("*** %s\n" % message)
 def warn(message):
 	if log_level >= LOG_LEVEL_WARN:
 		print("*** %s" % message)
 def info(message):
 	if log_level >= LOG_LEVEL_INFO:
 		print("*** %s" % message)
 def debug(message):
 	if log_level >= LOG_LEVEL_DEBUG:
 		print("*** %s" % message)
 def ignore_signals_and_raise_keyboard_interrupt(signame):
 	signal.signal(signal.SIGTERM, signal.SIG_IGN)
 	signal.signal(signal.SIGINT, signal.SIG_IGN)
 	raise KeyboardInterrupt(signame)
 def raise_alarm_exception():
 	raise AlarmException('Alarm')
 def listdir(path):
 	try:
 		result = os.stat(path)
 	except OSError:
 		return []
 	if stat.S_ISDIR(result.st_mode):
 		return sorted(os.listdir(path))
 	else:
 		return []
 def is_exe(path):
 	try:
 		return os.path.isfile(path) and os.access(path, os.X_OK)
 	except OSError:
 		return False
 def import_envvars(clear_existing_environment = True, override_existing_environment = True):
 	new_env = {}
 	for envfile in listdir("/etc/container_environment"):
 		name = os.path.basename(envfile)
 		with open("/etc/container_environment/" + envfile, "r") as f:
 			# Text files often end with a trailing newline, which we
 			# don't want to include in the env variable value. See
 			# https://github.com/phusion/baseimage-docker/pull/49
 			value = re.sub('\n\Z', '', f.read())
 		new_env[name] = value
 	if clear_existing_environment:
 		os.environ.clear()
 	for name, value in new_env.items():
 		if override_existing_environment or not name in os.environ:
 			os.environ[name] = value
 def export_envvars(to_dir = True):
 	shell_dump = ""
 	for name, value in os.environ.items():
 		if name in ['HOME', 'USER', 'GROUP', 'UID', 'GID', 'SHELL']:
 			continue
 		if to_dir:
 			with open("/etc/container_environment/" + name, "w") as f:
 				f.write(value)
 		shell_dump += "export " + shquote(name) + "=" + shquote(value) + "\n"
 	with open("/etc/container_environment.sh", "w") as f:
 		f.write(shell_dump)
 	with open("/etc/container_environment.json", "w") as f:
 		f.write(json.dumps(dict(os.environ)))
 _find_unsafe = re.compile(r'[^\w@%+=:,./-]').search
 def shquote(s):
 	"""Return a shell-escaped version of the string *s*."""
 	if not s:
 		return "''"
 	if _find_unsafe(s) is None:
 		return s
 	# use single quotes, and put single quotes into double quotes
 	# the string $'b is then quoted as '$'"'"'b'
 	return "'" + s.replace("'", "'\"'\"'") + "'"
 # Waits for the child process with the given PID, while at the same time
 # reaping any other child processes that have exited (e.g. adopted child
 # processes that have terminated).
 def waitpid_reap_other_children(pid):
 	global terminated_child_processes
 	status = terminated_child_processes.get(pid)
 	if status:
 		# A previous call to waitpid_reap_other_children(),
 		# with an argument not equal to the current argument,
 		# already waited for this process. Return the status
 		# that was obtained back then.
 		del terminated_child_processes[pid]
 		return status
 	done = False
 	status = None
 	while not done:
 		try:
 			this_pid, status = os.waitpid(-1, 0)
 			if this_pid == pid:
 				done = True
 			else:
 				# Save status for later.
 				terminated_child_processes[this_pid] = status
 		except OSError as e:
 			if e.errno == errno.ECHILD or e.errno == errno.ESRCH:
 				return None
 			else:
 				raise
 	return status
 def stop_child_process(name, pid, signo = signal.SIGTERM, time_limit = KILL_PROCESS_TIMEOUT):
 	info("Shutting down %s (PID %d)..." % (name, pid))
 	try:
 		os.kill(pid, signo)
 	except OSError:
 		pass
 	signal.alarm(time_limit)
 	try:
 		try:
 			waitpid_reap_other_children(pid)
 		except OSError:
 			pass
 	except AlarmException:
 		warn("%s (PID %d) did not shut down in time. Forcing it to exit." % (name, pid))
 		try:
 			os.kill(pid, signal.SIGKILL)
 		except OSError:
 			pass
 		try:
 			waitpid_reap_other_children(pid)
 		except OSError:
 			pass
 	finally:
 		signal.alarm(0)
 def run_command_killable(*argv):
 	filename = argv[0]
 	status = None
 	pid = os.spawnvp(os.P_NOWAIT, filename, argv)
 	try:
 		status = waitpid_reap_other_children(pid)
 	except BaseException as s:
 		warn("An error occurred. Aborting.")
 		stop_child_process(filename, pid)
 		raise
 	if status != 0:
 		if status is None:
 			error("%s exited with unknown status\n" % filename)
 		else:
 			error("%s failed with status %d\n" % (filename, os.WEXITSTATUS(status)))
 		sys.exit(1)
 def run_command_killable_and_import_envvars(*argv):
 	run_command_killable(*argv)
 	import_envvars()
 	export_envvars(False)
 def kill_all_processes(time_limit):
 	info("Killing all processes...")
 	try:
 		os.kill(-1, signal.SIGTERM)
 	except OSError:
 		pass
 	signal.alarm(time_limit)
 	try:
 		# Wait until no more child processes exist.
 		done = False
 		while not done:
 			try:
 				os.waitpid(-1, 0)
 			except OSError as e:
 				if e.errno == errno.ECHILD:
 					done = True
 				else:
 					raise
 	except AlarmException:
 		warn("Not all processes have exited in time. Forcing them to exit.")
 		try:
 			os.kill(-1, signal.SIGKILL)
 		except OSError:
 			pass
 	finally:
 		signal.alarm(0)
 def run_startup_files():
 	# Run /etc/my_init.d/*
 	for name in listdir("/etc/my_init.d"):
 		filename = "/etc/my_init.d/" + name
 		if is_exe(filename):
 			info("Running %s..." % filename)
 			run_command_killable_and_import_envvars(filename)
 	# Run /etc/rc.local.
 	if is_exe("/etc/rc.local"):
 		info("Running /etc/rc.local...")
 		run_command_killable_and_import_envvars("/etc/rc.local")
 def start_runit():
 	info("Booting runit daemon...")
 	pid = os.spawnl(os.P_NOWAIT, "/usr/bin/runsvdir", "/usr/bin/runsvdir",
 		"-P", "/etc/service")
 	info("Runit started as PID %d" % pid)
 	return pid
 def wait_for_runit_or_interrupt(pid):
 	try:
 		status = waitpid_reap_other_children(pid)
 		return (True, status)
 	except KeyboardInterrupt:
 		return (False, None)
 def shutdown_runit_services():
 	debug("Begin shutting down runit services...")
 	os.system("/usr/bin/sv down /etc/service/*")
 def wait_for_runit_services():
 	debug("Waiting for runit services to exit...")
 	done = False
 	while not done:
 		done = os.system("/usr/bin/sv status /etc/service/* | grep -q '^run:'") != 0
 		if not done:
 			time.sleep(0.1)
 def install_insecure_key():
 	info("Installing insecure SSH key for user root")
 	run_command_killable("/usr/sbin/enable_insecure_key")
 def main(args):
 	import_envvars(False, False)
 	export_envvars()
 	if args.enable_insecure_key:
 		install_insecure_key()
 	if not args.skip_startup_files:
 		run_startup_files()
 	runit_exited = False
 	exit_code = None
 	if not args.skip_runit:
 		runit_pid = start_runit()
 	try:
 		exit_status = None
 		if len(args.main_command) == 0:
 			runit_exited, exit_code = wait_for_runit_or_interrupt(runit_pid)
 			if runit_exited:
 				if exit_code is None:
 					info("Runit exited with unknown status")
 					exit_status = 1
 				else:
 					exit_status = os.WEXITSTATUS(exit_code)
 					info("Runit exited with status %d" % exit_status)
 		else:
 			info("Running %s..." % " ".join(args.main_command))
 			pid = os.spawnvp(os.P_NOWAIT, args.main_command[0], args.main_command)
 			try:
 				exit_code = waitpid_reap_other_children(pid)
 				if exit_code is None:
 					info("%s exited with unknown status." % args.main_command[0])
 					exit_status = 1
 				else:
 					exit_status = os.WEXITSTATUS(exit_code)
 					info("%s exited with status %d." % (args.main_command[0], exit_status))
 			except KeyboardInterrupt:
 				stop_child_process(args.main_command[0], pid)
 			except BaseException as s:
 				warn("An error occurred. Aborting.")
 				stop_child_process(args.main_command[0], pid)
 				raise
 		sys.exit(exit_status)
 	finally:
 		if not args.skip_runit:
 			shutdown_runit_services()
 			if not runit_exited:
 				stop_child_process("runit daemon", runit_pid)
 			wait_for_runit_services()
 # Parse options.
 parser = argparse.ArgumentParser(description = 'Initialize the system.')
 parser.add_argument('main_command', metavar = 'MAIN_COMMAND', type = str, nargs = '*',
 	help = 'The main command to run. (default: runit)')
 parser.add_argument('--enable-insecure-key', dest = 'enable_insecure_key',
 	action = 'store_const', const = True, default = False,
 	help = 'Install the insecure SSH key')
 parser.add_argument('--skip-startup-files', dest = 'skip_startup_files',
 	action = 'store_const', const = True, default = False,
 	help = 'Skip running /etc/my_init.d/* and /etc/rc.local')
 parser.add_argument('--skip-runit', dest = 'skip_runit',
 	action = 'store_const', const = True, default = False,
 	help = 'Do not run runit services')
 parser.add_argument('--no-kill-all-on-exit', dest = 'kill_all_on_exit',
 	action = 'store_const', const = False, default = True,
 	help = 'Don\'t kill all processes on the system upon exiting')
 parser.add_argument('--quiet', dest = 'log_level',
 	action = 'store_const', const = LOG_LEVEL_WARN, default = LOG_LEVEL_INFO,
 	help = 'Only print warnings and errors')
 args = parser.parse_args()
 log_level = args.log_level
 if args.skip_runit and len(args.main_command) == 0:
 	error("When --skip-runit is given, you must also pass a main command.")
 	sys.exit(1)
 # Run main function.
 signal.signal(signal.SIGTERM, lambda signum, frame: ignore_signals_and_raise_keyboard_interrupt('SIGTERM'))
 signal.signal(signal.SIGINT, lambda signum, frame: ignore_signals_and_raise_keyboard_interrupt('SIGINT'))
 signal.signal(signal.SIGALRM, lambda signum, frame: raise_alarm_exception())
 try:
 	main(args)
 except KeyboardInterrupt:
 	warn("Init system aborted.")
 	exit(2)
 finally:
 	if args.kill_all_on_exit:
 		kill_all_processes(KILL_ALL_PROCESSES_TIMEOUT)
--- a/image/prepare.sh
+++ b/image/prepare.sh
@@ -3,22 +3,41 @@ set -e
 source /build/buildconfig
 set -x
-## Enable Ubuntu Universe.
+## Temporarily disable dpkg fsync to make building faster.
-echo deb http://archive.ubuntu.com/ubuntu precise main universe > /etc/apt/sources.list
+echo force-unsafe-io > /etc/dpkg/dpkg.cfg.d/02apt-speedup
 echo deb http://archive.ubuntu.com/ubuntu precise-updates main universe >> /etc/apt/sources.list
 apt-get update
-## Install HTTPS support for APT.
+## Prevent initramfs updates from trying to run grub and lilo.
-$minimal_apt_get_install apt-transport-https
+## https://journal.paul.querna.org/articles/2013/10/15/docker-ubuntu-on-rackspace/
 ## http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594189
 export INITRD=no
 mkdir -p /etc/container_environment
 echo -n no > /etc/container_environment/INITRD
 ## Enable Ubuntu Universe and Multiverse.
 sed -i 's/^#\s*\(deb.*universe\)$/\1/g' /etc/apt/sources.list
 sed -i 's/^#\s*\(deb.*multiverse\)$/\1/g' /etc/apt/sources.list
 apt-get update
 ## Fix some issues with APT packages.
 ## See https://github.com/dotcloud/docker/issues/1024
 dpkg-divert --local --rename --add /sbin/initctl
-ln -s /bin/true /sbin/initctl
+ln -sf /bin/true /sbin/initctl
 ## Replace the 'ischroot' tool to make it always return true.
 ## Prevent initscripts updates from breaking /dev/shm.
 ## https://journal.paul.querna.org/articles/2013/10/15/docker-ubuntu-on-rackspace/
 ## https://bugs.launchpad.net/launchpad/+bug/974584
 dpkg-divert --local --rename --add /usr/bin/ischroot
 ln -sf /bin/true /usr/bin/ischroot
 ## Install HTTPS support for APT.
 $minimal_apt_get_install apt-transport-https ca-certificates
 ## Install add-apt-repository
 $minimal_apt_get_install software-properties-common
 ## Upgrade all packages.
-echo "initscripts hold" | dpkg --set-selections
+apt-get dist-upgrade -y --no-install-recommends
 apt-get upgrade -y --no-install-recommends
 ## Fix locale.
 $minimal_apt_get_install language-pack-en
--- a/image/runit/syslog-ng
+++ b/image/runit/syslog-ng
@@ -1,3 +1,31 @@
 #!/bin/sh
 set -e
-exec syslog-ng -F -p /var/run/syslog-ng.pid
+
 # If /dev/log is either a named pipe or it was placed there accidentally,
 # e.g. because of the issue documented at https://github.com/phusion/baseimage-docker/pull/25,
 # then we remove it.
 if [ ! -S /dev/log ]; then rm -f /dev/log; fi
 SYSLOGNG_OPTS=""
 [ -r /etc/default/syslog-ng ] && . /etc/default/syslog-ng
 case "x$CONSOLE_LOG_LEVEL" in
  x[1-8])
    dmesg -n $CONSOLE_LOG_LEVEL
    ;;
  x)
    ;;
  *)
    echo "CONSOLE_LOG_LEVEL is of unaccepted value."
    ;;
 esac
 if [ ! -e /dev/xconsole ]
 then
  mknod -m 640 /dev/xconsole p
  chown root:adm /dev/xconsole
  [ -x /sbin/restorecon ] && /sbin/restorecon $XCONSOLE
 fi
 exec syslog-ng -F -p /var/run/syslog-ng.pid $SYSLOGNG_OPTS
--- a/image/setuser
+++ b/image/setuser
@@ -1,12 +1,26 @@
-#!/bin/bash
+#!/usr/bin/python3
-set -e
+import sys, os, pwd
-user="$1"
+if len(sys.argv) < 3:
-shift
+	sys.stderr.write("Usage: /sbin/setuser USERNAME COMMAND [args..]\n")
 	sys.exit(1)
-if [[ "$user" == "root" ]]; then
+def abort(message):
-	export HOME=/root
+	sys.stderr.write("setuser: %s\n" % message)
-else
+	sys.exit(1)
-	export HOME=/home/$user
+
-fi
+username = sys.argv[1]
-exec chpst -u "$user" "$@"
+try:
 	user = pwd.getpwnam(username)
 except KeyError:
 	abort("user %s not found" % username)
 os.initgroups(username, user.pw_gid)
 os.setgid(user.pw_gid)
 os.setuid(user.pw_uid)
 os.environ['USER'] = username
 os.environ['HOME'] = user.pw_dir
 os.environ['UID']  = str(user.pw_uid)
 try:
 	os.execvp(sys.argv[2], sys.argv[2:])
 except OSError as e:
 	abort("cannot execute %s: %s" % (sys.argv[2], str(e)))
--- a/image/system_services.sh
+++ b/image/system_services.sh
@@ -5,6 +5,16 @@ set -x
 ## Install init process.
 cp /build/my_init /sbin/
 mkdir -p /etc/my_init.d
 mkdir -p /etc/container_environment
 touch /etc/container_environment.sh
 touch /etc/container_environment.json
 chmod 700 /etc/container_environment
 groupadd docker_env
 chown :docker_env /etc/container_environment.sh /etc/container_environment.json
 chmod 640 /etc/container_environment.sh /etc/container_environment.json
 ln -s /etc/container_environment.sh /etc/profile.d/
 ## Install runit.
 $minimal_apt_get_install runit
@@ -13,6 +23,14 @@ $minimal_apt_get_install runit
 $minimal_apt_get_install syslog-ng-core
 mkdir /etc/service/syslog-ng
 cp /build/runit/syslog-ng /etc/service/syslog-ng/run
 mkdir -p /var/lib/syslog-ng
 cp /build/config/syslog_ng_default /etc/default/syslog-ng
 # Replace the system() source because inside Docker we
 # can't access /proc/kmsg.
 sed -i -E 's/^(\s*)system\(\);/\1unix-stream("\/dev\/log");/' /etc/syslog-ng/syslog-ng.conf
 ## Install logrotate.
 $minimal_apt_get_install logrotate
 ## Install the SSH server.
 $minimal_apt_get_install openssh-server
@@ -20,14 +38,23 @@ mkdir /var/run/sshd
 mkdir /etc/service/sshd
 cp /build/runit/sshd /etc/service/sshd/run
 cp /build/config/sshd_config /etc/ssh/sshd_config
 cp /build/00_regen_ssh_host_keys.sh /etc/my_init.d/
 ## Install default SSH key for root and app.
 mkdir -p /root/.ssh
 chmod 700 /root/.ssh
 chown root:root /root/.ssh
-cat /build/insecure_key.pub > /root/.ssh/authorized_keys
+cp /build/insecure_key.pub /etc/insecure_key.pub
 cp /build/insecure_key /etc/insecure_key
 chmod 644 /etc/insecure_key*
 chown root:root /etc/insecure_key*
 cp /build/enable_insecure_key /usr/sbin/
 ## Install cron daemon.
 $minimal_apt_get_install cron
 mkdir /etc/service/cron
 cp /build/runit/cron /etc/service/cron/run
 ## Remove useless cron entries.
 # Checks for lost+found and scans for mtab.
 rm -f /etc/cron.daily/standard
--- a/install-tools.sh
+++ b/install-tools.sh
@@ -0,0 +1,10 @@
 #!/bin/bash
 set -e
 dir=`dirname "$0"`
 cd "$dir"
 set -x
 cp tools/* /usr/local/bin/
 mkdir -p /usr/local/share/baseimage-docker
 cp image/insecure_key /usr/local/share/baseimage-docker/
 chmod 644 /usr/local/share/baseimage-docker/insecure_key
--- a/test/runner.sh
+++ b/test/runner.sh
@@ -0,0 +1,35 @@
 #!/bin/bash
 set -e
 function abort()
 {
 	echo "$@"
 	exit 1
 }
 function cleanup()
 {
 	echo " --> Stopping container"
 	docker stop $ID >/dev/null
 	docker rm $ID >/dev/null
 }
 PWD=`pwd`
 echo " --> Starting insecure container"
 ID=`docker run -d -v $PWD/test:/test $NAME:$VERSION /sbin/my_init --enable-insecure-key`
 sleep 1
 echo " --> Obtaining IP"
 IP=`docker inspect $ID | grep IPAddress | sed -e 's/.*: "//; s/".*//'`
 if [[ "$IP" = "" ]]; then
 	abort "Unable to obtain container IP"
 fi
 trap cleanup EXIT
 echo " --> Logging into container and running tests"
 chmod 600 image/insecure_key
 sleep 1 # Give container some more time to start up.
 ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i image/insecure_key root@$IP \
 	/bin/bash /test/test.sh
--- a/test/test.sh
+++ b/test/test.sh
@@ -0,0 +1,22 @@
 #!/bin/bash
 set -o pipefail
 function ok()
 {
 	echo "  OK"
 }
 function fail()
 {
 	echo "  FAIL"
 	exit 1
 }
 echo "Checking whether all services are running..."
 services=`sv status /etc/service/*`
 status=$?
 if [[ "$status" != 0 || "$services" = "" || "$services" =~ down ]]; then
 	fail
 else
 	ok
 fi
--- a/tools/docker-bash
+++ b/tools/docker-bash
@@ -0,0 +1,82 @@
 #!/bin/bash
 set -e
 set -o pipefail
 KNOWN_HOSTS_FILE=
 IP=
 function usage()
 {
 	echo "Usage: docker-bash <CONTAINER_ID> [COMMAND...]"
 	echo "Login to a Baseimage-based Docker container using SSH."
 	echo "If COMMAND is not given, opens an interactive shell."
 	echo "Otherwise, runs COMMAND inside the container."
 }
 function cleanup()
 {
 	local pids=`jobs -p`
 	if [[ "$pids" != "" ]]; then
 		kill $pids
 	fi
 	if [[ "$KNOWN_HOSTS_FILE" != "" ]]; then
 		rm -f "$KNOWN_HOSTS_FILE"
 	fi
 }
 if [[ $# = 0 ]]; then
 	usage
 	exit
 fi
 CONTAINER_ID="$1"
 shift
 trap cleanup EXIT
 if ! [[ -e ~/.baseimage_docker_insecure_key ]]; then
 	if [[ -e /usr/local/share/baseimage-docker/insecure_key ]]; then
 		cp /usr/local/share/baseimage-docker/insecure_key ~/.baseimage_docker_insecure_key
 	else
 		dir=`dirname "$0"`
 		dir=`cd "$dir/.." && pwd`
 		if [[ -e "$dir/image/insecure_key" ]]; then
 			cp "$dir/image/insecure_key" ~/.baseimage_docker_insecure_key
 		else
 			echo "*** ERROR ***: Baseimage-docker insecure key not found." >&2
 			echo "You probably didn't install docker-bash properly. Please reinstall it:" >&2
 			echo "" >&2
 			echo "  curl --fail -L -O https://github.com/phusion/baseimage-docker/archive/master.tar.gz && \\" >&2
 			echo "  tar xzf master.tar.gz && \\" >&2
 			echo "  sudo ./baseimage-docker-master/install-tools.sh" >&2
 			exit 1
 		fi
 	fi
 	chown "`whoami`": ~/.baseimage_docker_insecure_key
 	chmod 600 ~/.baseimage_docker_insecure_key
 fi
 KNOWN_HOSTS_FILE=`mktemp /tmp/docker-bash.XXXXXXXXX`
 IP=`docker inspect -f "{{ .NetworkSettings.IPAddress }}" "$CONTAINER_ID"`
 # Prevent SSH from warning about adding a host to the known_hosts file.
 ssh-keyscan "$IP" >"$KNOWN_HOSTS_FILE" 2>&1
 if ! ssh -i ~/.baseimage_docker_insecure_key \
 	-o UserKnownHostsFile="$KNOWN_HOSTS_FILE" \
 	-o StrictHostKeyChecking=no \
 	-o PasswordAuthentication=no \
 	-o KbdInteractiveAuthentication=no \
 	-o ChallengeResponseAuthentication=no \
 	"root@$IP" "$@"
 then
 	STATUS=$?
 	if [[ $# = 0 ]]; then
 		echo "----------------"
 		echo "It appears that login to the Docker container failed. This could be caused by the following reasons:"
 		echo "- The Docker container you're trying to login to is not based on Baseimage-docker. The docker-bash tool only works with Baseimage-docker-based containers."
 		echo "- You did not enable the the insecure key inside the container. Please read https://github.com/phusion/baseimage-docker/blob/master/README.md#login to learn how to enable the insecure key."
 	fi
 	exit $STATUS
 fi
`@@ -1 +1 @@`
	`ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVmzBG5v7cO9IScGLIzlhGlHNFhXzy87VfaPzru7qnIIdQ1e9FEKvtqEws8hVixnCUdviwX5lvcMk4Ef4Tbrmj3dyF0zFtYbjiTSyl/XQlF68DQlc2sTAdHy96wJHvh7ky511tKJzzyWwSqeef4WjeVK28TqcGnq1up0S7saFO0dJh6OfDAg2cDmhyweR3VgT0vZJyrDV7hte95MBCdK+Gp7fdCyEZcWm3S1DBFaeBqHzzt/Y/njAVKbYL9TIVPum8iMg0rMiLi9ShfP+dT5Xud5Oa3dcN2OWhiDfJw5pfhFJWd44cJ/uGRwQpvNs/PNKsYABhgLlTMUH4iawhu1Xb hongli@asuna-3939`	`ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVmzBG5v7cO9IScGLIzlhGlHNFhXzy87VfaPzru7qnIIdQ1e9FEKvtqEws8hVixnCUdviwX5lvcMk4Ef4Tbrmj3dyF0zFtYbjiTSyl/XQlF68DQlc2sTAdHy96wJHvh7ky511tKJzzyWwSqeef4WjeVK28TqcGnq1up0S7saFO0dJh6OfDAg2cDmhyweR3VgT0vZJyrDV7hte95MBCdK+Gp7fdCyEZcWm3S1DBFaeBqHzzt/Y/njAVKbYL9TIVPum8iMg0rMiLi9ShfP+dT5Xud5Oa3dcN2OWhiDfJw5pfhFJWd44cJ/uGRwQpvNs/PNKsYABhgLlTMUH4iawhu1Xb baseimage-docker-insecure-key`