Note release date

Fixed typo.

CONTRIBUTING.md

@@ -0,0 +1,5 @@
+Hey, thanks for wanting to contribute to baseimage-docker. :)
+
+If you have a question, please use the [discussion forum](https://groups.google.com/d/forum/passenger-docker). The Github issue tracker is only for **bug reports and feature requests**.
+
+If you want to develop baseimage-docker, use the Vagrantfile in the repository. It will setup an Ubuntu VM with Docker installed in it. Use the Makefile to build the image.

Changelog.md

@@ -1,3 +1,13 @@
+## 0.9.11 (release date: 2014-06-24)
+
+ * Introduced the `docker-bash` tool. This is a shortcut tool for logging into a container using SSH. Usage: `docker-bash <CONTAINER ID>`. See the README for details.
+ * Fixed various process waiting issues in `my_init`. Closes GH-27, GH-82 and GH-83. Thanks to André Luiz dos Santos and Paul Annesley.
+ * The `ca-certificates` package is now installed by default. This is because we include `apt-transport-https`, but Ubuntu 14.04 no longer installs `ca-certificates` by default anymore. Closes GH-73.
+ * Output print by Runit services are now redirected to the Docker logs instead of to proctitle. Thanks to Paul Annesley.
+ * Container environment variables are now made available to SSH root shells. If you login with SSH through a non-root account, then container environment variables are only made available if that user is a member of the `docker_env` group. Thanks to Bernard Potocki.
+ * `add-apt-repository` is now installed by default. Closes GH-74.
+ * Various minor fixes and contributions thanks to yebyen, John Eckhart, Christoffer Sawicki and Brant Fitzsimmons.
+
 ## 0.9.10 (release date: 2014-05-12)
 
  * Upgraded to Ubuntu 14.04 (Trusty). We will no longer release images based on 12.04.

Makefile

@@ -1,5 +1,5 @@
 NAME = phusion/baseimage
-VERSION = 0.9.10
+VERSION = 0.9.11
 
 .PHONY: all build test tag_latest release ssh
 
@@ -20,7 +20,7 @@ release: test tag_latest
 	@echo "*** Don't forget to create a tag. git tag rel-$(VERSION) && git push origin rel-$(VERSION)"
 
 ssh:
-	chmod 600 image/insecure_key.pub
+	chmod 600 image/insecure_key
 	@ID=$$(docker ps | grep -F "$(NAME):$(VERSION)" | awk '{ print $$1 }') && \
 		if test "$$ID" = ""; then echo "Container is not running."; exit 1; fi && \
 		IP=$$(docker inspect $$ID | grep IPAddr | sed 's/.*: "//; s/".*//') && \

README.md

@@ -50,6 +50,7 @@ You can configure the stock `ubuntu` image yourself from your Dockerfile, so why
      * [Using the insecure key for one container only](#using_the_insecure_key_for_one_container_only)
      * [Enabling the insecure key permanently](#enabling_the_insecure_key_permanently)
      * [Using your own key](#using_your_own_key)
+     * [The `docker-bash` tool](#docker_bash)
    * [Disabling SSH](#disabling_ssh)
  * [Building the image yourself](#building)
  * [Conclusion](#conclusion)
@@ -150,7 +151,7 @@ Note that the shell script must run the daemon **without letting it daemonize/fo
 
 The baseimage-docker init system, `/sbin/my_init`, runs the following scripts during startup, in the following order:
 
- * All executable scripts in `/etc/my_init.d`, if this directory exists. The scripts are run during in lexicographic order.
+ * All executable scripts in `/etc/my_init.d`, if this directory exists. The scripts are run in lexicographic order.
  * The script `/etc/rc.local`, if this file exists.
 
 All scripts must exit correctly, e.g. with exit code 0. If any script exits with a non-zero exit code, the booting will fail.
@@ -287,7 +288,9 @@ But note that:
 <a name="envvar_security"></a>
 #### Security
 
-Because environment variables can potentially contain sensitive information, `/etc/container_environment` and its Bash and JSON dumps are by default owned by root, and root-accessible only. If you are sure that your environment variables don't contain sensitive data, then you can relax the permissions on that directory and those files by making them world-readable:
+Because environment variables can potentially contain sensitive information, `/etc/container_environment` and its Bash and JSON dumps are by default owned by root, and accessible only by the `docker_env` group (so that any user added this group will have these variables automatically loaded).
+
+If you are sure that your environment variables don't contain sensitive data, then you can also relax the permissions on that directory and those files by making them world-readable:
 
     RUN chmod 755 /etc/container_environment
     RUN chmod 644 /etc/container_environment.sh /etc/container_environment.json
@@ -314,7 +317,7 @@ Find out the ID of the container that you just ran:
 
 Once you have the ID, look for its IP address with:
 
-    docker inspect <ID> | grep IPAddress
+    docker inspect -f "{{ .NetworkSettings.IPAddress }}" <ID>
 
 Now SSH into the container as follows:
 
@@ -352,12 +355,33 @@ Find out the ID of the container that you just ran:
 
 Once you have the ID, look for its IP address with:
 
-    docker inspect <ID> | grep IPAddress
+    docker inspect -f "{{ .NetworkSettings.IPAddress }}" <ID>
 
 Now SSH into the container as follows:
 
     ssh -i /path-to/your_key root@<IP address>
 
+<a name="docker_bash"></a>
+#### The `docker-bash` tool
+
+Looking up the IP of a container and running an SSH command quickly becomes tedious. Luckily, we provide the `docker-bash` tool which automates this process. This tool is to be run on the *Docker host*, not inside a Docker container.
+
+First, install the tool on the Docker host:
+
+    curl --fail -L -O https://github.com/phusion/baseimage-docker/archive/master.tar.gz && \
+    tar xzf master.tar.gz && \
+    sudo ./baseimage-docker-master/install-tools.sh
+
+Then run the tool as follows to login to a container using SSH:
+
+    docker-bash YOUR-CONTAINER-ID
+
+You can lookup `YOUR-CONTAINER-ID` by running `docker ps`.
+
+By default, `docker-bash` will open a Bash session. You can also tell it to run a command, and then exit:
+
+    docker-bash YOUR-CONTAINER-ID echo hello world
+
 
 <a name="building"></a>
 ## Building the image yourself

image/my_init

@@ -11,6 +11,8 @@ LOG_LEVEL_DEBUG = 3
 
 log_level = None
 
+terminated_child_processes = {}
+
 class AlarmException(Exception):
 	pass
 
@@ -73,6 +75,8 @@ def import_envvars(clear_existing_environment = True, override_existing_environm
 def export_envvars(to_dir = True):
 	shell_dump = ""
 	for name, value in os.environ.items():
+		if name in ['HOME', 'USER', 'GROUP', 'UID', 'GID', 'SHELL']:
+			continue
 		if to_dir:
 			with open("/etc/container_environment/" + name, "w") as f:
 				f.write(value)
@@ -95,19 +99,36 @@ def shquote(s):
 	# the string $'b is then quoted as '$'"'"'b'
 	return "'" + s.replace("'", "'\"'\"'") + "'"
 
+# Waits for the child process with the given PID, while at the same time
+# reaping any other child processes that have exited (e.g. adopted child
+# processes that have terminated).
 def waitpid_reap_other_children(pid):
+	global terminated_child_processes
+
+	status = terminated_child_processes.get(pid)
+	if status:
+		# A previous call to waitpid_reap_other_children(),
+		# with an argument not equal to the current argument,
+		# already waited for this process. Return the status
+		# that was obtained back then.
+		del terminated_child_processes[pid]
+		return status
+
 	done = False
 	status = None
-	try:
-		this_pid, status = os.waitpid(pid, os.WNOHANG)
-	except OSError as e:
-		if e.errno == errno.ECHILD or e.errno == errno.ESRCH:
-			return None
-		else:
-			raise
 	while not done:
-		this_pid, status = os.waitpid(-1, 0)
-		done = this_pid == pid
+		try:
+			this_pid, status = os.waitpid(-1, 0)
+			if this_pid == pid:
+				done = True
+			else:
+				# Save status for later.
+				terminated_child_processes[this_pid] = status
+		except OSError as e:
+			if e.errno == errno.ECHILD or e.errno == errno.ESRCH:
+				return None
+			else:
+				raise
 	return status
 
 def stop_child_process(name, pid, signo = signal.SIGTERM, time_limit = KILL_PROCESS_TIMEOUT):
@@ -200,7 +221,7 @@ def run_startup_files():
 def start_runit():
 	info("Booting runit daemon...")
 	pid = os.spawnl(os.P_NOWAIT, "/usr/bin/runsvdir", "/usr/bin/runsvdir",
-		"-P", "/etc/service", "log: %s" % ('.' * 395))
+		"-P", "/etc/service")
 	info("Runit started as PID %d" % pid)
 	return pid
 

image/prepare.sh

@@ -31,7 +31,10 @@ dpkg-divert --local --rename --add /usr/bin/ischroot
 ln -sf /bin/true /usr/bin/ischroot
 
 ## Install HTTPS support for APT.
-$minimal_apt_get_install apt-transport-https
+$minimal_apt_get_install apt-transport-https ca-certificates
+
+## Install add-apt-repository
+$minimal_apt_get_install software-properties-common
 
 ## Upgrade all packages.
 apt-get dist-upgrade -y --no-install-recommends

image/runit/syslog-ng

@@ -24,7 +24,7 @@ esac
 if [ ! -e /dev/xconsole ]
 then
   mknod -m 640 /dev/xconsole p
-  chown root:adm
+  chown root:adm /dev/xconsole
   [ -x /sbin/restorecon ] && /sbin/restorecon $XCONSOLE
 fi
 

image/system_services.sh

@@ -10,7 +10,11 @@ mkdir -p /etc/container_environment
 touch /etc/container_environment.sh
 touch /etc/container_environment.json
 chmod 700 /etc/container_environment
-chmod 600 /etc/container_environment.sh /etc/container_environment.json
+
+groupadd docker_env
+chown :docker_env /etc/container_environment.sh /etc/container_environment.json
+chmod 640 /etc/container_environment.sh /etc/container_environment.json
+ln -s /etc/container_environment.sh /etc/profile.d/
 
 ## Install runit.
 $minimal_apt_get_install runit

install-tools.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+set -e
+dir=`dirname "$0"`
+cd "$dir"
+
+set -x
+cp tools/* /usr/local/bin/
+mkdir -p /usr/local/share/baseimage-docker
+cp image/insecure_key /usr/local/share/baseimage-docker/
+chmod 644 /usr/local/share/baseimage-docker/insecure_key

tools/docker-bash

@@ -0,0 +1,82 @@
+#!/bin/bash
+set -e
+set -o pipefail
+
+KNOWN_HOSTS_FILE=
+IP=
+
+function usage()
+{
+	echo "Usage: docker-bash <CONTAINER_ID> [COMMAND...]"
+	echo "Login to a Baseimage-based Docker container using SSH."
+	echo "If COMMAND is not given, opens an interactive shell."
+	echo "Otherwise, runs COMMAND inside the container."
+}
+
+function cleanup()
+{
+	local pids=`jobs -p`
+	if [[ "$pids" != "" ]]; then
+		kill $pids
+	fi
+
+	if [[ "$KNOWN_HOSTS_FILE" != "" ]]; then
+		rm -f "$KNOWN_HOSTS_FILE"
+	fi
+}
+
+if [[ $# = 0 ]]; then
+	usage
+	exit
+fi
+
+CONTAINER_ID="$1"
+shift
+
+trap cleanup EXIT
+
+if ! [[ -e ~/.baseimage_docker_insecure_key ]]; then
+	if [[ -e /usr/local/share/baseimage-docker/insecure_key ]]; then
+		cp /usr/local/share/baseimage-docker/insecure_key ~/.baseimage_docker_insecure_key
+	else
+		dir=`dirname "$0"`
+		dir=`cd "$dir/.." && pwd`
+		if [[ -e "$dir/image/insecure_key" ]]; then
+			cp "$dir/image/insecure_key" ~/.baseimage_docker_insecure_key
+		else
+			echo "*** ERROR ***: Baseimage-docker insecure key not found." >&2
+			echo "You probably didn't install docker-bash properly. Please reinstall it:" >&2
+			echo "" >&2
+			echo "  curl --fail -L -O https://github.com/phusion/baseimage-docker/archive/master.tar.gz && \\" >&2
+			echo "  tar xzf master.tar.gz && \\" >&2
+			echo "  sudo ./baseimage-docker-master/install-tools.sh" >&2
+			exit 1
+		fi
+	fi
+	chown "`whoami`": ~/.baseimage_docker_insecure_key
+	chmod 600 ~/.baseimage_docker_insecure_key
+fi
+
+KNOWN_HOSTS_FILE=`mktemp /tmp/docker-bash.XXXXXXXXX`
+IP=`docker inspect -f "{{ .NetworkSettings.IPAddress }}" "$CONTAINER_ID"`
+
+# Prevent SSH from warning about adding a host to the known_hosts file.
+ssh-keyscan "$IP" >"$KNOWN_HOSTS_FILE" 2>&1
+
+if ! ssh -i ~/.baseimage_docker_insecure_key \
+	-o UserKnownHostsFile="$KNOWN_HOSTS_FILE" \
+	-o StrictHostKeyChecking=no \
+	-o PasswordAuthentication=no \
+	-o KbdInteractiveAuthentication=no \
+	-o ChallengeResponseAuthentication=no \
+	"root@$IP" "$@"
+then
+	STATUS=$?
+	if [[ $# = 0 ]]; then
+		echo "----------------"
+		echo "It appears that login to the Docker container failed. This could be caused by the following reasons:"
+		echo "- The Docker container you're trying to login to is not based on Baseimage-docker. The docker-bash tool only works with Baseimage-docker-based containers."
+		echo "- You did not enable the the insecure key inside the container. Please read https://github.com/phusion/baseimage-docker/blob/master/README.md#login to learn how to enable the insecure key."
+	fi
+	exit $STATUS
+fi