Note 0.9.16 release date

When uploading new release, run 'docker tag' with '-f'
Update documentation
2026-03-26 04:18:46 +00:00 · 2015-01-20 11:40:15 +01:00 · 2015-01-20 11:39:50 +01:00 · 2015-01-20 11:14:53 +01:00 · 2015-01-20 11:04:49 +01:00 · 2015-01-20 10:52:48 +01:00
23 changed files with 967 additions and 173 deletions
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -2,4 +2,6 @@ Hey, thanks for wanting to contribute to baseimage-docker. :)
 If you have a question, please use the [discussion forum](https://groups.google.com/d/forum/passenger-docker). The Github issue tracker is only for **bug reports and feature requests**.
-If you want to develop baseimage-docker, use the Vagrantfile in the repository. It will setup an Ubuntu VM with Docker installed in it. Use the Makefile to build the image.
+If you want to develop baseimage-docker, use the Vagrantfile in the repository. It will setup an Ubuntu VM with Docker installed in it. Use the Makefile to build the Docker image.
 All development happens on the `next` branch. The `master` branch is supposed to point to the latest stable release, because users read documentation from the `master` branch.
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,3 +1,38 @@
 ## 0.9.16 (release date: 2015-01-20)
 * `docker exec` is now the default and recommended mechanism for running commands in the container. SSH is now disabled by default, but is still supported for those cases where "docker exec" is not appropriate. Closes GH-168.
 * All syslog output is now forwarded to `docker logs`. Closes GH-123.
 * The workaround for Docker bug 2267 (the inability to modify /etc/hosts) has been removed, because it has been fixed upstream. Closes GH-155.
 * Logrotate now reloads syslog-ng properly. Closes GH-167.
 * Fixed some locale issues. Closes GH-178. Thanks to David J. M. Karlsen.
 * Fixed problems with cron. Closes GH-115.
 * Contribution by Bryan Bishop.
 ## 0.9.15 (release date: 2014-10-03)
 * Fixed the setuid bit on /usr/bin/sudo. This problem was caused by Docker bug #6828.
 ## 0.9.14 (release date: 2014-10-01)
 * Installed all the latest Ubuntu security updates. This patches Shellshock, among other things.
 * Some documentation updates by andreamtp.
 ## 0.9.13 (release date: 2014-08-22)
 * Fixed `my_init` not properly exiting with a non-zero exit status when Ctrl-C is pressed.
 * The GID of the `docker_env` group has been changed from 1000 to 8377, in order to avoid GID conflicts with any groups that you might want to introduce inside the container.
 * The syslog-ng socket is now deleted before starting the syslog-ng daemon, to avoid the daemon from failing to start due to garbage on the filesystem. Thanks to Kingdon Barrett. Closes GH-129.
 * Typo fixes by Arkadi Shishlov.
 ## 0.9.12 (release date: 2014-07-24)
 * We now officially support `nsenter` as an alternative way to login to the container. With official support, we mean that we've provided extensive documentation on how to use `nsenter`, as well as related convenience tools. However, because `nsenter` has various issues, and for backward compatibility reasons, we still support SSH. Please refer to the README for details about `nsenter`, and what the pros and cons are compared to SSH.
   * The `docker-bash` tool has been modified to use `nsenter` instead of SSH.
   * What was previously the `docker-bash` tool, has now been renamed to `docker-ssh`. It now also works on a regular sh shell too, instead of bash specifically.
 * Added a workaround for Docker's inability to modify /etc/hosts in the container ([Docker bug 2267](https://github.com/dotcloud/docker/issues/2267)). Please refer to the README for details.
 * Fixed an issue with SSH X11 forwarding. Thanks to Anatoly Bubenkov. Closes GH-105.
 * The init system now prints its own log messages to stderr. Thanks to mephi42. Closes GH-106.
 ## 0.9.11 (release date: 2014-06-24)
 * Introduced the `docker-bash` tool. This is a shortcut tool for logging into a container using SSH. Usage: `docker-bash <CONTAINER ID>`. See the README for details.
--- a/5
+++ b/5
@@ -1,5 +1,5 @@
 NAME = phusion/baseimage
-VERSION = 0.9.11
+VERSION = 0.9.16
 .PHONY: all build test tag_latest release ssh
@@ -12,10 +12,11 @@ test:
 	env NAME=$(NAME) VERSION=$(VERSION) ./test/runner.sh
 tag_latest:
-	docker tag $(NAME):$(VERSION) $(NAME):latest
+	docker tag -f $(NAME):$(VERSION) $(NAME):latest
 release: test tag_latest
 	@if ! docker images $(NAME) | awk '{ print $$2 }' | grep -q -F $(VERSION); then echo "$(NAME) version $(VERSION) is not yet built. Please run 'make build'"; false; fi
 	@if ! head -n 1 Changelog.md | grep -q 'release date'; then echo 'Please note the release date in Changelog.md.' && false; fi
 	docker push $(NAME)
 	@echo "*** Don't forget to create a tag. git tag rel-$(VERSION) && git push origin rel-$(VERSION)"
--- a/README.md
+++ b/README.md
@@ -1,12 +1,18 @@
 # A minimal Ubuntu base image modified for Docker-friendliness
-Baseimage-docker is a special [Docker](http://www.docker.io) image that is configured for correct use within Docker containers. It is Ubuntu, plus modifications for Docker-friendliness. You can use it as a base for your own Docker images.
+Baseimage-docker is a special [Docker](https://www.docker.com) image that is configured for correct use within Docker containers. It is Ubuntu, plus:
-Baseimage-docker is available for pulling from [the Docker registry](https://index.docker.io/u/phusion/baseimage/)!
+ * Modifications for Docker-friendliness.
 * Administration tools that are especially useful in the context of Docker.
 * Mechanisms for easily running multiple processes, [without violating the Docker philosophy](#docker_single_process).
 You can use it as a base for your own Docker images.
 Baseimage-docker is available for pulling from [the Docker registry](https://registry.hub.docker.com/u/phusion/baseimage/)!
 ### What are the problems with the stock Ubuntu base image?
-Ubuntu is not designed to be run inside docker. Its init system, Upstart, assumes that it's running on either real hardware or virtualized hardware, but not inside a Docker container. But inside a container you don't want a full system anyway, you want a minimal system. But configuring that minimal system for use within a container has many strange corner cases that are hard to get right if you are not intimately familiar with the Unix system model. This can cause a lot of strange problems.
+Ubuntu is not designed to be run inside Docker. Its init system, Upstart, assumes that it's running on either real hardware or virtualized hardware, but not inside a Docker container. But inside a container you don't want a full system anyway, you want a minimal system. But configuring that minimal system for use within a container has many strange corner cases that are hard to get right if you are not intimately familiar with the Unix system model. This can cause a lot of strange problems.
 Baseimage-docker gets everything right. The "Contents" section describes all the things that it modifies.
@@ -35,23 +41,29 @@ You can configure the stock `ubuntu` image yourself from your Dockerfile, so why
 * [What's inside the image?](#whats_inside)
   * [Overview](#whats_inside_overview)
   * [Wait, I thought Docker is about running a single process in a container?](#docker_single_process)
   * [Does Baseimage-docker advocate "fat containers" or "treating containers as VMs"?](#fat_containers)
 * [Inspecting baseimage-docker](#inspecting)
 * [Using baseimage-docker as base image](#using)
   * [Getting started](#getting_started)
   * [Adding additional daemons](#adding_additional_daemons)
   * [Running scripts during container startup](#running_startup_scripts)
   * [Running a one-shot command in the container](#oneshot)
   * [Environment variables](#environment_variables)
     * [Centrally defining your own environment variables](#envvar_central_definition)
     * [Environment variable dumps](#envvar_dumps)
     * [Modifying environment variables](#modifying_envvars)
     * [Security](#envvar_security)
-   * [Login to the container via SSH](#login)
+ * [Container administration](#container_administration)
   * [Running a one-shot command in a new container](#oneshot)
   * [Running a command in an existing, running container](#run_inside_existing_container)
   * [Login to the container via `docker exec`](#login_docker_exec)
     * [Usage](#docker_exec)
   * [Login to the container via SSH](#login_ssh)
     * [Enabling SSH](#enabling_ssh)
     * [About SSH keys](#ssh_keys)
     * [Using the insecure key for one container only](#using_the_insecure_key_for_one_container_only)
     * [Enabling the insecure key permanently](#enabling_the_insecure_key_permanently)
     * [Using your own key](#using_your_own_key)
-     * [The `docker-bash` tool](#docker_bash)
+     * [The `docker-ssh` tool](#docker_ssh)
   * [Disabling SSH](#disabling_ssh)
 * [Building the image yourself](#building)
 * [Conclusion](#conclusion)
@@ -70,9 +82,9 @@ You can configure the stock `ubuntu` image yourself from your Dockerfile, so why
 | Ubuntu 14.04 LTS | The base system. |
 | A **correct** init process | According to the Unix process model, [the init process](https://en.wikipedia.org/wiki/Init) -- PID 1 -- inherits all [orphaned child processes](https://en.wikipedia.org/wiki/Orphan_process) and must [reap them](https://en.wikipedia.org/wiki/Wait_(system_call)). Most Docker containers do not have an init process that does this correctly, and as a result their containers become filled with [zombie processes](https://en.wikipedia.org/wiki/Zombie_process) over time. <br><br>Furthermore, `docker stop` sends SIGTERM to the init process, which is then supposed to stop all services. Unfortunately most init systems don't do this correctly within Docker since they're built for hardware shutdowns instead. This causes processes to be hard killed with SIGKILL, which doesn't give them a chance to correctly deinitialize things. This can cause file corruption. <br><br>Baseimage-docker comes with an init process `/sbin/my_init` that performs both of these tasks correctly. |
 | Fixes APT incompatibilities with Docker | See https://github.com/dotcloud/docker/issues/1024. |
-| syslog-ng | A syslog daemon is necessary so that many services - including the kernel itself - can correctly log to /var/log/syslog. If no syslog daemon is running, a lot of important messages are silently swallowed. <br><br>Only listens locally. |
+| syslog-ng | A syslog daemon is necessary so that many services - including the kernel itself - can correctly log to /var/log/syslog. If no syslog daemon is running, a lot of important messages are silently swallowed. <br><br>Only listens locally. All syslog messages are forwarded to "docker logs". |
 | logrotate | Rotates and compresses logs on a regular basis. |
-| ssh server | Allows you to easily login to your container to inspect or administer things. <br><br>Password and challenge-response authentication are disabled by default. Only key authentication is allowed.<br><br>SSH access can be easily disabled if you so wish. Read on for instructions. |
+| SSH server | Allows you to easily login to your container to [inspect or administer](#login_ssh) things. <br><br>_SSH is **disabled by default** and is only one of the methods provided by baseimage-docker for this purpose. The other method is through [docker exec](#login_docker_exec). SSH is also provided as an alternative because `docker exec` comes with several caveats._<br><br>Password and challenge-response authentication are disabled by default. Only key authentication is allowed. |
 | cron | The cron daemon must be running for cron jobs to work. |
 | [runit](http://smarden.org/runit/) | Replaces Ubuntu's Upstart. Used for service supervision and management. Much easier to use than SysV init and supports restarting daemons when they crash. Much easier to use and more lightweight than Upstart. |
 | `setuser` | A tool for running a command as another user. Easier to use than `su`, has a smaller attack vector than `sudo`, and unlike `chpst` this tool sets `$HOME` correctly. Available as `/sbin/setuser`. |
@@ -82,16 +94,31 @@ Baseimage-docker is very lightweight: it only consumes 6 MB of memory.
 <a name="docker_single_process"></a>
 ### Wait, I thought Docker is about running a single process in a container?
-Absolutely not true. Docker runs fine with multiple processes in a container. In fact, there is no technical reason why you should limit yourself to one process - it only makes things harder for you and breaks all kinds of essential system functionality, e.g. syslog.
+The Docker developers advocate the philosophy of running a single *logical service* per container. A logical service can consist of multiple OS processes.
-Baseimage-docker *encourages* multiple processes through the use of runit.
+Baseimage-docker only advocates running multiple OS processes inside a single container. We believe this makes sense because at the very least it would solve [the PID 1 problem](#whats_inside_overview) and the "syslog blackhole" problem. By running multiple processes, we solve very real Unix OS-level problems, with minimal overhead and without turning the container into multiple logical services.
 Splitting your logical service into multiple OS processes also makes sense from a security standpoint. By running processes as different users, you can limit the impact of vulnerabilities. Baseimage-docker provides tools to encourage running processes as different users, e.g. the `setuser` tool.
 Do we advocate running multiple *logical services* in a single container? Not necessarily, but we do not prohibit it either. While the Docker developers are very opinionated and have very rigid philosophies about how containers *should* be built, Baseimage-docker is completely unopinionated. We believe in freedom: sometimes it makes sense to run multiple services in a single container, and sometimes it doesn't. It is up to you to decide what makes sense, not the Docker developers.
 <a name="fat_containers"></a>
 ### Does Baseimage-docker advocate "fat containers" or "treating containers as VMs"?
 There are people who are under the impression that Baseimage-docker advocates treating containers as VMs, because of the fact that Baseimage-docker advocates the use of multiple processes. Therefore they are also under the impression that Baseimage-docker does not follow the Docker philosophy. Neither of these impressions are true.
 The Docker developers advocate running multiple *logical services* inside a single container. But we are not disputing that. Baseimage-docker advocates running multiple *OS processes* inside a single container, and a single logical service can consist of multiple OS processes.
 It follows from this that Baseimage-docker also does not deny the Docker philosophy. In fact, many of the modifications we introduce are explicitly in line with the Docker philosophy. For example, using environment variables to pass parameters to containers is very much the "Docker way", and provide [a mechanism to easily work with environment variables](#environment_variables) in the presence of multiple processes that may run as different users.
 <a name="inspecting"></a>
 ## Inspecting baseimage-docker
 To look around in the image, run:
-    docker run --rm -t -i phusion/baseimage /sbin/my_init -- bash -l
+    docker run --rm -t -i phusion/baseimage:<VERSION> /sbin/my_init -- bash -l
 where `<VERSION>` is [one of the baseimage-docker version numbers](https://github.com/phusion/baseimage-docker/blob/master/Changelog.md).
 You don't have to download anything manually. The above command will automatically pull the baseimage-docker image from the Docker registry.
@@ -112,11 +139,6 @@ The image is called `phusion/baseimage`, and is available on the Docker registry
    # Set correct environment variables.
    ENV HOME /root
    # Regenerate SSH host keys. baseimage-docker does not contain any, so you
    # have to do that yourself. You may also comment out this instruction; the
    # init system will auto-generate one during boot.
    RUN /etc/my_init.d/00_regen_ssh_host_keys.sh
    # Use baseimage-docker's init system.
    CMD ["/sbin/my_init"]
@@ -132,7 +154,7 @@ You can add additional daemons (e.g. your own app) to the image by creating runi
 The shell script must be called `run`, must be executable, and is to be placed in the directory `/etc/service/<NAME>`.
-Here's an example showing you how a memached server runit entry can be made.
+Here's an example showing you how a memcached server runit entry can be made.
    ### In memcached.sh (make sure this file is chmod +x):
    #!/bin/sh
@@ -166,50 +188,6 @@ The following example shows how you can add a startup script. This script simply
    RUN mkdir -p /etc/my_init.d
    ADD logtime.sh /etc/my_init.d/logtime.sh
 <a name="oneshot"></a>
 ### Running a one-shot command in the container
 Normally, when you want to run a single command in a container, and exit immediately after the command, you invoke Docker like this:
    docker run YOUR_IMAGE COMMAND ARGUMENTS...
 However the downside of this approach is that the init system is not started. That is, while invoking `COMMAND`, important daemons such as cron and syslog are not running. Also, orphaned child processes are not properly reaped, because `COMMAND` is PID 1.
 Baseimage-docker provides a facility to run a single one-shot command, while solving all of the aforementioned problems. Run a single command in the following manner:
    docker run YOUR_IMAGE /sbin/my_init -- COMMAND ARGUMENTS ...
 This will perform the following:
 * Runs all system startup files, such as /etc/my_init.d/* and /etc/rc.local.
 * Starts all runit services.
 * Runs the specified command.
 * When the specified command exits, stops all runit services.
 For example:
    $ docker run phusion/baseimage:<VERSION> /sbin/my_init -- ls
    *** Running /etc/my_init.d/00_regen_ssh_host_keys.sh...
    No SSH host key available. Generating one...
    Creating SSH2 RSA key; this may take some time ...
    Creating SSH2 DSA key; this may take some time ...
    Creating SSH2 ECDSA key; this may take some time ...
    *** Running /etc/rc.local...
    *** Booting runit daemon...
    *** Runit started as PID 80
    *** Running ls...
    bin  boot  dev  etc  home  image  lib  lib64  media  mnt  opt  proc  root  run  sbin  selinux  srv  sys  tmp  usr  var
    *** ls exited with exit code 0.
    *** Shutting down runit daemon (PID 80)...
    *** Killing all processes...
 You may find that the default invocation is too noisy. Or perhaps you don't want to run the startup files. You can customize all this by passing arguments to `my_init`. Invoke `docker run YOUR_IMAGE /sbin/my_init --help` for more information.
 The following example runs `ls` without running the startup files and with less messages, while running all runit services:
    $ docker run phusion/baseimage:<VERSION> /sbin/my_init --skip-startup-files --quiet -- ls
    bin  boot  dev  etc  home  image  lib  lib64  media  mnt  opt  proc  root  run  sbin  selinux  srv  sys  tmp  usr  var
 <a name="environment_variables"></a>
 ### Environment variables
@@ -295,12 +273,126 @@ If you are sure that your environment variables don't contain sensitive data, th
    RUN chmod 755 /etc/container_environment
    RUN chmod 644 /etc/container_environment.sh /etc/container_environment.json
-<a name="login"></a>
+<a name="container_administration"></a>
-### Login to the container via SSH
+## Container administration
-You can use SSH to login to any container that is based on baseimage-docker.
+One of the ideas behind Docker is that containers should be stateless, easily restartable, and behave like a black box. However, you may occasionally encounter situations where you want to login to a container, or to run a command inside a container, for development, inspection and debugging purposes. This section describes how you can administer the container for those purposes.
-The first thing that you need to do is to ensure that you have the right SSH keys installed inside the container. By default, no keys are installed, so you can't login. For convenience reasons, we provide [a pregenerated, insecure key](https://github.com/phusion/baseimage-docker/blob/master/image/insecure_key) [(PuTTY format)](https://github.com/phusion/baseimage-docker/blob/master/image/insecure_key.ppk) that you can easily enable. However, please be aware that using this key is for convenience only. It does not provide any security because this key (both the public and the private side) is publicly available. **In production environments, you should use your own keys**.
+<a name="oneshot"></a>
 ### Running a one-shot command in a new container
 _**Note:** This section describes how to run a command insider a -new- container. To run a command inside an existing running container, see [Running a command in an existing, running container](#run_inside_existing_container)._
 Normally, when you want to create a new container in order to run a single command inside it, and immediately exit after the command exits, you invoke Docker like this:
    docker run YOUR_IMAGE COMMAND ARGUMENTS...
 However the downside of this approach is that the init system is not started. That is, while invoking `COMMAND`, important daemons such as cron and syslog are not running. Also, orphaned child processes are not properly reaped, because `COMMAND` is PID 1.
 Baseimage-docker provides a facility to run a single one-shot command, while solving all of the aforementioned problems. Run a single command in the following manner:
    docker run YOUR_IMAGE /sbin/my_init -- COMMAND ARGUMENTS ...
 This will perform the following:
 * Runs all system startup files, such as /etc/my_init.d/* and /etc/rc.local.
 * Starts all runit services.
 * Runs the specified command.
 * When the specified command exits, stops all runit services.
 For example:
    $ docker run phusion/baseimage:<VERSION> /sbin/my_init -- ls
    *** Running /etc/rc.local...
    *** Booting runit daemon...
    *** Runit started as PID 80
    *** Running ls...
    bin  boot  dev  etc  home  image  lib  lib64  media  mnt  opt  proc  root  run  sbin  selinux  srv  sys  tmp  usr  var
    *** ls exited with exit code 0.
    *** Shutting down runit daemon (PID 80)...
    *** Killing all processes...
 You may find that the default invocation is too noisy. Or perhaps you don't want to run the startup files. You can customize all this by passing arguments to `my_init`. Invoke `docker run YOUR_IMAGE /sbin/my_init --help` for more information.
 The following example runs `ls` without running the startup files and with less messages, while running all runit services:
    $ docker run phusion/baseimage:<VERSION> /sbin/my_init --skip-startup-files --quiet -- ls
    bin  boot  dev  etc  home  image  lib  lib64  media  mnt  opt  proc  root  run  sbin  selinux  srv  sys  tmp  usr  var
 <a name="run_inside_existing_container"></a>
 ### Running a command in an existing, running container
 There are two ways to run a command inside an existing, running container.
 * Through the `docker exec` tool. This is builtin Docker tool, available since Docker 1.4. Internally, it uses Linux kernel system calls in order to execute a command within the context of a container. Learn more in [Login to the container, or running a command inside it, via `docker exec`](#login_docker_exec).
 * Through SSH. This approach requires running an SSH daemon inside the container, and requires you to setup SSH keys. Learn more in [Login to the container, or running a command inside it, via SSH](#login_ssh).
 Both way have their own pros and cons, which you can learn in their respective subsections.
 <a name="login_docker_exec"></a>
 ### Login to the container, or running a command inside it, via `docker exec`
 You can use the `docker exec` tool on the Docker host OS to login to any container that is based on baseimage-docker. You can also use it to run a command inside a running container. `docker exec` works by using Linux kernel system calls.
 Here's how it compares to [using SSH to login to the container or to run a command inside it](#login_ssh):
 * Pros
   * Does not require running an SSH daemon inside the container.
   * Does not require setting up SSH keys.
   * Works on any container, even containers not based on baseimage-docker.
 * Cons
   * If the `docker exec` process on the host is terminated by a signal (e.g. with the `kill` command or even with Ctrl-C), then the command that is executed by `docker exec` is *not* killed and cleaned up. You will either have to do that manually, or you have to run `docker exec` with `-t -i`.
   * Requires privileges on the Docker host to be able to access the Docker daemon. Note that anybody who can access the Docker daemon effectively has root access.
   * Not possible to allow users to login to the container without also letting them login to the Docker host.
 <a name="docker_exec_usage"></a>
 #### Usage
 Start a container:
    docker run YOUR_IMAGE
 Find out the ID of the container that you just ran:
    docker ps
 Now that you have the ID, you can use `docker exec` to run arbitrary commands in the container. For example, to run `echo hello world`:
    docker exec YOUR-CONTAINER-ID echo hello world
 To open a bash session inside the container, you must pass `-t -i` so that a terminal is available:
    docker exec -t -i YOUR-CONTAINER-ID bash -l
 <a name="login_ssh"></a>
 ### Login to the container, or running a command inside it, via SSH
 You can use SSH to login to any container that is based on baseimage-docker. You can also use it to run a command inside a running container.
 Here's how it compares to [using `docker exec` to login to the container or to run a command inside it](#login_docker_exec):
 * Pros
   * Does not require root privileges on the Docker host.
   * Allows you to let users login to the container, without letting them login to the Docker host. However, this is not enabled by default because baseimage-docker does not expose the SSH server to the public Internet by default.
 * Cons
   * Requires setting up SSH keys. However, baseimage-docker makes this easy for many cases through a pregenerated, insecure key. Read on to learn more.
 <a name="enabling_ssh"></a>
 #### Enabling SSH
 Baseimage-docker disables the SSH server by default. Add the following to your Dockerfile to enable it:
    RUN rm -f /etc/service/sshd/down
    # Regenerate SSH host keys. baseimage-docker does not contain any, so you
    # have to do that yourself. You may also comment out this instruction; the
    # init system will auto-generate one during boot.
    RUN /etc/my_init.d/00_regen_ssh_host_keys.sh
 <a name="ssh_keys"></a>
 #### About SSH keys
 First, you must ensure that you have the right SSH keys installed inside the container. By default, no keys are installed, so nobody can login. For convenience reasons, we provide [a pregenerated, insecure key](https://github.com/phusion/baseimage-docker/blob/master/image/insecure_key) [(PuTTY format)](https://github.com/phusion/baseimage-docker/blob/master/image/insecure_key.ppk) that you can easily enable. However, please be aware that using this key is for convenience only. It does not provide any security because this key (both the public and the private side) is publicly available. **In production environments, you should use your own keys**.
 <a name="using_the_insecure_key_for_one_container_only"></a>
 #### Using the insecure key for one container only
@@ -319,16 +411,22 @@ Once you have the ID, look for its IP address with:
    docker inspect -f "{{ .NetworkSettings.IPAddress }}" <ID>
-Now SSH into the container as follows:
+Now that you have the IP address, you can use SSH to login to the container, or to execute a command inside it:
    # Download the insecure private key
    curl -o insecure_key -fSL https://github.com/phusion/baseimage-docker/raw/master/image/insecure_key
    chmod 600 insecure_key
    # Login to the container
    ssh -i insecure_key root@<IP address>
    # Running a command inside the container
    ssh -i insecure_key root@<IP address> echo hello world
 <a name="enabling_the_insecure_key_permanently"></a>
 #### Enabling the insecure key permanently
-It is also possible to enable the insecure key in the image permanently. This is not generally recommended, but it suitable for e.g. temporary development or demo environments where security does not matter.
+It is also possible to enable the insecure key in the image permanently. This is not generally recommended, but is suitable for e.g. temporary development or demo environments where security does not matter.
 Edit your Dockerfile to install the insecure key permanently:
@@ -339,11 +437,11 @@ Instructions for logging in the container is the same as in section [Using the i
 <a name="using_your_own_key"></a>
 #### Using your own key
-Edit your Dockerfile to install an SSH key:
+Edit your Dockerfile to install an SSH public key:
    ## Install an SSH of your choice.
-    ADD your_key /tmp/your_key
+    ADD your_key.pub /tmp/your_key.pub
-    RUN cat /tmp/your_key >> /root/.ssh/authorized_keys && rm -f /tmp/your_key
+    RUN cat /tmp/your_key.pub >> /root/.ssh/authorized_keys && rm -f /tmp/your_key.pub
 Then rebuild your image. Once you have that, start a container based on that image:
@@ -357,14 +455,18 @@ Once you have the ID, look for its IP address with:
    docker inspect -f "{{ .NetworkSettings.IPAddress }}" <ID>
-Now SSH into the container as follows:
+Now that you have the IP address, you can use SSH to login to the container, or to execute a command inside it:
    # Login to the container
    ssh -i /path-to/your_key root@<IP address>
-<a name="docker_bash"></a>
+    # Running a command inside the container
-#### The `docker-bash` tool
+    ssh -i /path-to/your_key root@<IP address> echo hello world
-Looking up the IP of a container and running an SSH command quickly becomes tedious. Luckily, we provide the `docker-bash` tool which automates this process. This tool is to be run on the *Docker host*, not inside a Docker container.
+<a name="docker_ssh"></a>
 #### The `docker-ssh` tool
 Looking up the IP of a container and running an SSH command quickly becomes tedious. Luckily, we provide the `docker-ssh` tool which automates this process. This tool is to be run on the *Docker host*, not inside a Docker container.
 First, install the tool on the Docker host:
@@ -374,13 +476,13 @@ First, install the tool on the Docker host:
 Then run the tool as follows to login to a container using SSH:
-    docker-bash YOUR-CONTAINER-ID
+    docker-ssh YOUR-CONTAINER-ID
 You can lookup `YOUR-CONTAINER-ID` by running `docker ps`.
-By default, `docker-bash` will open a Bash session. You can also tell it to run a command, and then exit:
+By default, `docker-ssh` will open a Bash session. You can also tell it to run a command, and then exit:
-    docker-bash YOUR-CONTAINER-ID echo hello world
+    docker-ssh YOUR-CONTAINER-ID echo hello world
 <a name="building"></a>
@@ -407,12 +509,6 @@ If you want to call the resulting image something else, pass the NAME variable,
    make build NAME=joe/baseimage
 <a name="disabling_ssh"></a>
 ### Disabling SSH
 In case you do not want to enable SSH, here's how you can disable it:
    RUN rm -rf /etc/service/sshd /etc/my_init.d/00_regen_ssh_host_keys.sh
 <a name="conclusion"></a>
 ## Conclusion
--- a/README_ZH_cn_.md
+++ b/README_ZH_cn_.md
@@ -0,0 +1,570 @@
 # 小巧玲珑的ubuntu镜像
 **This translation was last updated October 24, 2014.**
 Baseimage-docker是一个特殊的 [Docker](https://www.docker.com) 镜像，可以很优雅的将它用于docker镜像。相对于 Ubuntu, 有这些新增：
 * 修改之后，可以很友好的使用docker
 * 修复了一些docker的bug [some Docker bugs](#workaroud_modifying_etc_hosts).
 * 很有用的管理员工具
 你可以用它作为你自己的基础docker镜像。
 Baseimage-docker 可以从[the Docker registry](https://registry.hub.docker.com/u/phusion/baseimage/)获取到!
 ### 原生的ubuntu基础镜像有什么问题呢？
 原生ubuntu不是设计为运行docker的。它是假设运行到真实硬件或者虚拟硬件上的，但不是docker容器。你运行docker容器，不需要一个完整的系统，你需要一个小巧的系统。如果你不熟悉unix系统，那么配制出来的精简系统会有很奇怪的问题。这样就可以导致很多奇奇怪怪的问题。
 Baseimage-docker 将错误都修正了。在"内容"部分,可以看到哪些内容修改过了.
 <a name="why_use"></a>
 ### 为什么使用 baseimage-docker?
 你可以用原生`ubuntu`镜像作为你的Dockerfile,那为什么又麻烦的使用baseimage-docker呢?
 * 配置一个友好的基础镜像不是一个简单的任务.正如之前提到的,会很有的坑在里面.当你处理那些坑之后,你又重复造了一个baseimage-docker.使用baseimage-docker会拯救你的努力.
 * 它减少了一个写正确Dockerfile文件的时间.你不用担心基础系统,你可以专注你的业务和你的项目.
 * 它减少了运行`docker build`的时间,让你更快的迭代Dockerfile.
 * 它减少了多次下载的时间.Docker只需要下载一次基础镜像:在第一次部署的时候.在之后的部署中,只需要对你最近的基础镜像进行修改.
 -----------------------------------------
 **相关资源**
  [Website](http://phusion.github.io/baseimage-docker/) |
  [Github](https://github.com/phusion/baseimage-docker) |
  [Docker registry](https://index.docker.io/u/phusion/baseimage/) |
  [Discussion forum](https://groups.google.com/d/forum/passenger-docker) |
  [Twitter](https://twitter.com/phusion_nl) |
  [Blog](http://blog.phusion.nl/)
 **Table of contents**
 **目录**
 * [镜像里面包含什么?](#whats_inside)
   * [概述](#whats_inside_overview)
   * [等等,我认为docker在一个容器中只能允许一个进程?](#docker_single_process)
 * [细细看看baseimage-docker](#inspecting)
 * [用baseimage-docker作为基础镜像](#using)
   * [开始](#getting_started)
   * [增加后台进行](#adding_additional_daemons)
   * [在启动容器过程中允许脚本](#running_startup_scripts)
   * [环境变量](#environment_variables)
     * [集中定义你自己的环境变量](#envvar_central_definition)
     * [保存环境变量](#envvar_dumps)
     * [修改环境变量](#modifying_envvars)
     * [安全性](#envvar_security)
   * [解决docker没有办法修改/etc/hosts的问题](#workaroud_modifying_etc_hosts)
   * [禁用ssh](#disabling_ssh)
 * [容器管理](#container_administration)
   * [在一个新容器中运行单条命令](#oneshot)
   * [在正在运行的的容器中运行命令](#run_inside_existing_container)
   * [通过nsenter登录容器](#login_nsenter)
     * [用法](#nsenter_usage)
     * [`docker-bash`工具](#docker_bash)
   * [使用ssh登录容器](#login_ssh)
     * [在容器中使用不安全的key](#using_the_insecure_key_for_one_container_only)
     * [支持长久不变的不安全的key](#enabling_the_insecure_key_permanently)
     * [使用你自己的key](#using_your_own_key)
     * [`docker-ssh`工具](#docker_ssh)
 * [构建你自己的镜像](#building)
 * [总结](#conclusion)
 -----------------------------------------
 <a name="whats_inside"></a>
 ## 镜像里面包含什么?
 <a name="whats_inside_overview"></a>
 ### 概述
 *想看一个完整的基础镜像?这里有一个包含Ruby,Python Node.js and Meteor的.可以看看[passenger-docker](https://github.com/phusion/passenger-docker).*
 | 模块        | 包含什么 / 备注 |
 | ---------------- | ------------------- |
 | Ubuntu 14.04 LTS | 基础系统. |
 | 一个**正确**的初始化进程  | 根据Unix进程模型,[初始化进程](https://en.wikipedia.org/wiki/Init) -- PID 1 -- 继承了所有[孤立的子进行],并且必须[监控他们](https://en.wikipedia.org/wiki/Wait_(system_call)).大多数Docker容器没有一个正确的初始化进程,结果是他们的容器就出现了大量的[僵尸进程](https://en.wikipedia.org/wiki/Zombie_process).<br><br>此外,`docker stop`发送终止信号给初始化进程,然后停止所有的服务进程.不幸的是,由于他们主机关闭了容器,大多初始系统没有正确运行.<br><br>Baseimage-docker包含了一个初始进程`/sbin/my_init`,来正确的执行这些任务. |
 | 修复了APT 与docker不兼容的问题 | See https://github.com/dotcloud/docker/issues/1024. |
 | 修复某些Docker bugs | [Learn more.](#workaroud_modifying_etc_hosts) |
 | syslog-ng | 必须要有一个监控很多服务的系统日志进程,包括内核本身,以便可以正确的输出日志到/var/log/syslog.如果没有后台日志进程,那么很多重要的信息就会丢失了.<br><br>只监听本地服务. |
 | logrotate | logrotate 程序是一个日志文件管理工具,可以定期转存和压缩日志. |
 | SSH server | 允许你可以很容易的登录到你的容器中进行[管理](#login_ssh).<br><br>_baseimage-docker提供了一个SSH的方法.还有其他方法,比如通过[nsenter](#login_nsenter).SSH提供了一个方法,因为nsenter还有很多的问题._<br><br>通过密码和challenge-response的方式,默认是禁用的.只有通过key认证的方式是允许的.<br><br>如果你想禁用SSH访问的方式,禁用也是很容易的.可以阅读下面的说明. |
 | cron | 定时任务进程保证定时任务的运行. |
 | [runit](http://smarden.org/runit/) | 替代Ubuntu的Upstart. 用于监控服务和管理.比SysV init更容易使用,同时支持当有服务挂掉之后,重启这些服务.比Upstart更易使用,也更加的轻量级. |
 | `setuser` |使用另一个用户运行命令的工具,比`su`更容易使用,减少使用`sudo`的安全性,不像使用`chpst`,需要正确的设置`$HOME`.`/sbin/setuser`这样使用就可以了. |
 Baseimage-docker is very lightweight: it only consumes 6 MB of memory.
 Baseimage-docker是非常轻量级的:仅仅小号6MB内存.
 <a name="docker_single_process"></a>
 ### 等等,我认为Docker在一个容器中就运行一个进程吗?
 绝对不是这样的. 在一个docker容器中,运行多个进程也是很好的. 事实上,没有什么技术原因限制你只运行一个进程,运行很多的进程,只会把容器中系统的基本功能搞的更乱,比如syslog.
 Baseimage-docker *鼓励* 通过runit来运行多进程.
 <a name="inspecting"></a>
 ## 检测一下baseimage-docker
 要检测镜像,执行下面的命令:
    docker run --rm -t -i phusion/baseimage:<VERSION> /sbin/my_init -- bash -l
 `<VERSION>` 是[baseimage-docker的版本号](https://github.com/phusion/baseimage-docker/blob/master/Changelog.md).
 你不用手动去下载任何文件.上面的命令会自动从docker仓库下载baseimage-docker镜像.
 <a name="using"></a>
 ## 使用baseimage-docker作为基础镜像
 <a name="getting_started"></a>
 ### 入门指南
 The image is called `phusion/baseimage`, and is available on the Docker registry.
 镜像名字叫`phusion/baseimage`,在Docker仓库上也是可用的.
 下面的这个是一个Dockerfile的模板.
 	# 使用phusion/baseimage作为基础镜像,去构建你自己的镜像,需要下载一个明确的版本,千万不要使用`latest`.
 	# 查看https://github.com/phusion/baseimage-docker/blob/master/Changelog.md,可用看到版本的列表.
 	FROM phusion/baseimage:<VERSION>
 	# 设置正确的环境变量.
 	ENV HOME /root
 	# 生成SSH keys,baseimage-docker不包含任何的key,所以需要你自己生成.你也可以注释掉这句命令,系统在启动过程中,会生成一个.
 	RUN /etc/my_init.d/00_regen_ssh_host_keys.sh
 	# 初始化baseimage-docker系统
 	CMD ["/sbin/my_init"]
 	# 这里可以放置你自己需要构建的命令
 	# 当完成后,清除APT.
 	RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 <a name="adding_additional_daemons"></a>
 ### 增加后台进程
 你可以通过runit工具向你的镜像中添加后台进程(例如:你自己的某些应用).你需要编写一个运行你需要的后台进程的脚步就可以了,runit工具会保证它的正常运行,如果进程死掉,runit也会重启它的.
 脚本的名称必须是`run`,必须是可以运行的,它需要放到`/etc/service/<NAME>`.
 这里有一个例子,向你展示如果运行memcached服务的.
 	### memcached.sh(确定文件的权限是chmod +x):
 	#!/bin/sh
 	# `/sbin/setuser memcache` 指定一个`memcache`用户来运行命令.如果你忽略了这部分,就会使用root用户执行.
 	exec /sbin/setuser memcache /usr/bin/memcached >>/var/log/memcached.log 2>&1
 	### 在Dockerfile中:
    RUN mkdir /etc/service/memcached
    ADD memcached.sh /etc/service/memcached/run
 注意脚本必须运行在后台的,**不能让他们进程进行daemonize/fork**.通常,后台进程会提供一个标志位或者配置文件.
 <a name="running_startup_scripts"></a>
 ### 在容器启动的时候,运行脚本.
 baseimage-docker的初始化脚本 `/sbin/my_init`,在启动的时候进程运行,按照下面的顺序:
 * 如果`/etc/my_init.d`存在,则按照字母顺序执行脚本.
 * 如果`/etc/rc.local`存在,则执行里面的脚本.
 所有的脚本都是正确退出的,例如:退出的code是0.如果有任何脚本以非0的code退出,启动就会失败.
 下面的例子向你展示了怎么添加一个启动脚本.这个脚本很简单的记录的一个系统启动时间,将启动时间记录到/tmp/boottime.txt.
    ### 在 logtime.sh (文件权限chmod +x):
    #!/bin/sh
    date > /tmp/boottime.txt
    ### 在 Dockerfile中:
    RUN mkdir -p /etc/my_init.d
    ADD logtime.sh /etc/my_init.d/logtime.sh
 <a name="environment_variables"></a>
 ### 环境变量
 如果你使用`/sbin/my_init`作为主容器命令,那么通过`docker run --env`或者在Dockerfile文件中设置的`ENV`环境变量,都会被`my_init`读取.
 * 在Unix系统中,环境变量都会被子进程给继承.这就意味着,子进程不可能修改环境变量或者修改其他进程的环境变量.
 * 由于上面提到的一点,这里没有一个可以为所有应用和服务集中定义环境的地方.Debian提供了一个`/etc/environment` 文件,解决一些问题.
 * 某些服务更改环境变量是为了给子进程使用.Nginx有这样的一个例子:它移除了所有的环境变量,除非你通过`env`进行了配置,明确了某些是保留的.如果你部署了任何应用在Nginx镜像(例如:使用[passenger-docker](https://github.com/phusion/passenger-docker)镜像或者使用Phusion Passenger作为你的镜像.),那么你通过Docker,你不会看到任何环境变量.
 `my_init`提供了一个办法来解决这些问题.
 <a name="envvar_central_definition"></a>
 #### 集中定义你的环境变量
 在启动的时候,在执行[startup scripts](#running_startup_scripts),`my_init`会从`/etc/container_environment`导入环境变量.这个文件夹下面,包含的文件,文件被命名为环境变量的名字.文件内容就是环境变量的值.这个文件夹是因此是一个集中定义你的环境变量的好地方,它会继承到所有启动项目和Runit管理的服务中.
 给个例子,在你的dockerfile如何定义一个环境变量:
    RUN echo Apachai Hopachai > /etc/container_environment/MY_NAME
 你可以按照下面这样验证:
    $ docker run -t -i <YOUR_NAME_IMAGE> /sbin/my_init -- bash -l
    ...
    *** Running bash -l...
    # echo $MY_NAME
    Apachai Hopachai
 **换行处理**
 如果你观察仔细一点,你会注意到'echo'命令,实际上在它是在新行打印出来的.为什么$MY_NAME没有包含在一行呢? 因为`my_init`在尾部有个换行字符.如果你打算让你的值包含一个新行,你需要增*另外*一个新字符,像这样:
    RUN echo -e "Apachai Hopachai\n" > /etc/container_environment/MY_NAME
 <a name="envvar_dumps"></a>
 #### 环境变量存储
 上面提到集中定义环境变量,它不会从子服务进程改变父服务进程或者重置环境变量.而且,`my_init`也会很容易的让你查询到原始的环境变量是什么.
 在启动的时候,`/etc/container_environment`, `my_init`中的变量会存储起来,并且导入到环境变量中,例如一下的格式:
 * `/etc/container_environment`
 * `/etc/container_environment.sh`- 一个bash存储的环境变量格式.你可以从这个命令中得到base格式的文件.
 * `/etc/container_environment.json` - 一个json格式存储的环境变量格式.
 多种格式可以让你不管采用什么语言/apps都可以很容易使用环境变量.
 这里有个例子,展示怎么使用:
    $ docker run -t -i \
      --env FOO=bar --env HELLO='my beautiful world' \
      phusion/baseimage:<VERSION> /sbin/my_init -- \
      bash -l
    ...
    *** Running bash -l...
    # ls /etc/container_environment
    FOO  HELLO  HOME  HOSTNAME  PATH  TERM  container
    # cat /etc/container_environment/HELLO; echo
    my beautiful world
    # cat /etc/container_environment.json; echo
    {"TERM": "xterm", "container": "lxc", "HOSTNAME": "f45449f06950", "HOME": "/root", "PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "FOO": "bar", "HELLO": "my beautiful world"}
    # source /etc/container_environment.sh
    # echo $HELLO
    my beautiful world
 <a name="modifying_envvars"></a>
 #### 修改环境变量
 通过修改`/etc/container_environment`这个文件,很有可能修改了`my_init`中的环境变量.之后,每次`my_init`启动[启动脚本](#running_startup_scripts),就会重置掉我们自己`/etc/container_environment`中的环境变量,也就会导致`container_environment.sh`和`container_environment.json`重新存储.
 但是记住这些:
 * 修改`container_environment.sh` 和 `container_environment.json`是没有效果的.
 * Runit 的服务是不能像这样修改环境变量的.`my_init`运行的时候,只对`/etc/container_environment`中的修改是生效的.
 <a name="envvar_security"></a>
 #### 安全
 因为环境变量可能包含敏感信息, `/etc/container_environment`和它的bash文件和JSON文件,默认都是root,都是可以被`docker_env`群组可以访问的(所以任何用户只要添加到群组中,都可以自动的获取这些信息).
 如果你确定你的环境变量中没有什么敏感信息,那么你可以放松管理权限,将文件夹和文件分配下面的权限:
    RUN chmod 755 /etc/container_environment
    RUN chmod 644 /etc/container_environment.sh /etc/container_environment.json
 <a name="workaroud_modifying_etc_hosts"></a>
 ### 解决Docker没有办法解决的/etc/hosts的问题
 当前是没有办法在docker容器中修改`/etc/hosts`,这个是因为[Docker bug 2267](https://github.com/dotcloud/docker/issues/2267).Baseimage-docker包含了解决这个问题的办法,你必须明白是怎么修改的.
 修改的办法包含在系统库中的` libnss_files.so.2`文件,这个文件使用`/etc/workaround-docker-2267/hosts`来代替系统使用`/etc/hosts`.如果需要修改`/etc/hosts`,你只要修改`/etc/workaround-docker-2267/hosts`就可以了.
 增加这个修改到你的Dockerfile.下面的命令修改了文件`libnss_files.so.2`.
    RUN /usr/bin/workaround-docker-2267
 (其实你不用在Dockerfile文件中运行这个命令,你可以在容器中运行一个shell就可以了.)
 验证一下它是否生效了,[在你的容器中打开一个shell](#inspecting),修改`/etc/workaround-docker-2267/hosts`,检查一下是否生效了:
    bash# echo 127.0.0.1 my-test-domain.com >> /etc/workaround-docker-2267/hosts
    bash# ping my-test-domain.com
    ...should ping 127.0.0.1...
 **注意apt-get升级:** 如果Ubuntu升级,就有可能将`libnss_files.so.2`覆盖掉,那么修改就会失效.你必须重新运行`/usr/bin/workaround-docker-2267`.为了安全一点,你应该在运行`apt-get upgrade`之后,运行一下这个命令.
 <a name="disabling_ssh"></a>
 ### 禁用SSH
 Baseimage-docker默认是支持SSH的,所以可以[使用SSH](#login_ssh)来[管理你的容器](#container_administration).万一你不想支持SSH,你可以只要禁用它:
    RUN rm -rf /etc/service/sshd /etc/my_init.d/00_regen_ssh_host_keys.sh
 <a name="container_administration"></a>
 ## 容器管理
 一个优秀的docker想法,就是docker是一个无状态的,容易启动的容器,就想一个黑盒子.然而,你可能遇到某种情况,需要登录到容器,或者运行命令在容器中.或者为了开发,需要查看或者debug的目的.这章就给你讲解怎么管理容器.
 <a name="oneshot"></a>
 ### 在一个新容器中运行一个一闪而过的命令
 _**备注:** 这章讲解怎么在一个-新-容器中运行命令.要在一个存在的容器中运行命令,请查看[在一个存在的容器中,运行一个命令](#run_inside_existing_container)._
 正常情况下,当你创建了一个新容器,为了在容器中运行一个单独的命令,而且在运行之后会立即退出的,你会这样调用docker命令:
    docker run YOUR_IMAGE COMMAND ARGUMENTS...
 然而下面的方法初始化系统的进行是不会启动.它是这样的,当调用`COMMAND`的时候,重要的后台进程,例如定时任务和系统日志都是不运行的.同样,子进程也是不会出现的,因为`COMMAND`的pid是1.
 Baseimage-docker提供了一个灵活的方式运行只要一闪而过的命令,同时也解决了上述所说的问题.以一下的方式运行一条命令:
    docker run YOUR_IMAGE /sbin/my_init -- COMMAND ARGUMENTS ...
 他们会按照下面的流程执行:
 * 运行所有的启动文件,例如 /etc/my_init.d/* and /etc/rc.local.
 * 运行所有的runit服务
 * 运行指定的命令
 * 运行指定的命令结束之后,结束所有runit服务.
 例如:
    $ docker run phusion/baseimage:<VERSION> /sbin/my_init -- ls
    *** Running /etc/my_init.d/00_regen_ssh_host_keys.sh...
    No SSH host key available. Generating one...
    Creating SSH2 RSA key; this may take some time ...
    Creating SSH2 DSA key; this may take some time ...
    Creating SSH2 ECDSA key; this may take some time ...
    *** Running /etc/rc.local...
    *** Booting runit daemon...
    *** Runit started as PID 80
    *** Running ls...
    bin  boot  dev  etc  home  image  lib  lib64  media  mnt  opt  proc  root  run  sbin  selinux  srv  sys  tmp  usr  var
    *** ls exited with exit code 0.
    *** Shutting down runit daemon (PID 80)...
    *** Killing all processes...
 你会发现默认的启动的流程太负责.或者你不希望执行启动文件.你可以自定义所有通过给`my_init`增加参数.调用`docker run YOUR_IMAGE /sbin/my_init --help`可以看到帮助信息.
 例如上面运行`ls`命令,同时要求不运行启动脚本,减少信息打印,运行runit所有命令.
    $ docker run phusion/baseimage:<VERSION> /sbin/my_init --skip-startup-files --quiet -- ls
    bin  boot  dev  etc  home  image  lib  lib64  media  mnt  opt  proc  root  run  sbin  selinux  srv  sys  tmp  usr  var
 <a name="run_inside_existing_container"></a>
 ### 在一个已经运行的容器中,运行一条命令
 这里有两种办法去在一个已经运行的容器中运行命令.
 * 通过`nseneter`工具.这个工具用于Linux内核调用在内嵌容器中运行命令.可以查看[通过`nsenter`,登录容器或者在容器内执行命令](#login_nsenter).
 * 通过SSH.这种办法需要在容器中运行ssh服务,而且需要你创建自己的sshkey.可以查看[通过`ssh`,登录容器或者在容器内执行命令](#login_ssh).
 两种方法都是他们各自的优点和确定,你可以学习他们各自的章节来了他们.
 <a name="login_nsenter"></a>
 ### 通过`nsenter`,登录容器或者在容器内执行命令
 你可以使用在docker主机上面的`nsenter`工具,来登录任何基于baseimage-docker的docker容器.你可以使用它在你的容器中运行命令.
 这里有个和[通过`ssh`,登录容器或者在容器内执行命令](#login_ssh)的优缺点的比较:
 * 优点
   * 不需要在容器中运行ssh服务.
   * 不需要ssh key.
   * 运行在任何容器上,甚至不是基于baseimage-docker的容器.
 * 缺点
   * 通过`nsenter`运行的进程会和正常运行稍微有不同.例如,他们不同结束掉在容器中正常运行的进程.这适用于所有的子进程.
   * 如果`nsenter`进程被其他命令(如`kill`命令)给终止,然后由nsenter所执行的命令,是*不会*被结束的.你将不得不手动清理.(备注:终端控制命令像Ctrl-C *会* 清理所有的子进程,因为终端信号被发送到所有流程的终端会话)
   * 需要学习新工具.
   * 需要在docker主机上面提供root权限.
   * 需要在docker主机上面是可用的.在写这篇文字的时候(2014年7月),大多数linux发行版没有加载它.然而,baseimage-docker提供了预编译的二进制文件,允许你通过[docker-bash](#docker_bash)工具,来很容易的使用它.
   * 不可能没有登录到docker主机,就登录到docker容器中.(也就是说,你必须登录到docker主机,通过docker主机登录到容器.)
 <a name="nsenter_usage"></a>
 #### 用例
 第一,确定`nsenter`已经安装了.在写这篇文字的时候(2014年7月),大多数linux发行版没有加载它.然而,baseimage-docker提供了预编译的二进制文件,允许你通过[docker-bash](#docker_bash)工具,让任何人都可以使用.
 接着,启动一个容器.
    docker run YOUR_IMAGE
 找出你刚才运行容器的`ID`.
    docker ps
 一旦拥有容器的id,找到运行容器的主要进程额`PID`.
    docker inspect -f "{{ .State.Pid }}" <ID>
 现在你有的容器的主进程的PID,就可以使用`nsenter`来登录容器,或者在容器里面执行命令:
    # 登录容器
    nsenter --target <MAIN PROCESS PID> --mount --uts --ipc --net --pid bash -l
    # 在容器中执行命令
    nsenter --target <MAIN PROCESS PID> --mount --uts --ipc --net --pid -- echo hello world
 <a name="docker_bash"></a>
 #### `docker-bash`工具
 查找一个容器的主要进程的PID和输入这么长的nsenter命令很快会变得乏味无论.幸运的是,我们提供了一个`docker-bash` 工具,它可以自动完成只要的工具.这个工具是运行在*docker主机*上面,不是在docker容器中.
 该工具还附带了一个预编译的二进制`nsenter`,这样你不需要自己安装`nsenter`了.`docker-bash`是很简单的使用的.
 首先,在docker主机上安装这个工具:
    curl --fail -L -O https://github.com/phusion/baseimage-docker/archive/master.tar.gz && \
    tar xzf master.tar.gz && \
    sudo ./baseimage-docker-master/install-tools.sh
 运行这个工具登录到容器中:
    docker-bash YOUR-CONTAINER-ID
 你可以通过`docker ps`来查找你的容器ID.
 默认,`docker-bash`会打开一个bash 回话.你可以告诉运行什么命令,之后就会自动退出:
    docker-bash YOUR-CONTAINER-ID echo hello world
 <a name="login_ssh"></a>
 ### 通过`ssh`,登录容器或者在容器内执行命令
 你可以使用ssh来登录任何基于baseimage-docker的容器.你可以使用它在容器中执行命令.
 这里有个和[通过`nsenter`,登录容器或者在容器内执行命令](#login_nsenter)的优缺点的比较:
 * 优点
   * 不像`nsenter`一样,运行在docker主机上面.几乎每个人都会安装一个ssh客户端.
   * 不想使用`nsenter`,运行的进程和正在的进程会不一样.
   * 不需要docker主机提供root权限.
   * 运行你让用户登录到容器,而不需要登录到docker主机.然而,默认这是不启用的,因为baseimage-docker默认不是开放ssh服务的.
 *　缺点
   * 需要设置ssh key.然而,baseimage-docker会提供一中办法,会让key的生成会很容器.阅读更多信息.
 第一件事情,就是你需要确定你在容器中已经安装设置了ssh key. 默认,没有任何安装key的,所有你无法登录.为了方便的原因,我们提供了一个[已经生成的key](https://github.com/phusion/baseimage-docker/blob/master/image/insecure_key) [(PuTTY format)](https://github.com/phusion/baseimage-docker/blob/master/image/insecure_key.ppk),为了让你使用方便.然后,请注意这个key仅仅是为方便.他没有任何安全行,因为它的key是在网络上提供的.**在生产环境,你必须使用你自己的key.**
 <a name="using_the_insecure_key_for_one_container_only"></a>
 #### 在容器中使用key
 你可以临时的使用key仅仅作为容器使用.这就以为这key是安装在容器上的.如果你使用`docker stop`和`docker start`控制容器,那么key是在容器中,但是如果你使用`docker run`开启一个新容器,那么这个容器是不包含key的.
 启动新容器包含key`--enable-insecure-key`:
    docker run YOUR_IMAGE /sbin/my_init --enable-insecure-key
 找出你的刚才运行的容器的ID:
    docker ps
 一旦你拥有容器的ID,就能找到容器使用的IP地址:
    docker inspect -f "{{ .NetworkSettings.IPAddress }}" <ID>
 现在你有得了IP地址,你就看通过SSH来登录容器,或者在容器中执行命令了:
    # 下载key
    curl -o insecure_key -fSL https://github.com/phusion/baseimage-docker/raw/master/image/insecure_key
    chmod 600 insecure_key
    # 登录容器
    ssh -i insecure_key root@<IP address>
    # 在容器中执行命令
    ssh -i insecure_key root@<IP address> echo hello world
 <a name="enabling_the_insecure_key_permanently"></a>
 #### 支持一个长久的key
 在一个长久存在的镜像中支持一个key是很可能的.一般是不推荐这么做,但是对于临时开始或者做demo演示,对安全要求不高,还是很合适的.
 编辑你的dockerfile,来安装永久的key:
    RUN /usr/sbin/enable_insecure_key
 在容器中怎么使用,同[在容器中使用key](#using_the_insecure_key_for_one_container_only)的章节说的一样.
 <a name="using_your_own_key"></a>
 #### 使用你自己的key
 编辑你的dockerfile,来安装ssh public key:
    ## 安装你自己的public key.
    ADD your_key.pub /tmp/your_key.pub
    RUN cat /tmp/your_key.pub >> /root/.ssh/authorized_keys && rm -f /tmp/your_key.pub
 重新创建你的镜像.一旦你创建成功,启动基于这个镜像的容器.
    docker run your-image-name
 找出你的刚才运行的容器的ID:
    docker ps
 一旦你拥有容器的ID,就能找到容器使用的IP地址:
    docker inspect -f "{{ .NetworkSettings.IPAddress }}" <ID>
 现在你有得了IP地址,你就看通过SSH来登录容器,或者在容器中执行命令了:
    # 登录容器
    ssh -i /path-to/your_key root@<IP address>
    # 在容器中执行命令
    ssh -i /path-to/your_key root@<IP address> echo hello world
 <a name="docker_ssh"></a>
 #### `docker-ssh`工具
 找到容器的IP,运行ssh命令,很快会变得乏味无聊.幸运的是,我们提供了一个`docker-ssh`,可以自动完成这些事情.这个工具是运行在*Docker 主机*上的,不是安装在docker容器中的.
 首先,在docker主机上面安装这个工具.
    curl --fail -L -O https://github.com/phusion/baseimage-docker/archive/master.tar.gz && \
    tar xzf master.tar.gz && \
    sudo ./baseimage-docker-master/install-tools.sh
 使用这个工具通过ssh登录容器:
    docker-ssh YOUR-CONTAINER-ID
 你可以使用`docker ps`找到`YOUR-CONTAINER-ID`.
 默认,`docker-bash`会打开一个bash 回话.你可以告诉运行什么命令,之后就会自动退出:
    docker-ssh YOUR-CONTAINER-ID echo hello world
 <a name="building"></a>
 ## 创建你自己的镜像
 如果某些原因,你需要创建你自己的镜像,来替代从docker仓库下载镜像,可以按照的说明.
 克隆仓库:
    git clone https://github.com/phusion/baseimage-docker.git
    cd baseimage-docker
 创建一个包含docker在的虚拟机.你可以使用我们提供的Vagrantfile.
    vagrant up
    vagrant ssh
    cd /vagrant
 编译镜像:
    make build
 如果你想把创建的镜像名字,叫其他名字,通过`NAME`变量可以设置:
    make build NAME=joe/baseimage
 <a name="conclusion"></a>
 ## 总结
 * Using baseimage-docker? [Tweet about us](https://twitter.com/share) or [follow us on Twitter](https://twitter.com/phusion_nl).
 * Having problems? Want to participate in development? Please post a message at [the discussion forum](https://groups.google.com/d/forum/passenger-docker).
 * Looking for a more complete base image, one that is ideal for Ruby, Python, Node.js and Meteor web apps? Take a look at [passenger-docker](https://github.com/phusion/passenger-docker).
 [<img src="http://www.phusion.nl/assets/logo.png">](http://www.phusion.nl/)
 Please enjoy baseimage-docker, a product by [Phusion](http://www.phusion.nl/). :-)
--- a/image/00_regen_ssh_host_keys.sh
+++ b/image/00_regen_ssh_host_keys.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 set -e
-if [[ ! -e /etc/ssh/ssh_host_rsa_key ]]; then
+if [[ ! -e /etc/service/sshd/down && ! -e /etc/ssh/ssh_host_rsa_key ]] || [[ "$1" == "-f" ]]; then
 	echo "No SSH host key available. Generating one..."
 	export LC_ALL=C
 	export DEBIAN_FRONTEND=noninteractive
--- a/image/Dockerfile
+++ b/image/Dockerfile
@@ -2,7 +2,6 @@ FROM ubuntu:14.04
 MAINTAINER Phusion <info@phusion.nl>
 ENV HOME /root
 RUN mkdir /build
 ADD . /build
 RUN /build/prepare.sh && \
--- a/image/bin/enable_insecure_key
+++ b/image/bin/enable_insecure_key
--- a/image/bin/my_init
+++ b/image/bin/my_init
@@ -22,15 +22,15 @@ def error(message):
 def warn(message):
 	if log_level >= LOG_LEVEL_WARN:
-		print("*** %s" % message)
+		sys.stderr.write("*** %s\n" % message)
 def info(message):
 	if log_level >= LOG_LEVEL_INFO:
-		print("*** %s" % message)
+		sys.stderr.write("*** %s\n" % message)
 def debug(message):
 	if log_level >= LOG_LEVEL_DEBUG:
-		print("*** %s" % message)
+		sys.stderr.write("*** %s\n" % message)
 def ignore_signals_and_raise_keyboard_interrupt(signame):
 	signal.signal(signal.SIGTERM, signal.SIG_IGN)
@@ -287,6 +287,7 @@ def main(args):
 					info("%s exited with status %d." % (args.main_command[0], exit_status))
 			except KeyboardInterrupt:
 				stop_child_process(args.main_command[0], pid)
 				raise
 			except BaseException as s:
 				warn("An error occurred. Aborting.")
 				stop_child_process(args.main_command[0], pid)
--- a/image/bin/setuser
+++ b/image/bin/setuser
--- a/image/config/logrotate_syslogng
+++ b/image/config/logrotate_syslogng
@@ -0,0 +1,38 @@
 /var/log/syslog
 {
 	rotate 7
 	daily
 	missingok
 	notifempty
 	delaycompress
 	compress
 	postrotate
 		sv reload syslog-ng > /dev/null
 	endscript
 }
 /var/log/mail.info
 /var/log/mail.warn
 /var/log/mail.err
 /var/log/mail.log
 /var/log/daemon.log
 /var/log/kern.log
 /var/log/auth.log
 /var/log/user.log
 /var/log/lpr.log
 /var/log/cron.log
 /var/log/debug
 /var/log/messages
 {
 	rotate 4
 	weekly
 	missingok
 	notifempty
 	compress
 	delaycompress
 	sharedscripts
 	postrotate
 		sv reload syslog-ng > /dev/null
 		sv restart cron-log-forwarder > /dev/null
 	endscript
 }
--- a/image/config/sshd_config
+++ b/image/config/sshd_config
@@ -84,8 +84,8 @@ ChallengeResponseAuthentication no
 #GSSAPIStrictAcceptorCheck yes
 #GSSAPIKeyExchange no
-# Set this to 'yes' to enable PAM authentication, account processing, 
+# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will 
+# and session processing. If this is enabled, PAM authentication will
 # be allowed through the ChallengeResponseAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
 # PAM authentication via ChallengeResponseAuthentication may bypass
@@ -101,7 +101,7 @@ ChallengeResponseAuthentication no
 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
 #GatewayPorts no
-#X11Forwarding no
+X11Forwarding yes
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PrintMotd yes
@@ -130,6 +130,3 @@ Subsystem	sftp	/usr/lib/openssh/sftp-server
 #	X11Forwarding no
 #	AllowTcpForwarding no
 #	ForceCommand cvs server
 # XAuthLocation added by XQuartz (http://xquartz.macosforge.org)
 XAuthLocation /opt/X11/bin/xauth
--- a/image/prepare.sh
+++ b/image/prepare.sh
@@ -4,7 +4,9 @@ source /build/buildconfig
 set -x
 ## Temporarily disable dpkg fsync to make building faster.
-echo force-unsafe-io > /etc/dpkg/dpkg.cfg.d/02apt-speedup
+if [[ ! -e /etc/dpkg/dpkg.cfg.d/docker-apt-speedup ]]; then
 	echo force-unsafe-io > /etc/dpkg/dpkg.cfg.d/docker-apt-speedup
 fi
 ## Prevent initramfs updates from trying to run grub and lilo.
 ## https://journal.paul.querna.org/articles/2013/10/15/docker-ubuntu-on-rackspace/
@@ -42,3 +44,6 @@ apt-get dist-upgrade -y --no-install-recommends
 ## Fix locale.
 $minimal_apt_get_install language-pack-en
 locale-gen en_US
 update-locale LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8
 echo -n en_US.UTF-8 > /etc/container_environment/LANG
 echo -n en_US.UTF-8 > /etc/container_environment/LC_CTYPE
--- a/image/runit/syslog-forwarder
+++ b/image/runit/syslog-forwarder
@@ -0,0 +1,2 @@
 #!/bin/sh
 exec tail -f -n 0 /var/log/syslog
--- a/image/runit/syslog-ng
+++ b/image/runit/syslog-ng
@@ -5,6 +5,7 @@ set -e
 # e.g. because of the issue documented at https://github.com/phusion/baseimage-docker/pull/25,
 # then we remove it.
 if [ ! -S /dev/log ]; then rm -f /dev/log; fi
 if [ ! -S /var/lib/syslog-ng/syslog-ng.ctl ]; then rm -f /var/lib/syslog-ng/syslog-ng.ctl; fi
 SYSLOGNG_OPTS=""
--- a/image/system_services.sh
+++ b/image/system_services.sh
@@ -4,14 +4,14 @@ source /build/buildconfig
 set -x
 ## Install init process.
-cp /build/my_init /sbin/
+cp /build/bin/my_init /sbin/
 mkdir -p /etc/my_init.d
 mkdir -p /etc/container_environment
 touch /etc/container_environment.sh
 touch /etc/container_environment.json
 chmod 700 /etc/container_environment
-groupadd docker_env
+groupadd -g 8377 docker_env
 chown :docker_env /etc/container_environment.sh /etc/container_environment.json
 chmod 640 /etc/container_environment.sh /etc/container_environment.json
 ln -s /etc/container_environment.sh /etc/profile.d/
@@ -25,17 +25,25 @@ mkdir /etc/service/syslog-ng
 cp /build/runit/syslog-ng /etc/service/syslog-ng/run
 mkdir -p /var/lib/syslog-ng
 cp /build/config/syslog_ng_default /etc/default/syslog-ng
 touch /var/log/syslog
 chmod u=rw,g=r,o= /var/log/syslog
 # Replace the system() source because inside Docker we
 # can't access /proc/kmsg.
 sed -i -E 's/^(\s*)system\(\);/\1unix-stream("\/dev\/log");/' /etc/syslog-ng/syslog-ng.conf
 ## Install syslog to "docker logs" forwarder.
 mkdir /etc/service/syslog-forwarder
 cp /build/runit/syslog-forwarder /etc/service/syslog-forwarder/run
 ## Install logrotate.
 $minimal_apt_get_install logrotate
 cp /build/config/logrotate_syslogng /etc/logrotate.d/syslog-ng
 ## Install the SSH server.
 $minimal_apt_get_install openssh-server
 mkdir /var/run/sshd
 mkdir /etc/service/sshd
 touch /etc/service/sshd/down
 cp /build/runit/sshd /etc/service/sshd/run
 cp /build/config/sshd_config /etc/ssh/sshd_config
 cp /build/00_regen_ssh_host_keys.sh /etc/my_init.d/
@@ -48,11 +56,12 @@ cp /build/insecure_key.pub /etc/insecure_key.pub
 cp /build/insecure_key /etc/insecure_key
 chmod 644 /etc/insecure_key*
 chown root:root /etc/insecure_key*
-cp /build/enable_insecure_key /usr/sbin/
+cp /build/bin/enable_insecure_key /usr/sbin/
 ## Install cron daemon.
 $minimal_apt_get_install cron
 mkdir /etc/service/cron
 chmod 600 /etc/crontab
 cp /build/runit/cron /etc/service/cron/run
 ## Remove useless cron entries.
--- a/image/utilities.sh
+++ b/image/utilities.sh
@@ -7,4 +7,4 @@ set -x
 $minimal_apt_get_install curl less nano vim psmisc
 ## This tool runs a command as another user and sets $HOME.
-cp /build/setuser /sbin/setuser
+cp /build/bin/setuser /sbin/setuser
--- a/install-tools.sh
+++ b/install-tools.sh
@@ -1,10 +1,12 @@
-#!/bin/bash
+#!/bin/sh
 set -e
 dir=`dirname "$0"`
 cd "$dir"
 set -x
-cp tools/* /usr/local/bin/
+cp tools/docker-bash /usr/local/bin/
 cp tools/docker-ssh /usr/local/bin/
 cp tools/baseimage-docker-nsenter /usr/local/bin/
 mkdir -p /usr/local/share/baseimage-docker
 cp image/insecure_key /usr/local/share/baseimage-docker/
 chmod 644 /usr/local/share/baseimage-docker/insecure_key
--- a/test/runner.sh
+++ b/test/runner.sh
@@ -28,8 +28,15 @@ fi
 trap cleanup EXIT
 echo " --> Enabling SSH in the container"
 docker exec -t -i $ID /etc/my_init.d/00_regen_ssh_host_keys.sh -f
 docker exec -t -i $ID rm /etc/service/sshd/down
 docker exec -t -i $ID sv start /etc/service/sshd
 sleep 1
 echo " --> Logging into container and running tests"
-chmod 600 image/insecure_key
+cp image/insecure_key /tmp/insecure_key
 chmod 600 /tmp/insecure_key
 sleep 1 # Give container some more time to start up.
-ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i image/insecure_key root@$IP \
+ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i /tmp/insecure_key root@$IP \
 	/bin/bash /test/test.sh
--- a/tools/README.md
+++ b/tools/README.md
@@ -0,0 +1 @@
 baseimage-docker-nsenter is the nsenter tool taken from https://github.com/jpetazzo/nsenter, commit 10ce18a7a32. It has been stripped in order to make it smaller.
--- a/tools/baseimage-docker-nsenter
+++ b/tools/baseimage-docker-nsenter
--- a/tools/docker-bash
+++ b/tools/docker-bash
@@ -1,31 +1,18 @@
-#!/bin/bash
+#!/bin/sh
 set -e
 set -o pipefail
-KNOWN_HOSTS_FILE=
+SELFDIR=`dirname "$0"`
-IP=
+SELFDIR=`cd "$SELFDIR" && pwd`
-function usage()
+usage()
 {
 	echo "Usage: docker-bash <CONTAINER_ID> [COMMAND...]"
-	echo "Login to a Baseimage-based Docker container using SSH."
+	echo "Login to a Baseimage-based Docker container using nsenter." \
-	echo "If COMMAND is not given, opens an interactive shell."
+		"If COMMAND is not given, opens an interactive shell." \
-	echo "Otherwise, runs COMMAND inside the container."
+		"Otherwise, runs COMMAND inside the container."
 }
-function cleanup()
+if test $# = 0; then
 {
 	local pids=`jobs -p`
 	if [[ "$pids" != "" ]]; then
 		kill $pids
 	fi
 	if [[ "$KNOWN_HOSTS_FILE" != "" ]]; then
 		rm -f "$KNOWN_HOSTS_FILE"
 	fi
 }
 if [[ $# = 0 ]]; then
 	usage
 	exit
 fi
@@ -33,50 +20,10 @@ fi
 CONTAINER_ID="$1"
 shift
-trap cleanup EXIT
+PID=`docker inspect -f "{{ .State.Pid }}" "$CONTAINER_ID"`
-
+if test $# = 0; then
-if ! [[ -e ~/.baseimage_docker_insecure_key ]]; then
+	exec "$SELFDIR/baseimage-docker-nsenter" --target "$PID" --mount --uts --ipc --net --pid -- /bin/bash -l
-	if [[ -e /usr/local/share/baseimage-docker/insecure_key ]]; then
+else
-		cp /usr/local/share/baseimage-docker/insecure_key ~/.baseimage_docker_insecure_key
+	exec "$SELFDIR/baseimage-docker-nsenter" --target "$PID" --mount --uts --ipc --net --pid -- "$@"
 	else
 		dir=`dirname "$0"`
 		dir=`cd "$dir/.." && pwd`
 		if [[ -e "$dir/image/insecure_key" ]]; then
 			cp "$dir/image/insecure_key" ~/.baseimage_docker_insecure_key
 		else
 			echo "*** ERROR ***: Baseimage-docker insecure key not found." >&2
 			echo "You probably didn't install docker-bash properly. Please reinstall it:" >&2
 			echo "" >&2
 			echo "  curl --fail -L -O https://github.com/phusion/baseimage-docker/archive/master.tar.gz && \\" >&2
 			echo "  tar xzf master.tar.gz && \\" >&2
 			echo "  sudo ./baseimage-docker-master/install-tools.sh" >&2
 			exit 1
 		fi
 	fi
 	chown "`whoami`": ~/.baseimage_docker_insecure_key
 	chmod 600 ~/.baseimage_docker_insecure_key
 fi
 KNOWN_HOSTS_FILE=`mktemp /tmp/docker-bash.XXXXXXXXX`
 IP=`docker inspect -f "{{ .NetworkSettings.IPAddress }}" "$CONTAINER_ID"`
 # Prevent SSH from warning about adding a host to the known_hosts file.
 ssh-keyscan "$IP" >"$KNOWN_HOSTS_FILE" 2>&1
 if ! ssh -i ~/.baseimage_docker_insecure_key \
 	-o UserKnownHostsFile="$KNOWN_HOSTS_FILE" \
 	-o StrictHostKeyChecking=no \
 	-o PasswordAuthentication=no \
 	-o KbdInteractiveAuthentication=no \
 	-o ChallengeResponseAuthentication=no \
 	"root@$IP" "$@"
 then
 	STATUS=$?
 	if [[ $# = 0 ]]; then
 		echo "----------------"
 		echo "It appears that login to the Docker container failed. This could be caused by the following reasons:"
 		echo "- The Docker container you're trying to login to is not based on Baseimage-docker. The docker-bash tool only works with Baseimage-docker-based containers."
 		echo "- You did not enable the the insecure key inside the container. Please read https://github.com/phusion/baseimage-docker/blob/master/README.md#login to learn how to enable the insecure key."
 	fi
 	exit $STATUS
 fi
--- a/tools/docker-ssh
+++ b/tools/docker-ssh
@@ -0,0 +1,81 @@
 #!/bin/sh
 set -e
 KNOWN_HOSTS_FILE=
 IP=
 usage()
 {
 	echo "Usage: docker-ssh <CONTAINER_ID> [COMMAND...]"
 	echo "Login to a Baseimage-based Docker container using SSH." \
 		"If COMMAND is not given, opens an interactive shell." \
 		"Otherwise, runs COMMAND inside the container."
 }
 cleanup()
 {
 	local pids=`jobs -p`
 	if test "$pids" != ""; then
 		kill $pids
 	fi
 	if test "$KNOWN_HOSTS_FILE" != ""; then
 		rm -f "$KNOWN_HOSTS_FILE"
 	fi
 }
 if test $# = 0; then
 	usage
 	exit
 fi
 CONTAINER_ID="$1"
 shift
 trap cleanup EXIT
 if ! test -e ~/.baseimage_docker_insecure_key; then
 	if test -e /usr/local/share/baseimage-docker/insecure_key; then
 		cp /usr/local/share/baseimage-docker/insecure_key ~/.baseimage_docker_insecure_key
 	else
 		dir=`dirname "$0"`
 		dir=`cd "$dir/.." && pwd`
 		if test -e "$dir/image/insecure_key"; then
 			cp "$dir/image/insecure_key" ~/.baseimage_docker_insecure_key
 		else
 			echo "*** ERROR ***: Baseimage-docker insecure key not found." >&2
 			echo "You probably didn't install docker-ssh properly. Please reinstall it:" >&2
 			echo "" >&2
 			echo "  curl --fail -L -O https://github.com/phusion/baseimage-docker/archive/master.tar.gz && \\" >&2
 			echo "  tar xzf master.tar.gz && \\" >&2
 			echo "  sudo ./baseimage-docker-master/install-tools.sh" >&2
 			exit 1
 		fi
 	fi
 	chown "`whoami`": ~/.baseimage_docker_insecure_key
 	chmod 600 ~/.baseimage_docker_insecure_key
 fi
 KNOWN_HOSTS_FILE=`mktemp /tmp/docker-ssh.XXXXXXXXX`
 IP=`docker inspect -f "{{ .NetworkSettings.IPAddress }}" "$CONTAINER_ID"`
 # Prevent SSH from warning about adding a host to the known_hosts file.
 ssh-keyscan "$IP" >"$KNOWN_HOSTS_FILE" 2>&1
 if ! ssh -i ~/.baseimage_docker_insecure_key \
 	-o UserKnownHostsFile="$KNOWN_HOSTS_FILE" \
 	-o StrictHostKeyChecking=no \
 	-o PasswordAuthentication=no \
 	-o KbdInteractiveAuthentication=no \
 	-o ChallengeResponseAuthentication=no \
 	"root@$IP" "$@"
 then
 	STATUS=$?
 	if test $# = 0; then
 		echo "----------------"
 		echo "It appears that login to the Docker container failed. This could be caused by the following reasons:"
 		echo "- The Docker container you're trying to login to is not based on Baseimage-docker. The docker-ssh tool only works with Baseimage-docker-based containers."
 		echo "- You did not enable the the insecure key inside the container. Please read https://github.com/phusion/baseimage-docker/blob/master/README.md#login to learn how to enable the insecure key."
 	fi
 	exit $STATUS
 fi
Author	SHA1	Message	Date
Hongli Lai (Phusion)	1812fbf093	Note 0.9.16 release date	2015-01-20 11:40:15 +01:00
Hongli Lai (Phusion)	65e212f235	When uploading new release, run 'docker tag' with '-f'	2015-01-20 11:39:50 +01:00
Hongli Lai (Phusion)	bc40f72c84	Update documentation	2015-01-20 11:14:53 +01:00
Hongli Lai (Phusion)	4a41a00697	Merge branch 'reduce-dockerfile-steps' of git://github.com/kanzure/baseimage-docker into kanzure-reduce-dockerfile-steps	2015-01-20 11:04:49 +01:00
Hongli Lai (Phusion)	d85b76dfd9	Update URLs in the README, add translation note	2015-01-20 10:52:48 +01:00
Hongli Lai (Phusion)	a0e2a13b0a	Merge branch 'master' into next	2015-01-20 10:50:13 +01:00
Hongli Lai	c1c5e70dd5	Merge pull request #156 from zhaopengme/master Add Chinese translation of the README	2015-01-20 10:49:23 +01:00
Hongli Lai (Phusion)	6e55e3d515	Redirect syslog to 'docker logs' and fix cron Closes GH-123. Closes GH-115.	2015-01-19 18:07:15 +01:00
Hongli Lai (Phusion)	0b2de757f5	Fixed some locale issues Closes GH-178. Thanks to David J. M. Karlsen.	2015-01-19 17:32:05 +01:00
Hongli Lai (Phusion)	9b08ea9cd4	Logrotate now reloads syslog-ng properly Closes GH-167.	2015-01-19 16:55:09 +01:00
Hongli Lai (Phusion)	2640bc7b03	Make 'docker exec' the default and disable SSH by default Closes GH-168.	2015-01-19 16:40:17 +01:00
Hongli Lai (Phusion)	a0a48d8fd3	Merge branch 'remove_etc_hosts_workaround' into next	2015-01-19 16:01:53 +01:00
Hongli Lai (Phusion)	d9023071e4	Bump version to 0.9.16	2015-01-19 16:00:13 +01:00
Hongli Lai (Phusion)	8f2877c806	Do not set APT's force-unsafe-io option because the latest ubuntu image already does that	2015-01-17 14:32:41 +01:00
Hongli Lai (Phusion)	19c2df66b3	Remove workaround for Docker bug #2267 now that Docker has fixed this Closes GH-155.	2015-01-16 16:50:39 +01:00
Hongli Lai (Phusion)	ea56d35011	Update README	2015-01-16 14:29:19 +01:00
Hongli Lai (Phusion)	e77d34aedf	Clarify our stand point on running multiple processes and fat containers	2015-01-16 14:27:24 +01:00
Bryan Bishop	81af926a78	remove Dockerfile step for mkdir /build The ADD command will create /build automatically, so the RUN mkdir step can be safely removed. Also, this has the benefit of reducing the number of steps in the Dockerfile which is helpful for not as quickly hitting the 127 layer limit.	2014-11-24 10:56:23 -06:00
mikey.zhaopeng	c4385735af	add the Chinese translation	2014-10-24 08:53:28 +08:00
Hongli Lai (Phusion)	e54a443cca	Fix setuid bit on /usr/bin/sudo, bump version to 0.9.15. Closes GH-148.	2014-10-03 12:37:00 +02:00
Hongli Lai (Phusion)	4db83076bd	Bump version to 0.9.14	2014-10-01 11:00:21 +02:00
Hongli Lai (Phusion)	fc74a85e5d	Update Changelog	2014-10-01 11:00:04 +02:00
Hongli Lai	04173bb162	Merge pull request #142 from andreamtp/patch-1 Update README.md	2014-09-20 14:47:39 +02:00
andreamtp	715a6eebde	Update README.md updated link to the Changelog of the master branch instead of nsenter	2014-09-20 14:42:09 +02:00
Hongli Lai (Phusion)	2d2c13b519	Note 0.9.13 release date	2014-08-22 18:10:34 +02:00
Hongli Lai (Phusion)	2135d2192e	Update Changelog	2014-08-22 18:03:35 +02:00
Hongli Lai	ae652517e8	Merge pull request #129 from kingdonb/master syslog-ng.ctl left around after commit	2014-08-22 16:49:00 +02:00
Kingdon Barrett	212e080b58	syslog-ng.ctl left around after commit For phusion/baseimage#128	2014-08-07 15:15:07 -04:00
Hongli Lai	97e256cc61	Merge pull request #124 from arkadijs/master Correct typo	2014-08-04 15:06:34 +02:00
Arkadi Shishlov	f0514872ea	Correct typo	2014-08-04 14:51:28 +03:00
Hongli Lai (Phusion)	0de8640bac	Change the `docker_env` group ID from 1000 to 8377.	2014-07-25 14:49:06 +02:00
Hongli Lai (Phusion)	5e5794c528	Bump version to 0.9.13	2014-07-25 14:38:01 +02:00
Hongli Lai (Phusion)	9be2ee2916	Fix `my_init` not properly exiting with a non-zero exit status when Ctrl-C is pressed.	2014-07-25 14:37:03 +02:00
Hongli Lai (Phusion)	a0d4877272	When releasing, throw an error if the release date isn't noted in Changelog.md	2014-07-17 10:16:23 +02:00
Hongli Lai (Phusion)	a06da035d0	Note 0.9.12 release date	2014-07-17 10:14:01 +02:00
Hongli Lai (Phusion)	d55fa363bf	Update changelog	2014-07-16 21:07:59 +02:00
Hongli Lai (Phusion)	eb189e7864	Officially support nsenter	2014-07-16 21:07:49 +02:00
Hongli Lai (Phusion)	7fd667bc1f	Update Changelog	2014-07-13 23:59:40 +02:00
Hongli Lai	5106ffd4b1	Merge pull request #105 from bubenkoff/patch-1 Allow X11 forwarding and remove invalid xauth location	2014-07-13 23:58:19 +02:00
Hongli Lai (Phusion)	3526928ad9	Update README	2014-07-13 23:09:52 +02:00
Hongli Lai (Phusion)	9cf192ca02	Fix mistake in changelog	2014-07-13 23:06:05 +02:00
Hongli Lai (Phusion)	25e8b1c535	Make docker-bash work on a regular sh shell instead of bash. Closes GH-103.	2014-07-13 12:50:16 +02:00
Hongli Lai (Phusion)	2fa47a225b	Update Readme	2014-07-13 01:31:14 +02:00
Hongli Lai (Phusion)	b9d75d899d	Fix documentation order	2014-07-13 01:12:04 +02:00
Hongli Lai (Phusion)	1f38e2226e	Added a workaround for Docker's inability to modify /etc/hosts in the container. See Docker bug 2267: https://github.com/dotcloud/docker/issues/2267	2014-07-13 00:49:05 +02:00
Hongli Lai (Phusion)	291b9aae02	Bump version to 0.9.12	2014-07-13 00:49:05 +02:00
Hongli Lai (Phusion)	75902437c9	Move scripts into bin directory	2014-07-13 00:49:04 +02:00
Hongli Lai	73d900dece	Merge pull request #106 from mephi42/master my_init: use stderr for all logs Useful when you want to run tar within the container and pipe the archive to host.	2014-07-03 11:36:04 +02:00
mephi42	669435158f	my_init: use stderr for all logs Useful when you want to run tar within the container and pipe the archive to host.	2014-07-02 19:12:42 -04:00
Anatoly Bubenkov	a32cbb7808	remove explicit xauth location Change allows to connect by ssh using X11 forwarding from linux host, otherwise you get debug1: Remote: No xauth program; cannot forward with spoofing.	2014-07-02 16:04:37 +02:00
Hongli Lai	070245feb8	Merge pull request #97 from dgoujard/master Update doc with more informations in ssh section	2014-06-24 17:07:46 +02:00
Damien Goujard	7d2bdfe67e	Update doc with more informations in ssh section	2014-06-22 09:39:59 +02:00
		`@@ -0,0 +1,2 @@`
							`#!/bin/sh`
							`exec tail -f -n 0 /var/log/syslog`
		`@@ -0,0 +1 @@`
							`baseimage-docker-nsenter is the nsenter tool taken from https://github.com/jpetazzo/nsenter, commit 10ce18a7a32. It has been stripped in order to make it smaller.`