Prepare for 0.9.19 release

Closes GH-292.

Changelog.md

@@ -1,6 +1,15 @@
+## 0.9.19 (release date: 2017-07-08)
+
+ * Upgraded to Ubuntu 16.04. Thanks to Pierre Jacomet for submitting this patch.
+ * During shutdown, repeatedly tell Runit to shutdown services in order to workaround a potential race condition in Runit itself. Closes GH-315. Thanks to Chris Kite for submitting this patch.
+ * Fixed a problem in PAM which may cause chpasswd and related tools to fail. This is caused by Docker bug 6345 which is already closed, but for some reason the problem still persists. Closes GH-181. Thanks to Michael Zedeler for submitting the patch.
+ * Fixed the syslog-ng logrotate script to correctly restart the syslog-to-Docker-logs forwarder. Closes GH-292. Thanks to Ernestas Lukoševičius for submitting the patch.
+
+
 ## 0.9.18 (release date: 2015-12-08)
 
  * The latest OpenSSL updates have been pulled in. This fixes [CVE-2015-3193](https://www.openssl.org/news/secadv/20151203.txt) and a few others. Upgrading is strongly recommended.
+ * Fixes disabling all services. Thanks to Enderson Maia.
 
 
 ## 0.9.17 (release date: 2015-07-15)

Makefile

@@ -1,5 +1,5 @@
 NAME = phusion/baseimage
-VERSION = 0.9.18
+VERSION = 0.9.19
 
 .PHONY: all build test tag_latest release ssh
 

README.md

@@ -2,6 +2,8 @@
 
 [![](https://badge.imagelayers.io/phusion/baseimage:0.9.17.svg)](https://imagelayers.io/?images=phusion/baseimage:latest 'Get your own badge on imagelayers.io')
 
+_Baseimage-docker only consumes 6 MB RAM and is much powerful than Busybox or Alpine. See why below._
+
 Baseimage-docker is a special [Docker](https://www.docker.com) image that is configured for correct use within Docker containers. It is Ubuntu, plus:
 
  * Modifications for Docker-friendliness.
@@ -83,7 +85,7 @@ You can configure the stock `ubuntu` image yourself from your Dockerfile, so why
 
 | Component        | Why is it included? / Remarks |
 | ---------------- | ------------------- |
-| Ubuntu 14.04 LTS | The base system. |
+| Ubuntu 16.04 LTS | The base system. |
 | A **correct** init process | _Main article: [Docker and the PID 1 zombie reaping problem](http://blog.phusion.nl/2015/01/20/docker-and-the-pid-1-zombie-reaping-problem/)._ <br><br>According to the Unix process model, [the init process](https://en.wikipedia.org/wiki/Init) -- PID 1 -- inherits all [orphaned child processes](https://en.wikipedia.org/wiki/Orphan_process) and must [reap them](https://en.wikipedia.org/wiki/Wait_(system_call)). Most Docker containers do not have an init process that does this correctly, and as a result their containers become filled with [zombie processes](https://en.wikipedia.org/wiki/Zombie_process) over time. <br><br>Furthermore, `docker stop` sends SIGTERM to the init process, which is then supposed to stop all services. Unfortunately most init systems don't do this correctly within Docker since they're built for hardware shutdowns instead. This causes processes to be hard killed with SIGKILL, which doesn't give them a chance to correctly deinitialize things. This can cause file corruption. <br><br>Baseimage-docker comes with an init process `/sbin/my_init` that performs both of these tasks correctly. |
 | Fixes APT incompatibilities with Docker | See https://github.com/dotcloud/docker/issues/1024. |
 | syslog-ng | A syslog daemon is necessary so that many services - including the kernel itself - can correctly log to /var/log/syslog. If no syslog daemon is running, a lot of important messages are silently swallowed. <br><br>Only listens locally. All syslog messages are forwarded to "docker logs". |
@@ -281,7 +283,7 @@ If you are sure that your environment variables don't contain sensitive data, th
 <a name="upgrading_os"></a>
 ### Upgrading the operating system inside the container
 
-Baseimage-docker images contain an Ubuntu 14.04 operating system. You may want to update this OS from time to time, for example to pull in the latest security updates. OpenSSL is a notorious example. Vulnerabilities are discovered in OpenSSL on a regular basis, so you should keep OpenSSL up-to-date as much as you can.
+Baseimage-docker images contain an Ubuntu 16.04 operating system. You may want to update this OS from time to time, for example to pull in the latest security updates. OpenSSL is a notorious example. Vulnerabilities are discovered in OpenSSL on a regular basis, so you should keep OpenSSL up-to-date as much as you can.
 
 While we release Baseimage-docker images with the latest OS updates from time to time, you do not have to rely on us. You can update the OS inside Baseimage-docker images yourself, and it is recommend that you do this instead of waiting for us.
 

README_ZH_cn_.md

@@ -82,7 +82,7 @@ Baseimage-docker让这一切完美。在"内容"部分描述了所有这些修
 
 | 模块        | 为什么包含这些？以及备注 |
 | ---------------- | ------------------- |
-| Ubuntu 14.04 LTS | 基础系统。 |
+| Ubuntu 16.04 LTS | 基础系统。 |
 | 一个**正确**的初始化进程  | *主要文章：[Docker和PID 1 僵尸进程回收问题](http://blog.phusion.nl/2015/01/20/docker-and-the-pid-1-zombie-reaping-problem/)*<br/><br/>根据Unix进程模型，[初始化进程](https://en.wikipedia.org/wiki/Init) -- PID 1 -- 继承了所有[孤立的子进程](https://en.wikipedia.org/wiki/Orphan_process)，并且必须[进行回收](https://en.wikipedia.org/wiki/Wait_(system_call))。大多数Docker容器没有一个初始化进程可以正确的完成此操作，随着时间的推移会导致他们的容器出现了大量的[僵尸进程](https://en.wikipedia.org/wiki/Zombie_process)。<br/><br/>而且，`docker stop`发送SIGTERM信号给初始化进程，照理说此信号应该可以停止所有服务。不幸的是由于它们对硬件进行了关闭操作，导致Docker内的大多数初始化系统没有正确执行。这会导致进程强行被SIGKILL信号关闭，从而丧失了一个正确取消初始化设置的机会。这会导致文件损坏。<br/><br/>Baseimage-docker配有一个名为`/sbin/my_init`的初始化进程来同时正确的完成这些任务。 |
 | 修复了APT与Docker不兼容的问题 | 详情参见：https://github.com/dotcloud/docker/issues/1024 。 |
 | syslog-ng | 对于很多服务－包括kernel自身，都需要一个syslog后台进程，以便可以正确的将log输出到/var/log/syslog中。如果没有运行syslog后台进程，很多重要的信息就会默默的丢失了。<br/><br/>只对本地进行监听。所有syslog信息会被转发给“docker logs”。 |
@@ -116,7 +116,6 @@ Baseimage-docker *鼓励* 通过runit来运行多进程.
 <a name="getting_started"></a>
 ### 入门指南
 
-The image is called `phusion/baseimage`, and is available on the Docker registry.
 镜像名字叫`phusion/baseimage`,在Docker仓库上也是可用的.
 
 下面的这个是一个Dockerfile的模板.

README_zh_tw.md

@@ -82,7 +82,7 @@ Baseimage-docker讓這一切完美。在"內容"部分描述了所有這些修
 
 | 模塊        | 爲什麼包含這些？以及備註 |
 | ---------------- | ------------------- |
-| Ubuntu 14.04 LTS | 基礎系統。 |
+| Ubuntu 16.04 LTS | 基礎系統。 |
 | 一個**正確**的初始化行程  | *主要文章：[Docker和PID 1 殭屍行程回收問題](http://blog.phusion.nl/2015/01/20/docker-and-the-pid-1-zombie-reaping-problem/)*<br/><br/>根據Unix行程模型，[初始化行程](https://en.wikipedia.org/wiki/Init) -- PID 1 -- 繼承了所有[孤立的子行程](https://en.wikipedia.org/wiki/Orphan_process)，並且必須[進行回收](https://en.wikipedia.org/wiki/Wait_(system_call))。大多數Docker容器沒有一個初始化行程可以正確的完成此操作，隨着時間的推移會導致他們的容器出現了大量的[殭屍行程](https://en.wikipedia.org/wiki/Zombie_process)。<br/><br/>而且，`docker stop`發送SIGTERM信號給初始化行程，照理說此信號應該可以停止所有服務。不幸的是由於它們對硬體進行了關閉操作，導致Docker內的大多數初始化系統沒有正確執行。這會導致行程強行被SIGKILL信號關閉，從而喪失了一個正確取消初始化設置的機會。這會導致文件損壞。<br/><br/>Baseimage-docker配有一個名爲`/sbin/my_init`的初始化行程來同時正確的完成這些任務。 |
 | 修復了APT與Docker不兼容的問題 | 詳情參見：https://github.com/dotcloud/docker/issues/1024 。 |
 | syslog-ng | 對於很多服務－包括kernel自身，都需要一個syslog後臺行程，以便可以正確的將log輸出到/var/log/syslog中。如果沒有運行syslog後臺行程，很多重要的信息就會默默的丟失了。<br/><br/>只對本地進行監聽。所有syslog信息會被轉發給“docker logs”。 |

image/Dockerfile

@@ -1,4 +1,4 @@
-FROM ubuntu:14.04
+FROM ubuntu:16.04
 MAINTAINER Phusion <info@phusion.nl>
 
 ADD . /bd_build
@@ -6,6 +6,7 @@ ADD . /bd_build
 RUN /bd_build/prepare.sh && \
 	/bd_build/system_services.sh && \
 	/bd_build/utilities.sh && \
+	/bd_build/fix_pam_bug.sh && \
 	/bd_build/cleanup.sh
 
 CMD ["/sbin/my_init"]

image/bin/my_init

@@ -244,7 +244,8 @@ def wait_for_runit_or_interrupt(pid):
 	except KeyboardInterrupt:
 		return (False, None)
 
-def shutdown_runit_services():
+def shutdown_runit_services(quiet = False):
+	if not quiet:
 		debug("Begin shutting down runit services...")
 	os.system("/usr/bin/sv down /etc/service/*")
 
@@ -255,6 +256,12 @@ def wait_for_runit_services():
 		done = os.system("/usr/bin/sv status /etc/service/* | grep -q '^run:'") != 0
 		if not done:
 			time.sleep(0.1)
+			# According to https://github.com/phusion/baseimage-docker/issues/315
+			# there is a bug or race condition in Runit, causing it
+			# not to shutdown services that are already being started.
+			# So during shutdown we repeatedly instruct Runit to shutdown
+			# services.
+			shutdown_runit_services(True)
 
 def install_insecure_key():
 	info("Installing insecure SSH key for user root")

image/cleanup.sh

@@ -7,6 +7,5 @@ apt-get clean
 rm -rf /bd_build
 rm -rf /tmp/* /var/tmp/*
 rm -rf /var/lib/apt/lists/*
-rm -f /etc/dpkg/dpkg.cfg.d/02apt-speedup
 
 rm -f /etc/ssh/ssh_host_*

image/fix_pam_bug.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+set -e
+source /bd_build/buildconfig
+set -x
+
+# Fixes https://github.com/docker/docker/issues/6345
+# The Github is closed, but some apps such as pbuilder still triggers it.
+
+export CONFIGURE_OPTS=--disable-audit
+cd /tmp
+
+$minimal_apt_get_install gdebi-core
+apt-get build-dep -y --no-install-recommends pam
+apt-get source -y -b pam
+gdebi -n libpam-doc*.deb libpam-modules*.deb libpam-runtime*.deb libpam0g*.deb
+rm -rf *.deb *.gz *.dsc *.changes pam-*
+
+# Unfortunately there is no way to automatically remove build deps, so we do this manually.
+apt-get remove -y gdebi-core autoconf automake autopoint autotools-dev binutils bsdmainutils \
+	build-essential bzip2 cpp cpp-5 debhelper dh-autoreconf dh-strip-nondeterminism \
+	diffstat docbook-xml docbook-xsl dpkg-dev flex g++ g++-5 gcc gcc-5 gettext gettext-base \
+	groff-base intltool-debian libarchive-zip-perl libasan2 libasprintf0v5 libatomic1 \
+	libaudit-dev libc-dev-bin libc6-dev libcc1-0 libcilkrts5 libcrack2 libcrack2-dev libcroco3 \
+	libdb-dev libdb5.3-dev libdpkg-perl libfile-stripnondeterminism-perl libfl-dev libgc1c2 \
+	libgcc-5-dev libgdbm3 libgomp1 libgpm2 libicu55 libisl15 libitm1 liblsan0 libmpc3 \
+	libmpfr4 libmpx0 libpcre16-3 libpcre3-dev libpcre32-3 libpcrecpp0v5 libperl5.22 \
+	libpipeline1 libquadmath0 libselinux1-dev libsepol1-dev libsigsegv2 libstdc++-5-dev \
+	libtimedate-perl libtool libtsan0 libubsan0 libunistring0 libxml2 libxml2-utils \
+	libxslt1.1 linux-libc-dev m4 make man-db patch perl perl-modules-5.22 pkg-config \
+	po-debconf quilt sgml-base sgml-data w3m xml-core xsltproc xz-utils
+
+apt-get remove -y gdebi-core
+apt-get autoremove -y

image/prepare.sh

@@ -3,11 +3,6 @@ set -e
 source /bd_build/buildconfig
 set -x
 
-## Temporarily disable dpkg fsync to make building faster.
-if [[ ! -e /etc/dpkg/dpkg.cfg.d/docker-apt-speedup ]]; then
-	echo force-unsafe-io > /etc/dpkg/dpkg.cfg.d/docker-apt-speedup
-fi
-
 ## Prevent initramfs updates from trying to run grub and lilo.
 ## https://journal.paul.querna.org/articles/2013/10/15/docker-ubuntu-on-rackspace/
 ## http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594189

image/services/syslog-ng/logrotate_syslogng

@@ -8,6 +8,7 @@
 	compress
 	postrotate
 		sv reload syslog-ng > /dev/null
+		sv restart syslog-forwarder > /dev/null
 	endscript
 }
 
@@ -33,6 +34,6 @@
 	sharedscripts
 	postrotate
 		sv reload syslog-ng > /dev/null
-		sv restart cron-log-forwarder > /dev/null
+		sv restart syslog-forwarder > /dev/null
 	endscript
 }