Update Changelog

Bypass runsvdir-start in order to preserve env

Changelog.md

@@ -1,3 +1,8 @@
+## 0.9.5 (release date: 2014-02-06)
+
+ * Environment variables are now no longer reset by runit. This is achieved by running `runsvdir` directly instead of through Debian's `runsvdir-start`.
+ * The insecure SSH key is now disabled by default. You have to explicitly opt-in to use it.
+
 ## 0.9.4 (release date: 2014-02-03)
 
  * Fixed syslog-ng startup problem.

Makefile

@@ -1,5 +1,5 @@
 NAME = phusion/baseimage
-VERSION = 0.9.4
+VERSION = 0.9.5
 
 .PHONY: all build test tag_latest release
 

README.md

@@ -40,7 +40,7 @@ You can configure the stock `ubuntu` image yourself from your Dockerfile, so why
    * [Getting started](#getting_started)
    * [Adding additional daemons](#adding_additional_daemons)
    * [Running scripts during container startup](#running_startup_scripts)
-   * [Login to the container](#login)
+   * [Login to the container via SSH](#login)
  * [Building the image yourself](#building)
  * [Conclusion](#conclusion)
 
@@ -91,8 +91,6 @@ You don't have to download anything manually. The above command will automatical
 
 The image is called `phusion/baseimage`, and is available on the Docker registry.
 
-By default, it allows SSH access for the key in `image/insecure_key`. This makes it easy for you to login to the container, but you should replace this key as soon as possible.
-
     # Use phusion/baseimage as base image. To make your builds reproducible, make
     # sure you lock down to a specific version, not to `latest`!
     # See https://github.com/phusion/baseimage-docker/blob/master/Changelog.md for
@@ -102,9 +100,6 @@ By default, it allows SSH access for the key in `image/insecure_key`. This makes
     # Set correct environment variables.
     ENV HOME /root
     
-    # Remove authentication rights for insecure_key.
-    RUN rm -f /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys
-    
     # Regenerate SSH host keys. baseimage-docker does not contain any, so you
     # have to do that yourself. You may also comment out this instruction; the
     # init system will auto-generate one during boot.
@@ -121,7 +116,7 @@ By default, it allows SSH access for the key in `image/insecure_key`. This makes
 <a name="adding_additional_daemons"></a>
 ### Adding additional daemons
 
-You can add additional daemons to the image by creating runit entries. You only have to write a small shell script which runs your daemon, and runit will keep it up and running for you, restarting it when it crashes, etc.
+You can add additional daemons (e.g. your own app) to the image by creating runit entries. You only have to write a small shell script which runs your daemon, and runit will keep it up and running for you, restarting it when it crashes, etc.
 
 The shell script must be called `run`, must be executable, and is to be placed in the directory `/etc/service/<NAME>`.
 
@@ -129,9 +124,9 @@ Here's an example showing you how to a memached server runit entry can be made.
 
     ### In memcached.sh (make sure this file is chmod +x):
     #!/bin/sh
-    # `chpst` is part of running. `chpst -u memcache` runs the given command
+    # `/sbin/setuser memcache` runs the given command as the user `memcache`.
-    # as the user `memcache`. If you omit this, the command will be run as root.
+    # If you omit that part, the command will be run as root.
-    exec chpst -u memcache /usr/bin/memcached >>/var/log/memcached.log 2>&1
+    exec /sbin/setuser memcache /usr/bin/memcached >>/var/log/memcached.log 2>&1
 
     ### In Dockerfile:
     RUN mkdir /etc/service/memcached
@@ -160,13 +155,26 @@ The following example shows how you can add a startup script. This script simply
     ADD logtime.sh /etc/my_init.d/logtime.sh
 
 <a name="login"></a>
-### Login to the container
+### Login to the container via SSH
 
 You can use SSH to login to any container that is based on baseimage-docker.
 
-Start a container based on baseimage-docker (or a container based on an image based on baseimage-docker):
+The first thing that you need to do is to ensure that you have the right SSH keys installed inside the container. By default, no keys are installed, so you can't login. For convenience reasons, we provide [a pregenerated, insecure key](https://github.com/phusion/baseimage-docker/blob/master/image/insecure_key) that you easily enable. However, please be aware that using this key is for convenience only. It does not provide any insecurity because this key (both the public and the private side) are publicly available. In production environments, you should use your own keys.
 
-    docker run phusion/baseimage
+Edit your Dockerfile to install an SSH key:
+
+    ## Install an SSH of your choice.
+    ADD your_key /tmp/your_key
+    RUN cat /tmp/your_key >> /root/.ssh/authorized_keys && rm -f /tmp/your_key
+
+    ## -OR-
+
+    ## Uncomment this to enable the insecure key.
+    # RUN /usr/sbin/enable_insecure_key
+
+Then rebuild your image. Once you have that, start a container based on that image:
+
+    docker run your-image-name
 
 Find out the ID of the container that you just ran:
 
@@ -176,8 +184,16 @@ Once you have the ID, look for its IP address with:
 
     docker inspect <ID> | grep IPAddress
 
-Now SSH into the container. In this example we're using [the default insecure key](https://github.com/phusion/baseimage-docker/blob/master/image/insecure_key), but if you're followed the instructions well then you've already replaced that with your own key. You did replace the key, didn't you?
+Now SSH into the container as follows:
 
+    ssh -i /path-to/your_key root@<IP address>
+
+    # -OR-
+
+    # If you're using the insecure key, download it and SSH
+    # into the container using that key.
+    curl -o insecure_key -fSL https://github.com/phusion/baseimage-docker/raw/master/image/insecure_key
+    chmod 700 insecure_key
     ssh -i insecure_key root@<IP address>
 
 <a name="building"></a>

image/enable_insecure_key

@@ -0,0 +1,17 @@
+#!/bin/bash
+set -e
+
+AUTHORIZED_KEYS=/root/.ssh/authorized_keys
+
+if [[ -e "$AUTHORIZED_KEYS" ]] && grep -q baseimage-docker-insecure-key "$AUTHORIZED_KEYS"; then
+	echo "Insecure key has already been added to $AUTHORIZED_KEYS."
+else
+	DIR=`dirname "$AUTHORIZED_KEYS"`
+	echo "Creating directory $DIR..."
+	mkdir -p "$DIR"
+	chmod 700 "$DIR"
+	chown root:root "$DIR"
+	echo "Editing $AUTHORIZED_KEYS..."
+	cat /etc/insecure_key.pub > "$AUTHORIZED_KEYS"
+	echo "Success: insecure key has been added to $AUTHORIZED_KEYS"
+fi

image/insecure_key.pub

@@ -1 +1 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVmzBG5v7cO9IScGLIzlhGlHNFhXzy87VfaPzru7qnIIdQ1e9FEKvtqEws8hVixnCUdviwX5lvcMk4Ef4Tbrmj3dyF0zFtYbjiTSyl/XQlF68DQlc2sTAdHy96wJHvh7ky511tKJzzyWwSqeef4WjeVK28TqcGnq1up0S7saFO0dJh6OfDAg2cDmhyweR3VgT0vZJyrDV7hte95MBCdK+Gp7fdCyEZcWm3S1DBFaeBqHzzt/Y/njAVKbYL9TIVPum8iMg0rMiLi9ShfP+dT5Xud5Oa3dcN2OWhiDfJw5pfhFJWd44cJ/uGRwQpvNs/PNKsYABhgLlTMUH4iawhu1Xb hongli@asuna-3939
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVmzBG5v7cO9IScGLIzlhGlHNFhXzy87VfaPzru7qnIIdQ1e9FEKvtqEws8hVixnCUdviwX5lvcMk4Ef4Tbrmj3dyF0zFtYbjiTSyl/XQlF68DQlc2sTAdHy96wJHvh7ky511tKJzzyWwSqeef4WjeVK28TqcGnq1up0S7saFO0dJh6OfDAg2cDmhyweR3VgT0vZJyrDV7hte95MBCdK+Gp7fdCyEZcWm3S1DBFaeBqHzzt/Y/njAVKbYL9TIVPum8iMg0rMiLi9ShfP+dT5Xud5Oa3dcN2OWhiDfJw5pfhFJWd44cJ/uGRwQpvNs/PNKsYABhgLlTMUH4iawhu1Xb baseimage-docker-insecure-key

image/my_init

@@ -72,7 +72,7 @@ if is_exe("/etc/rc.local"):
 # Start runit.
 signal.signal(signal.SIGCHLD, reap_child)
 print("*** Booting runit...")
-pid = os.spawnl(os.P_NOWAIT, "/usr/sbin/runsvdir-start", "/usr/sbin/runsvdir-start")
+pid = os.spawnl(os.P_NOWAIT, "/usr/bin/runsvdir", "/usr/bin/runsvdir", "-P", "/etc/service", "log: %s" % ('.' * 395))
 print("*** Runit started as PID %d" % pid)
 signal.signal(signal.SIGTERM, lambda signum, frame: stop_child_process("runit"))
 

image/system_services.sh

@@ -28,7 +28,10 @@ cp /build/00_regen_ssh_host_keys.sh /etc/my_init.d/
 mkdir -p /root/.ssh
 chmod 700 /root/.ssh
 chown root:root /root/.ssh
-cat /build/insecure_key.pub > /root/.ssh/authorized_keys
+cp /build/insecure_key.pub /etc/insecure_key.pub
+chmod 644 /etc/insecure_key.pub
+chown root:root /etc/insecure_key.pub
+cp /build/enable_insecure_key /usr/sbin/
 
 ## Install cron daemon.
 $minimal_apt_get_install cron

test/runner.sh

@@ -12,11 +12,19 @@ function cleanup()
 	echo " --> Stopping container"
 	docker stop $ID >/dev/null
 	docker rm $ID >/dev/null
+	docker rmi baseimage_test >/dev/null 2>/dev/null
 }
 
-echo " --> Starting container"
 PWD=`pwd`
-ID=`docker run -d -v $PWD/test:/test $NAME:$VERSION`
+
+echo " --> Preparing container"
+ID=`docker run -d $NAME:$VERSION enable_insecure_key`
+docker wait $ID >/dev/null
+docker commit $ID baseimage_test >/dev/null
+docker rm $ID >/dev/null
+
+echo " --> Starting container"
+ID=`docker run -d -v $PWD/test:/test baseimage_test /sbin/my_init`
 sleep 1
 
 echo " --> Obtaining IP"