Note 0.9.13 release date

syslog-ng.ctl left around after commit

CONTRIBUTING.md

@@ -0,0 +1,5 @@
+Hey, thanks for wanting to contribute to baseimage-docker. :)
+
+If you have a question, please use the [discussion forum](https://groups.google.com/d/forum/passenger-docker). The Github issue tracker is only for **bug reports and feature requests**.
+
+If you want to develop baseimage-docker, use the Vagrantfile in the repository. It will setup an Ubuntu VM with Docker installed in it. Use the Makefile to build the image.

Changelog.md

@@ -1,10 +1,78 @@
+## 0.9.13 (release date: 2014-08-22)
+
+ * Fixed `my_init` not properly exiting with a non-zero exit status when Ctrl-C is pressed.
+ * The GID of the `docker_env` group has been changed from 1000 to 8377, in order to avoid GID conflicts with any groups that you might want to introduce inside the container.
+ * The syslog-ng socket is now deleted before starting the syslog-ng daemon, to avoid the daemon from failing to start due to garbage on the filesystem. Thanks to Kingdon Barrett. Closes GH-129.
+ * Typo fixes by Arkadi Shishlov.
+
+## 0.9.12 (release date: 2014-07-24)
+
+ * We now officially support `nsenter` as an alternative way to login to the container. With official support, we mean that we've provided extensive documentation on how to use `nsenter`, as well as related convenience tools. However, because `nsenter` has various issues, and for backward compatibility reasons, we still support SSH. Please refer to the README for details about `nsenter`, and what the pros and cons are compared to SSH.
+   * The `docker-bash` tool has been modified to use `nsenter` instead of SSH.
+   * What was previously the `docker-bash` tool, has now been renamed to `docker-ssh`. It now also works on a regular sh shell too, instead of bash specifically.
+ * Added a workaround for Docker's inability to modify /etc/hosts in the container ([Docker bug 2267](https://github.com/dotcloud/docker/issues/2267)). Please refer to the README for details.
+ * Fixed an issue with SSH X11 forwarding. Thanks to Anatoly Bubenkov. Closes GH-105.
+ * The init system now prints its own log messages to stderr. Thanks to mephi42. Closes GH-106.
+
+## 0.9.11 (release date: 2014-06-24)
+
+ * Introduced the `docker-bash` tool. This is a shortcut tool for logging into a container using SSH. Usage: `docker-bash <CONTAINER ID>`. See the README for details.
+ * Fixed various process waiting issues in `my_init`. Closes GH-27, GH-82 and GH-83. Thanks to André Luiz dos Santos and Paul Annesley.
+ * The `ca-certificates` package is now installed by default. This is because we include `apt-transport-https`, but Ubuntu 14.04 no longer installs `ca-certificates` by default anymore. Closes GH-73.
+ * Output print by Runit services are now redirected to the Docker logs instead of to proctitle. Thanks to Paul Annesley.
+ * Container environment variables are now made available to SSH root shells. If you login with SSH through a non-root account, then container environment variables are only made available if that user is a member of the `docker_env` group. Thanks to Bernard Potocki.
+ * `add-apt-repository` is now installed by default. Closes GH-74.
+ * Various minor fixes and contributions thanks to yebyen, John Eckhart, Christoffer Sawicki and Brant Fitzsimmons.
+
+## 0.9.10 (release date: 2014-05-12)
+
+ * Upgraded to Ubuntu 14.04 (Trusty). We will no longer release images based on 12.04.
+   Thanks to contributions by mpeterson, Paul Jimenez, Santiago M. Mola and Kingdon Barrett.
+ * Fixed a problem with my_init not correctly passing child processes' exit status. Fixes GH-45.
+ * When reading environment variables from /etc/container_environment, the trailing newline (if any) is ignored. This makes commands like this work, without unintentially adding a newline to the environment variable value:
+
+        echo my_value > /etc/container_environment/FOO
+
+   If you intended on adding a newline to the value, ensure you have *two* trailing newlines:
+
+        echo -e "my_value\n" > /etc/container_environment/FOO
+ * It was not possible to use `docker run -e` to override environment variables defined in /etc/container_environment. This has been fixed (GH-52). Thanks to Stuart Campbell for reporting this bug.
+
+## 0.9.9 (release date: 2014-03-25)
+
+ * Fixed a problem with rssh. (Slawomir Chodnicki)
+ * The `INITRD` environment variable is now set in the container by default. This prevents updates to the `initramfs` from running grub or lilo.
+ * The `ischroot` tool in Ubuntu has been modified to always return true. This prevents updates to the `initscripts` package from breaking /dev/shm.
+ * Various minor bug fixes, improvements and typo corrections. (Felix Hummel, Laurent Sarrazin, Dung Quang, Amir Gur)
+
+## 0.9.8 (release date: 2014-02-26)
+
+ * Fixed a regression in `my_init` which causes it to delete environment variables passed from Docker.
+ * Fixed `my_init` not properly forcing Runit to shut down if Runit appears to refuse to respond to SIGTERM.
+
+## 0.9.7 (release date: 2014-02-25)
+
+ * Improved and fixed bugs in `my_init` (Thomas LÉVEIL):
+   * It is now possible to enable the insecure key by passing `--enable-insecure-key` to `my_init`. This allows users to easily enable the insecure key for convenience reasons, without having the insecure key enabled permanently in the image.
+   * `my_init` now exports environment variables to the directory `/etc/container_environment` and to the files `/etc/container_environment.sh`, `/etc/container_environment.json`. This allows all applications to query what the original environment variables were. It is also possible to change the environment variables in `my_init` by modifying `/etc/container_environment`. More information can be found in the README, section "Environment variables".
+   * Fixed a bug that causes it not to print messages to stdout when there is no pseudo terminal. This is because Python buffers stdout by default.
+   * Fixed an incorrectly printed message.
+ * The insecure key is now also available in PuTTY format. (Thomas LÉVEIL)
+ * Fixed `enable_insecure_key` removing already installed SSH keys. (Thomas LÉVEIL)
+ * The baseimage-docker image no longer EXPOSEs any ports by default. The EXPOSE entries were originally there to enable some default guest-to-host port forwarding entries, but in recent Docker versions they changed the meaning of EXPOSE, and now EXPOSE is used for linking containers. As such, we no longer have a reason to EXPOSE any ports by default. Fixes GH-15.
+ * Fixed syslog-ng not being able to start because of a missing afsql module. Fixes the issue described in [pull request 7](https://github.com/phusion/baseimage-docker/pull/7).
+ * Removed some default Ubuntu cron jobs which are not useful in Docker containers.
+ * Added the logrotate service. Fixes GH-22.
+ * Fixed some warnings in `/etc/my_init.d/00_regen_ssh_host_keys.sh`.
+ * Fixed some typos in the documentation. (Dr Nic Williams, Tomer Cohen)
+
 ## 0.9.6 (release date: 2014-02-17)
 
  * Fixed a bug in `my_init`: child processes that have been adopted during execution of init scripts are now properly reaped.
  * Much improved `my_init`:
    * It is now possible to run and watch a custom command, possibly in addition to running runit. See "Running a one-shot command in the container" in the README.
    * It is now possible to skip running startup files such as /etc/rc.local.
-   * Shutdown is not much faster. It previously took a few seconds, but it is now almost instantaneous.
+   * Shutdown is now much faster. It previously took a few seconds, but it is now almost instantaneous.
    * It ensures that all processes in the container are properly shut down with SIGTERM, even those that are not direct child processes of `my_init`.
  * `setuser` now also sets auxilliary groups, as well as more environment variables such as `USER` and `UID`.
 

Makefile

@@ -1,12 +1,12 @@
 NAME = phusion/baseimage
-VERSION = 0.9.6
+VERSION = 0.9.13
 
 .PHONY: all build test tag_latest release ssh
 
 all: build
 
 build:
-	docker build -t $(NAME):$(VERSION) -rm image
+	docker build -t $(NAME):$(VERSION) --rm image
 
 test:
 	env NAME=$(NAME) VERSION=$(VERSION) ./test/runner.sh
@@ -15,12 +15,13 @@ tag_latest:
 	docker tag $(NAME):$(VERSION) $(NAME):latest
 
 release: test tag_latest
-	@if ! docker images phusion/baseimage | awk '{ print $$2 }' | grep -q -F $(VERSION); then echo "$(NAME) version $(VERSION) is not yet built. Please run 'make build'"; false; fi
+	@if ! docker images $(NAME) | awk '{ print $$2 }' | grep -q -F $(VERSION); then echo "$(NAME) version $(VERSION) is not yet built. Please run 'make build'"; false; fi
+	@if ! head -n 1 Changelog.md | grep -q 'release date'; then echo 'Please note the release date in Changelog.md.' && false; fi
 	docker push $(NAME)
 	@echo "*** Don't forget to create a tag. git tag rel-$(VERSION) && git push origin rel-$(VERSION)"
 
 ssh:
-	chmod 600 image/insecure_key.pub
+	chmod 600 image/insecure_key
 	@ID=$$(docker ps | grep -F "$(NAME):$(VERSION)" | awk '{ print $$1 }') && \
 		if test "$$ID" = ""; then echo "Container is not running."; exit 1; fi && \
 		IP=$$(docker inspect $$ID | grep IPAddr | sed 's/.*: "//; s/".*//') && \

README.md

@@ -1,12 +1,18 @@
 # A minimal Ubuntu base image modified for Docker-friendliness
 
-Baseimage-docker is a special [Docker](http://www.docker.io) image that is configured for correct use within Docker containers. It is Ubuntu, plus modifications for Docker-friendliness. You can use it as a base for your own Docker images.
+Baseimage-docker is a special [Docker](http://www.docker.io) image that is configured for correct use within Docker containers. It is Ubuntu, plus:
+
+ * Modifications for Docker-friendliness.
+ * Workarounds for [some Docker bugs](#workaroud_modifying_etc_hosts).
+ * Useful administration tools.
+
+You can use it as a base for your own Docker images.
 
 Baseimage-docker is available for pulling from [the Docker registry](https://index.docker.io/u/phusion/baseimage/)!
 
 ### What are the problems with the stock Ubuntu base image?
 
-Ubuntu is not designed to be run inside docker. Its init system, Upstart, assumes that it's running on either real hardware or virtualized hardware, but not inside a Docker container. But inside a container you don't want a full system anyway, you want a minimal system. But configuring that minimal system for use within a container has many strange corner cases that are hard to get right if you are not intimately familiar with the Unix system model. This can cause a lot of strange problems.
+Ubuntu is not designed to be run inside Docker. Its init system, Upstart, assumes that it's running on either real hardware or virtualized hardware, but not inside a Docker container. But inside a container you don't want a full system anyway, you want a minimal system. But configuring that minimal system for use within a container has many strange corner cases that are hard to get right if you are not intimately familiar with the Unix system model. This can cause a lot of strange problems.
 
 Baseimage-docker gets everything right. The "Contents" section describes all the things that it modifies.
 
@@ -40,8 +46,24 @@ You can configure the stock `ubuntu` image yourself from your Dockerfile, so why
    * [Getting started](#getting_started)
    * [Adding additional daemons](#adding_additional_daemons)
    * [Running scripts during container startup](#running_startup_scripts)
-   * [Running a one-shot command in the container](#oneshot)
+   * [Environment variables](#environment_variables)
-   * [Login to the container via SSH](#login)
+     * [Centrally defining your own environment variables](#envvar_central_definition)
+     * [Environment variable dumps](#envvar_dumps)
+     * [Modifying environment variables](#modifying_envvars)
+     * [Security](#envvar_security)
+   * [Working around Docker's inability to modify /etc/hosts](#workaroud_modifying_etc_hosts)
+   * [Disabling SSH](#disabling_ssh)
+ * [Container administration](#container_administration)
+   * [Running a one-shot command in a new container](#oneshot)
+   * [Running a command in an existing, running container](#run_inside_existing_container)
+   * [Login to the container via nsenter](#login_nsenter)
+     * [Usage](#nsenter_usage)
+     * [The `docker-bash` tool](#docker_bash)
+   * [Login to the container via SSH](#login_ssh)
+     * [Using the insecure key for one container only](#using_the_insecure_key_for_one_container_only)
+     * [Enabling the insecure key permanently](#enabling_the_insecure_key_permanently)
+     * [Using your own key](#using_your_own_key)
+     * [The `docker-ssh` tool](#docker_ssh)
  * [Building the image yourself](#building)
  * [Conclusion](#conclusion)
 
@@ -57,11 +79,13 @@ You can configure the stock `ubuntu` image yourself from your Dockerfile, so why
 
 | Component        | Why is it included? / Remarks |
 | ---------------- | ------------------- |
-| Ubuntu 12.04 LTS | The base system. |
+| Ubuntu 14.04 LTS | The base system. |
-| A **correct** init process | According to the Unix process model, [the init process](https://en.wikipedia.org/wiki/Init) -- PID 1 -- inherits all [orphaned child processes](https://en.wikipedia.org/wiki/Orphan_process) and must [reap them](https://en.wikipedia.org/wiki/Wait_(system_call). Most Docker containers do not have an init process that does this correctly, and as a result their containers become filled with [zombie processes](https://en.wikipedia.org/wiki/Zombie_process) over time. <br><br>Furthermore, `docker stop` sends SIGTERM to the init process, which is then supposed to stop all services. Unfortunately most init systems don't do this correctly within Docker since they're built for hardware shutdowns instead. This causes processes to be hard killed with SIGKILL, which doesn't give them a chance to correctly deinitialize things. This can cause file corruption. <br><br>Baseimage-docker comes with an init process `/sbin/my_init` that performs both of these tasks correctly. |
+| A **correct** init process | According to the Unix process model, [the init process](https://en.wikipedia.org/wiki/Init) -- PID 1 -- inherits all [orphaned child processes](https://en.wikipedia.org/wiki/Orphan_process) and must [reap them](https://en.wikipedia.org/wiki/Wait_(system_call)). Most Docker containers do not have an init process that does this correctly, and as a result their containers become filled with [zombie processes](https://en.wikipedia.org/wiki/Zombie_process) over time. <br><br>Furthermore, `docker stop` sends SIGTERM to the init process, which is then supposed to stop all services. Unfortunately most init systems don't do this correctly within Docker since they're built for hardware shutdowns instead. This causes processes to be hard killed with SIGKILL, which doesn't give them a chance to correctly deinitialize things. This can cause file corruption. <br><br>Baseimage-docker comes with an init process `/sbin/my_init` that performs both of these tasks correctly. |
 | Fixes APT incompatibilities with Docker | See https://github.com/dotcloud/docker/issues/1024. |
+| Workarounds for Docker bugs | [Learn more.](#workaroud_modifying_etc_hosts) |
 | syslog-ng | A syslog daemon is necessary so that many services - including the kernel itself - can correctly log to /var/log/syslog. If no syslog daemon is running, a lot of important messages are silently swallowed. <br><br>Only listens locally. |
-| ssh server | Allows you to easily login to your container to inspect or administer things. <br><br>Password and challenge-response authentication are disabled by default. Only key authentication is allowed.<br>By default, it allows a predefined key, in order to make debugging easy. You should replace this ASAP. See instructions. |
+| logrotate | Rotates and compresses logs on a regular basis. |
+| SSH server | Allows you to easily login to your container to [inspect or administer](#login_ssh) things. <br><br>_SSH is only one of the methods provided by baseimage-docker for this purpose. The other method is through [the nsenter tool](#login_nsenter). SSH is also provided as an option because nsenter has many issues._<br><br>Password and challenge-response authentication are disabled by default. Only key authentication is allowed.<br><br>SSH access can be easily disabled if you so wish. Read on for instructions. |
 | cron | The cron daemon must be running for cron jobs to work. |
 | [runit](http://smarden.org/runit/) | Replaces Ubuntu's Upstart. Used for service supervision and management. Much easier to use than SysV init and supports restarting daemons when they crash. Much easier to use and more lightweight than Upstart. |
 | `setuser` | A tool for running a command as another user. Easier to use than `su`, has a smaller attack vector than `sudo`, and unlike `chpst` this tool sets `$HOME` correctly. Available as `/sbin/setuser`. |
@@ -80,7 +104,9 @@ Baseimage-docker *encourages* multiple processes through the use of runit.
 
 To look around in the image, run:
 
-    docker run -rm -t -i phusion/baseimage bash -l
+    docker run --rm -t -i phusion/baseimage:<VERSION> /sbin/my_init -- bash -l
+
+where `<VERSION>` is [one of the baseimage-docker version numbers](https://github.com/phusion/baseimage-docker/blob/nsenter/Changelog.md).
 
 You don't have to download anything manually. The above command will automatically pull the baseimage-docker image from the Docker registry.
 
@@ -121,7 +147,7 @@ You can add additional daemons (e.g. your own app) to the image by creating runi
 
 The shell script must be called `run`, must be executable, and is to be placed in the directory `/etc/service/<NAME>`.
 
-Here's an example showing you how to a memached server runit entry can be made.
+Here's an example showing you how a memcached server runit entry can be made.
 
     ### In memcached.sh (make sure this file is chmod +x):
     #!/bin/sh
@@ -140,7 +166,7 @@ Note that the shell script must run the daemon **without letting it daemonize/fo
 
 The baseimage-docker init system, `/sbin/my_init`, runs the following scripts during startup, in the following order:
 
- * All executable scripts in `/etc/my_init.d`, if this directory exists. The scripts are run during in lexicographic order.
+ * All executable scripts in `/etc/my_init.d`, if this directory exists. The scripts are run in lexicographic order.
  * The script `/etc/rc.local`, if this file exists.
 
 All scripts must exit correctly, e.g. with exit code 0. If any script exits with a non-zero exit code, the booting will fail.
@@ -155,10 +181,130 @@ The following example shows how you can add a startup script. This script simply
     RUN mkdir -p /etc/my_init.d
     ADD logtime.sh /etc/my_init.d/logtime.sh
 
-<a name="oneshot"></a>
+<a name="environment_variables"></a>
-### Running a one-shot command in the container
+### Environment variables
 
-Normally, when you want to run a single command in a container, and exit immediately after the command, you invoke Docker like this:
+If you use `/sbin/my_init` as the main container command, then any environment variables set with `docker run --env` or with the `ENV` command in the Dockerfile, will be picked up by `my_init`. These variables will also be passed to all child processes, including `/etc/my_init.d` startup scripts, Runit and Runit-managed services. There are however a few caveats you should be aware of:
+
+ * Environment variables on Unix are inherited on a per-process basis. This means that it is generally not possible for a child process to change the environment variables of other processes.
+ * Because of the aforementioned point, there is no good central place for defining environment variables for all applications and services. Debian has the `/etc/environment` file but it only works in some situations.
+ * Some services change environment variables for child processes. Nginx is one such example: it removes all environment variables unless you explicitly instruct it to retain them through the `env` configuration option. If you host any applications on Nginx (e.g. using the [passenger-docker](https://github.com/phusion/passenger-docker) image, or using Phusion Passenger in your own image) then they will not see the environment variables that were originally passed by Docker.
+
+`my_init` provides a solution for all these caveats.
+
+<a name="envvar_central_definition"></a>
+#### Centrally defining your own environment variables
+
+During startup, before running any [startup scripts](#running_startup_scripts), `my_init` imports environment variables from the directory `/etc/container_environment`. This directory contains files who are named after the environment variable names. The file contents contain the environment variable values. This directory is therefore a good place to centrally define your own environment variables, which will be inherited by all startup scripts and Runit services.
+
+For example, here's how you can define an environment variable from your Dockerfile:
+
+    RUN echo Apachai Hopachai > /etc/container_environment/MY_NAME
+
+You can verify that it works, as follows:
+
+    $ docker run -t -i <YOUR_NAME_IMAGE> /sbin/my_init -- bash -l
+    ...
+    *** Running bash -l...
+    # echo $MY_NAME
+    Apachai Hopachai
+
+**Handling newlines**
+
+If you've looked carefully, you'll notice that the 'echo' command actually prints a newline. Why does $MY_NAME not contain a newline then? It's because `my_init` strips the trailing newline, if any. If you intended on the value having a newline, you should add *another* newline, like this:
+
+    RUN echo -e "Apachai Hopachai\n" > /etc/container_environment/MY_NAME
+
+<a name="envvar_dumps"></a>
+#### Environment variable dumps
+
+While the previously mentioned mechanism is good for centrally defining environment variables, it by itself does not prevent services (e.g. Nginx) from changing and resetting environment variables from child processes. However, the `my_init` mechanism does make it easy for you to query what the original environment variables are.
+
+During startup, right after importing environment variables from `/etc/container_environment`, `my_init` will dump all its environment variables (that is, all variables imported from `container_environment`, as well as all variables it picked up from `docker run --env`) to the following locations, in the following formats:
+
+ * `/etc/container_environment`
+ * `/etc/container_environment.sh` - a dump of the environment variables in Bash format. You can source the file directly from a Bash shell script.
+ * `/etc/container_environment.json` - a dump of the environment variables in JSON format.
+
+The multiple formats makes it easy for you to query the original environment variables no matter which language your scripts/apps are written in.
+
+Here is an example shell session showing you how the dumps look like:
+
+    $ docker run -t -i \
+      --env FOO=bar --env HELLO='my beautiful world' \
+      phusion/baseimage:<VERSION> /sbin/my_init -- \
+      bash -l
+    ...
+    *** Running bash -l...
+    # ls /etc/container_environment
+    FOO  HELLO  HOME  HOSTNAME  PATH  TERM  container
+    # cat /etc/container_environment/HELLO; echo
+    my beautiful world
+    # cat /etc/container_environment.json; echo
+    {"TERM": "xterm", "container": "lxc", "HOSTNAME": "f45449f06950", "HOME": "/root", "PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "FOO": "bar", "HELLO": "my beautiful world"}
+    # source /etc/container_environment.sh
+    # echo $HELLO
+    my beautiful world
+
+<a name="modifying_envvars"></a>
+#### Modifying environment variables
+
+It is even possible to modify the environment variables in `my_init` (and therefore the environment variables in all child processes that are spawned after that point in time), by altering the files in `/etc/container_environment`. After each time `my_init` runs a [startup script](#running_startup_scripts), it resets its own environment variables to the state in `/etc/container_environment`, and re-dumps the new environment variables to `container_environment.sh` and `container_environment.json`.
+
+But note that:
+
+ * modifying `container_environment.sh` and `container_environment.json` has no effect.
+ * Runit services cannot modify the environment like that. `my_init` only activates changes in `/etc/container_environment` when running startup scripts.
+
+<a name="envvar_security"></a>
+#### Security
+
+Because environment variables can potentially contain sensitive information, `/etc/container_environment` and its Bash and JSON dumps are by default owned by root, and accessible only by the `docker_env` group (so that any user added this group will have these variables automatically loaded).
+
+If you are sure that your environment variables don't contain sensitive data, then you can also relax the permissions on that directory and those files by making them world-readable:
+
+    RUN chmod 755 /etc/container_environment
+    RUN chmod 644 /etc/container_environment.sh /etc/container_environment.json
+
+<a name="workaroud_modifying_etc_hosts"></a>
+### Working around Docker's inability to modify /etc/hosts
+
+It is currently not possible to modify /etc/hosts inside a Docker container because of [Docker bug 2267](https://github.com/dotcloud/docker/issues/2267). Baseimage-docker includes a workaround for this. You have to be explicitly opt-in for the workaround.
+
+The workaround involves modifying a system library, libnss_files.so.2, so that it looks for the host file in /etc/workaround-docker-2267/hosts instead of /etc/hosts. Instead of modifying /etc/hosts, you modify /etc/workaround-docker-2267/hosts instead.
+
+Add this to your Dockerfile to opt-in for the workaround. This command modifies libnss_files.so.2 as described above.
+
+    RUN /usr/bin/workaround-docker-2267
+
+(You don't necessarily have to run this command from the Dockerfile. You can also run it from a shell inside the container.)
+
+To verify that it works, [open a bash shell in your container](#inspecting), modify /etc/workaround-docker-2267/hosts, and check whether it had any effect:
+
+    bash# echo 127.0.0.1 my-test-domain.com >> /etc/workaround-docker-2267/hosts
+    bash# ping my-test-domain.com
+    ...should ping 127.0.0.1...
+
+**Note on apt-get upgrading:** if any Ubuntu updates overwrite libnss_files.so.2, then the workaround is removed. You have to re-enable it by running `/usr/bin/workaround-docker-2267`. To be safe, you should run this command every time after running `apt-get upgrade`.
+
+<a name="disabling_ssh"></a>
+### Disabling SSH
+
+Baseimage-docker enables an SSH server by default, so that you can [use SSH](#login_ssh) to [administer your container](#container_administration). In case you do not want to enable SSH, here's how you can disable it:
+
+    RUN rm -rf /etc/service/sshd /etc/my_init.d/00_regen_ssh_host_keys.sh
+
+<a name="container_administration"></a>
+## Container administration
+
+One of the ideas behind Docker is that containers should be stateless, easily restartable, and behave like a black box. However, you may occasionally encounter situations where you want to login to a container, or to run a command inside a container, for development, inspection and debugging purposes. This section describes how you can administer the container for those purposes.
+
+<a name="oneshot"></a>
+### Running a one-shot command in a new container
+
+_**Note:** This section describes how to run a command insider a -new- container. To run a command inside an existing running container, see [Running a command in an existing, running container](#run_inside_existing_container)._
+
+Normally, when you want to create a new container in order to run a single command inside it, and immediately exit after the command exits, you invoke Docker like this:
 
     docker run YOUR_IMAGE COMMAND ARGUMENTS...
 
@@ -199,23 +345,148 @@ The following example runs `ls` without running the startup files and with less
     $ docker run phusion/baseimage:<VERSION> /sbin/my_init --skip-startup-files --quiet -- ls
     bin  boot  dev  etc  home  image  lib  lib64  media  mnt  opt  proc  root  run  sbin  selinux  srv  sys  tmp  usr  var
 
-<a name="login"></a>
+<a name="run_inside_existing_container"></a>
-### Login to the container via SSH
+### Running a command in an existing, running container
 
-You can use SSH to login to any container that is based on baseimage-docker.
+There are two ways to run a command inside an existing, running container.
 
-The first thing that you need to do is to ensure that you have the right SSH keys installed inside the container. By default, no keys are installed, so you can't login. For convenience reasons, we provide [a pregenerated, insecure key](https://github.com/phusion/baseimage-docker/blob/master/image/insecure_key) that you easily enable. However, please be aware that using this key is for convenience only. It does not provide any insecurity because this key (both the public and the private side) are publicly available. In production environments, you should use your own keys.
+ * Through the `nsenter` tool. This tool uses Linux kernel system calls in order to execute a command within the context of a container. Learn more in [Login to the container, or running a command inside it, via nsenter](#login_nsenter).
+ * Through SSH. This approach requires running an SSH daemon inside the container, and requires you to setup SSH keys. Learn more in [Login to the container, or running a command inside it, via SSH](#login_ssh).
 
-Edit your Dockerfile to install an SSH key:
+Both way have their own pros and cons, which you can learn in their respective subsections.
+
+<a name="login_nsenter"></a>
+### Login to the container, or running a command inside it, via nsenter
+
+You can use the `nsenter` tool on the Docker host OS to login to any container that is based on baseimage-docker. You can also use it to run a command inside a running container. `nsenter` works by using Linux kernel system calls.
+
+Here's how it compares to [using SSH to login to the container or to run a command inside it](#login_ssh):
+
+ * Pros
+   * Does not require running an SSH daemon inside the container.
+   * Does not require setting up SSH keys.
+   * Works on any container, even containers not based on baseimage-docker.
+ * Cons
+   * Processes executed by `nsenter` behave in a slightly different manner than normal. For example, they cannot be killed by any normal processes inside the container. This applies to all child processes as well.
+   * If the `nsenter` process is terminated by a signal (e.g. with the `kill` command), then the command that is executed by nsenter is *not* killed and cleaned up. You will have to do that manually. (Note that terminal control commands like Ctrl-C *do* clean up all child processes, because terminal signals are sent to all processes in the terminal session.)
+   * Requires learning another tool.
+   * Requires root privileges on the Docker host.
+   * Requires the `nsenter` tool to be available on the Docker host. At the time of writing (July 2014), most Linux distributions do not ship it. However, baseimage-docker provides a precompiled binary, and allows you to easily use it, through its [docker-bash](#docker_bash) tool.
+   * Not possible to allow users to login to the container without also letting them login to the Docker host.
+
+<a name="nsenter_usage"></a>
+#### Usage
+
+First, ensure that `nsenter` is installed. At the time of writing (July 2014), almost no Linux distribution ships the `nsenter` tool. However, we provide [a precompiled binary](#docker_bash) that anybody can use.
+
+Anyway, start a container:
+
+    docker run YOUR_IMAGE
+
+Find out the ID of the container that you just ran:
+
+    docker ps
+
+Once you have the ID, look for the PID of the main process inside the container.
+
+    docker inspect -f "{{ .State.Pid }}" <ID>
+
+Now that you have the container's main process PID, you can use `nsenter` to login to the container, or to execute a command inside it:
+
+    # Login to the container
+    nsenter --target <MAIN PROCESS PID> --mount --uts --ipc --net --pid bash -l
+
+    # Running a command inside the container
+    nsenter --target <MAIN PROCESS PID> --mount --uts --ipc --net --pid -- echo hello world
+
+<a name="docker_bash"></a>
+#### The `docker-bash` tool
+
+Looking up the main process PID of a container and typing the long nsenter command quickly becomes tedious. Luckily, we provide the `docker-bash` tool which automates this process. This tool is to be run on the *Docker host*, not inside a Docker container.
+
+This tool also comes with a precompiled `nsenter` binary, so that you don't have to install `nsenter` yourself. `docker-bash` works out-of-the-box!
+
+First, install the tool on the Docker host:
+
+    curl --fail -L -O https://github.com/phusion/baseimage-docker/archive/master.tar.gz && \
+    tar xzf master.tar.gz && \
+    sudo ./baseimage-docker-master/install-tools.sh
+
+Then run the tool as follows to login to a container:
+
+    docker-bash YOUR-CONTAINER-ID
+
+You can lookup `YOUR-CONTAINER-ID` by running `docker ps`.
+
+By default, `docker-bash` will open a Bash session. You can also tell it to run a command, and then exit:
+
+    docker-bash YOUR-CONTAINER-ID echo hello world
+
+<a name="login_ssh"></a>
+### Login to the container, or running a command inside it, via SSH
+
+You can use SSH to login to any container that is based on baseimage-docker. You can also use it to run a command inside a running container.
+
+Here's how it compares to [using nsenter to login to the container or to run a command inside it](#login_nsenter):
+
+ * Pros
+   * Does not require a tool like `nsenter` to be available on the Docker host. Virtually everybody already has an SSH client installed.
+   * There no surprises with processes behaving slightly differently than normal, as is the case when using `nsenter`.
+   * Does not require root privileges on the Docker host.
+   * Allows you to let users login to the container, without letting them login to the Docker host. However, this is not enabled by default because baseimage-docker does not expose the SSH server to the public Internet by default.
+ * Cons
+   * Requires setting up SSH keys. However, baseimage-docker makes this easy for many cases through a pregenerated, insecure key. Read on to learn more.
+
+The first thing that you need to do is to ensure that you have the right SSH keys installed inside the container. By default, no keys are installed, so you can't login. For convenience reasons, we provide [a pregenerated, insecure key](https://github.com/phusion/baseimage-docker/blob/master/image/insecure_key) [(PuTTY format)](https://github.com/phusion/baseimage-docker/blob/master/image/insecure_key.ppk) that you can easily enable. However, please be aware that using this key is for convenience only. It does not provide any security because this key (both the public and the private side) is publicly available. **In production environments, you should use your own keys**.
+
+<a name="using_the_insecure_key_for_one_container_only"></a>
+#### Using the insecure key for one container only
+
+You can temporarily enable the insecure key for one container only. This means that the insecure key is installed at container boot. If you `docker stop` and `docker start` the container, the insecure key will still be there, but if you use `docker run` to start a new container then that container will not contain the insecure key.
+
+Start a container with `--enable-insecure-key`:
+
+    docker run YOUR_IMAGE /sbin/my_init --enable-insecure-key
+
+Find out the ID of the container that you just ran:
+
+    docker ps
+
+Once you have the ID, look for its IP address with:
+
+    docker inspect -f "{{ .NetworkSettings.IPAddress }}" <ID>
+
+Now that you have the IP address, you can use SSH to login to the container, or to execute a command inside it:
+
+    # Download the insecure private key
+    curl -o insecure_key -fSL https://github.com/phusion/baseimage-docker/raw/master/image/insecure_key
+    chmod 600 insecure_key
+
+    # Login to the container
+    ssh -i insecure_key root@<IP address>
+
+    # Running a command inside the container
+    ssh -i insecure_key root@<IP address> echo hello world
+
+<a name="enabling_the_insecure_key_permanently"></a>
+#### Enabling the insecure key permanently
+
+It is also possible to enable the insecure key in the image permanently. This is not generally recommended, but it suitable for e.g. temporary development or demo environments where security does not matter.
+
+Edit your Dockerfile to install the insecure key permanently:
+
+    RUN /usr/sbin/enable_insecure_key
+
+Instructions for logging in the container is the same as in section [Using the insecure key for one container only](#using_the_insecure_key_for_one_container_only).
+
+<a name="using_your_own_key"></a>
+#### Using your own key
+
+Edit your Dockerfile to install an SSH public key:
 
     ## Install an SSH of your choice.
-    ADD your_key /tmp/your_key
+    ADD your_key.pub /tmp/your_key.pub
-    RUN cat /tmp/your_key >> /root/.ssh/authorized_keys && rm -f /tmp/your_key
+    RUN cat /tmp/your_key.pub >> /root/.ssh/authorized_keys && rm -f /tmp/your_key.pub
-
-    ## -OR-
-
-    ## Uncomment this to enable the insecure key.
-    # RUN /usr/sbin/enable_insecure_key
 
 Then rebuild your image. Once you have that, start a container based on that image:
 
@@ -227,19 +498,37 @@ Find out the ID of the container that you just ran:
 
 Once you have the ID, look for its IP address with:
 
-    docker inspect <ID> | grep IPAddress
+    docker inspect -f "{{ .NetworkSettings.IPAddress }}" <ID>
 
-Now SSH into the container as follows:
+Now that you have the IP address, you can use SSH to login to the container, or to execute a command inside it:
 
+    # Login to the container
     ssh -i /path-to/your_key root@<IP address>
 
-    # -OR-
+    # Running a command inside the container
+    ssh -i /path-to/your_key root@<IP address> echo hello world
+
+<a name="docker_ssh"></a>
+#### The `docker-ssh` tool
+
+Looking up the IP of a container and running an SSH command quickly becomes tedious. Luckily, we provide the `docker-ssh` tool which automates this process. This tool is to be run on the *Docker host*, not inside a Docker container.
+
+First, install the tool on the Docker host:
+
+    curl --fail -L -O https://github.com/phusion/baseimage-docker/archive/master.tar.gz && \
+    tar xzf master.tar.gz && \
+    sudo ./baseimage-docker-master/install-tools.sh
+
+Then run the tool as follows to login to a container using SSH:
+
+    docker-ssh YOUR-CONTAINER-ID
+
+You can lookup `YOUR-CONTAINER-ID` by running `docker ps`.
+
+By default, `docker-ssh` will open a Bash session. You can also tell it to run a command, and then exit:
+
+    docker-ssh YOUR-CONTAINER-ID echo hello world
 
-    # If you're using the insecure key, download it and SSH
-    # into the container using that key.
-    curl -o insecure_key -fSL https://github.com/phusion/baseimage-docker/raw/master/image/insecure_key
-    chmod 700 insecure_key
-    ssh -i insecure_key root@<IP address>
 
 <a name="building"></a>
 ## Building the image yourself
@@ -265,6 +554,7 @@ If you want to call the resulting image something else, pass the NAME variable,
 
     make build NAME=joe/baseimage
 
+
 <a name="conclusion"></a>
 ## Conclusion
 

Vagrantfile

@@ -1,31 +1,54 @@
 # -*- mode: ruby -*-
 # vi: set ft=ruby :
-ROOT = File.dirname(File.expand_path(__FILE__))
+ROOT = File.dirname(File.absolute_path(__FILE__))
 
 # Vagrantfile API/syntax version. Don't touch unless you know what you're doing!
-VAGRANTFILE_API_VERSION = "2"
+VAGRANTFILE_API_VERSION = '2'
+
+# Default env properties which can be overridden
+# Example overrides:
+#   echo "ENV['PASSENGER_DOCKER_PATH'] ||= '../../phusion/passenger-docker'   " >> ~/.vagrant.d/Vagrantfile
+#   echo "ENV['BASE_BOX_URL']          ||= 'd\:/dev/vm/vagrant/boxes/phusion/'" >> ~/.vagrant.d/Vagrantfile
+BASE_BOX_URL          = ENV['BASE_BOX_URL']    || 'https://oss-binaries.phusionpassenger.com/vagrant/boxes/latest/'
+VAGRANT_BOX_URL       = ENV['VAGRANT_BOX_URL'] || BASE_BOX_URL + 'ubuntu-14.04-amd64-vbox.box'
+VMWARE_BOX_URL        = ENV['VMWARE_BOX_URL']  || BASE_BOX_URL + 'ubuntu-14.04-amd64-vmwarefusion.box'
+BASEIMAGE_PATH        = ENV['BASEIMAGE_PATH' ] || '.'
+PASSENGER_DOCKER_PATH = ENV['PASSENGER_PATH' ] || '../passenger-docker'
+DOCKERIZER_PATH       = ENV['DOCKERIZER_PATH'] || '../dockerizer'
+
+$script = <<SCRIPT
+wget -q -O - https://get.docker.io/gpg | apt-key add -
+echo deb http://get.docker.io/ubuntu docker main > /etc/apt/sources.list.d/docker.list
+apt-get update -qq
+apt-get install -q -y --force-yes lxc-docker
+usermod -a -G docker vagrant
+docker version
+su - vagrant -c 'echo alias d=docker >> ~/.bash_aliases'
+SCRIPT
 
 Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
-  config.vm.box = "phusion-open-ubuntu-12.04-amd64"
+  config.vm.box = 'phusion-open-ubuntu-14.04-amd64'
-  config.vm.box_url = "https://oss-binaries.phusionpassenger.com/vagrant/boxes/ubuntu-12.04.3-amd64-vbox.box"
+  config.vm.box_url = VAGRANT_BOX_URL
   config.ssh.forward_agent = true
-  if File.directory?("#{ROOT}/../passenger-docker")
+  passenger_docker_path = File.absolute_path(PASSENGER_DOCKER_PATH, ROOT)
-    config.vm.synced_folder File.expand_path("#{ROOT}/../passenger-docker"),
+  if File.directory?(passenger_docker_path)
-      "/vagrant/passenger-docker"
+    config.vm.synced_folder passenger_docker_path, '/vagrant/passenger-docker'
+  end
+  baseimage_path = File.absolute_path(BASEIMAGE_PATH, ROOT)
+  if File.directory?(baseimage_path)
+    config.vm.synced_folder baseimage_path, "/vagrant/baseimage-docker"
+  end
+  dockerizer_path = File.absolute_path(DOCKERIZER_PATH, ROOT)
+  if File.directory?(dockerizer_path)
+    config.vm.synced_folder dockerizer_path, '/vagrant/dockerizer'
   end
 
   config.vm.provider :vmware_fusion do |f, override|
-    override.vm.box_url = "https://oss-binaries.phusionpassenger.com/vagrant/boxes/ubuntu-12.04.3-amd64-vmwarefusion.box"
+    override.vm.box_url = VMWARE_BOX_URL
-    f.vmx["displayName"] = "baseimage-docker"
+    f.vmx['displayName'] = 'baseimage-docker'
   end
 
   if Dir.glob("#{File.dirname(__FILE__)}/.vagrant/machines/default/*/id").empty?
-    # Add lxc-docker package
+    config.vm.provision :shell, :inline => $script
-    pkg_cmd = "wget -q -O - https://get.docker.io/gpg | apt-key add -;" \
-      "echo deb http://get.docker.io/ubuntu docker main > /etc/apt/sources.list.d/docker.list;" \
-      "apt-get update -qq; apt-get install -q -y --force-yes lxc-docker; "
-    # Add vagrant user to the docker group
-    pkg_cmd << "usermod -a -G docker vagrant; "
-    config.vm.provision :shell, :inline => pkg_cmd
   end
 end

image/00_regen_ssh_host_keys.sh

@@ -2,5 +2,7 @@
 set -e
 if [[ ! -e /etc/ssh/ssh_host_rsa_key ]]; then
 	echo "No SSH host key available. Generating one..."
+	export LC_ALL=C
+	export DEBIAN_FRONTEND=noninteractive
 	dpkg-reconfigure openssh-server
 fi

image/Dockerfile

@@ -1,4 +1,4 @@
-FROM ubuntu:12.04
+FROM ubuntu:14.04
 MAINTAINER Phusion <info@phusion.nl>
 
 ENV HOME /root
@@ -11,4 +11,3 @@ RUN /build/prepare.sh && \
 	/build/cleanup.sh
 
 CMD ["/sbin/my_init"]
-EXPOSE 22 80 443

image/bin/enable_insecure_key

@@ -0,0 +1,30 @@
+#!/bin/bash
+set -e
+
+AUTHORIZED_KEYS=/root/.ssh/authorized_keys
+
+if [[ -e "$AUTHORIZED_KEYS" ]] && grep -q baseimage-docker-insecure-key "$AUTHORIZED_KEYS"; then
+	echo "Insecure key has already been added to $AUTHORIZED_KEYS."
+else
+	DIR=`dirname "$AUTHORIZED_KEYS"`
+	echo "Creating directory $DIR..."
+	mkdir -p "$DIR"
+	chmod 700 "$DIR"
+	chown root:root "$DIR"
+	echo "Editing $AUTHORIZED_KEYS..."
+	cat /etc/insecure_key.pub >> "$AUTHORIZED_KEYS"
+	echo "Success: insecure key has been added to $AUTHORIZED_KEYS"
+	cat <<-EOF
+
+		+------------------------------------------------------------------------------+
+		| Insecure SSH key installed                                                   |
+		|                                                                              |
+		| DO NOT expose port 22 on the Internet unless you know what you are doing!    |
+		|                                                                              |
+		| Use the private key below to connect with user root                         |
+		+------------------------------------------------------------------------------+
+
+	EOF
+	cat /etc/insecure_key
+	echo -e "\n\n"
+fi

image/bin/my_init

@@ -1,5 +1,5 @@
-#!/usr/bin/python2
+#!/usr/bin/python3 -u
-import os, sys, stat, signal, errno, argparse, time
+import os, os.path, sys, stat, signal, errno, argparse, time, json, re
 
 KILL_PROCESS_TIMEOUT = 5
 KILL_ALL_PROCESSES_TIMEOUT = 5
@@ -11,6 +11,8 @@ LOG_LEVEL_DEBUG = 3
 
 log_level = None
 
+terminated_child_processes = {}
+
 class AlarmException(Exception):
 	pass
 
@@ -20,15 +22,15 @@ def error(message):
 
 def warn(message):
 	if log_level >= LOG_LEVEL_WARN:
-		print("*** %s" % message)
+		sys.stderr.write("*** %s\n" % message)
 
 def info(message):
 	if log_level >= LOG_LEVEL_INFO:
-		print("*** %s" % message)
+		sys.stderr.write("*** %s\n" % message)
 
 def debug(message):
 	if log_level >= LOG_LEVEL_DEBUG:
-		print("*** %s" % message)
+		sys.stderr.write("*** %s\n" % message)
 
 def ignore_signals_and_raise_keyboard_interrupt(signame):
 	signal.signal(signal.SIGTERM, signal.SIG_IGN)
@@ -54,12 +56,82 @@ def is_exe(path):
 	except OSError:
 		return False
 
+def create_hosts_file():
+	run_command_killable("/bin/cp", "/etc/hosts", "/etc/workaround-docker-2267/")
+
+def import_envvars(clear_existing_environment = True, override_existing_environment = True):
+	new_env = {}
+	for envfile in listdir("/etc/container_environment"):
+		name = os.path.basename(envfile)
+		with open("/etc/container_environment/" + envfile, "r") as f:
+			# Text files often end with a trailing newline, which we
+			# don't want to include in the env variable value. See
+			# https://github.com/phusion/baseimage-docker/pull/49
+			value = re.sub('\n\Z', '', f.read())
+		new_env[name] = value
+	if clear_existing_environment:
+		os.environ.clear()
+	for name, value in new_env.items():
+		if override_existing_environment or not name in os.environ:
+			os.environ[name] = value
+
+def export_envvars(to_dir = True):
+	shell_dump = ""
+	for name, value in os.environ.items():
+		if name in ['HOME', 'USER', 'GROUP', 'UID', 'GID', 'SHELL']:
+			continue
+		if to_dir:
+			with open("/etc/container_environment/" + name, "w") as f:
+				f.write(value)
+		shell_dump += "export " + shquote(name) + "=" + shquote(value) + "\n"
+	with open("/etc/container_environment.sh", "w") as f:
+		f.write(shell_dump)
+	with open("/etc/container_environment.json", "w") as f:
+		f.write(json.dumps(dict(os.environ)))
+
+_find_unsafe = re.compile(r'[^\w@%+=:,./-]').search
+
+def shquote(s):
+	"""Return a shell-escaped version of the string *s*."""
+	if not s:
+		return "''"
+	if _find_unsafe(s) is None:
+		return s
+
+	# use single quotes, and put single quotes into double quotes
+	# the string $'b is then quoted as '$'"'"'b'
+	return "'" + s.replace("'", "'\"'\"'") + "'"
+
+# Waits for the child process with the given PID, while at the same time
+# reaping any other child processes that have exited (e.g. adopted child
+# processes that have terminated).
 def waitpid_reap_other_children(pid):
+	global terminated_child_processes
+
+	status = terminated_child_processes.get(pid)
+	if status:
+		# A previous call to waitpid_reap_other_children(),
+		# with an argument not equal to the current argument,
+		# already waited for this process. Return the status
+		# that was obtained back then.
+		del terminated_child_processes[pid]
+		return status
+
 	done = False
 	status = None
 	while not done:
-		this_pid, status = os.waitpid(-1, 0)
+		try:
-		done = this_pid == pid
+			this_pid, status = os.waitpid(-1, 0)
+			if this_pid == pid:
+				done = True
+			else:
+				# Save status for later.
+				terminated_child_processes[this_pid] = status
+		except OSError as e:
+			if e.errno == errno.ECHILD or e.errno == errno.ESRCH:
+				return None
+			else:
+				raise
 	return status
 
 def stop_child_process(name, pid, signo = signal.SIGTERM, time_limit = KILL_PROCESS_TIMEOUT):
@@ -75,7 +147,7 @@ def stop_child_process(name, pid, signo = signal.SIGTERM, time_limit = KILL_PROC
 		except OSError:
 			pass
 	except AlarmException:
-		warn("%s (PID %d) did not shut down in time. Forcing it to exit.")
+		warn("%s (PID %d) did not shut down in time. Forcing it to exit." % (name, pid))
 		try:
 			os.kill(pid, signal.SIGKILL)
 		except OSError:
@@ -98,9 +170,17 @@ def run_command_killable(*argv):
 		stop_child_process(filename, pid)
 		raise
 	if status != 0:
-		error("%s failed with exit code %d\n" % (filename, status))
+		if status is None:
+			error("%s exited with unknown status\n" % filename)
+		else:
+			error("%s failed with status %d\n" % (filename, os.WEXITSTATUS(status)))
 		sys.exit(1)
 
+def run_command_killable_and_import_envvars(*argv):
+	run_command_killable(*argv)
+	import_envvars()
+	export_envvars(False)
+
 def kill_all_processes(time_limit):
 	info("Killing all processes...")
 	try:
@@ -134,17 +214,17 @@ def run_startup_files():
 		filename = "/etc/my_init.d/" + name
 		if is_exe(filename):
 			info("Running %s..." % filename)
-			run_command_killable(filename)
+			run_command_killable_and_import_envvars(filename)
 
 	# Run /etc/rc.local.
 	if is_exe("/etc/rc.local"):
 		info("Running /etc/rc.local...")
-		run_command_killable("/etc/rc.local")
+		run_command_killable_and_import_envvars("/etc/rc.local")
 
 def start_runit():
 	info("Booting runit daemon...")
 	pid = os.spawnl(os.P_NOWAIT, "/usr/bin/runsvdir", "/usr/bin/runsvdir",
-		"-P", "/etc/service", "log: %s" % ('.' * 395))
+		"-P", "/etc/service")
 	info("Runit started as PID %d" % pid)
 	return pid
 
@@ -167,7 +247,18 @@ def wait_for_runit_services():
 		if not done:
 			time.sleep(0.1)
 
+def install_insecure_key():
+	info("Installing insecure SSH key for user root")
+	run_command_killable("/usr/sbin/enable_insecure_key")
+
 def main(args):
+	create_hosts_file()
+	import_envvars(False, False)
+	export_envvars()
+
+	if args.enable_insecure_key:
+		install_insecure_key()
+
 	if not args.skip_startup_files:
 		run_startup_files()
 	
@@ -177,23 +268,35 @@ def main(args):
 	if not args.skip_runit:
 		runit_pid = start_runit()
 	try:
+		exit_status = None
 		if len(args.main_command) == 0:
 			runit_exited, exit_code = wait_for_runit_or_interrupt(runit_pid)
 			if runit_exited:
-				info("Runit exited with code %d" % exit_code)
+				if exit_code is None:
+					info("Runit exited with unknown status")
+					exit_status = 1
+				else:
+					exit_status = os.WEXITSTATUS(exit_code)
+					info("Runit exited with status %d" % exit_status)
 		else:
 			info("Running %s..." % " ".join(args.main_command))
 			pid = os.spawnvp(os.P_NOWAIT, args.main_command[0], args.main_command)
 			try:
 				exit_code = waitpid_reap_other_children(pid)
-				info("%s exited with exit code %d." % (args.main_command[0], exit_code))
+				if exit_code is None:
+					info("%s exited with unknown status." % args.main_command[0])
+					exit_status = 1
+				else:
+					exit_status = os.WEXITSTATUS(exit_code)
+					info("%s exited with status %d." % (args.main_command[0], exit_status))
 			except KeyboardInterrupt:
 				stop_child_process(args.main_command[0], pid)
+				raise
 			except BaseException as s:
 				warn("An error occurred. Aborting.")
 				stop_child_process(args.main_command[0], pid)
 				raise
-		sys.exit(exit_code)
+		sys.exit(exit_status)
 	finally:
 		if not args.skip_runit:
 			shutdown_runit_services()
@@ -205,6 +308,9 @@ def main(args):
 parser = argparse.ArgumentParser(description = 'Initialize the system.')
 parser.add_argument('main_command', metavar = 'MAIN_COMMAND', type = str, nargs = '*',
 	help = 'The main command to run. (default: runit)')
+parser.add_argument('--enable-insecure-key', dest = 'enable_insecure_key',
+	action = 'store_const', const = True, default = False,
+	help = 'Install the insecure SSH key')
 parser.add_argument('--skip-startup-files', dest = 'skip_startup_files',
 	action = 'store_const', const = True, default = False,
 	help = 'Skip running /etc/my_init.d/* and /etc/rc.local')

image/bin/setuser

@@ -1,4 +1,4 @@
-#!/usr/bin/python2
+#!/usr/bin/python3
 import sys, os, pwd
 
 if len(sys.argv) < 3:

image/bin/workaround-docker-2267

@@ -0,0 +1,2 @@
+#!/bin/sh
+exec /usr/bin/perl -pi -e 's:/etc/hosts:/cte/hosts:g' /lib/x86_64-linux-gnu/libnss_files.so.2

image/cleanup.sh

@@ -6,5 +6,7 @@ set -x
 apt-get clean
 rm -rf /build
 rm -rf /tmp/* /var/tmp/*
+rm -rf /var/lib/apt/lists/*
+rm -f /etc/dpkg/dpkg.cfg.d/02apt-speedup
 
 rm -f /etc/ssh/ssh_host_*

image/config/sshd_config

@@ -101,7 +101,7 @@ ChallengeResponseAuthentication no
 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
 #GatewayPorts no
-#X11Forwarding no
+X11Forwarding yes
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PrintMotd yes
@@ -123,13 +123,10 @@ ChallengeResponseAuthentication no
 #Banner none
 
 # override default of no subsystems
-Subsystem	sftp	/usr/lib/sftp-server
+Subsystem	sftp	/usr/lib/openssh/sftp-server
 
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
 #	X11Forwarding no
 #	AllowTcpForwarding no
 #	ForceCommand cvs server
-
-# XAuthLocation added by XQuartz (http://xquartz.macosforge.org)
-XAuthLocation /opt/X11/bin/xauth

image/config/syslog_ng_default

@@ -0,0 +1,12 @@
+# If a variable is not set here, then the corresponding
+# parameter will not be changed.
+# If a variables is set, then every invocation of
+# syslog-ng's init script will set them using dmesg.
+
+# log level of messages which should go to console
+# see syslog(3) for details
+#
+#CONSOLE_LOG_LEVEL=1
+
+# Command line options to syslog-ng
+SYSLOGNG_OPTS="--no-caps"

image/enable_insecure_key

@@ -1,17 +0,0 @@
-#!/bin/bash
-set -e
-
-AUTHORIZED_KEYS=/root/.ssh/authorized_keys
-
-if [[ -e "$AUTHORIZED_KEYS" ]] && grep -q baseimage-docker-insecure-key "$AUTHORIZED_KEYS"; then
-	echo "Insecure key has already been added to $AUTHORIZED_KEYS."
-else
-	DIR=`dirname "$AUTHORIZED_KEYS"`
-	echo "Creating directory $DIR..."
-	mkdir -p "$DIR"
-	chmod 700 "$DIR"
-	chown root:root "$DIR"
-	echo "Editing $AUTHORIZED_KEYS..."
-	cat /etc/insecure_key.pub > "$AUTHORIZED_KEYS"
-	echo "Success: insecure key has been added to $AUTHORIZED_KEYS"
-fi

image/insecure_key.ppk

@@ -0,0 +1,26 @@
+PuTTY-User-Key-File-2: ssh-rsa
+Encryption: none
+Comment: imported-openssh-key
+Public-Lines: 6
+AAAAB3NzaC1yc2EAAAADAQABAAABAQDVmzBG5v7cO9IScGLIzlhGlHNFhXzy87Vf
+aPzru7qnIIdQ1e9FEKvtqEws8hVixnCUdviwX5lvcMk4Ef4Tbrmj3dyF0zFtYbji
+TSyl/XQlF68DQlc2sTAdHy96wJHvh7ky511tKJzzyWwSqeef4WjeVK28TqcGnq1u
+p0S7saFO0dJh6OfDAg2cDmhyweR3VgT0vZJyrDV7hte95MBCdK+Gp7fdCyEZcWm3
+S1DBFaeBqHzzt/Y/njAVKbYL9TIVPum8iMg0rMiLi9ShfP+dT5Xud5Oa3dcN2OWh
+iDfJw5pfhFJWd44cJ/uGRwQpvNs/PNKsYABhgLlTMUH4iawhu1Xb
+Private-Lines: 14
+AAABAQCjROxgtX2Gft7yIx8Ol9IXmK6HLCI2XZt7ovb3hFWGGzHy0qMBql2P2Tzo
+ed1o038Hq+woe9n+uTnEdtQ6rD6PByzgyW2VSsWTjCOdeJ5HH9Qw7ItXDZZWHBkh
+fYHOkXI4e2oI3qshGAtYNLALn7KVhioJriCyyaSM2KOLx5khcY+EJ1inQfwQJKqP
+GsdKc72liz07T8ifRj+mNLKtwrxlK3IXYfIdgLp/1pCKdrC80DhprMsD4xvNgq4p
+CR9jd4FoqM9t/Up5ppTm+p6A/bDwdIPh6cFFeyMP+G3+bTlW1Gg7RLoNCc6qh53W
+WVgEOQqdLHcQ8Ge4RLmbwLUmnRuRAAAAgQD312H46T2YvKzyEKbsddwbO8WktfxW
+vVqqxH6z6bRXVFR3hQhmPKjlFXsD74h3W7NJwe9WJ5Pf3vemoBWIo0Hak0M1Z6WC
+OIvBohpOYDzIgdlGHifx2ZiAd47Vsn+mfxjtISdWupl9Fw98yRjahWosKmmIHTtR
+cIfYHB9ztpR8owAAAIEA3KNMYMFgenE+7q4pwat4t3RKA7rU8SPto5I1+sEHY8rz
+cD7ONkIVlEhaqN+uTEYbr5rZa4dsQe4Ia+7ZXmO4djFsAP/fyJX+VCX/bHK83V5H
+9toTdRLTqqfqJ3GOeZ41kPIN6UDHVEa4S8tfVM0DMNPEHBjLMfdbZGkoBQAPXWkA
+AACBAJV/Bxr1jJohvmURQf/9y6MvO2wcRpTdKVLQhEnGm2cXQdh5CPVae2K+u0CG
+d8u0/PDIZMGpueCQo4lft02W0skTDo5Kn+1IUwmQuoRzanVJ5ab+GyVnlouRLp/J
+bWMQZ3pjXNkBsQOK/igrKYvqUb1jRsy9zxVQRl4i7JjjLpe/
+Private-MAC: ef1e472b5254ae2c5319a522d39ad31d432dde75

image/prepare.sh

@@ -3,22 +3,47 @@ set -e
 source /build/buildconfig
 set -x
 
-## Enable Ubuntu Universe.
+## Temporarily disable dpkg fsync to make building faster.
-echo deb http://archive.ubuntu.com/ubuntu precise main universe > /etc/apt/sources.list
+echo force-unsafe-io > /etc/dpkg/dpkg.cfg.d/02apt-speedup
-echo deb http://archive.ubuntu.com/ubuntu precise-updates main universe >> /etc/apt/sources.list
-apt-get update
 
-## Install HTTPS support for APT.
+## Prevent initramfs updates from trying to run grub and lilo.
-$minimal_apt_get_install apt-transport-https
+## https://journal.paul.querna.org/articles/2013/10/15/docker-ubuntu-on-rackspace/
+## http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594189
+export INITRD=no
+mkdir -p /etc/container_environment
+echo -n no > /etc/container_environment/INITRD
+
+## Enable Ubuntu Universe and Multiverse.
+sed -i 's/^#\s*\(deb.*universe\)$/\1/g' /etc/apt/sources.list
+sed -i 's/^#\s*\(deb.*multiverse\)$/\1/g' /etc/apt/sources.list
+apt-get update
 
 ## Fix some issues with APT packages.
 ## See https://github.com/dotcloud/docker/issues/1024
 dpkg-divert --local --rename --add /sbin/initctl
 ln -sf /bin/true /sbin/initctl
 
+## Replace the 'ischroot' tool to make it always return true.
+## Prevent initscripts updates from breaking /dev/shm.
+## https://journal.paul.querna.org/articles/2013/10/15/docker-ubuntu-on-rackspace/
+## https://bugs.launchpad.net/launchpad/+bug/974584
+dpkg-divert --local --rename --add /usr/bin/ischroot
+ln -sf /bin/true /usr/bin/ischroot
+
+## Workaround https://github.com/dotcloud/docker/issues/2267,
+## not being able to modify /etc/hosts.
+mkdir -p /etc/workaround-docker-2267
+ln -s /etc/workaround-docker-2267 /cte
+cp /build/bin/workaround-docker-2267 /usr/bin/
+
+## Install HTTPS support for APT.
+$minimal_apt_get_install apt-transport-https ca-certificates
+
+## Install add-apt-repository
+$minimal_apt_get_install software-properties-common
+
 ## Upgrade all packages.
-echo "initscripts hold" | dpkg --set-selections
+apt-get dist-upgrade -y --no-install-recommends
-apt-get upgrade -y --no-install-recommends
 
 ## Fix locale.
 $minimal_apt_get_install language-pack-en

image/runit/syslog-ng

@@ -1,3 +1,32 @@
 #!/bin/sh
 set -e
-exec syslog-ng -F -p /var/run/syslog-ng.pid
+
+# If /dev/log is either a named pipe or it was placed there accidentally,
+# e.g. because of the issue documented at https://github.com/phusion/baseimage-docker/pull/25,
+# then we remove it.
+if [ ! -S /dev/log ]; then rm -f /dev/log; fi
+if [ ! -S /var/lib/syslog-ng/syslog-ng.ctl ]; then rm -f /var/lib/syslog-ng/syslog-ng.ctl; fi
+
+SYSLOGNG_OPTS=""
+
+[ -r /etc/default/syslog-ng ] && . /etc/default/syslog-ng
+
+case "x$CONSOLE_LOG_LEVEL" in
+  x[1-8])
+    dmesg -n $CONSOLE_LOG_LEVEL
+    ;;
+  x)
+    ;;
+  *)
+    echo "CONSOLE_LOG_LEVEL is of unaccepted value."
+    ;;
+esac
+
+if [ ! -e /dev/xconsole ]
+then
+  mknod -m 640 /dev/xconsole p
+  chown root:adm /dev/xconsole
+  [ -x /sbin/restorecon ] && /sbin/restorecon $XCONSOLE
+fi
+
+exec syslog-ng -F -p /var/run/syslog-ng.pid $SYSLOGNG_OPTS

image/system_services.sh

@@ -4,8 +4,17 @@ source /build/buildconfig
 set -x
 
 ## Install init process.
-cp /build/my_init /sbin/
+cp /build/bin/my_init /sbin/
 mkdir -p /etc/my_init.d
+mkdir -p /etc/container_environment
+touch /etc/container_environment.sh
+touch /etc/container_environment.json
+chmod 700 /etc/container_environment
+
+groupadd -g 8377 docker_env
+chown :docker_env /etc/container_environment.sh /etc/container_environment.json
+chmod 640 /etc/container_environment.sh /etc/container_environment.json
+ln -s /etc/container_environment.sh /etc/profile.d/
 
 ## Install runit.
 $minimal_apt_get_install runit
@@ -15,6 +24,13 @@ $minimal_apt_get_install syslog-ng-core
 mkdir /etc/service/syslog-ng
 cp /build/runit/syslog-ng /etc/service/syslog-ng/run
 mkdir -p /var/lib/syslog-ng
+cp /build/config/syslog_ng_default /etc/default/syslog-ng
+# Replace the system() source because inside Docker we
+# can't access /proc/kmsg.
+sed -i -E 's/^(\s*)system\(\);/\1unix-stream("\/dev\/log");/' /etc/syslog-ng/syslog-ng.conf
+
+## Install logrotate.
+$minimal_apt_get_install logrotate
 
 ## Install the SSH server.
 $minimal_apt_get_install openssh-server
@@ -29,11 +45,16 @@ mkdir -p /root/.ssh
 chmod 700 /root/.ssh
 chown root:root /root/.ssh
 cp /build/insecure_key.pub /etc/insecure_key.pub
-chmod 644 /etc/insecure_key.pub
+cp /build/insecure_key /etc/insecure_key
-chown root:root /etc/insecure_key.pub
+chmod 644 /etc/insecure_key*
-cp /build/enable_insecure_key /usr/sbin/
+chown root:root /etc/insecure_key*
+cp /build/bin/enable_insecure_key /usr/sbin/
 
 ## Install cron daemon.
 $minimal_apt_get_install cron
 mkdir /etc/service/cron
 cp /build/runit/cron /etc/service/cron/run
+
+## Remove useless cron entries.
+# Checks for lost+found and scans for mtab.
+rm -f /etc/cron.daily/standard

image/utilities.sh

@@ -7,4 +7,4 @@ set -x
 $minimal_apt_get_install curl less nano vim psmisc
 
 ## This tool runs a command as another user and sets $HOME.
-cp /build/setuser /sbin/setuser
+cp /build/bin/setuser /sbin/setuser

install-tools.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+set -e
+dir=`dirname "$0"`
+cd "$dir"
+
+set -x
+cp tools/docker-bash /usr/local/bin/
+cp tools/docker-ssh /usr/local/bin/
+cp tools/baseimage-docker-nsenter /usr/local/bin/
+mkdir -p /usr/local/share/baseimage-docker
+cp image/insecure_key /usr/local/share/baseimage-docker/
+chmod 644 /usr/local/share/baseimage-docker/insecure_key

test/runner.sh

@@ -12,19 +12,12 @@ function cleanup()
 	echo " --> Stopping container"
 	docker stop $ID >/dev/null
 	docker rm $ID >/dev/null
-	docker rmi baseimage_test >/dev/null 2>/dev/null
 }
 
 PWD=`pwd`
 
-echo " --> Preparing container"
+echo " --> Starting insecure container"
-ID=`docker run -d $NAME:$VERSION enable_insecure_key`
+ID=`docker run -d -v $PWD/test:/test $NAME:$VERSION /sbin/my_init --enable-insecure-key`
-docker wait $ID >/dev/null
-docker commit $ID baseimage_test >/dev/null
-docker rm $ID >/dev/null
-
-echo " --> Starting container"
-ID=`docker run -d -v $PWD/test:/test baseimage_test /sbin/my_init`
 sleep 1
 
 echo " --> Obtaining IP"

tools/README.md

@@ -0,0 +1 @@
+baseimage-docker-nsenter is the nsenter tool taken from https://github.com/jpetazzo/nsenter, commit 10ce18a7a32. It has been stripped in order to make it smaller.

tools/docker-bash

@@ -0,0 +1,29 @@
+#!/bin/sh
+set -e
+
+SELFDIR=`dirname "$0"`
+SELFDIR=`cd "$SELFDIR" && pwd`
+
+usage()
+{
+	echo "Usage: docker-bash <CONTAINER_ID> [COMMAND...]"
+	echo "Login to a Baseimage-based Docker container using nsenter." \
+		"If COMMAND is not given, opens an interactive shell." \
+		"Otherwise, runs COMMAND inside the container."
+}
+
+if test $# = 0; then
+	usage
+	exit
+fi
+
+CONTAINER_ID="$1"
+shift
+
+PID=`docker inspect -f "{{ .State.Pid }}" "$CONTAINER_ID"`
+if test $# = 0; then
+	exec "$SELFDIR/baseimage-docker-nsenter" --target "$PID" --mount --uts --ipc --net --pid -- /bin/bash -l
+else
+	exec "$SELFDIR/baseimage-docker-nsenter" --target "$PID" --mount --uts --ipc --net --pid -- "$@"
+fi
+

tools/docker-ssh

@@ -0,0 +1,81 @@
+#!/bin/sh
+set -e
+
+KNOWN_HOSTS_FILE=
+IP=
+
+usage()
+{
+	echo "Usage: docker-ssh <CONTAINER_ID> [COMMAND...]"
+	echo "Login to a Baseimage-based Docker container using SSH." \
+		"If COMMAND is not given, opens an interactive shell." \
+		"Otherwise, runs COMMAND inside the container."
+}
+
+cleanup()
+{
+	local pids=`jobs -p`
+	if test "$pids" != ""; then
+		kill $pids
+	fi
+
+	if test "$KNOWN_HOSTS_FILE" != ""; then
+		rm -f "$KNOWN_HOSTS_FILE"
+	fi
+}
+
+if test $# = 0; then
+	usage
+	exit
+fi
+
+CONTAINER_ID="$1"
+shift
+
+trap cleanup EXIT
+
+if ! test -e ~/.baseimage_docker_insecure_key; then
+	if test -e /usr/local/share/baseimage-docker/insecure_key; then
+		cp /usr/local/share/baseimage-docker/insecure_key ~/.baseimage_docker_insecure_key
+	else
+		dir=`dirname "$0"`
+		dir=`cd "$dir/.." && pwd`
+		if test -e "$dir/image/insecure_key"; then
+			cp "$dir/image/insecure_key" ~/.baseimage_docker_insecure_key
+		else
+			echo "*** ERROR ***: Baseimage-docker insecure key not found." >&2
+			echo "You probably didn't install docker-ssh properly. Please reinstall it:" >&2
+			echo "" >&2
+			echo "  curl --fail -L -O https://github.com/phusion/baseimage-docker/archive/master.tar.gz && \\" >&2
+			echo "  tar xzf master.tar.gz && \\" >&2
+			echo "  sudo ./baseimage-docker-master/install-tools.sh" >&2
+			exit 1
+		fi
+	fi
+	chown "`whoami`": ~/.baseimage_docker_insecure_key
+	chmod 600 ~/.baseimage_docker_insecure_key
+fi
+
+KNOWN_HOSTS_FILE=`mktemp /tmp/docker-ssh.XXXXXXXXX`
+IP=`docker inspect -f "{{ .NetworkSettings.IPAddress }}" "$CONTAINER_ID"`
+
+# Prevent SSH from warning about adding a host to the known_hosts file.
+ssh-keyscan "$IP" >"$KNOWN_HOSTS_FILE" 2>&1
+
+if ! ssh -i ~/.baseimage_docker_insecure_key \
+	-o UserKnownHostsFile="$KNOWN_HOSTS_FILE" \
+	-o StrictHostKeyChecking=no \
+	-o PasswordAuthentication=no \
+	-o KbdInteractiveAuthentication=no \
+	-o ChallengeResponseAuthentication=no \
+	"root@$IP" "$@"
+then
+	STATUS=$?
+	if test $# = 0; then
+		echo "----------------"
+		echo "It appears that login to the Docker container failed. This could be caused by the following reasons:"
+		echo "- The Docker container you're trying to login to is not based on Baseimage-docker. The docker-ssh tool only works with Baseimage-docker-based containers."
+		echo "- You did not enable the the insecure key inside the container. Please read https://github.com/phusion/baseimage-docker/blob/master/README.md#login to learn how to enable the insecure key."
+	fi
+	exit $STATUS
+fi