Update changelog

Officially support nsenter
Update Changelog
2026-03-26 12:29:07 +00:00 · 2014-07-16 21:07:59 +02:00 · 2014-07-16 21:07:49 +02:00 · 2014-07-13 23:59:40 +02:00 · 2014-07-13 23:58:19 +02:00 · 2014-07-13 23:09:52 +02:00
22 changed files with 578 additions and 145 deletions
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -0,0 +1,5 @@
 Hey, thanks for wanting to contribute to baseimage-docker. :)
 If you have a question, please use the [discussion forum](https://groups.google.com/d/forum/passenger-docker). The Github issue tracker is only for **bug reports and feature requests**.
 If you want to develop baseimage-docker, use the Vagrantfile in the repository. It will setup an Ubuntu VM with Docker installed in it. Use the Makefile to build the image.
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,3 +1,43 @@
 ## 0.9.12 (not yet released)
 * We now officially support `nsenter` as an alternative way to login to the container. With official support, we mean that we've provided extensive documentation on how to use `nsenter`, as well as related convenience tools. However, because `nsenter` has various issues, and for backward compatibility reasons, we still support SSH. Please refer to the README for details about `nsenter`, and what the pros and cons are compared to SSH.
   * The `docker-bash` tool has been modified to use `nsenter` instead of SSH.
   * What was previously the `docker-bash` tool, has now been renamed to `docker-ssh`. It now also works on a regular sh shell too, instead of bash specifically.
 * Added a workaround for Docker's inability to modify /etc/hosts in the container ([Docker bug 2267](https://github.com/dotcloud/docker/issues/2267)). Please refer to the README for details.
 * Fixed an issue with SSH X11 forwarding. Thanks to Anatoly Bubenkov. Closes GH-105.
 * The init system now prints its own log messages to stderr. Thanks to mephi42. Closes GH-106.
 ## 0.9.11 (release date: 2014-06-24)
 * Introduced the `docker-bash` tool. This is a shortcut tool for logging into a container using SSH. Usage: `docker-bash <CONTAINER ID>`. See the README for details.
 * Fixed various process waiting issues in `my_init`. Closes GH-27, GH-82 and GH-83. Thanks to André Luiz dos Santos and Paul Annesley.
 * The `ca-certificates` package is now installed by default. This is because we include `apt-transport-https`, but Ubuntu 14.04 no longer installs `ca-certificates` by default anymore. Closes GH-73.
 * Output print by Runit services are now redirected to the Docker logs instead of to proctitle. Thanks to Paul Annesley.
 * Container environment variables are now made available to SSH root shells. If you login with SSH through a non-root account, then container environment variables are only made available if that user is a member of the `docker_env` group. Thanks to Bernard Potocki.
 * `add-apt-repository` is now installed by default. Closes GH-74.
 * Various minor fixes and contributions thanks to yebyen, John Eckhart, Christoffer Sawicki and Brant Fitzsimmons.
 ## 0.9.10 (release date: 2014-05-12)
 * Upgraded to Ubuntu 14.04 (Trusty). We will no longer release images based on 12.04.
   Thanks to contributions by mpeterson, Paul Jimenez, Santiago M. Mola and Kingdon Barrett.
 * Fixed a problem with my_init not correctly passing child processes' exit status. Fixes GH-45.
 * When reading environment variables from /etc/container_environment, the trailing newline (if any) is ignored. This makes commands like this work, without unintentially adding a newline to the environment variable value:
        echo my_value > /etc/container_environment/FOO
   If you intended on adding a newline to the value, ensure you have *two* trailing newlines:
        echo -e "my_value\n" > /etc/container_environment/FOO
 * It was not possible to use `docker run -e` to override environment variables defined in /etc/container_environment. This has been fixed (GH-52). Thanks to Stuart Campbell for reporting this bug.
 ## 0.9.9 (release date: 2014-03-25)
 * Fixed a problem with rssh. (Slawomir Chodnicki)
 * The `INITRD` environment variable is now set in the container by default. This prevents updates to the `initramfs` from running grub or lilo.
 * The `ischroot` tool in Ubuntu has been modified to always return true. This prevents updates to the `initscripts` package from breaking /dev/shm.
 * Various minor bug fixes, improvements and typo corrections. (Felix Hummel, Laurent Sarrazin, Dung Quang, Amir Gur)
 ## 0.9.8 (release date: 2014-02-26)
 * Fixed a regression in `my_init` which causes it to delete environment variables passed from Docker.
--- a/8
+++ b/8
@@ -1,12 +1,12 @@
 NAME = phusion/baseimage
-VERSION = 0.9.8
+VERSION = 0.9.12
 .PHONY: all build test tag_latest release ssh
 all: build
 build:
-	docker build -t $(NAME):$(VERSION) -rm image
+	docker build -t $(NAME):$(VERSION) --rm image
 test:
 	env NAME=$(NAME) VERSION=$(VERSION) ./test/runner.sh
@@ -15,12 +15,12 @@ tag_latest:
 	docker tag $(NAME):$(VERSION) $(NAME):latest
 release: test tag_latest
-	@if ! docker images phusion/baseimage | awk '{ print $$2 }' | grep -q -F $(VERSION); then echo "$(NAME) version $(VERSION) is not yet built. Please run 'make build'"; false; fi
+	@if ! docker images $(NAME) | awk '{ print $$2 }' | grep -q -F $(VERSION); then echo "$(NAME) version $(VERSION) is not yet built. Please run 'make build'"; false; fi
 	docker push $(NAME)
 	@echo "*** Don't forget to create a tag. git tag rel-$(VERSION) && git push origin rel-$(VERSION)"
 ssh:
-	chmod 600 image/insecure_key.pub
+	chmod 600 image/insecure_key
 	@ID=$$(docker ps | grep -F "$(NAME):$(VERSION)" | awk '{ print $$1 }') && \
 		if test "$$ID" = ""; then echo "Container is not running."; exit 1; fi && \
 		IP=$$(docker inspect $$ID | grep IPAddr | sed 's/.*: "//; s/".*//') && \
--- a/README.md
+++ b/README.md
@@ -1,12 +1,18 @@
 # A minimal Ubuntu base image modified for Docker-friendliness
-Baseimage-docker is a special [Docker](http://www.docker.io) image that is configured for correct use within Docker containers. It is Ubuntu, plus modifications for Docker-friendliness. You can use it as a base for your own Docker images.
+Baseimage-docker is a special [Docker](http://www.docker.io) image that is configured for correct use within Docker containers. It is Ubuntu, plus:
 * Modifications for Docker-friendliness.
 * Workarounds for [some Docker bugs](#workaroud_modifying_etc_hosts).
 * Useful administration tools.
 You can use it as a base for your own Docker images.
 Baseimage-docker is available for pulling from [the Docker registry](https://index.docker.io/u/phusion/baseimage/)!
 ### What are the problems with the stock Ubuntu base image?
-Ubuntu is not designed to be run inside docker. Its init system, Upstart, assumes that it's running on either real hardware or virtualized hardware, but not inside a Docker container. But inside a container you don't want a full system anyway, you want a minimal system. But configuring that minimal system for use within a container has many strange corner cases that are hard to get right if you are not intimately familiar with the Unix system model. This can cause a lot of strange problems.
+Ubuntu is not designed to be run inside Docker. Its init system, Upstart, assumes that it's running on either real hardware or virtualized hardware, but not inside a Docker container. But inside a container you don't want a full system anyway, you want a minimal system. But configuring that minimal system for use within a container has many strange corner cases that are hard to get right if you are not intimately familiar with the Unix system model. This can cause a lot of strange problems.
 Baseimage-docker gets everything right. The "Contents" section describes all the things that it modifies.
@@ -40,17 +46,24 @@ You can configure the stock `ubuntu` image yourself from your Dockerfile, so why
   * [Getting started](#getting_started)
   * [Adding additional daemons](#adding_additional_daemons)
   * [Running scripts during container startup](#running_startup_scripts)
   * [Running a one-shot command in the container](#oneshot)
   * [Environment variables](#environment_variables)
     * [Centrally defining your own environment variables](#envvar_central_definition)
     * [Environment variable dumps](#envvar_dumps)
     * [Modifying environment variables](#modifying_envvars)
     * [Security](#envvar_security)
-   * [Login to the container via SSH](#login)
+   * [Working around Docker's inability to modify /etc/hosts](#workaroud_modifying_etc_hosts)
   * [Disabling SSH](#disabling_ssh)
 * [Container administration](#container_administration)
   * [Running a one-shot command in a new container](#oneshot)
   * [Running a command in an existing, running container](#run_inside_existing_container)
   * [Login to the container via nsenter](#login_nsenter)
     * [Usage](#nsenter_usage)
     * [The `docker-bash` tool](#docker_bash)
   * [Login to the container via SSH](#login_ssh)
     * [Using the insecure key for one container only](#using_the_insecure_key_for_one_container_only)
     * [Enabling the insecure key permanently](#enabling_the_insecure_key_permanently)
     * [Using your own key](#using_your_own_key)
-   * [Disabling SSH](#disabling_ssh)
+     * [The `docker-ssh` tool](#docker_ssh)
 * [Building the image yourself](#building)
 * [Conclusion](#conclusion)
@@ -66,12 +79,13 @@ You can configure the stock `ubuntu` image yourself from your Dockerfile, so why
 | Component        | Why is it included? / Remarks |
 | ---------------- | ------------------- |
-| Ubuntu 12.04 LTS | The base system. |
+| Ubuntu 14.04 LTS | The base system. |
 | A **correct** init process | According to the Unix process model, [the init process](https://en.wikipedia.org/wiki/Init) -- PID 1 -- inherits all [orphaned child processes](https://en.wikipedia.org/wiki/Orphan_process) and must [reap them](https://en.wikipedia.org/wiki/Wait_(system_call)). Most Docker containers do not have an init process that does this correctly, and as a result their containers become filled with [zombie processes](https://en.wikipedia.org/wiki/Zombie_process) over time. <br><br>Furthermore, `docker stop` sends SIGTERM to the init process, which is then supposed to stop all services. Unfortunately most init systems don't do this correctly within Docker since they're built for hardware shutdowns instead. This causes processes to be hard killed with SIGKILL, which doesn't give them a chance to correctly deinitialize things. This can cause file corruption. <br><br>Baseimage-docker comes with an init process `/sbin/my_init` that performs both of these tasks correctly. |
 | Fixes APT incompatibilities with Docker | See https://github.com/dotcloud/docker/issues/1024. |
 | Workarounds for Docker bugs | [Learn more.](#workaroud_modifying_etc_hosts) |
 | syslog-ng | A syslog daemon is necessary so that many services - including the kernel itself - can correctly log to /var/log/syslog. If no syslog daemon is running, a lot of important messages are silently swallowed. <br><br>Only listens locally. |
 | logrotate | Rotates and compresses logs on a regular basis. |
-| ssh server | Allows you to easily login to your container to inspect or administer things. <br><br>Password and challenge-response authentication are disabled by default. Only key authentication is allowed.<br><br>SSH access can be easily disabled if you so wish. Read on for instructions. |
+| SSH server | Allows you to easily login to your container to [inspect or administer](#login_ssh) things. <br><br>_SSH is only one of the methods provided by baseimage-docker for this purpose. The other method is through [the nsenter tool](#login_nsenter). SSH is also provided as an option because nsenter has many issues._<br><br>Password and challenge-response authentication are disabled by default. Only key authentication is allowed.<br><br>SSH access can be easily disabled if you so wish. Read on for instructions. |
 | cron | The cron daemon must be running for cron jobs to work. |
 | [runit](http://smarden.org/runit/) | Replaces Ubuntu's Upstart. Used for service supervision and management. Much easier to use than SysV init and supports restarting daemons when they crash. Much easier to use and more lightweight than Upstart. |
 | `setuser` | A tool for running a command as another user. Easier to use than `su`, has a smaller attack vector than `sudo`, and unlike `chpst` this tool sets `$HOME` correctly. Available as `/sbin/setuser`. |
@@ -90,7 +104,9 @@ Baseimage-docker *encourages* multiple processes through the use of runit.
 To look around in the image, run:
-    docker run -rm -t -i phusion/baseimage /sbin/my_init -- bash -l
+    docker run --rm -t -i phusion/baseimage:<VERSION> /sbin/my_init -- bash -l
 where `<VERSION>` is [one of the baseimage-docker version numbers](https://github.com/phusion/baseimage-docker/blob/nsenter/Changelog.md).
 You don't have to download anything manually. The above command will automatically pull the baseimage-docker image from the Docker registry.
@@ -131,7 +147,7 @@ You can add additional daemons (e.g. your own app) to the image by creating runi
 The shell script must be called `run`, must be executable, and is to be placed in the directory `/etc/service/<NAME>`.
-Here's an example showing you how to a memached server runit entry can be made.
+Here's an example showing you how a memached server runit entry can be made.
    ### In memcached.sh (make sure this file is chmod +x):
    #!/bin/sh
@@ -150,7 +166,7 @@ Note that the shell script must run the daemon **without letting it daemonize/fo
 The baseimage-docker init system, `/sbin/my_init`, runs the following scripts during startup, in the following order:
- * All executable scripts in `/etc/my_init.d`, if this directory exists. The scripts are run during in lexicographic order.
+ * All executable scripts in `/etc/my_init.d`, if this directory exists. The scripts are run in lexicographic order.
 * The script `/etc/rc.local`, if this file exists.
 All scripts must exit correctly, e.g. with exit code 0. If any script exits with a non-zero exit code, the booting will fail.
@@ -165,50 +181,6 @@ The following example shows how you can add a startup script. This script simply
    RUN mkdir -p /etc/my_init.d
    ADD logtime.sh /etc/my_init.d/logtime.sh
 <a name="oneshot"></a>
 ### Running a one-shot command in the container
 Normally, when you want to run a single command in a container, and exit immediately after the command, you invoke Docker like this:
    docker run YOUR_IMAGE COMMAND ARGUMENTS...
 However the downside of this approach is that the init system is not started. That is, while invoking `COMMAND`, important daemons such as cron and syslog are not running. Also, orphaned child processes are not properly reaped, because `COMMAND` is PID 1.
 Baseimage-docker provides a facility to run a single one-shot command, while solving all of the aforementioned problems. Run a single command in the following manner:
    docker run YOUR_IMAGE /sbin/my_init -- COMMAND ARGUMENTS ...
 This will perform the following:
 * Runs all system startup files, such as /etc/my_init.d/* and /etc/rc.local.
 * Starts all runit services.
 * Runs the specified command.
 * When the specified command exits, stops all runit services.
 For example:
    $ docker run phusion/baseimage:<VERSION> /sbin/my_init -- ls
    *** Running /etc/my_init.d/00_regen_ssh_host_keys.sh...
    No SSH host key available. Generating one...
    Creating SSH2 RSA key; this may take some time ...
    Creating SSH2 DSA key; this may take some time ...
    Creating SSH2 ECDSA key; this may take some time ...
    *** Running /etc/rc.local...
    *** Booting runit daemon...
    *** Runit started as PID 80
    *** Running ls...
    bin  boot  dev  etc  home  image  lib  lib64  media  mnt  opt  proc  root  run  sbin  selinux  srv  sys  tmp  usr  var
    *** ls exited with exit code 0.
    *** Shutting down runit daemon (PID 80)...
    *** Killing all processes...
 You may find that the default invocation is too noisy. Or perhaps you don't want to run the startup files. You can customize all this by passing arguments to `my_init`. Invoke `docker run YOUR_IMAGE /sbin/my_init --help` for more information.
 The following example runs `ls` without running the startup files and with less messages, while running all runit services:
    $ docker run phusion/baseimage:<VERSION> /sbin/my_init --skip-startup-files --quiet -- ls
    bin  boot  dev  etc  home  image  lib  lib64  media  mnt  opt  proc  root  run  sbin  selinux  srv  sys  tmp  usr  var
 <a name="environment_variables"></a>
 ### Environment variables
@@ -227,7 +199,7 @@ During startup, before running any [startup scripts](#running_startup_scripts),
 For example, here's how you can define an environment variable from your Dockerfile:
-    RUN echo -n Apachai Hopachai > /etc/container_environment/MY_NAME
+    RUN echo Apachai Hopachai > /etc/container_environment/MY_NAME
 You can verify that it works, as follows:
@@ -237,6 +209,12 @@ You can verify that it works, as follows:
    # echo $MY_NAME
    Apachai Hopachai
 **Handling newlines**
 If you've looked carefully, you'll notice that the 'echo' command actually prints a newline. Why does $MY_NAME not contain a newline then? It's because `my_init` strips the trailing newline, if any. If you intended on the value having a newline, you should add *another* newline, like this:
    RUN echo -e "Apachai Hopachai\n" > /etc/container_environment/MY_NAME
 <a name="envvar_dumps"></a>
 #### Environment variable dumps
@@ -281,15 +259,183 @@ But note that:
 <a name="envvar_security"></a>
 #### Security
-Because environment variables can potentially contain sensitive information, `/etc/container_environment` and its Bash and JSON dumps are by default owned by root, and root-accessible only. If you are sure that your environment variables don't contain sensitive data, then you can relax the permissions on that directory and those files by making them world-readable:
+Because environment variables can potentially contain sensitive information, `/etc/container_environment` and its Bash and JSON dumps are by default owned by root, and accessible only by the `docker_env` group (so that any user added this group will have these variables automatically loaded).
 If you are sure that your environment variables don't contain sensitive data, then you can also relax the permissions on that directory and those files by making them world-readable:
    RUN chmod 755 /etc/container_environment
    RUN chmod 644 /etc/container_environment.sh /etc/container_environment.json
-<a name="login"></a>
+<a name="workaroud_modifying_etc_hosts"></a>
-### Login to the container via SSH
+### Working around Docker's inability to modify /etc/hosts
-You can use SSH to login to any container that is based on baseimage-docker.
+It is currently not possible to modify /etc/hosts inside a Docker container because of [Docker bug 2267](https://github.com/dotcloud/docker/issues/2267). Baseimage-docker includes a workaround for this. You have to be explicitly opt-in for the workaround.
 The workaround involves modifying a system library, libnss_files.so.2, so that it looks for the host file in /etc/workaround-docker-2267/hosts instead of /etc/hosts. Instead of modifying /etc/hosts, you modify /etc/workaround-docker-2267/hosts instead.
 Add this to your Dockerfile to opt-in for the workaround. This command modifies libnss_files.so.2 as described above.
    RUN /usr/bin/workaround-docker-2267
 (You don't necessarily have to run this command from the Dockerfile. You can also run it from a shell inside the container.)
 To verify that it works, [open a bash shell in your container](#inspecting), modify /etc/workaround-docker-2267/hosts, and check whether it had any effect:
    bash# echo 127.0.0.1 my-test-domain.com >> /etc/workaround-docker-2267/hosts
    bash# ping my-test-domain.com
    ...should ping 127.0.0.1...
 **Note on apt-get upgrading:** if any Ubuntu updates overwrite libnss_files.so.2, then the workaround is removed. You have to re-enable it by running `/usr/bin/workaround-docker-2267`. To be safe, you should run this command every time after running `apt-get upgrade`.
 <a name="disabling_ssh"></a>
 ### Disabling SSH
 Baseimage-docker enables an SSH server by default, so that you can [use SSH](#login_ssh) to [administer your container](#container_administration). In case you do not want to enable SSH, here's how you can disable it:
    RUN rm -rf /etc/service/sshd /etc/my_init.d/00_regen_ssh_host_keys.sh
 <a name="container_administration"></a>
 ## Container administration
 One of the ideas behind Docker is that containers should be stateless, easily restartable, and behave like a black box. However, you may occasionally encounter situations where you want to login to a container, or to run a command inside a container, for development, inspection and debugging purposes. This section describes how you can administer the container for those purposes.
 <a name="oneshot"></a>
 ### Running a one-shot command in a new container
 _**Note:** This section describes how to run a command insider a -new- container. To run a command inside an existing running container, see [Running a command in an existing, running container](#run_inside_existing_container)._
 Normally, when you want to create a new container in order to run a single command inside it, and immediately exit after the command exits, you invoke Docker like this:
    docker run YOUR_IMAGE COMMAND ARGUMENTS...
 However the downside of this approach is that the init system is not started. That is, while invoking `COMMAND`, important daemons such as cron and syslog are not running. Also, orphaned child processes are not properly reaped, because `COMMAND` is PID 1.
 Baseimage-docker provides a facility to run a single one-shot command, while solving all of the aforementioned problems. Run a single command in the following manner:
    docker run YOUR_IMAGE /sbin/my_init -- COMMAND ARGUMENTS ...
 This will perform the following:
 * Runs all system startup files, such as /etc/my_init.d/* and /etc/rc.local.
 * Starts all runit services.
 * Runs the specified command.
 * When the specified command exits, stops all runit services.
 For example:
    $ docker run phusion/baseimage:<VERSION> /sbin/my_init -- ls
    *** Running /etc/my_init.d/00_regen_ssh_host_keys.sh...
    No SSH host key available. Generating one...
    Creating SSH2 RSA key; this may take some time ...
    Creating SSH2 DSA key; this may take some time ...
    Creating SSH2 ECDSA key; this may take some time ...
    *** Running /etc/rc.local...
    *** Booting runit daemon...
    *** Runit started as PID 80
    *** Running ls...
    bin  boot  dev  etc  home  image  lib  lib64  media  mnt  opt  proc  root  run  sbin  selinux  srv  sys  tmp  usr  var
    *** ls exited with exit code 0.
    *** Shutting down runit daemon (PID 80)...
    *** Killing all processes...
 You may find that the default invocation is too noisy. Or perhaps you don't want to run the startup files. You can customize all this by passing arguments to `my_init`. Invoke `docker run YOUR_IMAGE /sbin/my_init --help` for more information.
 The following example runs `ls` without running the startup files and with less messages, while running all runit services:
    $ docker run phusion/baseimage:<VERSION> /sbin/my_init --skip-startup-files --quiet -- ls
    bin  boot  dev  etc  home  image  lib  lib64  media  mnt  opt  proc  root  run  sbin  selinux  srv  sys  tmp  usr  var
 <a name="run_inside_existing_container"></a>
 ### Running a command in an existing, running container
 There are two ways to run a command inside an existing, running container.
 * Through the `nsenter` tool. This tool uses Linux kernel system calls in order to execute a command within the context of a container. Learn more in [Login to the container, or running a command inside it, via nsenter](#login_nsenter).
 * Through SSH. This approach requires running an SSH daemon inside the container, and requires you to setup SSH keys. Learn more in [Login to the container, or running a command inside it, via SSH](#login_ssh).
 Both way have their own pros and cons, which you can learn in their respective subsections.
 <a name="login_nsenter"></a>
 ### Login to the container, or running a command inside it, via nsenter
 You can use the `nsenter` tool on the Docker host OS to login to any container that is based on baseimage-docker. You can also use it to run a command inside a running container. `nsenter` works by using Linux kernel system calls.
 Here's how it compares to [using SSH to login to the container or to run a command inside it](#login_ssh):
 * Pros
   * Does not require running an SSH daemon inside the container.
   * Does not require setting up SSH keys.
   * Works on any container, even containers not based on baseimage-docker.
 * Cons
   * Processes executed by `nsenter` behave in a slightly different manner than normal. For example, they cannot be killed by any normal processes inside the container. This applies to all child processes as well.
   * If the `nsenter` process is terminated by a signal (e.g. with the `kill` command), then the command that is executed by nsenter is *not* killed and cleaned up. You will have to do that manually. (Note that terminal control commands like Ctrl-C *do* clean up all child processes, because terminal signals are sent to all processes in the terminal session.)
   * Requires learning another tool.
   * Requires root privileges on the Docker host.
   * Requires the `nsenter` tool to be available on the Docker host. At the time of writing (July 2014), most Linux distributions do not ship it. However, baseimage-docker provides a precompiled binary, and allows you to easily use it, through its [docker-bash](#docker_bash) tool.
   * Not possible to allow users to login to the container without also letting them login to the Docker host.
 <a name="nsenter_usage"></a>
 #### Usage
 First, ensure that `nsenter` is installed. At the time of writing (July 2014), almost no Linux distribution ships the `nsenter` tool. However, we provide [a precompiled binary](#docker_bash) that anybody can use.
 Anyway, start a container:
    docker run YOUR_IMAGE
 Find out the ID of the container that you just ran:
    docker ps
 Once you have the ID, look for the PID of the main process inside the container.
    docker inspect -f "{{ .State.Pid }}" <ID>
 Now that you have the container's main process PID, you can use `nsenter` to login to the container, or to execute a command inside it:
    # Login to the container
    nsenter --target <MAIN PROCESS PID> --mount --uts --ipc --net --pid bash -l
    # Running a command inside the container
    nsenter --target <MAIN PROCESS PID> --mount --uts --ipc --net --pid -- echo hello world
 <a name="docker_bash"></a>
 #### The `docker-bash` tool
 Looking up the main process PID of a container and typing the long nsenter command quickly becomes tedious. Luckily, we provide the `docker-bash` tool which automates this process. This tool is to be run on the *Docker host*, not inside a Docker container.
 This tool also comes with a precompiled `nsenter` binary, so that you don't have to install `nsenter` yourself. `docker-bash` works out-of-the-box!
 First, install the tool on the Docker host:
    curl --fail -L -O https://github.com/phusion/baseimage-docker/archive/master.tar.gz && \
    tar xzf master.tar.gz && \
    sudo ./baseimage-docker-master/install-tools.sh
 Then run the tool as follows to login to a container:
    docker-bash YOUR-CONTAINER-ID
 You can lookup `YOUR-CONTAINER-ID` by running `docker ps`.
 By default, `docker-bash` will open a Bash session. You can also tell it to run a command, and then exit:
    docker-bash YOUR-CONTAINER-ID echo hello world
 <a name="login_ssh"></a>
 ### Login to the container, or running a command inside it, via SSH
 You can use SSH to login to any container that is based on baseimage-docker. You can also use it to run a command inside a running container.
 Here's how it compares to [using nsenter to login to the container or to run a command inside it](#login_nsenter):
 * Pros
   * Does not require a tool like `nsenter` to be available on the Docker host. Virtually everybody already has an SSH client installed.
   * There no surprises with processes behaving slightly differently than normal, as is the case when using `nsenter`.
   * Does not require root privileges on the Docker host.
   * Allows you to let users login to the container, without letting them login to the Docker host. However, this is not enabled by default because baseimage-docker does not expose the SSH server to the public Internet by default.
 * Cons
   * Requires setting up SSH keys. However, baseimage-docker makes this easy for many cases through a pregenerated, insecure key. Read on to learn more.
 The first thing that you need to do is to ensure that you have the right SSH keys installed inside the container. By default, no keys are installed, so you can't login. For convenience reasons, we provide [a pregenerated, insecure key](https://github.com/phusion/baseimage-docker/blob/master/image/insecure_key) [(PuTTY format)](https://github.com/phusion/baseimage-docker/blob/master/image/insecure_key.ppk) that you can easily enable. However, please be aware that using this key is for convenience only. It does not provide any security because this key (both the public and the private side) is publicly available. **In production environments, you should use your own keys**.
@@ -308,14 +454,20 @@ Find out the ID of the container that you just ran:
 Once you have the ID, look for its IP address with:
-    docker inspect <ID> | grep IPAddress
+    docker inspect -f "{{ .NetworkSettings.IPAddress }}" <ID>
-Now SSH into the container as follows:
+Now that you have the IP address, you can use SSH to login to the container, or to execute a command inside it:
    # Download the insecure private key
    curl -o insecure_key -fSL https://github.com/phusion/baseimage-docker/raw/master/image/insecure_key
-    chmod 700 insecure_key
+    chmod 600 insecure_key
    # Login to the container
    ssh -i insecure_key root@<IP address>
    # Running a command inside the container
    ssh -i insecure_key root@<IP address> echo hello world
 <a name="enabling_the_insecure_key_permanently"></a>
 #### Enabling the insecure key permanently
@@ -330,11 +482,11 @@ Instructions for logging in the container is the same as in section [Using the i
 <a name="using_your_own_key"></a>
 #### Using your own key
-Edit your Dockerfile to install an SSH key:
+Edit your Dockerfile to install an SSH public key:
    ## Install an SSH of your choice.
-    ADD your_key /tmp/your_key
+    ADD your_key.pub /tmp/your_key.pub
-    RUN cat /tmp/your_key >> /root/.ssh/authorized_keys && rm -f /tmp/your_key
+    RUN cat /tmp/your_key.pub >> /root/.ssh/authorized_keys && rm -f /tmp/your_key.pub
 Then rebuild your image. Once you have that, start a container based on that image:
@@ -346,12 +498,37 @@ Find out the ID of the container that you just ran:
 Once you have the ID, look for its IP address with:
-    docker inspect <ID> | grep IPAddress
+    docker inspect -f "{{ .NetworkSettings.IPAddress }}" <ID>
-Now SSH into the container as follows:
+Now that you have the IP address, you can use SSH to login to the container, or to execute a command inside it:
    # Login to the container
    ssh -i /path-to/your_key root@<IP address>
    # Running a command inside the container
    ssh -i /path-to/your_key root@<IP address> echo hello world
 <a name="docker_ssh"></a>
 #### The `docker-ssh` tool
 Looking up the IP of a container and running an SSH command quickly becomes tedious. Luckily, we provide the `docker-ssh` tool which automates this process. This tool is to be run on the *Docker host*, not inside a Docker container.
 First, install the tool on the Docker host:
    curl --fail -L -O https://github.com/phusion/baseimage-docker/archive/master.tar.gz && \
    tar xzf master.tar.gz && \
    sudo ./baseimage-docker-master/install-tools.sh
 Then run the tool as follows to login to a container using SSH:
    docker-ssh YOUR-CONTAINER-ID
 You can lookup `YOUR-CONTAINER-ID` by running `docker ps`.
 By default, `docker-ssh` will open a Bash session. You can also tell it to run a command, and then exit:
    docker-ssh YOUR-CONTAINER-ID echo hello world
 <a name="building"></a>
 ## Building the image yourself
@@ -377,12 +554,6 @@ If you want to call the resulting image something else, pass the NAME variable,
    make build NAME=joe/baseimage
 <a name="disabling_ssh"></a>
 ### Disabling SSH
 In case you do not want to enable SSH, here's how you can disable it:
    RUN rm -rf /etc/service/sshd /etc/my_init.d/00_regen_ssh_host_keys.sh
 <a name="conclusion"></a>
 ## Conclusion
--- a/55
+++ b/55
@@ -1,31 +1,54 @@
 # -*- mode: ruby -*-
 # vi: set ft=ruby :
-ROOT = File.dirname(File.expand_path(__FILE__))
+ROOT = File.dirname(File.absolute_path(__FILE__))
 # Vagrantfile API/syntax version. Don't touch unless you know what you're doing!
-VAGRANTFILE_API_VERSION = "2"
+VAGRANTFILE_API_VERSION = '2'
 # Default env properties which can be overridden
 # Example overrides:
 #   echo "ENV['PASSENGER_DOCKER_PATH'] ||= '../../phusion/passenger-docker'   " >> ~/.vagrant.d/Vagrantfile
 #   echo "ENV['BASE_BOX_URL']          ||= 'd\:/dev/vm/vagrant/boxes/phusion/'" >> ~/.vagrant.d/Vagrantfile
 BASE_BOX_URL          = ENV['BASE_BOX_URL']    || 'https://oss-binaries.phusionpassenger.com/vagrant/boxes/latest/'
 VAGRANT_BOX_URL       = ENV['VAGRANT_BOX_URL'] || BASE_BOX_URL + 'ubuntu-14.04-amd64-vbox.box'
 VMWARE_BOX_URL        = ENV['VMWARE_BOX_URL']  || BASE_BOX_URL + 'ubuntu-14.04-amd64-vmwarefusion.box'
 BASEIMAGE_PATH        = ENV['BASEIMAGE_PATH' ] || '.'
 PASSENGER_DOCKER_PATH = ENV['PASSENGER_PATH' ] || '../passenger-docker'
 DOCKERIZER_PATH       = ENV['DOCKERIZER_PATH'] || '../dockerizer'
 $script = <<SCRIPT
 wget -q -O - https://get.docker.io/gpg | apt-key add -
 echo deb http://get.docker.io/ubuntu docker main > /etc/apt/sources.list.d/docker.list
 apt-get update -qq
 apt-get install -q -y --force-yes lxc-docker
 usermod -a -G docker vagrant
 docker version
 su - vagrant -c 'echo alias d=docker >> ~/.bash_aliases'
 SCRIPT
 Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
-  config.vm.box = "phusion-open-ubuntu-12.04-amd64"
+  config.vm.box = 'phusion-open-ubuntu-14.04-amd64'
-  config.vm.box_url = "https://oss-binaries.phusionpassenger.com/vagrant/boxes/ubuntu-12.04.3-amd64-vbox.box"
+  config.vm.box_url = VAGRANT_BOX_URL
  config.ssh.forward_agent = true
-  if File.directory?("#{ROOT}/../passenger-docker")
+  passenger_docker_path = File.absolute_path(PASSENGER_DOCKER_PATH, ROOT)
-    config.vm.synced_folder File.expand_path("#{ROOT}/../passenger-docker"),
+  if File.directory?(passenger_docker_path)
-      "/vagrant/passenger-docker"
+    config.vm.synced_folder passenger_docker_path, '/vagrant/passenger-docker'
  end
  baseimage_path = File.absolute_path(BASEIMAGE_PATH, ROOT)
  if File.directory?(baseimage_path)
    config.vm.synced_folder baseimage_path, "/vagrant/baseimage-docker"
  end
  dockerizer_path = File.absolute_path(DOCKERIZER_PATH, ROOT)
  if File.directory?(dockerizer_path)
    config.vm.synced_folder dockerizer_path, '/vagrant/dockerizer'
  end
  config.vm.provider :vmware_fusion do |f, override|
-    override.vm.box_url = "https://oss-binaries.phusionpassenger.com/vagrant/boxes/ubuntu-12.04.3-amd64-vmwarefusion.box"
+    override.vm.box_url = VMWARE_BOX_URL
-    f.vmx["displayName"] = "baseimage-docker"
+    f.vmx['displayName'] = 'baseimage-docker'
  end
  if Dir.glob("#{File.dirname(__FILE__)}/.vagrant/machines/default/*/id").empty?
-    # Add lxc-docker package
+    config.vm.provision :shell, :inline => $script
    pkg_cmd = "wget -q -O - https://get.docker.io/gpg | apt-key add -;" \
      "echo deb http://get.docker.io/ubuntu docker main > /etc/apt/sources.list.d/docker.list;" \
      "apt-get update -qq; apt-get install -q -y --force-yes lxc-docker; "
    # Add vagrant user to the docker group
    pkg_cmd << "usermod -a -G docker vagrant; "
    config.vm.provision :shell, :inline => pkg_cmd
  end
 end
--- a/image/Dockerfile
+++ b/image/Dockerfile
@@ -1,4 +1,4 @@
-FROM ubuntu:12.04
+FROM ubuntu:14.04
 MAINTAINER Phusion <info@phusion.nl>
 ENV HOME /root
--- a/image/bin/enable_insecure_key
+++ b/image/bin/enable_insecure_key
@@ -21,7 +21,7 @@ else
 		|                                                                              |
 		| DO NOT expose port 22 on the Internet unless you know what you are doing!    |
 		|                                                                              |
-		| Use the private key bellow to connect with user root                         |
+		| Use the private key below to connect with user root                         |
 		+------------------------------------------------------------------------------+
 	EOF
--- a/image/bin/my_init
+++ b/image/bin/my_init
@@ -1,5 +1,5 @@
-#!/usr/bin/python2 -u
+#!/usr/bin/python3 -u
-import os, os.path, sys, stat, signal, errno, argparse, time, json, re, posixfile
+import os, os.path, sys, stat, signal, errno, argparse, time, json, re
 KILL_PROCESS_TIMEOUT = 5
 KILL_ALL_PROCESSES_TIMEOUT = 5
@@ -11,6 +11,8 @@ LOG_LEVEL_DEBUG = 3
 log_level = None
 terminated_child_processes = {}
 class AlarmException(Exception):
 	pass
@@ -20,15 +22,15 @@ def error(message):
 def warn(message):
 	if log_level >= LOG_LEVEL_WARN:
-		print("*** %s" % message)
+		sys.stderr.write("*** %s\n" % message)
 def info(message):
 	if log_level >= LOG_LEVEL_INFO:
-		print("*** %s" % message)
+		sys.stderr.write("*** %s\n" % message)
 def debug(message):
 	if log_level >= LOG_LEVEL_DEBUG:
-		print("*** %s" % message)
+		sys.stderr.write("*** %s\n" % message)
 def ignore_signals_and_raise_keyboard_interrupt(signame):
 	signal.signal(signal.SIGTERM, signal.SIG_IGN)
@@ -54,21 +56,30 @@ def is_exe(path):
 	except OSError:
 		return False
-def import_envvars(clear_existing_environment = True):
+def create_hosts_file():
 	run_command_killable("/bin/cp", "/etc/hosts", "/etc/workaround-docker-2267/")
 def import_envvars(clear_existing_environment = True, override_existing_environment = True):
 	new_env = {}
 	for envfile in listdir("/etc/container_environment"):
 		name = os.path.basename(envfile)
 		with open("/etc/container_environment/" + envfile, "r") as f:
-			value = f.read()
+			# Text files often end with a trailing newline, which we
 			# don't want to include in the env variable value. See
 			# https://github.com/phusion/baseimage-docker/pull/49
 			value = re.sub('\n\Z', '', f.read())
 		new_env[name] = value
 	if clear_existing_environment:
 		os.environ.clear()
 	for name, value in new_env.items():
-		os.environ[name] = value
+		if override_existing_environment or not name in os.environ:
 			os.environ[name] = value
 def export_envvars(to_dir = True):
 	shell_dump = ""
 	for name, value in os.environ.items():
 		if name in ['HOME', 'USER', 'GROUP', 'UID', 'GID', 'SHELL']:
 			continue
 		if to_dir:
 			with open("/etc/container_environment/" + name, "w") as f:
 				f.write(value)
@@ -91,19 +102,36 @@ def shquote(s):
 	# the string $'b is then quoted as '$'"'"'b'
 	return "'" + s.replace("'", "'\"'\"'") + "'"
 # Waits for the child process with the given PID, while at the same time
 # reaping any other child processes that have exited (e.g. adopted child
 # processes that have terminated).
 def waitpid_reap_other_children(pid):
 	global terminated_child_processes
 	status = terminated_child_processes.get(pid)
 	if status:
 		# A previous call to waitpid_reap_other_children(),
 		# with an argument not equal to the current argument,
 		# already waited for this process. Return the status
 		# that was obtained back then.
 		del terminated_child_processes[pid]
 		return status
 	done = False
 	status = None
 	try:
 		this_pid, status = os.waitpid(pid, os.WNOHANG)
 	except OSError as e:
 		if e.errno == errno.ECHILD or e.errno == errno.ESRCH:
 			return None
 		else:
 			raise
 	while not done:
-		this_pid, status = os.waitpid(-1, 0)
+		try:
-		done = this_pid == pid
+			this_pid, status = os.waitpid(-1, 0)
 			if this_pid == pid:
 				done = True
 			else:
 				# Save status for later.
 				terminated_child_processes[this_pid] = status
 		except OSError as e:
 			if e.errno == errno.ECHILD or e.errno == errno.ESRCH:
 				return None
 			else:
 				raise
 	return status
 def stop_child_process(name, pid, signo = signal.SIGTERM, time_limit = KILL_PROCESS_TIMEOUT):
@@ -143,9 +171,9 @@ def run_command_killable(*argv):
 		raise
 	if status != 0:
 		if status is None:
-			error("%s exited with unknown exit code\n" % filename)
+			error("%s exited with unknown status\n" % filename)
 		else:
-			error("%s failed with exit code %d\n" % (filename, status))
+			error("%s failed with status %d\n" % (filename, os.WEXITSTATUS(status)))
 		sys.exit(1)
 def run_command_killable_and_import_envvars(*argv):
@@ -196,7 +224,7 @@ def run_startup_files():
 def start_runit():
 	info("Booting runit daemon...")
 	pid = os.spawnl(os.P_NOWAIT, "/usr/bin/runsvdir", "/usr/bin/runsvdir",
-		"-P", "/etc/service", "log: %s" % ('.' * 395))
+		"-P", "/etc/service")
 	info("Runit started as PID %d" % pid)
 	return pid
@@ -224,7 +252,8 @@ def install_insecure_key():
 	run_command_killable("/usr/sbin/enable_insecure_key")
 def main(args):
-	import_envvars(False)
+	create_hosts_file()
 	import_envvars(False, False)
 	export_envvars()
 	if args.enable_insecure_key:
@@ -239,31 +268,34 @@ def main(args):
 	if not args.skip_runit:
 		runit_pid = start_runit()
 	try:
 		exit_status = None
 		if len(args.main_command) == 0:
 			runit_exited, exit_code = wait_for_runit_or_interrupt(runit_pid)
 			if runit_exited:
 				if exit_code is None:
-					info("Runit exited with unknown exit code")
+					info("Runit exited with unknown status")
-					exit_code = 1
+					exit_status = 1
 				else:
-					info("Runit exited with code %d" % exit_code)
+					exit_status = os.WEXITSTATUS(exit_code)
 					info("Runit exited with status %d" % exit_status)
 		else:
 			info("Running %s..." % " ".join(args.main_command))
 			pid = os.spawnvp(os.P_NOWAIT, args.main_command[0], args.main_command)
 			try:
 				exit_code = waitpid_reap_other_children(pid)
 				if exit_code is None:
-					info("%s exited with unknown exit code." % args.main_command[0])
+					info("%s exited with unknown status." % args.main_command[0])
-					exit_code = 1
+					exit_status = 1
 				else:
-					info("%s exited with exit code %d." % (args.main_command[0], exit_code))
+					exit_status = os.WEXITSTATUS(exit_code)
 					info("%s exited with status %d." % (args.main_command[0], exit_status))
 			except KeyboardInterrupt:
 				stop_child_process(args.main_command[0], pid)
 			except BaseException as s:
 				warn("An error occurred. Aborting.")
 				stop_child_process(args.main_command[0], pid)
 				raise
-		sys.exit(exit_code)
+		sys.exit(exit_status)
 	finally:
 		if not args.skip_runit:
 			shutdown_runit_services()
--- a/image/bin/setuser
+++ b/image/bin/setuser
@@ -1,4 +1,4 @@
-#!/usr/bin/python2
+#!/usr/bin/python3
 import sys, os, pwd
 if len(sys.argv) < 3:
--- a/image/bin/workaround-docker-2267
+++ b/image/bin/workaround-docker-2267
@@ -0,0 +1,2 @@
 #!/bin/sh
 exec /usr/bin/perl -pi -e 's:/etc/hosts:/cte/hosts:g' /lib/x86_64-linux-gnu/libnss_files.so.2
--- a/image/cleanup.sh
+++ b/image/cleanup.sh
@@ -6,5 +6,7 @@ set -x
 apt-get clean
 rm -rf /build
 rm -rf /tmp/* /var/tmp/*
 rm -rf /var/lib/apt/lists/*
 rm -f /etc/dpkg/dpkg.cfg.d/02apt-speedup
 rm -f /etc/ssh/ssh_host_*
--- a/image/config/sshd_config
+++ b/image/config/sshd_config
@@ -101,7 +101,7 @@ ChallengeResponseAuthentication no
 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
 #GatewayPorts no
-#X11Forwarding no
+X11Forwarding yes
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PrintMotd yes
@@ -123,13 +123,10 @@ ChallengeResponseAuthentication no
 #Banner none
 # override default of no subsystems
-Subsystem	sftp	/usr/lib/sftp-server
+Subsystem	sftp	/usr/lib/openssh/sftp-server
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
 #	X11Forwarding no
 #	AllowTcpForwarding no
 #	ForceCommand cvs server
 # XAuthLocation added by XQuartz (http://xquartz.macosforge.org)
 XAuthLocation /opt/X11/bin/xauth
--- a/image/config/syslog_ng_default
+++ b/image/config/syslog_ng_default
@@ -9,5 +9,4 @@
 #CONSOLE_LOG_LEVEL=1
 # Command line options to syslog-ng
-# We set --default-modules because of https://github.com/phusion/baseimage-docker/pull/7.
+SYSLOGNG_OPTS="--no-caps"
 SYSLOGNG_OPTS="--no-caps --default-modules=affile,afprog,afsocket,afuser,basicfuncs,csvparser,dbparser,syslogformat"
--- a/image/prepare.sh
+++ b/image/prepare.sh
@@ -3,22 +3,47 @@ set -e
 source /build/buildconfig
 set -x
-## Enable Ubuntu Universe.
+## Temporarily disable dpkg fsync to make building faster.
-echo deb http://archive.ubuntu.com/ubuntu precise main universe > /etc/apt/sources.list
+echo force-unsafe-io > /etc/dpkg/dpkg.cfg.d/02apt-speedup
 echo deb http://archive.ubuntu.com/ubuntu precise-updates main universe >> /etc/apt/sources.list
 apt-get update
-## Install HTTPS support for APT.
+## Prevent initramfs updates from trying to run grub and lilo.
-$minimal_apt_get_install apt-transport-https
+## https://journal.paul.querna.org/articles/2013/10/15/docker-ubuntu-on-rackspace/
 ## http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594189
 export INITRD=no
 mkdir -p /etc/container_environment
 echo -n no > /etc/container_environment/INITRD
 ## Enable Ubuntu Universe and Multiverse.
 sed -i 's/^#\s*\(deb.*universe\)$/\1/g' /etc/apt/sources.list
 sed -i 's/^#\s*\(deb.*multiverse\)$/\1/g' /etc/apt/sources.list
 apt-get update
 ## Fix some issues with APT packages.
 ## See https://github.com/dotcloud/docker/issues/1024
 dpkg-divert --local --rename --add /sbin/initctl
 ln -sf /bin/true /sbin/initctl
 ## Replace the 'ischroot' tool to make it always return true.
 ## Prevent initscripts updates from breaking /dev/shm.
 ## https://journal.paul.querna.org/articles/2013/10/15/docker-ubuntu-on-rackspace/
 ## https://bugs.launchpad.net/launchpad/+bug/974584
 dpkg-divert --local --rename --add /usr/bin/ischroot
 ln -sf /bin/true /usr/bin/ischroot
 ## Workaround https://github.com/dotcloud/docker/issues/2267,
 ## not being able to modify /etc/hosts.
 mkdir -p /etc/workaround-docker-2267
 ln -s /etc/workaround-docker-2267 /cte
 cp /build/bin/workaround-docker-2267 /usr/bin/
 ## Install HTTPS support for APT.
 $minimal_apt_get_install apt-transport-https ca-certificates
 ## Install add-apt-repository
 $minimal_apt_get_install software-properties-common
 ## Upgrade all packages.
-echo "initscripts hold" | dpkg --set-selections
+apt-get dist-upgrade -y --no-install-recommends
 apt-get upgrade -y --no-install-recommends
 ## Fix locale.
 $minimal_apt_get_install language-pack-en
--- a/image/runit/syslog-ng
+++ b/image/runit/syslog-ng
@@ -1,6 +1,11 @@
 #!/bin/sh
 set -e
 # If /dev/log is either a named pipe or it was placed there accidentally,
 # e.g. because of the issue documented at https://github.com/phusion/baseimage-docker/pull/25,
 # then we remove it.
 if [ ! -S /dev/log ]; then rm -f /dev/log; fi
 SYSLOGNG_OPTS=""
 [ -r /etc/default/syslog-ng ] && . /etc/default/syslog-ng
@@ -19,6 +24,8 @@ esac
 if [ ! -e /dev/xconsole ]
 then
  mknod -m 640 /dev/xconsole p
  chown root:adm /dev/xconsole
  [ -x /sbin/restorecon ] && /sbin/restorecon $XCONSOLE
 fi
 exec syslog-ng -F -p /var/run/syslog-ng.pid $SYSLOGNG_OPTS
--- a/image/system_services.sh
+++ b/image/system_services.sh
@@ -4,13 +4,17 @@ source /build/buildconfig
 set -x
 ## Install init process.
-cp /build/my_init /sbin/
+cp /build/bin/my_init /sbin/
 mkdir -p /etc/my_init.d
 mkdir -p /etc/container_environment
 touch /etc/container_environment.sh
 touch /etc/container_environment.json
 chmod 700 /etc/container_environment
-chmod 600 /etc/container_environment.sh /etc/container_environment.json
+
 groupadd docker_env
 chown :docker_env /etc/container_environment.sh /etc/container_environment.json
 chmod 640 /etc/container_environment.sh /etc/container_environment.json
 ln -s /etc/container_environment.sh /etc/profile.d/
 ## Install runit.
 $minimal_apt_get_install runit
@@ -21,6 +25,9 @@ mkdir /etc/service/syslog-ng
 cp /build/runit/syslog-ng /etc/service/syslog-ng/run
 mkdir -p /var/lib/syslog-ng
 cp /build/config/syslog_ng_default /etc/default/syslog-ng
 # Replace the system() source because inside Docker we
 # can't access /proc/kmsg.
 sed -i -E 's/^(\s*)system\(\);/\1unix-stream("\/dev\/log");/' /etc/syslog-ng/syslog-ng.conf
 ## Install logrotate.
 $minimal_apt_get_install logrotate
@@ -41,7 +48,7 @@ cp /build/insecure_key.pub /etc/insecure_key.pub
 cp /build/insecure_key /etc/insecure_key
 chmod 644 /etc/insecure_key*
 chown root:root /etc/insecure_key*
-cp /build/enable_insecure_key /usr/sbin/
+cp /build/bin/enable_insecure_key /usr/sbin/
 ## Install cron daemon.
 $minimal_apt_get_install cron
--- a/image/utilities.sh
+++ b/image/utilities.sh
@@ -7,4 +7,4 @@ set -x
 $minimal_apt_get_install curl less nano vim psmisc
 ## This tool runs a command as another user and sets $HOME.
-cp /build/setuser /sbin/setuser
+cp /build/bin/setuser /sbin/setuser
--- a/install-tools.sh
+++ b/install-tools.sh
@@ -0,0 +1,12 @@
 #!/bin/sh
 set -e
 dir=`dirname "$0"`
 cd "$dir"
 set -x
 cp tools/docker-bash /usr/local/bin/
 cp tools/docker-ssh /usr/local/bin/
 cp tools/baseimage-docker-nsenter /usr/local/bin/
 mkdir -p /usr/local/share/baseimage-docker
 cp image/insecure_key /usr/local/share/baseimage-docker/
 chmod 644 /usr/local/share/baseimage-docker/insecure_key
--- a/tools/README.md
+++ b/tools/README.md
@@ -0,0 +1 @@
 baseimage-docker-nsenter is the nsenter tool taken from https://github.com/jpetazzo/nsenter, commit 10ce18a7a32. It has been stripped in order to make it smaller.
--- a/tools/baseimage-docker-nsenter
+++ b/tools/baseimage-docker-nsenter
--- a/tools/docker-bash
+++ b/tools/docker-bash
@@ -0,0 +1,29 @@
 #!/bin/sh
 set -e
 SELFDIR=`dirname "$0"`
 SELFDIR=`cd "$SELFDIR" && pwd`
 usage()
 {
 	echo "Usage: docker-bash <CONTAINER_ID> [COMMAND...]"
 	echo "Login to a Baseimage-based Docker container using nsenter." \
 		"If COMMAND is not given, opens an interactive shell." \
 		"Otherwise, runs COMMAND inside the container."
 }
 if test $# = 0; then
 	usage
 	exit
 fi
 CONTAINER_ID="$1"
 shift
 PID=`docker inspect -f "{{ .State.Pid }}" "$CONTAINER_ID"`
 if test $# = 0; then
 	exec "$SELFDIR/baseimage-docker-nsenter" --target "$PID" --mount --uts --ipc --net --pid -- /bin/bash -l
 else
 	exec "$SELFDIR/baseimage-docker-nsenter" --target "$PID" --mount --uts --ipc --net --pid -- "$@"
 fi
--- a/tools/docker-ssh
+++ b/tools/docker-ssh
@@ -0,0 +1,81 @@
 #!/bin/sh
 set -e
 KNOWN_HOSTS_FILE=
 IP=
 usage()
 {
 	echo "Usage: docker-ssh <CONTAINER_ID> [COMMAND...]"
 	echo "Login to a Baseimage-based Docker container using SSH." \
 		"If COMMAND is not given, opens an interactive shell." \
 		"Otherwise, runs COMMAND inside the container."
 }
 cleanup()
 {
 	local pids=`jobs -p`
 	if test "$pids" != ""; then
 		kill $pids
 	fi
 	if test "$KNOWN_HOSTS_FILE" != ""; then
 		rm -f "$KNOWN_HOSTS_FILE"
 	fi
 }
 if test $# = 0; then
 	usage
 	exit
 fi
 CONTAINER_ID="$1"
 shift
 trap cleanup EXIT
 if ! test -e ~/.baseimage_docker_insecure_key; then
 	if test -e /usr/local/share/baseimage-docker/insecure_key; then
 		cp /usr/local/share/baseimage-docker/insecure_key ~/.baseimage_docker_insecure_key
 	else
 		dir=`dirname "$0"`
 		dir=`cd "$dir/.." && pwd`
 		if test -e "$dir/image/insecure_key"; then
 			cp "$dir/image/insecure_key" ~/.baseimage_docker_insecure_key
 		else
 			echo "*** ERROR ***: Baseimage-docker insecure key not found." >&2
 			echo "You probably didn't install docker-ssh properly. Please reinstall it:" >&2
 			echo "" >&2
 			echo "  curl --fail -L -O https://github.com/phusion/baseimage-docker/archive/master.tar.gz && \\" >&2
 			echo "  tar xzf master.tar.gz && \\" >&2
 			echo "  sudo ./baseimage-docker-master/install-tools.sh" >&2
 			exit 1
 		fi
 	fi
 	chown "`whoami`": ~/.baseimage_docker_insecure_key
 	chmod 600 ~/.baseimage_docker_insecure_key
 fi
 KNOWN_HOSTS_FILE=`mktemp /tmp/docker-ssh.XXXXXXXXX`
 IP=`docker inspect -f "{{ .NetworkSettings.IPAddress }}" "$CONTAINER_ID"`
 # Prevent SSH from warning about adding a host to the known_hosts file.
 ssh-keyscan "$IP" >"$KNOWN_HOSTS_FILE" 2>&1
 if ! ssh -i ~/.baseimage_docker_insecure_key \
 	-o UserKnownHostsFile="$KNOWN_HOSTS_FILE" \
 	-o StrictHostKeyChecking=no \
 	-o PasswordAuthentication=no \
 	-o KbdInteractiveAuthentication=no \
 	-o ChallengeResponseAuthentication=no \
 	"root@$IP" "$@"
 then
 	STATUS=$?
 	if test $# = 0; then
 		echo "----------------"
 		echo "It appears that login to the Docker container failed. This could be caused by the following reasons:"
 		echo "- The Docker container you're trying to login to is not based on Baseimage-docker. The docker-ssh tool only works with Baseimage-docker-based containers."
 		echo "- You did not enable the the insecure key inside the container. Please read https://github.com/phusion/baseimage-docker/blob/master/README.md#login to learn how to enable the insecure key."
 	fi
 	exit $STATUS
 fi
Author	SHA1	Message	Date
Hongli Lai (Phusion)	d55fa363bf	Update changelog	2014-07-16 21:07:59 +02:00
Hongli Lai (Phusion)	eb189e7864	Officially support nsenter	2014-07-16 21:07:49 +02:00
Hongli Lai (Phusion)	7fd667bc1f	Update Changelog	2014-07-13 23:59:40 +02:00
Hongli Lai	5106ffd4b1	Merge pull request #105 from bubenkoff/patch-1 Allow X11 forwarding and remove invalid xauth location	2014-07-13 23:58:19 +02:00
Hongli Lai (Phusion)	3526928ad9	Update README	2014-07-13 23:09:52 +02:00
Hongli Lai (Phusion)	9cf192ca02	Fix mistake in changelog	2014-07-13 23:06:05 +02:00
Hongli Lai (Phusion)	25e8b1c535	Make docker-bash work on a regular sh shell instead of bash. Closes GH-103.	2014-07-13 12:50:16 +02:00
Hongli Lai (Phusion)	2fa47a225b	Update Readme	2014-07-13 01:31:14 +02:00
Hongli Lai (Phusion)	b9d75d899d	Fix documentation order	2014-07-13 01:12:04 +02:00
Hongli Lai (Phusion)	1f38e2226e	Added a workaround for Docker's inability to modify /etc/hosts in the container. See Docker bug 2267: https://github.com/dotcloud/docker/issues/2267	2014-07-13 00:49:05 +02:00
Hongli Lai (Phusion)	291b9aae02	Bump version to 0.9.12	2014-07-13 00:49:05 +02:00
Hongli Lai (Phusion)	75902437c9	Move scripts into bin directory	2014-07-13 00:49:04 +02:00
Hongli Lai	73d900dece	Merge pull request #106 from mephi42/master my_init: use stderr for all logs Useful when you want to run tar within the container and pipe the archive to host.	2014-07-03 11:36:04 +02:00
mephi42	669435158f	my_init: use stderr for all logs Useful when you want to run tar within the container and pipe the archive to host.	2014-07-02 19:12:42 -04:00
Anatoly Bubenkov	a32cbb7808	remove explicit xauth location Change allows to connect by ssh using X11 forwarding from linux host, otherwise you get debug1: Remote: No xauth program; cannot forward with spoofing.	2014-07-02 16:04:37 +02:00
Hongli Lai	070245feb8	Merge pull request #97 from dgoujard/master Update doc with more informations in ssh section	2014-06-24 17:07:46 +02:00
Hongli Lai (Phusion)	f58282d4d3	Note release date	2014-06-24 16:40:22 +02:00
Hongli Lai (Phusion)	e6258b37b5	Give credit to Brant Fitzsimmons	2014-06-24 16:39:56 +02:00
Hongli Lai	71ce2a6d9d	Merge pull request #98 from bfitzsimmons/patch-1 Fixed typo.	2014-06-23 19:09:11 +02:00
Brant Fitzsimmons	08d5b93095	Fixed typo.	2014-06-23 12:56:26 -04:00
Damien Goujard	7d2bdfe67e	Update doc with more informations in ssh section	2014-06-22 09:39:59 +02:00
Hongli Lai	d0e63da07b	Merge pull request #86 from imanel/patch-2 Don't write HOME env variable	2014-06-20 13:45:36 +02:00
Bernard Potocki	2beb0e253e	Change break to continue	2014-06-20 12:38:17 +02:00
Hongli Lai (Phusion)	0302713554	Update documentation	2014-06-20 11:33:10 +02:00
Hongli Lai	7ac6795aa5	Merge pull request #84 from imanel/patch-1 Preserve ENV variables for SSH client	2014-06-20 11:28:27 +02:00
Hongli Lai	feab2fce75	Merge pull request #94 from pda/stderr-not-proctitle my_init: runsvdir no longer redirects stderr to proctitle.	2014-06-20 11:26:39 +02:00
Paul Annesley	3019bbf09b	my_init: runsvdir no longer redirects stderr to proctitle. As described at http://smarden.org/runit/runsvdir.8.html passing a log option to runsvdir causes stderr to be redirected to the proctitle. That prevents stderr from reaching docker logs, which is a big problem.	2014-06-18 09:38:52 -07:00
Bernard Potocki	18a7fe26ec	Add USER, GROUP, UID, GID and SHELL to restricted env variables	2014-06-18 17:29:02 +02:00
Bernard Potocki	b9d788611a	Update readme	2014-06-18 17:13:44 +02:00
Bernard Potocki	1357e9399e	Add docker_env group and make container_environment scripts group-readable	2014-06-18 17:10:35 +02:00
Hongli Lai (Phusion)	ba1e1ffbf5	Fix an anchor in the README	2014-06-17 17:41:20 +02:00
Hongli Lai (Phusion)	0b468fb61b	Introduce the `docker-bash` tool. This is a shortcut tool for logging into a container using SSH. Usage: `docker-bash <CONTAINER_ID>`.	2014-06-17 17:40:34 +02:00
Hongli Lai	9db4f43b74	Merge pull request #93 from qerub/ipaddress Use Go template instead of grep to extract container IP address	2014-06-17 14:40:05 +02:00
Hongli Lai (Phusion)	5806f51ea3	Fixed various process waiting issues in `my_init`. Closes GH-27. Closes GH-82. Closes GH-83. Thanks to André Luiz dos Santos and Paul Annesley.	2014-06-17 14:35:05 +02:00
Hongli Lai (Phusion)	c431f2d151	Update Changelog	2014-06-17 13:27:03 +02:00
Hongli Lai	76100b639a	Merge pull request #88 from jeckhart/fix-syslogng-runit-run Missing target of chown in syslog-ng runit run file	2014-06-17 13:15:20 +02:00
Hongli Lai	ecf6e6b226	Merge pull request #90 from yebyen/patch-1 needed for insecure key usage	2014-06-17 13:03:48 +02:00
Hongli Lai (Phusion)	92c2ea22ed	Install add-apt-repository. Closes GH-74.	2014-06-17 12:46:14 +02:00
Hongli Lai (Phusion)	436be20ff0	Bump version to 0.9.11	2014-06-17 12:45:24 +02:00
Christoffer Sawicki	f445cafe03	Use Go template instead of grep to extract container IP address	2014-06-16 14:20:46 +02:00
Hongli Lai	93572a5698	Update CONTRIBUTING.md Fix link	2014-06-16 12:41:42 +02:00
Hongli Lai	f5efca365c	Create CONTRIBUTING.md	2014-06-16 12:41:13 +02:00
yebyen	949bd1d89f	needed for insecure key usage `chmod 600` is for the benefit of ssh client, which will otherwise spew: ``` chmod 600 image/insecure_key.pub SSHing into 172.17.0.2 Warning: Permanently added '172.17.0.2' (ECDSA) to the list of known hosts. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: UNPROTECTED PRIVATE KEY FILE! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ Permissions 0664 for 'image/insecure_key' are too open. It is required that your private key files are NOT accessible by others. This private key will be ignored. bad permissions: ignore key: image/insecure_key ``` As you can see though, the wrong file is `chmod`'ed -- it's the private key that SSH will insist should be protected with a more restrictive mode. After this, `CMD ["/sbin/my_init", "--enable-insecure-key"]` works as expected.	2014-06-09 12:32:52 -04:00
John Eckhart	2b339a3344	Missing target of chown	2014-06-04 02:10:00 -04:00
Bernard Potocki	b665b78454	Make container_envoriments.sh and .json readable by other users Prevents bug when loading env variables on non-root user login.	2014-06-02 15:06:02 +02:00
Bernard Potocki	5b403fe06c	Don't write HOME env variable Loading HOME variable breaks multi-user container (i.e. logging as postgres user) if you try to load variables via `/etc/container_environment.sh`.	2014-06-02 15:03:49 +02:00
Bernard Potocki	1a6c43b8d7	Preserve ENV variables for SSH client Currently when you ssh to host you will not see ENV variables set. This was mentioned earlier in #54 and solution is tested. Additional rationale: currently you can't see docker link ENV variables inside ssh, so you need to load this file every time you connect to container. I would say that expected behavior is to preserve them in services that are provided at default (cron/ssh)	2014-06-02 00:11:24 +02:00
Hongli Lai	0325abf74e	Changelog.md now explicitly mentions that the latest version is not yet released	2014-05-16 14:17:15 +02:00
Hongli Lai (Phusion)	22c3d60d94	Install `ca-certificates` package by default. This is because we include `apt-transport-https`, but Ubuntu 14.04 no longer installs `ca-certificates` by default anymore. Closes GH-73.	2014-05-12 23:07:17 +02:00
Hongli Lai (Phusion)	b56693beb3	Fix syslog-ng. The system() source in the default syslog-ng config file does not work in Docker because it tries to access /proc/kmsg, which is not allowed due to Docker's privileges. We replace it by a source that only reads from /dev/log.	2014-05-12 17:29:45 +02:00
Hongli Lai (Phusion)	612b1504af	The syslog-ng script should restore /dev/xconsole permissions because that's what the official init script does	2014-05-12 16:43:55 +02:00
Hongli Lai (Phusion)	7bde5d9993	Document release date of 0.9.10	2014-05-12 16:15:59 +02:00
Hongli Lai (Phusion)	af11b5e7b4	Early in the my_init initialization process, do not overwrite already-defined environment variables by the ones in /etc/container_environment. Closes GH-52.	2014-05-12 16:14:47 +02:00
Hongli Lai (Phusion)	29d315891f	Use Ubuntu 14.04 as Vagrant box	2014-05-12 16:14:44 +02:00
Hongli Lai (Phusion)	5e0b1b6267	Update URLs to Vagrant boxes	2014-05-12 13:56:40 +02:00
Hongli Lai (Phusion)	e0d3f5d1a4	Bump version to 0.9.10	2014-05-12 10:32:34 +02:00
Hongli Lai (Phusion)	03adf9b696	Document the new environment variable newline handling in my_init	2014-05-12 10:32:18 +02:00
Hongli Lai (Phusion)	51748c3b1d	Update the README to say that we're on Ubuntu 14.04 now.	2014-05-12 10:24:52 +02:00
Hongli Lai (Phusion)	895b145207	Update Changelog	2014-05-12 10:24:02 +02:00
mpeterson	d3d4b6124a	modified setuser to use Python3 (default on 14.04)	2014-05-12 10:21:54 +02:00
mpeterson	5cfdd42d4b	Modify defaults for syslog_ng to function properly On 14.04 (trusty) there is nos no need to list all the modules since that was fixed. No only that, listing them causes an error and it doesn't start.	2014-05-12 10:21:54 +02:00
Kingdon Barrett	6acfd8794d	Remove /dev/log if it's a file a file. Fixes https://github.com/phusion/baseimage-docker/pull/25	2014-05-12 10:21:36 +02:00
Santiago M. Mola	90ff4682df	Migrate to Python 3 Ubuntu Trusty ships Python 3 by default, but not Python 2. Older versions already ship Python 3, so this change should be safe.	2014-05-10 12:28:23 +00:00
Paul Jimenez	17f000b744	Upgrade from Precise to Trusty Conflicts: image/sources.list	2014-05-10 12:26:34 +00:00
mpeterson	90262a0460	Better way to enable universe and multiverse Instead of copying over a hardcoded file we just uncomment the correct lines via two simple sed commands. Conflicts: image/sources.list	2014-05-10 12:24:41 +00:00
Hongli Lai	9f369b5ed7	Merge pull request #51 from nanobeep/patch-1 Use '--rm' instead of '-rm', which was deprecated in Docker 0.9	2014-04-21 16:43:35 +02:00
Matt Jaynes	2ba32b6172	Use '--rm' instead of '-rm', which was deprecated in Docker 0.9	2014-04-08 15:36:36 -06:00
Hongli Lai	c740ff2f4d	Merge pull request #49 from harto/trim-env-newlines Trim trailing newlines from file-based envs	2014-04-02 16:47:09 +02:00
Stuart Campbell	5e2ee3838d	Trim trailing newlines from file-based envs Many editors add a trailing newline to files. This can result in slightly unexpected values for environment variables read from /etc/container_environment.	2014-04-03 00:13:09 +11:00
Hongli Lai (Phusion)	8f9eefa1f6	Correctly pass child process' exit status to sys.exit(). Closes GH-45	2014-03-28 10:23:25 +01:00
Hongli Lai (Phusion)	5ae32384d5	Document 0.9.9 release date	2014-03-25 17:18:16 +01:00
Hongli Lai (Phusion)	f55fde8d99	Fix a bug in the build process	2014-03-25 17:06:53 +01:00
Hongli Lai (Phusion)	0632b4865b	Set the INITRD env variable and make 'ischroot' always return true. This prevents initramfs and initscripts updates from breaking.	2014-03-25 16:44:33 +01:00
Hongli Lai (Phusion)	7914d8ac55	Enable more Ubuntu APT repositories.	2014-03-25 16:44:29 +01:00
Hongli Lai (Phusion)	73709ed0a0	During 'docker build', temporarily disable dpkg fsync to make it faster	2014-03-25 16:22:04 +01:00
Hongli Lai (Phusion)	dfaac83527	Run 'docker build' with '--rm' instead of '-rm', the latter which has been deprecated in Docker 0.9.	2014-03-25 15:49:46 +01:00
Hongli Lai (Phusion)	e11f2b8cfd	Bump version to 0.9.9	2014-03-25 15:49:16 +01:00
Hongli Lai (Phusion)	fa3098206d	Update Changelog	2014-03-25 15:48:05 +01:00
Hongli Lai (Phusion)	ad347d91c8	Merge branch 'amirgur1-master'	2014-03-25 15:37:18 +01:00
Hongli Lai (Phusion)	55727c2f30	Cleanup Amir Gur's patch	2014-03-25 15:36:15 +01:00
Hongli Lai (Phusion)	c8e79991b7	Merge branch 'master' of https://github.com/amirgur1/baseimage-docker into amirgur1-master	2014-03-25 15:30:00 +01:00
Hongli Lai	a03b58d94d	Merge pull request #42 from rhacker/patch-1 Fix typo in Makefile	2014-03-19 10:49:41 +01:00
Dung Quang	ed89f20836	Update Makefile	2014-03-19 09:14:34 +07:00
Hongli Lai (Phusion)	fd8a1273ad	Update Changelog	2014-03-17 12:59:03 +01:00
Hongli Lai	4094d20cec	Merge pull request #38 from slawo-ch/patch-1 properly specify location of sftp-server binary	2014-03-17 12:57:51 +01:00
Slawomir Chodnicki	585932c74c	properly specify location of sftp-server binary Currently there is a symlink at /usr/lib/sftp-server to /usr/lib/openssh/sftp-server in the image. That seems to give trouble with packages like the rssh restricted shell, which will not follow a symlink to the sftp server binary for security reasons. So currently it is not possible to use this image as a basis for scp/sftp only access over ssh.	2014-03-15 18:08:28 +01:00
Hongli Lai	3366687e86	Merge pull request #35 from Laurent-Sarrazin/patch-1 Fix a typo	2014-03-14 11:54:15 +01:00
Laurent Sarrazin	b749352f1e	Fix a typo	2014-03-12 23:27:50 +01:00
Hongli Lai	25d9972c0b	Merge pull request #34 from felixhummel/typo rw is enough for the insecure_key	2014-03-11 15:12:13 +01:00
Felix Hummel	5b1b6e8364	rw is enough for the insecure_key	2014-03-11 13:15:59 +01:00
Hongli Lai	0dab5aa4c8	Merge pull request #30 from ruphin/master typo fix	2014-03-06 12:52:15 +01:00
Amir Gur	2ef5fa1659	* More Parametrization, example. * All synced_folders are included. * Vagrantfile of baseimage and passenger are nearly identical now. (I got to that when wanting to try passenger. But already had a vagrant box started from baseimage, there was no need to dup the effort, just reuse the existing single box for all. Then in end of day, may not need multiple Vagrantfiles. Passenger is a simple structure/process for managing dockers, but only needing to use baseimage once and have one VM up)	2014-03-06 02:28:27 -08:00
Goffert van Gool	17cb4cebca	typo fix	2014-03-06 02:54:37 +01:00
Amir Gur	ac7f9b0785	- Parametrized passenger-docker location	2014-03-04 14:33:57 -08:00
Amir Gur	d06b177508	- Parametrize - Print docker version - Add a d alias to docker - Cleanup	2014-03-03 18:39:28 -08:00
		`@@ -0,0 +1,2 @@`
							`#!/bin/sh`
							`exec /usr/bin/perl -pi -e 's:/etc/hosts:/cte/hosts:g' /lib/x86_64-linux-gnu/libnss_files.so.2`
		`@@ -0,0 +1 @@`
							`baseimage-docker-nsenter is the nsenter tool taken from https://github.com/jpetazzo/nsenter, commit 10ce18a7a32. It has been stripped in order to make it smaller.`