Note release date

Fixed typo.

CONTRIBUTING.md

@@ -0,0 +1,5 @@
+Hey, thanks for wanting to contribute to baseimage-docker. :)
+
+If you have a question, please use the [discussion forum](https://groups.google.com/d/forum/passenger-docker). The Github issue tracker is only for **bug reports and feature requests**.
+
+If you want to develop baseimage-docker, use the Vagrantfile in the repository. It will setup an Ubuntu VM with Docker installed in it. Use the Makefile to build the image.

Changelog.md

@@ -1,3 +1,27 @@
+## 0.9.11 (release date: 2014-06-24)
+
+ * Introduced the `docker-bash` tool. This is a shortcut tool for logging into a container using SSH. Usage: `docker-bash <CONTAINER ID>`. See the README for details.
+ * Fixed various process waiting issues in `my_init`. Closes GH-27, GH-82 and GH-83. Thanks to André Luiz dos Santos and Paul Annesley.
+ * The `ca-certificates` package is now installed by default. This is because we include `apt-transport-https`, but Ubuntu 14.04 no longer installs `ca-certificates` by default anymore. Closes GH-73.
+ * Output print by Runit services are now redirected to the Docker logs instead of to proctitle. Thanks to Paul Annesley.
+ * Container environment variables are now made available to SSH root shells. If you login with SSH through a non-root account, then container environment variables are only made available if that user is a member of the `docker_env` group. Thanks to Bernard Potocki.
+ * `add-apt-repository` is now installed by default. Closes GH-74.
+ * Various minor fixes and contributions thanks to yebyen, John Eckhart, Christoffer Sawicki and Brant Fitzsimmons.
+
+## 0.9.10 (release date: 2014-05-12)
+
+ * Upgraded to Ubuntu 14.04 (Trusty). We will no longer release images based on 12.04.
+   Thanks to contributions by mpeterson, Paul Jimenez, Santiago M. Mola and Kingdon Barrett.
+ * Fixed a problem with my_init not correctly passing child processes' exit status. Fixes GH-45.
+ * When reading environment variables from /etc/container_environment, the trailing newline (if any) is ignored. This makes commands like this work, without unintentially adding a newline to the environment variable value:
+
+        echo my_value > /etc/container_environment/FOO
+
+   If you intended on adding a newline to the value, ensure you have *two* trailing newlines:
+
+        echo -e "my_value\n" > /etc/container_environment/FOO
+ * It was not possible to use `docker run -e` to override environment variables defined in /etc/container_environment. This has been fixed (GH-52). Thanks to Stuart Campbell for reporting this bug.
+
 ## 0.9.9 (release date: 2014-03-25)
 
  * Fixed a problem with rssh. (Slawomir Chodnicki)

Makefile

@@ -1,5 +1,5 @@
 NAME = phusion/baseimage
-VERSION = 0.9.9
+VERSION = 0.9.11
 
 .PHONY: all build test tag_latest release ssh
 
@@ -20,7 +20,7 @@ release: test tag_latest
 	@echo "*** Don't forget to create a tag. git tag rel-$(VERSION) && git push origin rel-$(VERSION)"
 
 ssh:
-	chmod 600 image/insecure_key.pub
+	chmod 600 image/insecure_key
 	@ID=$$(docker ps | grep -F "$(NAME):$(VERSION)" | awk '{ print $$1 }') && \
 		if test "$$ID" = ""; then echo "Container is not running."; exit 1; fi && \
 		IP=$$(docker inspect $$ID | grep IPAddr | sed 's/.*: "//; s/".*//') && \

README.md

@@ -50,6 +50,7 @@ You can configure the stock `ubuntu` image yourself from your Dockerfile, so why
      * [Using the insecure key for one container only](#using_the_insecure_key_for_one_container_only)
      * [Enabling the insecure key permanently](#enabling_the_insecure_key_permanently)
      * [Using your own key](#using_your_own_key)
+     * [The `docker-bash` tool](#docker_bash)
    * [Disabling SSH](#disabling_ssh)
  * [Building the image yourself](#building)
  * [Conclusion](#conclusion)
@@ -66,7 +67,7 @@ You can configure the stock `ubuntu` image yourself from your Dockerfile, so why
 
 | Component        | Why is it included? / Remarks |
 | ---------------- | ------------------- |
-| Ubuntu 12.04 LTS | The base system. |
+| Ubuntu 14.04 LTS | The base system. |
 | A **correct** init process | According to the Unix process model, [the init process](https://en.wikipedia.org/wiki/Init) -- PID 1 -- inherits all [orphaned child processes](https://en.wikipedia.org/wiki/Orphan_process) and must [reap them](https://en.wikipedia.org/wiki/Wait_(system_call)). Most Docker containers do not have an init process that does this correctly, and as a result their containers become filled with [zombie processes](https://en.wikipedia.org/wiki/Zombie_process) over time. <br><br>Furthermore, `docker stop` sends SIGTERM to the init process, which is then supposed to stop all services. Unfortunately most init systems don't do this correctly within Docker since they're built for hardware shutdowns instead. This causes processes to be hard killed with SIGKILL, which doesn't give them a chance to correctly deinitialize things. This can cause file corruption. <br><br>Baseimage-docker comes with an init process `/sbin/my_init` that performs both of these tasks correctly. |
 | Fixes APT incompatibilities with Docker | See https://github.com/dotcloud/docker/issues/1024. |
 | syslog-ng | A syslog daemon is necessary so that many services - including the kernel itself - can correctly log to /var/log/syslog. If no syslog daemon is running, a lot of important messages are silently swallowed. <br><br>Only listens locally. |
@@ -90,7 +91,7 @@ Baseimage-docker *encourages* multiple processes through the use of runit.
 
 To look around in the image, run:
 
-    docker run -rm -t -i phusion/baseimage /sbin/my_init -- bash -l
+    docker run --rm -t -i phusion/baseimage /sbin/my_init -- bash -l
 
 You don't have to download anything manually. The above command will automatically pull the baseimage-docker image from the Docker registry.
 
@@ -150,7 +151,7 @@ Note that the shell script must run the daemon **without letting it daemonize/fo
 
 The baseimage-docker init system, `/sbin/my_init`, runs the following scripts during startup, in the following order:
 
- * All executable scripts in `/etc/my_init.d`, if this directory exists. The scripts are run during in lexicographic order.
+ * All executable scripts in `/etc/my_init.d`, if this directory exists. The scripts are run in lexicographic order.
  * The script `/etc/rc.local`, if this file exists.
 
 All scripts must exit correctly, e.g. with exit code 0. If any script exits with a non-zero exit code, the booting will fail.
@@ -227,7 +228,7 @@ During startup, before running any [startup scripts](#running_startup_scripts),
 
 For example, here's how you can define an environment variable from your Dockerfile:
 
-    RUN echo -n Apachai Hopachai > /etc/container_environment/MY_NAME
+    RUN echo Apachai Hopachai > /etc/container_environment/MY_NAME
 
 You can verify that it works, as follows:
 
@@ -237,6 +238,12 @@ You can verify that it works, as follows:
     # echo $MY_NAME
     Apachai Hopachai
 
+**Handling newlines**
+
+If you've looked carefully, you'll notice that the 'echo' command actually prints a newline. Why does $MY_NAME not contain a newline then? It's because `my_init` strips the trailing newline, if any. If you intended on the value having a newline, you should add *another* newline, like this:
+
+    RUN echo -e "Apachai Hopachai\n" > /etc/container_environment/MY_NAME
+
 <a name="envvar_dumps"></a>
 #### Environment variable dumps
 
@@ -281,7 +288,9 @@ But note that:
 <a name="envvar_security"></a>
 #### Security
 
-Because environment variables can potentially contain sensitive information, `/etc/container_environment` and its Bash and JSON dumps are by default owned by root, and root-accessible only. If you are sure that your environment variables don't contain sensitive data, then you can relax the permissions on that directory and those files by making them world-readable:
+Because environment variables can potentially contain sensitive information, `/etc/container_environment` and its Bash and JSON dumps are by default owned by root, and accessible only by the `docker_env` group (so that any user added this group will have these variables automatically loaded).
+
+If you are sure that your environment variables don't contain sensitive data, then you can also relax the permissions on that directory and those files by making them world-readable:
 
     RUN chmod 755 /etc/container_environment
     RUN chmod 644 /etc/container_environment.sh /etc/container_environment.json
@@ -308,7 +317,7 @@ Find out the ID of the container that you just ran:
 
 Once you have the ID, look for its IP address with:
 
-    docker inspect <ID> | grep IPAddress
+    docker inspect -f "{{ .NetworkSettings.IPAddress }}" <ID>
 
 Now SSH into the container as follows:
 
@@ -346,12 +355,33 @@ Find out the ID of the container that you just ran:
 
 Once you have the ID, look for its IP address with:
 
-    docker inspect <ID> | grep IPAddress
+    docker inspect -f "{{ .NetworkSettings.IPAddress }}" <ID>
 
 Now SSH into the container as follows:
 
     ssh -i /path-to/your_key root@<IP address>
 
+<a name="docker_bash"></a>
+#### The `docker-bash` tool
+
+Looking up the IP of a container and running an SSH command quickly becomes tedious. Luckily, we provide the `docker-bash` tool which automates this process. This tool is to be run on the *Docker host*, not inside a Docker container.
+
+First, install the tool on the Docker host:
+
+    curl --fail -L -O https://github.com/phusion/baseimage-docker/archive/master.tar.gz && \
+    tar xzf master.tar.gz && \
+    sudo ./baseimage-docker-master/install-tools.sh
+
+Then run the tool as follows to login to a container using SSH:
+
+    docker-bash YOUR-CONTAINER-ID
+
+You can lookup `YOUR-CONTAINER-ID` by running `docker ps`.
+
+By default, `docker-bash` will open a Bash session. You can also tell it to run a command, and then exit:
+
+    docker-bash YOUR-CONTAINER-ID echo hello world
+
 
 <a name="building"></a>
 ## Building the image yourself

Vagrantfile

@@ -9,9 +9,9 @@ VAGRANTFILE_API_VERSION = '2'
 # Example overrides:
 #   echo "ENV['PASSENGER_DOCKER_PATH'] ||= '../../phusion/passenger-docker'   " >> ~/.vagrant.d/Vagrantfile
 #   echo "ENV['BASE_BOX_URL']          ||= 'd\:/dev/vm/vagrant/boxes/phusion/'" >> ~/.vagrant.d/Vagrantfile
-BASE_BOX_URL          = ENV['BASE_BOX_URL']    || 'https://oss-binaries.phusionpassenger.com/vagrant/boxes/'
-VAGRANT_BOX_URL       = ENV['VAGRANT_BOX_URL'] || BASE_BOX_URL + 'ubuntu-12.04.3-amd64-vbox.box'
-VMWARE_BOX_URL        = ENV['VMWARE_BOX_URL']  || BASE_BOX_URL + 'ubuntu-12.04.3-amd64-vmwarefusion.box'
+BASE_BOX_URL          = ENV['BASE_BOX_URL']    || 'https://oss-binaries.phusionpassenger.com/vagrant/boxes/latest/'
+VAGRANT_BOX_URL       = ENV['VAGRANT_BOX_URL'] || BASE_BOX_URL + 'ubuntu-14.04-amd64-vbox.box'
+VMWARE_BOX_URL        = ENV['VMWARE_BOX_URL']  || BASE_BOX_URL + 'ubuntu-14.04-amd64-vmwarefusion.box'
 BASEIMAGE_PATH        = ENV['BASEIMAGE_PATH' ] || '.'
 PASSENGER_DOCKER_PATH = ENV['PASSENGER_PATH' ] || '../passenger-docker'
 DOCKERIZER_PATH       = ENV['DOCKERIZER_PATH'] || '../dockerizer'
@@ -27,7 +27,7 @@ su - vagrant -c 'echo alias d=docker >> ~/.bash_aliases'
 SCRIPT
 
 Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
-  config.vm.box = 'phusion-open-ubuntu-12.04-amd64'
+  config.vm.box = 'phusion-open-ubuntu-14.04-amd64'
   config.vm.box_url = VAGRANT_BOX_URL
   config.ssh.forward_agent = true
   passenger_docker_path = File.absolute_path(PASSENGER_DOCKER_PATH, ROOT)

image/Dockerfile

@@ -1,4 +1,4 @@
-FROM ubuntu:12.04
+FROM ubuntu:14.04
 MAINTAINER Phusion <info@phusion.nl>
 
 ENV HOME /root

image/config/syslog_ng_default

@@ -9,5 +9,4 @@
 #CONSOLE_LOG_LEVEL=1
 
 # Command line options to syslog-ng
-# We set --default-modules because of https://github.com/phusion/baseimage-docker/pull/7.
-SYSLOGNG_OPTS="--no-caps --default-modules=affile,afprog,afsocket,afuser,basicfuncs,csvparser,dbparser,syslogformat"
+SYSLOGNG_OPTS="--no-caps"

image/my_init

@@ -1,5 +1,5 @@
-#!/usr/bin/python2 -u
-import os, os.path, sys, stat, signal, errno, argparse, time, json, re, posixfile
+#!/usr/bin/python3 -u
+import os, os.path, sys, stat, signal, errno, argparse, time, json, re
 
 KILL_PROCESS_TIMEOUT = 5
 KILL_ALL_PROCESSES_TIMEOUT = 5
@@ -11,6 +11,8 @@ LOG_LEVEL_DEBUG = 3
 
 log_level = None
 
+terminated_child_processes = {}
+
 class AlarmException(Exception):
 	pass
 
@@ -54,21 +56,27 @@ def is_exe(path):
 	except OSError:
 		return False
 
-def import_envvars(clear_existing_environment = True):
+def import_envvars(clear_existing_environment = True, override_existing_environment = True):
 	new_env = {}
 	for envfile in listdir("/etc/container_environment"):
 		name = os.path.basename(envfile)
 		with open("/etc/container_environment/" + envfile, "r") as f:
-			value = f.read()
+			# Text files often end with a trailing newline, which we
+			# don't want to include in the env variable value. See
+			# https://github.com/phusion/baseimage-docker/pull/49
+			value = re.sub('\n\Z', '', f.read())
 		new_env[name] = value
 	if clear_existing_environment:
 		os.environ.clear()
 	for name, value in new_env.items():
-		os.environ[name] = value
+		if override_existing_environment or not name in os.environ:
+			os.environ[name] = value
 
 def export_envvars(to_dir = True):
 	shell_dump = ""
 	for name, value in os.environ.items():
+		if name in ['HOME', 'USER', 'GROUP', 'UID', 'GID', 'SHELL']:
+			continue
 		if to_dir:
 			with open("/etc/container_environment/" + name, "w") as f:
 				f.write(value)
@@ -91,19 +99,36 @@ def shquote(s):
 	# the string $'b is then quoted as '$'"'"'b'
 	return "'" + s.replace("'", "'\"'\"'") + "'"
 
+# Waits for the child process with the given PID, while at the same time
+# reaping any other child processes that have exited (e.g. adopted child
+# processes that have terminated).
 def waitpid_reap_other_children(pid):
+	global terminated_child_processes
+
+	status = terminated_child_processes.get(pid)
+	if status:
+		# A previous call to waitpid_reap_other_children(),
+		# with an argument not equal to the current argument,
+		# already waited for this process. Return the status
+		# that was obtained back then.
+		del terminated_child_processes[pid]
+		return status
+
 	done = False
 	status = None
-	try:
-		this_pid, status = os.waitpid(pid, os.WNOHANG)
-	except OSError as e:
-		if e.errno == errno.ECHILD or e.errno == errno.ESRCH:
-			return None
-		else:
-			raise
 	while not done:
-		this_pid, status = os.waitpid(-1, 0)
-		done = this_pid == pid
+		try:
+			this_pid, status = os.waitpid(-1, 0)
+			if this_pid == pid:
+				done = True
+			else:
+				# Save status for later.
+				terminated_child_processes[this_pid] = status
+		except OSError as e:
+			if e.errno == errno.ECHILD or e.errno == errno.ESRCH:
+				return None
+			else:
+				raise
 	return status
 
 def stop_child_process(name, pid, signo = signal.SIGTERM, time_limit = KILL_PROCESS_TIMEOUT):
@@ -143,9 +168,9 @@ def run_command_killable(*argv):
 		raise
 	if status != 0:
 		if status is None:
-			error("%s exited with unknown exit code\n" % filename)
+			error("%s exited with unknown status\n" % filename)
 		else:
-			error("%s failed with exit code %d\n" % (filename, status))
+			error("%s failed with status %d\n" % (filename, os.WEXITSTATUS(status)))
 		sys.exit(1)
 
 def run_command_killable_and_import_envvars(*argv):
@@ -196,7 +221,7 @@ def run_startup_files():
 def start_runit():
 	info("Booting runit daemon...")
 	pid = os.spawnl(os.P_NOWAIT, "/usr/bin/runsvdir", "/usr/bin/runsvdir",
-		"-P", "/etc/service", "log: %s" % ('.' * 395))
+		"-P", "/etc/service")
 	info("Runit started as PID %d" % pid)
 	return pid
 
@@ -224,7 +249,7 @@ def install_insecure_key():
 	run_command_killable("/usr/sbin/enable_insecure_key")
 
 def main(args):
-	import_envvars(False)
+	import_envvars(False, False)
 	export_envvars()
 
 	if args.enable_insecure_key:
@@ -239,31 +264,34 @@ def main(args):
 	if not args.skip_runit:
 		runit_pid = start_runit()
 	try:
+		exit_status = None
 		if len(args.main_command) == 0:
 			runit_exited, exit_code = wait_for_runit_or_interrupt(runit_pid)
 			if runit_exited:
 				if exit_code is None:
-					info("Runit exited with unknown exit code")
-					exit_code = 1
+					info("Runit exited with unknown status")
+					exit_status = 1
 				else:
-					info("Runit exited with code %d" % exit_code)
+					exit_status = os.WEXITSTATUS(exit_code)
+					info("Runit exited with status %d" % exit_status)
 		else:
 			info("Running %s..." % " ".join(args.main_command))
 			pid = os.spawnvp(os.P_NOWAIT, args.main_command[0], args.main_command)
 			try:
 				exit_code = waitpid_reap_other_children(pid)
 				if exit_code is None:
-					info("%s exited with unknown exit code." % args.main_command[0])
-					exit_code = 1
+					info("%s exited with unknown status." % args.main_command[0])
+					exit_status = 1
 				else:
-					info("%s exited with exit code %d." % (args.main_command[0], exit_code))
+					exit_status = os.WEXITSTATUS(exit_code)
+					info("%s exited with status %d." % (args.main_command[0], exit_status))
 			except KeyboardInterrupt:
 				stop_child_process(args.main_command[0], pid)
 			except BaseException as s:
 				warn("An error occurred. Aborting.")
 				stop_child_process(args.main_command[0], pid)
 				raise
-		sys.exit(exit_code)
+		sys.exit(exit_status)
 	finally:
 		if not args.skip_runit:
 			shutdown_runit_services()

image/prepare.sh

@@ -14,7 +14,8 @@ mkdir -p /etc/container_environment
 echo -n no > /etc/container_environment/INITRD
 
 ## Enable Ubuntu Universe and Multiverse.
-cp /build/sources.list /etc/apt/sources.list
+sed -i 's/^#\s*\(deb.*universe\)$/\1/g' /etc/apt/sources.list
+sed -i 's/^#\s*\(deb.*multiverse\)$/\1/g' /etc/apt/sources.list
 apt-get update
 
 ## Fix some issues with APT packages.
@@ -30,7 +31,10 @@ dpkg-divert --local --rename --add /usr/bin/ischroot
 ln -sf /bin/true /usr/bin/ischroot
 
 ## Install HTTPS support for APT.
-$minimal_apt_get_install apt-transport-https
+$minimal_apt_get_install apt-transport-https ca-certificates
+
+## Install add-apt-repository
+$minimal_apt_get_install software-properties-common
 
 ## Upgrade all packages.
 apt-get dist-upgrade -y --no-install-recommends

image/runit/syslog-ng

@@ -1,6 +1,11 @@
 #!/bin/sh
 set -e
 
+# If /dev/log is either a named pipe or it was placed there accidentally,
+# e.g. because of the issue documented at https://github.com/phusion/baseimage-docker/pull/25,
+# then we remove it.
+if [ ! -S /dev/log ]; then rm -f /dev/log; fi
+
 SYSLOGNG_OPTS=""
 
 [ -r /etc/default/syslog-ng ] && . /etc/default/syslog-ng
@@ -19,6 +24,8 @@ esac
 if [ ! -e /dev/xconsole ]
 then
   mknod -m 640 /dev/xconsole p
+  chown root:adm /dev/xconsole
+  [ -x /sbin/restorecon ] && /sbin/restorecon $XCONSOLE
 fi
 
 exec syslog-ng -F -p /var/run/syslog-ng.pid $SYSLOGNG_OPTS

image/setuser

@@ -1,4 +1,4 @@
-#!/usr/bin/python2
+#!/usr/bin/python3
 import sys, os, pwd
 
 if len(sys.argv) < 3:

image/sources.list

@@ -1,25 +0,0 @@
-deb http://archive.ubuntu.com/ubuntu precise main restricted
-deb-src http://archive.ubuntu.com/ubuntu precise main restricted
-
-deb http://archive.ubuntu.com/ubuntu precise-updates main restricted
-deb-src http://archive.ubuntu.com/ubuntu precise-updates main restricted
-
-deb http://archive.ubuntu.com/ubuntu precise universe
-deb-src http://archive.ubuntu.com/ubuntu precise universe
-deb http://archive.ubuntu.com/ubuntu precise-updates universe
-deb-src http://archive.ubuntu.com/ubuntu precise-updates universe
-
-deb http://archive.ubuntu.com/ubuntu precise multiverse
-deb-src http://archive.ubuntu.com/ubuntu precise multiverse
-deb http://archive.ubuntu.com/ubuntu precise-updates multiverse
-deb-src http://archive.ubuntu.com/ubuntu precise-updates multiverse
-
-deb http://archive.ubuntu.com/ubuntu precise-backports main restricted universe multiverse
-deb-src http://archive.ubuntu.com/ubuntu precise-backports main restricted universe multiverse
-
-deb http://archive.ubuntu.com/ubuntu precise-security main restricted
-deb-src http://archive.ubuntu.com/ubuntu precise-security main restricted
-deb http://archive.ubuntu.com/ubuntu precise-security universe
-deb-src http://archive.ubuntu.com/ubuntu precise-security universe
-deb http://archive.ubuntu.com/ubuntu precise-security multiverse
-deb-src http://archive.ubuntu.com/ubuntu precise-security multiverse

image/system_services.sh

@@ -10,7 +10,11 @@ mkdir -p /etc/container_environment
 touch /etc/container_environment.sh
 touch /etc/container_environment.json
 chmod 700 /etc/container_environment
-chmod 600 /etc/container_environment.sh /etc/container_environment.json
+
+groupadd docker_env
+chown :docker_env /etc/container_environment.sh /etc/container_environment.json
+chmod 640 /etc/container_environment.sh /etc/container_environment.json
+ln -s /etc/container_environment.sh /etc/profile.d/
 
 ## Install runit.
 $minimal_apt_get_install runit
@@ -21,6 +25,9 @@ mkdir /etc/service/syslog-ng
 cp /build/runit/syslog-ng /etc/service/syslog-ng/run
 mkdir -p /var/lib/syslog-ng
 cp /build/config/syslog_ng_default /etc/default/syslog-ng
+# Replace the system() source because inside Docker we
+# can't access /proc/kmsg.
+sed -i -E 's/^(\s*)system\(\);/\1unix-stream("\/dev\/log");/' /etc/syslog-ng/syslog-ng.conf
 
 ## Install logrotate.
 $minimal_apt_get_install logrotate

install-tools.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+set -e
+dir=`dirname "$0"`
+cd "$dir"
+
+set -x
+cp tools/* /usr/local/bin/
+mkdir -p /usr/local/share/baseimage-docker
+cp image/insecure_key /usr/local/share/baseimage-docker/
+chmod 644 /usr/local/share/baseimage-docker/insecure_key

tools/docker-bash

@@ -0,0 +1,82 @@
+#!/bin/bash
+set -e
+set -o pipefail
+
+KNOWN_HOSTS_FILE=
+IP=
+
+function usage()
+{
+	echo "Usage: docker-bash <CONTAINER_ID> [COMMAND...]"
+	echo "Login to a Baseimage-based Docker container using SSH."
+	echo "If COMMAND is not given, opens an interactive shell."
+	echo "Otherwise, runs COMMAND inside the container."
+}
+
+function cleanup()
+{
+	local pids=`jobs -p`
+	if [[ "$pids" != "" ]]; then
+		kill $pids
+	fi
+
+	if [[ "$KNOWN_HOSTS_FILE" != "" ]]; then
+		rm -f "$KNOWN_HOSTS_FILE"
+	fi
+}
+
+if [[ $# = 0 ]]; then
+	usage
+	exit
+fi
+
+CONTAINER_ID="$1"
+shift
+
+trap cleanup EXIT
+
+if ! [[ -e ~/.baseimage_docker_insecure_key ]]; then
+	if [[ -e /usr/local/share/baseimage-docker/insecure_key ]]; then
+		cp /usr/local/share/baseimage-docker/insecure_key ~/.baseimage_docker_insecure_key
+	else
+		dir=`dirname "$0"`
+		dir=`cd "$dir/.." && pwd`
+		if [[ -e "$dir/image/insecure_key" ]]; then
+			cp "$dir/image/insecure_key" ~/.baseimage_docker_insecure_key
+		else
+			echo "*** ERROR ***: Baseimage-docker insecure key not found." >&2
+			echo "You probably didn't install docker-bash properly. Please reinstall it:" >&2
+			echo "" >&2
+			echo "  curl --fail -L -O https://github.com/phusion/baseimage-docker/archive/master.tar.gz && \\" >&2
+			echo "  tar xzf master.tar.gz && \\" >&2
+			echo "  sudo ./baseimage-docker-master/install-tools.sh" >&2
+			exit 1
+		fi
+	fi
+	chown "`whoami`": ~/.baseimage_docker_insecure_key
+	chmod 600 ~/.baseimage_docker_insecure_key
+fi
+
+KNOWN_HOSTS_FILE=`mktemp /tmp/docker-bash.XXXXXXXXX`
+IP=`docker inspect -f "{{ .NetworkSettings.IPAddress }}" "$CONTAINER_ID"`
+
+# Prevent SSH from warning about adding a host to the known_hosts file.
+ssh-keyscan "$IP" >"$KNOWN_HOSTS_FILE" 2>&1
+
+if ! ssh -i ~/.baseimage_docker_insecure_key \
+	-o UserKnownHostsFile="$KNOWN_HOSTS_FILE" \
+	-o StrictHostKeyChecking=no \
+	-o PasswordAuthentication=no \
+	-o KbdInteractiveAuthentication=no \
+	-o ChallengeResponseAuthentication=no \
+	"root@$IP" "$@"
+then
+	STATUS=$?
+	if [[ $# = 0 ]]; then
+		echo "----------------"
+		echo "It appears that login to the Docker container failed. This could be caused by the following reasons:"
+		echo "- The Docker container you're trying to login to is not based on Baseimage-docker. The docker-bash tool only works with Baseimage-docker-based containers."
+		echo "- You did not enable the the insecure key inside the container. Please read https://github.com/phusion/baseimage-docker/blob/master/README.md#login to learn how to enable the insecure key."
+	fi
+	exit $STATUS
+fi