diff --git a/.travis.yml b/.travis.yml index 448718f..09101ce 100644 --- a/.travis.yml +++ b/.travis.yml @@ -3,17 +3,20 @@ sudo: required services: - docker -script: - - make build +env: + global: + - NAME=phusion/baseimage + # - VERSION=${TRAVIS_TAG} + - VERSION=${TRAVIS_BRANCH} -deploy: - - provider: script - script: make test_release - on: - branch: master - tags: true - condition: '$TRAVIS_TAG =~ ^[0-9]+(\.[0-9]+)*$' - - provider: script - script: make test_master - on: - branch: master +script: + - docker build -t ${NAME}:${VERSION} --rm image + - env NAME=${NAME} VERSION=${VERSION} ./test/runner.sh + +after_success: + - docker login -u "${DOCKER_USERNAME}" -p "${DOCKER_PASSWORD}"; + docker push ${NAME}:${VERSION}; + # - if [ "${TRAVIS_BRANCH}" == "master" ]; then + # docker tag ${NAME}:${VERSION} ${NAME}:latest + # docker push ${NAME}:latest; + # fi diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000..f4d10c8 --- /dev/null +++ b/CODE_OF_CONDUCT.md @@ -0,0 +1,46 @@ +# Contributor Covenant Code of Conduct + +## Our Pledge + +In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation. + +## Our Standards + +Examples of behavior that contributes to creating a positive environment include: + +* Using welcoming and inclusive language +* Being respectful of differing viewpoints and experiences +* Gracefully accepting constructive criticism +* Focusing on what is best for the community +* Showing empathy towards other community members + +Examples of unacceptable behavior by participants include: + +* The use of sexualized language or imagery and unwelcome sexual attention or advances +* Trolling, insulting/derogatory comments, and personal or political attacks +* Public or private harassment +* Publishing others' private information, such as a physical or electronic address, without explicit permission +* Other conduct which could reasonably be considered inappropriate in a professional setting + +## Our Responsibilities + +Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior. + +Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful. + +## Scope + +This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers. + +## Enforcement + +Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at info@phusion.nl. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately. + +Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership. + +## Attribution + +This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version] + +[homepage]: http://contributor-covenant.org +[version]: http://contributor-covenant.org/version/1/4/ diff --git a/Makefile b/Makefile index ce7031e..1ff9dcb 100644 --- a/Makefile +++ b/Makefile @@ -1,5 +1,5 @@ NAME = phusion/baseimage -VERSION = 0.9.22 +VERSION = 0.10.0 .PHONY: all build test tag_latest release ssh diff --git a/README.md b/README.md index 200b715..e450887 100644 --- a/README.md +++ b/README.md @@ -1,9 +1,9 @@ # A minimal Ubuntu base image modified for Docker-friendliness -[![](https://badge.imagelayers.io/phusion/baseimage:0.9.17.svg)](https://imagelayers.io/?images=phusion/baseimage:latest 'Get your own badge on imagelayers.io') +[![](https://badge.imagelayers.io/phusion/baseimage:latest.svg)](https://imagelayers.io/?images=phusion/baseimage:latest 'Get your own badge on imagelayers.io') [![Travis](https://img.shields.io/travis/phusion/baseimage-docker.svg)](https://travis-ci.org/phusion/baseimage-docker) -_Baseimage-docker only consumes 6 MB RAM and is much powerful than Busybox or Alpine. See why below._ +_Baseimage-docker only consumes 6 MB RAM and is much more powerful than Busybox or Alpine. See why below._ Baseimage-docker is a special [Docker](https://www.docker.com) image that is configured for correct use within Docker containers. It is Ubuntu, plus: @@ -57,6 +57,7 @@ You can configure the stock `ubuntu` image yourself from your Dockerfile, so why * [Environment variable dumps](#envvar_dumps) * [Modifying environment variables](#modifying_envvars) * [Security](#envvar_security) + * [System logging](#logging) * [Upgrading the operating system inside the container](#upgrading_os) * [Container administration](#container_administration) * [Running a one-shot command in a new container](#oneshot) @@ -95,6 +96,7 @@ You can configure the stock `ubuntu` image yourself from your Dockerfile, so why | cron | The cron daemon must be running for cron jobs to work. | | [runit](http://smarden.org/runit/) | Replaces Ubuntu's Upstart. Used for service supervision and management. Much easier to use than SysV init and supports restarting daemons when they crash. Much easier to use and more lightweight than Upstart. | | `setuser` | A tool for running a command as another user. Easier to use than `su`, has a smaller attack vector than `sudo`, and unlike `chpst` this tool sets `$HOME` correctly. Available as `/sbin/setuser`. | +| `install_clean` | A tool for installing `apt` packages that automatically cleans up after itself. All arguments are passed to `apt-get -y install --no-install-recommends` and after installation the apt caches are cleared. To include recommended packages, add `--install-recommends`. | Baseimage-docker is very lightweight: it only consumes 6 MB of memory. @@ -302,6 +304,14 @@ If you are sure that your environment variables don't contain sensitive data, th RUN chmod 755 /etc/container_environment RUN chmod 644 /etc/container_environment.sh /etc/container_environment.json + +### System logging + +Baseimage-docker uses syslog-ng to provide a syslog facility to the container. Syslog-ng is not managed as an runit service (see below). Syslog messages are forwarded to the console via the service at /etc/service/syslog-forwarder. + +#### Log startup/shutdown sequence +In order to ensure that all application log messages are captured by syslog-ng, syslog-ng is started separately before the runit supervisor process, and shutdown after runit exits. This uses the [startup script facility](#running_startup_scripts) provided by this image. This avoids a race condition which would exist if syslog-ng were managed as an runit service, where runit kills syslog-ng in parallel with the container's other services, causing log messages to be dropped during a graceful shutdown if syslog-ng exits while logs are still being produced by other services. + ### Upgrading the operating system inside the container @@ -485,7 +495,7 @@ Edit your Dockerfile to install the insecure key permanently: RUN /usr/sbin/enable_insecure_key -Instructions for logging in the container is the same as in section [Using the insecure key for one container only](#using_the_insecure_key_for_one_container_only). +Instructions for logging into the container is the same as in section [Using the insecure key for one container only](#using_the_insecure_key_for_one_container_only). #### Using your own key diff --git a/image/bin/install_clean b/image/bin/install_clean new file mode 100755 index 0000000..3f829bc --- /dev/null +++ b/image/bin/install_clean @@ -0,0 +1,17 @@ +#!/bin/bash -e +# Apt installer helper for Docker images + +ARGS="$*" +NO_RECOMMENDS="--no-install-recommends" +RECOMMENDS="--install-recommends" +if [[ $ARGS =~ "$RECOMMENDS" ]]; then + NO_RECOMMENDS="" + ARGS=$(sed "s/$RECOMMENDS//g" <<<"$ARGS") +fi + +echo "Installing $ARGS" + +apt-get -q update && apt-get -qy install $NO_RECOMMENDS $ARGS \ + && apt-get -qy autoremove \ + && apt-get clean \ + && rm -r /var/lib/apt/lists/* diff --git a/image/services/syslog-ng/logrotate_syslogng b/image/services/syslog-ng/logrotate_syslogng index 114cb09..38ad512 100644 --- a/image/services/syslog-ng/logrotate_syslogng +++ b/image/services/syslog-ng/logrotate_syslogng @@ -8,7 +8,6 @@ compress postrotate sv reload syslog-ng > /dev/null - sv restart syslog-forwarder > /dev/null endscript } @@ -34,6 +33,5 @@ sharedscripts postrotate sv reload syslog-ng > /dev/null - sv restart syslog-forwarder > /dev/null endscript } diff --git a/image/services/syslog-ng/syslog-forwarder.runit b/image/services/syslog-ng/syslog-forwarder.runit deleted file mode 100755 index 5bd832f..0000000 --- a/image/services/syslog-ng/syslog-forwarder.runit +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/sh -exec tail -F -n 0 /var/log/syslog diff --git a/image/services/syslog-ng/syslog-ng.conf b/image/services/syslog-ng/syslog-ng.conf index 9dc76a3..11f6b41 100644 --- a/image/services/syslog-ng/syslog-ng.conf +++ b/image/services/syslog-ng/syslog-ng.conf @@ -74,6 +74,9 @@ destination d_xconsole { pipe("/dev/xconsole"); }; # Debian only destination d_ppp { file("/var/log/ppp.log"); }; +# stdout for docker +destination d_stdout { pipe("/dev/stdout"); }; + ######################## # Filters ######################## @@ -119,7 +122,7 @@ log { source(s_src); filter(f_cron); destination(d_cron); }; log { source(s_src); filter(f_daemon); destination(d_daemon); }; log { source(s_src); filter(f_kern); destination(d_kern); }; log { source(s_src); filter(f_lpr); destination(d_lpr); }; -log { source(s_src); filter(f_syslog3); destination(d_syslog); }; +log { source(s_src); filter(f_syslog3); destination(d_syslog); destination(d_stdout); }; log { source(s_src); filter(f_user); destination(d_user); }; log { source(s_src); filter(f_uucp); destination(d_uucp); }; diff --git a/image/services/syslog-ng/syslog-ng.init b/image/services/syslog-ng/syslog-ng.init new file mode 100755 index 0000000..8a33b78 --- /dev/null +++ b/image/services/syslog-ng/syslog-ng.init @@ -0,0 +1,34 @@ +#!/bin/bash +set -em + +# If /dev/log is either a named pipe or it was placed there accidentally, +# e.g. because of the issue documented at https://github.com/phusion/baseimage-docker/pull/25, +# then we remove it. +if [ ! -S /dev/log ]; then rm -f /dev/log; fi +if [ ! -S /var/lib/syslog-ng/syslog-ng.ctl ]; then rm -f /var/lib/syslog-ng/syslog-ng.ctl; fi + +PIDFILE="/var/run/syslog-ng.pid" +SYSLOGNG_OPTS="" + +[ -r /etc/default/syslog-ng ] && . /etc/default/syslog-ng + +syslogng_wait() { + if [ "$2" -ne 0 ]; then + return 1 + fi + + RET=1 + for i in $(seq 1 30); do + status=0 + syslog-ng-ctl stats >/dev/null 2>&1 || status=$? + if [ "$status" != "$1" ]; then + RET=0 + break + fi + sleep 1s + done + return $RET +} + +/usr/sbin/syslog-ng --pidfile "$PIDFILE" -F $SYSLOGNG_OPTS & +syslogng_wait 1 $? diff --git a/image/services/syslog-ng/syslog-ng.runit b/image/services/syslog-ng/syslog-ng.runit deleted file mode 100755 index 7045d26..0000000 --- a/image/services/syslog-ng/syslog-ng.runit +++ /dev/null @@ -1,32 +0,0 @@ -#!/bin/sh -set -e - -# If /dev/log is either a named pipe or it was placed there accidentally, -# e.g. because of the issue documented at https://github.com/phusion/baseimage-docker/pull/25, -# then we remove it. -if [ ! -S /dev/log ]; then rm -f /dev/log; fi -if [ ! -S /var/lib/syslog-ng/syslog-ng.ctl ]; then rm -f /var/lib/syslog-ng/syslog-ng.ctl; fi - -SYSLOGNG_OPTS="" - -[ -r /etc/default/syslog-ng ] && . /etc/default/syslog-ng - -case "x$CONSOLE_LOG_LEVEL" in - x[1-8]) - dmesg -n $CONSOLE_LOG_LEVEL - ;; - x) - ;; - *) - echo "CONSOLE_LOG_LEVEL is of unaccepted value." - ;; -esac - -if [ ! -e /dev/xconsole ] -then - mknod -m 640 /dev/xconsole p - chown root:adm /dev/xconsole - [ -x /sbin/restorecon ] && /sbin/restorecon $XCONSOLE -fi - -exec syslog-ng -F -p /var/run/syslog-ng.pid $SYSLOGNG_OPTS diff --git a/image/services/syslog-ng/syslog-ng.sh b/image/services/syslog-ng/syslog-ng.sh index 2b0be4a..610d80c 100755 --- a/image/services/syslog-ng/syslog-ng.sh +++ b/image/services/syslog-ng/syslog-ng.sh @@ -7,18 +7,14 @@ SYSLOG_NG_BUILD_PATH=/bd_build/services/syslog-ng ## Install a syslog daemon. $minimal_apt_get_install syslog-ng-core -mkdir /etc/service/syslog-ng -cp $SYSLOG_NG_BUILD_PATH/syslog-ng.runit /etc/service/syslog-ng/run +cp $SYSLOG_NG_BUILD_PATH/syslog-ng.init /etc/my_init.d/10_syslog-ng.init +cp $SYSLOG_NG_BUILD_PATH/syslog-ng.shutdown /etc/my_init.post_shutdown.d/10_syslog-ng.shutdown mkdir -p /var/lib/syslog-ng cp $SYSLOG_NG_BUILD_PATH/syslog_ng_default /etc/default/syslog-ng touch /var/log/syslog chmod u=rw,g=r,o= /var/log/syslog cp $SYSLOG_NG_BUILD_PATH/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf -## Install syslog to "docker logs" forwarder. -mkdir /etc/service/syslog-forwarder -cp $SYSLOG_NG_BUILD_PATH/syslog-forwarder.runit /etc/service/syslog-forwarder/run - ## Install logrotate. $minimal_apt_get_install logrotate cp $SYSLOG_NG_BUILD_PATH/logrotate.conf /etc/logrotate.conf diff --git a/image/services/syslog-ng/syslog-ng.shutdown b/image/services/syslog-ng/syslog-ng.shutdown new file mode 100755 index 0000000..7046d02 --- /dev/null +++ b/image/services/syslog-ng/syslog-ng.shutdown @@ -0,0 +1,27 @@ +#!/bin/bash + +PIDFILE="/var/run/syslog-ng.pid" + +syslogng_wait() { + if [ "$2" -ne 0 ]; then + return 1 + fi + + RET=1 + for i in $(seq 1 30); do + status=0 + syslog-ng-ctl stats >/dev/null 2>&1 || status=$? + if [ "$status" != "$1" ]; then + RET=0 + break + fi + sleep 1s + done + return $RET +} + +if [ -f "$PIDFILE" ]; then + kill $(cat "$PIDFILE") +fi + +syslogng_wait 0 $? diff --git a/image/utilities.sh b/image/utilities.sh index 9f0c1a9..d1aa273 100755 --- a/image/utilities.sh +++ b/image/utilities.sh @@ -9,3 +9,6 @@ ln -s /usr/bin/vim.tiny /usr/bin/vim ## This tool runs a command as another user and sets $HOME. cp /bd_build/bin/setuser /sbin/setuser + +## This tool allows installation of apt packages with automatic cache cleanup. +cp /bd_build/bin/install_clean /sbin/install_clean