Iwan/baseimage-docker_fr
1
0
Fork 0
forked from Docker/baseimage-docker
Code Issues Pull Requests Releases Wiki Activity

Merge pull request #378 from phusion/next

Browse Source 
Release 0.9.20
This commit is contained in:
Travis Rowland
2017-03-21 04:23:33 -07:00
committed by GitHub
parent 24b8bcebc8 17a5cede8c
commit ce6a9e0dfc
12 changed files with 166 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
.travis.yml Normal file
View File

@@ -0,0 +1,7 @@
sudo: required
services:
- docker
script:
- make build

6
Makefile
View File

@@ -1,5 +1,5 @@
NAME = phusion/baseimage NAME = phusion/baseimage
VERSION = 0.9.19 VERSION = 0.9.20
.PHONY: all build test tag_latest release ssh .PHONY: all build test tag_latest release ssh
@@ -12,13 +12,13 @@ test:
env NAME=$(NAME) VERSION=$(VERSION) ./test/runner.sh env NAME=$(NAME) VERSION=$(VERSION) ./test/runner.sh
tag_latest: tag_latest:
docker tag -f $(NAME):$(VERSION) $(NAME):latest docker tag $(NAME):$(VERSION) $(NAME):latest
release: test tag_latest release: test tag_latest
@if ! docker images $(NAME) | awk '{ print $$2 }' | grep -q -F $(VERSION); then echo "$(NAME) version $(VERSION) is not yet built. Please run 'make build'"; false; fi @if ! docker images $(NAME) | awk '{ print $$2 }' | grep -q -F $(VERSION); then echo "$(NAME) version $(VERSION) is not yet built. Please run 'make build'"; false; fi
@if ! head -n 1 Changelog.md | grep -q 'release date'; then echo 'Please note the release date in Changelog.md.' && false; fi @if ! head -n 1 Changelog.md | grep -q 'release date'; then echo 'Please note the release date in Changelog.md.' && false; fi
docker push $(NAME) docker push $(NAME)
@echo "*** Don't forget to create a tag. git tag rel-$(VERSION) && git push origin rel-$(VERSION)" @echo "*** Don't forget to create a tag. git tag $(VERSION) && git push origin $(VERSION)"
ssh: ssh:
chmod 600 image/services/sshd/keys/insecure_key chmod 600 image/services/sshd/keys/insecure_key

51
README.md
View File

@@ -1,6 +1,7 @@
# A minimal Ubuntu base image modified for Docker-friendliness # A minimal Ubuntu base image modified for Docker-friendliness
[![](https://badge.imagelayers.io/phusion/baseimage:0.9.17.svg)](https://imagelayers.io/?images=phusion/baseimage:latest 'Get your own badge on imagelayers.io') [![](https://badge.imagelayers.io/phusion/baseimage:0.9.17.svg)](https://imagelayers.io/?images=phusion/baseimage:latest 'Get your own badge on imagelayers.io')
[![Travis](https://img.shields.io/travis/phusion/baseimage-docker.svg)](https://travis-ci.org/phusion/baseimage-docker)
_Baseimage-docker only consumes 6 MB RAM and is much powerful than Busybox or Alpine. See why below._ _Baseimage-docker only consumes 6 MB RAM and is much powerful than Busybox or Alpine. See why below._
@@ -16,7 +17,7 @@ Baseimage-docker is available for pulling from [the Docker registry](https://reg
### What are the problems with the stock Ubuntu base image? ### What are the problems with the stock Ubuntu base image?
Ubuntu is not designed to be run inside Docker. Its init system, Upstart, assumes that it's running on either real hardware or virtualized hardware, but not inside a Docker container. But inside a container you don't want a full system anyway, you want a minimal system. But configuring that minimal system for use within a container has many strange corner cases that are hard to get right if you are not intimately familiar with the Unix system model. This can cause a lot of strange problems. Ubuntu is not designed to be run inside Docker. Its init system, Upstart, assumes that it's running on either real hardware or virtualized hardware, but not inside a Docker container. But inside a container you don't want a full system; you want a minimal system. Configuring that minimal system for use within a container has many strange corner cases that are hard to get right if you are not intimately familiar with the Unix system model. This can cause a lot of strange problems.
Baseimage-docker gets everything right. The "Contents" section describes all the things that it modifies. Baseimage-docker gets everything right. The "Contents" section describes all the things that it modifies.
@@ -26,7 +27,7 @@ Baseimage-docker gets everything right. The "Contents" section describes all the
You can configure the stock `ubuntu` image yourself from your Dockerfile, so why bother using baseimage-docker? You can configure the stock `ubuntu` image yourself from your Dockerfile, so why bother using baseimage-docker?
* Configuring the base system for Docker-friendliness is no easy task. As stated before, there are many corner cases. By the time that you've gotten all that right, you've reinvented baseimage-docker. Using baseimage-docker will save you from this effort. * Configuring the base system for Docker-friendliness is no easy task. As stated before, there are many corner cases. By the time that you've gotten all that right, you've reinvented baseimage-docker. Using baseimage-docker will save you from this effort.
* It reduces the time needed to write a correct Dockerfile. You won't have to worry about the base system and can focus on your stack and your app. * It reduces the time needed to write a correct Dockerfile. You won't have to worry about the base system and focusing you on the stack and the app.
* It reduces the time needed to run `docker build`, allowing you to iterate your Dockerfile more quickly. * It reduces the time needed to run `docker build`, allowing you to iterate your Dockerfile more quickly.
* It reduces download time during redeploys. Docker only needs to download the base image once: during the first deploy. On every subsequent deploys, only the changes you make on top of the base image are downloaded. * It reduces download time during redeploys. Docker only needs to download the base image once: during the first deploy. On every subsequent deploys, only the changes you make on top of the base image are downloaded.
@@ -86,9 +87,9 @@ You can configure the stock `ubuntu` image yourself from your Dockerfile, so why
| Component | Why is it included? / Remarks | | Component | Why is it included? / Remarks |
| ---------------- | ------------------- | | ---------------- | ------------------- |
| Ubuntu 16.04 LTS | The base system. | | Ubuntu 16.04 LTS | The base system. |
| A **correct** init process | _Main article: [Docker and the PID 1 zombie reaping problem](http://blog.phusion.nl/2015/01/20/docker-and-the-pid-1-zombie-reaping-problem/)._ <br><br>According to the Unix process model, [the init process](https://en.wikipedia.org/wiki/Init) -- PID 1 -- inherits all [orphaned child processes](https://en.wikipedia.org/wiki/Orphan_process) and must [reap them](https://en.wikipedia.org/wiki/Wait_(system_call)). Most Docker containers do not have an init process that does this correctly, and as a result their containers become filled with [zombie processes](https://en.wikipedia.org/wiki/Zombie_process) over time. <br><br>Furthermore, `docker stop` sends SIGTERM to the init process, which is then supposed to stop all services. Unfortunately most init systems don't do this correctly within Docker since they're built for hardware shutdowns instead. This causes processes to be hard killed with SIGKILL, which doesn't give them a chance to correctly deinitialize things. This can cause file corruption. <br><br>Baseimage-docker comes with an init process `/sbin/my_init` that performs both of these tasks correctly. | | A **correct** init process | _Main article: [Docker and the PID 1 zombie reaping problem](http://blog.phusion.nl/2015/01/20/docker-and-the-pid-1-zombie-reaping-problem/)._ <br><br>According to the Unix process model, [the init process](https://en.wikipedia.org/wiki/Init) -- PID 1 -- inherits all [orphaned child processes](https://en.wikipedia.org/wiki/Orphan_process) and must [reap them](https://en.wikipedia.org/wiki/Wait_(system_call)). Most Docker containers do not have an init process that does this correctly. As a result, their containers become filled with [zombie processes](https://en.wikipedia.org/wiki/Zombie_process) over time. <br><br>Furthermore, `docker stop` sends SIGTERM to the init process, which stops all services. Unfortunately most init systems don't do this correctly within Docker since they're built for hardware shutdowns instead. This causes processes to be hard killed with SIGKILL, which doesn't give them a chance to correctly deinitialize things. This can cause file corruption. <br><br>Baseimage-docker comes with an init process `/sbin/my_init` that performs both of these tasks correctly. |
| Fixes APT incompatibilities with Docker | See https://github.com/dotcloud/docker/issues/1024. | | Fixes APT incompatibilities with Docker | See https://github.com/dotcloud/docker/issues/1024. |
| syslog-ng | A syslog daemon is necessary so that many services - including the kernel itself - can correctly log to /var/log/syslog. If no syslog daemon is running, a lot of important messages are silently swallowed. <br><br>Only listens locally. All syslog messages are forwarded to "docker logs". | | syslog-ng | A syslog daemon is necessary so that many services - including the kernel itself - can correctly log to /var/log/syslog. If no syslog daemon is running, a lot of important messages are silently swallowed. <br><br>Only listens locally. All syslog messages are forwarded to "docker logs".<br><br>Why syslog-ng?<br>I've had bad experience with rsyslog. I regularly run into bugs with rsyslog, and once in a while it takes my log host down by entering a 100% CPU loop in which it can't do anything. Syslog-ng seems to be much more stable. |
| logrotate | Rotates and compresses logs on a regular basis. | | logrotate | Rotates and compresses logs on a regular basis. |
| SSH server | Allows you to easily login to your container to [inspect or administer](#login_ssh) things. <br><br>_SSH is **disabled by default** and is only one of the methods provided by baseimage-docker for this purpose. The other method is through [docker exec](#login_docker_exec). SSH is also provided as an alternative because `docker exec` comes with several caveats._<br><br>Password and challenge-response authentication are disabled by default. Only key authentication is allowed. | | SSH server | Allows you to easily login to your container to [inspect or administer](#login_ssh) things. <br><br>_SSH is **disabled by default** and is only one of the methods provided by baseimage-docker for this purpose. The other method is through [docker exec](#login_docker_exec). SSH is also provided as an alternative because `docker exec` comes with several caveats._<br><br>Password and challenge-response authentication are disabled by default. Only key authentication is allowed. |
| cron | The cron daemon must be running for cron jobs to work. | | cron | The cron daemon must be running for cron jobs to work. |
@@ -111,11 +112,11 @@ Do we advocate running multiple *logical services* in a single container? Not ne
<a name="fat_containers"></a> <a name="fat_containers"></a>
### Does Baseimage-docker advocate "fat containers" or "treating containers as VMs"? ### Does Baseimage-docker advocate "fat containers" or "treating containers as VMs"?
There are people who are under the impression that Baseimage-docker advocates treating containers as VMs, because of the fact that Baseimage-docker advocates the use of multiple processes. Therefore they are also under the impression that Baseimage-docker does not follow the Docker philosophy. Neither of these impressions are true. There are people who think that Baseimage-docker advocates treating containers as VMs because Baseimage-docker advocates the use of multiple processes. Therefore, they also think that Baseimage-docker does not follow the Docker philosophy. Neither of these impressions are true.
The Docker developers advocate running a single *logical service* inside a single container. But we are not disputing that. Baseimage-docker advocates running multiple *OS processes* inside a single container, and a single logical service can consist of multiple OS processes. The Docker developers advocate running a single *logical service* inside a single container. But we are not disputing that. Baseimage-docker advocates running multiple *OS processes* inside a single container, and a single logical service can consist of multiple OS processes.
It follows from this that Baseimage-docker also does not deny the Docker philosophy. In fact, many of the modifications we introduce are explicitly in line with the Docker philosophy. For example, using environment variables to pass parameters to containers is very much the "Docker way", and provide [a mechanism to easily work with environment variables](#environment_variables) in the presence of multiple processes that may run as different users. It follows that Baseimage-docker also does not deny the Docker philosophy. In fact, many of the modifications we introduce are explicitly in line with the Docker philosophy. For example, using environment variables to pass parameters to containers is very much the "Docker way", and providing [a mechanism to easily work with environment variables](#environment_variables) in the presence of multiple processes that may run as different users.
<a name="inspecting"></a> <a name="inspecting"></a>
## Inspecting baseimage-docker ## Inspecting baseimage-docker
@@ -169,7 +170,8 @@ In `memcached.sh` (make sure this file is chmod +x):
In `Dockerfile`: In `Dockerfile`:
RUN mkdir /etc/service/memcached RUN mkdir /etc/service/memcached
ADD memcached.sh /etc/service/memcached/run COPY memcached.sh /etc/service/memcached/run
RUN chmod +x /etc/service/memcached/run
Note that the shell script must run the daemon **without letting it daemonize/fork it**. Usually, daemons provide a command line flag or a config file option for that. Note that the shell script must run the daemon **without letting it daemonize/fork it**. Usually, daemons provide a command line flag or a config file option for that.
@@ -183,9 +185,11 @@ The baseimage-docker init system, `/sbin/my_init`, runs the following scripts du
All scripts must exit correctly, e.g. with exit code 0. If any script exits with a non-zero exit code, the booting will fail. All scripts must exit correctly, e.g. with exit code 0. If any script exits with a non-zero exit code, the booting will fail.
**Important note:** If you are executing the container in interactive mode (i.e. when you run a container with `-it`), rather than daemon mode, you are sending stdout directly to the terminal (`-i` interactive `-t` terminal). If you are not calling `/sbin/my_init` in your run declaration, `/sbin/my_init` will not be executed, therefore your scripts will not be called during container startup.
The following example shows how you can add a startup script. This script simply logs the time of boot to the file /tmp/boottime.txt. The following example shows how you can add a startup script. This script simply logs the time of boot to the file /tmp/boottime.txt.
In `logtime.sh` (make sure this file is chmod +x): In `logtime.sh`:
#!/bin/sh #!/bin/sh
date > /tmp/boottime.txt date > /tmp/boottime.txt
@@ -193,7 +197,8 @@ In `logtime.sh` (make sure this file is chmod +x):
In `Dockerfile`: In `Dockerfile`:
RUN mkdir -p /etc/my_init.d RUN mkdir -p /etc/my_init.d
ADD logtime.sh /etc/my_init.d/logtime.sh COPY logtime.sh /etc/my_init.d/logtime.sh
RUN chmod +x /etc/my_init.d/logtime.sh
<a name="environment_variables"></a> <a name="environment_variables"></a>
### Environment variables ### Environment variables
@@ -203,13 +208,14 @@ If you use `/sbin/my_init` as the main container command, then any environment v
* Environment variables on Unix are inherited on a per-process basis. This means that it is generally not possible for a child process to change the environment variables of other processes. * Environment variables on Unix are inherited on a per-process basis. This means that it is generally not possible for a child process to change the environment variables of other processes.
* Because of the aforementioned point, there is no good central place for defining environment variables for all applications and services. Debian has the `/etc/environment` file but it only works in some situations. * Because of the aforementioned point, there is no good central place for defining environment variables for all applications and services. Debian has the `/etc/environment` file but it only works in some situations.
* Some services change environment variables for child processes. Nginx is one such example: it removes all environment variables unless you explicitly instruct it to retain them through the `env` configuration option. If you host any applications on Nginx (e.g. using the [passenger-docker](https://github.com/phusion/passenger-docker) image, or using Phusion Passenger in your own image) then they will not see the environment variables that were originally passed by Docker. * Some services change environment variables for child processes. Nginx is one such example: it removes all environment variables unless you explicitly instruct it to retain them through the `env` configuration option. If you host any applications on Nginx (e.g. using the [passenger-docker](https://github.com/phusion/passenger-docker) image, or using Phusion Passenger in your own image) then they will not see the environment variables that were originally passed by Docker.
* We ignore HOME, SHELL, USER and a bunch of other environment variables on purpose, because _not_ ignoring them will break multi-user containers. See https://github.com/phusion/baseimage-docker/pull/86 -- A workaround for setting the `HOME` environment variable looks like this: `RUN echo /root > /etc/container_environment/HOME`. See https://github.com/phusion/baseimage-docker/issues/119
`my_init` provides a solution for all these caveats. `my_init` provides a solution for all these caveats.
<a name="envvar_central_definition"></a> <a name="envvar_central_definition"></a>
#### Centrally defining your own environment variables #### Centrally defining your own environment variables
During startup, before running any [startup scripts](#running_startup_scripts), `my_init` imports environment variables from the directory `/etc/container_environment`. This directory contains files who are named after the environment variable names. The file contents contain the environment variable values. This directory is therefore a good place to centrally define your own environment variables, which will be inherited by all startup scripts and Runit services. During startup, before running any [startup scripts](#running_startup_scripts), `my_init` imports environment variables from the directory `/etc/container_environment`. This directory contains files named after the environment variable names. The file contents contain the environment variable values. This directory is therefore a good place to centrally define your own environment variables, which will be inherited by all startup scripts and Runit services.
For example, here's how you can define an environment variable from your Dockerfile: For example, here's how you can define an environment variable from your Dockerfile:
@@ -225,14 +231,14 @@ You can verify that it works, as follows:
**Handling newlines** **Handling newlines**
If you've looked carefully, you'll notice that the 'echo' command actually prints a newline. Why does $MY_NAME not contain a newline then? It's because `my_init` strips the trailing newline, if any. If you intended on the value having a newline, you should add *another* newline, like this: If you've looked carefully, you'll notice that the 'echo' command actually prints a newline. Why does $MY_NAME not contain a newline then? It's because `my_init` strips the trailing newline. If you intended on the value having a newline, you should add *another* newline, like this:
RUN echo -e "Apachai Hopachai\n" > /etc/container_environment/MY_NAME RUN echo -e "Apachai Hopachai\n" > /etc/container_environment/MY_NAME
<a name="envvar_dumps"></a> <a name="envvar_dumps"></a>
#### Environment variable dumps #### Environment variable dumps
While the previously mentioned mechanism is good for centrally defining environment variables, it by itself does not prevent services (e.g. Nginx) from changing and resetting environment variables from child processes. However, the `my_init` mechanism does make it easy for you to query what the original environment variables are. While the previously mentioned mechanism is good for centrally defining environment variables, itself does not prevent services (e.g. Nginx) from changing and resetting environment variables from child processes. However, the `my_init` mechanism does make it easy for you to query what the original environment variables are.
During startup, right after importing environment variables from `/etc/container_environment`, `my_init` will dump all its environment variables (that is, all variables imported from `container_environment`, as well as all variables it picked up from `docker run --env`) to the following locations, in the following formats: During startup, right after importing environment variables from `/etc/container_environment`, `my_init` will dump all its environment variables (that is, all variables imported from `container_environment`, as well as all variables it picked up from `docker run --env`) to the following locations, in the following formats:
@@ -240,7 +246,7 @@ During startup, right after importing environment variables from `/etc/container
* `/etc/container_environment.sh` - a dump of the environment variables in Bash format. You can source the file directly from a Bash shell script. * `/etc/container_environment.sh` - a dump of the environment variables in Bash format. You can source the file directly from a Bash shell script.
* `/etc/container_environment.json` - a dump of the environment variables in JSON format. * `/etc/container_environment.json` - a dump of the environment variables in JSON format.
The multiple formats makes it easy for you to query the original environment variables no matter which language your scripts/apps are written in. The multiple formats make it easy for you to query the original environment variables no matter which language your scripts/apps are written in.
Here is an example shell session showing you how the dumps look like: Here is an example shell session showing you how the dumps look like:
@@ -273,7 +279,7 @@ But note that:
<a name="envvar_security"></a> <a name="envvar_security"></a>
#### Security #### Security
Because environment variables can potentially contain sensitive information, `/etc/container_environment` and its Bash and JSON dumps are by default owned by root, and accessible only by the `docker_env` group (so that any user added this group will have these variables automatically loaded). Because environment variables can potentially contain sensitive information, `/etc/container_environment` and its Bash and JSON dumps are by default owned by root, and accessible only to the `docker_env` group (so that any user added this group will have these variables automatically loaded).
If you are sure that your environment variables don't contain sensitive data, then you can also relax the permissions on that directory and those files by making them world-readable: If you are sure that your environment variables don't contain sensitive data, then you can also relax the permissions on that directory and those files by making them world-readable:
@@ -285,7 +291,7 @@ If you are sure that your environment variables don't contain sensitive data, th
Baseimage-docker images contain an Ubuntu 16.04 operating system. You may want to update this OS from time to time, for example to pull in the latest security updates. OpenSSL is a notorious example. Vulnerabilities are discovered in OpenSSL on a regular basis, so you should keep OpenSSL up-to-date as much as you can. Baseimage-docker images contain an Ubuntu 16.04 operating system. You may want to update this OS from time to time, for example to pull in the latest security updates. OpenSSL is a notorious example. Vulnerabilities are discovered in OpenSSL on a regular basis, so you should keep OpenSSL up-to-date as much as you can.
While we release Baseimage-docker images with the latest OS updates from time to time, you do not have to rely on us. You can update the OS inside Baseimage-docker images yourself, and it is recommend that you do this instead of waiting for us. While we release Baseimage-docker images with the latest OS updates from time to time, you do not have to rely on us. You can update the OS inside Baseimage-docker images yourself, and it is recommended that you do this instead of waiting for us.
To upgrade the OS in the image, run this in your Dockerfile: To upgrade the OS in the image, run this in your Dockerfile:
@@ -407,6 +413,19 @@ Baseimage-docker disables the SSH server by default. Add the following to your D
# init system will auto-generate one during boot. # init system will auto-generate one during boot.
RUN /etc/my_init.d/00_regen_ssh_host_keys.sh RUN /etc/my_init.d/00_regen_ssh_host_keys.sh
Alternatively, to enable sshd only for a single instance of your container, create a folder with a [startup script](#running_startup_scripts). The contents of that should be
### In myfolder/enable_ssh.sh (make sure this file is chmod +x):
#!/bin/sh
rm -f /etc/service/sshd/down
ssh-keygen -P "" -t dsa -f /etc/ssh/ssh_host_dsa_key
Then, you can start your container with
docker run -d -v `pwd`/myfolder:/etc/my_init.d my/dockerimage
This will initialize sshd on container boot. You can then access it with the insecure key as below, or using the methods to add a secure key. Further, you can publish the port to your machine with -p 22:2222 allowing you to ssh to localhost:2222 instead of looking up the ip address.
<a name="ssh_keys"></a> <a name="ssh_keys"></a>
#### About SSH keys #### About SSH keys
@@ -458,7 +477,7 @@ Instructions for logging in the container is the same as in section [Using the i
Edit your Dockerfile to install an SSH public key: Edit your Dockerfile to install an SSH public key:
## Install an SSH of your choice. ## Install an SSH of your choice.
ADD your_key.pub /tmp/your_key.pub COPY your_key.pub /tmp/your_key.pub
RUN cat /tmp/your_key.pub >> /root/.ssh/authorized_keys && rm -f /tmp/your_key.pub RUN cat /tmp/your_key.pub >> /root/.ssh/authorized_keys && rm -f /tmp/your_key.pub
Then rebuild your image. Once you have that, start a container based on that image: Then rebuild your image. Once you have that, start a container based on that image:

14
README_ZH_cn_.md
View File

@@ -142,7 +142,7 @@ Baseimage-docker *鼓励* 通过runit来运行多进程.
<a name="adding_additional_daemons"></a> <a name="adding_additional_daemons"></a>
### 增加后台进程 ### 增加后台进程
你可以通过runit工具向你的镜像中添加后台进程(例如:你自己的某些应用).你需要编写一个运行你需要的后台进程的脚就可以了,runit工具会保证它的正常运行,如果进程死掉,runit也会重启它的. 你可以通过runit工具向你的镜像中添加后台进程(例如:你自己的某些应用).你需要编写一个运行你需要的后台进程的脚就可以了,runit工具会保证它的正常运行,如果进程死掉,runit也会重启它的.
脚本的名称必须是`run`,必须是可以运行的,它需要放到`/etc/service/<NAME>`. 脚本的名称必须是`run`,必须是可以运行的,它需要放到`/etc/service/<NAME>`.
@@ -155,7 +155,7 @@ Baseimage-docker *鼓励* 通过runit来运行多进程.
### 在Dockerfile中: ### 在Dockerfile中:
RUN mkdir /etc/service/memcached RUN mkdir /etc/service/memcached
ADD memcached.sh /etc/service/memcached/run COPY memcached.sh /etc/service/memcached/run
注意脚本必须运行在后台的,**不能让他们进程进行daemonize/fork**.通常,后台进程会提供一个标志位或者配置文件. 注意脚本必须运行在后台的,**不能让他们进程进行daemonize/fork**.通常,后台进程会提供一个标志位或者配置文件.
@@ -177,7 +177,7 @@ baseimage-docker的初始化脚本 `/sbin/my_init`,在启动的时候进程运
### 在 Dockerfile中: ### 在 Dockerfile中:
RUN mkdir -p /etc/my_init.d RUN mkdir -p /etc/my_init.d
ADD logtime.sh /etc/my_init.d/logtime.sh COPY logtime.sh /etc/my_init.d/logtime.sh
<a name="environment_variables"></a> <a name="environment_variables"></a>
@@ -434,10 +434,10 @@ Baseimage-docker提供了一个灵活的方式运行只要一闪而过的命令,
* 不想使用`nsenter`,运行的进程和正在的进程会不一样. * 不想使用`nsenter`,运行的进程和正在的进程会不一样.
* 不需要docker主机提供root权限. * 不需要docker主机提供root权限.
* 运行你让用户登录到容器,而不需要登录到docker主机.然而,默认这是不启用的,因为baseimage-docker默认不是开放ssh服务的. * 运行你让用户登录到容器,而不需要登录到docker主机.然而,默认这是不启用的,因为baseimage-docker默认不是开放ssh服务的.
* 缺点 * 缺点
* 需要设置ssh key.然而,baseimage-docker会提供一中办法,会让key的生成会很容.阅读更多信息. * 需要设置ssh key.然而,baseimage-docker会提供一中办法,会让key的生成会很容.阅读更多信息.
第一件事情,就是你需要确定你在容器中已经安装设置了ssh key. 默认,没有任何安装key的,所有你无法登录.为了方便的原因,我们提供了一个[已经生成的key](https://github.com/phusion/baseimage-docker/blob/master/image/services/sshd/keys/insecure_key) [(PuTTY format)](https://github.com/phusion/baseimage-docker/blob/master/image/services/sshd/keys/insecure_key.ppk),为了让你使用方便.然后,请注意这个key仅仅是为方便.他没有任何安全,因为它的key是在网络上提供的.**在生产环境,你必须使用你自己的key.** 第一件事情,就是你需要确定你在容器中已经安装设置了ssh key. 默认是不安装任何key的,所以任何人都无法登录.为了方便的原因,我们提供了一个[已经生成的key](https://github.com/phusion/baseimage-docker/blob/master/image/services/sshd/keys/insecure_key) [(PuTTY format)](https://github.com/phusion/baseimage-docker/blob/master/image/services/sshd/keys/insecure_key.ppk),为了让你使用方便.然后,请注意这个key仅仅是为方便.他没有任何安全,因为它的key是在网络上提供的.**在生产环境,你必须使用你自己的key.**
<a name="using_the_insecure_key_for_one_container_only"></a> <a name="using_the_insecure_key_for_one_container_only"></a>
@@ -486,7 +486,7 @@ Baseimage-docker提供了一个灵活的方式运行只要一闪而过的命令,
编辑你的dockerfile,来安装ssh public key: 编辑你的dockerfile,来安装ssh public key:
## 安装你自己的public key. ## 安装你自己的public key.
ADD your_key.pub /tmp/your_key.pub COPY your_key.pub /tmp/your_key.pub
RUN cat /tmp/your_key.pub >> /root/.ssh/authorized_keys && rm -f /tmp/your_key.pub RUN cat /tmp/your_key.pub >> /root/.ssh/authorized_keys && rm -f /tmp/your_key.pub
重新创建你的镜像.一旦你创建成功,启动基于这个镜像的容器. 重新创建你的镜像.一旦你创建成功,启动基于这个镜像的容器.

14
README_zh_tw.md
View File

@@ -143,7 +143,7 @@ The image is called `phusion/baseimage`, and is available on the Docker registry
<a name="adding_additional_daemons"></a> <a name="adding_additional_daemons"></a>
### 增加後臺行程 ### 增加後臺行程
你可以通過runit工具向你的鏡像中添加後臺行程(例如:你自己的某些應用).你需要編寫一個運行你需要的後臺行程的腳就可以了,runit工具會保證它的正常運行,如果行程死掉,runit也會重啓它的. 你可以通過runit工具向你的鏡像中添加後臺行程(例如:你自己的某些應用).你需要編寫一個運行你需要的後臺行程的腳就可以了,runit工具會保證它的正常運行,如果行程死掉,runit也會重啓它的.
腳本的名稱必須是`run`,必須是可以運行的,它需要放到`/etc/service/<NAME>`. 腳本的名稱必須是`run`,必須是可以運行的,它需要放到`/etc/service/<NAME>`.
@@ -156,7 +156,7 @@ The image is called `phusion/baseimage`, and is available on the Docker registry
### 在Dockerfile中: ### 在Dockerfile中:
RUN mkdir /etc/service/memcached RUN mkdir /etc/service/memcached
ADD memcached.sh /etc/service/memcached/run COPY memcached.sh /etc/service/memcached/run
注意腳本必須運行在後臺的,**不能讓他們行程進行daemonize/fork**.通常,後臺行程會提供一個標誌位或者配置文件. 注意腳本必須運行在後臺的,**不能讓他們行程進行daemonize/fork**.通常,後臺行程會提供一個標誌位或者配置文件.
@@ -178,7 +178,7 @@ baseimage-docker的初始化腳本 `/sbin/my_init`,在啓動的時候行程運
### 在 Dockerfile中: ### 在 Dockerfile中:
RUN mkdir -p /etc/my_init.d RUN mkdir -p /etc/my_init.d
ADD logtime.sh /etc/my_init.d/logtime.sh COPY logtime.sh /etc/my_init.d/logtime.sh
<a name="environment_variables"></a> <a name="environment_variables"></a>
@@ -435,10 +435,10 @@ Baseimage-docker提供了一個靈活的方式運行只要一閃而過的命令,
* 不想使用`nsenter`,運行的行程和正在的行程會不一樣. * 不想使用`nsenter`,運行的行程和正在的行程會不一樣.
* 不需要docker主機提供root權限. * 不需要docker主機提供root權限.
* 運行你讓用戶登錄到容器,而不需要登錄到docker主機.然而,默認這是不啓用的,因爲baseimage-docker默認不是開放ssh服務的. * 運行你讓用戶登錄到容器,而不需要登錄到docker主機.然而,默認這是不啓用的,因爲baseimage-docker默認不是開放ssh服務的.
* 缺點 * 缺點
* 需要設置ssh key.然而,baseimage-docker會提供一中辦法,會讓key的生成會很容.閱讀更多信息. * 需要設置ssh key.然而,baseimage-docker會提供一中辦法,會讓key的生成會很容.閱讀更多信息.
第一件事情,就是你需要確定你在容器中已經安裝設置了ssh key. 默認,沒有任何安裝key的,所有你無法登錄.爲了方便的原因,我們提供了一個[已經生成的key](https://github.com/phusion/baseimage-docker/blob/master/image/services/sshd/keys/insecure_key) [(PuTTY format)](https://github.com/phusion/baseimage-docker/blob/master/image/services/sshd/keys/insecure_key.ppk),爲了讓你使用方便.然後,請注意這個key僅僅是爲方便.他沒有任何安全,因爲它的key是在網絡上提供的.**在生產環境,你必須使用你自己的key.** 第一件事情,就是你需要確定你在容器中已經安裝設置了ssh key. 默認是不安裝任何key的,所以任何人都無法登錄.爲了方便的原因,我們提供了一個[已經生成的key](https://github.com/phusion/baseimage-docker/blob/master/image/services/sshd/keys/insecure_key) [(PuTTY format)](https://github.com/phusion/baseimage-docker/blob/master/image/services/sshd/keys/insecure_key.ppk),爲了讓你使用方便.然後,請注意這個key僅僅是爲方便.他沒有任何安全,因爲它的key是在網絡上提供的.**在生產環境,你必須使用你自己的key.**
<a name="using_the_insecure_key_for_one_container_only"></a> <a name="using_the_insecure_key_for_one_container_only"></a>
@@ -487,7 +487,7 @@ Baseimage-docker提供了一個靈活的方式運行只要一閃而過的命令,
編輯你的dockerfile,來安裝ssh public key: 編輯你的dockerfile,來安裝ssh public key:
## 安裝你自己的public key. ## 安裝你自己的public key.
ADD your_key.pub /tmp/your_key.pub COPY your_key.pub /tmp/your_key.pub
RUN cat /tmp/your_key.pub >> /root/.ssh/authorized_keys && rm -f /tmp/your_key.pub RUN cat /tmp/your_key.pub >> /root/.ssh/authorized_keys && rm -f /tmp/your_key.pub
重新創建你的鏡像.一旦你創建成功,啓動基於這個鏡像的容器. 重新創建你的鏡像.一旦你創建成功,啓動基於這個鏡像的容器.

6
image/Dockerfile
View File

@@ -1,7 +1,7 @@
FROM ubuntu:16.04 FROM ubuntu:16.04
MAINTAINER Phusion <info@phusion.nl> MAINTAINER Phusion <info@phusion.nl>
ADD . /bd_build COPY . /bd_build
RUN /bd_build/prepare.sh && \ RUN /bd_build/prepare.sh && \
/bd_build/system_services.sh && \ /bd_build/system_services.sh && \
@@ -9,4 +9,8 @@ RUN /bd_build/prepare.sh && \
/bd_build/fix_pam_bug.sh && \ /bd_build/fix_pam_bug.sh && \
/bd_build/cleanup.sh /bd_build/cleanup.sh
ENV LANG en_US.UTF-8
ENV LANGUAGE en_US:en
ENV LC_ALL en_US.UTF-8
CMD ["/sbin/my_init"] CMD ["/sbin/my_init"]

4
image/bin/my_init
View File

@@ -1,8 +1,8 @@
#!/usr/bin/python3 -u #!/usr/bin/python3 -u
import os, os.path, sys, stat, signal, errno, argparse, time, json, re import os, os.path, sys, stat, signal, errno, argparse, time, json, re
KILL_PROCESS_TIMEOUT = 5 KILL_PROCESS_TIMEOUT = os.environ.get('KILL_PROCESS_TIMEOUT', 5)
KILL_ALL_PROCESSES_TIMEOUT = 5 KILL_ALL_PROCESSES_TIMEOUT = os.environ.get('KILL_ALL_PROCESSES_TIMEOUT', 5)
LOG_LEVEL_ERROR = 1 LOG_LEVEL_ERROR = 1
LOG_LEVEL_WARN = 1 LOG_LEVEL_WARN = 1

46
image/bin/setuser
View File

@@ -1,14 +1,43 @@
#!/usr/bin/python3 #!/usr/bin/python3
import sys, os, pwd '''
Copyright (c) 2013-2015 Phusion Holding B.V.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
'''
import sys
import os
import pwd
if len(sys.argv) < 3:
sys.stderr.write("Usage: /sbin/setuser USERNAME COMMAND [args..]\n")
sys.exit(1)
def abort(message): def abort(message):
sys.stderr.write("setuser: %s\n" % message) sys.stderr.write("setuser: %s\n" % message)
sys.exit(1) sys.exit(1)
def main():
'''
A simple alternative to sudo that executes a command as a user by setting
the user ID and user parameters to those described by the system and then
using execvp(3) to execute the command without the necessity of a TTY
'''
username = sys.argv[1] username = sys.argv[1]
try: try:
user = pwd.getpwnam(username) user = pwd.getpwnam(username)
@@ -24,3 +53,12 @@ try:
os.execvp(sys.argv[2], sys.argv[2:]) os.execvp(sys.argv[2], sys.argv[2:])
except OSError as e: except OSError as e:
abort("cannot execute %s: %s" % (sys.argv[2], str(e))) abort("cannot execute %s: %s" % (sys.argv[2], str(e)))
if __name__ == '__main__':
if len(sys.argv) < 3:
sys.stderr.write("Usage: /sbin/setuser USERNAME COMMAND [args..]\n")
sys.exit(1)
main()

2
image/cleanup.sh
View File

@@ -4,7 +4,7 @@ source /bd_build/buildconfig
set -x set -x
apt-get clean apt-get clean
rm -rf /bd_build ls -d -1 /bd_build/**/* | grep -v "cleanup.sh" | grep -v "buildconfig" | grep -v "services/" | xargs rm -f
rm -rf /tmp/* /var/tmp/* rm -rf /tmp/* /var/tmp/*
rm -rf /var/lib/apt/lists/* rm -rf /var/lib/apt/lists/*

2
image/services/cron/cron.sh
View File

@@ -7,6 +7,8 @@ $minimal_apt_get_install cron
mkdir /etc/service/cron mkdir /etc/service/cron
chmod 600 /etc/crontab chmod 600 /etc/crontab
cp /bd_build/services/cron/cron.runit /etc/service/cron/run cp /bd_build/services/cron/cron.runit /etc/service/cron/run
# Fix cron issues in 0.9.19, see also #345: https://github.com/phusion/baseimage-docker/issues/345
sed -i 's/^\s*session\s\+required\s\+pam_loginuid.so/# &/' /etc/pam.d/cron
## Remove useless cron entries. ## Remove useless cron entries.
# Checks for lost+found and scans for mtab. # Checks for lost+found and scans for mtab.

36
image/services/syslog-ng/logrotate.conf Normal file
View File

@@ -0,0 +1,36 @@
# see "man logrotate" for details
# rotate log files weekly
weekly
# use the syslog group by default, since this is the owning group
# of /var/log/syslog.
# su root syslog
# keep 4 weeks worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create
# uncomment this if you want your log files compressed
#compress
# packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own wtmp, or btmp -- we'll rotate them here
/var/log/wtmp {
missingok
monthly
create 0664 root utmp
rotate 1
}
/var/log/btmp {
missingok
monthly
create 0660 root utmp
rotate 1
}
# system-specific logs may be configured here

1
image/services/syslog-ng/syslog-ng.sh
View File

@@ -21,4 +21,5 @@ cp $SYSLOG_NG_BUILD_PATH/syslog-forwarder.runit /etc/service/syslog-forwarder/ru
## Install logrotate. ## Install logrotate.
$minimal_apt_get_install logrotate $minimal_apt_get_install logrotate
cp $SYSLOG_NG_BUILD_PATH/logrotate.conf /etc/logrotate.conf
cp $SYSLOG_NG_BUILD_PATH/logrotate_syslogng /etc/logrotate.d/syslog-ng cp $SYSLOG_NG_BUILD_PATH/logrotate_syslogng /etc/logrotate.d/syslog-ng