From 81af926a780da7859099e73528e56616f3921a08 Mon Sep 17 00:00:00 2001
From: Bryan Bishop <kanzure@gmail.com>
Date: Mon, 24 Nov 2014 10:56:23 -0600
Subject: [PATCH 01/18] remove Dockerfile step for mkdir /build

The ADD command will create /build automatically, so the RUN mkdir step
can be safely removed. Also, this has the benefit of reducing the number
of steps in the Dockerfile which is helpful for not as quickly hitting
the 127 layer limit.
---
 image/Dockerfile | 1 -
 1 file changed, 1 deletion(-)

diff --git a/image/Dockerfile b/image/Dockerfile
index 369d0fa..4571e5c 100644
--- a/image/Dockerfile
+++ b/image/Dockerfile
@@ -2,7 +2,6 @@ FROM ubuntu:14.04
 MAINTAINER Phusion <info@phusion.nl>
 
 ENV HOME /root
-RUN mkdir /build
 ADD . /build
 
 RUN /build/prepare.sh && \

From 19c2df66b392aee5b013d81705dd9fe70d8e2ad9 Mon Sep 17 00:00:00 2001
From: "Hongli Lai (Phusion)" <hongli@phusion.nl>
Date: Fri, 16 Jan 2015 16:45:26 +0100
Subject: [PATCH 02/18] Remove workaround for Docker bug #2267 now that Docker
 has fixed this

Closes GH-155.
---
 Changelog.md                     |  4 ++++
 README.md                        | 26 ++------------------------
 image/bin/my_init                |  4 ----
 image/bin/workaround-docker-2267 |  2 --
 image/prepare.sh                 |  6 ------
 5 files changed, 6 insertions(+), 36 deletions(-)
 delete mode 100755 image/bin/workaround-docker-2267

diff --git a/Changelog.md b/Changelog.md
index 473ac1f..fe3b8e4 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,3 +1,7 @@
+## 0.9.16 (next version, not yet released)
+
+ * The workaround for Docker bug 2267 (the inability to modify /etc/hosts) has been removed, because it has been fixed upstream.
+
 ## 0.9.15 (release date: 2014-10-03)
 
  * Fixed the setuid bit on /usr/bin/sudo. This problem was caused by Docker bug #6828.
diff --git a/README.md b/README.md
index c33b31b..ff355cb 100644
--- a/README.md
+++ b/README.md
@@ -3,8 +3,8 @@
 Baseimage-docker is a special [Docker](http://www.docker.io) image that is configured for correct use within Docker containers. It is Ubuntu, plus:
 
  * Modifications for Docker-friendliness.
- * Workarounds for [some Docker bugs](#workaroud_modifying_etc_hosts).
- * Useful administration tools.
+ * Administration tools that are especially useful in the context of Docker.
+ * Mechanisms for easily running multiple processes, [without violating the Docker philosophy](#docker_single_process).
 
 You can use it as a base for your own Docker images.
 
@@ -52,7 +52,6 @@ You can configure the stock `ubuntu` image yourself from your Dockerfile, so why
      * [Environment variable dumps](#envvar_dumps)
      * [Modifying environment variables](#modifying_envvars)
      * [Security](#envvar_security)
-   * [Working around Docker's inability to modify /etc/hosts](#workaroud_modifying_etc_hosts)
    * [Disabling SSH](#disabling_ssh)
  * [Container administration](#container_administration)
    * [Running a one-shot command in a new container](#oneshot)
@@ -83,7 +82,6 @@ You can configure the stock `ubuntu` image yourself from your Dockerfile, so why
 | Ubuntu 14.04 LTS | The base system. |
 | A **correct** init process | According to the Unix process model, [the init process](https://en.wikipedia.org/wiki/Init) -- PID 1 -- inherits all [orphaned child processes](https://en.wikipedia.org/wiki/Orphan_process) and must [reap them](https://en.wikipedia.org/wiki/Wait_(system_call)). Most Docker containers do not have an init process that does this correctly, and as a result their containers become filled with [zombie processes](https://en.wikipedia.org/wiki/Zombie_process) over time. <br><br>Furthermore, `docker stop` sends SIGTERM to the init process, which is then supposed to stop all services. Unfortunately most init systems don't do this correctly within Docker since they're built for hardware shutdowns instead. This causes processes to be hard killed with SIGKILL, which doesn't give them a chance to correctly deinitialize things. This can cause file corruption. <br><br>Baseimage-docker comes with an init process `/sbin/my_init` that performs both of these tasks correctly. |
 | Fixes APT incompatibilities with Docker | See https://github.com/dotcloud/docker/issues/1024. |
-| Workarounds for Docker bugs | [Learn more.](#workaroud_modifying_etc_hosts) |
 | syslog-ng | A syslog daemon is necessary so that many services - including the kernel itself - can correctly log to /var/log/syslog. If no syslog daemon is running, a lot of important messages are silently swallowed. <br><br>Only listens locally. |
 | logrotate | Rotates and compresses logs on a regular basis. |
 | SSH server | Allows you to easily login to your container to [inspect or administer](#login_ssh) things. <br><br>_SSH is only one of the methods provided by baseimage-docker for this purpose. The other method is through [the nsenter tool](#login_nsenter). SSH is also provided as an option because nsenter has many issues._<br><br>Password and challenge-response authentication are disabled by default. Only key authentication is allowed.<br><br>SSH access can be easily disabled if you so wish. Read on for instructions. |
@@ -280,26 +278,6 @@ If you are sure that your environment variables don't contain sensitive data, th
     RUN chmod 755 /etc/container_environment
     RUN chmod 644 /etc/container_environment.sh /etc/container_environment.json
 
-<a name="workaroud_modifying_etc_hosts"></a>
-### Working around Docker's inability to modify /etc/hosts
-
-It is currently not possible to modify /etc/hosts inside a Docker container because of [Docker bug 2267](https://github.com/dotcloud/docker/issues/2267). Baseimage-docker includes a workaround for this. You have to be explicitly opt-in for the workaround.
-
-The workaround involves modifying a system library, libnss_files.so.2, so that it looks for the host file in /etc/workaround-docker-2267/hosts instead of /etc/hosts. Instead of modifying /etc/hosts, you modify /etc/workaround-docker-2267/hosts instead.
-
-Add this to your Dockerfile to opt-in for the workaround. This command modifies libnss_files.so.2 as described above.
-
-    RUN /usr/bin/workaround-docker-2267
-
-(You don't necessarily have to run this command from the Dockerfile. You can also run it from a shell inside the container.)
-
-To verify that it works, [open a bash shell in your container](#inspecting), modify /etc/workaround-docker-2267/hosts, and check whether it had any effect:
-
-    bash# echo 127.0.0.1 my-test-domain.com >> /etc/workaround-docker-2267/hosts
-    bash# ping my-test-domain.com
-    ...should ping 127.0.0.1...
-
-**Note on apt-get upgrading:** if any Ubuntu updates overwrite libnss_files.so.2, then the workaround is removed. You have to re-enable it by running `/usr/bin/workaround-docker-2267`. To be safe, you should run this command every time after running `apt-get upgrade`.
 
 <a name="disabling_ssh"></a>
 ### Disabling SSH
diff --git a/image/bin/my_init b/image/bin/my_init
index a34694e..0502c6a 100755
--- a/image/bin/my_init
+++ b/image/bin/my_init
@@ -56,9 +56,6 @@ def is_exe(path):
 	except OSError:
 		return False
 
-def create_hosts_file():
-	run_command_killable("/bin/cp", "/etc/hosts", "/etc/workaround-docker-2267/")
-
 def import_envvars(clear_existing_environment = True, override_existing_environment = True):
 	new_env = {}
 	for envfile in listdir("/etc/container_environment"):
@@ -252,7 +249,6 @@ def install_insecure_key():
 	run_command_killable("/usr/sbin/enable_insecure_key")
 
 def main(args):
-	create_hosts_file()
 	import_envvars(False, False)
 	export_envvars()
 
diff --git a/image/bin/workaround-docker-2267 b/image/bin/workaround-docker-2267
deleted file mode 100755
index 4c16da0..0000000
--- a/image/bin/workaround-docker-2267
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-exec /usr/bin/perl -pi -e 's:/etc/hosts:/cte/hosts:g' /lib/x86_64-linux-gnu/libnss_files.so.2
diff --git a/image/prepare.sh b/image/prepare.sh
index 24da000..ef49700 100755
--- a/image/prepare.sh
+++ b/image/prepare.sh
@@ -30,12 +30,6 @@ ln -sf /bin/true /sbin/initctl
 dpkg-divert --local --rename --add /usr/bin/ischroot
 ln -sf /bin/true /usr/bin/ischroot
 
-## Workaround https://github.com/dotcloud/docker/issues/2267,
-## not being able to modify /etc/hosts.
-mkdir -p /etc/workaround-docker-2267
-ln -s /etc/workaround-docker-2267 /cte
-cp /build/bin/workaround-docker-2267 /usr/bin/
-
 ## Install HTTPS support for APT.
 $minimal_apt_get_install apt-transport-https ca-certificates
 

From 8f2877c806186511611017395d6f87cd00392adf Mon Sep 17 00:00:00 2001
From: "Hongli Lai (Phusion)" <hongli@phusion.nl>
Date: Sat, 17 Jan 2015 14:32:41 +0100
Subject: [PATCH 03/18] Do not set APT's force-unsafe-io option because the
 latest ubuntu image already does that

---
 image/prepare.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/image/prepare.sh b/image/prepare.sh
index ef49700..5e5d188 100755
--- a/image/prepare.sh
+++ b/image/prepare.sh
@@ -4,7 +4,9 @@ source /build/buildconfig
 set -x
 
 ## Temporarily disable dpkg fsync to make building faster.
-echo force-unsafe-io > /etc/dpkg/dpkg.cfg.d/02apt-speedup
+if [[ ! -e /etc/dpkg/dpkg.cfg.d/docker-apt-speedup ]]; then
+	echo force-unsafe-io > /etc/dpkg/dpkg.cfg.d/docker-apt-speedup
+fi
 
 ## Prevent initramfs updates from trying to run grub and lilo.
 ## https://journal.paul.querna.org/articles/2013/10/15/docker-ubuntu-on-rackspace/

From d9023071e4395a77c1f9eb0da42f5b534670b90d Mon Sep 17 00:00:00 2001
From: "Hongli Lai (Phusion)" <hongli@phusion.nl>
Date: Mon, 19 Jan 2015 16:00:13 +0100
Subject: [PATCH 04/18] Bump version to 0.9.16

---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 0e7b713..2213442 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,5 @@
 NAME = phusion/baseimage
-VERSION = 0.9.15
+VERSION = 0.9.16
 
 .PHONY: all build test tag_latest release ssh
 

From 2640bc7b036f216a149d6c8e284008f26bbb41f9 Mon Sep 17 00:00:00 2001
From: "Hongli Lai (Phusion)" <hongli@phusion.nl>
Date: Mon, 19 Jan 2015 16:39:14 +0100
Subject: [PATCH 05/18] Make 'docker exec' the default and disable SSH by
 default

Closes GH-168.
---
 Changelog.md                    |   3 +-
 README.md                       | 107 +++++++++++---------------------
 image/00_regen_ssh_host_keys.sh |   2 +-
 image/system_services.sh        |   1 +
 test/runner.sh                  |  11 +++-
 5 files changed, 48 insertions(+), 76 deletions(-)

diff --git a/Changelog.md b/Changelog.md
index fe3b8e4..50654fa 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,6 +1,7 @@
 ## 0.9.16 (next version, not yet released)
 
- * The workaround for Docker bug 2267 (the inability to modify /etc/hosts) has been removed, because it has been fixed upstream.
+ * `docker exec` is now the default and recommended mechanism for running commands in the container. SSH is now disabled by default, but is still supported for those cases where "docker exec" is not appropriate. Closes GH-168.
+ * The workaround for Docker bug 2267 (the inability to modify /etc/hosts) has been removed, because it has been fixed upstream. Closes GH-155.
 
 ## 0.9.15 (release date: 2014-10-03)
 
diff --git a/README.md b/README.md
index 35149d6..f497ab9 100644
--- a/README.md
+++ b/README.md
@@ -52,14 +52,14 @@ You can configure the stock `ubuntu` image yourself from your Dockerfile, so why
      * [Environment variable dumps](#envvar_dumps)
      * [Modifying environment variables](#modifying_envvars)
      * [Security](#envvar_security)
-   * [Disabling SSH](#disabling_ssh)
  * [Container administration](#container_administration)
    * [Running a one-shot command in a new container](#oneshot)
    * [Running a command in an existing, running container](#run_inside_existing_container)
-   * [Login to the container via nsenter](#login_nsenter)
-     * [Usage](#nsenter_usage)
-     * [The `docker-bash` tool](#docker_bash)
+   * [Login to the container via `docker exec`](#login_docker_exec)
+     * [Usage](#docker_exec)
    * [Login to the container via SSH](#login_ssh)
+     * [Enabling SSH](#enabling_ssh)
+     * [About SSH keys](#ssh_keys)
      * [Using the insecure key for one container only](#using_the_insecure_key_for_one_container_only)
      * [Enabling the insecure key permanently](#enabling_the_insecure_key_permanently)
      * [Using your own key](#using_your_own_key)
@@ -84,7 +84,7 @@ You can configure the stock `ubuntu` image yourself from your Dockerfile, so why
 | Fixes APT incompatibilities with Docker | See https://github.com/dotcloud/docker/issues/1024. |
 | syslog-ng | A syslog daemon is necessary so that many services - including the kernel itself - can correctly log to /var/log/syslog. If no syslog daemon is running, a lot of important messages are silently swallowed. <br><br>Only listens locally. |
 | logrotate | Rotates and compresses logs on a regular basis. |
-| SSH server | Allows you to easily login to your container to [inspect or administer](#login_ssh) things. <br><br>_SSH is only one of the methods provided by baseimage-docker for this purpose. The other method is through [the nsenter tool](#login_nsenter). SSH is also provided as an option because nsenter has many issues._<br><br>Password and challenge-response authentication are disabled by default. Only key authentication is allowed.<br><br>SSH access can be easily disabled if you so wish. Read on for instructions. |
+| SSH server | Allows you to easily login to your container to [inspect or administer](#login_ssh) things. <br><br>_SSH is **disabled by default** and is only one of the methods provided by baseimage-docker for this purpose. The other method is through [docker exec](#login_docker_exec). SSH is also provided as an alternative because `docker exec` comes with several caveats._<br><br>Password and challenge-response authentication are disabled by default. Only key authentication is allowed. |
 | cron | The cron daemon must be running for cron jobs to work. |
 | [runit](http://smarden.org/runit/) | Replaces Ubuntu's Upstart. Used for service supervision and management. Much easier to use than SysV init and supports restarting daemons when they crash. Much easier to use and more lightweight than Upstart. |
 | `setuser` | A tool for running a command as another user. Easier to use than `su`, has a smaller attack vector than `sudo`, and unlike `chpst` this tool sets `$HOME` correctly. Available as `/sbin/setuser`. |
@@ -139,11 +139,6 @@ The image is called `phusion/baseimage`, and is available on the Docker registry
     # Set correct environment variables.
     ENV HOME /root
     
-    # Regenerate SSH host keys. baseimage-docker does not contain any, so you
-    # have to do that yourself. You may also comment out this instruction; the
-    # init system will auto-generate one during boot.
-    RUN /etc/my_init.d/00_regen_ssh_host_keys.sh
-    
     # Use baseimage-docker's init system.
     CMD ["/sbin/my_init"]
     
@@ -278,14 +273,6 @@ If you are sure that your environment variables don't contain sensitive data, th
     RUN chmod 755 /etc/container_environment
     RUN chmod 644 /etc/container_environment.sh /etc/container_environment.json
 
-
-<a name="disabling_ssh"></a>
-### Disabling SSH
-
-Baseimage-docker enables an SSH server by default, so that you can [use SSH](#login_ssh) to [administer your container](#container_administration). In case you do not want to enable SSH, here's how you can disable it:
-
-    RUN rm -rf /etc/service/sshd /etc/my_init.d/00_regen_ssh_host_keys.sh
-
 <a name="container_administration"></a>
 ## Container administration
 
@@ -316,11 +303,6 @@ This will perform the following:
 For example:
 
     $ docker run phusion/baseimage:<VERSION> /sbin/my_init -- ls
-    *** Running /etc/my_init.d/00_regen_ssh_host_keys.sh...
-    No SSH host key available. Generating one...
-    Creating SSH2 RSA key; this may take some time ...
-    Creating SSH2 DSA key; this may take some time ...
-    Creating SSH2 ECDSA key; this may take some time ...
     *** Running /etc/rc.local...
     *** Booting runit daemon...
     *** Runit started as PID 80
@@ -342,15 +324,15 @@ The following example runs `ls` without running the startup files and with less
 
 There are two ways to run a command inside an existing, running container.
 
- * Through the `nsenter` tool. This tool uses Linux kernel system calls in order to execute a command within the context of a container. Learn more in [Login to the container, or running a command inside it, via nsenter](#login_nsenter).
+ * Through the `docker exec` tool. This is builtin Docker tool, available since Docker 1.4. Internally, it uses Linux kernel system calls in order to execute a command within the context of a container. Learn more in [Login to the container, or running a command inside it, via `docker exec`](#login_docker_exec).
  * Through SSH. This approach requires running an SSH daemon inside the container, and requires you to setup SSH keys. Learn more in [Login to the container, or running a command inside it, via SSH](#login_ssh).
 
 Both way have their own pros and cons, which you can learn in their respective subsections.
 
-<a name="login_nsenter"></a>
-### Login to the container, or running a command inside it, via nsenter
+<a name="login_docker_exec"></a>
+### Login to the container, or running a command inside it, via `docker exec`
 
-You can use the `nsenter` tool on the Docker host OS to login to any container that is based on baseimage-docker. You can also use it to run a command inside a running container. `nsenter` works by using Linux kernel system calls.
+You can use the `docker exec` tool on the Docker host OS to login to any container that is based on baseimage-docker. You can also use it to run a command inside a running container. `docker exec` works by using Linux kernel system calls.
 
 Here's how it compares to [using SSH to login to the container or to run a command inside it](#login_ssh):
 
@@ -359,19 +341,14 @@ Here's how it compares to [using SSH to login to the container or to run a comma
    * Does not require setting up SSH keys.
    * Works on any container, even containers not based on baseimage-docker.
  * Cons
-   * Processes executed by `nsenter` behave in a slightly different manner than normal. For example, they cannot be killed by any normal processes inside the container. This applies to all child processes as well.
-   * If the `nsenter` process is terminated by a signal (e.g. with the `kill` command), then the command that is executed by nsenter is *not* killed and cleaned up. You will have to do that manually. (Note that terminal control commands like Ctrl-C *do* clean up all child processes, because terminal signals are sent to all processes in the terminal session.)
-   * Requires learning another tool.
-   * Requires root privileges on the Docker host.
-   * Requires the `nsenter` tool to be available on the Docker host. At the time of writing (July 2014), most Linux distributions do not ship it. However, baseimage-docker provides a precompiled binary, and allows you to easily use it, through its [docker-bash](#docker_bash) tool.
+   * If the `docker exec` process on the host is terminated by a signal (e.g. with the `kill` command or even with Ctrl-C), then the command that is executed by `docker exec` is *not* killed and cleaned up. You will either have to do that manually, or you have to run `docker exec` with `-t -i`.
+   * Requires privileges on the Docker host to be able to access the Docker daemon. Note that anybody who can access the Docker daemon effectively has root access.
    * Not possible to allow users to login to the container without also letting them login to the Docker host.
 
-<a name="nsenter_usage"></a>
+<a name="docker_exec_usage"></a>
 #### Usage
 
-First, ensure that `nsenter` is installed. At the time of writing (July 2014), almost no Linux distribution ships the `nsenter` tool. However, we provide [a precompiled binary](#docker_bash) that anybody can use.
-
-Anyway, start a container:
+Start a container:
 
     docker run YOUR_IMAGE
 
@@ -379,57 +356,43 @@ Find out the ID of the container that you just ran:
 
     docker ps
 
-Once you have the ID, look for the PID of the main process inside the container.
+Now that you have the ID, you can use `docker exec` to run arbitrary commands in the container. For example, to run `echo hello world`:
 
-    docker inspect -f "{{ .State.Pid }}" <ID>
+    docker exec YOUR-CONTAINER-ID echo hello world
 
-Now that you have the container's main process PID, you can use `nsenter` to login to the container, or to execute a command inside it:
+To open a bash session inside the container, you must pass `-t -i` so that a terminal is available:
 
-    # Login to the container
-    nsenter --target <MAIN PROCESS PID> --mount --uts --ipc --net --pid bash -l
-
-    # Running a command inside the container
-    nsenter --target <MAIN PROCESS PID> --mount --uts --ipc --net --pid -- echo hello world
-
-<a name="docker_bash"></a>
-#### The `docker-bash` tool
-
-Looking up the main process PID of a container and typing the long nsenter command quickly becomes tedious. Luckily, we provide the `docker-bash` tool which automates this process. This tool is to be run on the *Docker host*, not inside a Docker container.
-
-This tool also comes with a precompiled `nsenter` binary, so that you don't have to install `nsenter` yourself. `docker-bash` works out-of-the-box!
-
-First, install the tool on the Docker host:
-
-    curl --fail -L -O https://github.com/phusion/baseimage-docker/archive/master.tar.gz && \
-    tar xzf master.tar.gz && \
-    sudo ./baseimage-docker-master/install-tools.sh
-
-Then run the tool as follows to login to a container:
-
-    docker-bash YOUR-CONTAINER-ID
-
-You can lookup `YOUR-CONTAINER-ID` by running `docker ps`.
-
-By default, `docker-bash` will open a Bash session. You can also tell it to run a command, and then exit:
-
-    docker-bash YOUR-CONTAINER-ID echo hello world
+    docker exec -t -i YOUR-CONTAINER-ID bash -l
 
 <a name="login_ssh"></a>
 ### Login to the container, or running a command inside it, via SSH
 
 You can use SSH to login to any container that is based on baseimage-docker. You can also use it to run a command inside a running container.
 
-Here's how it compares to [using nsenter to login to the container or to run a command inside it](#login_nsenter):
+Here's how it compares to [using `docker exec` to login to the container or to run a command inside it](#login_docker_exec):
 
  * Pros
-   * Does not require a tool like `nsenter` to be available on the Docker host. Virtually everybody already has an SSH client installed.
-   * There no surprises with processes behaving slightly differently than normal, as is the case when using `nsenter`.
    * Does not require root privileges on the Docker host.
    * Allows you to let users login to the container, without letting them login to the Docker host. However, this is not enabled by default because baseimage-docker does not expose the SSH server to the public Internet by default.
  * Cons
    * Requires setting up SSH keys. However, baseimage-docker makes this easy for many cases through a pregenerated, insecure key. Read on to learn more.
 
-The first thing that you need to do is to ensure that you have the right SSH keys installed inside the container. By default, no keys are installed, so you can't login. For convenience reasons, we provide [a pregenerated, insecure key](https://github.com/phusion/baseimage-docker/blob/master/image/insecure_key) [(PuTTY format)](https://github.com/phusion/baseimage-docker/blob/master/image/insecure_key.ppk) that you can easily enable. However, please be aware that using this key is for convenience only. It does not provide any security because this key (both the public and the private side) is publicly available. **In production environments, you should use your own keys**.
+<a name="enabling_ssh"></a>
+#### Enabling SSH
+
+Baseimage-docker disables the SSH server by default. Add the following to your Dockerfile to enable it:
+
+    RUN rm -f /etc/service/sshd/down
+    
+    # Regenerate SSH host keys. baseimage-docker does not contain any, so you
+    # have to do that yourself. You may also comment out this instruction; the
+    # init system will auto-generate one during boot.
+    RUN /etc/my_init.d/00_regen_ssh_host_keys.sh
+
+<a name="ssh_keys"></a>
+#### About SSH keys
+
+First, you must ensure that you have the right SSH keys installed inside the container. By default, no keys are installed, so nobody can login. For convenience reasons, we provide [a pregenerated, insecure key](https://github.com/phusion/baseimage-docker/blob/master/image/insecure_key) [(PuTTY format)](https://github.com/phusion/baseimage-docker/blob/master/image/insecure_key.ppk) that you can easily enable. However, please be aware that using this key is for convenience only. It does not provide any security because this key (both the public and the private side) is publicly available. **In production environments, you should use your own keys**.
 
 <a name="using_the_insecure_key_for_one_container_only"></a>
 #### Using the insecure key for one container only
@@ -463,7 +426,7 @@ Now that you have the IP address, you can use SSH to login to the container, or
 <a name="enabling_the_insecure_key_permanently"></a>
 #### Enabling the insecure key permanently
 
-It is also possible to enable the insecure key in the image permanently. This is not generally recommended, but it suitable for e.g. temporary development or demo environments where security does not matter.
+It is also possible to enable the insecure key in the image permanently. This is not generally recommended, but is suitable for e.g. temporary development or demo environments where security does not matter.
 
 Edit your Dockerfile to install the insecure key permanently:
 
diff --git a/image/00_regen_ssh_host_keys.sh b/image/00_regen_ssh_host_keys.sh
index a639ee8..d4531cb 100755
--- a/image/00_regen_ssh_host_keys.sh
+++ b/image/00_regen_ssh_host_keys.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 set -e
-if [[ ! -e /etc/ssh/ssh_host_rsa_key ]]; then
+if [[ ! -e /etc/service/sshd/down && ! -e /etc/ssh/ssh_host_rsa_key ]] || [[ "$1" == "-f" ]]; then
 	echo "No SSH host key available. Generating one..."
 	export LC_ALL=C
 	export DEBIAN_FRONTEND=noninteractive
diff --git a/image/system_services.sh b/image/system_services.sh
index c0bb7b4..607cab2 100755
--- a/image/system_services.sh
+++ b/image/system_services.sh
@@ -36,6 +36,7 @@ $minimal_apt_get_install logrotate
 $minimal_apt_get_install openssh-server
 mkdir /var/run/sshd
 mkdir /etc/service/sshd
+touch /etc/service/sshd/down
 cp /build/runit/sshd /etc/service/sshd/run
 cp /build/config/sshd_config /etc/ssh/sshd_config
 cp /build/00_regen_ssh_host_keys.sh /etc/my_init.d/
diff --git a/test/runner.sh b/test/runner.sh
index 6720df5..e73ac9c 100755
--- a/test/runner.sh
+++ b/test/runner.sh
@@ -28,8 +28,15 @@ fi
 
 trap cleanup EXIT
 
+echo " --> Enabling SSH in the container"
+docker exec -t -i $ID /etc/my_init.d/00_regen_ssh_host_keys.sh -f
+docker exec -t -i $ID rm /etc/service/sshd/down
+docker exec -t -i $ID sv start /etc/service/sshd
+sleep 1
+
 echo " --> Logging into container and running tests"
-chmod 600 image/insecure_key
+cp image/insecure_key /tmp/insecure_key
+chmod 600 /tmp/insecure_key
 sleep 1 # Give container some more time to start up.
-ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i image/insecure_key root@$IP \
+ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i /tmp/insecure_key root@$IP \
 	/bin/bash /test/test.sh

From 9b08ea9cd4ef554c7127130795dd515d2988064b Mon Sep 17 00:00:00 2001
From: "Hongli Lai (Phusion)" <hongli@phusion.nl>
Date: Mon, 19 Jan 2015 16:55:09 +0100
Subject: [PATCH 06/18] Logrotate now reloads syslog-ng properly

Closes GH-167.
---
 Changelog.md             | 1 +
 image/system_services.sh | 1 +
 2 files changed, 2 insertions(+)

diff --git a/Changelog.md b/Changelog.md
index 50654fa..b0dceda 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -2,6 +2,7 @@
 
  * `docker exec` is now the default and recommended mechanism for running commands in the container. SSH is now disabled by default, but is still supported for those cases where "docker exec" is not appropriate. Closes GH-168.
  * The workaround for Docker bug 2267 (the inability to modify /etc/hosts) has been removed, because it has been fixed upstream. Closes GH-155.
+ * Logrotate now reloads syslog-ng properly. Closes GH-167.
 
 ## 0.9.15 (release date: 2014-10-03)
 
diff --git a/image/system_services.sh b/image/system_services.sh
index 607cab2..b9699c1 100755
--- a/image/system_services.sh
+++ b/image/system_services.sh
@@ -31,6 +31,7 @@ sed -i -E 's/^(\s*)system\(\);/\1unix-stream("\/dev\/log");/' /etc/syslog-ng/sys
 
 ## Install logrotate.
 $minimal_apt_get_install logrotate
+sed -i 's|invoke-rc.d syslog-ng reload|sv reload syslog-ng|g' /etc/logrotate.d/syslog-ng
 
 ## Install the SSH server.
 $minimal_apt_get_install openssh-server

From 0b2de757f52d3f8762e764f6c3b8f7adbd435c67 Mon Sep 17 00:00:00 2001
From: "Hongli Lai (Phusion)" <hongli@phusion.nl>
Date: Mon, 19 Jan 2015 17:22:00 +0100
Subject: [PATCH 07/18] Fixed some locale issues

Closes GH-178. Thanks to David J. M. Karlsen.
---
 Changelog.md     | 1 +
 image/prepare.sh | 1 +
 2 files changed, 2 insertions(+)

diff --git a/Changelog.md b/Changelog.md
index b0dceda..057df31 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -3,6 +3,7 @@
  * `docker exec` is now the default and recommended mechanism for running commands in the container. SSH is now disabled by default, but is still supported for those cases where "docker exec" is not appropriate. Closes GH-168.
  * The workaround for Docker bug 2267 (the inability to modify /etc/hosts) has been removed, because it has been fixed upstream. Closes GH-155.
  * Logrotate now reloads syslog-ng properly. Closes GH-167.
+ * Fixed some locale issues. Closes GH-178. Thanks to David J. M. Karlsen.
 
 ## 0.9.15 (release date: 2014-10-03)
 
diff --git a/image/prepare.sh b/image/prepare.sh
index 5e5d188..8166fa5 100755
--- a/image/prepare.sh
+++ b/image/prepare.sh
@@ -44,3 +44,4 @@ apt-get dist-upgrade -y --no-install-recommends
 ## Fix locale.
 $minimal_apt_get_install language-pack-en
 locale-gen en_US
+update-locale LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8

From 6e55e3d515a1c25767c82fb87495d969f3b04a1e Mon Sep 17 00:00:00 2001
From: "Hongli Lai (Phusion)" <hongli@phusion.nl>
Date: Mon, 19 Jan 2015 18:07:15 +0100
Subject: [PATCH 08/18] Redirect syslog to 'docker logs' and fix cron

Closes GH-123. Closes GH-115.
---
 Changelog.md                    |  2 ++
 README.md                       |  2 +-
 image/config/logrotate_syslogng | 38 +++++++++++++++++++++++++++++++++
 image/prepare.sh                |  2 ++
 image/runit/syslog-forwarder    |  2 ++
 image/system_services.sh        |  9 +++++++-
 6 files changed, 53 insertions(+), 2 deletions(-)
 create mode 100644 image/config/logrotate_syslogng
 create mode 100755 image/runit/syslog-forwarder

diff --git a/Changelog.md b/Changelog.md
index 057df31..5d35291 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,9 +1,11 @@
 ## 0.9.16 (next version, not yet released)
 
  * `docker exec` is now the default and recommended mechanism for running commands in the container. SSH is now disabled by default, but is still supported for those cases where "docker exec" is not appropriate. Closes GH-168.
+ * All syslog output is now forwarded to `docker logs`. Closes GH-123.
  * The workaround for Docker bug 2267 (the inability to modify /etc/hosts) has been removed, because it has been fixed upstream. Closes GH-155.
  * Logrotate now reloads syslog-ng properly. Closes GH-167.
  * Fixed some locale issues. Closes GH-178. Thanks to David J. M. Karlsen.
+ * Fixed problems with cron. Closes GH-115.
 
 ## 0.9.15 (release date: 2014-10-03)
 
diff --git a/README.md b/README.md
index f497ab9..2cd3b1b 100644
--- a/README.md
+++ b/README.md
@@ -82,7 +82,7 @@ You can configure the stock `ubuntu` image yourself from your Dockerfile, so why
 | Ubuntu 14.04 LTS | The base system. |
 | A **correct** init process | According to the Unix process model, [the init process](https://en.wikipedia.org/wiki/Init) -- PID 1 -- inherits all [orphaned child processes](https://en.wikipedia.org/wiki/Orphan_process) and must [reap them](https://en.wikipedia.org/wiki/Wait_(system_call)). Most Docker containers do not have an init process that does this correctly, and as a result their containers become filled with [zombie processes](https://en.wikipedia.org/wiki/Zombie_process) over time. <br><br>Furthermore, `docker stop` sends SIGTERM to the init process, which is then supposed to stop all services. Unfortunately most init systems don't do this correctly within Docker since they're built for hardware shutdowns instead. This causes processes to be hard killed with SIGKILL, which doesn't give them a chance to correctly deinitialize things. This can cause file corruption. <br><br>Baseimage-docker comes with an init process `/sbin/my_init` that performs both of these tasks correctly. |
 | Fixes APT incompatibilities with Docker | See https://github.com/dotcloud/docker/issues/1024. |
-| syslog-ng | A syslog daemon is necessary so that many services - including the kernel itself - can correctly log to /var/log/syslog. If no syslog daemon is running, a lot of important messages are silently swallowed. <br><br>Only listens locally. |
+| syslog-ng | A syslog daemon is necessary so that many services - including the kernel itself - can correctly log to /var/log/syslog. If no syslog daemon is running, a lot of important messages are silently swallowed. <br><br>Only listens locally. All syslog messages are forwarded to "docker logs". |
 | logrotate | Rotates and compresses logs on a regular basis. |
 | SSH server | Allows you to easily login to your container to [inspect or administer](#login_ssh) things. <br><br>_SSH is **disabled by default** and is only one of the methods provided by baseimage-docker for this purpose. The other method is through [docker exec](#login_docker_exec). SSH is also provided as an alternative because `docker exec` comes with several caveats._<br><br>Password and challenge-response authentication are disabled by default. Only key authentication is allowed. |
 | cron | The cron daemon must be running for cron jobs to work. |
diff --git a/image/config/logrotate_syslogng b/image/config/logrotate_syslogng
new file mode 100644
index 0000000..b56ffc3
--- /dev/null
+++ b/image/config/logrotate_syslogng
@@ -0,0 +1,38 @@
+/var/log/syslog
+{
+	rotate 7
+	daily
+	missingok
+	notifempty
+	delaycompress
+	compress
+	postrotate
+		sv reload syslog-ng > /dev/null
+	endscript
+}
+
+/var/log/mail.info
+/var/log/mail.warn
+/var/log/mail.err
+/var/log/mail.log
+/var/log/daemon.log
+/var/log/kern.log
+/var/log/auth.log
+/var/log/user.log
+/var/log/lpr.log
+/var/log/cron.log
+/var/log/debug
+/var/log/messages
+{
+	rotate 4
+	weekly
+	missingok
+	notifempty
+	compress
+	delaycompress
+	sharedscripts
+	postrotate
+		sv reload syslog-ng > /dev/null
+		sv restart cron-log-forwarder > /dev/null
+	endscript
+}
diff --git a/image/prepare.sh b/image/prepare.sh
index 8166fa5..3c2baac 100755
--- a/image/prepare.sh
+++ b/image/prepare.sh
@@ -45,3 +45,5 @@ apt-get dist-upgrade -y --no-install-recommends
 $minimal_apt_get_install language-pack-en
 locale-gen en_US
 update-locale LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8
+echo -n en_US.UTF-8 > /etc/container_environment/LANG
+echo -n en_US.UTF-8 > /etc/container_environment/LC_CTYPE
diff --git a/image/runit/syslog-forwarder b/image/runit/syslog-forwarder
new file mode 100755
index 0000000..2a20072
--- /dev/null
+++ b/image/runit/syslog-forwarder
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec tail -f -n 0 /var/log/syslog
diff --git a/image/system_services.sh b/image/system_services.sh
index b9699c1..56c65bb 100755
--- a/image/system_services.sh
+++ b/image/system_services.sh
@@ -25,13 +25,19 @@ mkdir /etc/service/syslog-ng
 cp /build/runit/syslog-ng /etc/service/syslog-ng/run
 mkdir -p /var/lib/syslog-ng
 cp /build/config/syslog_ng_default /etc/default/syslog-ng
+touch /var/log/syslog
+chmod u=rw,g=r,o= /var/log/syslog
 # Replace the system() source because inside Docker we
 # can't access /proc/kmsg.
 sed -i -E 's/^(\s*)system\(\);/\1unix-stream("\/dev\/log");/' /etc/syslog-ng/syslog-ng.conf
 
+## Install syslog to "docker logs" forwarder.
+mkdir /etc/service/syslog-forwarder
+cp /build/runit/syslog-forwarder /etc/service/syslog-forwarder/run
+
 ## Install logrotate.
 $minimal_apt_get_install logrotate
-sed -i 's|invoke-rc.d syslog-ng reload|sv reload syslog-ng|g' /etc/logrotate.d/syslog-ng
+cp /build/config/logrotate_syslogng /etc/logrotate.d/syslog-ng
 
 ## Install the SSH server.
 $minimal_apt_get_install openssh-server
@@ -55,6 +61,7 @@ cp /build/bin/enable_insecure_key /usr/sbin/
 ## Install cron daemon.
 $minimal_apt_get_install cron
 mkdir /etc/service/cron
+chmod 600 /etc/crontab
 cp /build/runit/cron /etc/service/cron/run
 
 ## Remove useless cron entries.

From d85b76dfd909139715a35e7b2c08cabe98671d6b Mon Sep 17 00:00:00 2001
From: "Hongli Lai (Phusion)" <hongli@phusion.nl>
Date: Tue, 20 Jan 2015 10:52:48 +0100
Subject: [PATCH 09/18] Update URLs in the README, add translation note

---
 README.md        | 4 ++--
 README_ZH_cn_.md | 6 ++++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 2cd3b1b..fa3447c 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # A minimal Ubuntu base image modified for Docker-friendliness
 
-Baseimage-docker is a special [Docker](http://www.docker.io) image that is configured for correct use within Docker containers. It is Ubuntu, plus:
+Baseimage-docker is a special [Docker](https://www.docker.com) image that is configured for correct use within Docker containers. It is Ubuntu, plus:
 
  * Modifications for Docker-friendliness.
  * Administration tools that are especially useful in the context of Docker.
@@ -8,7 +8,7 @@ Baseimage-docker is a special [Docker](http://www.docker.io) image that is confi
 
 You can use it as a base for your own Docker images.
 
-Baseimage-docker is available for pulling from [the Docker registry](https://index.docker.io/u/phusion/baseimage/)!
+Baseimage-docker is available for pulling from [the Docker registry](https://registry.hub.docker.com/u/phusion/baseimage/)!
 
 ### What are the problems with the stock Ubuntu base image?
 
diff --git a/README_ZH_cn_.md b/README_ZH_cn_.md
index 05ce824..099a729 100644
--- a/README_ZH_cn_.md
+++ b/README_ZH_cn_.md
@@ -1,6 +1,8 @@
 # 小巧玲珑的ubuntu镜像
 
-Baseimage-docker是一个特殊的 [Docker](http://www.docker.io) 镜像，可以很优雅的将它用于docker镜像。相对于 Ubuntu, 有这些新增：
+**This translation was last updated October 24, 2014.**
+
+Baseimage-docker是一个特殊的 [Docker](https://www.docker.com) 镜像，可以很优雅的将它用于docker镜像。相对于 Ubuntu, 有这些新增：
 
  * 修改之后，可以很友好的使用docker
  * 修复了一些docker的bug [some Docker bugs](#workaroud_modifying_etc_hosts).
@@ -8,7 +10,7 @@ Baseimage-docker是一个特殊的 [Docker](http://www.docker.io) 镜像，可
 
 你可以用它作为你自己的基础docker镜像。
 
-Baseimage-docker 可以从[the Docker registry](https://index.docker.io/u/phusion/baseimage/)获取到!
+Baseimage-docker 可以从[the Docker registry](https://registry.hub.docker.com/u/phusion/baseimage/)获取到!
 
 ### 原生的ubuntu基础镜像有什么问题呢？
 

From bc40f72c846a411cb1a48f0836c6fce9ca3c8eda Mon Sep 17 00:00:00 2001
From: "Hongli Lai (Phusion)" <hongli@phusion.nl>
Date: Tue, 20 Jan 2015 11:14:53 +0100
Subject: [PATCH 10/18] Update documentation

---
 CONTRIBUTING.md | 4 +++-
 Changelog.md    | 1 +
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 18be95d..1feaa45 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -2,4 +2,6 @@ Hey, thanks for wanting to contribute to baseimage-docker. :)
 
 If you have a question, please use the [discussion forum](https://groups.google.com/d/forum/passenger-docker). The Github issue tracker is only for **bug reports and feature requests**.
 
-If you want to develop baseimage-docker, use the Vagrantfile in the repository. It will setup an Ubuntu VM with Docker installed in it. Use the Makefile to build the image.
+If you want to develop baseimage-docker, use the Vagrantfile in the repository. It will setup an Ubuntu VM with Docker installed in it. Use the Makefile to build the Docker image.
+
+All development happens on the `next` branch. The `master` branch is supposed to point to the latest stable release, because users read documentation from the `master` branch.
diff --git a/Changelog.md b/Changelog.md
index 5d35291..0e207b7 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -6,6 +6,7 @@
  * Logrotate now reloads syslog-ng properly. Closes GH-167.
  * Fixed some locale issues. Closes GH-178. Thanks to David J. M. Karlsen.
  * Fixed problems with cron. Closes GH-115.
+ * Contribution by Bryan Bishop.
 
 ## 0.9.15 (release date: 2014-10-03)
 

From 65e212f2359ef44f88a785330a29e4d11bf2deb7 Mon Sep 17 00:00:00 2001
From: "Hongli Lai (Phusion)" <hongli@phusion.nl>
Date: Tue, 20 Jan 2015 11:39:50 +0100
Subject: [PATCH 11/18] When uploading new release, run 'docker tag' with '-f'

---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 2213442..a8d5252 100644
--- a/Makefile
+++ b/Makefile
@@ -12,7 +12,7 @@ test:
 	env NAME=$(NAME) VERSION=$(VERSION) ./test/runner.sh
 
 tag_latest:
-	docker tag $(NAME):$(VERSION) $(NAME):latest
+	docker tag -f $(NAME):$(VERSION) $(NAME):latest
 
 release: test tag_latest
 	@if ! docker images $(NAME) | awk '{ print $$2 }' | grep -q -F $(VERSION); then echo "$(NAME) version $(VERSION) is not yet built. Please run 'make build'"; false; fi

From 1812fbf09327318e4a6b8b8ee10d837b3cceb993 Mon Sep 17 00:00:00 2001
From: "Hongli Lai (Phusion)" <hongli@phusion.nl>
Date: Tue, 20 Jan 2015 11:40:15 +0100
Subject: [PATCH 12/18] Note 0.9.16 release date

---
 Changelog.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Changelog.md b/Changelog.md
index 0e207b7..9bcc822 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,4 +1,4 @@
-## 0.9.16 (next version, not yet released)
+## 0.9.16 (release date: 2015-01-20)
 
  * `docker exec` is now the default and recommended mechanism for running commands in the container. SSH is now disabled by default, but is still supported for those cases where "docker exec" is not appropriate. Closes GH-168.
  * All syslog output is now forwarded to `docker logs`. Closes GH-123.

From 4f52a9c6a40ce589d0180285811dfc8f64e18c93 Mon Sep 17 00:00:00 2001
From: "Hongli Lai (Phusion)" <hongli@phusion.nl>
Date: Tue, 20 Jan 2015 13:23:53 +0100
Subject: [PATCH 13/18] Link to the PID 1 problem article

---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index fa3447c..95f058c 100644
--- a/README.md
+++ b/README.md
@@ -80,7 +80,7 @@ You can configure the stock `ubuntu` image yourself from your Dockerfile, so why
 | Component        | Why is it included? / Remarks |
 | ---------------- | ------------------- |
 | Ubuntu 14.04 LTS | The base system. |
-| A **correct** init process | According to the Unix process model, [the init process](https://en.wikipedia.org/wiki/Init) -- PID 1 -- inherits all [orphaned child processes](https://en.wikipedia.org/wiki/Orphan_process) and must [reap them](https://en.wikipedia.org/wiki/Wait_(system_call)). Most Docker containers do not have an init process that does this correctly, and as a result their containers become filled with [zombie processes](https://en.wikipedia.org/wiki/Zombie_process) over time. <br><br>Furthermore, `docker stop` sends SIGTERM to the init process, which is then supposed to stop all services. Unfortunately most init systems don't do this correctly within Docker since they're built for hardware shutdowns instead. This causes processes to be hard killed with SIGKILL, which doesn't give them a chance to correctly deinitialize things. This can cause file corruption. <br><br>Baseimage-docker comes with an init process `/sbin/my_init` that performs both of these tasks correctly. |
+| A **correct** init process | _Main article: [Docker and the PID 1 zombie reaping problem](http://blog.phusion.nl/2015/01/20/docker-and-the-pid-1-zombie-reaping-problem/)._ <br><br>According to the Unix process model, [the init process](https://en.wikipedia.org/wiki/Init) -- PID 1 -- inherits all [orphaned child processes](https://en.wikipedia.org/wiki/Orphan_process) and must [reap them](https://en.wikipedia.org/wiki/Wait_(system_call)). Most Docker containers do not have an init process that does this correctly, and as a result their containers become filled with [zombie processes](https://en.wikipedia.org/wiki/Zombie_process) over time. <br><br>Furthermore, `docker stop` sends SIGTERM to the init process, which is then supposed to stop all services. Unfortunately most init systems don't do this correctly within Docker since they're built for hardware shutdowns instead. This causes processes to be hard killed with SIGKILL, which doesn't give them a chance to correctly deinitialize things. This can cause file corruption. <br><br>Baseimage-docker comes with an init process `/sbin/my_init` that performs both of these tasks correctly. |
 | Fixes APT incompatibilities with Docker | See https://github.com/dotcloud/docker/issues/1024. |
 | syslog-ng | A syslog daemon is necessary so that many services - including the kernel itself - can correctly log to /var/log/syslog. If no syslog daemon is running, a lot of important messages are silently swallowed. <br><br>Only listens locally. All syslog messages are forwarded to "docker logs". |
 | logrotate | Rotates and compresses logs on a regular basis. |
@@ -96,7 +96,7 @@ Baseimage-docker is very lightweight: it only consumes 6 MB of memory.
 
 The Docker developers advocate the philosophy of running a single *logical service* per container. A logical service can consist of multiple OS processes.
 
-Baseimage-docker only advocates running multiple OS processes inside a single container. We believe this makes sense because at the very least it would solve [the PID 1 problem](#whats_inside_overview) and the "syslog blackhole" problem. By running multiple processes, we solve very real Unix OS-level problems, with minimal overhead and without turning the container into multiple logical services.
+Baseimage-docker only advocates running multiple OS processes inside a single container. We believe this makes sense because at the very least it would solve [the PID 1 problem](http://blog.phusion.nl/2015/01/20/docker-and-the-pid-1-zombie-reaping-problem/) and the "syslog blackhole" problem. By running multiple processes, we solve very real Unix OS-level problems, with minimal overhead and without turning the container into multiple logical services.
 
 Splitting your logical service into multiple OS processes also makes sense from a security standpoint. By running processes as different users, you can limit the impact of vulnerabilities. Baseimage-docker provides tools to encourage running processes as different users, e.g. the `setuser` tool.
 

From 795f12a5549617745f8edcb18e9789265c129275 Mon Sep 17 00:00:00 2001
From: Olivier Adam <olivier.adam@m4x.org>
Date: Fri, 23 Jan 2015 17:18:35 +0100
Subject: [PATCH 14/18] Update README.md

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 95f058c..ccdee45 100644
--- a/README.md
+++ b/README.md
@@ -107,7 +107,7 @@ Do we advocate running multiple *logical services* in a single container? Not ne
 
 There are people who are under the impression that Baseimage-docker advocates treating containers as VMs, because of the fact that Baseimage-docker advocates the use of multiple processes. Therefore they are also under the impression that Baseimage-docker does not follow the Docker philosophy. Neither of these impressions are true.
 
-The Docker developers advocate running multiple *logical services* inside a single container. But we are not disputing that. Baseimage-docker advocates running multiple *OS processes* inside a single container, and a single logical service can consist of multiple OS processes.
+The Docker developers advocate running a single *logical service* inside a single container. But we are not disputing that. Baseimage-docker advocates running multiple *OS processes* inside a single container, and a single logical service can consist of multiple OS processes.
 
 It follows from this that Baseimage-docker also does not deny the Docker philosophy. In fact, many of the modifications we introduce are explicitly in line with the Docker philosophy. For example, using environment variables to pass parameters to containers is very much the "Docker way", and provide [a mechanism to easily work with environment variables](#environment_variables) in the presence of multiple processes that may run as different users.
 

From 5eeb176bd040a0acacec075fbdd5dce562a8dced Mon Sep 17 00:00:00 2001
From: "Hongli Lai (Phusion)" <hongli@phusion.nl>
Date: Mon, 26 Jan 2015 17:15:29 +0100
Subject: [PATCH 15/18] No longer recommend setting 'ENV HOME' in Dockerfile

This is because https://github.com/docker/docker/issues/2968 has been fixed.
---
 README.md | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/README.md b/README.md
index ccdee45..2c838fb 100644
--- a/README.md
+++ b/README.md
@@ -136,9 +136,6 @@ The image is called `phusion/baseimage`, and is available on the Docker registry
     # a list of version numbers.
     FROM phusion/baseimage:<VERSION>
     
-    # Set correct environment variables.
-    ENV HOME /root
-    
     # Use baseimage-docker's init system.
     CMD ["/sbin/my_init"]
     

From efd9a67a79553453741b78020626fd40dc06fb7c Mon Sep 17 00:00:00 2001
From: Buck Golemon <workitharder@gmail.com>
Date: Fri, 6 Feb 2015 13:13:20 -0800
Subject: [PATCH 16/18] editorconfig helps me match your style, and avoid
 repeated python whitespace errors

---
 .editorconfig | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 .editorconfig

diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..5dc6d24
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,11 @@
+# EditorConfig is awesome: http://EditorConfig.org
+
+# top-most EditorConfig file
+root = true
+
+# Unix-style newlines with a newline ending every file
+[*]
+end_of_line = lf
+insert_final_newline = true
+indent_size = 4
+indent_style = tab

From eb23de21d9e8b02f3770bffc285ba02bb7497abb Mon Sep 17 00:00:00 2001
From: Sergey Shepelev <temotor@gmail.com>
Date: Fri, 20 Feb 2015 00:44:38 +0300
Subject: [PATCH 17/18] syslog-forwarder continue after logrotate

tail -F to continue reading new /var/log/syslog
---
 image/runit/syslog-forwarder | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/image/runit/syslog-forwarder b/image/runit/syslog-forwarder
index 2a20072..5bd832f 100755
--- a/image/runit/syslog-forwarder
+++ b/image/runit/syslog-forwarder
@@ -1,2 +1,2 @@
 #!/bin/sh
-exec tail -f -n 0 /var/log/syslog
+exec tail -F -n 0 /var/log/syslog

From d04ad4793068fb733bf4b5d285b252218c3bcb3a Mon Sep 17 00:00:00 2001
From: "Daniel Knoppel (Phusion)" <daniel@phusion.nl>
Date: Wed, 20 May 2015 09:44:52 +0200
Subject: [PATCH 18/18] Avoid suggesting that there should be a comment line
 before the shebang.

---
 README.md | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 2c838fb..c2b468b 100644
--- a/README.md
+++ b/README.md
@@ -153,13 +153,15 @@ The shell script must be called `run`, must be executable, and is to be placed i
 
 Here's an example showing you how a memcached server runit entry can be made.
 
-    ### In memcached.sh (make sure this file is chmod +x):
+In `memcached.sh` (make sure this file is chmod +x):
+
     #!/bin/sh
     # `/sbin/setuser memcache` runs the given command as the user `memcache`.
     # If you omit that part, the command will be run as root.
     exec /sbin/setuser memcache /usr/bin/memcached >>/var/log/memcached.log 2>&1
 
-    ### In Dockerfile:
+In `Dockerfile`:
+
     RUN mkdir /etc/service/memcached
     ADD memcached.sh /etc/service/memcached/run
 
@@ -177,11 +179,13 @@ All scripts must exit correctly, e.g. with exit code 0. If any script exits with
 
 The following example shows how you can add a startup script. This script simply logs the time of boot to the file /tmp/boottime.txt.
 
-    ### In logtime.sh (make sure this file is chmod +x):
+In `logtime.sh` (make sure this file is chmod +x):
+    
     #!/bin/sh
     date > /tmp/boottime.txt
 
-    ### In Dockerfile:
+In `Dockerfile`:
+
     RUN mkdir -p /etc/my_init.d
     ADD logtime.sh /etc/my_init.d/logtime.sh