Initial commit

.gitignore

@@ -0,0 +1,2 @@
+.DS_Store
+.vagrant

Makefile

@@ -0,0 +1,12 @@
+NAME = phusion/baseimage
+VERSION = 0.9.0
+
+.PHONY: all build tag_latest
+
+all: build
+
+build:
+	docker build -t $(NAME):$(VERSION) -rm image
+
+tag_latest:
+	docker tag $(NAME):$(VERSION) $(NAME):latest

Vagrantfile

@@ -0,0 +1,31 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+ROOT = File.dirname(File.expand_path(__FILE__))
+
+# Vagrantfile API/syntax version. Don't touch unless you know what you're doing!
+VAGRANTFILE_API_VERSION = "2"
+
+Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
+  config.vm.box = "phusion-open-ubuntu-12.04-amd64"
+  config.vm.box_url = "https://oss-binaries.phusionpassenger.com/vagrant/boxes/ubuntu-12.04.3-amd64-vbox.box"
+  config.ssh.forward_agent = true
+  if File.directory?("#{ROOT}/passenger-docker")
+    config.vm.synced_folder File.expand_path("#{ROOT}/../passenger-docker"),
+      "/vagrant/passenger-docker"
+  end
+
+  config.vm.provider :vmware_fusion do |f, override|
+    override.vm.box_url = "https://oss-binaries.phusionpassenger.com/vagrant/boxes/ubuntu-12.04.3-amd64-vmwarefusion.box"
+    f.vmx["displayName"] = "baseimage-docker"
+  end
+
+  if Dir.glob("#{File.dirname(__FILE__)}/.vagrant/machines/default/*/id").empty?
+    # Add lxc-docker package
+    pkg_cmd = "wget -q -O - https://get.docker.io/gpg | apt-key add -;" \
+      "echo deb http://get.docker.io/ubuntu docker main > /etc/apt/sources.list.d/docker.list;" \
+      "apt-get update -qq; apt-get install -q -y --force-yes lxc-docker; "
+    # Add vagrant user to the docker group
+    pkg_cmd << "usermod -a -G docker vagrant; "
+    config.vm.provision :shell, :inline => pkg_cmd
+  end
+end

image/Dockerfile

@@ -0,0 +1,14 @@
+FROM ubuntu:12.04
+MAINTAINER Phusion <info@phusion.nl>
+
+ENV HOME /root
+RUN mkdir /build
+ADD . /build
+
+RUN /build/prepare.sh && \
+	/build/system_services.sh && \
+	/build/utilities.sh && \
+	/build/cleanup.sh
+
+CMD ["/sbin/my_init"]
+EXPOSE 22 80 443

image/buildconfig

@@ -0,0 +1,2 @@
+export LC_ALL=C
+export DEBIAN_FRONTEND=noninteractive

image/cleanup.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+set -e
+source /build/buildconfig
+set -x
+
+apt-get clean
+rm -rf /var/lib/apt/lists/*
+rm -rf /build

image/config/sshd_config

@@ -0,0 +1,135 @@
+#	$OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options change a
+# default value.
+
+UseDNS no
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# Disable legacy (protocol version 1) support in the server for new
+# installations. In future the default will change to require explicit
+# activation of protocol 1
+Protocol 2
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh_host_key
+# HostKeys for protocol version 2
+#HostKey /etc/ssh_host_rsa_key
+#HostKey /etc/ssh_host_dsa_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 1024
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+SyslogFacility AUTHPRIV
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+#AuthorizedKeysFile	.ssh/authorized_keys
+
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here! Also,
+# remember to set the UsePAM setting to 'no'.
+#PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# SACL options
+# The default for the SACLSupport option is now "no", as this option has been
+# depreciated in favor of SACL enforcement in the PAM configuration (/etc/pam.d/sshd).
+#SACLSupport no
+
+# Change to no to disable s/key passwords
+# Disabled for passenger-docker. We only allow key authentication.
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing, 
+# and session processing. If this is enabled, PAM authentication will 
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+# Also, PAM will deny null passwords by default.  If you need to allow
+# null passwords, add the "	nullok" option to the end of the
+# securityserver.so line in /etc/pam.d/sshd.
+#UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS yes
+#PidFile /var/run/sshd.pid
+#MaxStartups 10
+#PermitTunnel no
+#ChrootDirectory none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem	sftp	/usr/libexec/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	ForceCommand cvs server
+
+# XAuthLocation added by XQuartz (http://xquartz.macosforge.org)
+XAuthLocation /opt/X11/bin/xauth

image/insecure_key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA1ZswRub+3DvSEnBiyM5YRpRzRYV88vO1X2j867u6pyCHUNXv
+RRCr7ahMLPIVYsZwlHb4sF+Zb3DJOBH+E265o93chdMxbWG44k0spf10JRevA0JX
+NrEwHR8vesCR74e5MuddbSic88lsEqnnn+Fo3lStvE6nBp6tbqdEu7GhTtHSYejn
+wwINnA5ocsHkd1YE9L2Scqw1e4bXveTAQnSvhqe33QshGXFpt0tQwRWngah887f2
+P54wFSm2C/UyFT7pvIjINKzIi4vUoXz/nU+V7neTmt3XDdjloYg3ycOaX4RSVneO
+HCf7hkcEKbzbPzzSrGAAYYC5UzFB+ImsIbtV2wIDAQABAoIBAQCjROxgtX2Gft7y
+Ix8Ol9IXmK6HLCI2XZt7ovb3hFWGGzHy0qMBql2P2Tzoed1o038Hq+woe9n+uTnE
+dtQ6rD6PByzgyW2VSsWTjCOdeJ5HH9Qw7ItXDZZWHBkhfYHOkXI4e2oI3qshGAtY
+NLALn7KVhioJriCyyaSM2KOLx5khcY+EJ1inQfwQJKqPGsdKc72liz07T8ifRj+m
+NLKtwrxlK3IXYfIdgLp/1pCKdrC80DhprMsD4xvNgq4pCR9jd4FoqM9t/Up5ppTm
++p6A/bDwdIPh6cFFeyMP+G3+bTlW1Gg7RLoNCc6qh53WWVgEOQqdLHcQ8Ge4RLmb
+wLUmnRuRAoGBAPfXYfjpPZi8rPIQpux13Bs7xaS1/Fa9WqrEfrPptFdUVHeFCGY8
+qOUVewPviHdbs0nB71Ynk9/e96agFYijQdqTQzVnpYI4i8GiGk5gPMiB2UYeJ/HZ
+mIB3jtWyf6Z/GO0hJ1a6mX0XD3zJGNqFaiwqaYgdO1Fwh9gcH3O2lHyjAoGBANyj
+TGDBYHpxPu6uKcGreLd0SgO61PEj7aOSNfrBB2PK83A+zjZCFZRIWqjfrkxGG6+a
+2WuHbEHuCGvu2V5juHYxbAD/38iV/lQl/2xyvN1eR/baE3US06qn6idxjnmeNZDy
+DelAx1RGuEvLX1TNAzDTxBwYyzH3W2RpKAUAD11pAoGAN38YJhd8Pn5JL68A4cQG
+dGau/BHwHjAqZEC5qmmzgzaT72tvlQ0SOLHVqOzzHt7+x45QnHciSqfvxnTkPYNp
+FJuTGhtKWV12FfbJczFjivZgg63u/d3eoy2iY0GkCdE98KNS3r3L7tHCGwwgr5Xe
+T2Nz3BHHnZXYJVEuzcddeocCgYEAnhDjPAHtw2p0Inxlb9kPb6aBC/ECcwtBSUkL
+IOy/BZA1HPnxs89eNFAtmwQ8k2o6lXDDSJTJSuZj5CdGVKfuU8aOUJz/Tm2eudxL
+A/+jLJhJyCBthhcJyx3m04E4CAr+5ytyKeP9qXPMvoghcNg66/UabuKYV+CU+feX
+8xUa7NkCgYEAlX8HGvWMmiG+ZRFB//3Loy87bBxGlN0pUtCEScabZxdB2HkI9Vp7
+Yr67QIZ3y7T88Mhkwam54JCjiV+3TZbSyRMOjkqf7UhTCZC6hHNqdUnlpv4bJWeW
+i5Eun8ltYxBnemNc2QGxA4r+KCspi+pRvWNGzL3PFVBGXiLsmOMul78=
+-----END RSA PRIVATE KEY-----

image/insecure_key.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVmzBG5v7cO9IScGLIzlhGlHNFhXzy87VfaPzru7qnIIdQ1e9FEKvtqEws8hVixnCUdviwX5lvcMk4Ef4Tbrmj3dyF0zFtYbjiTSyl/XQlF68DQlc2sTAdHy96wJHvh7ky511tKJzzyWwSqeef4WjeVK28TqcGnq1up0S7saFO0dJh6OfDAg2cDmhyweR3VgT0vZJyrDV7hte95MBCdK+Gp7fdCyEZcWm3S1DBFaeBqHzzt/Y/njAVKbYL9TIVPum8iMg0rMiLi9ShfP+dT5Xud5Oa3dcN2OWhiDfJw5pfhFJWd44cJ/uGRwQpvNs/PNKsYABhgLlTMUH4iawhu1Xb hongli@asuna-3939

image/my_init

@@ -0,0 +1,5 @@
+#!/bin/bash
+set -e
+# No exec. We want bash to be the init process so that it can kill
+# zombie processes.
+/usr/sbin/runsvdir-start

image/prepare.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+set -e
+source /build/buildconfig
+set -x
+
+## Enable Ubuntu Universe.
+echo deb http://archive.ubuntu.com/ubuntu precise main universe > /etc/apt/sources.list
+echo deb http://archive.ubuntu.com/ubuntu precise-updates main universe >> /etc/apt/sources.list
+apt-get update
+
+## Install HTTPS support for APT.
+apt-get install -y apt-transport-https
+
+## Fix some issues with APT packages.
+## See https://github.com/dotcloud/docker/issues/1024
+dpkg-divert --local --rename --add /sbin/initctl
+ln -s /bin/true /sbin/initctl
+
+## Upgrade all packages.
+echo "initscripts hold" | dpkg --set-selections
+apt-get upgrade -y
+
+## Fix locale.
+apt-get install -y language-pack-en
+locale-gen en_US

image/runit/sshd

@@ -0,0 +1,3 @@
+#!/bin/sh
+set -e
+exec /usr/sbin/sshd -D

image/runit/syslog-ng

@@ -0,0 +1,3 @@
+#!/bin/sh
+set -e
+exec syslog-ng -F -p /var/run/syslog-ng.pid

image/setuser

@@ -0,0 +1,12 @@
+#!/bin/bash
+set -e
+
+user="$1"
+shift
+
+if [[ "$user" == "root" ]]; then
+	export HOME=/root
+else
+	export HOME=/home/$user
+fi
+exec chpst -u "$user" "$@"

image/system_services.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+set -e
+source /build/buildconfig
+set -x
+
+## Install init process.
+cp /build/my_init /sbin/
+
+## Install runit.
+apt-get install -y runit
+
+## Install a syslog daemon.
+apt-get install -y syslog-ng
+mkdir /etc/service/syslog-ng
+cp /build/runit/syslog-ng /etc/service/syslog-ng/run
+
+## Install the SSH server.
+apt-get install -y openssh-server
+mkdir /var/run/sshd
+mkdir /etc/service/sshd
+cp /build/runit/sshd /etc/service/sshd/run
+cp /build/config/sshd_config /etc/ssh/sshd_config
+
+## Install default SSH key for root and app.
+mkdir -p /root/.ssh /home/app/.ssh
+chmod 700 /root/.ssh /home/app/.ssh
+chown root:root /root/.ssh
+chown app:app /home/app/.ssh
+cat /build/insecure_key.pub > /root/.ssh/authorized_keys
+cat /build/insecure_key.pub > /home/app/.ssh/authorized_keys

image/utilities.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+set -e
+source /build/buildconfig
+set -x
+
+## Often used tools.
+apt-get install -y curl less nano vim psmisc
+
+## This tool runs a command as another user and sets $HOME.
+cp /build/setuser /sbin/setuser