
Made services installation optional during build

You can use the `ENV` directive in a Dockerfile to disable the installation
of some services, or change `image/buildconfig`.

The flags are :

DISABLE_SSHD
DISABLE_CRON
DISABLE_SYSLOG
This commit is contained in:
Enderson Maia 2014-11-12 22:11:40 -03:00
parent 7425da2825
commit 9adbd423d0
25 changed files with 138 additions and 64 deletions


@ -21,9 +21,9 @@ release: test tag_latest
@echo "*** Don't forget to create a tag. git tag rel-$(VERSION) && git push origin rel-$(VERSION)" @echo "*** Don't forget to create a tag. git tag rel-$(VERSION) && git push origin rel-$(VERSION)"
ssh: ssh:
chmod 600 image/insecure_key chmod 600 image/services/sshd/keys/insecure_key
@ID=$$(docker ps | grep -F "$(NAME):$(VERSION)" | awk '{ print $$1 }') && \ @ID=$$(docker ps | grep -F "$(NAME):$(VERSION)" | awk '{ print $$1 }') && \
if test "$$ID" = ""; then echo "Container is not running."; exit 1; fi && \ if test "$$ID" = ""; then echo "Container is not running."; exit 1; fi && \
IP=$$(docker inspect $$ID | grep IPAddr | sed 's/.*: "//; s/".*//') && \ IP=$$(docker inspect $$ID | grep IPAddr | sed 's/.*: "//; s/".*//') && \
echo "SSHing into $$IP" && \ echo "SSHing into $$IP" && \
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i image/insecure_key root@$$IP ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i image/services/sshd/keys/insecure_key root@$$IP


@ -68,6 +68,7 @@ You can configure the stock `ubuntu` image yourself from your Dockerfile, so why
* [Using your own key](#using_your_own_key) * [Using your own key](#using_your_own_key)
* [The `docker-ssh` tool](#docker_ssh) * [The `docker-ssh` tool](#docker_ssh)
* [Building the image yourself](#building) * [Building the image yourself](#building)
* [Removing optional services](#removing_optional_services)
* [Conclusion](#conclusion) * [Conclusion](#conclusion)
----------------------------------------- -----------------------------------------
@ -138,12 +139,12 @@ The image is called `phusion/baseimage`, and is available on the Docker registry
# See https://github.com/phusion/baseimage-docker/blob/master/Changelog.md for # See https://github.com/phusion/baseimage-docker/blob/master/Changelog.md for
# a list of version numbers. # a list of version numbers.
FROM phusion/baseimage:<VERSION> FROM phusion/baseimage:<VERSION>
# Use baseimage-docker's init system. # Use baseimage-docker's init system.
CMD ["/sbin/my_init"] CMD ["/sbin/my_init"]
# ...put your own build instructions here... # ...put your own build instructions here...
# Clean up APT when done. # Clean up APT when done.
RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
@ -183,7 +184,7 @@ All scripts must exit correctly, e.g. with exit code 0. If any script exits with
The following example shows how you can add a startup script. This script simply logs the time of boot to the file /tmp/boottime.txt. The following example shows how you can add a startup script. This script simply logs the time of boot to the file /tmp/boottime.txt.
In `logtime.sh` (make sure this file is chmod +x): In `logtime.sh` (make sure this file is chmod +x):
#!/bin/sh #!/bin/sh
date > /tmp/boottime.txt date > /tmp/boottime.txt
@ -398,7 +399,7 @@ Here's how it compares to [using `docker exec` to login to the container or to r
Baseimage-docker disables the SSH server by default. Add the following to your Dockerfile to enable it: Baseimage-docker disables the SSH server by default. Add the following to your Dockerfile to enable it:
RUN rm -f /etc/service/sshd/down RUN rm -f /etc/service/sshd/down
# Regenerate SSH host keys. baseimage-docker does not contain any, so you # Regenerate SSH host keys. baseimage-docker does not contain any, so you
# have to do that yourself. You may also comment out this instruction; the # have to do that yourself. You may also comment out this instruction; the
# init system will auto-generate one during boot. # init system will auto-generate one during boot.
@ -407,7 +408,7 @@ Baseimage-docker disables the SSH server by default. Add the following to your D
<a name="ssh_keys"></a> <a name="ssh_keys"></a>
#### About SSH keys #### About SSH keys
First, you must ensure that you have the right SSH keys installed inside the container. By default, no keys are installed, so nobody can login. For convenience reasons, we provide [a pregenerated, insecure key](https://github.com/phusion/baseimage-docker/blob/master/image/insecure_key) [(PuTTY format)](https://github.com/phusion/baseimage-docker/blob/master/image/insecure_key.ppk) that you can easily enable. However, please be aware that using this key is for convenience only. It does not provide any security because this key (both the public and the private side) is publicly available. **In production environments, you should use your own keys**. First, you must ensure that you have the right SSH keys installed inside the container. By default, no keys are installed, so nobody can login. For convenience reasons, we provide [a pregenerated, insecure key](https://github.com/phusion/baseimage-docker/blob/master/image/services/sshd/keys/insecure_key) [(PuTTY format)](https://github.com/phusion/baseimage-docker/blob/master/image/services/sshd/keys/insecure_key.ppk) that you can easily enable. However, please be aware that using this key is for convenience only. It does not provide any security because this key (both the public and the private side) is publicly available. **In production environments, you should use your own keys**.
<a name="using_the_insecure_key_for_one_container_only"></a> <a name="using_the_insecure_key_for_one_container_only"></a>
#### Using the insecure key for one container only #### Using the insecure key for one container only
@ -429,7 +430,7 @@ Once you have the ID, look for its IP address with:
Now that you have the IP address, you can use SSH to login to the container, or to execute a command inside it: Now that you have the IP address, you can use SSH to login to the container, or to execute a command inside it:
# Download the insecure private key # Download the insecure private key
curl -o insecure_key -fSL https://github.com/phusion/baseimage-docker/raw/master/image/insecure_key curl -o insecure_key -fSL https://github.com/phusion/baseimage-docker/raw/master/image/services/sshd/keys/insecure_key
chmod 600 insecure_key chmod 600 insecure_key
# Login to the container # Login to the container
@ -524,6 +525,50 @@ If you want to call the resulting image something else, pass the NAME variable,
make build NAME=joe/baseimage make build NAME=joe/baseimage
<a name="removing_optional_services"></a>
### Removing optional services
The default baseimage-docker installs `syslog-ng`, `cron` and `sshd` services during the build process.
In case you don't need one or more of these services in your image, you can disable its installation and/or install the substituite service of your preference.
You can user the `ENV` directive in your Dockerfile for these three variables :
* `DISABLE_SYSLOG`
* `DISABLE_SSH`
* `DISABLE_CRON`
For ex., if you want to disable ssh on your image :
#...
FROM phusion/baseimage:<VERSION>
# Set correct environment variables.
ENV HOME /root
# Disable SSH
ENV DISABLE_SSH 1
# Use baseimage-docker's init system.
CMD ["/sbin/my_init"]
# ...put your own build instructions here...
# Clean up APT when done.
RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
If you don't want to use the `ENV` directive inside your Dockerfile and avoid creating another image layer, as shown in the following example, to prevent `sshd` from being installed into your image, set `1` to the `DISABLE_SSH` variable in the `./image/buildconfig` file.
### In ./image/buildconfig
# ...
# Default services
# Set 1 to the service you want to disable
export DISABLE_SYSLOG=${DISABLE_SYSLOG:-0}
export DISABLE_SSH=${DISABLE_SSH:-1}
export DISABLE_CRON=${DISABLE_CRON:-0}
Then you can proceed with `docker build` command.
<a name="conclusion"></a> <a name="conclusion"></a>
## Conclusion ## Conclusion


@ -438,7 +438,7 @@ Baseimage-docker提供了一个灵活的方式运行只要一闪而过的命令,
* 缺点 * 缺点
* 需要设置ssh key.然而,baseimage-docker会提供一中办法,会让key的生成会很容器.阅读更多信息. * 需要设置ssh key.然而,baseimage-docker会提供一中办法,会让key的生成会很容器.阅读更多信息.
第一件事情,就是你需要确定你在容器中已经安装设置了ssh key. 默认,没有任何安装key的,所有你无法登录.为了方便的原因,我们提供了一个[已经生成的key](https://github.com/phusion/baseimage-docker/blob/master/image/insecure_key) [(PuTTY format)](https://github.com/phusion/baseimage-docker/blob/master/image/insecure_key.ppk),为了让你使用方便.然后,请注意这个key仅仅是为方便.他没有任何安全行,因为它的key是在网络上提供的.**在生产环境,你必须使用你自己的key.** 第一件事情,就是你需要确定你在容器中已经安装设置了ssh key. 默认,没有任何安装key的,所有你无法登录.为了方便的原因,我们提供了一个[已经生成的key](https://github.com/phusion/baseimage-docker/blob/master/image/services/sshd/keys/insecure_key) [(PuTTY format)](https://github.com/phusion/baseimage-docker/blob/master/image/services/sshd/keys/insecure_key.ppk),为了让你使用方便.然后,请注意这个key仅仅是为方便.他没有任何安全行,因为它的key是在网络上提供的.**在生产环境,你必须使用你自己的key.**
<a name="using_the_insecure_key_for_one_container_only"></a> <a name="using_the_insecure_key_for_one_container_only"></a>
@ -461,7 +461,7 @@ Baseimage-docker提供了一个灵活的方式运行只要一闪而过的命令,
现在你有得了IP地址,你就看通过SSH来登录容器,或者在容器中执行命令了: 现在你有得了IP地址,你就看通过SSH来登录容器,或者在容器中执行命令了:
# 下载key # 下载key
curl -o insecure_key -fSL https://github.com/phusion/baseimage-docker/raw/master/image/insecure_key curl -o insecure_key -fSL https://github.com/phusion/baseimage-docker/raw/master/image/services/sshd/keys/insecure_key
chmod 600 insecure_key chmod 600 insecure_key
# 登录容器 # 登录容器


@ -438,7 +438,7 @@ Baseimage-docker提供了一個靈活的方式運行只要一閃而過的命令,
* 缺點 * 缺點
* 需要設置ssh key.然而,baseimage-docker會提供一中辦法,會讓key的生成會很容器.閱讀更多信息. * 需要設置ssh key.然而,baseimage-docker會提供一中辦法,會讓key的生成會很容器.閱讀更多信息.
第一件事情,就是你需要確定你在容器中已經安裝設置了ssh key. 默認,沒有任何安裝key的,所有你無法登錄.爲了方便的原因,我們提供了一個[已經生成的key](https://github.com/phusion/baseimage-docker/blob/master/image/insecure_key) [(PuTTY format)](https://github.com/phusion/baseimage-docker/blob/master/image/insecure_key.ppk),爲了讓你使用方便.然後,請注意這個key僅僅是爲方便.他沒有任何安全行,因爲它的key是在網絡上提供的.**在生產環境,你必須使用你自己的key.** 第一件事情,就是你需要確定你在容器中已經安裝設置了ssh key. 默認,沒有任何安裝key的,所有你無法登錄.爲了方便的原因,我們提供了一個[已經生成的key](https://github.com/phusion/baseimage-docker/blob/master/image/services/sshd/keys/insecure_key) [(PuTTY format)](https://github.com/phusion/baseimage-docker/blob/master/image/services/sshd/keys/insecure_key.ppk),爲了讓你使用方便.然後,請注意這個key僅僅是爲方便.他沒有任何安全行,因爲它的key是在網絡上提供的.**在生產環境,你必須使用你自己的key.**
<a name="using_the_insecure_key_for_one_container_only"></a> <a name="using_the_insecure_key_for_one_container_only"></a>
@ -461,7 +461,7 @@ Baseimage-docker提供了一個靈活的方式運行只要一閃而過的命令,
現在你有得了IP地址,你就看通過SSH來登錄容器,或者在容器中執行命令了: 現在你有得了IP地址,你就看通過SSH來登錄容器,或者在容器中執行命令了:
# 下載key # 下載key
curl -o insecure_key -fSL https://github.com/phusion/baseimage-docker/raw/master/image/insecure_key curl -o insecure_key -fSL https://github.com/phusion/baseimage-docker/raw/master/image/services/sshd/keys/insecure_key
chmod 600 insecure_key chmod 600 insecure_key
# 登錄容器 # 登錄容器


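--- a/image/buildconfig
+++ b/image/buildconfig
@@ -1,3 +1,9 @@
 export LC_ALL=C
 export DEBIAN_FRONTEND=noninteractive
 minimal_apt_get_install='apt-get install -y --no-install-recommends'
+# Default services
+# Set 1 to the service you want to disable
+export DISABLE_SYSLOG=${DISABLE_SYSLOG:-0}
+export DISABLE_SSH=${DISABLE_SSH:-0}
+export DISABLE_CRON=${DISABLE_CRON:-0}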
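Review bot: The flag is named `DISABLE_SSH` here and in the README hunk, while the commit message lists `DISABLE_SSHD`; one of the two should be corrected so the name people look for in the history matches the variable that system_services.sh actually tests. A comment on where these values are read would also help: as far as I can tell they are only consulted while system_services.sh runs during this image's own build, so the README example that puts `ENV DISABLE_SSH 1` into a Dockerfile starting with `FROM phusion/baseimage:<VERSION>` cannot remove a service that is already installed in the published base image — please confirm and adjust the README if so. Suggested header above the three exports: `# Read by system_services.sh while this image is built; set them in the build environment or change the defaults here.`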

17
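--- /dev/null
+++ b/image/services/cron/cron.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+set -e
+source /bd_build/buildconfig
+set -x
+$minimal_apt_get_install cron
+mkdir /etc/service/cron
+chmod 600 /etc/crontab
+cp /bd_build/services/cron/cron.runit /etc/service/cron/run
+## Remove useless cron entries.
+# Checks for lost+found and scans for mtab.
+rm -f /etc/cron.daily/standard
+rm -f /etc/cron.daily/upstart
+rm -f /etc/cron.daily/dpkg
+rm -f /etc/cron.daily/password
+rm -f /etc/cron.weekly/fstrim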

25
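--- /dev/null
+++ b/image/services/sshd/sshd.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+set -e
+source /bd_build/buildconfig
+set -x
+SSHD_BUILD_PATH=/bd_build/services/sshd
+## Install the SSH server.
+$minimal_apt_get_install openssh-server
+mkdir /var/run/sshd
+mkdir /etc/service/sshd
+touch /etc/service/sshd/down
+cp $SSHD_BUILD_PATH/sshd.runit /etc/service/sshd/run
+cp $SSHD_BUILD_PATH/sshd_config /etc/ssh/sshd_config
+cp $SSHD_BUILD_PATH/00_regen_ssh_host_keys.sh /etc/my_init.d/
+## Install default SSH key for root and app.
+mkdir -p /root/.ssh
+chmod 700 /root/.ssh
+chown root:root /root/.ssh
+cp $SSHD_BUILD_PATH/keys/insecure_key.pub /etc/insecure_key.pub
+cp $SSHD_BUILD_PATH/keys/insecure_key /etc/insecure_key
+chmod 644 /etc/insecure_key*
+chown root:root /etc/insecure_key*
+cp $SSHD_BUILD_PATH/enable_insecure_key /usr/sbin/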


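--- /dev/null
+++ b/image/services/syslog-ng/syslog-ng.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+set -e
+source /bd_build/buildconfig
+set -x
+SYSLOG_NG_BUILD_PATH=/bd_build/services/syslog-ng
+## Install a syslog daemon.
+$minimal_apt_get_install syslog-ng-core
+mkdir /etc/service/syslog-ng
+cp $SYSLOG_NG_BUILD_PATH/syslog-ng.runit /etc/service/syslog-ng/run
+mkdir -p /var/lib/syslog-ng
+cp $SYSLOG_NG_BUILD_PATH/syslog_ng_default /etc/default/syslog-ng
+touch /var/log/syslog
+chmod u=rw,g=r,o= /var/log/syslog
+cp $SYSLOG_NG_BUILD_PATH/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
+## Install syslog to "docker logs" forwarder.
+mkdir /etc/service/syslog-forwarder
+cp $SYSLOG_NG_BUILD_PATH/syslog-forwarder.runit /etc/service/syslog-forwarder/run
+## Install logrotate.
+$minimal_apt_get_install logrotate
+cp $SYSLOG_NG_BUILD_PATH/logrotate_syslogng /etc/logrotate.d/syslog-ng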


@ -19,54 +19,11 @@ ln -s /etc/container_environment.sh /etc/profile.d/
## Install runit. ## Install runit.
$minimal_apt_get_install runit $minimal_apt_get_install runit
## Install a syslog daemon. ## Install a syslog daemon and logrotate.
$minimal_apt_get_install syslog-ng-core [ "$DISABLE_SYSLOG" -eq 0 ] && /bd_build/services/syslog-ng/syslog-ng.sh
mkdir /etc/service/syslog-ng
cp /bd_build/runit/syslog-ng /etc/service/syslog-ng/run
mkdir -p /var/lib/syslog-ng
cp /bd_build/config/syslog_ng_default /etc/default/syslog-ng
touch /var/log/syslog
chmod u=rw,g=r,o= /var/log/syslog
cp /bd_build/config/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
## Install syslog to "docker logs" forwarder.
mkdir /etc/service/syslog-forwarder
cp /bd_build/runit/syslog-forwarder /etc/service/syslog-forwarder/run
## Install logrotate.
$minimal_apt_get_install logrotate
cp /bd_build/config/logrotate_syslogng /etc/logrotate.d/syslog-ng
## Install the SSH server. ## Install the SSH server.
$minimal_apt_get_install openssh-server [ "$DISABLE_SSH" -eq 0 ] && /bd_build/services/sshd/sshd.sh
mkdir /var/run/sshd
mkdir /etc/service/sshd
touch /etc/service/sshd/down
cp /bd_build/runit/sshd /etc/service/sshd/run
cp /bd_build/config/sshd_config /etc/ssh/sshd_config
cp /bd_build/00_regen_ssh_host_keys.sh /etc/my_init.d/
## Install default SSH key for root and app.
mkdir -p /root/.ssh
chmod 700 /root/.ssh
chown root:root /root/.ssh
cp /bd_build/insecure_key.pub /etc/insecure_key.pub
cp /bd_build/insecure_key /etc/insecure_key
chmod 644 /etc/insecure_key*
chown root:root /etc/insecure_key*
cp /bd_build/bin/enable_insecure_key /usr/sbin/
## Install cron daemon. ## Install cron daemon.
$minimal_apt_get_install cron [ "$DISABLE_CRON" -eq 0 ] && /bd_build/services/cron/cron.sh
mkdir /etc/service/cron
chmod 600 /etc/crontab
cp /bd_build/runit/cron /etc/service/cron/run
## Remove useless cron entries.
# Checks for lost+found and scans for mtab.
rm -f /etc/cron.daily/standard
rm -f /etc/cron.daily/upstart
rm -f /etc/cron.daily/dpkg
rm -f /etc/cron.daily/password
rm -f /etc/cron.weekly/fstrim
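Review bot: `[ "$DISABLE_CRON" -eq 0 ] && /bd_build/services/cron/cron.sh`, the last new line of the hunk, leaves the statement with exit status 1 whenever cron is disabled, so if it is also the last command of system_services.sh (the end of the file is outside the hunk) the script, and with it the build step, fails precisely in the case the flag exists for; the syslog and sshd lines above use the same pattern and would do the same if reordered. A value that is not an integer (for example `DISABLE_SSH=true`) makes `[ -eq ]` print an error and return 2, which under `&&` silently skips the installation rather than failing the build. Testing the flag as a string and making the skip path the successful one avoids both: `[ "$DISABLE_SYSLOG" = 1 ] || /bd_build/services/syslog-ng/syslog-ng.sh`, `[ "$DISABLE_SSH" = 1 ] || /bd_build/services/sshd/sshd.sh`, `[ "$DISABLE_CRON" = 1 ] || /bd_build/services/cron/cron.sh`.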


@ -8,5 +8,5 @@ cp tools/docker-bash /usr/local/bin/
cp tools/docker-ssh /usr/local/bin/ cp tools/docker-ssh /usr/local/bin/
cp tools/baseimage-docker-nsenter /usr/local/bin/ cp tools/baseimage-docker-nsenter /usr/local/bin/
mkdir -p /usr/local/share/baseimage-docker mkdir -p /usr/local/share/baseimage-docker
cp image/insecure_key /usr/local/share/baseimage-docker/ cp image/services/sshd/keys/insecure_key /usr/local/share/baseimage-docker/
chmod 644 /usr/local/share/baseimage-docker/insecure_key chmod 644 /usr/local/share/baseimage-docker/insecure_key


@ -35,7 +35,7 @@ docker exec -t -i $ID sv start /etc/service/sshd
sleep 1 sleep 1
echo " --> Logging into container and running tests" echo " --> Logging into container and running tests"
cp image/insecure_key /tmp/insecure_key cp image/services/sshd/keys/insecure_key /tmp/insecure_key
chmod 600 /tmp/insecure_key chmod 600 /tmp/insecure_key
sleep 1 # Give container some more time to start up. sleep 1 # Give container some more time to start up.
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i /tmp/insecure_key root@$IP \ ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i /tmp/insecure_key root@$IP \


@ -40,8 +40,8 @@ if ! test -e ~/.baseimage_docker_insecure_key; then
else else
dir=`dirname "$0"` dir=`dirname "$0"`
dir=`cd "$dir/.." && pwd` dir=`cd "$dir/.." && pwd`
if test -e "$dir/image/insecure_key"; then if test -e "$dir/image/services/sshd/keys/insecure_key"; then
cp "$dir/image/insecure_key" ~/.baseimage_docker_insecure_key cp "$dir/image/services/sshd/keys/insecure_key" ~/.baseimage_docker_insecure_key
else else
echo "*** ERROR ***: Baseimage-docker insecure key not found." >&2 echo "*** ERROR ***: Baseimage-docker insecure key not found." >&2
echo "You probably didn't install docker-ssh properly. Please reinstall it:" >&2 echo "You probably didn't install docker-ssh properly. Please reinstall it:" >&2