40n8.me/baseimage-docker
1
0
Fork 0
mirror of /repos/baseimage-docker.git synced 2025-12-30 08:01:31 +01:00
Code Issues Releases Wiki Activity

Merge branch 'remove_etc_hosts_workaround' into next

Browse Source
This commit is contained in:
Hongli Lai (Phusion) 2015-01-19 16:01:53 +01:00
commit a0a48d8fd3
6 changed files with 10 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Changelog.md
View File

@ -1,3 +1,7 @@
## 0.9.16 (next version, not yet released)
* The workaround for Docker bug 2267 (the inability to modify /etc/hosts) has been removed, because it has been fixed upstream.
## 0.9.15 (release date: 2014-10-03) ## 0.9.15 (release date: 2014-10-03)
* Fixed the setuid bit on /usr/bin/sudo. This problem was caused by Docker bug #6828. * Fixed the setuid bit on /usr/bin/sudo. This problem was caused by Docker bug #6828.

2
Makefile
View File

@ -1,5 +1,5 @@
NAME = phusion/baseimage NAME = phusion/baseimage
VERSION = 0.9.15 VERSION = 0.9.16
.PHONY: all build test tag_latest release ssh .PHONY: all build test tag_latest release ssh

26
README.md
View File

@ -3,8 +3,8 @@
Baseimage-docker is a special [Docker](http://www.docker.io) image that is configured for correct use within Docker containers. It is Ubuntu, plus: Baseimage-docker is a special [Docker](http://www.docker.io) image that is configured for correct use within Docker containers. It is Ubuntu, plus:
* Modifications for Docker-friendliness. * Modifications for Docker-friendliness.
* Workarounds for [some Docker bugs](#workaroud_modifying_etc_hosts). * Administration tools that are especially useful in the context of Docker.
* Useful administration tools. * Mechanisms for easily running multiple processes, [without violating the Docker philosophy](#docker_single_process).
You can use it as a base for your own Docker images. You can use it as a base for your own Docker images.
@ -52,7 +52,6 @@ You can configure the stock `ubuntu` image yourself from your Dockerfile, so why
* [Environment variable dumps](#envvar_dumps) * [Environment variable dumps](#envvar_dumps)
* [Modifying environment variables](#modifying_envvars) * [Modifying environment variables](#modifying_envvars)
* [Security](#envvar_security) * [Security](#envvar_security)
* [Working around Docker's inability to modify /etc/hosts](#workaroud_modifying_etc_hosts)
* [Disabling SSH](#disabling_ssh) * [Disabling SSH](#disabling_ssh)
* [Container administration](#container_administration) * [Container administration](#container_administration)
* [Running a one-shot command in a new container](#oneshot) * [Running a one-shot command in a new container](#oneshot)
@ -83,7 +82,6 @@ You can configure the stock `ubuntu` image yourself from your Dockerfile, so why
| Ubuntu 14.04 LTS | The base system. | | Ubuntu 14.04 LTS | The base system. |
| A **correct** init process | According to the Unix process model, [the init process](https://en.wikipedia.org/wiki/Init) -- PID 1 -- inherits all [orphaned child processes](https://en.wikipedia.org/wiki/Orphan_process) and must [reap them](https://en.wikipedia.org/wiki/Wait_(system_call)). Most Docker containers do not have an init process that does this correctly, and as a result their containers become filled with [zombie processes](https://en.wikipedia.org/wiki/Zombie_process) over time. <br><br>Furthermore, `docker stop` sends SIGTERM to the init process, which is then supposed to stop all services. Unfortunately most init systems don't do this correctly within Docker since they're built for hardware shutdowns instead. This causes processes to be hard killed with SIGKILL, which doesn't give them a chance to correctly deinitialize things. This can cause file corruption. <br><br>Baseimage-docker comes with an init process `/sbin/my_init` that performs both of these tasks correctly. | | A **correct** init process | According to the Unix process model, [the init process](https://en.wikipedia.org/wiki/Init) -- PID 1 -- inherits all [orphaned child processes](https://en.wikipedia.org/wiki/Orphan_process) and must [reap them](https://en.wikipedia.org/wiki/Wait_(system_call)). Most Docker containers do not have an init process that does this correctly, and as a result their containers become filled with [zombie processes](https://en.wikipedia.org/wiki/Zombie_process) over time. <br><br>Furthermore, `docker stop` sends SIGTERM to the init process, which is then supposed to stop all services. Unfortunately most init systems don't do this correctly within Docker since they're built for hardware shutdowns instead. This causes processes to be hard killed with SIGKILL, which doesn't give them a chance to correctly deinitialize things. This can cause file corruption. <br><br>Baseimage-docker comes with an init process `/sbin/my_init` that performs both of these tasks correctly. |
| Fixes APT incompatibilities with Docker | See https://github.com/dotcloud/docker/issues/1024. | | Fixes APT incompatibilities with Docker | See https://github.com/dotcloud/docker/issues/1024. |
| Workarounds for Docker bugs | [Learn more.](#workaroud_modifying_etc_hosts) |
| syslog-ng | A syslog daemon is necessary so that many services - including the kernel itself - can correctly log to /var/log/syslog. If no syslog daemon is running, a lot of important messages are silently swallowed. <br><br>Only listens locally. | | syslog-ng | A syslog daemon is necessary so that many services - including the kernel itself - can correctly log to /var/log/syslog. If no syslog daemon is running, a lot of important messages are silently swallowed. <br><br>Only listens locally. |
| logrotate | Rotates and compresses logs on a regular basis. | | logrotate | Rotates and compresses logs on a regular basis. |
| SSH server | Allows you to easily login to your container to [inspect or administer](#login_ssh) things. <br><br>_SSH is only one of the methods provided by baseimage-docker for this purpose. The other method is through [the nsenter tool](#login_nsenter). SSH is also provided as an option because nsenter has many issues._<br><br>Password and challenge-response authentication are disabled by default. Only key authentication is allowed.<br><br>SSH access can be easily disabled if you so wish. Read on for instructions. | | SSH server | Allows you to easily login to your container to [inspect or administer](#login_ssh) things. <br><br>_SSH is only one of the methods provided by baseimage-docker for this purpose. The other method is through [the nsenter tool](#login_nsenter). SSH is also provided as an option because nsenter has many issues._<br><br>Password and challenge-response authentication are disabled by default. Only key authentication is allowed.<br><br>SSH access can be easily disabled if you so wish. Read on for instructions. |
@ -280,26 +278,6 @@ If you are sure that your environment variables don't contain sensitive data, th
RUN chmod 755 /etc/container_environment RUN chmod 755 /etc/container_environment
RUN chmod 644 /etc/container_environment.sh /etc/container_environment.json RUN chmod 644 /etc/container_environment.sh /etc/container_environment.json
<a name="workaroud_modifying_etc_hosts"></a>
### Working around Docker's inability to modify /etc/hosts
It is currently not possible to modify /etc/hosts inside a Docker container because of [Docker bug 2267](https://github.com/dotcloud/docker/issues/2267). Baseimage-docker includes a workaround for this. You have to be explicitly opt-in for the workaround.
The workaround involves modifying a system library, libnss_files.so.2, so that it looks for the host file in /etc/workaround-docker-2267/hosts instead of /etc/hosts. Instead of modifying /etc/hosts, you modify /etc/workaround-docker-2267/hosts instead.
Add this to your Dockerfile to opt-in for the workaround. This command modifies libnss_files.so.2 as described above.
RUN /usr/bin/workaround-docker-2267
(You don't necessarily have to run this command from the Dockerfile. You can also run it from a shell inside the container.)
To verify that it works, [open a bash shell in your container](#inspecting), modify /etc/workaround-docker-2267/hosts, and check whether it had any effect:
bash# echo 127.0.0.1 my-test-domain.com >> /etc/workaround-docker-2267/hosts
bash# ping my-test-domain.com
...should ping 127.0.0.1...
**Note on apt-get upgrading:** if any Ubuntu updates overwrite libnss_files.so.2, then the workaround is removed. You have to re-enable it by running `/usr/bin/workaround-docker-2267`. To be safe, you should run this command every time after running `apt-get upgrade`.
<a name="disabling_ssh"></a> <a name="disabling_ssh"></a>
### Disabling SSH ### Disabling SSH

4
image/bin/my_init
View File

@ -56,9 +56,6 @@ def is_exe(path):
except OSError: except OSError:
return False return False
def create_hosts_file():
run_command_killable("/bin/cp", "/etc/hosts", "/etc/workaround-docker-2267/")
def import_envvars(clear_existing_environment = True, override_existing_environment = True): def import_envvars(clear_existing_environment = True, override_existing_environment = True):
new_env = {} new_env = {}
for envfile in listdir("/etc/container_environment"): for envfile in listdir("/etc/container_environment"):
@ -252,7 +249,6 @@ def install_insecure_key():
run_command_killable("/usr/sbin/enable_insecure_key") run_command_killable("/usr/sbin/enable_insecure_key")
def main(args): def main(args):
create_hosts_file()
import_envvars(False, False) import_envvars(False, False)
export_envvars() export_envvars()

2
image/bin/workaround-docker-2267
View File

@ -1,2 +0,0 @@
#!/bin/sh
exec /usr/bin/perl -pi -e 's:/etc/hosts:/cte/hosts:g' /lib/x86_64-linux-gnu/libnss_files.so.2

10
image/prepare.sh
View File

@ -4,7 +4,9 @@ source /build/buildconfig
set -x set -x
## Temporarily disable dpkg fsync to make building faster. ## Temporarily disable dpkg fsync to make building faster.
echo force-unsafe-io > /etc/dpkg/dpkg.cfg.d/02apt-speedup if [[ ! -e /etc/dpkg/dpkg.cfg.d/docker-apt-speedup ]]; then
echo force-unsafe-io > /etc/dpkg/dpkg.cfg.d/docker-apt-speedup
fi
## Prevent initramfs updates from trying to run grub and lilo. ## Prevent initramfs updates from trying to run grub and lilo.
## https://journal.paul.querna.org/articles/2013/10/15/docker-ubuntu-on-rackspace/ ## https://journal.paul.querna.org/articles/2013/10/15/docker-ubuntu-on-rackspace/
@ -30,12 +32,6 @@ ln -sf /bin/true /sbin/initctl
dpkg-divert --local --rename --add /usr/bin/ischroot dpkg-divert --local --rename --add /usr/bin/ischroot
ln -sf /bin/true /usr/bin/ischroot ln -sf /bin/true /usr/bin/ischroot
## Workaround https://github.com/dotcloud/docker/issues/2267,
## not being able to modify /etc/hosts.
mkdir -p /etc/workaround-docker-2267
ln -s /etc/workaround-docker-2267 /cte
cp /build/bin/workaround-docker-2267 /usr/bin/
## Install HTTPS support for APT. ## Install HTTPS support for APT.
$minimal_apt_get_install apt-transport-https ca-certificates $minimal_apt_get_install apt-transport-https ca-certificates