Made services installation optional during build

You can user `ENV` directive in Dockerfile to disable the installation
for some services or change `image/buildconfig`.

The flags are :

DISABLE_SSHD
DISABLE_CRON
DISABLE_SYSLOG

Makefile

@@ -21,9 +21,9 @@ release: test tag_latest
 	@echo "*** Don't forget to create a tag. git tag rel-$(VERSION) && git push origin rel-$(VERSION)"
 
 ssh:
-	chmod 600 image/insecure_key
+	chmod 600 image/services/sshd/keys/insecure_key
 	@ID=$$(docker ps | grep -F "$(NAME):$(VERSION)" | awk '{ print $$1 }') && \
 		if test "$$ID" = ""; then echo "Container is not running."; exit 1; fi && \
 		IP=$$(docker inspect $$ID | grep IPAddr | sed 's/.*: "//; s/".*//') && \
 		echo "SSHing into $$IP" && \
-		ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i image/insecure_key root@$$IP
+		ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i image/services/sshd/keys/insecure_key root@$$IP

README.md

@@ -68,6 +68,7 @@ You can configure the stock `ubuntu` image yourself from your Dockerfile, so why
      * [Using your own key](#using_your_own_key)
      * [The `docker-ssh` tool](#docker_ssh)
  * [Building the image yourself](#building)
+  * [Removing optional services](#removing_optional_services)
  * [Conclusion](#conclusion)
 
 -----------------------------------------
@@ -138,12 +139,12 @@ The image is called `phusion/baseimage`, and is available on the Docker registry
     # See https://github.com/phusion/baseimage-docker/blob/master/Changelog.md for
     # a list of version numbers.
     FROM phusion/baseimage:<VERSION>
-    
+
     # Use baseimage-docker's init system.
     CMD ["/sbin/my_init"]
-    
+
     # ...put your own build instructions here...
-    
+
     # Clean up APT when done.
     RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
@@ -183,7 +184,7 @@ All scripts must exit correctly, e.g. with exit code 0. If any script exits with
 The following example shows how you can add a startup script. This script simply logs the time of boot to the file /tmp/boottime.txt.
 
 In `logtime.sh` (make sure this file is chmod +x):
-    
+
     #!/bin/sh
     date > /tmp/boottime.txt
 
@@ -398,7 +399,7 @@ Here's how it compares to [using `docker exec` to login to the container or to r
 Baseimage-docker disables the SSH server by default. Add the following to your Dockerfile to enable it:
 
     RUN rm -f /etc/service/sshd/down
-    
+
     # Regenerate SSH host keys. baseimage-docker does not contain any, so you
     # have to do that yourself. You may also comment out this instruction; the
     # init system will auto-generate one during boot.
@@ -407,7 +408,7 @@ Baseimage-docker disables the SSH server by default. Add the following to your D
 <a name="ssh_keys"></a>
 #### About SSH keys
 
-First, you must ensure that you have the right SSH keys installed inside the container. By default, no keys are installed, so nobody can login. For convenience reasons, we provide [a pregenerated, insecure key](https://github.com/phusion/baseimage-docker/blob/master/image/insecure_key) [(PuTTY format)](https://github.com/phusion/baseimage-docker/blob/master/image/insecure_key.ppk) that you can easily enable. However, please be aware that using this key is for convenience only. It does not provide any security because this key (both the public and the private side) is publicly available. **In production environments, you should use your own keys**.
+First, you must ensure that you have the right SSH keys installed inside the container. By default, no keys are installed, so nobody can login. For convenience reasons, we provide [a pregenerated, insecure key](https://github.com/phusion/baseimage-docker/blob/master/image/services/sshd/keys/insecure_key) [(PuTTY format)](https://github.com/phusion/baseimage-docker/blob/master/image/services/sshd/keys/insecure_key.ppk) that you can easily enable. However, please be aware that using this key is for convenience only. It does not provide any security because this key (both the public and the private side) is publicly available. **In production environments, you should use your own keys**.
 
 <a name="using_the_insecure_key_for_one_container_only"></a>
 #### Using the insecure key for one container only
@@ -429,7 +430,7 @@ Once you have the ID, look for its IP address with:
 Now that you have the IP address, you can use SSH to login to the container, or to execute a command inside it:
 
     # Download the insecure private key
-    curl -o insecure_key -fSL https://github.com/phusion/baseimage-docker/raw/master/image/insecure_key
+    curl -o insecure_key -fSL https://github.com/phusion/baseimage-docker/raw/master/image/services/sshd/keys/insecure_key
     chmod 600 insecure_key
 
     # Login to the container
@@ -524,6 +525,50 @@ If you want to call the resulting image something else, pass the NAME variable,
 
     make build NAME=joe/baseimage
 
+<a name="removing_optional_services"></a>
+### Removing optional services
+
+The default baseimage-docker installs `syslog-ng`, `cron` and `sshd` services during the build process.
+
+In case you don't need one or more of these services in your image, you can disable its installation and/or install the substituite service of your preference.
+
+You can user the `ENV` directive in your Dockerfile for these three variables :
+
+* `DISABLE_SYSLOG`
+* `DISABLE_SSH`
+* `DISABLE_CRON`
+
+For ex., if you want to disable ssh on your image :
+
+    #...
+    FROM phusion/baseimage:<VERSION>
+
+    # Set correct environment variables.
+    ENV HOME /root
+
+    # Disable SSH
+    ENV DISABLE_SSH 1
+
+    # Use baseimage-docker's init system.
+    CMD ["/sbin/my_init"]
+
+    # ...put your own build instructions here...
+
+    # Clean up APT when done.
+    RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+If you don't want to use the `ENV` directive inside your Dockerfile and avoid creating another image layer, as shown in the following example, to prevent `sshd` from being installed into your image, set `1` to the `DISABLE_SSH` variable in the `./image/buildconfig` file.
+
+    ### In ./image/buildconfig
+    # ...
+    # Default services
+    # Set 1 to the service you want to disable
+    export DISABLE_SYSLOG=${DISABLE_SYSLOG:-0}
+    export DISABLE_SSH=${DISABLE_SSH:-1}
+    export DISABLE_CRON=${DISABLE_CRON:-0}
+
+
+Then you can proceed with `docker build` command.
 
 <a name="conclusion"></a>
 ## Conclusion

README_ZH_cn_.md

@@ -438,7 +438,7 @@ Baseimage-docker提供了一个灵活的方式运行只要一闪而过的命令,
  *　缺点
    * 需要设置ssh key.然而,baseimage-docker会提供一中办法,会让key的生成会很容器.阅读更多信息.
 
-第一件事情,就是你需要确定你在容器中已经安装设置了ssh key. 默认,没有任何安装key的,所有你无法登录.为了方便的原因,我们提供了一个[已经生成的key](https://github.com/phusion/baseimage-docker/blob/master/image/insecure_key) [(PuTTY format)](https://github.com/phusion/baseimage-docker/blob/master/image/insecure_key.ppk),为了让你使用方便.然后,请注意这个key仅仅是为方便.他没有任何安全行,因为它的key是在网络上提供的.**在生产环境,你必须使用你自己的key.**
+第一件事情,就是你需要确定你在容器中已经安装设置了ssh key. 默认,没有任何安装key的,所有你无法登录.为了方便的原因,我们提供了一个[已经生成的key](https://github.com/phusion/baseimage-docker/blob/master/image/services/sshd/keys/insecure_key) [(PuTTY format)](https://github.com/phusion/baseimage-docker/blob/master/image/services/sshd/keys/insecure_key.ppk),为了让你使用方便.然后,请注意这个key仅仅是为方便.他没有任何安全行,因为它的key是在网络上提供的.**在生产环境,你必须使用你自己的key.**
 
 
 <a name="using_the_insecure_key_for_one_container_only"></a>
@@ -461,7 +461,7 @@ Baseimage-docker提供了一个灵活的方式运行只要一闪而过的命令,
 现在你有得了IP地址,你就看通过SSH来登录容器,或者在容器中执行命令了:
 
     # 下载key
-    curl -o insecure_key -fSL https://github.com/phusion/baseimage-docker/raw/master/image/insecure_key
+    curl -o insecure_key -fSL https://github.com/phusion/baseimage-docker/raw/master/image/services/sshd/keys/insecure_key
     chmod 600 insecure_key
 
     # 登录容器

README_zh_tw.md

@@ -438,7 +438,7 @@ Baseimage-docker提供了一個靈活的方式運行只要一閃而過的命令,
  *　缺點
    * 需要設置ssh key.然而,baseimage-docker會提供一中辦法,會讓key的生成會很容器.閱讀更多信息.
 
-第一件事情,就是你需要確定你在容器中已經安裝設置了ssh key. 默認,沒有任何安裝key的,所有你無法登錄.爲了方便的原因,我們提供了一個[已經生成的key](https://github.com/phusion/baseimage-docker/blob/master/image/insecure_key) [(PuTTY format)](https://github.com/phusion/baseimage-docker/blob/master/image/insecure_key.ppk),爲了讓你使用方便.然後,請注意這個key僅僅是爲方便.他沒有任何安全行,因爲它的key是在網絡上提供的.**在生產環境,你必須使用你自己的key.**
+第一件事情,就是你需要確定你在容器中已經安裝設置了ssh key. 默認,沒有任何安裝key的,所有你無法登錄.爲了方便的原因,我們提供了一個[已經生成的key](https://github.com/phusion/baseimage-docker/blob/master/image/services/sshd/keys/insecure_key) [(PuTTY format)](https://github.com/phusion/baseimage-docker/blob/master/image/services/sshd/keys/insecure_key.ppk),爲了讓你使用方便.然後,請注意這個key僅僅是爲方便.他沒有任何安全行,因爲它的key是在網絡上提供的.**在生產環境,你必須使用你自己的key.**
 
 
 <a name="using_the_insecure_key_for_one_container_only"></a>
@@ -461,7 +461,7 @@ Baseimage-docker提供了一個靈活的方式運行只要一閃而過的命令,
 現在你有得了IP地址,你就看通過SSH來登錄容器,或者在容器中執行命令了:
 
     # 下載key
-    curl -o insecure_key -fSL https://github.com/phusion/baseimage-docker/raw/master/image/insecure_key
+    curl -o insecure_key -fSL https://github.com/phusion/baseimage-docker/raw/master/image/services/sshd/keys/insecure_key
     chmod 600 insecure_key
 
     # 登錄容器

image/buildconfig

@@ -1,3 +1,9 @@
 export LC_ALL=C
 export DEBIAN_FRONTEND=noninteractive
 minimal_apt_get_install='apt-get install -y --no-install-recommends'
+
+# Default services
+# Set 1 to the service you want to disable
+export DISABLE_SYSLOG=${DISABLE_SYSLOG:-0}
+export DISABLE_SSH=${DISABLE_SSH:-0}
+export DISABLE_CRON=${DISABLE_CRON:-0}

image/services/cron/cron.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+set -e
+source /bd_build/buildconfig
+set -x
+
+$minimal_apt_get_install cron
+mkdir /etc/service/cron
+chmod 600 /etc/crontab
+cp /bd_build/services/cron/cron.runit /etc/service/cron/run
+
+## Remove useless cron entries.
+# Checks for lost+found and scans for mtab.
+rm -f /etc/cron.daily/standard
+rm -f /etc/cron.daily/upstart
+rm -f /etc/cron.daily/dpkg
+rm -f /etc/cron.daily/password
+rm -f /etc/cron.weekly/fstrim

image/services/sshd/sshd.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+set -e
+source /bd_build/buildconfig
+set -x
+
+SSHD_BUILD_PATH=/bd_build/services/sshd
+
+## Install the SSH server.
+$minimal_apt_get_install openssh-server
+mkdir /var/run/sshd
+mkdir /etc/service/sshd
+touch /etc/service/sshd/down
+cp $SSHD_BUILD_PATH/sshd.runit /etc/service/sshd/run
+cp $SSHD_BUILD_PATH/sshd_config /etc/ssh/sshd_config
+cp $SSHD_BUILD_PATH/00_regen_ssh_host_keys.sh /etc/my_init.d/
+
+## Install default SSH key for root and app.
+mkdir -p /root/.ssh
+chmod 700 /root/.ssh
+chown root:root /root/.ssh
+cp $SSHD_BUILD_PATH/keys/insecure_key.pub /etc/insecure_key.pub
+cp $SSHD_BUILD_PATH/keys/insecure_key /etc/insecure_key
+chmod 644 /etc/insecure_key*
+chown root:root /etc/insecure_key*
+cp $SSHD_BUILD_PATH/enable_insecure_key /usr/sbin/

image/services/syslog-ng/syslog-ng.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+set -e
+source /bd_build/buildconfig
+set -x
+
+SYSLOG_NG_BUILD_PATH=/bd_build/services/syslog-ng
+
+## Install a syslog daemon.
+$minimal_apt_get_install syslog-ng-core
+mkdir /etc/service/syslog-ng
+cp $SYSLOG_NG_BUILD_PATH/syslog-ng.runit /etc/service/syslog-ng/run
+mkdir -p /var/lib/syslog-ng
+cp $SYSLOG_NG_BUILD_PATH/syslog_ng_default /etc/default/syslog-ng
+touch /var/log/syslog
+chmod u=rw,g=r,o= /var/log/syslog
+cp $SYSLOG_NG_BUILD_PATH/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
+
+## Install syslog to "docker logs" forwarder.
+mkdir /etc/service/syslog-forwarder
+cp $SYSLOG_NG_BUILD_PATH/syslog-forwarder.runit /etc/service/syslog-forwarder/run
+
+## Install logrotate.
+$minimal_apt_get_install logrotate
+cp $SYSLOG_NG_BUILD_PATH/logrotate_syslogng /etc/logrotate.d/syslog-ng

image/system_services.sh

@@ -19,54 +19,11 @@ ln -s /etc/container_environment.sh /etc/profile.d/
 ## Install runit.
 $minimal_apt_get_install runit
 
-## Install a syslog daemon.
-$minimal_apt_get_install syslog-ng-core
-mkdir /etc/service/syslog-ng
-cp /bd_build/runit/syslog-ng /etc/service/syslog-ng/run
-mkdir -p /var/lib/syslog-ng
-cp /bd_build/config/syslog_ng_default /etc/default/syslog-ng
-touch /var/log/syslog
-chmod u=rw,g=r,o= /var/log/syslog
-cp /bd_build/config/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
-
-## Install syslog to "docker logs" forwarder.
-mkdir /etc/service/syslog-forwarder
-cp /bd_build/runit/syslog-forwarder /etc/service/syslog-forwarder/run
-
-## Install logrotate.
-$minimal_apt_get_install logrotate
-cp /bd_build/config/logrotate_syslogng /etc/logrotate.d/syslog-ng
+## Install a syslog daemon and logrotate.
+[ "$DISABLE_SYSLOG" -eq 0 ] && /bd_build/services/syslog-ng/syslog-ng.sh
 
 ## Install the SSH server.
-$minimal_apt_get_install openssh-server
-mkdir /var/run/sshd
-mkdir /etc/service/sshd
-touch /etc/service/sshd/down
-cp /bd_build/runit/sshd /etc/service/sshd/run
-cp /bd_build/config/sshd_config /etc/ssh/sshd_config
-cp /bd_build/00_regen_ssh_host_keys.sh /etc/my_init.d/
-
-## Install default SSH key for root and app.
-mkdir -p /root/.ssh
-chmod 700 /root/.ssh
-chown root:root /root/.ssh
-cp /bd_build/insecure_key.pub /etc/insecure_key.pub
-cp /bd_build/insecure_key /etc/insecure_key
-chmod 644 /etc/insecure_key*
-chown root:root /etc/insecure_key*
-cp /bd_build/bin/enable_insecure_key /usr/sbin/
+[ "$DISABLE_SSH" -eq 0 ] && /bd_build/services/sshd/sshd.sh
 
 ## Install cron daemon.
-$minimal_apt_get_install cron
-mkdir /etc/service/cron
-chmod 600 /etc/crontab
-cp /bd_build/runit/cron /etc/service/cron/run
-
-## Remove useless cron entries.
-# Checks for lost+found and scans for mtab.
-rm -f /etc/cron.daily/standard
-rm -f /etc/cron.daily/upstart
-rm -f /etc/cron.daily/dpkg
-rm -f /etc/cron.daily/password
-rm -f /etc/cron.weekly/fstrim
-
+[ "$DISABLE_CRON" -eq 0 ] && /bd_build/services/cron/cron.sh

install-tools.sh

@@ -8,5 +8,5 @@ cp tools/docker-bash /usr/local/bin/
 cp tools/docker-ssh /usr/local/bin/
 cp tools/baseimage-docker-nsenter /usr/local/bin/
 mkdir -p /usr/local/share/baseimage-docker
-cp image/insecure_key /usr/local/share/baseimage-docker/
+cp image/services/sshd/keys/insecure_key /usr/local/share/baseimage-docker/
 chmod 644 /usr/local/share/baseimage-docker/insecure_key

test/runner.sh

@@ -35,7 +35,7 @@ docker exec -t -i $ID sv start /etc/service/sshd
 sleep 1
 
 echo " --> Logging into container and running tests"
-cp image/insecure_key /tmp/insecure_key
+cp image/services/sshd/keys/insecure_key /tmp/insecure_key
 chmod 600 /tmp/insecure_key
 sleep 1 # Give container some more time to start up.
 ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i /tmp/insecure_key root@$IP \

tools/docker-ssh

@@ -40,8 +40,8 @@ if ! test -e ~/.baseimage_docker_insecure_key; then
 	else
 		dir=`dirname "$0"`
 		dir=`cd "$dir/.." && pwd`
-		if test -e "$dir/image/insecure_key"; then
-			cp "$dir/image/insecure_key" ~/.baseimage_docker_insecure_key
+		if test -e "$dir/image/services/sshd/keys/insecure_key"; then
+			cp "$dir/image/services/sshd/keys/insecure_key" ~/.baseimage_docker_insecure_key
 		else
 			echo "*** ERROR ***: Baseimage-docker insecure key not found." >&2
 			echo "You probably didn't install docker-ssh properly. Please reinstall it:" >&2