diff --git a/Makefile b/Makefile index cb1bde8be..0adc6adb8 100644 --- a/Makefile +++ b/Makefile @@ -21,9 +21,9 @@ release: test tag_latest @echo "*** Don't forget to create a tag. git tag rel-$(VERSION) && git push origin rel-$(VERSION)" ssh: - chmod 600 image/insecure_key + chmod 600 image/services/sshd/keys/insecure_key @ID=$$(docker ps | grep -F "$(NAME):$(VERSION)" | awk '{ print $$1 }') && \ if test "$$ID" = ""; then echo "Container is not running."; exit 1; fi && \ IP=$$(docker inspect $$ID | grep IPAddr | sed 's/.*: "//; s/".*//') && \ echo "SSHing into $$IP" && \ - ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i image/insecure_key root@$$IP + ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i image/services/sshd/keys/insecure_key root@$$IP diff --git a/README.md b/README.md index 65d0188af..5222e8359 100644 --- a/README.md +++ b/README.md @@ -68,6 +68,7 @@ You can configure the stock `ubuntu` image yourself from your Dockerfile, so why * [Using your own key](#using_your_own_key) * [The `docker-ssh` tool](#docker_ssh) * [Building the image yourself](#building) + * [Removing optional services](#removing_optional_services) * [Conclusion](#conclusion) ----------------------------------------- @@ -138,12 +139,12 @@ The image is called `phusion/baseimage`, and is available on the Docker registry # See https://github.com/phusion/baseimage-docker/blob/master/Changelog.md for # a list of version numbers. FROM phusion/baseimage: - + # Use baseimage-docker's init system. CMD ["/sbin/my_init"] - + # ...put your own build instructions here... - + # Clean up APT when done. RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* 
@@ -183,7 +184,7 @@ All scripts must exit correctly, e.g. with exit code 0. If any script exits with The following example shows how you can add a startup script. This script simply logs the time of boot to the file /tmp/boottime.txt. In `logtime.sh` (make sure this file is chmod +x): - + #!/bin/sh date > /tmp/boottime.txt @@ -398,7 +399,7 @@ Here's how it compares to [using `docker exec` to login to the container or to r Baseimage-docker disables the SSH server by default. Add the following to your Dockerfile to enable it: RUN rm -f /etc/service/sshd/down - + # Regenerate SSH host keys. baseimage-docker does not contain any, so you # have to do that yourself. You may also comment out this instruction; the # init system will auto-generate one during boot. 
@@ -407,7 +408,7 @@ Baseimage-docker disables the SSH server by default. Add the following to your D #### About SSH keys -First, you must ensure that you have the right SSH keys installed inside the container. By default, no keys are installed, so nobody can login. For convenience reasons, we provide [a pregenerated, insecure key](https://github.com/phusion/baseimage-docker/blob/master/image/insecure_key) [(PuTTY format)](https://github.com/phusion/baseimage-docker/blob/master/image/insecure_key.ppk) that you can easily enable. However, please be aware that using this key is for convenience only. It does not provide any security because this key (both the public and the private side) is publicly available. **In production environments, you should use your own keys**. +First, you must ensure that you have the right SSH keys installed inside the container. By default, no keys are installed, so nobody can login. For convenience reasons, we provide [a pregenerated, insecure key](https://github.com/phusion/baseimage-docker/blob/master/image/services/sshd/keys/insecure_key) [(PuTTY format)](https://github.com/phusion/baseimage-docker/blob/master/image/services/sshd/keys/insecure_key.ppk) that you can easily enable. However, please be aware that using this key is for convenience only. It does not provide any security because this key (both the public and the private side) is publicly available. **In production environments, you should use your own keys**. #### Using the insecure key for one container only 
@@ -429,7 +430,7 @@ Once you have the ID, look for its IP address with: Now that you have the IP address, you can use SSH to login to the container, or to execute a command inside it: # Download the insecure private key - curl -o insecure_key -fSL https://github.com/phusion/baseimage-docker/raw/master/image/insecure_key + curl -o insecure_key -fSL https://github.com/phusion/baseimage-docker/raw/master/image/services/sshd/keys/insecure_key chmod 600 insecure_key # Login to the container 
@@ -524,6 +525,50 @@ If you want to call the resulting image something else, pass the NAME variable, make build NAME=joe/baseimage + +### Removing optional services + +The default baseimage-docker installs `syslog-ng`, `cron` and `sshd` services during the build process. + +In case you don't need one or more of these services in your image, you can disable its installation and/or install the substituite service of your preference. + +You can user the `ENV` directive in your Dockerfile for these three variables : + +* `DISABLE_SYSLOG` +* `DISABLE_SSH` +* `DISABLE_CRON` + +For ex., if you want to disable ssh on your image : + + #... + FROM phusion/baseimage: + + # Set correct environment variables. + ENV HOME /root + + # Disable SSH + ENV DISABLE_SSH 1 + + # Use baseimage-docker's init system. + CMD ["/sbin/my_init"] + + # ...put your own build instructions here... + + # Clean up APT when done. + RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* + +If you don't want to use the `ENV` directive inside your Dockerfile and avoid creating another image layer, as shown in the following example, to prevent `sshd` from being installed into your image, set `1` to the `DISABLE_SSH` variable in the `./image/buildconfig` file. + + ### In ./image/buildconfig + # ... + # Default services + # Set 1 to the service you want to disable + export DISABLE_SYSLOG=${DISABLE_SYSLOG:-0} + export DISABLE_SSH=${DISABLE_SSH:-1} + export DISABLE_CRON=${DISABLE_CRON:-0} + + +Then you can proceed with `docker build` command. ## Conclusion diff --git a/README_ZH_cn_.md b/README_ZH_cn_.md index 6ebd8be45..cca0dbe56 100644 --- a/README_ZH_cn_.md +++ b/README_ZH_cn_.md 
@@ -438,7 +438,7 @@ Baseimage-docker提供了一个灵活的方式运行只要一闪而过的命令, * 缺点 * 需要设置ssh key.然而,baseimage-docker会提供一中办法,会让key的生成会很容器.阅读更多信息. -第一件事情,就是你需要确定你在容器中已经安装设置了ssh key. 默认,没有任何安装key的,所有你无法登录.为了方便的原因,我们提供了一个[已经生成的key](https://github.com/phusion/baseimage-docker/blob/master/image/insecure_key) [(PuTTY format)](https://github.com/phusion/baseimage-docker/blob/master/image/insecure_key.ppk),为了让你使用方便.然后,请注意这个key仅仅是为方便.他没有任何安全行,因为它的key是在网络上提供的.**在生产环境,你必须使用你自己的key.** +第一件事情,就是你需要确定你在容器中已经安装设置了ssh key. 默认,没有任何安装key的,所有你无法登录.为了方便的原因,我们提供了一个[已经生成的key](https://github.com/phusion/baseimage-docker/blob/master/image/services/sshd/keys/insecure_key) [(PuTTY format)](https://github.com/phusion/baseimage-docker/blob/master/image/services/sshd/keys/insecure_key.ppk),为了让你使用方便.然后,请注意这个key仅仅是为方便.他没有任何安全行,因为它的key是在网络上提供的.**在生产环境,你必须使用你自己的key.** @@ -461,7 +461,7 @@ Baseimage-docker提供了一个灵活的方式运行只要一闪而过的命令, 现在你有得了IP地址,你就看通过SSH来登录容器,或者在容器中执行命令了: # 下载key - curl -o insecure_key -fSL https://github.com/phusion/baseimage-docker/raw/master/image/insecure_key + curl -o insecure_key -fSL https://github.com/phusion/baseimage-docker/raw/master/image/services/sshd/keys/insecure_key chmod 600 insecure_key # 登录容器 diff --git a/README_zh_tw.md b/README_zh_tw.md index 2baf6d31a..1a8da2fae 100644 --- a/README_zh_tw.md +++ b/README_zh_tw.md 
@@ -438,7 +438,7 @@ Baseimage-docker提供了一個靈活的方式運行只要一閃而過的命令, * 缺點 * 需要設置ssh key.然而,baseimage-docker會提供一中辦法,會讓key的生成會很容器.閱讀更多信息. -第一件事情,就是你需要確定你在容器中已經安裝設置了ssh key. 默認,沒有任何安裝key的,所有你無法登錄.爲了方便的原因,我們提供了一個[已經生成的key](https://github.com/phusion/baseimage-docker/blob/master/image/insecure_key) [(PuTTY format)](https://github.com/phusion/baseimage-docker/blob/master/image/insecure_key.ppk),爲了讓你使用方便.然後,請注意這個key僅僅是爲方便.他沒有任何安全行,因爲它的key是在網絡上提供的.**在生產環境,你必須使用你自己的key.** +第一件事情,就是你需要確定你在容器中已經安裝設置了ssh key. 默認,沒有任何安裝key的,所有你無法登錄.爲了方便的原因,我們提供了一個[已經生成的key](https://github.com/phusion/baseimage-docker/blob/master/image/services/sshd/keys/insecure_key) [(PuTTY format)](https://github.com/phusion/baseimage-docker/blob/master/image/services/sshd/keys/insecure_key.ppk),爲了讓你使用方便.然後,請注意這個key僅僅是爲方便.他沒有任何安全行,因爲它的key是在網絡上提供的.**在生產環境,你必須使用你自己的key.** @@ -461,7 +461,7 @@ Baseimage-docker提供了一個靈活的方式運行只要一閃而過的命令, 現在你有得了IP地址,你就看通過SSH來登錄容器,或者在容器中執行命令了: # 下載key - curl -o insecure_key -fSL https://github.com/phusion/baseimage-docker/raw/master/image/insecure_key + curl -o insecure_key -fSL https://github.com/phusion/baseimage-docker/raw/master/image/services/sshd/keys/insecure_key chmod 600 insecure_key # 登錄容器 diff --git a/image/buildconfig b/image/buildconfig index 0085fd0e6..564c51006 100644 --- a/image/buildconfig +++ b/image/buildconfig @@ -1,3 +1,9 @@ export LC_ALL=C export DEBIAN_FRONTEND=noninteractive minimal_apt_get_install='apt-get install -y --no-install-recommends' + +# Default services +# Set 1 to the service you want to disable +export DISABLE_SYSLOG=${DISABLE_SYSLOG:-0} +export DISABLE_SSH=${DISABLE_SSH:-0} +export DISABLE_CRON=${DISABLE_CRON:-0} diff --git a/image/runit/cron b/image/services/cron/cron.runit similarity index 100% rename from image/runit/cron rename to image/services/cron/cron.runit diff --git a/image/services/cron/cron.sh b/image/services/cron/cron.sh new file mode 100755 index 000000000..7d884b9e2 --- /dev/null +++ b/image/services/cron/cron.sh 
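Review bot: The new `DISABLE_*` defaults are consumed with `[ "$VAR" -eq 0 ]` in system_services.sh, so a value such as `true` or `yes` makes `test` error out instead of disabling the service; the comment `# Set 1 to the service you want to disable` should state that only `0`/`1` are accepted. Because this file is only sourced by the build scripts (`source /bd_build/buildconfig`), the switches take effect when the base image itself is built, not when a downstream Dockerfile that `FROM`s the published image sets `ENV DISABLE_SSH 1` as the README hunk on this page suggests — presumably sshd is already installed in that image. A comment such as `# Build-time switches (0 or 1), read by system_services.sh when this image is built` would make the scope clear.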
@@ -0,0 +1,17 @@
+#!/bin/bash
+set -e
+source /bd_build/buildconfig
+set -x
+
+$minimal_apt_get_install cron
+mkdir /etc/service/cron
+chmod 600 /etc/crontab
+cp /bd_build/services/cron/cron.runit /etc/service/cron/run
+
+## Remove useless cron entries.
+# Checks for lost+found and scans for mtab.
+rm -f /etc/cron.daily/standard
+rm -f /etc/cron.daily/upstart
+rm -f /etc/cron.daily/dpkg
+rm -f /etc/cron.daily/password
+rm -f /etc/cron.weekly/fstrim
diff --git a/image/00_regen_ssh_host_keys.sh b/image/services/sshd/00_regen_ssh_host_keys.sh
similarity index 100%
rename from image/00_regen_ssh_host_keys.sh
rename to image/services/sshd/00_regen_ssh_host_keys.sh
diff --git a/image/bin/enable_insecure_key b/image/services/sshd/enable_insecure_key
similarity index 100%
rename from image/bin/enable_insecure_key
rename to image/services/sshd/enable_insecure_key
diff --git a/image/insecure_key b/image/services/sshd/keys/insecure_key
similarity index 100%
rename from image/insecure_key
rename to image/services/sshd/keys/insecure_key
diff --git a/image/insecure_key.ppk b/image/services/sshd/keys/insecure_key.ppk
similarity index 100%
rename from image/insecure_key.ppk
rename to image/services/sshd/keys/insecure_key.ppk
diff --git a/image/insecure_key.pub b/image/services/sshd/keys/insecure_key.pub
similarity index 100%
rename from image/insecure_key.pub
rename to image/services/sshd/keys/insecure_key.pub
diff --git a/image/runit/sshd b/image/services/sshd/sshd.runit
similarity index 100%
rename from image/runit/sshd
rename to image/services/sshd/sshd.runit
diff --git a/image/services/sshd/sshd.sh b/image/services/sshd/sshd.sh
new file mode 100755
index 000000000..8d26f87d6
--- /dev/null
+++ b/image/services/sshd/sshd.sh
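Review bot: cron.sh has no header and does not itself check `DISABLE_CRON`; the guard lives only in system_services.sh, so running this script on its own installs cron unconditionally. Adding `[ "${DISABLE_CRON:-0}" -eq 0 ] || exit 0` right after the `source /bd_build/buildconfig` line would keep the switch honoured regardless of caller. A one-line header such as `# Install cron under runit and drop the useless cron.daily/weekly jobs; run by system_services.sh when DISABLE_CRON=0.` would also tell a reader why the `rm -f /etc/cron.daily/*` lines are there.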
@@ -0,0 +1,25 @@
+#!/bin/bash
+set -e
+source /bd_build/buildconfig
+set -x
+
+SSHD_BUILD_PATH=/bd_build/services/sshd
+
+## Install the SSH server.
+$minimal_apt_get_install openssh-server
+mkdir /var/run/sshd
+mkdir /etc/service/sshd
+touch /etc/service/sshd/down
+cp $SSHD_BUILD_PATH/sshd.runit /etc/service/sshd/run
+cp $SSHD_BUILD_PATH/sshd_config /etc/ssh/sshd_config
+cp $SSHD_BUILD_PATH/00_regen_ssh_host_keys.sh /etc/my_init.d/
+
+## Install default SSH key for root and app.
+mkdir -p /root/.ssh
+chmod 700 /root/.ssh
+chown root:root /root/.ssh
+cp $SSHD_BUILD_PATH/keys/insecure_key.pub /etc/insecure_key.pub
+cp $SSHD_BUILD_PATH/keys/insecure_key /etc/insecure_key
+chmod 644 /etc/insecure_key*
+chown root:root /etc/insecure_key*
+cp $SSHD_BUILD_PATH/enable_insecure_key /usr/sbin/
diff --git a/image/config/sshd_config b/image/services/sshd/sshd_config
similarity index 100%
rename from image/config/sshd_config
rename to image/services/sshd/sshd_config
diff --git a/image/config/logrotate_syslogng b/image/services/syslog-ng/logrotate_syslogng
similarity index 100%
rename from image/config/logrotate_syslogng
rename to image/services/syslog-ng/logrotate_syslogng
diff --git a/image/runit/syslog-forwarder b/image/services/syslog-ng/syslog-forwarder.runit
similarity index 100%
rename from image/runit/syslog-forwarder
rename to image/services/syslog-ng/syslog-forwarder.runit
diff --git a/image/config/syslog-ng.conf b/image/services/syslog-ng/syslog-ng.conf
similarity index 100%
rename from image/config/syslog-ng.conf
rename to image/services/syslog-ng/syslog-ng.conf
diff --git a/image/runit/syslog-ng b/image/services/syslog-ng/syslog-ng.runit
similarity index 100%
rename from image/runit/syslog-ng
rename to image/services/syslog-ng/syslog-ng.runit
diff --git a/image/services/syslog-ng/syslog-ng.sh b/image/services/syslog-ng/syslog-ng.sh
new file mode 100755
index 000000000..f6557568f
--- /dev/null
+++ b/image/services/syslog-ng/syslog-ng.sh
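Review bot: The private half of the insecure key is copied to `/etc/insecure_key` and left world-readable by `chmod 644 /etc/insecure_key*`, so every image built with sshd ships a private key on disk; per the README this key is publicly known, so it is not a secret leak, but only `insecure_key.pub` should be needed to authorize it in `authorized_keys` (enable_insecure_key is not in view, so confirm it does not read the private file before dropping that `cp`). If the private copy stays, a comment such as `# Publicly known convenience key, not a secret; see README "About SSH keys"` above the two `cp` lines would stop the next reader from tightening the mode or treating it as a credential. `touch /etc/service/sshd/down` is what keeps sshd disabled by default and deserves a one-line comment saying so.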
@@ -0,0 +1,24 @@
+#!/bin/bash
+set -e
+source /bd_build/buildconfig
+set -x
+
+SYSLOG_NG_BUILD_PATH=/bd_build/services/syslog-ng
+
+## Install a syslog daemon.
+$minimal_apt_get_install syslog-ng-core
+mkdir /etc/service/syslog-ng
+cp $SYSLOG_NG_BUILD_PATH/syslog-ng.runit /etc/service/syslog-ng/run
+mkdir -p /var/lib/syslog-ng
+cp $SYSLOG_NG_BUILD_PATH/syslog_ng_default /etc/default/syslog-ng
+touch /var/log/syslog
+chmod u=rw,g=r,o= /var/log/syslog
+cp $SYSLOG_NG_BUILD_PATH/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
+
+## Install syslog to "docker logs" forwarder.
+mkdir /etc/service/syslog-forwarder
+cp $SYSLOG_NG_BUILD_PATH/syslog-forwarder.runit /etc/service/syslog-forwarder/run
+
+## Install logrotate.
+$minimal_apt_get_install logrotate
+cp $SYSLOG_NG_BUILD_PATH/logrotate_syslogng /etc/logrotate.d/syslog-ng
diff --git a/image/config/syslog_ng_default b/image/services/syslog-ng/syslog_ng_default
similarity index 100%
rename from image/config/syslog_ng_default
rename to image/services/syslog-ng/syslog_ng_default
diff --git a/image/system_services.sh b/image/system_services.sh
index e80253b6d..cdcab5bc9 100755
--- a/image/system_services.sh
+++ b/image/system_services.sh
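Review bot: This script installs the `docker logs` forwarder and logrotate together with syslog-ng, so `DISABLE_SYSLOG=1` removes all three and nothing in the image listens on `/dev/log` any more; whatever the remaining services write through syslog (sshd and cron presumably do) is then dropped silently instead of reaching `docker logs`. A header comment stating that trade-off, e.g. `# Installs syslog-ng, the syslog-to-docker-logs forwarder and logrotate; run by system_services.sh when DISABLE_SYSLOG=0. Disabling it leaves no /dev/log listener.`, would let users weigh it before switching the service off.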
@@ -19,54 +19,11 @@ ln -s /etc/container_environment.sh /etc/profile.d/ ## Install runit. $minimal_apt_get_install runit -## Install a syslog daemon. -$minimal_apt_get_install syslog-ng-core -mkdir /etc/service/syslog-ng -cp /bd_build/runit/syslog-ng /etc/service/syslog-ng/run -mkdir -p /var/lib/syslog-ng -cp /bd_build/config/syslog_ng_default /etc/default/syslog-ng -touch /var/log/syslog -chmod u=rw,g=r,o= /var/log/syslog -cp /bd_build/config/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf - -## Install syslog to "docker logs" forwarder. -mkdir /etc/service/syslog-forwarder -cp /bd_build/runit/syslog-forwarder /etc/service/syslog-forwarder/run - -## Install logrotate. -$minimal_apt_get_install logrotate -cp /bd_build/config/logrotate_syslogng /etc/logrotate.d/syslog-ng +## Install a syslog daemon and logrotate. +[ "$DISABLE_SYSLOG" -eq 0 ] && /bd_build/services/syslog-ng/syslog-ng.sh ## Install the SSH server. -$minimal_apt_get_install openssh-server -mkdir /var/run/sshd -mkdir /etc/service/sshd -touch /etc/service/sshd/down -cp /bd_build/runit/sshd /etc/service/sshd/run -cp /bd_build/config/sshd_config /etc/ssh/sshd_config -cp /bd_build/00_regen_ssh_host_keys.sh /etc/my_init.d/ - -## Install default SSH key for root and app. -mkdir -p /root/.ssh -chmod 700 /root/.ssh -chown root:root /root/.ssh -cp /bd_build/insecure_key.pub /etc/insecure_key.pub -cp /bd_build/insecure_key /etc/insecure_key -chmod 644 /etc/insecure_key* -chown root:root /etc/insecure_key* -cp /bd_build/bin/enable_insecure_key /usr/sbin/ +[ "$DISABLE_SSH" -eq 0 ] && /bd_build/services/sshd/sshd.sh ## Install cron daemon. -$minimal_apt_get_install cron -mkdir /etc/service/cron -chmod 600 /etc/crontab -cp /bd_build/runit/cron /etc/service/cron/run - -## Remove useless cron entries. -# Checks for lost+found and scans for mtab. 
-rm -f /etc/cron.daily/standard -rm -f /etc/cron.daily/upstart -rm -f /etc/cron.daily/dpkg -rm -f /etc/cron.daily/password -rm -f /etc/cron.weekly/fstrim - +[ "$DISABLE_CRON" -eq 0 ] && /bd_build/services/cron/cron.sh diff --git a/install-tools.sh b/install-tools.sh index 239d470be..2692d5031 100755 --- a/install-tools.sh +++ b/install-tools.sh @@ -8,5 +8,5 @@ cp tools/docker-bash /usr/local/bin/ cp tools/docker-ssh /usr/local/bin/ cp tools/baseimage-docker-nsenter /usr/local/bin/ mkdir -p /usr/local/share/baseimage-docker -cp image/insecure_key /usr/local/share/baseimage-docker/ +cp image/services/sshd/keys/insecure_key /usr/local/share/baseimage-docker/ chmod 644 /usr/local/share/baseimage-docker/insecure_key diff --git a/test/runner.sh b/test/runner.sh index e73ac9c3b..fd5691aa7 100755 --- a/test/runner.sh +++ b/test/runner.sh @@ -35,7 +35,7 @@ docker exec -t -i $ID sv start /etc/service/sshd sleep 1 echo " --> Logging into container and running tests" -cp image/insecure_key /tmp/insecure_key +cp image/services/sshd/keys/insecure_key /tmp/insecure_key chmod 600 /tmp/insecure_key sleep 1 # Give container some more time to start up. ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i /tmp/insecure_key root@$IP \ diff --git a/tools/docker-ssh b/tools/docker-ssh index 54769dd79..599a13249 100755 --- a/tools/docker-ssh +++ b/tools/docker-ssh @@ -40,8 +40,8 @@ if ! test -e ~/.baseimage_docker_insecure_key; then else dir=`dirname "$0"` dir=`cd "$dir/.." && pwd` - if test -e "$dir/image/insecure_key"; then - cp "$dir/image/insecure_key" ~/.baseimage_docker_insecure_key + if test -e "$dir/image/services/sshd/keys/insecure_key"; then + cp "$dir/image/services/sshd/keys/insecure_key" ~/.baseimage_docker_insecure_key else echo "*** ERROR ***: Baseimage-docker insecure key not found." >&2 echo "You probably didn't install docker-ssh properly. Please reinstall it:" >&2
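Review bot: The script's exit status is now that of its last command, `[ "$DISABLE_CRON" -eq 0 ] && /bd_build/services/cron/cron.sh`, so with `DISABLE_CRON=1` system_services.sh exits 1 and the build step that invokes it fails precisely when the user opts out; the two `&&` guards above it only avoid this because they are not last. Writing the three guards as `if [ "${DISABLE_SSH:-0}" -eq 0 ]; then /bd_build/services/sshd/sshd.sh; fi` (and likewise for `DISABLE_SYSLOG` and `DISABLE_CRON`) makes a disabled service neither fail the script nor depend on its position, and the `:-0` default keeps the test valid if buildconfig was not sourced. The script's header, where `set -e` and the `source` of buildconfig presumably live, is outside this hunk.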