Merge pull request #748 from jdeathe/centos-7-develop

Release changes for 2.5.1

Author: jdeathe

.dockerignore

@@ -1,7 +1,10 @@
+.env
+.env.example
 .git
 .gitignore
 dist
 test
+docker-compose.yml
 LICENSE
 README-short.txt
 *.md

.env.example

@@ -0,0 +1,16 @@
+SSH_AUTHORIZED_KEYS=
+SSH_AUTOSTART_SSHD=true
+SSH_AUTOSTART_SSHD_BOOTSTRAP=true
+SSH_CHROOT_DIRECTORY=%h
+SSH_INHERIT_ENVIRONMENT=false
+SSH_PASSWORD_AUTHENTICATION=false
+SSH_SUDO=ALL=(ALL) ALL
+SSH_TIMEZONE=UTC
+SSH_USER=app-admin
+SSH_USER_FORCE_SFTP=false
+SSH_USER_HOME=/home/%u
+SSH_USER_ID=500:500
+SSH_USER_PASSWORD=
+SSH_USER_PASSWORD_HASHED=false
+SSH_USER_PRIVATE_KEY=
+SSH_USER_SHELL=/bin/bash

.gitignore

@@ -1,2 +1,3 @@
+.env
 packages
 dist

CHANGELOG.md

@@ -4,6 +4,24 @@
 
 Summary of release changes for Version 2 - CentOS-7
 
+### 2.5.1 - 2019-02-28
+
+- Deprecates use of `supervisor_stdout` - the default value of `SSH_AUTOSTART_SUPERVISOR_STDOUT` will be switched to "false" in a future release.
+- Updates Dockerfile with combined ADD to reduce layer count in final image.
+- Fixes `scmi` installation error when using the `--manager=systemd` option on Ubuntu hosts.
+- Fixes issues with failure to install/uninstall systemd units installed with scmi.
+- Adds improvement to pull logic in systemd unit install template.
+- Adds `docker-compose.yml` to `.dockerignore` to reduce size of build context.
+- Adds docker-compose configuration example.
+- Adds `SSH_AUTOSTART_SUPERVISOR_STDOUT` to control startup of `supervisor_stdout`.
+- Adds drop-in configuration for `supervisor_stdout` in `/etc/supervisord.d/00-supervisor_stdout.conf`.
+- Adds improved `healtchcheck`, `sshd-bootstrap` and `sshd-wrapper` scripts.
+- Adds validation of `SSH_INHERIT_ENVIRONMENT` values.
+- Removes reference to `python-setuptools` from README as it's no longer installed.
+- Removes requirement of `supervisor_stdout` for output of supervisord logs to stdout.
+- Removes unnecessary configuration file `/etc/sshd-bootstrap.conf`.
+- Removes unnecessary environment file `/etc/sshd-bootstrap.env`.
+
 ### 2.5.0 - 2019-01-28
 
 - Updates `openssl` package to 1.0.2k-16.el7.

Dockerfile

@@ -1,14 +1,14 @@
 FROM centos:7.5.1804
 
-ARG RELEASE_VERSION="2.5.0"
+ARG RELEASE_VERSION="2.5.1"
 
-# -----------------------------------------------------------------------------
+# ------------------------------------------------------------------------------
 # - Import the RPM GPG keys for repositories
 # - Base install of required packages
 # - Install supervisord (used to run more than a single process)
 # - Install supervisor-stdout to allow output of services started by
 #  supervisord to be easily inspected with "docker logs".
-# -----------------------------------------------------------------------------
+# ------------------------------------------------------------------------------
 RUN rpm --rebuilddb \
 	&& rpm --import \
 		http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-7 \
@@ -48,27 +48,20 @@ RUN rpm --rebuilddb \
 	&& rm -rf /{root,tmp,var/cache/{ldconfig,yum}}/* \
 	&& > /etc/sysconfig/i18n
 
-# -----------------------------------------------------------------------------
+# ------------------------------------------------------------------------------
 # Copy files into place
-# -----------------------------------------------------------------------------
-ADD src/usr/bin \
-	/usr/bin/
-ADD src/usr/sbin \
-	/usr/sbin/
-ADD src/opt/scmi \
-	/opt/scmi/
-ADD src/etc \
-	/etc/
+# ------------------------------------------------------------------------------
+ADD src /
 
-# -----------------------------------------------------------------------------
+# ------------------------------------------------------------------------------
 # Provisioning
 # - UTC Timezone
 # - Networking
 # - Configure SSH defaults for non-root public key authentication
 # - Enable the wheel sudoers group
 # - Replace placeholders with values in systemd service unit template
 # - Set permissions
-# -----------------------------------------------------------------------------
+# ------------------------------------------------------------------------------
 RUN ln -sf \
 		/usr/share/zoneinfo/UTC \
 		/etc/localtime \
@@ -88,18 +81,20 @@ RUN ln -sf \
 		-e "s~{{RELEASE_VERSION}}~${RELEASE_VERSION}~g" \
 		/etc/systemd/system/centos-ssh@.service \
 	&& chmod 644 \
-		/etc/{sshd-bootstrap.{conf,env},supervisord.conf,supervisord.d/sshd-{bootstrap,wrapper}.conf} \
+		/etc/{supervisord.conf,supervisord.d/sshd-{bootstrap,wrapper}.conf} \
 	&& chmod 700 \
 		/usr/{bin/healthcheck,sbin/{scmi,sshd-{bootstrap,wrapper}}}
 
 EXPOSE 22
 
-# -----------------------------------------------------------------------------
+# ------------------------------------------------------------------------------
 # Set default environment variables
-# -----------------------------------------------------------------------------
-ENV SSH_AUTHORIZED_KEYS="" \
+# ------------------------------------------------------------------------------
+ENV \
+	SSH_AUTHORIZED_KEYS="" \
 	SSH_AUTOSTART_SSHD="true" \
 	SSH_AUTOSTART_SSHD_BOOTSTRAP="true" \
+	SSH_AUTOSTART_SUPERVISOR_STDOUT="true" \
 	SSH_CHROOT_DIRECTORY="%h" \
 	SSH_INHERIT_ENVIRONMENT="false" \
 	SSH_PASSWORD_AUTHENTICATION="false" \
@@ -114,9 +109,9 @@ ENV SSH_AUTHORIZED_KEYS="" \
 	SSH_USER_PRIVATE_KEY="" \
 	SSH_USER_SHELL="/bin/bash"
 
-# -----------------------------------------------------------------------------
+# ------------------------------------------------------------------------------
 # Set image metadata
-# -----------------------------------------------------------------------------
+# ------------------------------------------------------------------------------
 LABEL \
 	maintainer="James Deathe <james.deathe@gmail.com>" \
 	install="docker run \
@@ -153,4 +148,4 @@ HEALTHCHECK \
 	--retries=5 \
 	CMD ["/usr/bin/healthcheck"]
 
-CMD ["/usr/bin/supervisord", "--configuration=/etc/supervisord.conf"]
+CMD ["/usr/bin/supervisord", "--configuration=/etc/supervisord.conf"]

README.md

@@ -7,18 +7,18 @@ Includes public key authentication, Automated password generation and supports c
 
 ## Overview & links
 
-The latest CentOS-6 / CentOS-7 based releases can be pulled from the `centos-6` / `centos-7` Docker tags respectively. For production use it is recommended to select a specific release tag - the convention is `centos-6-1.10.0` OR `1.10.0` for the [1.10.0](https://github.com/jdeathe/centos-ssh/tree/1.10.0) release tag and `centos-7-2.5.0` OR `2.5.0` for the [2.5.0](https://github.com/jdeathe/centos-ssh/tree/2.5.0) release tag.
+The latest CentOS-6 / CentOS-7 based releases can be pulled from the `centos-6` / `centos-7` Docker tags respectively. For production use it is recommended to select a specific release tag - the convention is `centos-6-1.10.1` OR `1.10.1` for the [1.10.1](https://github.com/jdeathe/centos-ssh/tree/1.10.1) release tag and `centos-7-2.5.1` OR `2.5.1` for the [2.5.1](https://github.com/jdeathe/centos-ssh/tree/2.5.1) release tag.
 
 ### Tags and respective `Dockerfile` links
 
-- `centos-7`,`centos-7-2.5.0`,`2.5.0` [(centos-7/Dockerfile)](https://github.com/jdeathe/centos-ssh/blob/centos-7/Dockerfile)
-- `centos-6`,`centos-6-1.10.0`,`1.10.0` [(centos-6/Dockerfile)](https://github.com/jdeathe/centos-ssh/blob/centos-6/Dockerfile)
+- `centos-7`,`centos-7-2.5.1`,`2.5.1` [(centos-7/Dockerfile)](https://github.com/jdeathe/centos-ssh/blob/centos-7/Dockerfile)
+- `centos-6`,`centos-6-1.10.1`,`1.10.1` [(centos-6/Dockerfile)](https://github.com/jdeathe/centos-ssh/blob/centos-6/Dockerfile)
 
 The Dockerfile can be used to build a base image that is the bases for several other docker images.
 
-Included in the build are the [SCL](https://www.softwarecollections.org/), [EPEL](http://fedoraproject.org/wiki/EPEL) and [IUS](https://ius.io) repositories. Installed packages include [OpenSSH](http://www.openssh.com/portable.html) secure shell, [Sudo](http://www.courtesan.com/sudo/) and [vim-minimal](http://www.vim.org/) are along with python-setuptools, [supervisor](http://supervisord.org/) and [supervisor-stdout](https://github.com/coderanger/supervisor-stdout).
+Included in the build are the [SCL](https://www.softwarecollections.org/), [EPEL](http://fedoraproject.org/wiki/EPEL) and [IUS](https://ius.io) repositories. Installed packages include [OpenSSH](http://www.openssh.com/portable.html) secure shell, [Sudo](http://www.courtesan.com/sudo/) and [vim-minimal](http://www.vim.org/) are along with [supervisor](http://supervisord.org/) and [supervisor-stdout](https://github.com/coderanger/supervisor-stdout).
 
-[Supervisor](http://supervisord.org/) is used to start and the sshd daemon when a docker container based on this image is run. To enable simple viewing of stdout for the sshd subprocess, supervisor-stdout is included. This allows you to see output from the supervisord controlled subprocesses with `docker logs {container-name}`.
+[Supervisor](http://supervisord.org/) is used to start and the sshd daemon when a docker container based on this image is run.
 
 SSH access is by public key authentication and, by default, the [Vagrant](http://www.vagrantup.com/) [insecure private key](https://github.com/mitchellh/vagrant/blob/master/keys/vagrant) is required.
 
@@ -42,7 +42,7 @@ Run up an SSH container named 'ssh.1' from the docker image 'jdeathe/centos-ssh'
 $ docker run -d \
   --name ssh.1 \
   -p 2020:22 \
-  jdeathe/centos-ssh:2.5.0
+  jdeathe/centos-ssh:2.5.1
 ```
 
 Check the logs for the password (required for sudo).
@@ -76,7 +76,7 @@ $ docker run -d \
   --name sftp.1 \
   -p 2021:22 \
   -e SSH_USER_FORCE_SFTP=true \
-  jdeathe/centos-ssh:2.5.0
+  jdeathe/centos-ssh:2.5.1
 ```
 
 Connect using the `sftp` command line client with the [insecure private key](https://github.com/mitchellh/vagrant/blob/master/keys/vagrant).
@@ -106,10 +106,10 @@ $ docker run \
   --rm \
   --privileged \
   --volume /:/media/root \
-  jdeathe/centos-ssh:2.5.0 \
+  jdeathe/centos-ssh:2.5.1 \
   /usr/sbin/scmi install \
     --chroot=/media/root \
-    --tag=2.5.0 \
+    --tag=2.5.1 \
     --name=ssh.1 \
     --setopt="--volume {{NAME}}.config-ssh:/etc/ssh"
 ```
@@ -123,10 +123,10 @@ $ docker run \
   --rm \
   --privileged \
   --volume /:/media/root \
-  jdeathe/centos-ssh:2.5.0 \
+  jdeathe/centos-ssh:2.5.1 \
   /usr/sbin/scmi uninstall \
     --chroot=/media/root \
-    --tag=2.5.0 \
+    --tag=2.5.1 \
     --name=ssh.1 \
     --setopt="--volume {{NAME}}.config-ssh:/etc/ssh"
 ```
@@ -140,10 +140,10 @@ $ docker run \
   --rm \
   --privileged \
   --volume /:/media/root \
-  jdeathe/centos-ssh:2.5.0 \
+  jdeathe/centos-ssh:2.5.1 \
   /usr/sbin/scmi install \
     --chroot=/media/root \
-    --tag=2.5.0 \
+    --tag=2.5.1 \
     --name=ssh.1 \
     --manager=systemd \
     --register \
@@ -159,7 +159,7 @@ Since release tags `1.7.2` / `2.1.2` the install template has been added to the
 _NOTE:_ A prerequisite of the following examples is that the image has been pulled (or loaded from the release package).
 
 ```
-$ docker pull jdeathe/centos-ssh:2.5.0
+$ docker pull jdeathe/centos-ssh:2.5.1
 ```
 
 To see detailed information about the image run `scmi` with the `--info` option. To see all available `scmi` options run with the `--help` option.
@@ -168,7 +168,7 @@ To see detailed information about the image run `scmi` with the `--info` option.
 $ eval "sudo -E $(
     docker inspect \
     -f "{{.ContainerConfig.Labels.install}}" \
-    jdeathe/centos-ssh:2.5.0
+    jdeathe/centos-ssh:2.5.1
   ) --info"
 ```
 
@@ -178,7 +178,7 @@ To perform an installation using the docker name `ssh.2` simply use the `--name`
 $ eval "sudo -E $(
     docker inspect \
     -f "{{.ContainerConfig.Labels.install}}" \
-    jdeathe/centos-ssh:2.5.0
+    jdeathe/centos-ssh:2.5.1
   ) --name=ssh.2"
 ```
 
@@ -188,7 +188,7 @@ To uninstall use the *same command* that was used to install but with the `unins
 $ eval "sudo -E $(
     docker inspect \
     -f "{{.ContainerConfig.Labels.uninstall}}" \
-    jdeathe/centos-ssh:2.5.0
+    jdeathe/centos-ssh:2.5.1
   ) --name=ssh.2"
 ```
 
@@ -201,7 +201,7 @@ To see detailed information about the image run `scmi` with the `--info` option.
 ```
 $ sudo -E atomic install \
   -n ssh.3 \
-  jdeathe/centos-ssh:2.5.0 \
+  jdeathe/centos-ssh:2.5.1 \
   --info
 ```
 
@@ -210,14 +210,14 @@ To perform an installation using the docker name `ssh.3` simply use the `-n` opt
 ```
 $ sudo -E atomic install \
   -n ssh.3 \
-  jdeathe/centos-ssh:2.5.0
+  jdeathe/centos-ssh:2.5.1
 ```
 
 Alternatively, you could use the `scmi` options `--name` or `-n` for naming the container.
 
 ```
 $ sudo -E atomic install \
-  jdeathe/centos-ssh:2.5.0 \
+  jdeathe/centos-ssh:2.5.1 \
   --name ssh.3
 ```
 
@@ -226,7 +226,7 @@ To uninstall use the *same command* that was used to install but with the `unins
 ```
 $ sudo -E atomic uninstall \
   -n ssh.3 \
-  jdeathe/centos-ssh:2.5.0
+  jdeathe/centos-ssh:2.5.1
 ```
 
 #### Using environment variables
@@ -242,7 +242,7 @@ $ docker stop ssh.1 \
   --name ssh.1 \
   -p :22 \
   --env "SSH_USER=centos" \
-  jdeathe/centos-ssh:2.5.0
+  jdeathe/centos-ssh:2.5.1
 ```
 
 To identify the `SSH_USER` user's sudoer password, inspect the container's logs as follows:
@@ -265,8 +265,7 @@ The output of the logs will show the auto-generated password for the user specif
 2019-01-17 18:56:10,089 INFO success: supervisor_stdout entered RUNNING state, process has stayed up for > than 0 seconds (startsecs)
 2019-01-17 18:56:10,089 INFO success: sshd-bootstrap entered RUNNING state, process has stayed up for > than 0 seconds (startsecs)
 2019-01-17 18:56:10,089 INFO success: sshd-wrapper entered RUNNING state, process has stayed up for > than 0 seconds (startsecs)
-sshd-bootstrap stdout | Initialising SSH.
-sshd-bootstrap stdout |
+
 ================================================================================
 SSH Details
 --------------------------------------------------------------------------------
@@ -335,6 +334,10 @@ It may be desirable to prevent the startup of the sshd daemon and/or sshd-bootst
 ...
 ```
 
+##### SSH_AUTOSTART_SUPERVISOR_STDOUT
+
+This image has `supervisor_stdout` installed which can be used to allow a process controlled by supervisord to send output to both a log file and stdout. It is recommended to simply output to stdout in order to reduce the number of running processes to a minimum. Setting `SSH_AUTOSTART_SUPERVISOR_STDOUT` to "false" will prevent the startup of `supervisor_stdout`. Where an image requires this feature for its logging output `SSH_AUTOSTART_SUPERVISOR_STDOUT` should be set to "true".
+
 ##### SSH_CHROOT_DIRECTORY
 
 This option is only applicable when `SSH_USER_FORCE_SFTP` is set to `true`. When using the SFTP option the user is jailed into the ChrootDirectory. The value can contain the placeholders `%h` and `%u` which will be replaced with the values of `SSH_USER_HOME` and `SSH_USER` respectively. The default value of `%h` is the best choice in most cases but the user requires a sub-directory in their HOME directory which they have write access to. If no volume is mounted into the path of the SSH user's HOME directory then a directory named `_data` is created automatically. If you need the user to be able to write to their HOME directory then use an alternative value such as `/chroot/%u` so that the user's HOME path, (relative to the ChrootDirectory), becomes `/chroot/app-admin/home/app-admin` by default.

default.mk

@@ -44,6 +44,7 @@ define DOCKER_CONTAINER_PARAMETERS
 --env "SSH_AUTHORIZED_KEYS=$(SSH_AUTHORIZED_KEYS)" \
 --env "SSH_AUTOSTART_SSHD=$(SSH_AUTOSTART_SSHD)" \
 --env "SSH_AUTOSTART_SSHD_BOOTSTRAP=$(SSH_AUTOSTART_SSHD_BOOTSTRAP)" \
+--env "SSH_AUTOSTART_SUPERVISOR_STDOUT=$(SSH_AUTOSTART_SUPERVISOR_STDOUT)" \
 --env "SSH_CHROOT_DIRECTORY=$(SSH_CHROOT_DIRECTORY)" \
 --env "SSH_INHERIT_ENVIRONMENT=$(SSH_INHERIT_ENVIRONMENT)" \
 --env "SSH_PASSWORD_AUTHENTICATION=$(SSH_PASSWORD_AUTHENTICATION)" \