Syncs up with heroku/stack-images

Dockerfile

@@ -1,60 +1,4 @@
 FROM ubuntu-debootstrap:14.04
-
-RUN echo 'deb http://archive.ubuntu.com/ubuntu trusty main' >/etc/apt/sources.list
-RUN echo 'deb http://archive.ubuntu.com/ubuntu trusty-security main' >>/etc/apt/sources.list
-RUN echo 'deb http://archive.ubuntu.com/ubuntu trusty-updates main' >>/etc/apt/sources.list
-RUN echo 'deb http://archive.ubuntu.com/ubuntu trusty universe' >>/etc/apt/sources.list
-
-RUN apt-get update
-
-RUN apt-get install -y --force-yes \
-    autoconf \
-    bind9-host \
-    bison \
-    build-essential \
-    coreutils \
-    curl \
-    daemontools \
-    dnsutils \
-    ed \
-    git \
-    imagemagick \
-    iputils-tracepath \
-    language-pack-en \
-    libbz2-dev \
-    libcurl4-openssl-dev \
-    libevent-dev \
-    libglib2.0-dev \
-    libjpeg-dev \
-    libmagickwand-dev \
-    libmysqlclient-dev \
-    libncurses5-dev \
-    libpq-dev \
-    libpq5 \
-    libreadline6-dev \
-    libssl-dev \
-    libxml2-dev \
-    libxslt-dev \
-    netcat-openbsd \
-    openjdk-7-jdk \
-    openjdk-7-jre-headless \
-    openssh-client \
-    openssh-server \
-    postgresql-server-dev-9.3 \
-    python \
-    python-dev \
-    ruby \
-    ruby-dev \
-    socat \
-    syslinux \
-    tar \
-    telnet \
-    zip \
-    zlib1g-dev \
-    -
-
-RUN apt-cache search language-pack \
-    | cut -d ' ' -f 1 \
-    | grep -v '^language\-pack\-\(gnome\|kde\)\-' \
-    | grep -v '\-base$' \
-    | xargs apt-get install -y --force-yes --no-install-recommends
+COPY ./provisioner.sh /tmp/provisioner.sh
+RUN LC_ALL=C DEBIAN_FRONTEND=noninteractive /tmp/provisioner.sh \
+  && rm -rf /var/lib/apt/lists/*

provisioner.sh

@@ -0,0 +1,113 @@
+#!/bin/bash
+
+exec 2>&1
+set -e
+set -x
+
+cat > /etc/apt/sources.list <<EOF
+deb http://archive.ubuntu.com/ubuntu trusty main
+deb http://archive.ubuntu.com/ubuntu trusty-security main
+deb http://archive.ubuntu.com/ubuntu trusty-updates main
+deb http://archive.ubuntu.com/ubuntu trusty universe
+EOF
+
+cat > /etc/dpkg/dpkg.cfg.d/excludes <<EOF
+path-exclude=/usr/share/man/*
+EOF
+
+apt-get update
+apt-get upgrade -y --force-yes
+apt-get install -y --force-yes \
+    autoconf \
+    bind9-host \
+    bison \
+    build-essential \
+    coreutils \
+    curl \
+    daemontools \
+    dnsutils \
+    ed \
+    git \
+    imagemagick \
+    iputils-tracepath \
+    language-pack-en \
+    libbz2-dev \
+    libcurl4-openssl-dev \
+    libevent-dev \
+    libglib2.0-dev \
+    libjpeg-dev \
+    libmagickwand-dev \
+    libmysqlclient-dev \
+    libncurses5-dev \
+    libpq-dev \
+    libpq5 \
+    libreadline6-dev \
+    libssl-dev \
+    libxml2-dev \
+    libxslt-dev \
+    netcat-openbsd \
+    openjdk-7-jdk \
+    openjdk-7-jre-headless \
+    openssh-client \
+    openssh-server \
+    postgresql-client-9.3 \
+    postgresql-server-dev-9.3 \
+    python \
+    python-dev \
+    ruby \
+    ruby-dev \
+    socat \
+    stunnel \
+    syslinux \
+    tar \
+    telnet \
+    zip \
+    zlib1g-dev \
+    #
+
+# locales
+apt-cache search language-pack \
+    | cut -d ' ' -f 1 \
+    | grep -v '^language\-pack\-\(gnome\|kde\)\-' \
+    | grep -v '\-base$' \
+    | xargs apt-get install -y --force-yes --no-install-recommends
+
+cd /
+rm -rf /var/cache/apt/archives/*.deb
+rm -rf /root/*
+rm -rf /tmp/*
+rm -rf /var/log/*
+
+echo "127.0.0.1 localhost localhost.localdomain" > /etc/hosts
+
+# remove SUID and SGID flags from all binaries
+function pruned_find() {
+  find / -type d \( -name dev -o -name proc \) -prune -o $@ -print
+}
+
+pruned_find -perm /u+s | xargs -r chmod u-s
+pruned_find -perm /g+s | xargs -r chmod g-s
+
+# remove non-root ownership of files
+chown root:root /var/lib/libuuid
+
+# display build summary
+set +x
+echo -e "\nRemaining suspicious security bits:"
+(
+  pruned_find ! -user root
+  pruned_find -perm /u+s
+  pruned_find -perm /g+s
+  pruned_find -perm /+t
+) | sed -u "s/^/  /"
+
+echo -e "\nInstalled versions:"
+(
+  git --version
+  ruby -v
+  gem -v
+  python -V
+) | sed -u "s/^/  /"
+
+echo -e "\nSuccess!"
+exit 0