From 039a6d79e65d144e930b55b0cb143c3b4fcd7146 Mon Sep 17 00:00:00 2001
From: William Budington
Date: Fri, 20 Mar 2015 20:29:26 +0000
Subject: [PATCH 01/22] Adding a Dockerfile for standalone setup

---
 Dockerfile | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 Dockerfile

diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 000000000..02c07f40a
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,15 @@
+FROM ubuntu:trusty
+
+EXPOSE 443
+
+RUN apt-get update && apt-get -y install python python-setuptools python-virtualenv python-dev \
+ gcc swig dialog libaugeas0 libssl-dev libffi-dev ca-certificates git && \
+ apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+RUN cd /opt && git clone https://github.com/letsencrypt/lets-encrypt-preview.git
+WORKDIR /opt/lets-encrypt-preview
+RUN \
+ virtualenv --no-site-packages -p python2 venv && \
+ ./venv/bin/python setup.py install
+
+ENTRYPOINT [ "./venv/bin/letsencrypt", "--text" ]

From 028179de257441dd294c67bcf20a33dd890bba01 Mon Sep 17 00:00:00 2001
From: William Budington
Date: Fri, 20 Mar 2015 23:02:43 +0000
Subject: [PATCH 02/22] Adding docker-compose file for runtime configuration

---
 docker-compose.yml | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 docker-compose.yml

diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 000000000..a3c950257
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,4 @@
+letsencrypt:
+ build: .
+ ports:
+ - "443:443"

From 95090974e9982bfa16f12f8fed76902674d6c774 Mon Sep 17 00:00:00 2001
From: William Budington
Date: Sat, 21 Mar 2015 01:03:14 +0000
Subject: [PATCH 03/22] When running standalone client with docker, do not check container cert output dir for permissions

---
 Dockerfile | 1 +
 letsencrypt/client/client.py | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 02c07f40a..b11baa12c 100644
--- a/Dockerfile
+++ b/Dockerfile
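Review bot: The `RUN cd /opt && git clone https://github.com/letsencrypt/lets-encrypt-preview.git` line builds from whatever the repository's default branch points at when the image is built, so two builds of the same Dockerfile can contain different client code and nothing in the image records which revision was packaged. Check out a fixed revision after cloning, e.g. `git clone … && cd lets-encrypt-preview && git checkout <PINNED_REV>` (placeholder for a tag or commit), or build from an already checked-out tree instead of re-cloning inside the build. The Dockerfile also has no `USER` instruction, so the client runs as root; binding port 443 may require that, but a one-line comment stating so would make the choice deliberate rather than accidental.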
@@ -12,4 +12,5 @@ RUN \ virtualenv --no-site-packages -p python2 venv && \ ./venv/bin/python setup.py install +ENV DOCKER_RUN True ENTRYPOINT [ "./venv/bin/letsencrypt", "--text" ] diff --git a/letsencrypt/client/client.py b/letsencrypt/client/client.py index d415403f3..3a4388076 100644 --- a/letsencrypt/client/client.py +++ b/letsencrypt/client/client.py @@ -336,7 +336,8 @@ def init_csr(privkey, names, cert_dir): csr_pem, csr_der = crypto_util.make_csr(privkey.pem, names) # Save CSR - le_util.make_or_verify_dir(cert_dir, 0o755) + if not os.environ.get('DOCKER_RUN'): + le_util.make_or_verify_dir(cert_dir, 0o755) csr_f, csr_filename = le_util.unique_file( os.path.join(cert_dir, "csr-letsencrypt.pem"), 0o644) csr_f.write(csr_pem) From 147f198d7cc35d1d6773017d19876c8926bc2dcb Mon Sep 17 00:00:00 2001 From: William Budington Date: Sat, 21 Mar 2015 02:01:40 +0000 Subject: [PATCH 04/22] Adding a cert path for certs generated in docker --- certs/.gitignore | 2 ++ docker-compose.yml | 2 ++ 2 files changed, 4 insertions(+) create mode 100644 certs/.gitignore diff --git a/certs/.gitignore b/certs/.gitignore new file mode 100644 index 000000000..d6b7ef32c --- /dev/null +++ b/certs/.gitignore @@ -0,0 +1,2 @@ +* +!.gitignore diff --git a/docker-compose.yml b/docker-compose.yml index a3c950257..8cac124c9 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -2,3 +2,5 @@ letsencrypt: build: . ports: - "443:443" + volumes: + - ./certs/:/etc/letsencrypt/certs/ From 55494fd9cfa5ea347ca3468a533160a7e1ee8ca4 Mon Sep 17 00:00:00 2001 From: William Budington Date: Sat, 21 Mar 2015 02:43:15 +0000 Subject: [PATCH 05/22] Updating docs for docker usage --- docs/using.rst | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/docs/using.rst b/docs/using.rst index 9b09833e4..5f49f844e 100644 --- a/docs/using.rst +++ b/docs/using.rst 
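Review bot: The guard `if not os.environ.get('DOCKER_RUN'):` in init_csr skips make_or_verify_dir for any non-empty value of the variable (`DOCKER_RUN=0` or `False` included) and for any process that merely inherits it from its environment, not only the container, so the cert directory permission check described in the commit title can be switched off from outside the program without any visible sign. The Dockerfile hunk in the same commit sets `ENV DOCKER_RUN True`, so at minimum compare against that literal, `if os.environ.get('DOCKER_RUN') != 'True':`, rather than testing truthiness. Skipping the whole call also skips directory creation, so if cert_dir does not exist in the container the following unique_file call fails on the missing directory instead of at the earlier, clearer point; keeping the call and relaxing only the permission verification, or passing an explicit CLI option instead of reading a global environment variable, would avoid both problems. init_csr's body continues outside the hunk.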
@@ -37,6 +37,16 @@ Mac OSX sudo brew install augeas swig +Quick Usage +=========== +Using docker you can quickly get yourself a testing cert. From the server that the domain your requesting a cert for resolves to, download docker 1.5, and issue the following command: + +:: + + docker run -it --rm -p 443:443 -v $PWD/certs/:/etc/letsencrypt/certs/ letsencrypt/lets-encrypt-preview + +And follow the instructions. Your new cert will be available in `certs/` + Installation ============ From 64a00d37bb6653f885b0b68d7c9bce9f0a3e4fef Mon Sep 17 00:00:00 2001 From: Jakub Warmuz Date: Tue, 5 May 2015 08:26:23 +0000 Subject: [PATCH 06/22] Update docker setup. Changes: - uses debian:jessie as base image (more lightweight) - .dockerignore .git/.tox to speed up build process considerably - more caching-aware Dockerfile - copy current directory instead of git cloning the repo inside the container - /etc/letsencrypt and /var/lib/letsencrypt volumes; no need for "if os.environ.get" hack bootstrap script for debian had to be adjusted, as lsb_release is not present in debian:jessie image. --- .dockerignore | 9 ++++++ Dockerfile | 61 ++++++++++++++++++++++++++++++++-------- bootstrap/_deb_common.sh | 26 ++++++++++++----- certs/.gitignore | 2 -- docker-compose.yml | 3 +- docs/using.rst | 15 +++++++--- 6 files changed, 91 insertions(+), 25 deletions(-) create mode 100644 .dockerignore delete mode 100644 certs/.gitignore diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 000000000..b1a1a48bf --- /dev/null +++ b/.dockerignore @@ -0,0 +1,9 @@ +# this file uses slightly different syntax that .gitignore, +# e.g. ".tox/" will not ignore .tox directory + +# well, official docker build should be done on clean git checkout +# anyway, so .tox should be empty... But I'm sure people will try to +# test docker on their git working directories. + +.git +.tox \ No newline at end of file diff --git a/Dockerfile b/Dockerfile index b11baa12c..496c3c609 100644 --- a/Dockerfile 
+++ b/Dockerfile 
@@ -1,16 +1,55 @@ -FROM ubuntu:trusty +FROM buildpack-deps:jessie +MAINTAINER Jakub Warmuz +# You neccesarily have to bind to 443@host as well! (ACME spec) EXPOSE 443 -RUN apt-get update && apt-get -y install python python-setuptools python-virtualenv python-dev \ - gcc swig dialog libaugeas0 libssl-dev libffi-dev ca-certificates git && \ - apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* +# TODO: make sure --config-dir and --work-dir cannot be changed +# through the CLI (letsencrypt-docker wrapper that uses standalone +# authenticator and text mode only?) +VOLUME /etc/letsencrypt /var/lib/letsencrypt -RUN cd /opt && git clone https://github.com/letsencrypt/lets-encrypt-preview.git -WORKDIR /opt/lets-encrypt-preview -RUN \ - virtualenv --no-site-packages -p python2 venv && \ - ./venv/bin/python setup.py install +WORKDIR /opt/letsencrypt -ENV DOCKER_RUN True -ENTRYPOINT [ "./venv/bin/letsencrypt", "--text" ] +# no need to mkdir anything: +# https://docs.docker.com/reference/builder/#copy +# If doesn't exist, it is created along with all missing +# directories in its path. + +# The following copies too much than we need... +#COPY . /opt/letsencrypt/ + +COPY bootstrap/debian.sh /opt/letsencrypt/src/ +RUN /opt/letsencrypt/src/debian.sh newer && \ + apt-get clean && \ + rm -rf /var/lib/apt/lists/* \ + /tmp/* \ + /var/tmp/* + +# the above is not likely to change, so by putting it further up the +# Dockerfile we make sure we cache as much as possible + + +COPY setup.py README.rst CHANGES.rst MANIFEST.in /opt/letsencrypt/src/ + +# all above files are necessary for setup.py, however, package source +# code directory has to be copied separately to a subdirectory... +# https://docs.docker.com/reference/builder/#copy: "If is a +# directory, the entire contents of the directory are copied, +# including filesystem metadata. Note: The directory itself is not +# copied, just its contents." 
Order again matters, three files are far +# more likely to be cached than the whole project directory + +COPY letsencrypt /opt/letsencrypt/src/letsencrypt/ + + +RUN virtualenv --no-site-packages -p python2 /opt/letsencrypt && \ + /opt/letsencrypt/bin/pip install -e /opt/letsencrypt/src + +# install in editable mode (-e) to save space: it's not possible to +# "rm -rf /opt/letsencrypt/src" (it's stays in the underlaying image); +# this might also help in debugging: you can "docker run --entrypoint +# bash" and investigate, apply patches, etc. + +# TODO: is --text really necessary? +ENTRYPOINT [ "/opt/letsencrypt/bin/letsencrypt", "--text" ] diff --git a/bootstrap/_deb_common.sh b/bootstrap/_deb_common.sh index b09130d77..07222e74d 100755 --- a/bootstrap/_deb_common.sh +++ b/bootstrap/_deb_common.sh @@ -10,21 +10,33 @@ # - 7.8 "wheezy" (x64) # - 8.0 "jessie" (x64) + # virtualenv binary can be found in different packages depending on # distro version (#346) -distro=$(lsb_release -si) -# 6.0.10 => 60, 14.04 => 1404 -version=$(lsb_release -sr | awk -F '.' '{print $1 $2}') -if [ "$distro" = "Ubuntu" -a "$version" -ge 1410 ] -then - virtualenv="virtualenv" -elif [ "$distro" = "Debian" -a "$version" -ge 80 ] +newer () { + distro=$(lsb_release -si) + # 6.0.10 => 60, 14.04 => 1404 + # TODO: in sid version==unstable + version=$(lsb_release -sr | awk -F '.' '{print $1 $2}') + if [ "$distro" = "Ubuntu" -a "$version" -ge 1410 ] + then + return 0; + elif [ "$distro" = "Debian" -a "$version" -ge 80 ] + then + return 0; + else + return 1; + fi +} + +if [ "$1" = "newer" ] || newer then virtualenv="virtualenv" else virtualenv="python-virtualenv" fi + # dpkg-dev: dpkg-architecture binary necessary to compile M2Crypto, c.f. # #276, https://github.com/martinpaljak/M2Crypto/issues/62, # M2Crypto setup.py:add_multiarch_paths diff --git a/certs/.gitignore b/certs/.gitignore deleted file mode 100644 index d6b7ef32c..000000000 --- a/certs/.gitignore +++ /dev/null 
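Review bot: `RUN virtualenv --no-site-packages -p python2 /opt/letsencrypt && /opt/letsencrypt/bin/pip install -e /opt/letsencrypt/src` resolves every dependency from the package index at build time with no version pins and no integrity checks, so the image contents depend on when it is built and a published image cannot be audited against the source tree it was built from; pin the dependency set (a requirements/constraints file handed to pip, or exact versions in setup.py) before the image is published anywhere. The `TODO` above `VOLUME /etc/letsencrypt /var/lib/letsencrypt` about preventing `--config-dir` and `--work-dir` from being overridden matters for the same reason, since a user-supplied path outside the volumes silently loses the issued certificate when the container is removed; it should be tracked as an issue rather than left only in the file. As a point of style, the comment block explaining the editable install follows the RUN it describes, while the other comments precede their instructions; placing it directly above the RUN would be consistent.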
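Review bot: In `newer ()`, when `lsb_release` is absent `version` is empty and `[ "$version" -ge 1410 ]` errors out (exit status 2, with a message on stderr) rather than evaluating false cleanly, so the fallback to `python-virtualenv` works only because a failed test happens to be non-zero; add `command -v lsb_release >/dev/null 2>&1 || return 1` as the first line of the function so the case the commit message describes is handled explicitly. The `-a` operator inside `[ ]` is marked obsolescent by POSIX and behaves differently across shells with empty operands; `[ "$distro" = "Ubuntu" ] && [ "$version" -ge 1410 ]` is the portable form. The trailing semicolons on `return 0;` and `return 1;` are unnecessary in shell and inconsistent with the rest of the file.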
@@ -1,2 +0,0 @@ -* -!.gitignore diff --git a/docker-compose.yml b/docker-compose.yml index 8cac124c9..7e291eef2 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -3,4 +3,5 @@ letsencrypt: ports: - "443:443" volumes: - - ./certs/:/etc/letsencrypt/certs/ + - /etc/letsencrypt:/etc/letsencrypt/certs + - /var/lib/letsenecrypt:/var/lib/letsenecrypt diff --git a/docs/using.rst b/docs/using.rst index 387652154..39cbd99a9 100644 --- a/docs/using.rst +++ b/docs/using.rst @@ -49,13 +49,20 @@ Mac OSX Quick Usage =========== -Using docker you can quickly get yourself a testing cert. From the server that the domain your requesting a cert for resolves to, download docker 1.5, and issue the following command: -:: +Using docker you can quickly get yourself a testing cert. From the +server that the domain your requesting a cert for resolves to, +download docker, and issue the following command - docker run -it --rm -p 443:443 -v $PWD/certs/:/etc/letsencrypt/certs/ letsencrypt/lets-encrypt-preview +.. code-block:: shell -And follow the instructions. Your new cert will be available in `certs/` + sudo docker run -it --rm -p 443:443 \ + -v "/etc/letsenecrypt:/etc/letsencrypt" \ + -v "/var/lib/letsenecrypt:/var/lib/letsencrypt" \ + letsencrypt/lets-encrypt-preview + +And follow the instructions. Your new cert will be available in +``/etc/letsencrypt/certs``. Installation ============ From d0b63a35004417297355c44294ac5a02d29d58e0 Mon Sep 17 00:00:00 2001 From: Jakub Warmuz Date: Tue, 5 May 2015 08:40:05 +0000 Subject: [PATCH 07/22] nit: EOF newline --- .dockerignore | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.dockerignore b/.dockerignore index b1a1a48bf..065d674bb 100644 --- a/.dockerignore +++ b/.dockerignore @@ -6,4 +6,4 @@ # test docker on their git working directories. .git -.tox \ No newline at end of file +.tox From b6b86e44cec2ccb52023f816a87de081c7c3da51 Mon Sep 17 00:00:00 2001 
From: Jakub Warmuz Date: Tue, 5 May 2015 10:47:36 +0000 Subject: [PATCH 08/22] Fix typo --- .dockerignore | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.dockerignore b/.dockerignore index 065d674bb..70c90de9f 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,4 +1,4 @@ -# this file uses slightly different syntax that .gitignore, +# this file uses slightly different syntax than .gitignore, # e.g. ".tox/" will not ignore .tox directory # well, official docker build should be done on clean git checkout From 9a0073fff53f7f2ea04de944dfbf46db76eb2bc3 Mon Sep 17 00:00:00 2001 From: Jakub Warmuz Date: Wed, 6 May 2015 09:33:56 +0000 Subject: [PATCH 09/22] docker: use quay.io, move quick start section to the top --- docs/using.rst | 35 ++++++++++++++++++----------------- 1 file changed, 18 insertions(+), 17 deletions(-) diff --git a/docs/using.rst b/docs/using.rst index 39cbd99a9..a27c82103 100644 --- a/docs/using.rst +++ b/docs/using.rst @@ -2,6 +2,24 @@ Using the Let's Encrypt client ============================== +Quick start +=========== + +Using docker you can quickly get yourself a testing cert. From the +server that the domain your requesting a cert for resolves to, +download docker, and issue the following command + +.. code-block:: shell + + sudo docker run -it --rm -p 443:443 --name letsencrypt \ + -v "/etc/letsenecrypt:/etc/letsencrypt" \ + -v "/var/lib/letsenecrypt:/var/lib/letsencrypt" \ + quay.io/letsencrypt/lets-encrypt-preview:latest + +And follow the instructions. Your new cert will be available in +``/etc/letsencrypt/certs``. + + Prerequisites ============= 
@@ -47,23 +65,6 @@ Mac OSX sudo ./bootstrap/mac.sh -Quick Usage -=========== - -Using docker you can quickly get yourself a testing cert. From the -server that the domain your requesting a cert for resolves to, -download docker, and issue the following command - -.. code-block:: shell - - sudo docker run -it --rm -p 443:443 \ - -v "/etc/letsenecrypt:/etc/letsencrypt" \ - -v "/var/lib/letsenecrypt:/var/lib/letsencrypt" \ - letsencrypt/lets-encrypt-preview - -And follow the instructions. Your new cert will be available in -``/etc/letsencrypt/certs``. - Installation ============ From 29fdde5f5f31d346ff8ab1e3344dd854494d9177 Mon Sep 17 00:00:00 2001 From: Jakub Warmuz Date: Sat, 9 May 2015 18:50:40 +0000 Subject: [PATCH 10/22] Dockerfile: set PATH --- Dockerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 496c3c609..66047484b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -51,5 +51,6 @@ RUN virtualenv --no-site-packages -p python2 /opt/letsencrypt && \ # this might also help in debugging: you can "docker run --entrypoint # bash" and investigate, apply patches, etc. +ENV PATH /opt/letsencrypt/bin:$PATH # TODO: is --text really necessary? -ENTRYPOINT [ "/opt/letsencrypt/bin/letsencrypt", "--text" ] +ENTRYPOINT [ "letsencrypt", "--text" ] From 973672761d743f7a6f9c7ecd1fe446cbef1d8a23 Mon Sep 17 00:00:00 2001 From: Jakub Warmuz Date: Sun, 10 May 2015 14:26:33 +0000 Subject: [PATCH 11/22] .dockerignore venv and docs --- .dockerignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.dockerignore b/.dockerignore index 70c90de9f..2ce8a8209 100644 --- a/.dockerignore +++ b/.dockerignore @@ -7,3 +7,5 @@ .git .tox +venv +docs From 125ba6449e9fa3a7c758a94daf8099730aa13ea4 Mon Sep 17 00:00:00 2001 From: Jakub Warmuz Date: Tue, 12 May 2015 21:14:44 +0000 Subject: [PATCH 12/22] Dockerfile: copy dep modules dirs --- Dockerfile | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/Dockerfile b/Dockerfile index 66047484b..505d6e2eb 100644 --- a/Dockerfile +++ b/Dockerfile @@ -41,6 +41,9 @@ COPY setup.py README.rst CHANGES.rst MANIFEST.in /opt/letsencrypt/src/ # more likely to be cached than the whole project directory COPY letsencrypt /opt/letsencrypt/src/letsencrypt/ +COPY acme /opt/letsencrypt/src/acme/ +COPY letsencrypt_apache /opt/letsencrypt/src/letsencrypt_apache/ +COPY letsencrypt_nginx /opt/letsencrypt/src/letsencrypt_nginx/ RUN virtualenv --no-site-packages -p python2 /opt/letsencrypt && \ From 514d319662251bc9d3e493d0f9a56633ef973e93 Mon Sep 17 00:00:00 2001 From: Jakub Warmuz Date: Tue, 12 May 2015 22:01:09 +0000 Subject: [PATCH 13/22] Use debian:jessie as docker base image le latest e1f2e8ce3a0e 14 minutes ago 780.2 MB vs le latest d3276dd3976c About a minute ago 393.6 MB where: buildpack-deps jessie ecff3a5a9760 12 days ago 677.4 MB debian jessie 41b730702607 13 days ago 125.1 MB --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 505d6e2eb..b998b1f8d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM buildpack-deps:jessie +FROM debian:jessie MAINTAINER Jakub Warmuz # You neccesarily have to bind to 443@host as well! (ACME spec) From 3c0ce923b21b79e1185d057d387aa8e6a1232314 Mon Sep 17 00:00:00 2001 From: Jakub Warmuz Date: Tue, 19 May 2015 20:51:11 +0000 Subject: [PATCH 14/22] Dockerfile: use ubuntu:trusty (based on review feedback). --- Dockerfile | 7 +++++-- bootstrap/_deb_common.sh | 2 ++ 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index b998b1f8d..73d843399 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,4 +1,7 @@ -FROM debian:jessie +# https://github.com/letsencrypt/lets-encrypt-preview/pull/431#issuecomment-103659297 +# it is more likely developers will already have ubuntu:trusty rather +# than e.g. debian:jessie and image size differences are negligible +FROM ubuntu:trusty MAINTAINER Jakub Warmuz # You neccesarily have to bind to 443@host as well! (ACME spec) @@ -20,7 +23,7 @@ WORKDIR /opt/letsencrypt #COPY . /opt/letsencrypt/ COPY bootstrap/debian.sh /opt/letsencrypt/src/ -RUN /opt/letsencrypt/src/debian.sh newer && \ +RUN /opt/letsencrypt/src/debian.sh && \ apt-get clean && \ rm -rf /var/lib/apt/lists/* \ /tmp/* \ diff --git a/bootstrap/_deb_common.sh b/bootstrap/_deb_common.sh index 07222e74d..4e4c75b33 100755 --- a/bootstrap/_deb_common.sh +++ b/bootstrap/_deb_common.sh @@ -29,6 +29,8 @@ newer () { fi } +# you can force newer if lsb_release is not available (e.g. Docker +# debian:jessie base image) if [ "$1" = "newer" ] || newer then virtualenv="virtualenv" From 5a22ff17d03400564985f2746cd77cc6020bb2ba Mon Sep 17 00:00:00 2001 From: Jakub Warmuz Date: Tue, 19 May 2015 21:49:57 +0000 Subject: [PATCH 15/22] Dockerfile: debian.sh -> ubuntu.sh --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 73d843399..edf2c9ff7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -22,8 +22,8 @@ WORKDIR /opt/letsencrypt # The following copies too much than we need... #COPY . /opt/letsencrypt/ -COPY bootstrap/debian.sh /opt/letsencrypt/src/ -RUN /opt/letsencrypt/src/debian.sh && \ +COPY bootstrap/ubuntu.sh /opt/letsencrypt/src/ +RUN /opt/letsencrypt/src/ubuntu.sh && \ apt-get clean && \ rm -rf /var/lib/apt/lists/* \ /tmp/* \ From e7cf4792b3c5192cc0eec50ec99cfb2aa9af93c4 Mon Sep 17 00:00:00 2001 From: Jakub Warmuz Date: Tue, 19 May 2015 22:01:01 +0000 Subject: [PATCH 16/22] Fix typos --- docker-compose.yml | 4 ++-- docs/using.rst | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/docker-compose.yml b/docker-compose.yml index 7e291eef2..8bb3182fa 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -3,5 +3,5 @@ letsencrypt: ports: - "443:443" volumes: - - /etc/letsencrypt:/etc/letsencrypt/certs - - /var/lib/letsenecrypt:/var/lib/letsenecrypt + - /etc/letsencrypt:/etc/letsencrypt + - /var/lib/letsencrypt:/var/lib/letsencrypt diff --git a/docs/using.rst b/docs/using.rst index f69531b5b..a9b547cf9 100644 --- a/docs/using.rst +++ b/docs/using.rst @@ -12,8 +12,8 @@ download docker, and issue the following command .. code-block:: shell sudo docker run -it --rm -p 443:443 --name letsencrypt \ - -v "/etc/letsenecrypt:/etc/letsencrypt" \ - -v "/var/lib/letsenecrypt:/var/lib/letsencrypt" \ + -v "/etc/letsencrypt:/etc/letsencrypt" \ + -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \ quay.io/letsencrypt/lets-encrypt-preview:latest And follow the instructions. Your new cert will be available in From ea667744f5cb4b6660add655648ccfa286004ee5 Mon Sep 17 00:00:00 2001 From: William Budington Date: Tue, 19 May 2015 16:39:54 -0700 Subject: [PATCH 17/22] Being more verbose in explanation of EXPOSE instruction --- Dockerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index edf2c9ff7..0c8830d5b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,7 +4,8 @@ FROM ubuntu:trusty MAINTAINER Jakub Warmuz -# You neccesarily have to bind to 443@host as well! (ACME spec) +# Note: this only exposes the port to other docker containers. You +# still have to bind to 443@host at runtime, as per the ACME spec. EXPOSE 443 # TODO: make sure --config-dir and --work-dir cannot be changed From 1b1763b011d7496901709cb739119c9573e17584 Mon Sep 17 00:00:00 2001 From: William Budington Date: Tue, 19 May 2015 16:41:32 -0700 Subject: [PATCH 18/22] Removing cruft from Dockerfile which copies entire project working directory --- Dockerfile | 3 --- 1 file changed, 3 deletions(-) 
diff --git a/Dockerfile b/Dockerfile index 0c8830d5b..8bbb68a2e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -20,9 +20,6 @@ WORKDIR /opt/letsencrypt # If doesn't exist, it is created along with all missing # directories in its path. -# The following copies too much than we need... -#COPY . /opt/letsencrypt/ - COPY bootstrap/ubuntu.sh /opt/letsencrypt/src/ RUN /opt/letsencrypt/src/ubuntu.sh && \ apt-get clean && \ From 6a7e3438a92561efb04ee8ac7a0fa3fe1985b626 Mon Sep 17 00:00:00 2001 From: William Budington Date: Tue, 19 May 2015 16:43:51 -0700 Subject: [PATCH 19/22] Adding self as maintainer --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index 8bbb68a2e..6fbc6d240 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,6 +3,7 @@ # than e.g. debian:jessie and image size differences are negligible FROM ubuntu:trusty MAINTAINER Jakub Warmuz +MAINTAINER William Budington # Note: this only exposes the port to other docker containers. You # still have to bind to 443@host at runtime, as per the ACME spec. From e4e4c69f369406842ecc92bccf86ad1899085f3f Mon Sep 17 00:00:00 2001 From: William Budington Date: Tue, 19 May 2015 16:53:31 -0700 Subject: [PATCH 20/22] sharng docker-compose.yml to add two separate container specifications: one for development (that mounts the host git root to /opt/letsencrypt/src) and one for production (that doesn't). --- docker-compose.yml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 8bb3182fa..f7c071f1f 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,7 +1,13 @@ -letsencrypt: +production: + build: . + ports: + - "443:443" + +# For development, mount git root to /opt/letsencrypt/src in order to +# make the dev workflow more vagrant-like. +development: build: . ports: - "443:443" volumes: - - /etc/letsencrypt:/etc/letsencrypt - - /var/lib/letsencrypt:/var/lib/letsencrypt + - .:/opt/letsencrypt/src 
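Review bot: The new `production:` service no longer mounts `/etc/letsencrypt` or `/var/lib/letsencrypt`, so the Dockerfile's `VOLUME` declarations for those paths become anonymous volumes and the issued certificate and private key exist only inside a volume that is discarded together with the container; the `docker run` invocation documented in docs/using.rst still uses host bind mounts for both paths, so the two now disagree about where certificates end up. Either restore the two bind mounts under production (`volumes:` / `- /etc/letsencrypt:/etc/letsencrypt` / `- /var/lib/letsencrypt:/var/lib/letsencrypt`) or add a comment stating where a production user is expected to recover the certificate from. The `development:` service mounts the host checkout over `/opt/letsencrypt/src`, which is the intent stated in the comment, but it also drops the two configuration mounts, so development runs lose their state the same way.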
From 58156a29d376a83b01be8256894f277d5e5f5b0e Mon Sep 17 00:00:00 2001 From: Seth Schoen Date: Tue, 19 May 2015 17:06:06 -0700 Subject: [PATCH 21/22] Fix typos --- acme/messages2_test.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/acme/messages2_test.py b/acme/messages2_test.py index 62de0832c..c1521e2c3 100644 --- a/acme/messages2_test.py +++ b/acme/messages2_test.py @@ -33,9 +33,9 @@ class ErrorTest(unittest.TestCase): def test_typ_decoder_missing_prefix(self): from acme.messages2 import Error - self.jobj['type'] = 'malfomed' + self.jobj['type'] = 'malformed' self.assertRaises(jose.DeserializationError, Error.from_json, self.jobj) - self.jobj['type'] = 'not balid bare type' + self.jobj['type'] = 'not valid bare type' self.assertRaises(jose.DeserializationError, Error.from_json, self.jobj) def test_typ_decoder_not_recognized(self): From 2fe8a75200b4ee85ec22cdb54e3f8760619bf953 Mon Sep 17 00:00:00 2001 From: William Budington Date: Tue, 19 May 2015 17:39:53 -0700 Subject: [PATCH 22/22] Use a discrete path for venv in docker, rather than /opt/letsencrypt. This is useful for the docker development container, which we will want venv to persist for across runs. --- Dockerfile | 6 +++--- docker-compose.yml | 1 + 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 6fbc6d240..b6a07388c 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -48,14 +48,14 @@ COPY letsencrypt_apache /opt/letsencrypt/src/letsencrypt_apache/ COPY letsencrypt_nginx /opt/letsencrypt/src/letsencrypt_nginx/ -RUN virtualenv --no-site-packages -p python2 /opt/letsencrypt && \ - /opt/letsencrypt/bin/pip install -e /opt/letsencrypt/src +RUN virtualenv --no-site-packages -p python2 /opt/letsencrypt/venv && \ + /opt/letsencrypt/venv/bin/pip install -e /opt/letsencrypt/src # install in editable mode (-e) to save space: it's not possible to # "rm -rf /opt/letsencrypt/src" (it's stays in the underlaying image); # this might also help in debugging: you can "docker run --entrypoint # bash" and investigate, apply patches, etc. -ENV PATH /opt/letsencrypt/bin:$PATH +ENV PATH /opt/letsencrypt/venv/bin:$PATH # TODO: is --text really necessary? ENTRYPOINT [ "letsencrypt", "--text" ] diff --git a/docker-compose.yml b/docker-compose.yml index f7c071f1f..dbe6e4f01 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -11,3 +11,4 @@ development: - "443:443" volumes: - .:/opt/letsencrypt/src + - /opt/letsencrypt/venv
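Review bot: The added `- /opt/letsencrypt/venv` entry is an anonymous volume with no host path, and an anonymous volume is tied to the container that created it; whether it survives "across runs" as the commit message intends depends on compose reusing that container rather than creating a new one (a one-off `docker-compose run` container starts with a fresh, empty volume), so the persistence claim should be verified and the mechanism noted in a comment above the line. Because the venv in the image was created with `pip install -e /opt/letsencrypt/src`, the development service's bind mount of `.` over `/opt/letsencrypt/src` replaces the installed source without reinstalling, which is fine for code changes but will not pick up dependency changes in setup.py until the venv volume is removed; a comment saying so would save debugging time. The Dockerfile hunk in the same commit moves the virtualenv to `/opt/letsencrypt/venv` and updates `ENV PATH` consistently.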