Update README

fix branch name

grammar

remove readme link

Remove links to Robie's repo.

say you can't use docker

Commands not command

Update publishing permissions section.

Have Certbot trust plugins.

Do not run snapcraft with sudo.
Brad Warren 2020-04-27 15:22:57 -07:00 committed by Erica Portnoy
parent 0bebdedcbc
commit 44b1bd8e0e
2 changed files with 41 additions and 35 deletions

@ -53,38 +53,46 @@ You can now operate the plugin as normal.
To try this out, you'll need to build the snaps (a patched Certbot snap and a
plugin snap) manually.
1. Start with a Xenial VM.
2. Install snapcraft with `snap install --classic snapcraft`.
3. Run `git clone git://github.com/basak/certbot-snap-build -b snap-plugins/snap/certbot`.
4. `cd certbot-snap-build`
5. Run `git clone https://github.com/basak/certbot-snap-build -b snap-plugins/certbot certbot` (this is a workaround for #13).
6. Run `certbot/tools/strip_hashes.py certbot/letsencrypt-auto-source/pieces/dependency-requirements.txt > certbot/constraints.txt` (this is a workaround for #13).
7. Run `snapcraft`.
8. Install the generated snap with `sudo snap install --dangerous --classic certbot_*_amd64.snap`. You can transfer the snap to a different machine to run it there instead if you prefer.
9. `cd ..`
10. `git clone git://github.com/basak/certbot-snap-build.git -b snap-plugins/snap/certbot-dns-dnsimple certbot-dns-dnsimple`
11. `cd certbot-dns-dnsimple`
12. `snapcraft`
13. Install the generated snap with `sudo snap install --dangerous certbot-dns-dnsimple_*_amd64.snap`. Again, you can transfer the snap to a different machine to run it there instead if you prefer.
14. Connect the plugin with `sudo snap connect certbot:plugin certbot-dns-dnsimple`.
15. Now you can run Certbot as normal. For example, `certbot plugins` should display the DNSimple plugin as installed.
### Initial VM Set Up
## Code
These steps need to be done once to set up your VM and do not need to be run again to rebuild the snap.
This proof of concept ships four git branches:
1. Start with a Xenial VM. You need a full virtual machine using something like DigitalOcean, EC2, or VirtualBox. Docker won't work. Another version of Ubuntu can probably be used, but Xenial was used when writing these instructions.
2. Set up a user other than root with sudo privileges for use with snapcraft and run all of the following commands with it. A command to do this for a user named certbot looks like `adduser certbot && usermod -aG sudo certbot && su - certbot`.
3. Install git and python with `sudo apt update && sudo apt install git python`.
4. Set up lxd for use with snapcraft by running `sudo snap install lxd && sudo /snap/bin/lxd.migrate -yes && sudo /snap/bin/lxd waitready && sudo /snap/bin/lxd init --auto`
5. Add your current user to the lxd group and update your shell to have the new assignment by running `sudo usermod -a -G lxd ${USER} && newgrp lxd`.
6. Install snapcraft with `sudo snap install --classic snapcraft`.
7. `cd ~` (or any other directory where you want our source files to be)
8. Run `git clone git://github.com/certbot/certbot -b snap-plugin`
9. `cd certbot`
1. [This documentation](https://github.com/basak/certbot-snap-build/tree/snap-plugins/doc).
2. [A fork of Certbot upstream that adds support for
`CERTBOT_PLUGIN_PATH`](https://github.com/basak/certbot-snap-build/tree/snap-plugins/certbot).
3. [A fork of the proof of concept Certbot snap packaging that adds plugin
support](https://github.com/basak/certbot-snap-build/tree/snap-plugins/snap/certbot).
4. [An example of snap packaging for the Certbot DNSimple
plugin](https://github.com/basak/certbot-snap-build/tree/snap-plugins/snap/certbot-dns-dnsimple).
### Build the Snaps
If adopted, these would all be upstreamed, and no branches would be necessary.
Snap packaging is intended to be maintained within upstream code trees
themselves with the addition of `snapcraft.yaml`, much like Travis CI
integration.
These are the steps to build and install the snaps. If you have run these steps before, you may want to run the commands in the section below to clean things up before building the snap again.
1. Run `tools/strip_hashes.py letsencrypt-auto-source/pieces/dependency-requirements.txt > constraints.txt` (this is a workaround for https://github.com/certbot/certbot/issues/7957).
2. Run `snapcraft --use-lxd`.
3. Install the generated snap with `sudo snap install --dangerous --classic certbot_*_amd64.snap`. You can transfer the snap to a different machine to run it there instead if you prefer.
4. Run `tools/strip_hashes.py letsencrypt-auto-source/pieces/dependency-requirements.txt > certbot-dns-dnsimple/constraints.txt`.
5. `cd certbot-dns-dnsimple`
6. `snapcraft --use-lxd`
7. Run `sudo snap set certbot trust-plugin-with-root=ok`.
8. Install the generated snap with `sudo snap install --dangerous certbot-dns-dnsimple_*_amd64.snap`. Again, you can transfer the snap to a different machine to run it there instead if you prefer.
9. Connect the plugin with `sudo snap connect certbot:plugin certbot-dns-dnsimple`.
10. Now you can run Certbot as normal. For example, `certbot plugins` should display the DNSimple plugin as installed.
### Reset the Environment
The instructions below clean up the build environment so it can reliably be used again.
1. `cd ~/certbot` (or to an alternate path where you put our source files)
2. `snapcraft clean --use-lxd`
3. `rm certbot_*_amd64.snap`
4. `cd certbot-dns-dnsimple`
5. `rm certbot-dns-dnsimple_*_amd64.snap`
6. `snapcraft clean --use-lxd`
7. `cd ..`
## Publishing Permissions
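
Review bot: step 8 of "Initial VM Set Up" clones with `git://github.com/certbot/certbot`, an unauthenticated and unencrypted transport, and the tree it fetches is then built and installed with `sudo snap install --dangerous --classic`, so nothing in these steps verifies the source that ends up installed unconfined. Use `https://github.com/certbot/certbot` for the clone, matching the https issue link already used in step 1 of "Build the Snaps". Step 7 of "Build the Snaps" (`sudo snap set certbot trust-plugin-with-root=ok`) is also given with no explanation; one sentence on what the setting grants and why it has to be set before the plugin is installed and connected would help anyone following the list.
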
@ -99,12 +107,11 @@ As implemented, Certbot will only load plugins connected via the snap interface
mechanism, so permission is effectively delegated to what interface connections
the snap infrastucture will permit.
I am not clear as to exactly what is and isn't currently permitted, and what
interfaces can or cannot be set to be automatically connected.
It seems fairly clear that, at a minimum, a manual connection between snaps
coming from the same publisher will be permitted.
We have approval from the snap team to use this design as long as we make it
more explicit what a user is agreeing to when they connect a plugin to the
Certbot snap. That work is tracked by
https://github.com/certbot/certbot/issues/7667.
## Outstanding issues
[Outstanding items relating to plugin support in Certbot snaps are tracked on GitHub](https://github.com/basak/certbot-snap-build/issues?q=is%3Aissue+is%3Aopen+label%3Aplugin).
[Outstanding items relating to plugin support in Certbot snaps are tracked on GitHub](https://github.com/certbot/certbot/issues?q=is%3Aopen+is%3Aissue+label%3A%22area%3A+snaps%22).
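
Review bot: the new "Publishing Permissions" paragraph says approval depends on making it more explicit what a user is agreeing to when they connect a plugin, but the README still does not say what that is, and the only place the user meets it is the unexplained `trust-plugin-with-root=ok` step in the build instructions. Until the work in issue 7667 lands, add a sentence here describing what connecting `certbot:plugin` with that setting allows a plugin snap to do. The unchanged context line above also has "infrastucture" for "infrastructure", which could be fixed in the same pass.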

@ -1 +0,0 @@
certbot/README.rst