Update docker setup.

Changes:
- uses debian:jessie as base image (more lightweight)
- .dockerignore .git/.tox to speed up build process considerably
- more caching-aware Dockerfile
- copy current directory instead of git cloning the repo inside the container
- /etc/letsencrypt and /var/lib/letsencrypt volumes;
  no need for "if os.environ.get" hack

bootstrap script for debian had to be adjusted, as lsb_release is not
present in debian:jessie image.

.dockerignore

@@ -0,0 +1,9 @@
+# this file uses slightly different syntax that .gitignore,
+# e.g. ".tox/" will not ignore .tox directory
+
+# well, official docker build should be done on clean git checkout
+# anyway, so .tox should be empty... But I'm sure people will try to
+# test docker on their git working directories.
+
+.git
+.tox

Dockerfile

@@ -1,16 +1,55 @@
-FROM ubuntu:trusty
+FROM buildpack-deps:jessie
+MAINTAINER Jakub Warmuz <jakub@warmuz.org>
 
+# You neccesarily have to bind to 443@host as well! (ACME spec)
 EXPOSE 443
 
-RUN apt-get update && apt-get -y install python python-setuptools python-virtualenv python-dev \
-  gcc swig dialog libaugeas0 libssl-dev libffi-dev ca-certificates git && \
-  apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+# TODO: make sure --config-dir and --work-dir cannot be changed
+# through the CLI (letsencrypt-docker wrapper that uses standalone
+# authenticator and text mode only?)
+VOLUME /etc/letsencrypt /var/lib/letsencrypt
 
-RUN cd /opt && git clone https://github.com/letsencrypt/lets-encrypt-preview.git
-WORKDIR /opt/lets-encrypt-preview
-RUN \
-  virtualenv --no-site-packages -p python2 venv && \
-  ./venv/bin/python setup.py install
+WORKDIR /opt/letsencrypt
 
-ENV DOCKER_RUN True
-ENTRYPOINT [ "./venv/bin/letsencrypt", "--text" ]
+# no need to mkdir anything:
+# https://docs.docker.com/reference/builder/#copy
+# If <dest> doesn't exist, it is created along with all missing
+# directories in its path.
+
+# The following copies too much than we need...
+#COPY . /opt/letsencrypt/
+
+COPY bootstrap/debian.sh /opt/letsencrypt/src/
+RUN /opt/letsencrypt/src/debian.sh newer && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* \
+           /tmp/* \
+           /var/tmp/*
+
+# the above is not likely to change, so by putting it further up the
+# Dockerfile we make sure we cache as much as possible
+
+
+COPY setup.py README.rst CHANGES.rst MANIFEST.in /opt/letsencrypt/src/
+
+# all above files are necessary for setup.py, however, package source
+# code directory has to be copied separately to a subdirectory...
+# https://docs.docker.com/reference/builder/#copy: "If <src> is a
+# directory, the entire contents of the directory are copied,
+# including filesystem metadata. Note: The directory itself is not
+# copied, just its contents." Order again matters, three files are far
+# more likely to be cached than the whole project directory
+
+COPY letsencrypt /opt/letsencrypt/src/letsencrypt/
+
+
+RUN virtualenv --no-site-packages -p python2 /opt/letsencrypt && \
+    /opt/letsencrypt/bin/pip install -e /opt/letsencrypt/src
+
+# install in editable mode (-e) to save space: it's not possible to
+# "rm -rf /opt/letsencrypt/src" (it's stays in the underlaying image);
+# this might also help in debugging: you can "docker run --entrypoint
+# bash" and investigate, apply patches, etc.
+
+# TODO: is --text really necessary?
+ENTRYPOINT [ "/opt/letsencrypt/bin/letsencrypt", "--text" ]

bootstrap/_deb_common.sh

@@ -10,21 +10,33 @@
 #     - 7.8 "wheezy" (x64)
 #     - 8.0 "jessie" (x64)
 
+
 # virtualenv binary can be found in different packages depending on
 # distro version (#346)
-distro=$(lsb_release -si)
-# 6.0.10 => 60, 14.04 => 1404
-version=$(lsb_release -sr | awk -F '.' '{print $1 $2}')
-if [ "$distro" = "Ubuntu" -a "$version" -ge 1410 ]
-then
-  virtualenv="virtualenv"
-elif [ "$distro" = "Debian" -a "$version" -ge 80 ]
+newer () {
+  distro=$(lsb_release -si)
+  # 6.0.10 => 60, 14.04 => 1404
+  # TODO: in sid version==unstable
+  version=$(lsb_release -sr | awk -F '.' '{print $1 $2}')
+  if [ "$distro" = "Ubuntu" -a "$version" -ge 1410 ]
+  then
+    return 0;
+  elif [ "$distro" = "Debian" -a "$version" -ge 80 ]
+  then
+    return 0;
+  else
+    return 1;
+  fi
+}
+
+if [ "$1" = "newer" ] || newer
 then
   virtualenv="virtualenv"
 else
   virtualenv="python-virtualenv"
 fi
 
+
 # dpkg-dev: dpkg-architecture binary necessary to compile M2Crypto, c.f.
 #           #276, https://github.com/martinpaljak/M2Crypto/issues/62,
 #           M2Crypto setup.py:add_multiarch_paths

certs/.gitignore

@@ -1,2 +0,0 @@
-*
-!.gitignore

docker-compose.yml

@@ -3,4 +3,5 @@ letsencrypt:
   ports:
     - "443:443"
   volumes:
-    - ./certs/:/etc/letsencrypt/certs/
+    - /etc/letsencrypt:/etc/letsencrypt/certs
+    - /var/lib/letsenecrypt:/var/lib/letsenecrypt

docs/using.rst

@@ -49,13 +49,20 @@ Mac OSX
 
 Quick Usage
 ===========
-Using docker you can quickly get yourself a testing cert.  From the server that the domain your requesting a cert for resolves to, download docker 1.5, and issue the following command:
 
-::
+Using docker you can quickly get yourself a testing cert. From the
+server that the domain your requesting a cert for resolves to,
+download docker, and issue the following command
 
-    docker run -it --rm -p 443:443 -v $PWD/certs/:/etc/letsencrypt/certs/ letsencrypt/lets-encrypt-preview
+.. code-block:: shell
 
-And follow the instructions.  Your new cert will be available in `certs/`
+   sudo docker run -it --rm -p 443:443 \
+               -v "/etc/letsenecrypt:/etc/letsencrypt" \
+               -v "/var/lib/letsenecrypt:/var/lib/letsencrypt" \
+               letsencrypt/lets-encrypt-preview
+
+And follow the instructions. Your new cert will be available in
+``/etc/letsencrypt/certs``.
 
 Installation
 ============