diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 000000000..b1a1a48bf
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,9 @@
+# this file uses slightly different syntax that .gitignore,
+# e.g. ".tox/" will not ignore .tox directory
+
+# well, official docker build should be done on clean git checkout
+# anyway, so .tox should be empty... But I'm sure people will try to
+# test docker on their git working directories.
+
+.git
+.tox
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index b11baa12c..496c3c609 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,16 +1,55 @@ -FROM ubuntu:trusty +FROM buildpack-deps:jessie +MAINTAINER Jakub Warmuz +# You neccesarily have to bind to 443@host as well! (ACME spec) EXPOSE 443 -RUN apt-get update && apt-get -y install python python-setuptools python-virtualenv python-dev \ - gcc swig dialog libaugeas0 libssl-dev libffi-dev ca-certificates git && \ - apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* +# TODO: make sure --config-dir and --work-dir cannot be changed +# through the CLI (letsencrypt-docker wrapper that uses standalone +# authenticator and text mode only?) +VOLUME /etc/letsencrypt /var/lib/letsencrypt -RUN cd /opt && git clone https://github.com/letsencrypt/lets-encrypt-preview.git -WORKDIR /opt/lets-encrypt-preview -RUN \ - virtualenv --no-site-packages -p python2 venv && \ - ./venv/bin/python setup.py install +WORKDIR /opt/letsencrypt -ENV DOCKER_RUN True -ENTRYPOINT [ "./venv/bin/letsencrypt", "--text" ] +# no need to mkdir anything: +# https://docs.docker.com/reference/builder/#copy +# If doesn't exist, it is created along with all missing +# directories in its path. + +# The following copies too much than we need... +#COPY . /opt/letsencrypt/ + +COPY bootstrap/debian.sh /opt/letsencrypt/src/ +RUN /opt/letsencrypt/src/debian.sh newer && \ + apt-get clean && \ + rm -rf /var/lib/apt/lists/* \ + /tmp/* \ + /var/tmp/* + +# the above is not likely to change, so by putting it further up the +# Dockerfile we make sure we cache as much as possible + + +COPY setup.py README.rst CHANGES.rst MANIFEST.in /opt/letsencrypt/src/ + +# all above files are necessary for setup.py, however, package source +# code directory has to be copied separately to a subdirectory... +# https://docs.docker.com/reference/builder/#copy: "If is a +# directory, the entire contents of the directory are copied, +# including filesystem metadata. Note: The directory itself is not +# copied, just its contents." 
Order again matters, three files are far +# more likely to be cached than the whole project directory + +COPY letsencrypt /opt/letsencrypt/src/letsencrypt/ + + +RUN virtualenv --no-site-packages -p python2 /opt/letsencrypt && \ + /opt/letsencrypt/bin/pip install -e /opt/letsencrypt/src + +# install in editable mode (-e) to save space: it's not possible to +# "rm -rf /opt/letsencrypt/src" (it's stays in the underlaying image); +# this might also help in debugging: you can "docker run --entrypoint +# bash" and investigate, apply patches, etc. + +# TODO: is --text really necessary? +ENTRYPOINT [ "/opt/letsencrypt/bin/letsencrypt", "--text" ] diff --git a/bootstrap/_deb_common.sh b/bootstrap/_deb_common.sh index b09130d77..07222e74d 100755 --- a/bootstrap/_deb_common.sh +++ b/bootstrap/_deb_common.sh @@ -10,21 +10,33 @@ # - 7.8 "wheezy" (x64) # - 8.0 "jessie" (x64) + # virtualenv binary can be found in different packages depending on # distro version (#346) -distro=$(lsb_release -si) -# 6.0.10 => 60, 14.04 => 1404 -version=$(lsb_release -sr | awk -F '.' '{print $1 $2}') -if [ "$distro" = "Ubuntu" -a "$version" -ge 1410 ] -then - virtualenv="virtualenv" -elif [ "$distro" = "Debian" -a "$version" -ge 80 ] +newer () { + distro=$(lsb_release -si) + # 6.0.10 => 60, 14.04 => 1404 + # TODO: in sid version==unstable + version=$(lsb_release -sr | awk -F '.' '{print $1 $2}') + if [ "$distro" = "Ubuntu" -a "$version" -ge 1410 ] + then + return 0; + elif [ "$distro" = "Debian" -a "$version" -ge 80 ] + then + return 0; + else + return 1; + fi +} + +if [ "$1" = "newer" ] || newer then virtualenv="virtualenv" else virtualenv="python-virtualenv" fi + # dpkg-dev: dpkg-architecture binary necessary to compile M2Crypto, c.f. # #276, https://github.com/martinpaljak/M2Crypto/issues/62, # M2Crypto setup.py:add_multiarch_paths diff --git a/certs/.gitignore b/certs/.gitignore deleted file mode 100644 index d6b7ef32c..000000000 --- a/certs/.gitignore +++ /dev/null 
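Review bot: Neither the base image nor the Python dependencies are pinned, so two builds of this Dockerfile can produce different code in a container that presumably handles ACME account keys and certificate private keys (it declares `/etc/letsencrypt` as a volume). `FROM buildpack-deps:jessie` follows a moving tag, and `pip install -e /opt/letsencrypt/src` resolves whatever versions setup.py's requirements allow at build time. I would pin the base by digest, `FROM buildpack-deps:jessie@sha256:<digest of the reviewed image>`, and have pip install against a constraints or hash-checked requirements file kept in the repository. Separately, the hunk appears to cover the whole file and contains no `USER` instruction, so the entrypoint runs as root; if that is required to bind 443 and write the two volumes, a comment next to `ENTRYPOINT` saying so would help.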
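Review bot: The `-ge` comparisons inside `newer` fail on a non-numeric release string, which the added TODO already anticipates for sid: `[` reports an error and returns non-zero, so the function falls through to `return 1` and `python-virtualenv` is selected. Because both operands of `-a` are evaluated, that error also shows up in the branch whose distro name does not match, and POSIX marks `-a` inside `[` as obsolescent. I would split each test, e.g. `[ "$distro" = "Ubuntu" ] && [ "$version" -ge 1410 ]`, and put a `case "$version" in` guard ahead of the comparisons that decides explicitly for empty or non-numeric values (an empty value is what a missing `lsb_release` would produce). A short comment above `if [ "$1" = "newer" ] || newer` explaining that the argument exists to skip detection (the Dockerfile in this commit calls `debian.sh newer`) would also help; the rest of the script lies outside the hunk.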
@@ -1,2 +0,0 @@ -* -!.gitignore diff --git a/docker-compose.yml b/docker-compose.yml index 8cac124c9..7e291eef2 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -3,4 +3,5 @@ letsencrypt: ports: - "443:443" volumes: - - ./certs/:/etc/letsencrypt/certs/ + - /etc/letsencrypt:/etc/letsencrypt/certs + - /var/lib/letsenecrypt:/var/lib/letsenecrypt diff --git a/docs/using.rst b/docs/using.rst index 387652154..39cbd99a9 100644 --- a/docs/using.rst +++ b/docs/using.rst @@ -49,13 +49,20 @@ Mac OSX Quick Usage =========== -Using docker you can quickly get yourself a testing cert. From the server that the domain your requesting a cert for resolves to, download docker 1.5, and issue the following command: -:: +Using docker you can quickly get yourself a testing cert. From the +server that the domain your requesting a cert for resolves to, +download docker, and issue the following command - docker run -it --rm -p 443:443 -v $PWD/certs/:/etc/letsencrypt/certs/ letsencrypt/lets-encrypt-preview +.. code-block:: shell -And follow the instructions. Your new cert will be available in `certs/` + sudo docker run -it --rm -p 443:443 \ + -v "/etc/letsenecrypt:/etc/letsencrypt" \ + -v "/var/lib/letsenecrypt:/var/lib/letsencrypt" \ + letsencrypt/lets-encrypt-preview + +And follow the instructions. Your new cert will be available in +``/etc/letsencrypt/certs``. Installation ============
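Review bot: The two added volume entries do not line up with the `VOLUME /etc/letsencrypt /var/lib/letsencrypt` declared in the Dockerfile of this same commit: the first mounts the host directory at `/etc/letsencrypt/certs` rather than `/etc/letsencrypt`, and the second spells both sides `letsenecrypt`. As written, anything the client writes under /var/lib/letsencrypt, or under /etc/letsencrypt outside the certs/ subdirectory, would land in anonymous volumes and not in the host directories; that presumably includes account and key material that should persist in a location with controlled permissions. Suggested lines: `- /etc/letsencrypt:/etc/letsencrypt` and `- /var/lib/letsencrypt:/var/lib/letsencrypt`. The same `letsenecrypt` misspelling is on the host side of both `-v` options in the docs/using.rst hunk, where it would make Docker create misnamed host directories, and that text still points readers at `/etc/letsencrypt/certs`.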