Make dehydrated write to /dehydrated.

This allows for more effective and efficient use with read-only root filesystems. That is, /dehydrated can be mounted as volume, while /etc/dehydrated/config can be read-only.
schnatterer · Jun 27, 2020 · db68c08 · db68c08
1 parent 1cbef1f
commit db68c08
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 6 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -10,8 +10,8 @@ USER root
 RUN apt-get update && apt-get install -y gpg 
 
 RUN mkdir -p /dist/letsencrypt/usr/local/bin/ \
-             /dist/letsencrypt/var/www/dehydrated \
              /dist/letsencrypt/static/.well-known/acme-challenge \
+             /dist/letsencrypt/dehydrated \
              /dist/tomcat-reloading-connector \
              /dist/lib/usr/local/lib 
 
@@ -31,7 +31,11 @@ RUN mv /tmp/dehydrated-*/dehydrated /dist/letsencrypt/usr/local/bin/dehydrated
 COPY meta-entrypoint.sh /dist/letsencrypt/
 COPY etc /dist/letsencrypt/etc
 RUN mkdir /dist/letsencrypt/certs/
-RUN chmod -R 770 /dist
+# Make certain dirs writable
+RUN chmod -R 770 /dist/letsencrypt/certs/ \
+                 /dist/letsencrypt/static/.well-known/acme-challenge \
+                 /dist/letsencrypt/dehydrated \
+                 /dist/letsencrypt/meta-entrypoint.sh
 
 # Add Tomcat APR Protocol that is able of reloading certificates at runtime
 RUN curl --fail -L https://keybase.io/schnatterer/pgp_keys.asc | gpg --import 

diff --git a/README.md b/README.md
@@ -24,10 +24,11 @@ It's a mere container were you can copy the components needed for your app.
 It contains the following directories:
 
 * `/letsencrypt` necessary for all apps:
-  * `dehydrated` for cert retrival
-  * `dumb-init` for properly handling your main process and the certificate process
+  * [`dehydrated`](http://dehydrated.io/) for cert retrival
+  * [`dumb-init`](https://github.com/Yelp/dumb-init) for properly handling your main process and the certificate process
   * `meta-entrypoint.sh` for launching the processes
-* `/tomcat-reloading-connector` necessary for standalone tomcat instances so they can reload the certificate at runtime  
+* `[/tomcat-reloading-connector](https://github.com/schnatterer/tomcat-reloading-connector)` necessary for standalone 
+  tomcat instances, so they can reload the certificate at runtime  
   See [standalone example](examples/standalone).
 * `/lib` - pre-compiled version of Apache Portable Runtime (APR) and JNI wrappers for APR used by Tomcat (libtcnative).  
   Requires glibc and openssl (works with debian images, for example).  

diff --git a/etc/dehydrated/config b/etc/dehydrated/config
@@ -1,4 +1,4 @@
 # See https://github.com/dehydrated-io/dehydrated/blob/master/docs/examples/config
 
-# If we could set this via a param we wouldn't need this config file at all (except for staging maybe)
 WELLKNOWN="/static/.well-known/acme-challenge"
+BASEDIR="/dehydrated"