Clever Geek Handbook

Docker compose: make sure level is set before running CMD

I have built a container with nginx and some configuration for HTTPS inside it. Certificates are generated automatically by another container using https://letsencrypt.org/ . The nginx container also provides some default self-signed certificates for use until the certbot container generates good ones. This is how my config looks like:

version: '2'

services:
  # Nginx, the master of puppets, listens in port 80
  nginx:
    image: mycompany/nginx:v1.2.8
    depends_on: [api, admin, front, postgres, redis, certbot]
    ports: ["80:80", "443:443"]
    volumes:
      - acme_challenge:/var/www/acme_challenge
      - ssl_certs:/var/certs
    environment:
      ACME_CHALLENGE_PATH: /var/www/acme_challenge

      # Where will the container put the default certs
      DEFAULT_SSL_CERTS_PATH: /var/default_certs

      # Use temporary self signed keys by default
      SSL_CERTIFICATE:     /var/default_certs/selfsigned.crt
      SSL_CERTIFICATE_KEY: /var/default_certs/selfsigned.key

      # Once certbot generates certs I change config to this and recreate the container
      # SSL_CERTIFICATE:     /var/cerst/mycompany.com/fullchain.pem
      # SSL_CERTIFICATE_KEY: /var/certs/mycompany.com/privkey.pem

  # Certbot renews SSL certificates periodically
  certbot:
    image: mycompany/certbot:v1.0.9
    restart: on-failure:3
    environment:
      - WEBROOT_PATH=/var/www/acme_challenge
      - SIGNING_EMAIL=info@yavende.com
      - DOMAINS=mycompany.com, api.mycompany.com
    volumes:
      - acme_challenge:/var/www/acme_challenge
      - ssl_certs:/etc/letsencrypt/live

volumes:
  acme_challenge:
  ssl_certs:

This is more or less how the stuff works:

  • Nginx container configured to use some self-signed certificates
  • docker compose up -d

    runs certbot and nginx in parallel.
  • In the meantime, certbot starts the process of generating certificates. Let's assume it succeeded.

  • After a while, I attach to the nginx container and run ls /var/certs

    and the certbot certificates are stored there. Nice!

  • I am modifying the nginx container config to use these new certificates (via env vars SSL_CERTIFICATE *) and recreate the container.

  • Nginx won't start because there are no files there even when I know there are files (verified with many methods)

I suspect that the image ( CMD

) command runs regardless of whether the volumes are still attached to the container or not. It's true? Do I have to write multiple bash to wait until these files are present?

+3


source to share


1 answer


Disclaimer: This is a plugin for my own docker image.

I made a very good nginx based docker image for this specific purpose, with features like automatic letencrypt management, HTTP basic auth, virtual hosts, etc., controlled by passing a simple json configuration through an environment variable. I am using it in production, so it is stable.

You can find it here and it's in tcjn/json-webrouter

on the docker hub.



All you have to do is pass something like this to your CONFIG environment variable:

{"servers": [
          {"ServerName": "example.com", "Target": "192.168.2.52:32407", "Https": true},
          {"ServerName": "*.example.com", "Target": "192.168.2.52:4444", "Https": true},
          {"ServerName": "secret.example.com", "Target": "192.168.2.52:34505", "Https": true, "Auth": {"Realm": "Login for secret stuff", "Set": "secret_users"}}
        ], "auth": {
          "secret_users": {"bob": "HASH GENERATED BY openssl passwd"}
        }}

And yes, it is as easy as "Https": true

. You can find all the possible options in the github repo .

+1


source






More articles:


All Articles