From 6e8224011c36dd8388d92035ba57b267afe84a70 Mon Sep 17 00:00:00 2001
From: Josh Klar
Date: Tue, 28 Feb 2023 11:30:12 -0800
Subject: [PATCH] docker: Restore ability to generate SSL certs with LetsEncrypt.

Zulip Server 4.9+ regressed Docker setups by always creating a /etc/letsencrypt directory in the top layer of the Docker container, meaning it couldn't be symlinked over from the volume mount. Since that volume mount has useful properties (providing and/or overriding LetsEncrypt setting), restore it and copy the in-image configs into the volume as defaults if and only if those files don't already exist in the volume. Fixes #381.
---
 Dockerfile | 12 +++++++++++-
 entrypoint.sh | 10 +++++++++-
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 8d85b83bce..dd45b7873d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -73,7 +73,17 @@ RUN \
     rm -f /etc/zulip/zulip-secrets.conf /etc/zulip/settings.py && \
     apt-get -qq autoremove --purge -y && \
     apt-get -qq clean && \
-    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \
+    mv /etc/letsencrypt /etc/letsencrypt.zulip
+# ^ Zulip Server installs LetsEncrypt with some default settings. We want to
+# allow /etc/letsencrypt to be volume mountable from the host while retaining
+# these settings unless overridden, so let's unclobber this path so that
+# entrypoint.sh can symlink from the volume mount and repopulate any missing
+# default files.
+#
+# This incantation must be part of the same layer that creates
+# /etc/letsencrypt/renewal-hooks to avoid Directory Not Empty / Invalid
+# Argument errors attempting to rename or unlink it.
 
 COPY entrypoint.sh /sbin/entrypoint.sh
 COPY certbot-deploy-hook /sbin/certbot-deploy-hook
diff --git a/entrypoint.sh b/entrypoint.sh
index 77ff692bd0..813a8f6ce8 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -51,7 +51,15 @@ SETTINGS_PY="/etc/zulip/settings.py"
 # === initialConfiguration ===
 prepareDirectories() {
     mkdir -p "$DATA_DIR" "$DATA_DIR/backups" "$DATA_DIR/certs" "$DATA_DIR/letsencrypt" "$DATA_DIR/uploads"
-    [ -e /etc/letsencrypt ] || ln -ns "$DATA_DIR/letsencrypt" /etc/letsencrypt
+
+    # See commentary in the Dockerfile about this process.
+    if [ -e /etc/letsencrypt ]; then
+        echo "Found unexpected /etc/letsencrypt in the Docker image, are you using the latest build?" >&2
+        exit 1
+    fi
+    ln -s "${DATA_DIR}/letsencrypt" /etc/letsencrypt
+    cp -an /etc/letsencrypt.zulip/* /etc/letsencrypt/
+
     echo "Preparing and linking the uploads folder ..."
     rm -rf /home/zulip/uploads
     ln -sfT "$DATA_DIR/uploads" /home/zulip/uploads
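Review bot: The new `exit 1` fires whenever `/etc/letsencrypt` exists, and after the first run it does exist — the `ln -s` on the following line leaves a symlink in the container's writable layer, so if prepareDirectories is invoked again on a plain container restart (its caller is outside this hunk) every restart would abort with the misleading "are you using the latest build?" message, which the removed `[ -e … ] || ln -ns` form tolerated. Distinguish a directory baked into the image from the symlink this script itself creates, and make the link idempotent: `if [ -e /etc/letsencrypt ] && [ ! -L /etc/letsencrypt ]; then` and `ln -sfn "${DATA_DIR}/letsencrypt" /etc/letsencrypt`. The `cp -an /etc/letsencrypt.zulip/* /etc/letsencrypt/` line also deserves a one-line comment stating that `-n` is what keeps operator-supplied files in the host volume from being overwritten by the image defaults, and that the unquoted glob skips dotfiles and fails if the source directory is empty. prepareDirectories continues past the end of the hunk.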