author | ohemorange <ebportnoy@gmail.com> | 2020-08-07 02:46:17 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-08-07 02:46:17 +0300 |
commit | 22730dc0acfcb68fad0953d107b0beab9cde12dd (patch) | |
tree | af5adbf7a3e3a180b02939a876a8b9c24d4122ca | |
parent | 086e6c46b6f4d946df700e881980e2b06faafc77 (diff) | |
parent | 271be07267d0f54bd4f5e245036be52d76be9aba (diff) |
Merge pull request #8192 from certbot/docker-base
Add certbot-docker files to this repository preserving history
-rw-r--r-- | tools/docker/LICENSE.txt | 190 | ||||
-rw-r--r-- | tools/docker/README.md | 80 | ||||
-rwxr-xr-x | tools/docker/build.sh | 63 | ||||
-rw-r--r-- | tools/docker/core/.gitignore | 1 | ||||
-rw-r--r-- | tools/docker/core/Dockerfile | 54 | ||||
-rw-r--r-- | tools/docker/core/README.md | 26 | ||||
-rw-r--r-- | tools/docker/core/hooks/build | 11 | ||||
-rw-r--r-- | tools/docker/core/hooks/post_push | 12 | ||||
-rwxr-xr-x | tools/docker/core/hooks/pre_build | 10 | ||||
-rw-r--r-- | tools/docker/core/hooks/push | 11 | ||||
-rwxr-xr-x | tools/docker/deploy.sh | 35 | ||||
-rw-r--r-- | tools/docker/lib/common | 142 | ||||
-rw-r--r-- | tools/docker/plugin/.gitignore | 1 | ||||
-rw-r--r-- | tools/docker/plugin/Dockerfile | 20 | ||||
-rw-r--r-- | tools/docker/plugin/README.md | 13 | ||||
-rw-r--r-- | tools/docker/plugin/hooks/build | 12 | ||||
-rw-r--r-- | tools/docker/plugin/hooks/post_push | 12 | ||||
-rw-r--r-- | tools/docker/plugin/hooks/pre_build | 10 | ||||
-rw-r--r-- | tools/docker/plugin/hooks/push | 11 |
19 files changed, 714 insertions, 0 deletions
diff --git a/tools/docker/LICENSE.txt b/tools/docker/LICENSE.txt new file mode 100644 index 000000000..9c14e2b17 --- /dev/null +++ b/tools/docker/LICENSE.txt 
@@ -0,0 +1,190 @@ + Copyright 2019 Electronic Frontier Foundation and others + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. 
+ + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." 
+ + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. 
You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. 
+ + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. 
In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS diff --git a/tools/docker/README.md b/tools/docker/README.md new file mode 100644 index 000000000..f4b9c6de4 --- /dev/null +++ b/tools/docker/README.md 
@@ -0,0 +1,80 @@ +Running Certbot in Docker +========================= + +Docker is an amazingly simple and quick way to obtain a certificate. However, this mode of operation is unable to install certificates automatically or configure your webserver, because our installer plugins cannot reach your webserver from inside the Docker container. + +**Most users should install Certbot by following the installation instructions at https://certbot.eff.org/instructions. You should only use Docker if you are sure you know what you are doing (you understand [volumes](https://docs.docker.com/storage/volumes/)) and have a good reason to do so, such as following the [one service per container rule](https://docs.docker.com/config/containers/multi-service_container/).** + +For more information, please read [Certbot - Running with Docker](https://certbot.eff.org/docs/install.html#running-with-docker). + +Certbot-Docker project +====================== + +Goal +---- + +This project is used to publish a new version of the official Certbot Docker and related Certbot DNS plugins Dockers on DockerHub upon release of a new version of Certbot. +It leverages the AutoBuild features of DockerHub to coordinate this publication through a continous integration/deployment approach. + +High-level behavior +------------------- + +When a new version tag (eg. v0.35.0) is pushed to this repository, it triggers a new build in each DockerHub project, to construct and publish the new version of the Docker +containing the Certbot version corresponding to the pushed tag. For example, after following the instructions for v0.35.0 below, after a few minutes the DockerHub projects will contain a new tag "v0.35.0", +whose Docker contains Certbot v0.35.0. + +Configuration +------------- + +To set up the publication process, the target DockerHub project must be configured appropriately. There are two types of DockerHub projects to take into account: +* the Docker project for Certbot core features (eg. 
certbot/certbot) +* a Docker project for Certbot DNS plugins (eg. certbot/dns-rfc2136) + +1) Define a GitHub user with push rights to the current GIT repository. +2) Create the DockerHub project if necessary. +3) Activate the AutoBuild feature, using the current GIT repository as source (eg. https://github.com/certbot-docker/certbot-docker.git) and the user defined in 1). +4) Define a unique tag build rule in AutoBuild configuration: + + _For a Certbot core Docker_ -> Source: `/^(v[0-9.]+).*$/`, Tag: `{\1}`, Dockerfile: `Dockerfile`, Build context: `/core` + + _For a Certbot DNS plugin Docker_ -> Source: `/^(v[0-9.]+).*$/`, Tag: `{\1}`, Dockerfile: `Dockerfile`, Build context: `/plugin` + +Publication worfklow +------------------- + +Assuming the version to publish is `v0.35.0` + +1) Clone this repository locally, check out branch `master`, and ensure the workspace is clean. +2) (Optional) Execute `./build.sh v0.35.0` to test the Docker builds. +3) Execute `./deploy.sh v0.35.0` to trigger the publication of all Dockers with version `v0.35.0`. + +Scripts usage +------------- + +``` +./build.sh [VERSION] +``` + +This script will locally build all Dockers for the given version using the same runtime as DockerHub. +This can be used to test the build process before invoking the actual publication workflow. + +``` +./deploy.sh [VERSION] +``` + +This script will trigger the publication of all Dockers for the given version to DockerHub. To do so, this script will: +- update the relevant `README.md` files that will be used as descriptions in the DockerHub repositories, +- locally commit the modifications, +- tag this commit with the given version, +- push this tag and the updated `master` branch. + +Assuming the version to publish is `v0.35.0`, the following docker images will be created at DockerHub. 
+ +- certbot/certbot:v0.35.0 *(amd64 architecture)* +- certbot/certbot:amd64-v0.35.0 +- certbot/certbot:arm32v6-v0.35.0 +- certbot/certbot:arm64v8-v0.35.0 +- certbot/certbot:latest *(amd64 architecture)* +- certbot/certbot:amd64-latest +- certbot/certbot:arm32v6-latest +- certbot/certbot:arm64v8-latest diff --git a/tools/docker/build.sh b/tools/docker/build.sh new file mode 100755 index 000000000..765aa79c5 --- /dev/null +++ b/tools/docker/build.sh 
@@ -0,0 +1,63 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+# This script builds certbot docker and certbot dns plugins docker against a given release version of certbot.
+# The build is done following the environment used by Dockerhub to handle its autobuild feature, and so can be
+# used as a pre-deployment validation test.
+
+# Usage: ./build.sh [VERSION]
+# with [VERSION] corresponding to a released version of certbot, like `v0.34.0`
+
+trap Cleanup 1 2 3 6
+
+Cleanup() {
+ if [ ! -z "$WORK_DIR" ]; then
+ rm -rf "$WORK_DIR"/core/qemu-*-static || true
+ rm -rf "$WORK_DIR"/plugin/qemu-*-static || true
+ fi
+ popd 2> /dev/null || true
+}
+
+Build() {
+ DOCKER_REPO="$1"
+ CERTBOT_VERSION="$2"
+ CONTEXT_PATH="$3"
+ DOCKERFILE_PATH="$CONTEXT_PATH/Dockerfile"
+ DOCKER_TAG="$CERTBOT_VERSION"
+ pushd "$CONTEXT_PATH"
+ DOCKER_TAG="$DOCKER_TAG" DOCKER_REPO="$DOCKER_REPO" DOCKERFILE_PATH="$DOCKERFILE_PATH" bash hooks/pre_build
+ DOCKER_TAG="$DOCKER_TAG" DOCKER_REPO="$DOCKER_REPO" DOCKERFILE_PATH="$DOCKERFILE_PATH" bash hooks/build
+ popd
+}
+
+WORK_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
+
+CERTBOT_VERSION="$1"
+
+# Step 1: Certbot core Docker
+Build "certbot/certbot" "$CERTBOT_VERSION" "$WORK_DIR/core"
+
+# Step 2: Certbot dns plugins Dockers
+CERTBOT_PLUGINS_DOCKER_REPOS=(
+ "certbot/dns-dnsmadeeasy"
+ "certbot/dns-dnsimple"
+ "certbot/dns-ovh"
+ "certbot/dns-cloudflare"
+ "certbot/dns-cloudxns"
+ "certbot/dns-digitalocean"
+ "certbot/dns-google"
+ "certbot/dns-luadns"
+ "certbot/dns-nsone"
+ "certbot/dns-rfc2136"
+ "certbot/dns-route53"
+ "certbot/dns-gehirn"
+ "certbot/dns-linode"
+ "certbot/dns-sakuracloud"
+)
+
+for DOCKER_REPO in "${CERTBOT_PLUGINS_DOCKER_REPOS[@]}"; do
+ Build "${DOCKER_REPO}" "$CERTBOT_VERSION" "$WORK_DIR/plugin"
+done
+
+Cleanup
diff --git a/tools/docker/core/.gitignore b/tools/docker/core/.gitignore
new file mode 100644
index 000000000..4cc493afa
--- /dev/null
+++ b/tools/docker/core/.gitignore
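Review bot: Cleanup is only wired to signals 1/2/3/6 and to the last line of the script, so any failure under `set -e` (a hook exiting non-zero inside Build) leaves the downloaded `qemu-*-static` binaries in core/ and plugin/ and the `pushd` directory unpopped; registering it as an EXIT trap covers both paths, `trap Cleanup EXIT`. The trap is installed before `WORK_DIR` is assigned while `set -u` is on, so a signal arriving during the first lines would make `"$WORK_DIR"` fail as unbound inside the handler; `if [ -n "${WORK_DIR:-}" ]; then` keeps it safe. `CERTBOT_VERSION="$1"` has no usage check, so a missing argument surfaces as an unbound-variable error rather than the usage line documented in the header comment; `: "${1:?usage: $0 VERSION}"` before it would do.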
@@ -0,0 +1 @@
+qemu-*-static
diff --git a/tools/docker/core/Dockerfile b/tools/docker/core/Dockerfile
new file mode 100644
index 000000000..a0dfb1c51
--- /dev/null
+++ b/tools/docker/core/Dockerfile
@@ -0,0 +1,54 @@
+# Docker Arch (amd64, arm32v6, ...)
+ARG TARGET_ARCH
+FROM ${TARGET_ARCH}/python:3.8-alpine3.12
+
+# Qemu Arch (x86_64, arm, ...)
+ARG QEMU_ARCH
+ENV QEMU_ARCH=${QEMU_ARCH}
+COPY qemu-${QEMU_ARCH}-static /usr/bin/
+
+ARG CERTBOT_VERSION
+ENV CERTBOT_VERSION=${CERTBOT_VERSION}
+
+ENTRYPOINT [ "certbot" ]
+EXPOSE 80 443
+VOLUME /etc/letsencrypt /var/lib/letsencrypt
+WORKDIR /opt/certbot
+
+# Retrieve certbot code
+RUN mkdir -p src \
+ && wget -O certbot-${CERTBOT_VERSION}.tar.gz https://github.com/certbot/certbot/archive/v${CERTBOT_VERSION}.tar.gz \
+ && tar xf certbot-${CERTBOT_VERSION}.tar.gz \
+ && cp certbot-${CERTBOT_VERSION}/CHANGELOG.md certbot-${CERTBOT_VERSION}/README.rst src/ \
+ && cp certbot-${CERTBOT_VERSION}/letsencrypt-auto-source/pieces/dependency-requirements.txt . \
+ && cp certbot-${CERTBOT_VERSION}/letsencrypt-auto-source/pieces/pipstrap.py . \
+ && cp -r certbot-${CERTBOT_VERSION}/tools tools \
+ && cp -r certbot-${CERTBOT_VERSION}/acme src/acme \
+ && cp -r certbot-${CERTBOT_VERSION}/certbot src/certbot \
+ && rm -rf certbot-${CERTBOT_VERSION}.tar.gz certbot-${CERTBOT_VERSION}
+
+# Generate constraints file to pin dependency versions
+RUN cat dependency-requirements.txt | tools/strip_hashes.py > unhashed_requirements.txt \
+ && cat tools/dev_constraints.txt unhashed_requirements.txt | tools/merge_requirements.py > docker_constraints.txt
+
+# Install certbot runtime dependencies
+RUN apk add --no-cache --virtual .certbot-deps \
+ libffi \
+ libssl1.1 \
+ openssl \
+ ca-certificates \
+ binutils
+
+# Install certbot from sources
+RUN apk add --no-cache --virtual .build-deps \
+ gcc \
+ linux-headers \
+ openssl-dev \
+ musl-dev \
+ libffi-dev \
+ && python pipstrap.py \
+ && pip install -r dependency-requirements.txt \
+ && pip install --no-cache-dir --no-deps \
+ --editable src/acme \
+ --editable src/certbot \
+&& apk del .build-deps
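Review bot: The source archive on the `wget` line is fetched from a tag-derived URL with no integrity check, so the build trusts whatever `v${CERTBOT_VERSION}` resolves to at build time (tags are movable and GitHub-generated archives are not signed); verifying a known digest right after the download, e.g. `echo "<EXPECTED_SHA256>  certbot-${CERTBOT_VERSION}.tar.gz" | sha256sum -c -` with the placeholder filled from the release, or building from a commit id, would make the image reproducible. The `pip install -r dependency-requirements.txt` step presumably stays hash-pinned (the later `tools/strip_hashes.py` call suggests that file carries hashes), which is the model worth extending to the archive. The `COPY qemu-${QEMU_ARCH}-static /usr/bin/` emulator remains in the published image; if it is only needed while building, dropping it in a final layer or using a multi-stage build would shrink the image and its surface.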
diff --git a/tools/docker/core/README.md b/tools/docker/core/README.md
new file mode 100644
index 000000000..9267b8cc4
--- /dev/null
+++ b/tools/docker/core/README.md
@@ -0,0 +1,26 @@
+# ![](https://certbot.eff.org/images/certbot-logo-1A.svg)
+[![](https://img.shields.io/badge/current-v1.7.0-blue.svg)](https://github.com/certbot/certbot.git) [![](https://travis-ci.com/certbot/certbot.svg?branch=1.7.x)](https://travis-ci.com/certbot/certbot)
+
+This is the Docker repository for Certbot Core.
+
+## Certbot DNS plugins
+
+* [dns-dnsmadeeasy](https://hub.docker.com/r/certbot/dns-dnsmadeeasy)
+* [dns-dnsimple](https://hub.docker.com/r/certbot/dns-dnsimple)
+* [dns-ovh](https://hub.docker.com/r/certbot/dns-ovh)
+* [dns-cloudflare](https://hub.docker.com/r/certbot/dns-cloudflare)
+* [dns-cloudxns](https://hub.docker.com/r/certbot/dns-cloudxns)
+* [dns-digitalocean](https://hub.docker.com/r/certbot/dns-digitalocean)
+* [dns-google](https://hub.docker.com/r/certbot/dns-google)
+* [dns-luadns](https://hub.docker.com/r/certbot/dns-luadns)
+* [dns-nsone](https://hub.docker.com/r/certbot/dns-nsone)
+* [dns-rfc2136](https://hub.docker.com/r/certbot/dns-rfc2136)
+* [dns-route53](https://hub.docker.com/r/certbot/dns-route53)
+* [dns-gehirn](https://hub.docker.com/r/certbot/dns-gehirn)
+* [dns-linode](https://hub.docker.com/r/certbot/dns-linode)
+* [dns-sakuracloud](https://hub.docker.com/r/certbot/dns-sakuracloud)
+
+## Sources:
+
+* [docker](https://www.github.com/certbot-docker/certbot-docker.git)
+* [certbot](https://www.github.com/certbot/certbot.git)
diff --git a/tools/docker/core/hooks/build b/tools/docker/core/hooks/build
new file mode 100644
index 000000000..9f3f035d9
--- /dev/null
+++ b/tools/docker/core/hooks/build
@@ -0,0 +1,11 @@
+#!/bin/bash
+set -ex
+
+WORK_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
+source "$WORK_DIR/../../lib/common"
+
+CERTBOT_VERSION=$(GetCerbotVersionFromTag "$DOCKER_TAG")
+
+for TARGET_ARCH in "${ALL_TARGET_ARCH[@]}"; do
+ BuildDockerCoreImage "${TARGET_ARCH}" "${CERTBOT_VERSION}"
+done
diff --git a/tools/docker/core/hooks/post_push b/tools/docker/core/hooks/post_push
new file mode 100644
index 000000000..6bac191fd
--- /dev/null
+++ b/tools/docker/core/hooks/post_push
@@ -0,0 +1,12 @@
+#!/bin/bash
+set -ex
+
+WORK_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
+source "$WORK_DIR/../../lib/common"
+
+CERTBOT_VERSION=$(GetCerbotVersionFromTag "$DOCKER_TAG")
+
+for TARGET_ARCH in "${ALL_TARGET_ARCH[@]}"; do
+ TagDockerImageAliases "${TARGET_ARCH}" "${CERTBOT_VERSION}"
+ PushDockerImageAliases "${TARGET_ARCH}" "${CERTBOT_VERSION}"
+done
diff --git a/tools/docker/core/hooks/pre_build b/tools/docker/core/hooks/pre_build
new file mode 100755
index 000000000..723e35161
--- /dev/null
+++ b/tools/docker/core/hooks/pre_build
@@ -0,0 +1,10 @@
+#!/bin/bash
+set -ex
+
+WORK_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
+source "$WORK_DIR/../../lib/common"
+
+RegisterQemuHandlers
+for TARGET_ARCH in "${ALL_TARGET_ARCH[@]}"; do
+ DownloadQemuStatic "${TARGET_ARCH}"
+done
diff --git a/tools/docker/core/hooks/push b/tools/docker/core/hooks/push
new file mode 100644
index 000000000..4dc5ea080
--- /dev/null
+++ b/tools/docker/core/hooks/push
@@ -0,0 +1,11 @@
+#!/bin/bash
+set -ex
+
+WORK_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
+source "$WORK_DIR/../../lib/common"
+
+CERTBOT_VERSION=$(GetCerbotVersionFromTag "$DOCKER_TAG")
+
+for TARGET_ARCH in "${ALL_TARGET_ARCH[@]}"; do
+ PushDockerImage "${TARGET_ARCH}" "${CERTBOT_VERSION}"
+done
diff --git a/tools/docker/deploy.sh b/tools/docker/deploy.sh
new file mode 100755
index 000000000..9ff4f52e5
--- /dev/null
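Review bot: `DOCKER_TAG`, `DOCKER_REPO` and `DOCKERFILE_PATH` are taken from the environment without any check and `set -ex` has no `-u`, so an empty `DOCKER_TAG` makes `GetCerbotVersionFromTag` return an empty string and the loop goes on to build (and, in post_push and push, tag and push) images named `${DOCKER_REPO}:amd64-v`; adding `: "${DOCKER_TAG:?DOCKER_TAG must be set}"` after the `source` line, or switching to `set -eux`, fails fast instead. The same applies to core/hooks/post_push, core/hooks/push and the plugin hooks build, post_push and push in this commit. core/hooks/pre_build and plugin/hooks/pre_build are byte-identical (blob 723e35161), as are the two post_push (6bac191fd) and push (4dc5ea080) files; a one-line header comment saying the copies must be kept in sync, or having each hook delegate to one shared script, would prevent silent drift between the core and plugin pipelines.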
+++ b/tools/docker/deploy.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+# This script deploys a new version of certbot dockers (core+plugins) regarding a released version of Certbot.
+# The README.md is updated to include the reference of this new version, and a tag version is pushed to the
+# Certbot Docker repository, triggering the DockerHub autobuild feature that will take care of the release.
+
+# Usage: ./deploy.sh [VERSION]
+# with [VERSION] corresponding to a released version of certbot, like `v0.34.0`
+
+trap Cleanup 1 2 3 6
+
+Cleanup() {
+ popd 2> /dev/null || true
+}
+
+WORK_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
+
+CERTBOT_DOCKER_VERSION="$1" # Eg. v0.35.0 or v0.35.0-1
+CERTBOT_VERSION=$(sed -E -e 's|(v[0-9+]\.[0-9]+\.[0-9]+).*|\1|g' <<< "$CERTBOT_DOCKER_VERSION") # Eg. v0.35.0
+BRANCH_NAME=$(sed -E -e 's|v(.*)\.[0-9]+|\1.x|g' <<< "$CERTBOT_VERSION") # Eg. 0.35.x
+
+sed -i -e "s|current-.*-blue\\.svg|current-$CERTBOT_VERSION-blue.svg|g" core/README.md
+sed -i -e "s|branch=.*)\\]|branch=$BRANCH_NAME)]|g" core/README.md
+
+sed -i -e "s|current-.*-blue\\.svg|current-$CERTBOT_VERSION-blue.svg|g" plugin/README.md
+sed -i -e "s|branch=.*)\\]|branch=$BRANCH_NAME)]|g" plugin/README.md
+
+pushd "$WORK_DIR"
+ git commit -a -m "Release version $CERTBOT_DOCKER_VERSION" --allow-empty
+ git tag "$CERTBOT_DOCKER_VERSION"
+ git push
+ git push --tags
+popd
diff --git a/tools/docker/lib/common b/tools/docker/lib/common
new file mode 100644
index 000000000..35f473603
--- /dev/null
+++ b/tools/docker/lib/common
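Review bot: The `CERTBOT_VERSION` sed pattern uses `[0-9+]`, a bracket expression matching one digit or a literal `+`, where `[0-9]+` was meant, so a major version with two or more digits (constructed example: `v10.0.0-1`) does not match, `CERTBOT_VERSION` keeps the whole docker version, and that value then feeds both README badges and `BRANCH_NAME`; the intended line is `CERTBOT_VERSION=$(sed -E -e 's|(v[0-9]+\.[0-9]+\.[0-9]+).*|\1|g' <<< "$CERTBOT_DOCKER_VERSION")`. The four `sed -i` calls address `core/README.md` and `plugin/README.md` relative to the caller's working directory while `pushd "$WORK_DIR"` only happens afterwards, so running the script from anywhere but tools/docker aborts on a missing file; prefixing the paths with `"$WORK_DIR/"` or moving the pushd above them fixes that. `git push` with no refspec pushes whichever branch is checked out and `git push --tags` pushes every local tag, so `git push origin master "$CERTBOT_DOCKER_VERSION"` would limit the publication to the branch and tag the README describes, and `git commit -a` will also sweep any unrelated modified tracked file into the release commit, which is worth a comment or a cleanliness check up front.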
@@ -0,0 +1,142 @@
+#!/bin/bash
+set -ex
+
+# Current supported architectures
+export ALL_TARGET_ARCH=(amd64 arm32v6 arm64v8)
+
+# Architecture used in tags with no architecture especified (certbot/certbot:latest, certbot/cerbot:v0.35.0, ...)
+export DEFAULT_ARCH=amd64
+
+# Returns certbot version (ex. v0.35.0 returns 0.35.0)
+# Usage: GetCerbotVersionFromTag <DOCKER_VERSION>
+GetCerbotVersionFromTag() {
+ TAG=$1
+ echo "${TAG//v/}"
+}
+
+# Returns the translation from Docker to QEMU architecture
+# Usage: GetQemuArch [amd64|arm32v6|arm64v8]
+GetQemuArch() {
+ ARCH=$1
+
+ case "$ARCH" in
+ "amd64")
+ echo "x86_64"
+ ;;
+ "arm32v6")
+ echo "arm"
+ ;;
+ "arm64v8")
+ echo "aarch64"
+ ;;
+ "*")
+ echo "Not supported build architecture '$1'." >&2
+ exit -1
+ esac
+}
+
+# Downloads QEMU static binary file for architecture
+# Usage: DownloadQemuStatic [x86_64|arm|aarch64]
+DownloadQemuStatic() {
+ ARCH=$1
+
+ QEMU_ARCH=$(GetQemuArch "$ARCH")
+ if [ ! -f "qemu-${QEMU_ARCH}-static" ]; then
+ QEMU_DOWNLOAD_URL="https://github.com/multiarch/qemu-user-static/releases/download"
+ QEMU_LATEST_TAG=$(curl -s https://api.github.com/repos/multiarch/qemu-user-static/tags \
+ | grep 'name.*v[0-9]' \
+ | head -n 1 \
+ | cut -d '"' -f 4)
+ curl -SL "${QEMU_DOWNLOAD_URL}/${QEMU_LATEST_TAG}/x86_64_qemu-$QEMU_ARCH-static.tar.gz" \
+ | tar xzv
+ fi
+}
+
+# Executes the QEMU register script
+# Usage: RegisterQemuHandlers
+RegisterQemuHandlers() {
+ docker run --rm --privileged multiarch/qemu-user-static:register --reset
+}
+
+# Builds docker certbot core image for a specific architecture and certbot version (ex. 0.35.0).
+# Usage: BuildDockerCoreImage [amd64|arm32v6|arm64v8] <CERTBOT_VERSION>
+BuildDockerCoreImage() {
+ ARCH=$1
+ VERSION=$2
+
+ QEMU=$(GetQemuArch "$ARCH")
+ docker build \
+ --build-arg CERTBOT_VERSION="${VERSION}" \
+ --build-arg TARGET_ARCH="${ARCH}" \
+ --build-arg QEMU_ARCH="${QEMU}" \
+ -f "${DOCKERFILE_PATH}" \
+ -t "${DOCKER_REPO}:${ARCH}-v${VERSION}" \
+ .
+}
+
+# Builds docker certbot plugin image for a specific architecture and certbot version (ex. 0.35.0).
+# Usage: BuildDockerPluginImage [amd64|arm32v6|arm64v8] <CERTBOT_VERSION> <PLUGIN_NAME>
+BuildDockerPluginImage() {
+ ARCH=$1
+ VERSION=$2
+ PLUGIN=$3
+
+ QEMU=$(GetQemuArch "$ARCH")
+ docker build \
+ --build-arg CERTBOT_VERSION="${VERSION}" \
+ --build-arg TARGET_ARCH="${ARCH}" \
+ --build-arg QEMU_ARCH="${QEMU}" \
+ --build-arg PLUGIN_NAME="${PLUGIN}" \
+ -f "${DOCKERFILE_PATH}" \
+ -t "${DOCKER_REPO}:${ARCH}-v${VERSION}" \
+ .
+}
+
+# Pushes docker image for a specific architecture and certbot version (ex. 0.35.0).
+# Usage: BuildDockerCoreImage [amd64|arm32v6|arm64v8] <CERTBOT_VERSION>
+PushDockerImage() {
+ ARCH=$1
+ VERSION=$2
+
+ docker push "${DOCKER_REPO}:${ARCH}-v${VERSION}"
+}
+
+# Creates docker image "latest" tag for a specific architecture and certbot version.
+# In case of default architecture, it also creates tags without architecture part.
+# As an example, for version 0.35.0 in amd64 (default arquitecture):
+# - certbot/certbot:v0.35.0
+# - certbot/certbot:latest
+# - certbot/certbot:amd64-latest
+# For version 0.35.0 in arm32v6:
+# - certbot/certbot:arm32v6-latest
+# Usage: TagDockerImageAliases [amd64|arm32v6|arm64v8] <CERTBOT_VERSION>
+TagDockerImageAliases() {
+ ARCH=$1
+ VERSION=$2
+
+ docker tag "${DOCKER_REPO}:${ARCH}-v${VERSION}" "${DOCKER_REPO}:${ARCH}-latest"
+ if [ "${ARCH}" == "${DEFAULT_ARCH}" ]; then
+ docker tag "${DOCKER_REPO}:${ARCH}-v${VERSION}" "${DOCKER_REPO}:v${VERSION}"
+ docker tag "${DOCKER_REPO}:${ARCH}-v${VERSION}" "${DOCKER_REPO}:latest"
+ fi
+}
+
+# Pushes docker "latest" image for a specific architecture and certbot version.
+# In case of default architecture, it also pushes image without architecture part.
+# As an example, for version 0.35.0 in amd64 (default arquitecture):
+# - certbot/certbot:v0.35.0
+# - certbot/certbot:latest
+# - certbot/certbot:amd64-latest
+# For version 0.35.0 in arm32v6:
+# - certbot/certbot:arm32v6-latest
+# Usage: PushDockerImageAliases [amd64|arm32v6|arm64v8] <CERTBOT_VERSION>
+PushDockerImageAliases() {
+ ARCH=$1
+ VERSION=$2
+
+ docker push "${DOCKER_REPO}:${ARCH}-latest"
+ if [ "${ARCH}" == "${DEFAULT_ARCH}" ]; then
+ docker push "${DOCKER_REPO}:v${VERSION}"
+ docker push "${DOCKER_REPO}:latest"
+ fi
+}
diff --git a/tools/docker/plugin/.gitignore b/tools/docker/plugin/.gitignore
new file mode 100644
index 000000000..4cc493afa
--- /dev/null
+++ b/tools/docker/plugin/.gitignore
@@ -0,0 +1 @@
+qemu-*-static
diff --git a/tools/docker/plugin/Dockerfile b/tools/docker/plugin/Dockerfile
new file mode 100644
index 000000000..9369ba0d3
--- /dev/null
+++ b/tools/docker/plugin/Dockerfile
@@ -0,0 +1,20 @@
+# Docker Arch (amd64, arm32v6, ...)
+ARG TARGET_ARCH
+ARG CERTBOT_VERSION
+FROM certbot/certbot:${TARGET_ARCH}-v${CERTBOT_VERSION}
+
+# Qemu Arch (x86_64, arm, ...)
+ARG QEMU_ARCH
+ENV QEMU_ARCH=${QEMU_ARCH}
+COPY qemu-${QEMU_ARCH}-static /usr/bin/
+
+ARG PLUGIN_NAME
+
+# Retrieve Certbot DNS plugin code
+RUN wget -O certbot-${CERTBOT_VERSION}.tar.gz https://github.com/certbot/certbot/archive/v${CERTBOT_VERSION}.tar.gz \
+ && tar xf certbot-${CERTBOT_VERSION}.tar.gz \
+ && cp -r certbot-${CERTBOT_VERSION}/certbot-${PLUGIN_NAME} /opt/certbot/src/certbot-${PLUGIN_NAME} \
+ && rm -rf certbot-${CERTBOT_VERSION}.tar.gz certbot-${CERTBOT_VERSION}
+
+# Install the DNS plugin
+RUN pip install --constraint /opt/certbot/docker_constraints.txt --no-cache-dir --editable /opt/certbot/src/certbot-${PLUGIN_NAME}
diff --git a/tools/docker/plugin/README.md b/tools/docker/plugin/README.md
new file mode 100644
index 000000000..446be8da8
--- /dev/null
+++ b/tools/docker/plugin/README.md
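Review bot: The fallback arm of the `case` in GetQemuArch is written as `"*")`, which matches only the literal string `*`, so an unsupported architecture prints nothing, the function returns 0, and callers continue with an empty `QEMU_ARCH` (a `qemu--static` file name and an empty `--build-arg QEMU_ARCH=`); it should read `*)`, and `exit -1` should be `exit 1`. DownloadQemuStatic picks the newest release by grep-parsing the GitHub API response behind `curl -s` (a failed request yields an empty `QEMU_LATEST_TAG` and a malformed URL rather than an error) and pipes an unverified tarball straight into `tar xzv`, while RegisterQemuHandlers runs a `--privileged` container from the floating `multiarch/qemu-user-static:register` tag; pinning a release tag plus a checksum for the tarball and an image digest for the register container would make the build reproducible and auditable. GetCerbotVersionFromTag's `${TAG//v/}` strips every `v` in the tag rather than the prefix, so `${TAG#v}` is the safer form. The Usage comment above PushDockerImage still names BuildDockerCoreImage.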
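Review bot: `ARG CERTBOT_VERSION` is declared before `FROM`, so it is out of scope for the `RUN` that fetches `v${CERTBOT_VERSION}.tar.gz`; the build works only because the base image exports `ENV CERTBOT_VERSION` (set in core/Dockerfile), an implicit coupling worth making explicit with a second `ARG CERTBOT_VERSION` right after the `FROM` line, or at least a comment such as `# CERTBOT_VERSION comes from the base image's ENV, not the build-arg above`. The base image already ships the same `qemu-${QEMU_ARCH}-static` in /usr/bin, so the `COPY` here only adds a layer. The tarball is again fetched without an integrity check, the same concern as for core/Dockerfile, and a digest comparison after the `wget` would close it.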
@@ -0,0 +1,13 @@
+# ![](https://certbot.eff.org/images/certbot-logo-1A.svg)
+[![](https://img.shields.io/badge/current-v1.7.0-blue.svg)](https://github.com/certbot/certbot.git) [![](https://travis-ci.com/certbot/certbot.svg?branch=1.7.x)](https://travis-ci.com/certbot/certbot)
+
+This is one of the Docker repository for the Certbot DNS plugins.
+
+## Certbot Core
+
+* [certbot](https://hub.docker.com/r/certbot/certbot)
+
+## Sources:
+
+* [docker](https://www.github.com/certbot-docker/certbot-docker.git)
+* [certbot](https://www.github.com/certbot/certbot.git)
diff --git a/tools/docker/plugin/hooks/build b/tools/docker/plugin/hooks/build
new file mode 100644
index 000000000..4545bbb3a
--- /dev/null
+++ b/tools/docker/plugin/hooks/build
@@ -0,0 +1,12 @@
+#!/bin/bash
+set -ex
+
+WORK_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
+source "$WORK_DIR/../../lib/common"
+
+CERTBOT_VERSION=$(GetCerbotVersionFromTag "$DOCKER_TAG")
+PLUGIN_NAME=${DOCKER_REPO//*\//}
+
+for TARGET_ARCH in "${ALL_TARGET_ARCH[@]}"; do
+ BuildDockerPluginImage "${TARGET_ARCH}" "${CERTBOT_VERSION}" "${PLUGIN_NAME}"
+done
diff --git a/tools/docker/plugin/hooks/post_push b/tools/docker/plugin/hooks/post_push
new file mode 100644
index 000000000..6bac191fd
--- /dev/null
+++ b/tools/docker/plugin/hooks/post_push
@@ -0,0 +1,12 @@
+#!/bin/bash
+set -ex
+
+WORK_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
+source "$WORK_DIR/../../lib/common"
+
+CERTBOT_VERSION=$(GetCerbotVersionFromTag "$DOCKER_TAG")
+
+for TARGET_ARCH in "${ALL_TARGET_ARCH[@]}"; do
+ TagDockerImageAliases "${TARGET_ARCH}" "${CERTBOT_VERSION}"
+ PushDockerImageAliases "${TARGET_ARCH}" "${CERTBOT_VERSION}"
+done
diff --git a/tools/docker/plugin/hooks/pre_build b/tools/docker/plugin/hooks/pre_build
new file mode 100644
index 000000000..723e35161
--- /dev/null
+++ b/tools/docker/plugin/hooks/pre_build
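Review bot: `PLUGIN_NAME=${DOCKER_REPO//*\//}` relies on the greedy `*` swallowing everything up to the last slash inside a replace-all expansion, which reads like a typo and is easy to mis-edit; the idiom for "strip through the last slash" is `PLUGIN_NAME=${DOCKER_REPO##*/}` and yields the same `dns-rfc2136` from `certbot/dns-rfc2136`. With `DOCKER_REPO` unset (no `-u` in `set -ex`) the line silently produces an empty plugin name that flows into `--build-arg PLUGIN_NAME=` and the image tag, so `: "${DOCKER_REPO:?DOCKER_REPO must be set}"` after the `source` line would fail fast instead.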
@@ -0,0 +1,10 @@
+#!/bin/bash
+set -ex
+
+WORK_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
+source "$WORK_DIR/../../lib/common"
+
+RegisterQemuHandlers
+for TARGET_ARCH in "${ALL_TARGET_ARCH[@]}"; do
+ DownloadQemuStatic "${TARGET_ARCH}"
+done
diff --git a/tools/docker/plugin/hooks/push b/tools/docker/plugin/hooks/push
new file mode 100644
index 000000000..4dc5ea080
--- /dev/null
+++ b/tools/docker/plugin/hooks/push
@@ -0,0 +1,11 @@
+#!/bin/bash
+set -ex
+
+WORK_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
+source "$WORK_DIR/../../lib/common"
+
+CERTBOT_VERSION=$(GetCerbotVersionFromTag "$DOCKER_TAG")
+
+for TARGET_ARCH in "${ALL_TARGET_ARCH[@]}"; do
+ PushDockerImage "${TARGET_ARCH}" "${CERTBOT_VERSION}"
+done |