Release Docker images for marathon-acme.

Arguments can be provided to the container to configure marathon-acme:
```
$ docker run --rm praekeltfoundation/marathon-acme --help
usage: marathon-acme [-h] [-a ACME] [-e EMAIL] [-m MARATHON[,MARATHON,...]]
                     [-l LB[,LB,...]] [-g GROUP] [--allow-multiple-certs]
                     [--listen LISTEN]
                     [--log-level {debug,info,warn,error,critical}]
                     storage-dir

Automatically manage ACME certificates for Marathon apps
...
```
By default, this Docker image stores certificates in /var/lib/marathon-acme, which is advertised as a volume. It exposes port 8000.
In most cases, marathon-acme should be run using Marathon itself. Here is an example of an app definition (the storage directory given as the last argument is the same path that the named volume is mounted at, so certificates survive container restarts):

```json
{
  "id": "/marathon-acme",
  "cpus": 0.01,
  "mem": 128.0,
  "args": [
    "--email", "[email protected]",
    "--marathon", "http://marathon1:8080,http://marathon2:8080,http://marathon3:8080",
    "--lb", "http://lb1:9090,http://lb2:9090",
    "/var/lib/marathon-acme"
  ],
  "labels": {
    "HAPROXY_GROUP": "external",
    "HAPROXY_0_VHOST": "marathon-acme.example.com",
    "HAPROXY_0_BACKEND_WEIGHT": "1",
    "HAPROXY_0_PATH": "/.well-known/acme-challenge/",
    "HAPROXY_0_HTTP_FRONTEND_ACL_WITH_PATH": "  acl host_{cleanedUpHostname} hdr(host) -i {hostname}\n  acl path_{backend} path_beg {path}\n  redirect prefix http://{hostname} code 302 if !host_{cleanedUpHostname} path_{backend}\n  use_backend {backend} if host_{cleanedUpHostname} path_{backend}\n"
  },
  "container": {
    "type": "DOCKER",
    "docker": {
      "image": "praekeltfoundation/marathon-acme",
      "network": "BRIDGE",
      "portMappings": [
        { "containerPort": 8000, "hostPort": 0 }
      ],
      "parameters": [
        {
          "value": "my-volume-driver",
          "key": "volume-driver"
        },
        {
          "value": "marathon-acme-certs:/var/lib/marathon-acme",
          "key": "volume"
        }
      ]
    }
  }
}
```
Please see the marathon-acme repository for more information about configuration.

By default, marathon-acme will run as root inside its container. Because marathon-acme will usually be set up to store certificates in a networked storage volume, filesystem permissions would get complicated if we were to create and use a lesser-privileged user inside the container.

However, a user can be specified to switch to when running marathon-acme, using the MARATHON_ACME_USER environment variable. It is up to you to make sure that user has the correct filesystem permissions within whatever networked storage you use.

The value of the MARATHON_ACME_USER variable is of the same format as that provided to the USER Dockerfile directive. You could either switch to an explicit, known-good UID/GID (without the user necessarily existing) or create a new image based on this one that creates the user/group that you want.