haproxy-letsencrypt-docker.md
... ...
@@ -218,10 +218,10 @@ networks:
218 218
Here we have:
219 219
* The container_name is 'haproxy'. We'll be referring to this container name later on for sending signals when certs are renewed.
220 220
* The 'haproxy/bind' dir is mounted at /usr/local/etc/haproxy, so the haproxy.cfg file we created is in the right place for haproxy to read it. Mounted read-only, and with the 'Z' selinux flag (I'm running RedHat-ish host OSes here, so it's required - leave off the ',Z' if docker complains).
221
-* The letsencrypt volume is mounted at /etc/letsencrypt so haproxy can read the cert file
222
-* We're creating a user-defined network called 'haproxy' so we an talk to other containers
223
-* The high port numbers are mapped down to the usual 80/443
224
-* We're setting a non-priv UID to run as. Because [containers don't need to run as root](https://medium.com/@mccode/processes-in-containers-should-not-run-as-root-2feae3f0df3b)
221
+* The letsencrypt volume is mounted at /etc/letsencrypt so haproxy can read the cert file.
222
+* We're creating a user-defined network called 'haproxy' so we an talk to other containers.
223
+* The high port numbers are mapped down to the usual 80/443 .
224
+* We're setting a non-priv UID to run as. Because [containers don't need to run as root](https://medium.com/@mccode/processes-in-containers-should-not-run-as-root-2feae3f0df3b).
225 225
226 226
## Go!
227 227
Run that bad boy with `docker-compose up`. You should see some startup messages and hopefully no errors. haproxy might complain about the backends being down, but that's OK for now.
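Review bot: the typo "so we an talk to other containers" (line 222) survives the edit; it should read "so we can talk to other containers". The same bullet block also gains a stray space before the full stop in "80/443 ." (line 223), which the rest of the list does not have. One documentation point on the letsencrypt bullet (line 221): since haproxy only needs to read the cert, it would help to state whether that volume is mounted read-only in the same way the haproxy/bind dir is, so readers do not give the proxy write access to the certificate store by default.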
... ...
@@ -235,10 +235,10 @@ Bring haproxy back down with `docker-compose stop` so we've got a clean slate fo
235 235
# Stage 3 - automatic cert renewal
236 236
So far we've got haproxy up, with certs, and everything is just [tickety boo](https://en.wiktionary.org/wiki/tickety-boo).
237 237
Those certs only last for 90 days though, and we're not in the habit of breaking [rule 7](/rules#thou-shalt-automate-everything). We'll need a container that can:
238
-* See the certificates we already have
239
-* Renew them
240
-* Tell haproxy something has changed
241
-* Keep doing the above
238
+* See the certificates we already have.
239
+* Renew them.
240
+* Tell haproxy something has changed.
241
+* Keep doing the above.
242 242
243 243
## Dockerfile
244 244
We've already built the image for this in stage 1, so we're good to go.
... ...
@@ -283,11 +283,11 @@ networks:
283 283
haproxy:
284 284
```
285 285
What doing?
286
-* We're mounting the letsencrypt volume back up at /etc/letsencrypt
286
+* We're mounting the letsencrypt volume back up at /etc/letsencrypt .
287 287
* The docker socket from the host is mounted at /var/run/docker.sock. This lets us do docker operations from inside the container.
288 288
* There's a small sleep to let haproxy start up (ewww, but also, whatever), then we attempt a renew and run the deploy-hook script (see stage 1) if anything changed.
289
-* The deploy-hook script (see stage 1) cats the cert chain and key into an haproxy style .pem file, then sends a SIGHUP via the docker command to the haproxy container, telling it to re-read its config
290
-* The container is granted privileged permissions to let the docker socket work
289
+* The deploy-hook script (see stage 1) cats the cert chain and key into an haproxy style .pem file, then sends a SIGHUP via the docker command to the haproxy container, telling it to re-read its config.
290
+* The container is granted privileged permissions to let the docker socket work.
291 291
292 292
## Go!
293 293
Run `docker-compose up` to bring up haproxy and the letsencrypt container. certbot will (after 10 seconds) read the current certs and decide there's nothing to do, then go to sleep for a day. haproxy should start up and tell you nice things about the letsencrypt backend being up.
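Review bot: the last bullet (line 290) says the container "is granted privileged permissions to let the docker socket work", but a bind-mounted /var/run/docker.sock does not require a privileged container, only that the process inside can read and write the socket file; and access to that socket is already equivalent to root on the host, so the doc should say that plainly rather than adding privileged on top. The deploy-hook bullet (line 289) would also benefit from noting that the combined .pem holds the private key, so it should be written with restrictive permissions and owned by the non-priv UID haproxy runs as. Minor: stray space before the full stop in "/etc/letsencrypt ." (line 286).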