starred/dehydrated
1
0
Fork 0
mirror of https://github.com/dehydrated-io/dehydrated.git synced 2026-01-13 15:13:33 +01:00
Code Issues 79 Packages Projects Releases 10 Wiki Activity

Allow for configure writing to different dir than BASEDIR (read-only FS) #483

New Issue
Closed
opened 2025-12-29 01:26:00 +01:00 by adam · 2 comments
adam commented 2025-12-29 01:26:00 +01:00
Owner
Copy Link

Originally created by @schnatterer on GitHub (Jun 27, 2020).

I'd like to run dehydrated in a "docker" container with read-only root file system for security reasons.
For this to work, all writeable directories are mounted as separate volumes.

dehydrated is not compatible with this approach, because it writes accounts, lockfile, chains, etc. in the BASEDIR, i.e. next to the dehydrated script.

Mounting /etc/dehydrated/ as a volume makes the whole process complicated, because dehydrated then is location within the volume.

So what I like to achieve is to separate the dehydrated script from the writeable dirs.

I'm eager to open a PR, but I'm not sure what's the best option to implement this.

  • Allowing for configure BASEDIR?
  • Or would it be better to expose the individual files/dirs that are written (LOCKFILE, CHAINCACHE, etc.) to configuration?
  • If the default values were not set, this could be achieved by using env vars. Is this done for a reason?
    One option would be to check if the values are present in the environment before setting defaults, e.g. like so
CHAINCACHE=${CHAINCACHE:-}
AUTO_CLEANUP=${AUTO_CLEANUP:-'no'}

This would allow for configuring the whole thing via the environment. Very 12-factor-y 😉

Originally created by @schnatterer on GitHub (Jun 27, 2020). I'd like to run dehydrated in a "docker" container with read-only root file system for security reasons. For this to work, all writeable directories are mounted as separate volumes. dehydrated is not compatible with this approach, because it writes accounts, lockfile, chains, etc. in the `BASEDIR`, i.e. next to the `dehydrated` script. Mounting `/etc/dehydrated/` as a volume makes the whole process complicated, because `dehydrated` then is location within the volume. So what I like to achieve is to separate the `dehydrated` script from the writeable dirs. I'm eager to open a PR, but I'm not sure what's the best option to implement this. * Allowing for configure `BASEDIR`? * Or would it be better to expose the individual files/dirs that are written (`LOCKFILE`, `CHAINCACHE`, etc.) to configuration? * If the [default values](https://github.com/dehydrated-io/dehydrated/blob/master/dehydrated#L125) were not set, this could be achieved by using env vars. Is this done for a reason? One option would be to check if the values are present in the environment before setting defaults, e.g. like so ```bash CHAINCACHE=${CHAINCACHE:-} AUTO_CLEANUP=${AUTO_CLEANUP:-'no'} ``` This would allow for configuring the whole thing via the environment. Very [12-factor](https://12factor.net/config)-y :wink:
adam closed this issue 2025-12-29 01:26:00 +01:00
adam commented 2025-12-29 01:26:01 +01:00
Author
Owner
Copy Link

@jobe1986 commented on GitHub (Jun 27, 2020):

Dehydrated has support for a "config" file. An example of said file can be found in docs/examples/ and it does allow you to configure BASEDIR amongst MANY other options.

You can also tell dehydrated to use a config file in a location other then the script's directory by using the --config command line parameter.

A copy of the example config can be found on github at https://github.com/dehydrated-io/dehydrated/blob/master/docs/examples/config

@jobe1986 commented on GitHub (Jun 27, 2020): Dehydrated has support for a "config" file. An example of said file can be found in docs/examples/ and it does allow you to configure BASEDIR amongst MANY other options. You can also tell dehydrated to use a config file in a location other then the script's directory by using the --config <file> command line parameter. A copy of the example config can be found on github at https://github.com/dehydrated-io/dehydrated/blob/master/docs/examples/config
adam commented 2025-12-29 01:26:01 +01:00
Author
Owner
Copy Link

@schnatterer commented on GitHub (Jun 27, 2020):

@jobe1986 Thanks for pointing out the BASEDIR option in the config. Works fine! How could I miss that one 🙈 ?

BTW if someone ever stumbles upon this issue - here's an example how to use BASEDIR in config.
schnatterer/letsencrypt-tomcat@db68c08

@schnatterer commented on GitHub (Jun 27, 2020): @jobe1986 Thanks for pointing out the `BASEDIR` option in the `config`. Works fine! How could I miss that one :see_no_evil: ? BTW if someone ever stumbles upon this issue - here's an example how to use `BASEDIR` in `config`. schnatterer/letsencrypt-tomcat@db68c08
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
Complicated
bug
enhancement
help wanted
pull-request
Mirrored from GitHub Pull Request
 suggestions wanted
testing
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
adam
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/dehydrated#483
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?