Why the directory "/etc/nginx/certs" is volume?

[ikeji]

Hi

I'm creating my container image from jwilder/nginx-proxy with my certs.

FROM jwilder/nginx-proxy
ADD certs /etc/nginx

Reentry I updated the certs and re-build my container image,
then I updated my container by "docker-compose up" command,
But my container still use old certs.
Because the "/etc/nginx/certs" directory is volume and it's not updated by "docker-compose up".
After remove the volume by manual, new certs are works as intended.

This is question instead of bug reports.
Why the directory "/etc/nginx/certs" is volume?

[jwilder]

I don't have a good reason for it being a volume. Might have been added as one mistakenly.

[thaJeztah]

One advantage is that certificates will never end up in an image when committing / pushing (I doubt you'd want to have your image on Docker Hub, containing your certificates).

Otoh, the disadvantage is that certificates may be left behind in a volume, after the container has been removed (and the -v flag is forgotten when doing docker rm)

[ikeji]

One advantage is that certificates will never end up in an image when committing / pushing (I doubt you'd want to have your image on Docker Hub, containing your certificates).

For my use case, I push image with certificates (and vhost config) to my private repository.
This will avoid manual copy of certificate to instance.

I didn't think about commit.
Personally I never use commit, is it common for this kind of image?

If the user commit the image and run this image to other machine,
The server will loose certs directory and behave differently from original machine.

[thaJeztah]

@ikeji that's the downside, basically, I don't think it should be a volume, but there should be a warning in the README that people think properly before committing/pushing an image; especially if it is pushed to a public repository 😄

[geertvanheusden]

Is it possible to remove the volume? Apparently it's not possible to create a volume using docker-compose when a volume is already specified in the Dockerfile:

When I try to use the following configuration my /etc/nginx/certs dir is empty. Switching to docker run -v ./nginx/cert:/etc/nginx/certs works as desinged.

nginx:
    image: jwilder/nginx-proxy
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - ./nginx/cert:/etc/nginx/certs
    ports:
      - 443:443
      - 80:80

Not sure if the docker-compose (1.4) behaviour is correct in this situation...

[md5]

Apparently it's not possible to create a volume using docker-compose when a volume is already specified in the Dockerfile:

@geertvanheusden This is not true, so there must be something else going on. You may want to look at the output of docker inspect $CONTAINER_NAME to see how it differs in the two cases.

[geertvanheusden]

@md5 You are right. I had some issues with this volume not being replaced/updated by docker-compose. Not sure if it is a bug or expected behaviour but after removing the stopped container and doing a docker-compose up again it works.

[md5]

@geertvanheusden I think what you're running into with docker-compose is almost certainly a known issue. I took a quick look through the docker/compose issues and found this one: docker/compose#465

There are probably others too since I've definitely seen reports across a variety of images that docker-compose is having issues due to its efforts to preserve volumes across container builds.

[md5]

If you're not on the latest version of docker-compose, it may be worth upgrading.

[geertvanheusden]

@md5 I am already running the latest version of docker-compose but I encountered the following issue.

• Run the nginx-proxy image using docker-compose without a custom volume for the certificates.
• Update the docker-compose.yml file with a custom volume that contains the certificates.
• Run docker-compose up again (without deleting the stopped container)
• Result: no certificates available in the nginx proxy container. The old volume from the Dockerfile is used which is still empty.
• Deleting the stopped container and running docker-compose up again fixed the issue for me.

[md5]

Those steps to reproduce look great. Any chance you'd want to report that over at https://github.com/docker/compose/issues, possibly on docker/compose#465 or another existing issue?

[geertvanheusden]

@md5 Done! docker/compose#1882

[md5]

@geertvanheusden 👍

[baryshev]

+1 for remove volume /etc/nginx/certs from Dockerfile. We can add it from command line or docker-compose if it's needed, but can't remove it if not.

[sgabe]

This issue has been resolved by #692 and can be closed.