From 114fe4ada138bb3a97bff7564260c2e27a502417 Mon Sep 17 00:00:00 2001
From: Matthew Vance
Date: Mon, 6 Apr 2020 20:10:29 -0500
Subject: [PATCH] :hammer: Use standalone Unbound
---
 README.md | 2 +-
 docker-compose.yml | 2 +-
 unbound/Dockerfile | 137 ---------------------------------------------
 3 files changed, 2 insertions(+), 139 deletions(-)
 delete mode 100644 unbound/Dockerfile
diff --git a/README.md b/README.md
index c71d87b..2c043dc 100644
--- a/README.md
+++ b/README.md
@@ -17,7 +17,7 @@ To achieve this, this setup uses two containers, one running Stubby and another
 `sudo docker build -t mvance/stubby:latest .`
-`sudo docker build -t mvance/unbound:1.10.0-stubby .`
+_Note: This no longer comes with its own Unbound image/Dockerfile. Instead, it uses includes the necesseary config and references a [standalone Unbound](https://github.com/MatthewVance/unbound-docker) instance._
 ### Standard usage
diff --git a/docker-compose.yml b/docker-compose.yml
index 506fdbf..8f63d6f 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -6,7 +6,7 @@ services:
 - dns
 restart: unless-stopped
 unbound:
- image: "mvance/unbound:1.10.0-stubby"
+ image: "mvance/unbound:latest"
 depends_on:
 - "stubby"
 ports:
diff --git a/unbound/Dockerfile b/unbound/Dockerfile
deleted file mode 100644
index aceb366..0000000
--- a/unbound/Dockerfile
+++ /dev/null
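Review bot: The new `image: "mvance/unbound:latest"` line in the `unbound` service swaps a version-specific tag for a mutable one, so the resolver that actually runs depends on whatever `latest` points to at pull time, and a changed or tampered upstream image arrives without any diff in this repository. Pin the standalone image to a release tag and, ideally, its digest, e.g. `image: "mvance/unbound:<release-tag>@sha256:<digest>"` (placeholders; take the real values from the registry), and bump it deliberately. The unbound/Dockerfile removed by this commit checked its source tarballs against SHA-256 values (plus a GPG signature for OpenSSL) at build time; with a prebuilt image, the tag or digest is the only integrity anchor left in this file. The `unbound` service definition continues outside the hunk.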
@@ -1,137 +0,0 @@
-FROM debian:buster as openssl
-LABEL maintainer="Matthew Vance"
-
-ENV VERSION_OPENSSL=openssl-1.1.1f \
- SHA256_OPENSSL=186c6bfe6ecfba7a5b48c47f8a1673d0f3b0e5ba2e25602dd23b629975da3f35 \
- SOURCE_OPENSSL=https://www.openssl.org/source/ \
- OPGP_OPENSSL=8657ABB260F056B1E5190839D9C4D26D0E604491
-
-WORKDIR /tmp/src
-
-RUN set -e -x && \
- build_deps="build-essential ca-certificates curl dirmngr gnupg libidn2-0-dev libssl-dev" && \
- DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y --no-install-recommends \
- $build_deps && \
- curl -L $SOURCE_OPENSSL$VERSION_OPENSSL.tar.gz -o openssl.tar.gz && \
- echo "${SHA256_OPENSSL} ./openssl.tar.gz" | sha256sum -c - && \
- curl -L $SOURCE_OPENSSL$VERSION_OPENSSL.tar.gz.asc -o openssl.tar.gz.asc && \
- GNUPGHOME="$(mktemp -d)" && \
- export GNUPGHOME && \
- ( gpg --no-tty --keyserver ipv4.pool.sks-keyservers.net --recv-keys "$OPGP_OPENSSL" \
- || gpg --no-tty --keyserver ha.pool.sks-keyservers.net --recv-keys "$OPGP_OPENSSL" ) && \
- gpg --batch --verify openssl.tar.gz.asc openssl.tar.gz && \
- tar xzf openssl.tar.gz && \
- cd $VERSION_OPENSSL && \
- ./config --prefix=/opt/openssl no-weak-ssl-ciphers no-ssl3 no-shared enable-ec_nistp_64_gcc_128 -DOPENSSL_NO_HEARTBEATS -fstack-protector-strong && \
- make depend && \
- make && \
- make install_sw && \
- apt-get purge -y --auto-remove \
- $build_deps && \
- rm -rf \
- /tmp/* \
- /var/tmp/* \
- /var/lib/apt/lists/*
-
-FROM debian:buster as unbound
-LABEL maintainer="Matthew Vance"
-
-ENV NAME=unbound \
- UNBOUND_VERSION=1.10.0 \
- UNBOUND_SHA256=152f486578242fe5c36e89995d0440b78d64c05123990aae16246b7f776ce955 \
- UNBOUND_DOWNLOAD_URL=https://nlnetlabs.nl/downloads/unbound/unbound-1.10.0.tar.gz
-
-WORKDIR /tmp/src
-
-COPY --from=openssl /opt/openssl /opt/openssl
-
-RUN build_deps="curl gcc libc-dev libevent-dev libexpat1-dev make" && \
- set -x && \
- DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y --no-install-recommends \
- $build_deps \
- bsdmainutils \
- ca-certificates \
- ldnsutils \
- libevent-2.1-6 \
- libexpat1 && \
- curl -sSL $UNBOUND_DOWNLOAD_URL -o unbound.tar.gz && \
- echo "${UNBOUND_SHA256} *unbound.tar.gz" | sha256sum -c - && \
- tar xzf unbound.tar.gz && \
- rm -f unbound.tar.gz && \
- cd unbound-1.10.0 && \
- groupadd _unbound && \
- useradd -g _unbound -s /etc -d /dev/null _unbound && \
- ./configure \
- --disable-dependency-tracking \
- --prefix=/opt/unbound \
- --with-pthreads \
- --with-username=_unbound \
- --with-ssl=/opt/openssl \
- --with-libevent \
- --enable-tfo-server \
- --enable-tfo-client \
- --enable-event-api && \
- make install && \
- mv /opt/unbound/etc/unbound/unbound.conf /opt/unbound/etc/unbound/unbound.conf.example && \
- apt-get purge -y --auto-remove \
- $build_deps && \
- rm -rf \
- /opt/unbound/share/man \
- /tmp/* \
- /var/tmp/* \
- /var/lib/apt/lists/*
-
-
-FROM debian:buster
-LABEL maintainer="Matthew Vance"
-
-ENV name=unbound \
- unbound_version=1.10.0 \
- version=1.5
-
-ENV summary="${name} is a validating, recursive, and caching DNS resolver." \
- description="${name} is a validating, recursive, and caching DNS resolver."
-
-LABEL summary="${summary}" \
- description="${description}" \
- io.k8s.description="${description}" \
- io.k8s.display-name="Unbound ${unbound_version}" \
- name="mvance/${name}" \
- maintainer="Matthew Vance"
-
-WORKDIR /tmp/src
-
-COPY --from=unbound /opt /opt
-
-RUN set -x && \
- DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y --no-install-recommends \
- bsdmainutils \
- ca-certificates \
- ldnsutils \
- libevent-2.1-6\
- libexpat1 && \
- groupadd _unbound && \
- useradd -g _unbound -s /etc -d /dev/null _unbound && \
- apt-get purge -y --auto-remove \
- $build_deps && \
- rm -rf \
- /opt/unbound/share/man \
- /tmp/* \
- /var/tmp/* \
- /var/lib/apt/lists/*
-
-COPY a-records.conf /opt/unbound/etc/unbound/
-COPY unbound.sh /
-
-RUN chmod +x /unbound.sh
-
-WORKDIR /opt/unbound/
-
-ENV PATH /opt/unbound/sbin:"$PATH"
-
-EXPOSE 53/tcp
-EXPOSE 53/udp
-
-HEALTHCHECK --interval=5s --timeout=3s --start-period=5s CMD drill @127.0.0.1 cloudflare.com || exit 1
-
-CMD ["/unbound.sh"]