-
Notifications
You must be signed in to change notification settings - Fork 28
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
543ce34
commit 4a06090
Showing
1 changed file
with
73 additions
and
39 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,86 +1,120 @@ | ||
| FROM debian:buster as builder | ||
| LABEL maintainer="Matthew Vance" | ||
| FROM debian:buster as openssl | ||
|
|
||
| ENV version_openssl=openssl-1.1.1a \ | ||
| sha256_openssl=fc20130f8b7cbd2fb918b2f14e2f429e109c31ddd0fb38fc5d71d9ffed3f9f41 \ | ||
| source_openssl=https://www.openssl.org/source/ \ | ||
| opgp_openssl=8657ABB260F056B1E5190839D9C4D26D0E604491 | ||
| ENV VERSION_OPENSSL=openssl-1.1.1f \ | ||
| SHA256_OPENSSL=186c6bfe6ecfba7a5b48c47f8a1673d0f3b0e5ba2e25602dd23b629975da3f35 \ | ||
| SOURCE_OPENSSL=https://www.openssl.org/source/ \ | ||
| OPGP_OPENSSL=8657ABB260F056B1E5190839D9C4D26D0E604491 | ||
|
|
||
| WORKDIR /tmp/src | ||
| SHELL ["/bin/bash", "-o", "pipefail", "-c"] | ||
|
|
||
| RUN set -e -x && \ | ||
| build_deps="build-essential ca-certificates curl dirmngr gnupg libidn2-0-dev libssl-dev" && \ | ||
| debian_frontend=noninteractive apt-get update && apt-get install -y --no-install-recommends \ | ||
| $build_deps && \ | ||
| curl -L "${source_openssl}${version_openssl}.tar.gz" -o openssl.tar.gz && \ | ||
| echo "${sha256_openssl} ./openssl.tar.gz" | sha256sum -c - && \ | ||
| curl -L "${source_openssl}${version_openssl}.tar.gz.asc" -o openssl.tar.gz.asc && \ | ||
| DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y --no-install-recommends \ | ||
| build-essential \ | ||
| ca-certificates \ | ||
| curl \ | ||
| dirmngr \ | ||
| gnupg \ | ||
| libidn2-0-dev \ | ||
| libssl-dev && \ | ||
| curl -L $SOURCE_OPENSSL$VERSION_OPENSSL.tar.gz -o openssl.tar.gz && \ | ||
| echo "${SHA256_OPENSSL} ./openssl.tar.gz" | sha256sum -c - && \ | ||
| curl -L $SOURCE_OPENSSL$VERSION_OPENSSL.tar.gz.asc -o openssl.tar.gz.asc && \ | ||
| GNUPGHOME="$(mktemp -d)" && \ | ||
| export GNUPGHOME && \ | ||
| ( gpg --no-tty --keyserver ipv4.pool.sks-keyservers.net --recv-keys "$opgp_openssl" \ | ||
| || gpg --no-tty --keyserver ha.pool.sks-keyservers.net --recv-keys "$opgp_openssl" ) && \ | ||
| ( gpg --no-tty --keyserver ipv4.pool.sks-keyservers.net --recv-keys "${OPGP_OPENSSL}" \ | ||
| || gpg --no-tty --keyserver ha.pool.sks-keyservers.net --recv-keys "${OPGP_OPENSSL}" ) && \ | ||
| gpg --batch --verify openssl.tar.gz.asc openssl.tar.gz && \ | ||
| tar xzf openssl.tar.gz && \ | ||
| cd "$version_openssl" && \ | ||
| ./config --prefix=/opt/openssl no-weak-ssl-ciphers no-ssl3 no-shared enable-ec_nistp_64_gcc_128 -DOPENSSL_NO_HEARTBEATS -fstack-protector-strong && \ | ||
| cd "${VERSION_OPENSSL}" && \ | ||
| ./config \ | ||
| -Wl,-rpath=/opt/openssl/lib \ | ||
| --prefix=/opt/openssl \ | ||
| --openssldir=/opt/openssl \ | ||
| enable-ec_nistp_64_gcc_128 \ | ||
| -DOPENSSL_NO_HEARTBEATS \ | ||
| no-weak-ssl-ciphers \ | ||
| no-ssl2 \ | ||
| no-ssl3 \ | ||
| shared \ | ||
| -fstack-protector-strong && \ | ||
| make depend && \ | ||
| make && \ | ||
| make install_sw && \ | ||
| apt-get purge -y --auto-remove \ | ||
| $build_deps && \ | ||
| rm -rf \ | ||
| /tmp/* \ | ||
| /var/tmp/* \ | ||
| /var/lib/apt/lists/* | ||
| /tmp/* \ | ||
| /var/tmp/* \ | ||
| /var/lib/apt/lists/* | ||
|
|
||
| FROM debian:buster | ||
| FROM debian:buster as stubby | ||
| LABEL maintainer="Matthew Vance" | ||
|
|
||
| EXPOSE 8053/udp | ||
| ENV VERSION_GETDNS=v1.6.0 | ||
|
|
||
| WORKDIR /tmp/src | ||
| SHELL ["/bin/bash", "-o", "pipefail", "-c"] | ||
|
|
||
| COPY --from=builder /opt/openssl /opt/openssl | ||
| COPY --from=openssl /opt/openssl /opt/openssl | ||
|
|
||
| RUN set -e -x && \ | ||
| build_deps="autoconf build-essential dh-autoreconf git libssl-dev libtool-bin libyaml-dev make m4" && \ | ||
| build_deps="autoconf build-essential check cmake dh-autoreconf git libssl-dev libyaml-dev make m4" && \ | ||
| debian_frontend=noninteractive apt-get update && apt-get install -y --no-install-recommends \ | ||
| $build_deps \ | ||
| ${build_deps} \ | ||
| ca-certificates \ | ||
| dns-root-data \ | ||
| ldnsutils \ | ||
| libev4 \ | ||
| libevent-core-2.1-6 \ | ||
| libidn11 \ | ||
| libuv1 \ | ||
| libyaml-0-2 && \ | ||
| git clone https://github.com/getdnsapi/getdns.git --branch develop && \ | ||
| debian_frontend=noninteractive apt-get update && apt-get install -y --no-install-recommends check cmake && \ | ||
| git clone https://github.com/getdnsapi/getdns.git && \ | ||
| cd getdns && \ | ||
| git checkout "${VERSION_GETDNS}" && \ | ||
| git submodule update --init && \ | ||
| libtoolize -ci && \ | ||
| autoreconf -fi && \ | ||
| mkdir build && \ | ||
| cd build && \ | ||
| ../configure --prefix=/opt/stubby --without-libidn --without-libidn2 --enable-stub-only --with-ssl=/opt/openssl --with-stubby && \ | ||
| cmake \ | ||
| -DBUILD_STUBBY=ON \ | ||
| -DENABLE_STUB_ONLY=ON \ | ||
| -DCMAKE_INSTALL_PREFIX=/opt/stubby \ | ||
| -DOPENSSL_INCLUDE_DIR=/opt/openssl \ | ||
| -DOPENSSL_CRYPTO_LIBRARY=/opt/openssl/lib/libcrypto.so \ | ||
| -DOPENSSL_SSL_LIBRARY=/opt/openssl/lib/libssl.so \ | ||
| -DUSE_LIBIDN2=OFF \ | ||
| -DBUILD_LIBEV=OFF \ | ||
| -DBUILD_LIBEVENT2=OFF \ | ||
| -DBUILD_LIBUV=OFF ..&& \ | ||
| cmake .. && \ | ||
| make && \ | ||
| make install && \ | ||
| make install | ||
|
|
||
| FROM debian:buster | ||
|
|
||
| COPY --from=openssl /opt/openssl /opt/openssl | ||
| COPY --from=stubby /opt/stubby /opt/stubby | ||
| COPY stubby.yml /opt/stubby/etc/stubby/stubby.yml | ||
|
|
||
| ENV PATH /opt/stubby/bin:$PATH | ||
|
|
||
| RUN set -e -x && \ | ||
| debian_frontend=noninteractive apt-get update && apt-get install -y --no-install-recommends \ | ||
| ca-certificates \ | ||
| dns-root-data \ | ||
| ldnsutils \ | ||
| libyaml-0-2 && \ | ||
| groupadd -r stubby && \ | ||
| useradd --no-log-init -r -g stubby stubby && \ | ||
| apt-get purge -y --auto-remove \ | ||
| $build_deps && \ | ||
| rm -rf \ | ||
| /tmp/* \ | ||
| /var/tmp/* \ | ||
| /var/lib/apt/lists/* | ||
|
|
||
| WORKDIR /opt/stubby | ||
|
|
||
| ENV PATH /opt/stubby/bin:$PATH | ||
| EXPOSE 8053/udp | ||
|
|
||
| USER stubby:stubby | ||
|
|
||
| COPY stubby.yml /opt/stubby/etc/stubby/stubby.yml | ||
|
|
||
| HEALTHCHECK --interval=5s --timeout=3s --start-period=5s CMD drill @127.0.0.1 -p 8053 cloudflare.com || exit 1 | ||
|
|
||
| CMD ["/opt/stubby/bin/stubby"] | ||
| CMD ["/opt/stubby/bin/stubby", "-C", "/opt/stubby/etc/stubby/stubby.yml"] |