From 4a06090ac5500d755387722e470f40ad6a59d289 Mon Sep 17 00:00:00 2001
From: Matthew Vance
Date: Sat, 4 Apr 2020 16:05:19 -0500
Subject: [PATCH] Use cmake #fixes 10
---
 stubby/Dockerfile | 112 ++++++++++++++++++++++++++++++----------------
 1 file changed, 73 insertions(+), 39 deletions(-)
diff --git a/stubby/Dockerfile b/stubby/Dockerfile
index a63337b..6789317 100644
--- a/stubby/Dockerfile
+++ b/stubby/Dockerfile
@@ -1,73 +1,109 @@
-FROM debian:buster as builder
-LABEL maintainer="Matthew Vance"
+FROM debian:buster as openssl
-ENV version_openssl=openssl-1.1.1a \
- sha256_openssl=fc20130f8b7cbd2fb918b2f14e2f429e109c31ddd0fb38fc5d71d9ffed3f9f41 \
- source_openssl=https://www.openssl.org/source/ \
- opgp_openssl=8657ABB260F056B1E5190839D9C4D26D0E604491
+ENV VERSION_OPENSSL=openssl-1.1.1f \
+ SHA256_OPENSSL=186c6bfe6ecfba7a5b48c47f8a1673d0f3b0e5ba2e25602dd23b629975da3f35 \
+ SOURCE_OPENSSL=https://www.openssl.org/source/ \
+ OPGP_OPENSSL=8657ABB260F056B1E5190839D9C4D26D0E604491
 WORKDIR /tmp/src
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN set -e -x && \
 build_deps="build-essential ca-certificates curl dirmngr gnupg libidn2-0-dev libssl-dev" && \
- debian_frontend=noninteractive apt-get update && apt-get install -y --no-install-recommends \
- $build_deps && \
- curl -L "${source_openssl}${version_openssl}.tar.gz" -o openssl.tar.gz && \
- echo "${sha256_openssl} ./openssl.tar.gz" | sha256sum -c - && \
- curl -L "${source_openssl}${version_openssl}.tar.gz.asc" -o openssl.tar.gz.asc && \
+ DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y --no-install-recommends \
+ build-essential \
+ ca-certificates \
+ curl \
+ dirmngr \
+ gnupg \
+ libidn2-0-dev \
+ libssl-dev && \
+ curl -L $SOURCE_OPENSSL$VERSION_OPENSSL.tar.gz -o openssl.tar.gz && \
+ echo "${SHA256_OPENSSL} ./openssl.tar.gz" | sha256sum -c - && \
+ curl -L $SOURCE_OPENSSL$VERSION_OPENSSL.tar.gz.asc -o openssl.tar.gz.asc && \
 GNUPGHOME="$(mktemp -d)" && \
 export GNUPGHOME && \
- ( gpg --no-tty --keyserver ipv4.pool.sks-keyservers.net --recv-keys "$opgp_openssl" \
- || gpg --no-tty --keyserver ha.pool.sks-keyservers.net --recv-keys "$opgp_openssl" ) && \
+ ( gpg --no-tty --keyserver ipv4.pool.sks-keyservers.net --recv-keys "${OPGP_OPENSSL}" \
+ || gpg --no-tty --keyserver ha.pool.sks-keyservers.net --recv-keys "${OPGP_OPENSSL}" ) && \
 gpg --batch --verify openssl.tar.gz.asc openssl.tar.gz && \
 tar xzf openssl.tar.gz && \
- cd "$version_openssl" && \
- ./config --prefix=/opt/openssl no-weak-ssl-ciphers no-ssl3 no-shared enable-ec_nistp_64_gcc_128 -DOPENSSL_NO_HEARTBEATS -fstack-protector-strong && \
+ cd "${VERSION_OPENSSL}" && \
+ ./config \
+ -Wl,-rpath=/opt/openssl/lib \
+ --prefix=/opt/openssl \
+ --openssldir=/opt/openssl \
+ enable-ec_nistp_64_gcc_128 \
+ -DOPENSSL_NO_HEARTBEATS \
+ no-weak-ssl-ciphers \
+ no-ssl2 \
+ no-ssl3 \
+ shared \
+ -fstack-protector-strong && \
 make depend && \
 make && \
 make install_sw && \
 apt-get purge -y --auto-remove \
 $build_deps && \
 rm -rf \
- /tmp/* \
- /var/tmp/* \
- /var/lib/apt/lists/*
+ /tmp/* \
+ /var/tmp/* \
+ /var/lib/apt/lists/*
-FROM debian:buster
+FROM debian:buster as stubby
 LABEL maintainer="Matthew Vance"
-EXPOSE 8053/udp
+ENV VERSION_GETDNS=v1.6.0
 WORKDIR /tmp/src
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
-COPY --from=builder /opt/openssl /opt/openssl
+COPY --from=openssl /opt/openssl /opt/openssl
 RUN set -e -x && \
- build_deps="autoconf build-essential dh-autoreconf git libssl-dev libtool-bin libyaml-dev make m4" && \
+ build_deps="autoconf build-essential check cmake dh-autoreconf git libssl-dev libyaml-dev make m4" && \
 debian_frontend=noninteractive apt-get update && apt-get install -y --no-install-recommends \
- $build_deps \
+ ${build_deps} \
 ca-certificates \
 dns-root-data \
- ldnsutils \
- libev4 \
- libevent-core-2.1-6 \
- libidn11 \
- libuv1 \
 libyaml-0-2 && \
- git clone https://github.com/getdnsapi/getdns.git --branch develop && \
+ debian_frontend=noninteractive apt-get update && apt-get install -y --no-install-recommends check cmake && \
+ git clone https://github.com/getdnsapi/getdns.git && \
 cd getdns && \
+ git checkout "${VERSION_GETDNS}" && \
 git submodule update --init && \
- libtoolize -ci && \
- autoreconf -fi && \
 mkdir build && \
 cd build && \
- ../configure --prefix=/opt/stubby --without-libidn --without-libidn2 --enable-stub-only --with-ssl=/opt/openssl --with-stubby && \
+ cmake \
+ -DBUILD_STUBBY=ON \
+ -DENABLE_STUB_ONLY=ON \
+ -DCMAKE_INSTALL_PREFIX=/opt/stubby \
+ -DOPENSSL_INCLUDE_DIR=/opt/openssl \
+ -DOPENSSL_CRYPTO_LIBRARY=/opt/openssl/lib/libcrypto.so \
+ -DOPENSSL_SSL_LIBRARY=/opt/openssl/lib/libssl.so \
+ -DUSE_LIBIDN2=OFF \
+ -DBUILD_LIBEV=OFF \
+ -DBUILD_LIBEVENT2=OFF \
+ -DBUILD_LIBUV=OFF ..&& \
+ cmake .. && \
 make && \
- make install && \
+ make install
+
+FROM debian:buster
+
+COPY --from=openssl /opt/openssl /opt/openssl
+COPY --from=stubby /opt/stubby /opt/stubby
+COPY stubby.yml /opt/stubby/etc/stubby/stubby.yml
+
+ENV PATH /opt/stubby/bin:$PATH
+
+RUN set -e -x && \
+ debian_frontend=noninteractive apt-get update && apt-get install -y --no-install-recommends \
+ ca-certificates \
+ dns-root-data \
+ ldnsutils \
+ libyaml-0-2 && \
 groupadd -r stubby && \
 useradd --no-log-init -r -g stubby stubby && \
- apt-get purge -y --auto-remove \
- $build_deps && \
 rm -rf \
 /tmp/* \
 /var/tmp/* \
@@ -75,12 +111,10 @@ RUN set -e -x && \
 WORKDIR /opt/stubby
-ENV PATH /opt/stubby/bin:$PATH
+EXPOSE 8053/udp
 USER stubby:stubby
-COPY stubby.yml /opt/stubby/etc/stubby/stubby.yml
-
 HEALTHCHECK --interval=5s --timeout=3s --start-period=5s CMD drill @127.0.0.1 -p 8053 cloudflare.com || exit 1
-CMD ["/opt/stubby/bin/stubby"]
+CMD ["/opt/stubby/bin/stubby", "-C", "/opt/stubby/etc/stubby/stubby.yml"]
\ No newline at end of file
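Review bot: The stubby stage and the new final stage still prefix apt with the lowercase `debian_frontend=noninteractive`, which sets an unrelated shell variable rather than the `DEBIAN_FRONTEND` that apt reads (only the openssl stage was corrected to `DEBIAN_FRONTEND=noninteractive apt-get update`), and the stubby stage's second `apt-get update && apt-get install ... check cmake` repeats packages already in `build_deps`. `-DOPENSSL_INCLUDE_DIR=/opt/openssl` looks like it should be `/opt/openssl/include`; as written it appears the compiler may pick up headers from the `libssl-dev` build dependency while linking the 1.1.1f `libssl.so`/`libcrypto.so` under /opt/openssl, so confirm which headers the build resolves. Unlike the OpenSSL tarball, which is checked with `sha256sum -c` and `gpg --batch --verify`, the getdns source is taken by `git checkout "${VERSION_GETDNS}"` with no checksum or signature check; pinning the tag's commit id (or `git verify-tag` if the project signs its release tags) would give both sources the same provenance guarantee. The new `curl -L $SOURCE_OPENSSL$VERSION_OPENSSL.tar.gz` lines dropped the quoting the removed lines had, `curl -L "${SOURCE_OPENSSL}${VERSION_OPENSSL}.tar.gz" -o openssl.tar.gz`. The final stage's `RUN set -e -x` instruction continues past the end of this hunk.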