diff --git a/README.md b/README.md
index 2c043dc..d0f3707 100644
--- a/README.md
+++ b/README.md
@@ -17,7 +17,7 @@ To achieve this, this setup uses two containers, one running Stubby and another
 `sudo docker build -t mvance/stubby:latest .`
-_Note: This no longer comes with its own Unbound image/Dockerfile. Instead, it uses includes the necesseary config and references a [standalone Unbound](https://github.com/MatthewVance/unbound-docker) instance._
+`sudo docker build -t mvance/unbound:1.10.1-stubby .`
 ### Standard usage
diff --git a/docker-compose.yml b/docker-compose.yml
index 8f63d6f..4f2d09f 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -6,7 +6,7 @@ services:
 - dns
 restart: unless-stopped
 unbound:
- image: "mvance/unbound:latest"
+ image: "mvance/unbound:1.10.1-stubby"
 depends_on:
 - "stubby"
 ports:
diff --git a/unbound/Dockerfile b/unbound/Dockerfile
new file mode 100644
index 0000000..80fef64
--- /dev/null
+++ b/unbound/Dockerfile
@@ -0,0 +1,143 @@
+FROM debian:buster as openssl
+LABEL maintainer="Matthew Vance"
+
+ENV VERSION_OPENSSL=openssl-1.1.1g \
+ SHA256_OPENSSL=ddb04774f1e32f0c49751e21b67216ac87852ceb056b75209af2443400636d46 \
+ SOURCE_OPENSSL=https://www.openssl.org/source/ \
+ OPGP_OPENSSL=8657ABB260F056B1E5190839D9C4D26D0E604491
+
+WORKDIR /tmp/src
+
+RUN set -e -x && \
+ build_deps="build-essential ca-certificates curl dirmngr gnupg libidn2-0-dev libssl-dev" && \
+ DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y --no-install-recommends \
+ $build_deps && \
+ curl -L $SOURCE_OPENSSL$VERSION_OPENSSL.tar.gz -o openssl.tar.gz && \
+ echo "${SHA256_OPENSSL} ./openssl.tar.gz" | sha256sum -c - && \
+ curl -L $SOURCE_OPENSSL$VERSION_OPENSSL.tar.gz.asc -o openssl.tar.gz.asc && \
+ GNUPGHOME="$(mktemp -d)" && \
+ export GNUPGHOME && \
+ ( gpg --no-tty --keyserver ipv4.pool.sks-keyservers.net --recv-keys "$OPGP_OPENSSL" \
+ || gpg --no-tty --keyserver ha.pool.sks-keyservers.net --recv-keys "$OPGP_OPENSSL" ) && \
+ gpg --batch --verify openssl.tar.gz.asc openssl.tar.gz && \
+ tar xzf openssl.tar.gz && \
+ cd $VERSION_OPENSSL && \
+ ./config \
+ --prefix=/opt/openssl \
+ --openssldir=/opt/openssl \
+ no-weak-ssl-ciphers \
+ no-ssl3 \
+ no-shared \
+ enable-ec_nistp_64_gcc_128 \
+ -DOPENSSL_NO_HEARTBEATS \
+ -fstack-protector-strong && \
+ make depend && \
+ make && \
+ make install_sw && \
+ apt-get purge -y --auto-remove \
+ $build_deps && \
+ rm -rf \
+ /tmp/* \
+ /var/tmp/* \
+ /var/lib/apt/lists/*
+
+FROM debian:buster as unbound
+LABEL maintainer="Matthew Vance"
+
+ENV NAME=unbound \
+ UNBOUND_VERSION=1.10.1 \
+ UNBOUND_SHA256=b73677c21a71cf92f15cc8cfe76a3d875e40f65b6150081c39620b286582d536 \
+ UNBOUND_DOWNLOAD_URL=https://nlnetlabs.nl/downloads/unbound/unbound-1.10.1.tar.gz
+
+WORKDIR /tmp/src
+
+COPY --from=openssl /opt/openssl /opt/openssl
+
+RUN build_deps="curl gcc libc-dev libevent-dev libexpat1-dev make" && \
+ set -x && \
+ DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y --no-install-recommends \
+ $build_deps \
+ bsdmainutils \
+ ca-certificates \
+ ldnsutils \
+ libevent-2.1-6 \
+ libexpat1 && \
+ curl -sSL $UNBOUND_DOWNLOAD_URL -o unbound.tar.gz && \
+ echo "${UNBOUND_SHA256} *unbound.tar.gz" | sha256sum -c - && \
+ tar xzf unbound.tar.gz && \
+ rm -f unbound.tar.gz && \
+ cd unbound-1.10.1 && \
+ groupadd _unbound && \
+ useradd -g _unbound -s /etc -d /dev/null _unbound && \
+ ./configure \
+ --disable-dependency-tracking \
+ --prefix=/opt/unbound \
+ --with-pthreads \
+ --with-username=_unbound \
+ --with-ssl=/opt/openssl \
+ --with-libevent \
+ --enable-tfo-server \
+ --enable-tfo-client \
+ --enable-event-api && \
+ make install && \
+ mv /opt/unbound/etc/unbound/unbound.conf /opt/unbound/etc/unbound/unbound.conf.example && \
+ apt-get purge -y --auto-remove \
+ $build_deps && \
+ rm -rf \
+ /opt/unbound/share/man \
+ /tmp/* \
+ /var/tmp/* \
+ /var/lib/apt/lists/*
+
+
+FROM debian:buster
+LABEL maintainer="Matthew Vance"
+
+ENV NAME=unbound \
+ VERSION=1.0 \
+ SUMMARY="${NAME} is a validating, recursive, and caching DNS resolver." \
+ DESCRIPTION="${NAME} is a validating, recursive, and caching DNS resolver."
+
+LABEL summary="${SUMMARY}" \
+ description="${DESCRIPTION}" \
+ io.k8s.description="${DESCRIPTION}" \
+ io.k8s.display-name="Unbound ${UNBOUND_VERSION}" \
+ name="mvance/${NAME}" \
+ maintainer="Matthew Vance"
+
+WORKDIR /tmp/src
+
+COPY --from=unbound /opt /opt
+
+RUN set -x && \
+ DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y --no-install-recommends \
+ bsdmainutils \
+ ca-certificates \
+ ldnsutils \
+ libevent-2.1-6\
+ libexpat1 && \
+ groupadd _unbound && \
+ useradd -g _unbound -s /etc -d /dev/null _unbound && \
+ apt-get purge -y --auto-remove \
+ $build_deps && \
+ rm -rf \
+ /opt/unbound/share/man \
+ /tmp/* \
+ /var/tmp/* \
+ /var/lib/apt/lists/*
+
+COPY a-records.conf /opt/unbound/etc/unbound/
+COPY unbound.sh /
+
+RUN chmod +x /unbound.sh
+
+WORKDIR /opt/unbound/
+
+ENV PATH /opt/unbound/sbin:"$PATH"
+
+EXPOSE 53/tcp
+EXPOSE 53/udp
+
+HEALTHCHECK --interval=5s --timeout=3s --start-period=5s CMD drill @127.0.0.1 cloudflare.com || exit 1
+
+CMD ["/unbound.sh"]
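Review bot: In the final stage the label `io.k8s.display-name="Unbound ${UNBOUND_VERSION}"` will expand to `Unbound ` with no version, because `UNBOUND_VERSION` is only declared by `ENV` inside the `unbound` build stage and `ENV` values do not survive a new `FROM`; the same stage's `apt-get purge -y --auto-remove $build_deps` names a variable this stage never sets, so it purges nothing and can be dropped. Redeclare the version where the label is emitted, e.g. `ENV NAME=unbound \` / `    UNBOUND_VERSION=1.10.1 \` / `    VERSION=1.0 \`, so the published metadata matches the `1.10.1-stubby` tag the compose file now pins. The OpenSSL tarball is checked against both a SHA-256 and a detached signature fetched via the pinned fingerprint, while the Unbound tarball is verified by SHA-256 only; that is adequate integrity for a pinned release, but a one-line comment such as `# Unbound release pinned by SHA-256 only (no PGP check); update hash with UNBOUND_VERSION` would make the asymmetry deliberate rather than an oversight. The image also ends with no `USER` directive, so `/unbound.sh` (not in this diff) starts as root; that appears to be relied on to bind port 53 before Unbound drops to `_unbound` via `--with-username`, which is worth stating in a comment next to `CMD` since reviewers will otherwise flag the root-running final stage.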