-
Notifications
You must be signed in to change notification settings - Fork 911
/
Dockerfile-dnsdist
131 lines (101 loc) · 4.43 KB
/
Dockerfile-dnsdist
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
# our chosen base image
FROM debian:12-slim AS builder
ENV NO_LUA_JIT="s390x arm64"
# TODO: make sure /source looks roughly the same from git or tar
# Reusable layer for base update
RUN apt-get update && apt-get -y dist-upgrade && apt-get clean
# devscripts gives us mk-build-deps (and a lot of other stuff)
RUN apt-get update && apt-get -y dist-upgrade && apt-get install -y --no-install-recommends devscripts equivs git && apt-get clean
COPY builder-support /source/builder-support
# TODO: control file is not in tarballs at all right now
RUN mk-build-deps -i -t 'apt-get -y -o Debug::pkgProblemResolver=yes --no-install-recommends' /source/builder-support/debian/dnsdist/debian-bookworm/control && \
apt-get clean
COPY pdns /source/pdns
COPY build-aux /source/build-aux
COPY m4 /source/m4
COPY ext /source/ext
COPY builder/helpers/set-configure-ac-version.sh /usr/local/bin
COPY .git /source/.git
# build and install (TODO: before we hit this line, rearrange /source structure if we are coming from a tarball)
WORKDIR /source/pdns/dnsdistdist
ARG MAKEFLAGS=
ENV MAKEFLAGS ${MAKEFLAGS:--j2}
ARG DOCKER_FAKE_RELEASE=NO
ENV DOCKER_FAKE_RELEASE ${DOCKER_FAKE_RELEASE}
RUN touch dnsdist.1 # avoid having to install pandoc and venv
RUN if [ "${DOCKER_FAKE_RELEASE}" = "YES" ]; then \
BUILDER_VERSION="$(IS_RELEASE=YES BUILDER_MODULES=dnsdist ./builder-support/gen-version | sed 's/\([0-9]\+\.[0-9]\+\.[0-9]\+\(\(alpha|beta|rc\)\d\+\)\)?.*/\1/')" set-configure-ac-version.sh;\
fi && \
BUILDER_MODULES=dnsdist autoreconf -vfi
RUN mkdir /libh2o && cd /libh2o && \
apt-get update && apt-get install -y cmake curl jq libssl-dev zlib1g-dev && \
cd /source/builder-support/helpers/ && \
./install_h2o.sh
RUN mkdir /quiche && cd /quiche && \
apt-get install -y libclang-dev && \
apt-get clean && \
cd /source/builder-support/helpers/ && \
./install_rust.sh && \
./install_quiche.sh
RUN mkdir /build && \
LUAVER=$([ -z "${NO_LUA_JIT##*$(dpkg --print-architecture)*}" ] && echo 'lua5.3' || echo 'luajit') && \
apt-get install -y lib${LUAVER}-*dev && \
./configure \
--with-lua=${LUAVER} \
LDFLAGS=-rdynamic \
--sysconfdir=/etc/dnsdist \
--enable-option-checking=fatal \
--enable-dnscrypt \
--enable-dns-over-tls \
--enable-dns-over-https \
--with-re2 \
--with-h2o \
--enable-dns-over-quic \
--enable-dns-over-http3 \
--with-quiche \
PKG_CONFIG_PATH=/opt/lib/pkgconfig && \
make clean && \
make $MAKEFLAGS install DESTDIR=/build && make clean && \
strip /build/usr/local/bin/* &&\
mkdir -p /build/usr/lib/ && \
cp -rf /usr/lib/libdnsdist-quiche.so /build/usr/lib/
RUN cd /tmp && mkdir /build/tmp/ && mkdir debian && \
echo 'Source: docker-deps-for-pdns' > debian/control && \
dpkg-shlibdeps /build/usr/local/bin/dnsdist && \
sed 's/^shlibs:Depends=/Depends: /' debian/substvars >> debian/control && \
equivs-build debian/control && \
dpkg-deb -I equivs-dummy_1.0_all.deb && cp equivs-dummy_1.0_all.deb /build/tmp/
# Runtime
FROM debian:12-slim
# Reusable layer for base update - Should be cached from builder
RUN apt-get update && apt-get -y dist-upgrade && apt-get clean
# - python3 and jinja2 (for startup script)
# - python3-atomicwrites (for backend management)
# - tini (for signal management)
# - ca-certificates (for verifying downstream DoH/DoT certificates)
RUN apt-get install -y python3 python3-jinja2 python3-atomicwrites tini libcap2-bin ca-certificates && apt-get clean
# Output from builder
COPY --from=builder /build /
RUN chmod 1777 /tmp # FIXME: better not use /build/tmp for equivs at all
# Ensure dependencies are present
RUN apt-get install -y /tmp/equivs-dummy_1.0_all.deb && apt-get clean
# Config
RUN mkdir -p /etc/dnsdist/conf.d /etc/dnsdist/templates.d
COPY dockerdata/dnsdist.conf /etc/dnsdist/
# Start script
COPY dockerdata/startup.py /usr/local/bin/dnsdist-startup
# Work with pdns user - not root
RUN adduser --system --disabled-password --disabled-login --no-create-home --group pdns --uid 953
RUN chown pdns:pdns /etc/dnsdist/conf.d /etc/dnsdist/templates.d
USER pdns
# Default DNS ports
EXPOSE 53/udp
EXPOSE 53/tcp
# Default console port
EXPOSE 5199/tcp
# Default webserver port
EXPOSE 8083/tcp
WORKDIR /etc/dnsdist
COPY dockerdata/dnsdist-resolver.lua /etc/dnsdist/
COPY dockerdata/dnsdist-resolver.py /usr/local/bin/dnsdist-resolver
ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/bin/dnsdist-startup"]