-
Notifications
You must be signed in to change notification settings - Fork 914
/
Copy pathDockerfile-dnsdist
148 lines (119 loc) · 5.15 KB
/
Dockerfile-dnsdist
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
# our chosen base image
FROM debian:12-slim AS builder
ENV NO_LUA_JIT="s390x arm64"
# TODO: make sure /source looks roughly the same from git or tar
# Reusable layer for base update
RUN apt-get update && apt-get -y dist-upgrade && apt-get clean
# Unable backports to get a recent enough version of meson
RUN echo "deb http://deb.debian.org/debian bookworm-backports main" > /etc/apt/sources.list.d/bookworm-backports.list
# devscripts gives us mk-build-deps (and a lot of other stuff)
RUN apt-get update && apt-get -y dist-upgrade && apt-get install -y --no-install-recommends devscripts equivs git && apt-get clean
COPY builder-support /source/builder-support
# TODO: control file is not in tarballs at all right now
RUN mk-build-deps -i -t 'apt-get -y -o Debug::pkgProblemResolver=yes --no-install-recommends' /source/builder-support/debian/dnsdist/debian-bookworm/control && \
apt-get install -y -t bookworm-backports meson && \
apt-get clean
COPY meson /source/meson
COPY pdns /source/pdns
COPY build-aux /source/build-aux
COPY m4 /source/m4
COPY ext /source/ext
COPY builder/helpers/set-configure-ac-version.sh /usr/local/bin
COPY .git /source/.git
# build and install (TODO: before we hit this line, rearrange /source structure if we are coming from a tarball)
WORKDIR /source/pdns/dnsdistdist
ARG MAKEFLAGS=
ENV MAKEFLAGS=${MAKEFLAGS:--j2}
ARG DOCKER_FAKE_RELEASE=NO
ENV DOCKER_FAKE_RELEASE=${DOCKER_FAKE_RELEASE}
RUN touch dnsdist.1 # avoid having to install pandoc and venv
RUN if [ "${DOCKER_FAKE_RELEASE}" = "YES" ]; then \
BUILDER_VERSION="$(IS_RELEASE=YES BUILDER_MODULES=dnsdist ./builder-support/gen-version | sed 's/\([0-9]\+\.[0-9]\+\.[0-9]\+\(\(alpha|beta|rc\)\d\+\)\)?.*/\1/')" set-configure-ac-version.sh;\
fi && \
BUILDER_MODULES=dnsdist autoreconf -vfi
RUN mkdir /quiche && cd /quiche && \
apt-get install -y cmake curl jq libclang-dev && \
apt-get clean && \
cd /source/builder-support/helpers/ && \
./install_rust.sh && \
./install_quiche.sh
RUN mkdir /build && \
LUAVER=$([ -z "${NO_LUA_JIT##*$(dpkg --print-architecture)*}" ] && echo 'lua5.3' || echo 'luajit') && \
apt-get install -y lib${LUAVER}-*dev ninja-build && \
BUILDDIR=$(mktemp -d) && \
IS_RELEASE="${DOCKER_FAKE_RELEASE}" \
LDFLAGS="-latomic -fuse-ld=lld -Wl,--build-id=sha1 -ldl" \
CC=clang \
CXX=clang++ \
PKG_CONFIG_PATH=/opt/lib/pkgconfig meson setup ${BUILDDIR} \
--sysconfdir=/etc/dnsdist \
-Dlua=auto \
-Db_lto=true \
-Db_lto_mode=thin \
-Db_pie=true \
-Ddns-over-https=enabled \
-Ddns-over-quic=enabled \
-Ddns-over-http3=enabled \
-Ddns-over-tls=enabled \
-Ddnscrypt=enabled \
-Ddnstap=enabled \
-Dyaml=enabled \
-Debpf=enabled \
-Dyaml=enabled \
-Dtls-gnutls=enabled \
-Dsnmp=enabled \
-Dlibcap=enabled \
-Dlibsodium=enabled \
-Dquiche=enabled \
-Dre2=enabled \
-Dsystemd-service=disabled \
-Dxsk=enabled && \
meson compile -C ${BUILDDIR} && \
meson install -C ${BUILDDIR} --destdir /build && \
strip /build/usr/local/bin/* && \
rm -rf /build/lib # remove systemd unit files, we do not need them and copying /lib to the run-time image breaks it
RUN for tentative in "lib/x86_64-linux-gnu" "lib/aarch64-linux-gnu" "lib64" "lib"; do \
if [ -f "/usr/${tentative}/libdnsdist-quiche.so" ]; then \
mkdir -p "/build/usr/${tentative}/"; \
cp "/usr/${tentative}/libdnsdist-quiche.so" "/build/usr/${tentative}/"; \
break; \
fi; \
done
RUN cd /tmp && mkdir /build/tmp/ && mkdir debian && \
echo 'Source: docker-deps-for-pdns' > debian/control && \
dpkg-shlibdeps /build/usr/local/bin/dnsdist && \
sed 's/^shlibs:Depends=/Depends: /' debian/substvars >> debian/control && \
equivs-build debian/control && \
dpkg-deb -I equivs-dummy_1.0_all.deb && cp equivs-dummy_1.0_all.deb /build/tmp/
# Runtime
FROM debian:12-slim
# Reusable layer for base update - Should be cached from builder
RUN apt-get update && apt-get -y dist-upgrade && apt-get clean
# - python3 and jinja2 (for startup script)
# - tini (for signal management)
# - ca-certificates (for verifying downstream DoH/DoT certificates)
RUN apt-get install -y python3 python3-jinja2 tini libcap2-bin ca-certificates && apt-get clean
# Output from builder
COPY --from=builder /build /
RUN chmod 1777 /tmp # FIXME: better not use /build/tmp for equivs at all
# Ensure dependencies are present
RUN apt-get install -y /tmp/equivs-dummy_1.0_all.deb && apt-get clean
# Config
RUN mkdir -p /etc/dnsdist/conf.d /etc/dnsdist/templates.d
COPY dockerdata/dnsdist.conf /etc/dnsdist/
# Start script
COPY dockerdata/startup.py /usr/local/bin/dnsdist-startup
# Work with pdns user - not root
RUN adduser --system --disabled-password --disabled-login --no-create-home --group pdns --uid 953
RUN chown pdns:pdns /etc/dnsdist/conf.d /etc/dnsdist/templates.d
USER pdns
# Default DNS ports
EXPOSE 53/udp
EXPOSE 53/tcp
# Default console port
EXPOSE 5199/tcp
# Default webserver port
EXPOSE 8083/tcp
WORKDIR /etc/dnsdist
COPY dockerdata/dnsdist-resolver.lua /etc/dnsdist/
ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/bin/dnsdist-startup"]