# The alpine-s6 image is declared once as a named stage ("mybase") and reused twice below:
# as the parent of the common build image and as the parent of the runtime image.
# Pulling it separately in every stage broke the BASE_VERSION argument under docker buildx,
# which is why there is a single FROM here.
# NOTE(review): the base is pinned by tag only; a digest pin (image:tag@sha256:...) would make rebuilds fully reproducible.
ARG BASE_VERSION=3.13-2.2.0.3
FROM rakheshster/alpine-s6:${BASE_VERSION} AS mybase
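################################### COMMON BUILDIMAGE ####################################
# Stage holding every build dependency; the kea and knot stages below build FROM it.
FROM mybase AS alpinebuild
# The build process doesn't remove this intermediate image automatically, so LABEL it here and prune by label later.
# Thanks to https://stackoverflow.com/a/55082473
LABEL stage="alpinebuild"
LABEL maintainer="Rakhesh Sasidharan"
# Build dependencies for everything built in the later stages.
# common stuff: git build-base libtool xz cmake gnupg (to verify)
# kea: (https://kea.readthedocs.io/en/kea-1.6.2/arm/install.html#build-requirements) build-base libtool openssl-dev boost-dev log4cplus-dev automake
# knot dns: pkgconf gnutls-dev userspace-rcu-dev libedit-dev libidn2-dev fstrm-dev protobuf-c-dev lmdb-dev
# --no-cache already fetches a fresh index (so --update is redundant) and leaves nothing in /var/cache/apk;
# the cleanup is kept in the same layer because a later `RUN rm` can never shrink an earlier layer.
# Packages are listed one per line, sorted, for diffability. They are unpinned (hadolint DL3018):
# reproducibility rests on the base-image tag and the apk index at build time.
RUN apk add --no-cache \
        automake \
        boost-dev \
        build-base \
        cmake \
        fstrm-dev \
        git \
        gnupg \
        gnutls-dev \
        libedit-dev \
        libidn2-dev \
        libtool \
        lmdb-dev \
        log4cplus-dev \
        openssl-dev \
        pkgconf \
        protobuf-c-dev \
        userspace-rcu-dev \
        xz \
    && rm -rf /var/cache/apk/*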
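################################## KEA DHCP ####################################
# Builds Kea DHCP only; the result is staged under /usr/local and copied into the runtime image.
FROM alpinebuild AS alpinekea
# ENV KEA_VERSION 1.7.10
# key=value form: the space-separated `ENV key value` form is deprecated (build check LegacyKeyValueFormat).
ENV KEA_VERSION=1.8.2
LABEL stage="alpinekea"
LABEL maintainer="Rakhesh Sasidharan"
# Download the source & its detached signature.
# ADD without --checksum is acceptable here only because the tarball is verified against ISC's
# signing key below before anything is extracted from it.
ADD https://downloads.isc.org/isc/kea/${KEA_VERSION}/kea-${KEA_VERSION}.tar.gz /tmp/
ADD https://downloads.isc.org/isc/kea/${KEA_VERSION}/kea-${KEA_VERSION}.tar.gz.asc /tmp/
# Import the PGP key used by ISC (https://www.isc.org/pgpkey/; get from https://downloads.isc.org/isc/pgpkeys/)
# Note to self: Using gpg --recv-keys fails for this key on the Debian version of gpg; see https://superuser.com/questions/1485213/gpg-cant-import-key-new-key-but-contains-no-user-id-skipped
# Workaround is to use the Ubuntu key server or download the key directly and import.
# RUN gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 0x156890685EA0DF6A1371EF2017CC5DB1F0088407
RUN wget -qO - https://downloads.isc.org/isc/pgpkeys/codesign2021.txt | gpg --import
# Verify the download (exit if it fails).
# The key fetched above is trusted on first use, so this check is what pins *which* key signed the tarball.
# It matches the full 40-hex fingerprint on the VALIDSIG status line instead of the former
# "GOODSIG <16-hex key id>": a 64-bit key id is not collision resistant, a fingerprint is.
# VALIDSIG prints the signing (sub)key fingerprint first and the primary key fingerprint last,
# hence the ".*" so the fingerprint may appear in either position.
# Do not add pipefail here: grep -q exits on first match and gpg can then die of SIGPIPE, failing a good build.
RUN gpg --status-fd 1 --verify /tmp/kea-${KEA_VERSION}.tar.gz.asc /tmp/kea-${KEA_VERSION}.tar.gz 2>/dev/null \
    | grep -q "VALIDSIG .*156890685EA0DF6A1371EF2017CC5DB1F0088407" \
    || exit 1
WORKDIR /src
RUN tar xzf /tmp/kea-${KEA_VERSION}.tar.gz -C ./
WORKDIR /src/kea-${KEA_VERSION}
# Configure kea to expect everything in / (--prefix=/) but when installing put everything into /usr/local (via DESTDIR=) (I copy the contents of this to / in the final image)
RUN ./configure --prefix=/ --with-openssl
RUN make && DESTDIR=/usr/local make install
# Disable keactrl as its broken under alpine (ps -p does not work) and also it conflicts with s6 if I try to stop etc.
# The only thing I need keactrl for is to reload the config, for that use the included kea-dhcpx-reload script which I provide.
RUN chmod -x /usr/local/sbin/keactrl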
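################################## BUILD KNOT DNS ####################################
# Builds Knot DNS only; the result is staged under /usr/local and copied into the runtime image.
FROM alpinebuild AS alpineknot
# key=value form: the space-separated `ENV key value` form is deprecated (build check LegacyKeyValueFormat).
ENV KNOTDNS_VERSION=3.0.4
LABEL stage="alpineknot"
LABEL maintainer="Rakhesh Sasidharan"
# Download the source & its detached signature.
# ADD without --checksum is acceptable here only because the tarball is verified against the
# cz.nic signing key below before anything is extracted from it.
ADD https://secure.nic.cz/files/knot-dns/knot-${KNOTDNS_VERSION}.tar.xz /tmp/
ADD https://secure.nic.cz/files/knot-dns/knot-${KNOTDNS_VERSION}.tar.xz.asc /tmp/
# Import the PGP key used by cz.nic (https://www.knot-dns.cz/download/)
# As above, the import fails on Debian if I download from the default keys.openpgp.org server so use keyserver.ubuntu.com instead
RUN gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 0x10BB7AF6FEBBD6AB
# Verify the download (exit if it fails).
# The key comes from a keyserver, so this check is what pins *which* key signed the tarball.
# NOTE(review): it pins a 64-bit key id (GOODSIG); matching the full fingerprint on the VALIDSIG
# status line would be stronger, once the fingerprint published on the download page is confirmed.
# Do not add pipefail here: grep -q exits on first match and gpg can then die of SIGPIPE, failing a good build.
RUN gpg --status-fd 1 --verify /tmp/knot-${KNOTDNS_VERSION}.tar.xz.asc /tmp/knot-${KNOTDNS_VERSION}.tar.xz 2>/dev/null \
    | grep -q "GOODSIG 10BB7AF6FEBBD6AB" \
    || exit 1
WORKDIR /src
RUN tar xf /tmp/knot-${KNOTDNS_VERSION}.tar.xz -C ./
WORKDIR /src/knot-${KNOTDNS_VERSION}
# Configure knot to expect everything in / (--prefix=/) but when installing put everything into /usr/local (via DESTDIR=) (I copy the contents of this to / in the final image)
RUN ./configure --prefix=/ --enable-dnstap --disable-systemd
RUN make && DESTDIR=/usr/local make install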
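################################### RUNTIME ENVIRONMENT FOR KEA & KNOT ####################################
# Runtime dependencies plus the built files from the two build stages; then the knot user and its directories.
# The directories are created after the COPY so their ownership isn't overwritten by the copied tree.
FROM mybase AS alpineruntime
# Runtime deps for all
# Kea: (https://kea.readthedocs.io/en/kea-1.6.2/arm/intro.html#required-software)
# Knot: libuv luajit lmdb gnutls userspace-rcu libedit libidn2
# drill is used by the HEALTHCHECK in the final stage.
# NOTE(review): nano is an interactive editor, not a runtime dependency; it adds surface to a
# production image and could be dropped (kept here so the image content is unchanged).
# --no-cache already fetches a fresh index and leaves nothing in /var/cache/apk; the cleanup stays in
# the same layer because a later `RUN rm` can never shrink an earlier one. Packages are unpinned (DL3018).
RUN apk add --no-cache \
        boost \
        ca-certificates \
        drill \
        fstrm \
        gnutls \
        libedit \
        libidn2 \
        libuv \
        lmdb \
        log4cplus \
        luajit \
        nano \
        openssl \
        protobuf-c \
        tzdata \
        userspace-rcu \
    && rm -rf /var/cache/apk/*
# /usr/local/bin -> /bin etc.
COPY --from=alpineknot /usr/local/ /
COPY --from=alpinekea /usr/local/ /
# Knot drops to this unprivileged user (see its config); one RUN so the user and its directories land in a single layer.
# NOTE(review): a fixed numeric uid/gid would let runtimes that enforce runAsNonRoot verify the identity.
RUN addgroup -S knot && adduser -D -S knot -G knot \
    && mkdir -p /var/lib/knot /var/run/knot \
    && chown knot:knot /var/lib/knot /var/run/knot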
################################### FINALIZE ####################################
# Final stage: the runtime image from above plus the config files and s6 service definitions.
FROM alpineruntime
LABEL maintainer="Rakhesh Sasidharan" \
      org.opencontainers.image.source="https://github.com/rakheshster/docker-kea-knot"
# Config files & s6 service files, laid out in root/ exactly as they should appear under /
COPY root/ /
# NOTE: s6 overlay doesn't support running as a different user. However, Knot is configured to run as a non-root user in its config. Kea needs to run as root.
# So there is deliberately no USER directive here: /init (s6) stays root and Knot drops privileges itself.
# Knot DNS listens on 53; Kea needs 8080 for HA. (EXPOSE is documentation only.)
EXPOSE 53/udp 53/tcp
EXPOSE 8080/tcp
# Liveness probe: a query against the local Knot on port 53 has to come back with an answer.
HEALTHCHECK --interval=5s --timeout=3s --start-period=5s \
    CMD drill @127.0.0.1 -p 53 google.com || exit 1
ENTRYPOINT ["/init"]