# All base images come from one registry namespace and are pinned by a dated tag.
# NOTE(review): tags are mutable. For a reproducible, reviewable supply chain append
# @sha256:<digest> to each FROM_IMAGE_* value (digests are not known from this file).
# NOTE(review): there is no `# syntax=docker/dockerfile:1` directive as the first line;
# the RUN --mount=type=secret and --platform features below therefore depend on the
# builder's bundled default frontend -- consider pinning the frontend.
ARG FROM_REGISTRY=docker.io/dubodubonduponey
ARG FROM_IMAGE_BUILDER=base:builder-bookworm-2023-09-05
ARG FROM_IMAGE_AUDITOR=base:auditor-bookworm-2023-09-05
ARG FROM_IMAGE_RUNTIME=base:runtime-bookworm-2023-09-05
ARG FROM_IMAGE_TOOLS=tools:linux-bookworm-2023-09-05
# Deliberately no --platform=$BUILDPLATFORM: dns-health from this image is copied straight
# into the runtime image later on, so it must be the target-platform build.
FROM $FROM_REGISTRY/$FROM_IMAGE_TOOLS AS builder-tools
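#######################
# Fetcher
#######################
# Fetches lego source at a pinned commit and pre-downloads its module graph.
# Runs on the build platform so the fetch is shared by every target architecture.
FROM --platform=$BUILDPLATFORM $FROM_REGISTRY/$FROM_IMAGE_BUILDER AS fetcher-lego
ARG GIT_REPO=github.com/go-acme/lego
# GIT_VERSION is informational only; the build trusts GIT_COMMIT (a tag can be moved, a SHA cannot).
ARG GIT_VERSION=v4.15.0
ARG GIT_COMMIT=46fe435c2c2e447ae48df712eca8278bbca8986e
ENV WITH_BUILD_SOURCE="./cmd/lego"
ENV WITH_BUILD_OUTPUT="lego"
# cgo stays on; the builder stage selects the libc vs pure-Go resolver via build tags.
ENV CGO_ENABLED=1
# Fail fast on a bad clone (the original `;` chain would only fail at the checkout), and
# make any submodule content follow the pinned commit instead of the default-branch tip
# that --recurse-submodules on clone checked out.
RUN git clone --recurse-submodules https://"$GIT_REPO" . \
    && git checkout --recurse-submodules "$GIT_COMMIT"
# CA and NETRC are BuildKit secret mounts: visible to this command only, never written to a layer.
# Module download is skipped when vendoring is forced through GOFLAGS.
RUN --mount=type=secret,id=CA \
    --mount=type=secret,id=NETRC \
    [[ "${GOFLAGS:-}" == *-mod=vendor* ]] || go mod download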
#######################
# Lego builder
#######################
# Cross-compiles lego for TARGETOS/TARGETARCH(+TARGETVARIANT) while running on the build platform.
# The knobs read below (CFLAGS, LDFLAGS, ENABLE_PIE, ENABLE_STATIC, WITH_CGO_NET, WITH_TAGS)
# are not declared in this file -- presumably inherited as ENV from the builder base image; confirm there.
FROM --platform=$BUILDPLATFORM fetcher-lego AS builder-lego
ARG TARGETARCH
ARG TARGETOS
ARG TARGETVARIANT
ENV GOOS=$TARGETOS
ENV GOARCH=$TARGETARCH
# -fPIE is only added when ENABLE_PIE is set (Dockerfile ${var:+word} expansion).
ENV CGO_CFLAGS="${CFLAGS:-} ${ENABLE_PIE:+-fPIE}"
# -trimpath keeps build-host paths out of the binary (reproducible builds, no path leakage).
ENV GOFLAGS="-trimpath ${ENABLE_PIE:+-buildmode=pie} ${GOFLAGS:-}"
# GOARM is derived from the variant (v6 -> 6, v7 -> 7). With cgo on, the Debian cross toolchain
# for the target triplet is selected through dpkg-architecture, and static linking is switched
# off when WITH_CGO_NET is set (the libc resolver is in play) or when PIE is requested on anything
# other than amd64/arm64. The final link strips symbols and DWARF (-s -w); the net(c)go/osusergo
# tags pick the pure-Go or libc implementations of the resolver and user lookups.
RUN export GOARM="$(printf "%s" "$TARGETVARIANT" | tr -d v)"; \
[ "${CGO_ENABLED:-}" != 1 ] || { \
eval "$(dpkg-architecture -A "$(echo "$TARGETARCH$TARGETVARIANT" | sed -e "s/^armv6$/armel/" -e "s/^armv7$/armhf/" -e "s/^ppc64le$/ppc64el/" -e "s/^386$/i386/")")"; \
export PKG_CONFIG="${DEB_TARGET_GNU_TYPE}-pkg-config"; \
export AR="${DEB_TARGET_GNU_TYPE}-ar"; \
export CC="${DEB_TARGET_GNU_TYPE}-gcc"; \
export CXX="${DEB_TARGET_GNU_TYPE}-g++"; \
[ ! "${ENABLE_STATIC:-}" ] || { \
[ ! "${WITH_CGO_NET:-}" ] || { \
ENABLE_STATIC=; \
LDFLAGS="${LDFLAGS:-} -static-libgcc -static-libstdc++"; \
}; \
[ "$GOARCH" == "amd64" ] || [ "$GOARCH" == "arm64" ] || [ "${ENABLE_PIE:-}" != true ] || ENABLE_STATIC=; \
}; \
WITH_LDFLAGS="${WITH_LDFLAGS:-} -linkmode=external -extld="$CC" -extldflags \"${LDFLAGS:-} ${ENABLE_STATIC:+-static}${ENABLE_PIE:+-pie}\""; \
WITH_TAGS="${WITH_TAGS:-} cgo ${ENABLE_STATIC:+static static_build}"; \
}; \
go build -ldflags "-s -w -v ${WITH_LDFLAGS:-}" -tags "${WITH_TAGS:-} net${WITH_CGO_NET:+c}go osusergo" -o /dist/boot/bin/"$WITH_BUILD_OUTPUT" "$WITH_BUILD_SOURCE"
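#######################
# Fetcher
#######################
# Fetches coredns at a pinned commit, registers the mdns and unbound external plugins, and
# installs the cross-arch C headers the unbound plugin needs (cgo).
# Runs on the build platform so the module and apt work is shared by every target.
FROM --platform=$BUILDPLATFORM $FROM_REGISTRY/$FROM_IMAGE_BUILDER AS fetcher-coredns
ARG GIT_REPO=github.com/coredns/coredns
# GIT_VERSION is informational only; the build trusts GIT_COMMIT (a tag can be moved, a SHA cannot).
ARG GIT_VERSION=v1.11.1
ARG GIT_COMMIT=ae2bbc29be1aaae0b3ded5d188968a6c97bb3144
ENV WITH_BUILD_SOURCE=./coredns.go
ENV WITH_BUILD_OUTPUT=coredns
# Bakes the pinned commit into coredns' version output.
ENV WITH_LDFLAGS="-X $GIT_REPO/coremain.GitCommit=$GIT_COMMIT"
ENV CGO_ENABLED=1
# Fail fast on a bad clone (the original `;` chain would only fail at the checkout), and
# make any submodule content follow the pinned commit instead of the default-branch tip
# that --recurse-submodules on clone checked out.
RUN git clone --recurse-submodules https://"$GIT_REPO" . \
    && git checkout --recurse-submodules "$GIT_COMMIT"
# CA and NETRC are BuildKit secret mounts: visible to this command only, never written to a layer.
# Every step is now &&-chained so a failed generate/tidy fails the build instead of being masked.
# NOTE(review): the mdns and unbound plugin modules are not pinned here -- unless coredns' own
# go.mod already requires them, `go mod tidy` resolves whatever version the module graph settles
# on at build time. Pin them (`go get <module>@<commit-or-tag>` before the tidy) if reviewed,
# reproducible inputs are required.
RUN --mount=type=secret,id=CA \
    --mount=type=secret,id=NETRC \
    { [[ "${GOFLAGS:-}" == *-mod=vendor* ]] || go mod download; } \
    && printf "mdns:github.com/openshift/coredns-mdns\n" >> plugin.cfg \
    && printf "unbound:github.com/coredns/unbound\n" >> plugin.cfg \
    && go generate coredns.go \
    && go mod tidy -compat=1.17
# XXX how to pin that?
# Headers are installed for both arm64 and amd64 regardless of TARGETARCH so this stage stays
# cacheable across targets; it also means only those two archs can link the unbound plugin here.
# apt lists are deliberately left in place (builder-only stage, nothing from it is shipped).
# `|| exit 1` inside the loop: a for loop only reports its last iteration, so without it a
# failed arm64 install would be hidden by a successful amd64 one.
# hadolint ignore=DL3009
RUN --mount=type=secret,uid=100,id=CA \
    --mount=type=secret,uid=100,id=CERTIFICATE \
    --mount=type=secret,uid=100,id=KEY \
    --mount=type=secret,uid=100,id=GPG.gpg \
    --mount=type=secret,id=NETRC \
    --mount=type=secret,id=APT_SOURCES \
    --mount=type=secret,id=APT_CONFIG \
    apt-get update -qq \
    && for architecture in arm64 amd64; do \
        apt-get install -qq --no-install-recommends \
            libunbound-dev:"$architecture"=1.17.1-2 \
            nettle-dev:"$architecture"=3.8.1-2 \
            libevent-dev:"$architecture"=2.1.12-stable-8 \
        || exit 1; \
    done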
##########################
# Builder custom
##########################
# Cross-compiles coredns (with the mdns/unbound plugins registered in the fetcher stage) for
# TARGETOS/TARGETARCH(+TARGETVARIANT) while running on the build platform.
# The knobs read below (CFLAGS, LDFLAGS, ENABLE_PIE, ENABLE_STATIC, WITH_CGO_NET, WITH_TAGS)
# are not declared in this file -- presumably inherited as ENV from the builder base image; confirm there.
FROM --platform=$BUILDPLATFORM fetcher-coredns AS builder-coredns
ARG TARGETARCH
ARG TARGETOS
ARG TARGETVARIANT
ENV GOOS=$TARGETOS
ENV GOARCH=$TARGETARCH
# -fPIE is only added when ENABLE_PIE is set (Dockerfile ${var:+word} expansion).
ENV CGO_CFLAGS="${CFLAGS:-} ${ENABLE_PIE:+-fPIE}"
# -trimpath keeps build-host paths out of the binary (reproducible builds, no path leakage).
ENV GOFLAGS="-trimpath ${ENABLE_PIE:+-buildmode=pie} ${GOFLAGS:-}"
# Same cross-compile preamble as the lego builder: GOARM from the variant, Debian cross
# toolchain selected through dpkg-architecture, static linking disabled when WITH_CGO_NET is
# set or when PIE is requested on anything other than amd64/arm64. WITH_LDFLAGS already carries
# the -X GitCommit stamp from the fetcher stage. The link strips symbols and DWARF (-s -w).
RUN export GOARM="$(printf "%s" "$TARGETVARIANT" | tr -d v)"; \
[ "${CGO_ENABLED:-}" != 1 ] || { \
eval "$(dpkg-architecture -A "$(echo "$TARGETARCH$TARGETVARIANT" | sed -e "s/^armv6$/armel/" -e "s/^armv7$/armhf/" -e "s/^ppc64le$/ppc64el/" -e "s/^386$/i386/")")"; \
export PKG_CONFIG="${DEB_TARGET_GNU_TYPE}-pkg-config"; \
export AR="${DEB_TARGET_GNU_TYPE}-ar"; \
export CC="${DEB_TARGET_GNU_TYPE}-gcc"; \
export CXX="${DEB_TARGET_GNU_TYPE}-g++"; \
[ ! "${ENABLE_STATIC:-}" ] || { \
[ ! "${WITH_CGO_NET:-}" ] || { \
ENABLE_STATIC=; \
LDFLAGS="${LDFLAGS:-} -static-libgcc -static-libstdc++"; \
}; \
[ "$GOARCH" == "amd64" ] || [ "$GOARCH" == "arm64" ] || [ "${ENABLE_PIE:-}" != true ] || ENABLE_STATIC=; \
}; \
WITH_LDFLAGS="${WITH_LDFLAGS:-} -linkmode=external -extld="$CC" -extldflags \"${LDFLAGS:-} ${ENABLE_STATIC:+-static}${ENABLE_PIE:+-pie}\""; \
WITH_TAGS="${WITH_TAGS:-} cgo ${ENABLE_STATIC:+static static_build}"; \
}; \
go build -ldflags "-s -w -v ${WITH_LDFLAGS:-}" -tags "${WITH_TAGS:-} net${WITH_CGO_NET:+c}go osusergo" -o /dist/boot/bin/"$WITH_BUILD_OUTPUT" "$WITH_BUILD_SOURCE"
# Ship the target-arch shared objects the unbound plugin links against, so the runtime image
# does not need the -dev packages. Only libunbound and libevent are copied; their own
# dependencies (libssl/libcrypto, nettle, ...) are presumably provided by the runtime base --
# confirm with ldd in the final image.
RUN mkdir -p /dist/boot/lib; \
eval "$(dpkg-architecture -A "$(echo "$TARGETARCH$TARGETVARIANT" | sed -e "s/^armv6$/armel/" -e "s/^armv7$/armhf/" -e "s/^ppc64le$/ppc64el/" -e "s/^386$/i386/")")"; \
cp /usr/lib/"$DEB_TARGET_MULTIARCH"/libunbound.so.8 /dist/boot/lib; \
cp /usr/lib/"$DEB_TARGET_MULTIARCH"/libevent-2.1.so.7 /dist/boot/lib
# XXX whether or not we want these in depends on how slick we want the future runtime
# cp /lib/"$DEB_TARGET_MULTIARCH"/libpthread.so.0 /dist/boot/lib; \
# cp /lib/"$DEB_TARGET_MULTIARCH"/libc.so.6 /dist/boot/lib; \
# go get github.com/coredns/unbound; \
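#######################
# Builder assembly, XXX should be auditor
#######################
# Gathers every artifact under /dist, rewrites rpaths, grants cap_net_bind_service to coredns
# (so a non-root user can bind :53) and normalizes modes and mtimes for reproducible layers.
FROM --platform=$BUILDPLATFORM $FROM_REGISTRY/$FROM_IMAGE_AUDITOR AS builder
COPY --from=builder-lego /dist /dist
COPY --from=builder-coredns /dist /dist
COPY --from=builder-tools /boot/bin/dns-health /dist/boot/bin
# Two extra coredns variants (also shipped in the runtime image): one without any capability,
# one with the capability plus an $ORIGIN-relative rpath.
RUN cp /dist/boot/bin/coredns /dist/boot/bin/coredns_no_cap \
    && cp /dist/boot/bin/coredns /dist/boot/bin/coredns_cap+origin
# hadolint ignore=SC2016
RUN patchelf --set-rpath '$ORIGIN/../lib' /dist/boot/bin/coredns_no_cap
# hadolint ignore=SC2016
RUN patchelf --set-rpath '$ORIGIN/../lib' /dist/boot/bin/coredns_cap+origin
# setcap must run AFTER patchelf: patchelf rewrites the file, and Linux clears the
# security.capability xattr whenever a file is written or truncated (same rule as setuid).
# The previous order (setcap, then patchelf) most likely left coredns_cap+origin with no
# capability at all. The shipped coredns below already used the correct order.
RUN setcap 'cap_net_bind_service+ep' /dist/boot/bin/coredns_cap+origin
# XXX https://mail.openjdk.java.net/pipermail/distro-pkg-dev/2010-May/009112.html
# no $ORIGIN rpath expansion with caps
# A capability-bearing binary is loaded in secure-exec mode, so the shipped binaries get an
# absolute rpath instead. Consequence: /boot/lib must not be writable by the runtime user,
# otherwise the capability-bearing coredns can be made to load a replaced .so.
RUN patchelf --set-rpath '/boot/lib' /dist/boot/bin/coredns \
    && patchelf --set-rpath '/boot/lib' /dist/boot/bin/lego \
    && patchelf --set-rpath '/boot/lib' /dist/boot/lib/*
# Applied last, after the final write to the file (see the xattr note above).
RUN setcap 'cap_net_bind_service+ep' /dist/boot/bin/coredns
# Executables are read+exec only; mtimes newer than BUILD_CREATED are clamped to it so the
# layer is reproducible. BUILD_CREATED is not declared in this file -- presumably an ARG/ENV
# of the auditor base image; the date call fails the build if it is unset or unparsable.
RUN chmod 555 /dist/boot/bin/* \
    && epoch="$(date --date "$BUILD_CREATED" +%s)" \
    && find /dist/boot -newermt "@$epoch" -exec touch --no-dereference --date="@$epoch" '{}' +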
#######################
# Running image
#######################
# Runtime stage: only /dist from the assembly stage lands here.
# NOTE(review): no USER is set in this file; the runtime base image is presumably what drops
# privileges to $BUILD_UID -- confirm. Also confirm with `getcap /boot/bin/coredns` in the
# final image that the file capability survived COPY --chown, and consider root ownership for
# /boot/lib: a capability-bearing binary should not load libraries the runtime user can rewrite.
FROM $FROM_REGISTRY/$FROM_IMAGE_RUNTIME
# Get relevant bits from builder
COPY --from=builder --chown=$BUILD_UID:root /dist /
# Runtime defaults, overridable with `docker run -e`. They are presumably consumed by an
# entrypoint from the runtime base image (not visible in this file).
ENV DNS_OVER_TLS_ENABLED=false
ENV DNS_OVER_TLS_DOMAIN=""
ENV DNS_OVER_TLS_PORT=853
# NOTE(review): lego was not granted cap_net_bind_service (only coredns was), so binding 443
# as non-root depends on the runtime's unprivileged-port sysctl -- verify, or move it above 1024.
ENV DNS_OVER_TLS_LEGO_PORT=443
# NOTE(review): the address shown here looks like a redacted/placeholder value; a real ACME
# contact must be supplied at deploy time.
ENV DNS_OVER_TLS_LEGO_EMAIL="[email protected]"
# Staging Let's Encrypt issues untrusted certificates; keep false in production.
ENV DNS_OVER_TLS_LE_USE_STAGING=false
ENV DNS_FORWARD_ENABLED=true
# Upstream over TLS; the name is what the upstream certificate is validated against.
ENV DNS_FORWARD_UPSTREAM_NAME="cloudflare-dns.com"
ENV DNS_FORWARD_UPSTREAM_IP_1="tls://1.1.1.1"
ENV DNS_FORWARD_UPSTREAM_IP_2="tls://1.0.0.1"
# Port 53 is below 1024: bindable by the non-root user only because coredns carries cap_net_bind_service.
ENV DNS_PORT=53
ENV DNS_OVER_GRPC_PORT=553
ENV DNS_STUFF_MDNS=false
ENV METRICS_PORT=9253
# NOTE: this will not be updated at runtime and will always EXPOSE default values
# Either way, EXPOSE does not do anything, except function as a documentation helper
EXPOSE $DNS_PORT/udp
EXPOSE $DNS_OVER_TLS_PORT/tcp
EXPOSE $DNS_OVER_TLS_LEGO_PORT/tcp
EXPOSE $DNS_OVER_GRPC_PORT/tcp
EXPOSE $METRICS_PORT/tcp
# Lego just needs /certs to work
VOLUME /certs
# Probe: a UDP query for a fixed name against the local resolver.
ENV HEALTHCHECK_URL="127.0.0.1:$DNS_PORT"
ENV HEALTHCHECK_QUESTION=dns.autonomous.healthcheck.farcloser.world
ENV HEALTHCHECK_TYPE=udp
# retries=1: a single failed probe marks the container unhealthy. `|| exit 1` folds any
# non-zero status into 1 (Docker reserves exit code 2). Shell form: requires a shell in the base.
HEALTHCHECK --interval=120s --timeout=30s --start-period=10s --retries=1 CMD dns-health || exit 1