Bump

Signed-off-by: dubo-dubon-duponey <[email protected]>

.github/workflows/CI.yml

@@ -20,23 +20,19 @@ jobs:
           path: $GITHUB_WORKSPACE/cache
           key: cache
 
-        # XXX move to container tooling
-      - name: Install hadolint and shellcheck
+      - name: Prepare directories
         run: |
-          curl --proto '=https' --tlsv1.3 -sSfL -o hadolint "https://github.com/hadolint/hadolint/releases/download/v2.6.0/hadolint-$(uname -s)-$(uname -m)"
-          chmod 700 ./hadolint
-          curl --proto '=https' --tlsv1.3 -sSfL -o shellcheck.tar.xz "https://github.com/koalaman/shellcheck/releases/download/v0.7.2/shellcheck-v0.7.2.linux.$(uname -m).tar.xz"
-          tar -xf shellcheck.tar.xz
-          mv ./shellcheck-v0.7.2/shellcheck .
+          sudo mkdir -p "$GITHUB_WORKSPACE/cache/apt"
+          sudo mkdir -p "$GITHUB_WORKSPACE/cache/certs"
+          sudo mkdir -p "$GITHUB_WORKSPACE/cache/bin"
+          sudo chown -R 2000:root "$GITHUB_WORKSPACE/cache/apt"
+          sudo chown -R 2000:root "$GITHUB_WORKSPACE/cache/certs"
+          sudo chown -R $(id -u) "$GITHUB_WORKSPACE/cache/bin"
 
-      # XXX update this to a more recent apt proxy
       - name: Start apt proxy
         run: |
           # Hiding the read-only token base64 to avoid github disabling it...
           echo OWMyMGVhYzk4N2NhYWQxYmI3MzhmNTZkODNmOGMwOGJjZjlhNDc4YQo= | base64 -d | docker login ghcr.io -u dubo-dubon-duponey --password-stdin
-          mkdir -p "$GITHUB_WORKSPACE/cache/apt"
-          mkdir -p "$GITHUB_WORKSPACE/cache/certs"
-          sudo chown -R 2000:root "$GITHUB_WORKSPACE/cache"
           docker run --rm -d --expose 443 --expose 80 --pull always \
             --name apt-front \
             --read-only \
@@ -55,37 +51,21 @@ jobs:
 
       - name: test
         run: |
-          # Start buildkit
-          bkaddr="$(./hack/helpers/start-buildkit.sh)"
           # Set the path and install the tools
-          export BIN_LOCATION="$(pwd)"
-          ./hack/helpers/install-tools.sh
-          export PATH="$BIN_LOCATION:$PATH"
-          cd "$GITHUB_WORKSPACE"
+          BIN_LOCATION="$GITHUB_WORKSPACE/cache/bin" source ./hack/helpers/install-tools.sh
+          # Start buildkit
+          bkaddr="$(./hack/helpers/start-buildkit.sh 2>/dev/null)"
           # Sanity check
           echo "Sanity checks"
-          command -v "cue" > /dev/null || {
-            echo "Cue installation had failed"
-            exit 1
-          }
-          which cue
           cue version
-          command -v "buildctl" > /dev/null || {
-            echo "Cue installation had failed"
-            exit 1
-          }
-          which buildctl
-          buildctl --version
-          buildctl --addr "$bkaddr" debug workers
-          which hadolint
           hadolint --version
-          which shellcheck
           shellcheck --version
+          buildctl --version
+          buildctl --addr "$bkaddr" debug workers
           docker logs --tail 200 apt-front
           # Lint
           ./hack/lint.sh
           # Test, with our injected proxy and environment
-          #  --inject apt_proxy="http://$(docker inspect apt-front | jq -rc .[0].NetworkSettings.Networks.bridge.IPAddress):4443"
           ./hack/test.sh \
             --inject bk="$bkaddr" \
             --inject ip="$(docker inspect apt-front | jq -rc .[0].NetworkSettings.Networks.bridge.IPAddress)" \

DEVELOP.md

@@ -10,11 +10,11 @@
 
 ### The what
 
-This image is built using: `ghcr.io/dubo-dubon-duponey/base:builder-bullseye-2021-08-01` 
+This image is built using: `ghcr.io/dubo-dubon-duponey/base:builder-bullseye-2021-09-01` 
 
-The runtime part is based on: `ghcr.io/dubo-dubon-duponey/base:runtime-bullseye-2021-08-01`
+The runtime part is based on: `ghcr.io/dubo-dubon-duponey/base:runtime-bullseye-2021-09-01`
 
-Both these images are built upon: `ghcr.io/dubo-dubon-duponey/debian:bullseye-2021-08-01`, a debootstrapped version of Debian ("bullseye" at this time), built from a snapshot at 2021-08-01.
+Both these images are built upon: `ghcr.io/dubo-dubon-duponey/debian:bullseye-2021-09-01`
 
 You can find out more here:
 

Dockerfile

@@ -1,9 +1,9 @@
 ARG           FROM_REGISTRY=ghcr.io/dubo-dubon-duponey
 
-ARG           FROM_IMAGE_BUILDER=base:builder-bullseye-2021-08-01@sha256:a49ab8a07a2da61eee63b7d9d33b091df190317aefb91203ad0ac41af18d5236
-ARG           FROM_IMAGE_AUDITOR=base:auditor-bullseye-2021-08-01@sha256:607d8b42af53ebbeb0064a5fd41895ab34ec670a810a704dbf53a2beb3ab769d
-ARG           FROM_IMAGE_RUNTIME=base:runtime-bullseye-2021-08-01@sha256:3fdb7b859e3fea12a7604ff4ae7e577628784ac1f6ea0d5609de65a4b26e5b3c
-ARG           FROM_IMAGE_TOOLS=tools:linux-bullseye-2021-08-01@sha256:9e54b76442e4d8e1cad76acc3c982a5623b59f395b594af15bef6b489862ceac
+ARG           FROM_IMAGE_BUILDER=base:builder-bullseye-2021-09-01@sha256:12be2a6d0a64b59b1fc44f9b420761ad92efe8188177171163b15148b312481a
+ARG           FROM_IMAGE_AUDITOR=base:auditor-bullseye-2021-09-01@sha256:28d5eddcbbee12bc671733793c8ea8302d7d79eb8ab9ba0581deeacabd307cf5
+ARG           FROM_IMAGE_RUNTIME=base:runtime-bullseye-2021-09-01@sha256:bbd3439247ea1aa91b048e77c8b546369138f910b5083de697f0d36ac21c1a8c
+ARG           FROM_IMAGE_TOOLS=tools:linux-bullseye-2021-09-01@sha256:e5535efb771ca60d2a371cd2ca2eb1a7d6b7b13cc5c4d27d48613df1a041431d
 
 FROM          $FROM_REGISTRY/$FROM_IMAGE_TOOLS                                                                          AS builder-tools
 
@@ -13,8 +13,8 @@ FROM          $FROM_REGISTRY/$FROM_IMAGE_TOOLS
 FROM          --platform=$BUILDPLATFORM $FROM_REGISTRY/$FROM_IMAGE_BUILDER                                              AS fetcher-lego
 
 ARG           GIT_REPO=github.com/go-acme/lego
-ARG           GIT_VERSION=4.2.0
-ARG           GIT_COMMIT=52e6721dca65e1618067db242a61baf523140b71
+ARG           GIT_VERSION=v4.4.0
+ARG           GIT_COMMIT=7c24212e8a1df8547ca6edb6cf630cff60e62f46
 
 ENV           WITH_BUILD_SOURCE="./cmd/lego"
 ENV           WITH_BUILD_OUTPUT="lego"
@@ -68,7 +68,7 @@ RUN           export GOARM="$(printf "%s" "$TARGETVARIANT" | tr -d v)"; \
 FROM          --platform=$BUILDPLATFORM $FROM_REGISTRY/$FROM_IMAGE_BUILDER                                              AS fetcher-coredns
 
 ARG           GIT_REPO=github.com/coredns/coredns
-ARG           GIT_VERSION=1.8.4
+ARG           GIT_VERSION=v1.8.4
 ARG           GIT_COMMIT=053c4d5ca1772517746a854e87ffa971249df14b
 
 ENV           WITH_BUILD_SOURCE=./coredns.go

README.md

@@ -55,7 +55,7 @@ docker run -d \
     --publish 53:1053/udp \
     --cap-drop ALL \
     --read-only \
-    dubodubonduponey/coredns
+    ghcr.io/dubo-dubon-duponey/dns
 ```
 
 ### TLS server, forwarding
@@ -74,7 +74,7 @@ docker run -d \
     --publish 853:1853/tcp \
     --cap-drop ALL \
     --read-only \
-    dubodubonduponey/coredns
+    ghcr.io/dubo-dubon-duponey/dns
 ```
 
 ### Traditional DNS server, recursive
@@ -85,7 +85,7 @@ docker run -d \
     --publish 53:1053/udp \
     --cap-drop ALL \
     --read-only \
-    dubodubonduponey/coredns
+    ghcr.io/dubo-dubon-duponey/dns
 ```
 
 ### TLS server, recursive
@@ -99,7 +99,7 @@ docker run -d \
     --publish 853:1853/tcp \
     --cap-drop ALL \
     --read-only \
-    dubodubonduponey/coredns
+    ghcr.io/dubo-dubon-duponey/dns
 ```
 
 For TLS, you do need to expose port 443 publicly from your docker host so that LetsEncrypt can issue your certificate,
@@ -123,7 +123,7 @@ docker run -d \
     --publish 853:1853/tcp \
     --cap-drop ALL \
     --read-only \
-    dubodubonduponey/coredns
+    ghcr.io/dubo-dubon-duponey/dns
 ```
 
 ### Networking
@@ -142,7 +142,7 @@ docker run -d \
     --user root \
     --cap-drop ALL \
     --read-only \
-    dubodubonduponey/coredns
+    ghcr.io/dubo-dubon-duponey/dns
 ```
 
 ### Configuration reference

cue.mod/pkg/duponey.cloud/scullery/cake.cue

@@ -34,10 +34,10 @@ import (
 			addr: icing.buildkit.address
 		}
 		tls: {
-			name : icing.buildkit.name
-			ca : icing.buildkit.ca
-			key : icing.buildkit.key
-			cert : icing.buildkit.cert
+			name: icing.buildkit.name
+			ca: icing.buildkit.ca
+			key: icing.buildkit.key
+			cert: icing.buildkit.cert
 		}
 		// XXX this does not work as expected, and is one of the most aggravating things about cue - the inability to have cascading defaults resolve to something (especially with @tags)
 		// If no context was provided at all, default to ./context for buildkit - this means that none of the scullery tooling can operate safely on the value of the context - fine

hack/build.sh

@@ -1,9 +1,12 @@
 #!/usr/bin/env bash
 set -o errexit -o errtrace -o functrace -o nounset -o pipefail
 
-# Get our root
 # shellcheck source=/dev/null
 root="$(cd "$(dirname "${BASH_SOURCE[0]:-$PWD}")" 2>/dev/null 1>&2 && pwd)/../"
+readonly root
+
+# shellcheck source=/dev/null
+BIN_LOCATION="${BIN_LOCATION:-$root/cache/bin}" source "$root/hack/helpers/install-tools.sh"
 
 # Build the cue invocation
 params=(cue)

hack/helpers/install-tools.sh

@@ -2,38 +2,42 @@
 set -o errexit -o errtrace -o functrace -o nounset -o pipefail
 
 export SUITE=bullseye
-export DATE=2021-07-01
+export DATE=2021-08-01
 
 export BIN_LOCATION="${BIN_LOCATION:-$HOME/bin}"
 export PATH="$BIN_LOCATION:$PATH"
-readonly IMAGE_TOOLS="${IMAGE_TOOLS:-ghcr.io/dubo-dubon-duponey/tools:$(uname | grep -q Darwin && printf "macos" || printf "linux-dev")-$SUITE-$DATE}"
+readonly IMAGE_TOOLS="${IMAGE_TOOLS:-ghcr.io/dubo-dubon-duponey/tools:$(uname -s | grep -q Darwin && printf "macos" || printf "linux-dev")-$SUITE-$DATE}"
+
+export SHELLCHECK_VERSION=0.7.2
+export HADOLINT_VERSION=2.7.0
 
 setup::tools(){
   local location="$1"
   if  command -v "$location/cue" > /dev/null &&
       command -v "$location/buildctl" > /dev/null &&
-      command -v docker > /dev/null; then
+      command -v "$location/docker" > /dev/null &&
+      command -v "$location/hadolint" > /dev/null &&
+      command -v "$location/shellcheck" > /dev/null; then
     return
   fi
 
   mkdir -p "$location"
-  docker rm -f dubo-tools 2>/dev/null || true
-  docker run --pull always --name dubo-tools "$IMAGE_TOOLS" /boot/bin/cue >/dev/null 2>&1 || true
+  docker rm -f dubo-tools >/dev/null 2>&1 || true
+  docker create --pull always --name dubo-tools "$IMAGE_TOOLS" bash > /dev/null
   docker cp dubo-tools:/boot/bin/cue "$location"
   docker cp dubo-tools:/boot/bin/buildctl "$location"
   docker cp dubo-tools:/boot/bin/docker "$location"
-  docker rm -f dubo-tools 2>/dev/null || true
-}
+  docker rm -f dubo-tools >/dev/null 2>&1
 
-# XXX add hado & shellcheck to the images
-command -v hadolint >/dev/null || {
-  printf >&2 "You need to install hadolint"
-  exit 1
-}
+  # XXX add hado & shellcheck to the dev image
+  curl --proto '=https' --tlsv1.2 -sSfL -o "$location/hadolint" "https://github.com/hadolint/hadolint/releases/download/v$HADOLINT_VERSION/hadolint-$(uname -s)-$(uname -m)"
+  chmod 700 "$location/hadolint"
 
-command -v shellcheck >/dev/null || {
-  printf >&2 "You need to install shellcheck"
-  exit 1
+  curl --proto '=https' --tlsv1.2 -sSfL -o shellcheck.tar.xz "https://github.com/koalaman/shellcheck/releases/download/v$SHELLCHECK_VERSION/shellcheck-v$SHELLCHECK_VERSION.$(uname -s | tr '[:upper:]' '[:lower:]').$(uname -m).tar.xz"
+  tar -xf shellcheck.tar.xz
+  mv ./shellcheck-v$SHELLCHECK_VERSION/shellcheck "$location"
+  rm shellcheck.tar.xz
+  rm -Rf ./shellcheck-v$SHELLCHECK_VERSION
 }
 
 setup::tools "$BIN_LOCATION"

hack/lint.sh

@@ -1,11 +1,13 @@
 #!/usr/bin/env bash
 set -o errexit -o errtrace -o functrace -o nounset -o pipefail
 
-# Get where we are
 # shellcheck source=/dev/null
 root="$(cd "$(dirname "${BASH_SOURCE[0]:-$PWD}")" 2>/dev/null 1>&2 && pwd)/../"
 readonly root
 
+# shellcheck source=/dev/null
+BIN_LOCATION="${BIN_LOCATION:-$root/cache/bin}" source "$root/hack/helpers/install-tools.sh"
+
 # Ignore some hadolint warnings that do not make much sense
 # DL3006 is about "dO nOT UsE --platform", which is really ludicrous
 # DL3029 complains about unpinned images (which is not true, we are just using ARGs for that)

hack/recipe.cue

@@ -29,13 +29,13 @@ cakes: {
 
 			output: {
 				images: {
-					names: [...string] | * ["coredns"],
+					names: [...string] | * ["dns"],
 					tags: [...string] | * ["latest"]
 				}
 			}
 
 			metadata: {
-				title: string | * "Dubo CoreDNS",
+				title: string | * "Dubo DNS",
 				description: string | * "A dubo image for CoreDNS",
 			}
 		}
@@ -44,7 +44,7 @@ cakes: {
 
 injectors: {
 	suite: * "bullseye" | =~ "^(?:jessie|stretch|buster|bullseye|sid)$" @tag(suite, type=string)
-	date: * "2021-08-01" | =~ "^[0-9]{4}-[0-9]{2}-[0-9]{2}$" @tag(date, type=string)
+	date: * "2021-09-01" | =~ "^[0-9]{4}-[0-9]{2}-[0-9]{2}$" @tag(date, type=string)
 	platforms: string @tag(platforms, type=string)
 	registry: * "registry.local" | string @tag(registry, type=string)
 }

hack/test.sh

@@ -4,19 +4,16 @@ set -o errexit -o errtrace -o functrace -o nounset -o pipefail
 # shellcheck source=/dev/null
 root="$(cd "$(dirname "${BASH_SOURCE[0]:-$PWD}")" 2>/dev/null 1>&2 && pwd)/../"
 
-readonly name="${1:-image}"
-shift || true
-
 # Simple no-thrill build tester
 # XXX Currently reduced to a single architecture to avoid using all disk space until we figure out our space efficiency problem (likely the fat builder image getting duplicated over and over)
 # Solution would probably be to do like buildkit and fetch with a lightweight go image while build mount from the previous stage instead of inheriting - annoying but probably the only way
 if ! "$root/hack/build.sh" \
     --inject registry="ghcr.io/dubo-dubon-duponey" \
     --inject progress=plain \
-	  --inject date=2021-08-01 \
+	  --inject date=2021-09-01 \
 	  --inject suite=bullseye \
     --inject platforms=linux/arm64 \
-  	"$name" "$@"; then
+  	"image" "$@"; then
   printf >&2 "Failed building\n"
   exit 1
 fi