Merge pull request #18 from dubo-dubon-duponey/work

Work

.github/workflows/CI.yml

@@ -5,7 +5,7 @@ on: [push, pull_request]
 jobs:
   test:
     # The type of runner that the job will run on
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
 
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
@@ -31,8 +31,6 @@ jobs:
 
       - name: Start apt proxy
         run: |
-          # Hiding the read-only token base64 to avoid github disabling it...
-          echo OWMyMGVhYzk4N2NhYWQxYmI3MzhmNTZkODNmOGMwOGJjZjlhNDc4YQo= | base64 -d | docker login ghcr.io -u dubo-dubon-duponey --password-stdin
           docker run --rm -d --expose 443 --expose 80 --pull always \
             --name apt-front \
             --read-only \
@@ -47,12 +45,13 @@ jobs:
             --env ADDITIONAL_DOMAINS=*.debian.org \
             --volume "$GITHUB_WORKSPACE/cache/certs":/certs \
             --volume "$GITHUB_WORKSPACE/cache/apt":/data \
-            ghcr.io/dubo-dubon-duponey/aptutil:bullseye-2021-08-01
+            docker.io/dubodubonduponey/aptutil:bullseye-2021-08-01
 
       - name: test
         run: |
           # Set the path and install the tools
-          BIN_LOCATION="$GITHUB_WORKSPACE/cache/bin" source ./hack/helpers/install-tools.sh
+          export PATH="$GITHUB_WORKSPACE/cache/bin:$PATH"
+          ./hack/helpers/install-tools.sh
           # Start buildkit
           bkaddr="$(./hack/helpers/start-buildkit.sh 2>/dev/null)"
           # Sanity check

.gitignore

@@ -2,3 +2,5 @@
 /.idea
 */cache/*
 cache
+*trace.json
+xxx-*

DEVELOP.md

@@ -10,11 +10,11 @@
 
 ### The what
 
-This image is built using: `ghcr.io/dubo-dubon-duponey/base:builder-bullseye-2021-09-01` 
+This image is built using: `docker.io/dubodubonduponey/base:builder-bullseye-2022-12-01` 
 
-The runtime part is based on: `ghcr.io/dubo-dubon-duponey/base:runtime-bullseye-2021-09-01`
+The runtime part is based on: `docker.io/dubodubonduponey/base:runtime-bullseye-2022-12-01`
 
-Both these images are built upon: `ghcr.io/dubo-dubon-duponey/debian:bullseye-2021-09-01`
+Both these images are built upon: `docker.io/dubodubonduponey/debian:bullseye-2022-12-01`
 
 You can find out more here:
 

Dockerfile

@@ -1,9 +1,9 @@
-ARG           FROM_REGISTRY=ghcr.io/dubo-dubon-duponey
+ARG           FROM_REGISTRY=docker.io/dubodubonduponey
 
-ARG           FROM_IMAGE_BUILDER=base:builder-bullseye-2021-09-01@sha256:12be2a6d0a64b59b1fc44f9b420761ad92efe8188177171163b15148b312481a
-ARG           FROM_IMAGE_AUDITOR=base:auditor-bullseye-2021-09-01@sha256:28d5eddcbbee12bc671733793c8ea8302d7d79eb8ab9ba0581deeacabd307cf5
-ARG           FROM_IMAGE_RUNTIME=base:runtime-bullseye-2021-09-01@sha256:bbd3439247ea1aa91b048e77c8b546369138f910b5083de697f0d36ac21c1a8c
-ARG           FROM_IMAGE_TOOLS=tools:linux-bullseye-2021-09-01@sha256:e5535efb771ca60d2a371cd2ca2eb1a7d6b7b13cc5c4d27d48613df1a041431d
+ARG           FROM_IMAGE_BUILDER=base:builder-bookworm-2023-09-05
+ARG           FROM_IMAGE_AUDITOR=base:auditor-bookworm-2023-09-05
+ARG           FROM_IMAGE_RUNTIME=base:runtime-bookworm-2023-09-05
+ARG           FROM_IMAGE_TOOLS=tools:linux-bookworm-2023-09-05
 
 FROM          $FROM_REGISTRY/$FROM_IMAGE_TOOLS                                                                          AS builder-tools
 
@@ -13,15 +13,15 @@ FROM          $FROM_REGISTRY/$FROM_IMAGE_TOOLS
 FROM          --platform=$BUILDPLATFORM $FROM_REGISTRY/$FROM_IMAGE_BUILDER                                              AS fetcher-lego
 
 ARG           GIT_REPO=github.com/go-acme/lego
-ARG           GIT_VERSION=v4.4.0
-ARG           GIT_COMMIT=7c24212e8a1df8547ca6edb6cf630cff60e62f46
+ARG           GIT_VERSION=v4.15.0
+ARG           GIT_COMMIT=46fe435c2c2e447ae48df712eca8278bbca8986e
 
 ENV           WITH_BUILD_SOURCE="./cmd/lego"
 ENV           WITH_BUILD_OUTPUT="lego"
 
 ENV           CGO_ENABLED=1
 
-RUN           git clone --recurse-submodules git://"$GIT_REPO" .; git checkout "$GIT_COMMIT"
+RUN           git clone --recurse-submodules https://"$GIT_REPO" .; git checkout "$GIT_COMMIT"
 RUN           --mount=type=secret,id=CA \
               --mount=type=secret,id=NETRC \
               [[ "${GOFLAGS:-}" == *-mod=vendor* ]] || go mod download
@@ -40,9 +40,6 @@ ENV           GOARCH=$TARGETARCH
 ENV           CGO_CFLAGS="${CFLAGS:-} ${ENABLE_PIE:+-fPIE}"
 ENV           GOFLAGS="-trimpath ${ENABLE_PIE:+-buildmode=pie} ${GOFLAGS:-}"
 
-# Important cases being handled:
-# - cannot compile statically with PIE but on amd64 and arm64
-# - cannot compile fully statically with NETCGO
 RUN           export GOARM="$(printf "%s" "$TARGETVARIANT" | tr -d v)"; \
               [ "${CGO_ENABLED:-}" != 1 ] || { \
                 eval "$(dpkg-architecture -A "$(echo "$TARGETARCH$TARGETVARIANT" | sed -e "s/^armv6$/armel/" -e "s/^armv7$/armhf/" -e "s/^ppc64le$/ppc64el/" -e "s/^386$/i386/")")"; \
@@ -68,23 +65,24 @@ RUN           export GOARM="$(printf "%s" "$TARGETVARIANT" | tr -d v)"; \
 FROM          --platform=$BUILDPLATFORM $FROM_REGISTRY/$FROM_IMAGE_BUILDER                                              AS fetcher-coredns
 
 ARG           GIT_REPO=github.com/coredns/coredns
-ARG           GIT_VERSION=v1.8.4
-ARG           GIT_COMMIT=053c4d5ca1772517746a854e87ffa971249df14b
+ARG           GIT_VERSION=v1.11.1
+ARG           GIT_COMMIT=ae2bbc29be1aaae0b3ded5d188968a6c97bb3144
 
 ENV           WITH_BUILD_SOURCE=./coredns.go
 ENV           WITH_BUILD_OUTPUT=coredns
 ENV           WITH_LDFLAGS="-X $GIT_REPO/coremain.GitCommit=$GIT_COMMIT"
 
 ENV           CGO_ENABLED=1
 
-RUN           git clone --recurse-submodules git://"$GIT_REPO" .; git checkout "$GIT_COMMIT"
+RUN           git clone --recurse-submodules https://"$GIT_REPO" .; git checkout "$GIT_COMMIT"
 RUN           --mount=type=secret,id=CA \
               --mount=type=secret,id=NETRC \
               [[ "${GOFLAGS:-}" == *-mod=vendor* ]] || go mod download; \
               printf "mdns:github.com/openshift/coredns-mdns\n" >> plugin.cfg; \
               printf "unbound:github.com/coredns/unbound\n" >> plugin.cfg; \
               go generate coredns.go; \
-              go mod tidy
+              go mod tidy -compat=1.17
+
 # XXX how to pin that?
 
 # hadolint ignore=DL3009
@@ -96,11 +94,11 @@ RUN           --mount=type=secret,uid=100,id=CA \
               --mount=type=secret,id=APT_SOURCES \
               --mount=type=secret,id=APT_CONFIG \
               apt-get update -qq; \
-              for architecture in armel armhf arm64 ppc64el i386 s390x amd64; do \
+              for architecture in arm64 amd64; do \
                 apt-get install -qq --no-install-recommends \
-                  libunbound-dev:"$architecture"=1.13.1-1 \
-                  nettle-dev:"$architecture"=3.7.3-1 \
-                  libevent-dev:"$architecture"=2.1.12-stable-1; \
+                  libunbound-dev:"$architecture"=1.17.1-2 \
+                  nettle-dev:"$architecture"=3.8.1-2 \
+                  libevent-dev:"$architecture"=2.1.12-stable-8; \
               done
 
 ##########################
@@ -117,9 +115,6 @@ ENV           GOARCH=$TARGETARCH
 ENV           CGO_CFLAGS="${CFLAGS:-} ${ENABLE_PIE:+-fPIE}"
 ENV           GOFLAGS="-trimpath ${ENABLE_PIE:+-buildmode=pie} ${GOFLAGS:-}"
 
-# Important cases being handled:
-# - cannot compile statically with PIE but on amd64 and arm64
-# - cannot compile fully statically with NETCGO
 RUN           export GOARM="$(printf "%s" "$TARGETVARIANT" | tr -d v)"; \
               [ "${CGO_ENABLED:-}" != 1 ] || { \
                 eval "$(dpkg-architecture -A "$(echo "$TARGETARCH$TARGETVARIANT" | sed -e "s/^armv6$/armel/" -e "s/^armv7$/armhf/" -e "s/^ppc64le$/ppc64el/" -e "s/^386$/i386/")")"; \
@@ -142,10 +137,15 @@ RUN           export GOARM="$(printf "%s" "$TARGETVARIANT" | tr -d v)"; \
 RUN           mkdir -p /dist/boot/lib; \
               eval "$(dpkg-architecture -A "$(echo "$TARGETARCH$TARGETVARIANT" | sed -e "s/^armv6$/armel/" -e "s/^armv7$/armhf/" -e "s/^ppc64le$/ppc64el/" -e "s/^386$/i386/")")"; \
               cp /usr/lib/"$DEB_TARGET_MULTIARCH"/libunbound.so.8    /dist/boot/lib; \
-              cp /lib/"$DEB_TARGET_MULTIARCH"/libpthread.so.0        /dist/boot/lib; \
-              cp /lib/"$DEB_TARGET_MULTIARCH"/libc.so.6              /dist/boot/lib; \
               cp /usr/lib/"$DEB_TARGET_MULTIARCH"/libevent-2.1.so.7  /dist/boot/lib
 
+
+# XXX whether or not we want these in depends on how slick we want the future runtime
+#              cp /lib/"$DEB_TARGET_MULTIARCH"/libpthread.so.0        /dist/boot/lib; \
+#              cp /lib/"$DEB_TARGET_MULTIARCH"/libc.so.6              /dist/boot/lib; \
+
+
+
 #              go get github.com/coredns/unbound; \
 
 #######################
@@ -158,6 +158,22 @@ COPY          --from=builder-coredns  /dist           /dist
 
 COPY          --from=builder-tools  /boot/bin/dns-health    /dist/boot/bin
 
+RUN           cp /dist/boot/bin/coredns /dist/boot/bin/coredns_no_cap
+RUN           cp /dist/boot/bin/coredns /dist/boot/bin/coredns_cap+origin
+RUN           setcap 'cap_net_bind_service+ep'                /dist/boot/bin/coredns_cap+origin
+# hadolint ignore=SC2016
+RUN           patchelf --set-rpath '$ORIGIN/../lib'           /dist/boot/bin/coredns_cap+origin
+# hadolint ignore=SC2016
+RUN           patchelf --set-rpath '$ORIGIN/../lib'           /dist/boot/bin/coredns_no_cap
+
+# XXX https://mail.openjdk.java.net/pipermail/distro-pkg-dev/2010-May/009112.html
+# no $ORIGIN rpath expansion with caps
+RUN           patchelf --set-rpath '/boot/lib'           /dist/boot/bin/coredns
+RUN           patchelf --set-rpath '/boot/lib'           /dist/boot/lib/*
+RUN           patchelf --set-rpath '/boot/lib'           /dist/boot/bin/lego
+
+RUN           setcap 'cap_net_bind_service+ep'                /dist/boot/bin/coredns
+
 RUN           chmod 555 /dist/boot/bin/*; \
               epoch="$(date --date "$BUILD_CREATED" +%s)"; \
               find /dist/boot -newermt "@$epoch" -exec touch --no-dereference --date="@$epoch" '{}' +;
@@ -170,32 +186,37 @@ FROM          $FROM_REGISTRY/$FROM_IMAGE_RUNTIME
 # Get relevant bits from builder
 COPY          --from=builder --chown=$BUILD_UID:root /dist /
 
-ENV           DOMAIN=""
-ENV           EMAIL="[email protected]"
-ENV           UPSTREAM_SERVER_1=""
-ENV           UPSTREAM_SERVER_2=""
-ENV           UPSTREAM_NAME=""
-ENV           STAGING=""
-
-ENV           DNS_PORT=1053
-ENV           TLS_PORT=1853
-ENV           HTTPS_PORT=1443
-ENV           GRPC_PORT=5553
+ENV           DNS_OVER_TLS_ENABLED=false
+ENV           DNS_OVER_TLS_DOMAIN=""
+ENV           DNS_OVER_TLS_PORT=853
+ENV           DNS_OVER_TLS_LEGO_PORT=443
+ENV           DNS_OVER_TLS_LEGO_EMAIL="[email protected]"
+ENV           DNS_OVER_TLS_LE_USE_STAGING=false
+
+ENV           DNS_FORWARD_ENABLED=true
+ENV           DNS_FORWARD_UPSTREAM_NAME="cloudflare-dns.com"
+ENV           DNS_FORWARD_UPSTREAM_IP_1="tls://1.1.1.1"
+ENV           DNS_FORWARD_UPSTREAM_IP_2="tls://1.0.0.1"
+
+ENV           DNS_PORT=53
+ENV           DNS_OVER_GRPC_PORT=553
+ENV           DNS_STUFF_MDNS=false
+
 ENV           METRICS_PORT=9253
 
 # NOTE: this will not be updated at runtime and will always EXPOSE default values
 # Either way, EXPOSE does not do anything, except function as a documentation helper
 EXPOSE        $DNS_PORT/udp
-EXPOSE        $TLS_PORT/tcp
-EXPOSE        $HTTPS_PORT/tcp
-EXPOSE        $GRPC_PORT/tcp
+EXPOSE        $DNS_OVER_TLS_PORT/tcp
+EXPOSE        $DNS_OVER_TLS_LEGO_PORT/tcp
+EXPOSE        $DNS_OVER_GRPC_PORT/tcp
 EXPOSE        $METRICS_PORT/tcp
 
 # Lego just needs /certs to work
 VOLUME        /certs
 
 ENV           HEALTHCHECK_URL="127.0.0.1:$DNS_PORT"
-ENV           HEALTHCHECK_QUESTION=healthcheck-dns.farcloser.world
+ENV           HEALTHCHECK_QUESTION=dns.autonomous.healthcheck.farcloser.world
 ENV           HEALTHCHECK_TYPE=udp
 
 HEALTHCHECK   --interval=120s --timeout=30s --start-period=10s --retries=1 CMD dns-health || exit 1