-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathDockerfile.debian
130 lines (104 loc) · 6.75 KB
/
Dockerfile.debian
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
# I am pulling in my debian-s6 image as the base here so I can reuse it for the common buildimage and later in the runtime.
# Initially I used to pull this separately at each stage but that gave errors with docker buildx for the BASE_VERSION argument.
ARG BASE_VERSION=buster-2.2.0.3
FROM rakheshster/debian-s6:${BASE_VERSION} AS mybase
################################### COMMON BUILDIMAGE ####################################
# This image is to be a base where all the build dependencies are installed.
# I can use this in the subsequent stages to build stuff
FROM mybase AS debianbuild
# I realized that the build process doesn't remove this intermediate image automatically so best to LABEL it here and then prune later
# Thanks to https://stackoverflow.com/a/55082473
LABEL stage="debianbuild"
LABEL maintainer="Rakhesh Sasidharan"
# Get the build-dependencies for everything I plan on building later
# common stuff: git build-base libtool xz cmake gnupg (to verify)
# kea: (https://kea.readthedocs.io/en/kea-1.6.2/arm/install.html#build-requirements) build-essential libtool libssl-dev openssl libboost-system-dev libboost-dev liblog4cplus-dev automake
# knot dns: pkgconf libgnutls28-dev liburcu-dev libedit-dev libidn2-dev libfstrm-dev protobuf-c-compiler libprotobuf-c-dev liblmdb-dev
RUN apt-get update && apt-get install -y --no-install-recommends \
git build-essential libtool xz-utils cmake gnupg \
libssl-dev openssl libboost-dev libboost-system-dev liblog4cplus-dev automake \
pkgconf libgnutls28-dev liburcu-dev libedit-dev libidn2-dev libfstrm-dev protobuf-c-compiler libprotobuf-c-dev liblmdb-dev
RUN apt-get -y clean
RUN rm -rf /var/lib/apt/lists/*
################################## KEA DHCP ####################################
# This image is to only build Kea DHCP
FROM debianbuild AS debiankea
# ENV KEA_VERSION 1.7.10
ENV KEA_VERSION 1.8.2
LABEL stage="debiankea"
LABEL maintainer="Rakhesh Sasidharan"
# Download the source & build it
ADD https://downloads.isc.org/isc/kea/${KEA_VERSION}/kea-${KEA_VERSION}.tar.gz /tmp/
ADD https://downloads.isc.org/isc/kea/${KEA_VERSION}/kea-${KEA_VERSION}.tar.gz.asc /tmp/
# Import the PGP key used by ISC (https://www.isc.org/pgpkey/; get from https://downloads.isc.org/isc/pgpkeys/)
# Note to self: Using gpg --recv-keys fails for this key on the Debian version of gpg; see https://superuser.com/questions/1485213/gpg-cant-import-key-new-key-but-contains-no-user-id-skipped
# Workaround is to use the Ubuntu key server or download the key directly and import.
# RUN gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 0x156890685EA0DF6A1371EF2017CC5DB1F0088407
RUN wget -qO - https://downloads.isc.org/isc/pgpkeys/codesign2021.txt | gpg --import
# Verify the download (exit if it fails)
RUN gpg --status-fd 1 --verify /tmp/kea-${KEA_VERSION}.tar.gz.asc /tmp/kea-${KEA_VERSION}.tar.gz 2>/dev/null | grep -q "GOODSIG 17CC5DB1F0088407" \
|| exit 1
WORKDIR /src
RUN tar xzf /tmp/kea-${KEA_VERSION}.tar.gz -C ./
WORKDIR /src/kea-${KEA_VERSION}
# Configure kea to expect everything in / (--prefix=/) but when installing put everything into /usr/local (via DESTDIR=) (I copy the contents of this to / in the final image)
RUN ./configure --prefix=/ --with-openssl
RUN make && DESTDIR=/usr/local make install
# Disable keactrl as its broken under debian (ps -p does not work) and also it conflicts with s6 if I try to stop etc.
# The only thing I need keactrl for is to reload the config, for that use the included kea-dhcpx-reload script which I provide.
RUN chmod -x /usr/local/sbin/keactrl
################################## BUILD KNOT DNS ####################################
# This image is to only build Knot DNS
FROM debianbuild AS debianknot
ENV KNOTDNS_VERSION 3.0.4
LABEL stage="debianknot"
LABEL maintainer="Rakhesh Sasidharan"
# Download the source & build it
ADD https://secure.nic.cz/files/knot-dns/knot-${KNOTDNS_VERSION}.tar.xz /tmp/
ADD https://secure.nic.cz/files/knot-dns/knot-${KNOTDNS_VERSION}.tar.xz.asc /tmp/
# Import the PGP key used by cz.nic (https://www.knot-dns.cz/download/)
# As above, the import fails on Debian if I download from the default keys.openpgp.org server so use keyserver.ubuntu.com instead
RUN gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 0x10BB7AF6FEBBD6AB
# Verify the download (exit if it fails)
RUN gpg --status-fd 1 --verify /tmp/knot-${KNOTDNS_VERSION}.tar.xz.asc /tmp/knot-${KNOTDNS_VERSION}.tar.xz 2>/dev/null | grep -q "GOODSIG 10BB7AF6FEBBD6AB" \
|| exit 1
WORKDIR /src
RUN tar xf /tmp/knot-${KNOTDNS_VERSION}.tar.xz -C ./
WORKDIR /src/knot-${KNOTDNS_VERSION}
# Configure knot to expect everything in / (--prefix=/) but when installing put everything into /usr/local (via DESTDIR=) (I copy the contents of this to / in the final image)
RUN ./configure --prefix=/ --enable-dnstap --disable-systemd
RUN make && DESTDIR=/usr/local make install
################################### RUNTIME ENVIRONMENT FOR KEA & KNOT ####################################
# This image has all the runtime dependencies, the built files from the previous stage, and I also create the groups and assign folder permissions etc.
# I got to create the folder after copying the stuff from previous stage so the permissions don't get overwritten
FROM mybase AS debianruntime
# Get the runtimes deps for all
# Kea: (https://kea.readthedocs.io/en/kea-1.6.2/arm/intro.html#required-software)
# Knot: libuv1 libluajit-5.1-2 liblmdb0 gnutls-bin liburcu6 libedit2 libidn2-0 fstrm-bin protobuf-c-compiler
RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates tzdata \
dnsutils \
openssl liblog4cplus-1.1-9 libboost-dev libboost-system-dev \
libuv1 libluajit-5.1-2 liblmdb0 gnutls-bin liburcu6 libedit2 libidn2-0 fstrm-bin protobuf-c-compiler \
nano
RUN apt-get -y clean
RUN rm -rf /var/lib/apt/lists/*
# /usr/local/bin -> /bin etc.
COPY --from=debianknot /usr/local/ /
COPY --from=debiankea /usr/local/ /
RUN addgroup --system knot && adduser --system knot --ingroup knot
RUN mkdir -p /var/lib/knot && chown knot:knot /var/lib/knot
RUN mkdir -p /var/run/knot && chown knot:knot /var/run/knot
################################### FINALIZE ####################################
# This pulls in the previous stage, adds S6. This is my final stage.
FROM debianruntime
LABEL maintainer="Rakhesh Sasidharan"
LABEL org.opencontainers.image.source=https://github.com/rakheshster/docker-kea-knot
# Copy the config files & s6 service files to the correct location
COPY root/ /
# NOTE: s6 overlay doesn't support running as a different user. However, Knot is configured to run as a non-root user in its config. Kea needs to run as root.
EXPOSE 53/udp 53/tcp 8080/tcp
# Knot DNS runs on 53.
# Kea requires 8080 for HA
HEALTHCHECK --interval=5s --timeout=3s --start-period=5s \
CMD dig @127.0.0.1 -p 53 google.com || exit 1
ENTRYPOINT ["/init"]