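# USAGE
# docker build --build-arg MAKEFLAGS=-j8 -t recursor -f docker/Dockerfile-recursor .
# docker run -p 1053:53 -p 1053:53/udp -ti --rm recursor
# dig a www.example.com @0 -p 1053
#
# NOTE(review): the runtime `FROM` further down is commented out, so the image
# that is shipped IS the builder stage: compilers, devscripts, the Rust
# toolchain, the copied sources and /source/.git all end up in the final image.
# Presumably this is done so the OpenSSL 3.2 / liboqs / oqs-provider build
# installed under /usr/local stays available at runtime; a second stage that
# copies only /usr/local and /build would give the same result with a much
# smaller attack surface.

# Builder
FROM debian:11-slim AS builder

# Reusable layer for base update (kept as its own layer on purpose so it is
# cached independently of the tool installs below)
RUN apt-get update && apt-get -y dist-upgrade && apt-get clean

# Build tools. `apt-get update` is repeated in this layer so the install never
# resolves against the package lists of a stale, cached base-update layer.
# sudo apt install cmake gcc libtool libssl-dev make ninja-build git
RUN apt-get update && apt-get install -y --no-install-recommends \
# original requirements
    cmake gcc libtool libssl-dev make ninja-build git \
# added by us
    astyle python3-pytest python3-pytest-xdist unzip xsltproc doxygen libluajit-5.1-dev liblua5.3-dev \
    graphviz apt-transport-https ca-certificates build-essential systemd \
    && apt-get clean

WORKDIR /source/

# The distro OpenSSL is replaced by a source build of 3.2.0 installed under
# /usr/local; the recursor is configured with --with-libcrypto=/usr/local below.
# NOTE(review): on Debian 11 the ca-certificates package depends on `openssl`,
# so removing it may remove ca-certificates as well — confirm that the https
# clones below still verify certificates rather than relying on a leftover
# trust store.
RUN apt-get remove -y openssl libssl-dev
RUN git clone --branch openssl-3.2.0 https://github.com/openssl/openssl.git openssl-source/
# WORKDIR replaces the per-RUN `cd`; configure, build and install are one step.
WORKDIR /source/openssl-source
RUN ./Configure -lm no-docs --libdir=lib \
    && make \
    && make install

# liboqs, pinned to a specific commit (fetched explicitly rather than tracking
# a branch so the build is reproducible)
WORKDIR /source/
RUN git clone https://github.com/open-quantum-safe/liboqs.git
WORKDIR /source/liboqs
RUN git fetch origin 31bdf13d4b8717b143f9ed584dfb8faceb80ebd9 \
    && git checkout 31bdf13d4b8717b143f9ed584dfb8faceb80ebd9
# WORKDIR creates the build directory itself; no separate mkdir is needed.
WORKDIR /source/liboqs/build
RUN cmake -GNinja -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON .. \
    && ninja \
    && ninja install

# oqs-provider, pinned to a specific commit; its own test suite runs as part of
# the build, so a broken provider fails the image build instead of shipping.
WORKDIR /source/
RUN git clone https://github.com/open-quantum-safe/oqs-provider.git
WORKDIR /source/oqs-provider
RUN git checkout e784ed12c69f0f6a73e185237d4259d566b5ed97
RUN cmake -S . -B _build && cmake --build _build
RUN ctest --test-dir _build
RUN cmake --install _build --config DebPack

# Architectures on which luajit is not used (see the LUAVER selection below)
ENV NO_LUA_JIT="s390x arm64"

# devscripts gives us mk-build-deps (and a lot of other stuff)
WORKDIR /source/
RUN apt-get update && apt-get -y dist-upgrade \
    && apt-get install -y --no-install-recommends curl devscripts equivs git \
    && apt-get clean
COPY builder-support /source/builder-support
# TODO: control file is not in tarballs at all right now
RUN mk-build-deps -i -t 'apt-get -y -o Debug::pkgProblemResolver=yes --no-install-recommends' /source/builder-support/debian/recursor/debian-buster/control && \
    apt-get clean
COPY pdns /source/pdns
COPY build-aux /source/build-aux
COPY m4 /source/m4
COPY ext /source/ext
# NOTE(review): the full repository history is copied in; since there is no
# separate runtime stage it is shipped with the image (see the note at the top).
COPY .git /source/.git
# COPY builder/helpers/set-configure-ac-version.sh /usr/local/bin
COPY builder-support/helpers/install_rust.sh /source/install_rust.sh
RUN /source/install_rust.sh

# build and install (TODO: before we hit this line, rearrange /source structure if we are coming from a tarball)
WORKDIR /source/pdns/recursordist
# Build-time knobs; `key=value` form, the space-separated ENV form is deprecated.
ARG MAKEFLAGS=
ENV MAKEFLAGS=${MAKEFLAGS:--j2}
ARG DOCKER_FAKE_RELEASE=NO
ENV DOCKER_FAKE_RELEASE=${DOCKER_FAKE_RELEASE}
# Manpage deps
# RUN apt-get install -y python3-venv && apt-get clean
# Manpage prevent
RUN touch pdns_recursor.1 rec_control.1 # avoid installing pandoc
# NOTE(review): set-configure-ac-version.sh is not copied into the image (the
# COPY above is commented out), so the DOCKER_FAKE_RELEASE=YES path presumably
# fails here — confirm before relying on it.
RUN if [ "${DOCKER_FAKE_RELEASE}" = "YES" ]; then \
    BUILDER_VERSION="$(IS_RELEASE=YES BUILDER_MODULES=recursor ./builder-support/gen-version | sed 's/\([0-9]\+\.[0-9]\+\.[0-9]\+\(\(alpha|beta|rc\)\d\+\)\)?.*/\1/')" set-configure-ac-version.sh;\
    fi && \
    BUILDER_MODULES=recursor autoreconf -vfi
# LUAVER falls back to lua5.3 when the build architecture is listed in
# NO_LUA_JIT; --with-libcrypto points at the OpenSSL built above.
RUN mkdir /build && \
    LUAVER=$([ -z "${NO_LUA_JIT##*$(dpkg --print-architecture)*}" ] && echo 'lua5.3' || echo 'luajit') && \
    ./configure \
      --with-lua=${LUAVER} \
      LDFLAGS=-rdynamic \
      --sysconfdir=/etc/powerdns \
      --enable-option-checking=fatal \
      --with-libcrypto=/usr/local && \
    make clean && \
    make $MAKEFLAGS install DESTDIR=/build && make clean && \
    strip /build/usr/local/bin/* /build/usr/local/sbin/*
RUN ldconfig
# Generate a dummy package whose Depends: lists the shared libraries the
# stripped binaries need, so the runtime install below pulls them in.
# dpkg-shlibdeps and equivs-build work relative to the current directory,
# hence the `cd /tmp` inside this single RUN.
RUN cd /tmp && mkdir /build/tmp/ && mkdir debian && \
    echo 'Source: docker-deps-for-pdns' > debian/control && \
    dpkg-shlibdeps --ignore-missing-info /build/usr/local/bin/rec_control /build/usr/local/sbin/pdns_recursor && \
    sed 's/^shlibs:Depends=/Depends: /' debian/substvars >> debian/control && \
    equivs-build debian/control && \
    dpkg-deb -I equivs-dummy_1.0_all.deb && cp equivs-dummy_1.0_all.deb /build/tmp/

# Runtime
# NOTE(review): while this FROM stays commented out, everything below runs in
# the builder stage and the builder IS the shipped image (see the note at the top).
#FROM debian:11-slim
# Reusable layer for base update - Should be cached from builder
#RUN apt-get update && apt-get -y dist-upgrade && apt-get clean
# Ensure python3 and jinja2 is present (for startup script), and tini for signal management
RUN apt-get update && apt-get install -y python3 python3-jinja2 tini libcap2-bin libc6 && apt-get clean
# Executables from builder
RUN cp -r /build/* /
RUN chmod 1777 /tmp # FIXME: better not use /build/tmp for equivs at all
# Ensure dependencies are present
RUN apt-get install -y /tmp/equivs-dummy_1.0_all.deb && apt-get clean
# Start script
COPY dockerdata/startup.py /usr/local/sbin/pdns_recursor-startup
# Config file(s) from builder
COPY dockerdata/recursor.conf /etc/powerdns/
# Is recursor.d necessary if we copy the config into recursor.conf? (see above)
RUN mkdir -p /etc/powerdns/recursor.d /var/run/pdns-recursor /etc/powerdns/templates.d
# Work with pdns user - not root; fixed uid so runtimes that enforce
# runAsNonRoot can verify it
RUN adduser --system --disabled-password --disabled-login --no-create-home --group pdns --uid 953
RUN chown pdns:pdns /var/run/pdns-recursor /etc/powerdns/recursor.d /etc/powerdns/templates.d
USER pdns
# Default DNS ports. Binding port 53 as the unprivileged pdns user relies on the
# container runtime permitting low ports (Docker Engine >= 20.10 does by default);
# runtimes that do not will need a capability or a sysctl override.
EXPOSE 53/udp
EXPOSE 53/tcp
# Default webserver port
EXPOSE 8082/tcp
# Exec form: tini is PID 1, reaps children and forwards SIGTERM to the recursor.
ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/sbin/pdns_recursor-startup"]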