forked from PowerDNS/pdns
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Dockerfile-auth
145 lines (117 loc) · 6.13 KB
/
Dockerfile-auth
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
# our chosen base image
FROM debian:11-slim AS builder
# Reusable layer for base update
RUN apt-get update && apt-get -y dist-upgrade && apt-get clean
# sudo apt install cmake gcc libtool libssl-dev make ninja-build git
RUN apt-get install -y --no-install-recommends \
# original requirements
cmake gcc libtool make ninja-build git \
# added by us
astyle python3-pytest python3-pytest-xdist unzip xsltproc doxygen libluajit-5.1-dev liblua5.3-dev \
graphviz apt-transport-https ca-certificates build-essential systemd
# ???
# RUN update-ca-certificates
WORKDIR /source/
RUN apt remove openssl libssl-dev -y
RUN git clone --branch openssl-3.2.0 https://github.com/openssl/openssl.git openssl-source/
RUN cd openssl-source/ && ./Configure -lm no-docs --libdir=lib
RUN cd openssl-source/ && make
RUN cd openssl-source/ && make install
RUN git clone https://github.com/open-quantum-safe/liboqs.git
RUN cd liboqs && git fetch origin 31bdf13d4b8717b143f9ed584dfb8faceb80ebd9
RUN cd liboqs && git checkout 31bdf13d4b8717b143f9ed584dfb8faceb80ebd9
RUN mkdir liboqs/build/
RUN cd liboqs/build/ && cmake -GNinja -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON ..
RUN cd liboqs/build/ && ninja
RUN cd liboqs/build/ && ninja install
RUN git clone https://github.com/open-quantum-safe/oqs-provider.git
ENV LD_LIBRARY_PATH=/usr/local/lib
RUN cd oqs-provider/ && git checkout e784ed12c69f0f6a73e185237d4259d566b5ed97
RUN cd oqs-provider/ && cmake -S . -B _build
RUN cd oqs-provider/ && cmake --build _build
RUN cd oqs-provider/ && ctest --test-dir _build
RUN cd oqs-provider/ && cmake --install _build --config DebPack
ENV NO_LUA_JIT="s390x arm64"
# TODO: make sure /source looks roughly the same from git or tar
# Reusable layer for base update
RUN apt-get update && apt-get -y dist-upgrade && apt-get clean
# devscripts gives us mk-build-deps (and a lot of other stuff)
RUN apt-get update && apt-get -y dist-upgrade && apt-get install -y --no-install-recommends devscripts dpkg-dev equivs git python3-venv && apt-get clean
# import everything - this could be pdns.git OR an auth tarball!
COPY builder-support /source/builder-support
# TODO: control file is not in tarballs at all right now
RUN mk-build-deps -i -t 'apt-get -y -o Debug::pkgProblemResolver=yes --no-install-recommends' /source/builder-support/debian/authoritative/debian-buster/control && \
apt-get clean
# build and install (TODO: before we hit this line, rearrange /source structure if we are coming from a tarball)
WORKDIR /source/
COPY pdns /source/pdns
COPY modules /source/modules
COPY codedocs /source/codedocs
COPY docs /source/docs
COPY build-aux /source/build-aux
COPY m4 /source/m4
COPY ext /source/ext
COPY .git /source/.git
ADD configure.ac Makefile.am /source/
#COPY builder/helpers/set-configure-ac-version.sh /usr/local/bin
ARG MAKEFLAGS=
ENV MAKEFLAGS ${MAKEFLAGS:--j2}
ARG DOCKER_FAKE_RELEASE=NO
ENV DOCKER_FAKE_RELEASE ${DOCKER_FAKE_RELEASE}
RUN if [ "${DOCKER_FAKE_RELEASE}" = "YES" ]; then \
BUILDER_VERSION="$(IS_RELEASE=YES BUILDER_MODULES=authoritative ./builder-support/gen-version | sed 's/\([0-9]\+\.[0-9]\+\.[0-9]\+\(\(alpha|beta|rc\)\d\+\)\)?.*/\1/')" set-configure-ac-version.sh;\
fi && \
BUILDER_MODULES=authoritative autoreconf -vfi
# simplify repeated -C calls with SUBDIRS?
RUN mkdir /build && \
LUAVER=$([ -z "${NO_LUA_JIT##*$(dpkg --print-architecture)*}" ] && echo 'lua5.3' || echo 'luajit') && \
./configure \
--with-lua=${LUAVER} \
--sysconfdir=/etc/powerdns \
--enable-option-checking=fatal \
--with-dynmodules='bind geoip gmysql godbc gpgsql gsqlite3 ldap lmdb lua2 pipe remote tinydns' \
--enable-tools \
--enable-ixfrdist \
--with-unixodbc-lib=/usr/lib/$(dpkg-architecture -q DEB_BUILD_GNU_TYPE) \
--with-libcrypto=/usr/local && \
make clean && \
make $MAKEFLAGS -C ext && make $MAKEFLAGS -C modules && make $MAKEFLAGS -C pdns && \
make -C pdns install DESTDIR=/build && make -C modules install DESTDIR=/build && make clean && \
strip /build/usr/local/bin/* /build/usr/local/sbin/* /build/usr/local/lib/pdns/*.so
RUN cd /tmp && mkdir /build/tmp/ && mkdir debian && \
echo 'Source: docker-deps-for-pdns' > debian/control && \
dpkg-shlibdeps --ignore-missing-info /build/usr/local/bin/* /build/usr/local/sbin/* /build/usr/local/lib/pdns/*.so && \
sed 's/^shlibs:Depends=/Depends: /' debian/substvars >> debian/control && \
equivs-build debian/control && \
dpkg-deb -I equivs-dummy_1.0_all.deb && cp equivs-dummy_1.0_all.deb /build/tmp/
# Runtime
FROM debian:11-slim
# Reusable layer for base update - Should be cached from builder
RUN apt-get update && apt-get -y dist-upgrade && apt-get clean
# Ensure python3 and jinja2 is present (for startup script), and sqlite3 (for db schema), and tini (for signal management),
# and vim (for pdnsutil edit-zone) , and supervisor (for special use cases requiring advanced process management)
RUN apt-get install -y python3 python3-jinja2 sqlite3 tini libcap2-bin vim-tiny supervisor && apt-get clean
# Output from builder
COPY --from=builder /build /
COPY --from=builder /usr/local/ssl /usr/local/ssl
COPY --from=builder /usr/local/include/openssl /usr/local/include/openssl
COPY --from=builder /usr/local/lib /usr/local/lib
RUN chmod 1777 /tmp # FIXME: better not use /build/tmp for equivs at all
# Ensure dependencies are present
RUN apt-get install -y /tmp/equivs-dummy_1.0_all.deb && apt-get clean
# Start script
COPY dockerdata/startup.py /usr/local/sbin/pdns_server-startup
COPY dockerdata/pdns.conf /etc/powerdns/
RUN mkdir -p /etc/powerdns/pdns.d /var/run/pdns /var/lib/powerdns /etc/powerdns/templates.d
# Work with pdns user - not root
RUN adduser --system --disabled-password --disabled-login --no-create-home --group pdns --uid 953
RUN chown pdns:pdns /var/run/pdns /var/lib/powerdns /etc/powerdns/pdns.d /etc/powerdns/templates.d
USER pdns
# Set up database - this needs to be smarter
RUN sqlite3 /var/lib/powerdns/pdns.sqlite3 < /usr/local/share/doc/pdns/schema.sqlite3.sql
# Default DNS ports
EXPOSE 53/udp
EXPOSE 53/tcp
# Default webserver port
EXPOSE 8081/tcp
ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/sbin/pdns_server-startup"]