From bcfce27ee2beb735049d4597786b3354930cb771 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?=
Date: Tue, 23 Oct 2018 15:07:49 +0300
Subject: [PATCH] Standarize unbound, prepare for setup inclusion

- Use jinja template for configuration file (start.py)
- Limit access to the Mailu subnet
- Implement health checks
---
 core/unbound/Dockerfile | 14 --------------
 services/unbound/Dockerfile | 18 ++++++++++++++++++
 services/unbound/start.py | 9 +++++++++
 {core => services}/unbound/unbound.conf | 4 ++--
 tests/build.yml | 4 ++--
 5 files changed, 31 insertions(+), 18 deletions(-)
 delete mode 100644 core/unbound/Dockerfile
 create mode 100644 services/unbound/Dockerfile
 create mode 100755 services/unbound/start.py
 rename {core => services}/unbound/unbound.conf (86%)

diff --git a/core/unbound/Dockerfile b/core/unbound/Dockerfile
deleted file mode 100644
index 3c7f0e7a..00000000
--- a/core/unbound/Dockerfile
+++ /dev/null
@@ -1,14 +0,0 @@
-FROM alpine:3.8
-
-RUN apk add --no-cache unbound curl \
-    && curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache \
-    && chown root:unbound /etc/unbound \
-    && chmod 775 /etc/unbound \
-    && apk del --no-cache curl \
-    && /usr/sbin/unbound-anchor -a /etc/unbound/trusted-key.key | true
-
-COPY unbound.conf /etc/unbound/unbound.conf
-
-EXPOSE 53/udp 53/tcp
-
-CMD /usr/sbin/unbound
diff --git a/services/unbound/Dockerfile b/services/unbound/Dockerfile
new file mode 100644
index 00000000..1b84855c
--- /dev/null
+++ b/services/unbound/Dockerfile
@@ -0,0 +1,18 @@
+FROM python:3-alpine
+
+RUN apk add --no-cache unbound curl bind-tools \
+    && pip3 install jinja2 \
+    && curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache \
+    && chown root:unbound /etc/unbound \
+    && chmod 775 /etc/unbound \
+    && apk del --no-cache curl \
+    && /usr/sbin/unbound-anchor -a /etc/unbound/trusted-key.key | true
+
+COPY start.py /start.py
+COPY unbound.conf /unbound.conf
+
+EXPOSE 53/udp 53/tcp
+
+CMD /start.py
+
+HEALTHCHECK CMD dig @127.0.0.1 || exit 1
diff --git a/services/unbound/start.py b/services/unbound/start.py
new file mode 100755
index 00000000..82e017f7
--- /dev/null
+++ b/services/unbound/start.py
@@ -0,0 +1,9 @@
+#!/usr/local/bin/python3
+
+import jinja2
+import os
+
+convert = lambda src, dst: open(dst, "w").write(jinja2.Template(open(src).read()).render(**os.environ))
+convert("/unbound.conf", "/etc/unbound/unbound.conf")
+
+os.execv("/usr/sbin/unbound", ["-c /etc/unbound/unbound.conf"])
diff --git a/core/unbound/unbound.conf b/services/unbound/unbound.conf
similarity index 86%
rename from core/unbound/unbound.conf
rename to services/unbound/unbound.conf
index d2d9ce74..d54cbfbc 100644
--- a/core/unbound/unbound.conf
+++ b/services/unbound/unbound.conf
@@ -8,9 +8,9 @@ server:
     do-udp: yes
     do-tcp: yes
     do-daemonize: no
-    access-control: 0.0.0.0/0 allow
+    access-control: {{ SUBNET }} allow
     directory: "/etc/unbound"
-    username: unbound
+    username: root
     auto-trust-anchor-file: trusted-key.key
     root-hints: "/etc/unbound/root.hints"
     hide-identity: yes
diff --git a/tests/build.yml b/tests/build.yml
index 00323151..8a5cd540 100644
--- a/tests/build.yml
+++ b/tests/build.yml
@@ -6,8 +6,8 @@ services:
     image: ${DOCKER_ORG:-mailu}/nginx:${VERSION:-local}
     build: ../core/nginx
 
-  unbound:
-    image: $DOCKER_ORG/unbound:$VERSION
+  resolver:
+    image: ${DOCKER_ORG:-mailu}/unbound:${VERSION:-local}
     build: ../core/unbound
 
   imap:
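Review bot: The new `HEALTHCHECK CMD dig @127.0.0.1 || exit 1` only fails when no reply arrives at all, because dig exits 0 for any answer it receives, including SERVFAIL and REFUSED, so a resolver that listens but cannot resolve anything still reports healthy. Checking the response status of a fixed query is more informative, e.g. `HEALTHCHECK CMD dig +time=2 +tries=1 @127.0.0.1 . NS | grep -q 'status: NOERROR' || exit 1`. Two smaller points in the same hunk: `pip3 install jinja2` is unpinned, so rebuilds are not reproducible, and `CMD /start.py` is shell form, which on this base runs through `/bin/sh -c`; `CMD ["/start.py"]` keeps the script as PID 1 so its execv hands the PID 1 role to unbound. The carried-over `unbound-anchor ... | true` still masks a failed trust-anchor fetch at build time; that predates this commit, but a build that proceeds without an anchor file is worth a hard failure.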
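Review bot: `os.execv("/usr/sbin/unbound", ["-c /etc/unbound/unbound.conf"])` passes the option string as argv[0], so unbound receives no arguments and starts with its compiled-in default config path; it appears to work here only because that default happens to be /etc/unbound/unbound.conf. The argument vector should be `os.execv("/usr/sbin/unbound", ["unbound", "-c", "/etc/unbound/unbound.conf"])`. The `convert` lambda also relies on the interpreter closing the temporary file object to flush the rendered config before execv replaces the process; an explicit `with open(dst, "w") as f: f.write(...)` makes that flush unconditional. Rendering with `jinja2.Template(...)` uses the default lenient undefined, so a missing `SUBNET` in the environment silently produces an empty value in the config instead of an error; `jinja2.Template(open(src).read(), undefined=jinja2.StrictUndefined)` would make the container fail fast with a clear message.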
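Review bot: `username: root` makes unbound keep running as root instead of dropping privileges to the `unbound` user the previous line selected, and neither the commit message nor a comment explains why; the Dockerfile still does `chown root:unbound /etc/unbound && chmod 775 /etc/unbound`, which was there precisely so the unprivileged user can work in that directory. If the change was needed for unbound to update `auto-trust-anchor-file: trusted-key.key` (created as root at build time), fixing the ownership of that file in the Dockerfile and restoring `username: unbound` keeps the privilege drop; if there is another reason, a one-line comment next to `username:` should state it. The rendered `access-control: {{ SUBNET }} allow` line becomes `access-control:  allow` when SUBNET is not exported, which unbound rejects at startup, so the SUBNET requirement should be documented at the top of this template. The `server:` block begins before the hunk.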
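Review bot: `build: ../core/unbound` under the renamed `resolver` service still points at the directory whose Dockerfile this commit deletes (`core/unbound/Dockerfile` is removed and the new one is created under `services/unbound/`), so building this service from the test compose file will fail with a missing Dockerfile. The context should follow the move: `build: ../services/unbound`. The enclosing `services:` mapping starts before the hunk.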