feat: Support for user, ci/cd fixed (#19)

.github/workflows/ci_cd.yml

@@ -13,6 +13,11 @@ jobs:
  steps:
  - uses: actions/checkout@master
 
+ - name: Set up java for tests execution
+ uses: actions/setup-java@v1
+ with:
+ java-version: 11
+
  - name: "Determine release version"
  uses: codfish/semantic-release-action@master
  env:
@@ -34,6 +39,7 @@ jobs:
  --label "org.label-schema.build-date=$(date '+%F %T')"
 
  - name: Test Docker image
+ if: env.RELEASE_VERSION != ''
  run: chmod 777 example && cd tests && gradle test -Dimage_tag=${{ env.IMAGE_NAME }}:${{ env.RELEASE_VERSION }}
 
  - name: Scan with Phonito Security
@@ -68,6 +74,7 @@ jobs:
  DOCKERHUB_REPOSITORY: ${{ env.IMAGE_NAME }}
 
  - name: "Notify Microbadger to refresh metadata"
+ if: env.RELEASE_VERSION != ''
  uses: wei/curl@master
  with:
  args: -X POST ${{ secrets.MICROBADGER_NOTIFY_URL }}

Dockerfile

@@ -1,12 +1,7 @@
-FROM homecentr/base:1.0.0 as base
-
-FROM alpine:3.11.2
+FROM homecentr/base:2.0.0-alpine
 
 LABEL maintainer="Lukas Holota <[email protected]>"
 
-# Copy S6 overlay and shared scripts
-COPY --from=base / /
-
 # Copy S6 scripts & default configs
 COPY ./fs/ /
 

README.md

@@ -1,16 +1,15 @@
-# HomeCenter - DNS
-This container contains the [BIND9 DNS server](https://www.isc.org/bind/).
+[![Project status](https://img.shields.io/badge/Project%20status-stable%20%26%20actively%20maintaned-green.svg)](https://github.com/homecentr/docker-dns/graphs/commit-activity) 
+[![](https://img.shields.io/github/issues-raw/homecentr/docker-dns/bug?label=open%20bugs)](https://github.com/homecentr/docker-dns/labels/bug) 
+[![](https://images.microbadger.com/badges/version/homecentr/cadvisor.svg)](https://hub.docker.com/repository/docker/homecentr/cadvisor)
+[![](https://img.shields.io/docker/pulls/homecentr/cadvisor.svg)](https://hub.docker.com/repository/docker/homecentr/cadvisor) 
+[![](https://img.shields.io/docker/image-size/homecentr/cadvisor/latest)](https://hub.docker.com/repository/docker/homecentr/cadvisor)
 
-## Project status
+![CI/CD on master](https://github.com/homecentr/docker-dns/workflows/CI/CD%20on%20master/badge.svg)
+![Regular Docker image vulnerability scan](https://github.com/homecentr/docker-dns/workflows/Regular%20Docker%20image%20vulnerability%20scan/badge.svg)
 
-TODO: Remove snyk, replace with Phonito - link to actions
 
-| Project status/quality | Analytics |
-|--------|---------------|
-| [![](https://img.shields.io/github/issues-raw/homecentr/docker-dns/bug?label=open%20bugs)](https://github.com/homecentr/docker-dns/labels/bug) | [![](https://img.shields.io/docker/pulls/homecentr/dns.svg)](https://hub.docker.com/repository/docker/homecentr/dns) |
-| [![](https://img.shields.io/github/license/homecentr/docker-dns)](https://github.com/homecentr/docker-dns/blob/master/LICENSE) | [![](https://images.microbadger.com/badges/version/homecentr/dns.svg)](https://hub.docker.com/repository/docker/homecentr/dns) |
-| [![Maintenance](https://img.shields.io/badge/Maintained%3F-yes-green.svg)](https://github.com/homecentr/docker-dns/graphs/commit-activity) |
-| ![](https://github.com/homecentr/docker-dns/workflows/CI%2FCD%20on%20master/badge.svg) |
+# HomeCenter - DNS
+[BIND9 DNS server](https://www.isc.org/bind/) packed with the usual bells and whistles.
 
 ## Usage
 
@@ -33,10 +32,15 @@ services:
  - "9000:9000/tcp"
 ```
 
-### Configuration
+## Configuration
 See the `example/named.conf` for a quickstart or [BIND9 documentation](https://kb.isc.org/docs/aa-01031) for full configuration reference. The root configuration file (named.conf) is expected to be at `/config/named.conf`. The container contains a piece of built-in configuration which automatically sets up the statistics endpoint and a zone for health check.
 
-> Please note that the directory with zone files must be writable. BIND creates journal files next to the zone files (this cannot be changed) and will fail if it cannot create them. Please refer to the Security section below for details on container UID/GID.
+## Environment variables
+
+| Name | Default value | Description |
+|------|---------------|-------------|
+| PUID | 7077 | UID of the user cadvisor should be running as. The UID must have sufficient rights to read from the Docker socket. |
+| PGID | 7077 | GID of the user cadvisor should be running as. You must set the PUID if you want to set the PGID variable. |
 
 ## Exposed ports
 
@@ -46,17 +50,16 @@ See the `example/named.conf` for a quickstart or [BIND9 documentation](https://k
 | 53/udp | DNS protocol over UDP |
 | 8888/tcp | Default port for statistics, is not opened by default, must be configured in named.conf |
 
-## Security
+## Volumes
 
-### Vulnerabilities
+| Container path | Description |
+|--------------|----------------|
+| /config | BIND9 configuration files. This location **must be writable** by the PUID/PGID user because BIND9 writes journal files next to the zone files. |
 
-The image is periodically (daily) scanned by Phonito.io for possible vulnerabilities. The results are publically available, just check the [output of the daily scan](https://github.com/homecentr/docker-dns/actions?query=workflow%3A%22Regular+Docker+image+vulnerability+scan%22).
+## Security
+The container is regularly scanned for vulnerabilities and updated. Further info can be found in the [Security tab](https://github.com/homecentr/docker-dns/security).
 
 ### Container user
-The container runs as non-root user created during the build with UID and GID **7001**. In case this collides with another image/user, you can rebuild the image using the command below and supply a custom UID and GID.
-
-```bash
-docker build . --build-arg UID=9999 --build-arg GID=8888
-```
+The container supports privilege drop. Even though the container starts as root, it will use the permissions only to perform the initial set up. The cadvisor process runs as UID/GID provided in the PUID and PGID environment variables.
 
-The container will not work if you try to change the UID/GID using the `docker run` because the process would not have access to the required files in the image itself.
+:warning: Do not change the container user directly using the `user` Docker compose property or using the `--user` argument. This would break the privilege drop logic.

SECURITY.md

@@ -0,0 +1,15 @@
+# Security policy
+
+## Disclosure policy
+
+In case you find a security issues with this docker image, please reach out to me at [email protected] and provide 5 business days to release a fixed version.
+
+## Security update policy
+
+Known security issues will be published in GitHub repository's Security / Security advisories.
+
+## Automated processes
+
+The Docker image is scanned for vulnerabilities every 24 hours using [Phonito.io](https://phonito.io/?b=a). You can see the scan status under the actions tab / Regular Docker image vulnerability scan.
+
+The dependencies are automatically scanned using [Dependabot](https://dependabot.com/). Dependencies are regularly updated. You can check for pending dependency updates by listing open Pull requests with the "dependencies" label.

fs/etc/cont-init.d/20-file-permissions.sh

@@ -1,4 +1,4 @@
 #!/usr/bin/with-contenv ash
 
-chown -R nonroot:nonroot /var/run/named
-chown -R nonroot:nonroot /config-default
+chown -R "$PUID:$PGID" /var/run/named
+chown -R "$PUID:$PGID" /config-default

fs/etc/services.d/dns/run

@@ -1,5 +1,3 @@
-#!/usr/bin/execlineb -P
+#!/usr/bin/with-contenv sh
 
-s6-setuidgid nonroot
-
-/usr/sbin/named -f -g -4 -c /config-default/named.conf
+exec s6-setuidgid "$PUID:$PGID" /usr/sbin/named -f -g -4 -c /config-default/named.conf