diff --git a/.github/workflows/ci_cd.yml b/.github/workflows/ci_cd.yml index 8238e4a..f34defd 100644 --- a/.github/workflows/ci_cd.yml +++ b/.github/workflows/ci_cd.yml @@ -13,6 +13,11 @@ jobs: steps: - uses: actions/checkout@master + - name: Set up java for tests execution + uses: actions/setup-java@v1 + with: + java-version: 11 + - name: "Determine release version" uses: codfish/semantic-release-action@master env: @@ -34,6 +39,7 @@ jobs: --label "org.label-schema.build-date=$(date '+%F %T')" - name: Test Docker image + if: env.RELEASE_VERSION != '' run: chmod 777 example && cd tests && gradle test -Dimage_tag=${{ env.IMAGE_NAME }}:${{ env.RELEASE_VERSION }} - name: Scan with Phonito Security @@ -68,6 +74,7 @@ jobs: DOCKERHUB_REPOSITORY: ${{ env.IMAGE_NAME }} - name: "Notify Microbadger to refresh metadata" + if: env.RELEASE_VERSION != '' uses: wei/curl@master with: args: -X POST ${{ secrets.MICROBADGER_NOTIFY_URL }} \ No newline at end of file diff --git a/Dockerfile b/Dockerfile index d82d6a3..5c952d4 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,12 +1,7 @@ -FROM homecentr/base:1.0.0 as base - -FROM alpine:3.11.2 +FROM homecentr/base:2.0.0-alpine LABEL maintainer="Lukas Holota " -# Copy S6 overlay and shared scripts -COPY --from=base / / - # Copy S6 scripts & default configs COPY ./fs/ / diff --git a/README.md b/README.md index ed959d2..221ff48 100644 --- a/README.md +++ b/README.md 
@@ -1,16 +1,15 @@ -# HomeCenter - DNS -This container contains the [BIND9 DNS server](https://www.isc.org/bind/). +[![Project status](https://img.shields.io/badge/Project%20status-stable%20%26%20actively%20maintaned-green.svg)](https://github.com/homecentr/docker-dns/graphs/commit-activity) +[![](https://img.shields.io/github/issues-raw/homecentr/docker-dns/bug?label=open%20bugs)](https://github.com/homecentr/docker-dns/labels/bug) +[![](https://images.microbadger.com/badges/version/homecentr/cadvisor.svg)](https://hub.docker.com/repository/docker/homecentr/cadvisor) +[![](https://img.shields.io/docker/pulls/homecentr/cadvisor.svg)](https://hub.docker.com/repository/docker/homecentr/cadvisor) +[![](https://img.shields.io/docker/image-size/homecentr/cadvisor/latest)](https://hub.docker.com/repository/docker/homecentr/cadvisor) -## Project status +![CI/CD on master](https://github.com/homecentr/docker-dns/workflows/CI/CD%20on%20master/badge.svg) +![Regular Docker image vulnerability scan](https://github.com/homecentr/docker-dns/workflows/Regular%20Docker%20image%20vulnerability%20scan/badge.svg) -TODO: Remove snyk, replace with Phonito - link to actions -| Project status/quality | Analytics | -|--------|---------------| -| [![](https://img.shields.io/github/issues-raw/homecentr/docker-dns/bug?label=open%20bugs)](https://github.com/homecentr/docker-dns/labels/bug) | [![](https://img.shields.io/docker/pulls/homecentr/dns.svg)](https://hub.docker.com/repository/docker/homecentr/dns) | -| [![](https://img.shields.io/github/license/homecentr/docker-dns)](https://github.com/homecentr/docker-dns/blob/master/LICENSE) | [![](https://images.microbadger.com/badges/version/homecentr/dns.svg)](https://hub.docker.com/repository/docker/homecentr/dns) | -| [![Maintenance](https://img.shields.io/badge/Maintained%3F-yes-green.svg)](https://github.com/homecentr/docker-dns/graphs/commit-activity) | -| ![](https://github.com/homecentr/docker-dns/workflows/CI%2FCD%20on%20master/badge.svg) 
| +# HomeCenter - DNS +[BIND9 DNS server](https://www.isc.org/bind/) packed with the usual bells and whistles. ## Usage @@ -33,10 +32,15 @@ services: - "9000:9000/tcp" ``` -### Configuration +## Configuration See the `example/named.conf` for a quickstart or [BIND9 documentation](https://kb.isc.org/docs/aa-01031) for full configuration reference. The root configuration file (named.conf) is expected to be at `/config/named.conf`. The container contains a piece of built-in configuration which automatically sets up the statistics endpoint and a zone for health check. -> Please note that the directory with zone files must be writable. BIND creates journal files next to the zone files (this cannot be changed) and will fail if it cannot create them. Please refer to the Security section below for details on container UID/GID. +## Environment variables + +| Name | Default value | Description | +|------|---------------|-------------| +| PUID | 7077 | UID of the user cadvisor should be running as. The UID must have sufficient rights to read from the Docker socket. | +| PGID | 7077 | GID of the user cadvisor should be running as. You must set the PUID if you want to set the PGID variable. | ## Exposed ports 
@@ -46,17 +50,16 @@ See the `example/named.conf` for a quickstart or [BIND9 documentation](https://k | 53/udp | DNS protocol over UDP | | 8888/tcp | Default port for statistics, is not opened by default, must be configured in named.conf | -## Security +## Volumes -### Vulnerabilities +| Container path | Description | +|--------------|----------------| +| /config | BIND9 configuration files. This location **must be writable** by the PUID/PGID user because BIND9 writes journal files next to the zone files. | -The image is periodically (daily) scanned by Phonito.io for possible vulnerabilities. The results are publically available, just check the [output of the daily scan](https://github.com/homecentr/docker-dns/actions?query=workflow%3A%22Regular+Docker+image+vulnerability+scan%22). +## Security +The container is regularly scanned for vulnerabilities and updated. Further info can be found in the [Security tab](https://github.com/homecentr/docker-dns/security). ### Container user -The container runs as non-root user created during the build with UID and GID **7001**. In case this collides with another image/user, you can rebuild the image using the command below and supply a custom UID and GID. - -```bash -docker build . --build-arg UID=9999 --build-arg GID=8888 -``` +The container supports privilege drop. Even though the container starts as root, it will use the permissions only to perform the initial set up. The cadvisor process runs as UID/GID provided in the PUID and PGID environment variables. -The container will not work if you try to change the UID/GID using the `docker run` because the process would not have access to the required files in the image itself. \ No newline at end of file +:warning: Do not change the container user directly using the `user` Docker compose property or using the `--user` argument. This would break the privilege drop logic. \ No newline at end of file diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..432ecf9 
--- /dev/null +++ b/SECURITY.md @@ -0,0 +1,15 @@ +# Security policy + +## Disclosure policy + +In case you find a security issues with this docker image, please reach out to me at security@homecentr.io and provide 5 business days to release a fixed version. + +## Security update policy + +Known security issues will be published in GitHub repository's Security / Security advisories. + +## Automated processes + +The Docker image is scanned for vulnerabilities every 24 hours using [Phonito.io](https://phonito.io/?b=a). You can see the scan status under the actions tab / Regular Docker image vulnerability scan. + +The dependencies are automatically scanned using [Dependabot](https://dependabot.com/). Dependencies are regularly updated. You can check for pending dependency updates by listing open Pull requests with the "dependencies" label. \ No newline at end of file diff --git a/fs/etc/cont-init.d/20-file-permissions.sh b/fs/etc/cont-init.d/20-file-permissions.sh index 5a11997..bff16ad 100644 --- a/fs/etc/cont-init.d/20-file-permissions.sh +++ b/fs/etc/cont-init.d/20-file-permissions.sh @@ -1,4 +1,4 @@ #!/usr/bin/with-contenv ash -chown -R nonroot:nonroot /var/run/named -chown -R nonroot:nonroot /config-default \ No newline at end of file +chown -R "$PUID:$PGID" /var/run/named +chown -R "$PUID:$PGID" /config-default \ No newline at end of file diff --git a/fs/etc/services.d/dns/run b/fs/etc/services.d/dns/run index a8f44e8..f56c502 100644 --- a/fs/etc/services.d/dns/run +++ b/fs/etc/services.d/dns/run @@ -1,5 +1,3 @@ -#!/usr/bin/execlineb -P +#!/usr/bin/with-contenv sh -s6-setuidgid nonroot - -/usr/sbin/named -f -g -4 -c /config-default/named.conf \ No newline at end of file +exec s6-setuidgid "$PUID:$PGID" /usr/sbin/named -f -g -4 -c /config-default/named.conf \ No newline at end of file
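Review bot: in the first `ci_cd.yml` hunk (`@@ -13,6 +13,11 @@`), the new `actions/setup-java@v1` step is pinned to a major tag, but the neighbouring `actions/checkout@master` and `codfish/semantic-release-action@master` track a mutable branch, so a push to a third party's `master` can change what runs in the job that builds and publishes the release image. Pin them to a release tag or, preferably, a full commit SHA and let Dependabot bump the pins. Minor wording: `Set up java for tests execution` reads better as `Set up Java for test execution`.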
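Review bot: the `if: env.RELEASE_VERSION != ''` guard added to `Test Docker image` (hunk `@@ -34,6 +39,7 @@`) is correct, but the step still prepares the zone directory with `chmod 777 example`, which makes it world-writable. That is tolerable on an ephemeral runner, but it does not exercise the permission model the README now documents (the directory "must be writable by the PUID/PGID user"); `chown -R 7077:7077 example` (the documented default UID/GID) would test exactly that path. The `Scan with Phonito Security` step in the trailing context gets no such guard; if it scans the tag built in this job it needs the same condition, otherwise a non-release run will scan a tag that was never produced.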
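Review bot: in hunk `@@ -68,6 +74,7 @@`, `uses: wei/curl@master` is an unpinned third-party action that receives `${{ secrets.MICROBADGER_NOTIFY_URL }}` on every release, so whoever controls that repository's `master` branch can read the secret. Either pin it to a commit SHA or replace the step with a plain `run: curl -X POST "$MICROBADGER_NOTIFY_URL"` with the secret passed through `env:`, which removes the dependency altogether. The file also still ends with `\ No newline at end of file`; add the trailing newline.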
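Review bot: in the `Dockerfile` hunk, inheriting `FROM homecentr/base:2.0.0-alpine` instead of `COPY --from=base / /` over `alpine:3.11.2` removes a layer that silently overwrote arbitrary files in the Alpine base, which is an improvement; since a tag is still mutable, consider pinning the base by digest as well (`FROM homecentr/base:2.0.0-alpine@sha256:<digest>`, placeholder) so the published image is reproducible. The unchanged `LABEL maintainer="Lukas Holota "` value ends in a trailing space and contains no contact address after the name; check that the address was not lost.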
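Review bot: three of the new badges in the first `README.md` hunk (`@@ -1,16 +1,15 @@`) point at the wrong image: `images.microbadger.com/badges/version/homecentr/cadvisor.svg`, `img.shields.io/docker/pulls/homecentr/cadvisor.svg` and `img.shields.io/docker/image-size/homecentr/cadvisor/latest`, each linking to `hub.docker.com/repository/docker/homecentr/cadvisor`, were copied from the cadvisor repository and should reference `homecentr/dns` as the removed table did. The status badge text also has a typo (`maintaned`, should be `maintained`), and the removed license badge (`img.shields.io/github/license/homecentr/docker-dns`) is worth keeping.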
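Review bot: the new `Environment variables` table in hunk `@@ -33,10 +32,15 @@` describes the wrong software: "UID of the user cadvisor should be running as. The UID must have sufficient rights to read from the Docker socket." is copied from the cadvisor image. For this image the rows should say that `PUID`/`PGID` are the UID/GID `named` runs as and that this user must be able to read `/config` and write the zone directory, which is what the removed `> Please note that the directory with zone files must be writable` note explained. The `7077` defaults also differ from the `7001` stated in the removed Security text; confirm that the base image or Dockerfile actually exports `PUID`/`PGID` with these defaults, since `20-file-permissions.sh` and `services.d/dns/run` assume the variables are non-empty.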
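Review bot: in hunk `@@ -46,17 +50,16 @@`, "The cadvisor process runs as UID/GID provided in the PUID and PGID environment variables" should read "The `named` process", the same copy-paste as in the variable table. Replacing the direct link to the daily scan output with the generic Security tab loses the pointer that the new `SECURITY.md` still relies on ("actions tab / Regular Docker image vulnerability scan"); keep both links. The `:warning:` note about `--user` is correct and could state the reason: `s6-setuidgid` in `fs/etc/services.d/dns/run` needs root to switch identity, so a container started with `--user` or the compose `user` property fails at that step instead of running `named` as the requested user.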
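Review bot: grammar in the new `SECURITY.md` disclosure paragraph: "In case you find a security issues with this docker image" should be "If you find a security issue with this Docker image", and "provide 5 business days" reads better as "allow 5 business days". The link `https://phonito.io/?b=a` carries a referral query string; link to `https://phonito.io/` instead. The advisory location "GitHub repository's Security / Security advisories" could be a link to the repository's security advisories page so that it matches the Security tab link the README now uses. The file is also missing its trailing newline.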
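Review bot: `chown -R "$PUID:$PGID" /var/run/named` in `20-file-permissions.sh` has no fallback for unset variables: with empty `PUID` and `PGID` the spec degenerates to `:`, and depending on the chown implementation the ownership either stays root or the command errors, after which `named` cannot write its PID file or journals once `s6-setuidgid` drops privileges. Either set the README defaults at the top of the script (`: "${PUID:=7077}"` and `: "${PGID:=7077}"`) or fail fast with `[ -n "$PUID" ] && [ -n "$PGID" ] || exit 1`. The values are also not checked to be numeric; a non-numeric value is resolved as a user name. Not chowning the user-mounted `/config` is deliberate and matches the README's "must be writable" requirement, so a short comment saying so would help.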
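Review bot: `exec s6-setuidgid "$PUID:$PGID" /usr/sbin/named ...` in `fs/etc/services.d/dns/run` is the right shape (`exec` keeps `named` as the supervised process so s6 signals reach it, and `with-contenv` exposes the variables), but like the permissions script it needs a guard for empty `PUID`/`PGID`: an argument of `:7077` or `7077:` will not drop to the intended identity. If the base image exports defaults, a one-line comment stating that would spare the next reader the search. Since `s6-setuidgid` must run as root to switch identity, this is also the line that breaks when the container is started with `--user`, which is what the README's `:warning:` note is about. Add the trailing newline the old execline script also lacked.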