27 changes: 27 additions & 0 deletions .drone.yml
@@ -0,0 +1,27 @@
labels:
cpus: '1'
ram: '512'
mhz: '2000'
clone:
git:
image: 'plugins/git'
tags: true
pipeline:
edge:
image: 'plugins/docker'
context: 'container'
dockerfile: 'container/Dockerfile'
secrets: ["docker_username", "docker_password"]
repo: '${DRONE_REPO_OWNER}/${DRONE_REPO_NAME##docker-}'
tag: 'edge-droneci'
when:
branch: 'edge'
configs:
image: 'plugins/docker'
context: 'container'
dockerfile: 'container/Dockerfile'
secrets: ["docker_username", "docker_password"]
repo: '${DRONE_REPO_OWNER}/${DRONE_REPO_NAME##docker-}'
tag: 'configs-droneci'
when:
branch: 'config-changes'
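Review bot: the `image: 'plugins/git'` and `image: 'plugins/docker'` lines carry no tag or digest, so every run pulls whatever the registry currently serves as `latest`, and the docker step is the one that receives `docker_username` / `docker_password` from `secrets:`. Pin both plugin images to a fixed tag or an `@sha256:` digest so the step holding registry credentials cannot change underneath the pipeline. The `when: branch:` gates on `edge` and `config-changes` are good; confirm on the Drone side that these two secrets are not exposed to pull-request builds as well.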
27 changes: 27 additions & 0 deletions .drone.yml.sig
@@ -0,0 +1,27 @@
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">

<meta name="version" content="0.8.4&#43;build.1398">



<script>
window.DRONE_USER = {"id":1,"login":"tcely","email":"chris.ely@gmail.com","avatar_url":"https://avatars3.githubusercontent.com/u/138864?v=4","active":false,"synced":1518756002,"admin":true};
window.DRONE_SYNC = false ;
</script>



<script>
window.DRONE_CSRF = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZXh0IjoidGNlbHkiLCJ0eXBlIjoiY3NyZiJ9.EZqDjB4vo3IolcL4kfGUm9YblkmizbqcNl5hb3YNnLM"
</script>




<link rel="shortcut icon" href="/favicon.png"></head>
<body>
<script type="text/javascript" src="/static/vendor.fc7f2b27186ea985e44c.js"></script><script type="text/javascript" src="/static/bundle.467f73292ec23d1702cb.js"></script></body>
</html>
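Review bot: this file is not a signature. `.drone.yml.sig` should contain the signed token the Drone CLI produces for `.drone.yml`, but what was committed is the Drone web UI's HTML page, which embeds the logged-in user's account record in `window.DRONE_USER` (login, e-mail, `admin: true`) and a CSRF JWT in `window.DRONE_CSRF`. Drone will not accept this as a valid signature for the accompanying `.drone.yml`, and the token and account details are now part of the repository history. Delete the file, treat the CSRF token as disclosed, and regenerate the signature with the CLI rather than saving the page from the browser.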
32 changes: 12 additions & 20 deletions container/Dockerfile
@@ -1,30 +1,22 @@
FROM alpine:latest
EXPOSE 53 53/udp
FROM tcely/alpine-stable

RUN apk --update upgrade && apk add bind
EXPOSE 53 53/udp
COPY entrypoint.sh /
ENTRYPOINT ["/entrypoint.sh"]

# /etc/bind needs to be owned by root, group owned by "bind", and chmod 750
# since we are mounting, do it manually
# NOTE: Per Dockerfile manual --> need to mkdir the mounted dir to chown
# &
# /var/bind needs to be owned by root, group owned by "bind", and chmod 770
# since we are mounting, do it manually
# NOTE: Per Dockerfile manual --> need to mkdir the mounted dir to chown
# &
# Get latest bind.keys
RUN mkdir -m 0770 -p /etc/bind && chown -R root:named /etc/bind ; \
mkdir -m 0770 -p /var/bind && chown -R root:named /var/cache ; \
wget -q -O /etc/bind/bind.keys https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11 ; \
rndc-confgen -a -r /dev/urandom
RUN apk --update upgrade && \
apk add bind ca-certificates curl gnupg && \
rm -rf /etc/bind/rndc.key /var/cache/apk/* && \
chmod g-w /var/bind && \
Owner
The default alpine bind install sets up:

drwxrwx---    5 root     named       4.0K Feb 16 02:19 bind

Any reason you are removing group writes?

Also - they do not set up a /var/cache/bind at all in alpine.

So the question here really is do we follow "standards" (and again, I am using this loosely, since there don't seem to be any official ones, but mostly popular opinion/common deployments), or do we go with what alpine sets up by default?

Contributor Author

@tcely tcely Feb 16, 2018
I'm removing the group write because I don't want anything running as named writing to this directory.

I don't know why you are so fixated on using /var/bind at all. Is it just because whoever created the alpine package moved the files there? All we need is a directory that named can write to, so that's what I created.

We could use either /var/bind/sec or /var/bind/dyn for the same purpose, but neither of these are as "standard" as using the /var/cache/bind directory.

Owner

@ventz ventz Feb 16, 2018
If you are using dynamic zones, you need to have the group with write permissions if that's where the zones will live.

I am not fixated on using /var/bind -- in fact, it's very much going against what feels correct to me. Every production service we run (and have run for the past 15+ years) is using /var/cache/bind, but again for better or worse, this is what the OS/maintainers have chosen as their standard. Personally - I would like to stick with something that's generally accepted among deployments, or at least within the OS used.

Imo - that's /etc/bind for all configs, and /var/cache/bind for all zones. I've been told that /var/cache/bind is not used outside of Debian/Ubuntu, and that '/var/bind' is used as a default (RHEL, CentOS, Alpine, etc). OpenBSD still uses /var/named.

So for example, one thing that everyone agrees on is that the run pid should be:
/var/run/named/named.pid

see for ref:

(ubuntu and debian -> /var/cache/bind)
https://wiki.debian.org/Bind9
https://help.ubuntu.com/community/BIND9ServerHowto

vs

(rhel/centos/openbsd -> /var/named)
https://man.openbsd.org/OpenBSD-5.5/named.8
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/s2-bind-zone
(and in this case, they even explicitly mention bind is now allowed to write to it -- so no dynamic zones in the same dir)

Contributor Author

I fixed the PID path already. We could really be odd and just use /var/bind/cache if you want.

Owner

:)

Give me some time to go through everything (in the middle of leaving for a vacation). There are just a couple of things I think we should change, but the rest looks good. I really like some of the suggestions. Thanks for the time/input/work and for going through everything!

cp -p /etc/bind/bind.keys /var/bind/ && \
install -d -m 0770 -o named -g named /var/cache/bind && \
ln -s ../../var/run/named/rndc.key /etc/bind/rndc.key

COPY configs/. /etc/bind/

# Mounts
# NOTE: Per Dockerfile manual -->
# "if any build steps change the data within the volume
# after it has been declared, those changes will be discarded."
VOLUME ["/etc/bind"]
VOLUME ["/var/bind"]
VOLUME ["/etc/bind", "/var/cache/bind"]

COPY entrypoint.sh /
ENTRYPOINT ["/entrypoint.sh"]
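Review bot: `FROM tcely/alpine-stable` swaps the official `alpine:latest` for an image under a personal account with no tag or digest, so the base layer of a DNS server image now depends on whatever that account publishes next; pin it by digest (`FROM tcely/alpine-stable@sha256:...`) or go back to an official `alpine:<version>` tag. Second, `ln -s ../../var/run/named/rndc.key /etc/bind/rndc.key` resolves to `/var/run/named/rndc.key`, which does not exist at build time now that the `rndc-confgen -a -r /dev/urandom` step is gone, so the entrypoint must create `/var/run/named` and generate the key before named starts, otherwise rndc has a dangling link; a comment next to the `ln -s` saying where the key is created would save the next reader a search. Replacing the old `;`-chained `RUN` (which let a failed `chown` or `wget` pass silently) with `&&` is the right fix, as is `chmod g-w /var/bind` with a separate `/var/cache/bind` that named may write.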
5 changes: 4 additions & 1 deletion container/configs/README
@@ -1,2 +1,5 @@
You should add your zones to: named.conf.local
Generally, that's the only file you will need to modify
If you want to change server options edit: named.conf.options.local
To add ACLs for use in either of the above files edit: named.conf.acls

Generally, these are the only files you will need to modify
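Review bot: the new line tells users to edit `named.conf.options.local`, but `container/configs/named.conf` in this PR includes only `named.conf.options`; confirm that `named.conf.options` itself includes the `.local` file (that file is not in this diff), otherwise changes made where the README points are silently ignored. The `named.conf.acls` line matches the new `include` in `named.conf`, so that reference is consistent.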
12 changes: 0 additions & 12 deletions container/configs/default-zones/db.255

This file was deleted.

20 changes: 0 additions & 20 deletions container/configs/example-configs/README

This file was deleted.

56 changes: 0 additions & 56 deletions container/configs/example-configs/authoritative/named.conf.options

This file was deleted.

This file was deleted.

5 changes: 1 addition & 4 deletions container/configs/named.conf
@@ -1,16 +1,13 @@
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

controls {
inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

include "/etc/bind/rndc.key";
include "/etc/bind/named.conf.acls";
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
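Review bot: dropping the explicit `controls { inet 127.0.0.1 ... keys { "rndc-key"; }; };` block and the `include "/etc/bind/rndc.key";` line leaves rndc on BIND's implicit default: with no `controls` statement, named opens the control channel on the loopback addresses on port 953 and loads the key from `rndc.key` in its configured sysconfdir (expected to be `/etc/bind` on this build, which is the symlink the Dockerfile creates). That is equivalent to the removed block only while that file exists at startup; add a one-line comment here stating that rndc now relies on the default, so a later reader does not conclude rndc was disabled. The new include order (`named.conf.acls` before `named.conf.options` and `named.conf.local`) is correct, since ACL names must be defined before they are referenced.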

10 changes: 10 additions & 0 deletions container/configs/named.conf.acls
@@ -0,0 +1,10 @@
// Default ACLs defined by bind
//
// any - Matches all hosts.
// none - Matches no hosts.
// localhost - Matches the IPv4 and IPv6 addresses of all network interfaces on the system.
// localnets - Matches any host on an IPv4 or IPv6 network for which the system has an interface.

acl "recursors" {
127.0.0.1;
};
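Review bot: `acl "recursors"` lists only `127.0.0.1`, so a client arriving over the IPv6 loopback (`::1`) will not match it; if this ACL is what gates recursion in `named.conf.options`, add `::1;` or use the built-in `localhost` ACL that the header comment already describes, so behaviour is the same on both loopbacks. The header is a useful reference for the four built-in ACLs; consider also stating that names defined here are the ones intended for use in `named.conf.options.local` and `named.conf.local`, matching what the README now says.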
18 changes: 13 additions & 5 deletions container/configs/named.conf.default-zones
@@ -1,28 +1,36 @@
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/default-zones/db.root";
file "/etc/bind/default-zones/named.cache";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
type master;
file "/etc/bind/default-zones/db.local";
file "/etc/bind/default-zones/db.localhost";
allow-update { none; };
notify no;
};

zone "127.in-addr.arpa" {
type master;
file "/etc/bind/default-zones/db.127";
file "/etc/bind/default-zones/rev.127";
allow-update { none; };
notify no;
};

zone "0.in-addr.arpa" {
type master;
file "/etc/bind/default-zones/db.0";
file "/etc/bind/default-zones/rev.broadcast";
allow-update { none; };
notify no;
};

zone "255.in-addr.arpa" {
type master;
file "/etc/bind/default-zones/db.255";
file "/etc/bind/default-zones/rev.broadcast";
allow-update { none; };
notify no;
};
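Review bot: `0.in-addr.arpa` and `255.in-addr.arpa` now both load `rev.broadcast`, and `db.255` is deleted in this PR. Sharing one file between two master zones is fine while the records in it are origin-relative and both zones keep `allow-update { none; };` and `notify no;`, since enabling updates on either would have two zones journaling the same file; add a comment saying the sharing is deliberate so nobody "fixes" it later. Also check that the renamed files (`named.cache`, `db.localhost`, `rev.127`, `rev.broadcast`) are added elsewhere in this PR; this view only shows the deletion of `db.255`, and a missed rename would leave the hint zone unable to load.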
6 changes: 3 additions & 3 deletions container/configs/named.conf.local
Expand Up @@ -10,7 +10,7 @@ include "/etc/bind/named.conf.default-zones";

// Consider adding the 1918 zones here, if they are not used in your
// organization
include "/etc/bind/named.conf.rfc1918";
//include "/etc/bind/named.conf.rfc1918";

///////////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////////
Expand All @@ -22,7 +22,7 @@ include "/etc/bind/named.conf.rfc1918";
# example reverse zone: 1.2.3.4/24
//zone "4.3.2.1.in-addr.arpa" {
// type master;
// file "/var/bind/1.2.3.4.rev";
// file "/etc/bind/zones/rev.1.2.3.4";
// notify yes;
//};
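Review bot: the example's zone name and its comment disagree: the reverse zone for a `/24` such as `1.2.3.0/24` is `3.2.1.in-addr.arpa`, while `4.3.2.1.in-addr.arpa` would be the reverse of the single host `1.2.3.4`; since this is the template users will copy, fix either the `# example reverse zone: 1.2.3.4/24` comment or the zone name. Moving the file to `/etc/bind/zones/rev.1.2.3.4` is consistent with the Dockerfile keeping `/etc/bind` non-writable for named, so this example can only be a static master zone; say so in the comment and point users at `/var/cache/bind` for any zone that takes dynamic updates.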

Expand All @@ -33,7 +33,7 @@ include "/etc/bind/named.conf.rfc1918";
# example "forward" (domain) zone: domain.tld
//zone "domain.tld" {
// type master;
// file "/var/bind/domain.tld";
// file "/etc/bind/zones/db.domain.tld";
// notify yes;
// #also-notify { a.b.c.d; };
// #allow-transfer { localhost; a.b.c.d; };