
Commit f27f502

authored
Initial Commit (#1)
* Added container * Added container description * Added docker to Dependabot * Added GitHub Action * Added vulnerability scanning * Comply with Trivy * Added Kubernetes deployment file
1 parent 9c01af1 commit f27f502

17 files changed

+1080
-9
lines changed

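--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -19,3 +19,23 @@ updates:
 separator: '-'
 reviewers:
 - 'aessing'
+
+# Maintain dependencies for docker images
+- package-ecosystem: 'docker'
+directory: '/'
+schedule:
+interval: 'daily'
+time: '06:00'
+timezone: 'Europe/Berlin'
+assignees:
+- 'aessing'
+commit-message:
+prefix: 'Docker'
+include: 'scope'
+labels:
+- 'dependencies'
+open-pull-requests-limit: 10
+pull-request-branch-name:
+separator: '-'
+reviewers:
+- 'aessing'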

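--- a/.github/workflows/container-build.yml
+++ b/.github/workflows/container-build.yml
@@ -0,0 +1,77 @@
+name: Container Build
+
+on:
+push:
+tags:
+- v*
+pull_request:
+branches:
+- 'main'
+
+env:
+IMAGE_NAME: 'aessing/bind'
+
+permissions:
+packages: write
+
+jobs:
+build:
+name: Build container
+runs-on: ubuntu-latest
+steps:
+- name: Set release date
+run: |
+echo "RELEASE_DATE=$(date -u '+%Y-%m-%dT%H:%M:%S%z')" >> ${GITHUB_ENV}
+
+- name: Checkout code
+uses: actions/checkout@v3
+
+# https://github.com/docker/setup-qemu-action
+- name: Set up QEMU
+uses: docker/setup-qemu-action@v2
+
+# https://github.com/docker/setup-buildx-action
+- name: Set up Docker Buildx
+uses: docker/setup-buildx-action@v2
+
+# https://github.com/docker/login-action
+- name: Login to GHCR
+if: github.event_name != 'pull_request'
+uses: docker/login-action@v2
+with:
+registry: ghcr.io
+username: ${{ github.repository_owner }}
+password: ${{ secrets.GITHUB_TOKEN }}
+- name: Login to Docker Hub
+if: github.event_name != 'pull_request'
+uses: docker/login-action@v2
+with:
+username: ${{ secrets.DOCKERHUB_USERNAME }}
+password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+# https://github.com/docker/metadata-action
+- name: Set container meta
+id: meta
+uses: docker/metadata-action@v4
+with:
+images: |
+${{ env.IMAGE_NAME }}
+ghcr.io/${{ env.IMAGE_NAME }}
+tags: |
+type=schedule,pattern={{date 'YYYYMMDD-HHmmss' tz='UTC'}}
+type=semver,pattern={{version}}
+type=semver,pattern={{major}}.{{minor}}
+type=semver,pattern={{major}}
+type=sha
+
+# https://github.com/docker/build-push-action
+- name: Build and push
+id: build
+uses: docker/build-push-action@v4
+with:
+context: .
+platforms: linux/386, linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64/v8, linux/ppc64le, linux/s390x
+build-args: BUILD_DATE=${{ env.RELEASE_DATE }}
+push: ${{ github.event_name != 'pull_request' }}
+tags: ${{ steps.meta.outputs.tags }}
+labels: ${{ steps.meta.outputs.labels }}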
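Review bot: Every action in this workflow is pinned only to a floating major tag (`actions/checkout@v3`, `docker/setup-qemu-action@v2`, `docker/login-action@v2`, `docker/build-push-action@v4`), so a moved or compromised tag would run attacker code in the one job that holds `packages: write` and the `DOCKERHUB_TOKEN` secret, while the Trivy workflow in this same commit already pins `aquasecurity/trivy-action` to a full commit SHA. Pin each `uses:` to a commit SHA with a trailing `# vN` comment and let Dependabot keep them current. The top-level `permissions:` block grants only `packages: write`, which sets every other scope to none; add an explicit `contents: read`, which the Trivy workflow's own comment notes actions/checkout needs to fetch code. If the build-push-action version in use supports it, `provenance: true` and `sbom: true` on the "Build and push" step would give consumers of the multi-arch image attestations to verify against.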

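--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,51 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: Trivy vulnerability scan
+
+on:
+push:
+branches: ['main']
+pull_request:
+# The branches below must be a subset of the branches above
+branches: ['main']
+schedule:
+- cron: '32 5 * * 2'
+
+env:
+IMAGE_NAME: 'aessing/bind'
+
+permissions:
+contents: read
+
+jobs:
+build:
+name: Trivy vulnerability scan
+permissions:
+contents: read # for actions/checkout to fetch code
+security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+runs-on: 'ubuntu-latest'
+steps:
+- name: Checkout code
+uses: actions/checkout@v3
+
+- name: Build an image from Dockerfile
+run: |
+docker build -t docker.io/${{ env.IMAGE_NAME }}:trivy-${{ github.sha }} .
+
+- name: Run Trivy vulnerability scanner
+uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54
+with:
+image-ref: 'docker.io/${{ env.IMAGE_NAME }}:trivy-${{ github.sha }}'
+format: 'template'
+template: '@/contrib/sarif.tpl'
+output: 'trivy-results.sarif'
+severity: 'CRITICAL,HIGH'
+
+- name: Upload Trivy scan results to GitHub Security tab
+uses: github/codeql-action/upload-sarif@v2
+with:
+sarif_file: 'trivy-results.sarif'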
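Review bot: The Trivy step reports CRITICAL/HIGH findings to the Security tab but never fails the job, because no `exit-code` input is set and the action's default is 0, so a pull request that introduces a critical CVE into the image still goes green and "Comply with trivy" from the commit message is enforced only by someone reading the tab. Add `exit-code: '1'` to the `with:` block (and `ignore-unfixed: true` if unfixed Alpine advisories would otherwise make every run red) so the scan actually gates merges. The `aquasecurity/trivy-action@41f05d9…` SHA pin is the right practice but carries no version comment, so a reader cannot tell which release it is; annotate it with the release it corresponds to, e.g. `# vX.Y.Z`, once that is confirmed. `github/codeql-action/upload-sarif@v2` and `actions/checkout@v3` in the same job are tag-pinned, which is inconsistent with that SHA pin and deserves the same treatment.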

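--- a/Dockerfile
+++ b/Dockerfile
@@ -0,0 +1,64 @@
+# =============================================================================
+# Dockerfile
+# Bind Name Server Container
+# https://github.com/aessing/bind-container
+# -----------------------------------------------------------------------------
+# Developer.......: Andre Essing (https://github.com/aessing)
+# (https://www.linkedin.com/in/aessing/)
+# -----------------------------------------------------------------------------
+# THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
+# EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+# =============================================================================
+
+###############################################################################
+# Get the base Linux image
+FROM alpine:3.18
+
+###############################################################################
+# Set parameters
+ARG BUILD_DATE
+ENV TZ='UTC'
+EXPOSE 53/tcp \
+53/udp \
+80/tcp \
+443/tcp \
+853/tcp
+VOLUME ["/etc/bind", "/var/lib/bind"]
+
+###############################################################################
+# Set some information
+LABEL org.opencontainers.image.created=${BUILD_DATE} \
+org.opencontainers.image.authors="Andre Essing" \
+org.opencontainers.image.description="BIND is an open source DNS software system including an authoritative server or a recursive resolver." \
+org.opencontainers.image.documentation="https://github.com/aessing/bind-container" \
+org.opencontainers.image.licenses="MIT" \
+org.opencontainers.image.title="Bind Name Server Container" \
+org.opencontainers.image.url="https://github.com/aessing/bind-container" \
+org.opencontainers.image.vendor="Andre Essing"
+
+################################################### ############################
+# Install chronyd and necessary packages
+RUN apk add --update --no-cache bind ca-certificates tzdata \
+&& update-ca-certificates \
+&& cp /usr/share/zoneinfo/${TZ} /etc/localtime \
+&& echo $TZ > /etc/timezone \
+&& mkdir -p /etc/bind /var/cache/bind/run /var/lib/bind/zones
+
+###############################################################################
+# Copy files
+COPY container-files/named.conf /etc/bind/named.conf
+COPY container-files/db.* /var/lib/bind/zones/
+RUN chown -R named:named /etc/bind /var/cache/bind /var/lib/bind \
+&& chmod -R o-rwx /etc/bind /var/cache/bind /var/lib/bind
+
+###############################################################################
+# Healthcheck
+HEALTHCHECK CMD dig +norecurse +short +retry=0 @127.0.0.1 localhost || exit 1
+
+###############################################################################
+# Start chronyd
+CMD [ "/usr/sbin/named", "-u named", "-c /etc/bind/named.conf", "-g"]
+
+###############################################################################
+#EOF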
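Review bot: The exec-form `CMD` passes `"-u named"` and `"-c /etc/bind/named.conf"` as single argv elements, so getopt hands named the option values with a leading space (`' named'`, `' /etc/bind/named.conf'`) rather than the intended user and config path; since `-u` is what drops the process from root to `named` after binding port 53, the likely outcome is that the server refuses to start with an unknown-user or missing-config error, and in no case is the privilege drop applied as written. Split every argument: `CMD ["/usr/sbin/named", "-u", "named", "-c", "/etc/bind/named.conf", "-g"]`. The `HEALTHCHECK` calls `dig`, but on Alpine `dig` appears to be packaged in `bind-tools` rather than `bind`, so the container would report unhealthy from the first probe — verify against the 3.18 package index and add `bind-tools` to the `apk add` line if so. The section comments `# Install chronyd and necessary packages` and `# Start chronyd` read as copied from another image; rename them `# Install BIND and necessary packages` and `# Start named in the foreground as the named user`. `FROM alpine:3.18` is tag-only; pinning `alpine:3.18@sha256:…` makes the build reproducible and lets the new Dependabot docker entry keep the digest current.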

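--- a/README.md
+++ b/README.md
@@ -1,16 +1,37 @@
-# Project Title
+# Bind Name Server Container
 
-A README file, along with a repository license, contribution guidelines, and a code of conduct, helps you communicate expectations and manage contributions to your project.
+[BIND](https://bind.isc.org/) BIND is an open source DNS software system including an authoritative server or a recursive resolver.
 
-A README is often the first item a visitor will see when visiting your repository. README files typically include information on:
+As the ISC only published a container with BIND9 DNS server for AMD64, this repository builds a Docker container for other architectures / platforms, based on [Alpine Linux](https://www.alpinelinux.org).
 
-- What the project does?
-- Why the project is useful?
-- How can users get started with the project?
-- Where can users get help with your project?
-- Who maintains and contributes to the project?
+### :hammer_and_wrench: Configuration
 
-:exclamation: Please also have a look at the [license](LICENSE) and if the license fits the needs of your project. :exclamation:
+You can mount the following volumes:
+
+| Volume | Description |
+| --------------- | --------------------------------------------------------- |
+| /etc/bind | For the server configuration (your named.conf lives here) |
+| /var/cache/bind | This is the working directory |
+| /var/lib/bind | This is the place where the secondary zones are placed |
+
+You can expose the following ports:
+
+| Port | Description |
+| ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| 53/udp | The most popular port and protocol of DNS is UDP 53 |
+| 53/tcp | Is used as fallback. Bind9 uses TCP when it is unable to communicate on UDP, typically when the packet size is too large to push through in a single UDP packet. |
+| 443/tcp | If you want to use DNS over HTTPS (DoH), you can expose this port. To get this running, you have to configure it in your named.conf and provide the certificates. |
+| 80/tcp | You can also use DNS over HTTPS (DoH) without certificates over port 80. To get this running, you have to configure it in your named.conf. Please note, that the traffic is not encrypted. This is only for testing purposes, or when you offload the encryption to a reverse proxy. |
+| 853/tcp | If you want to use DNS over TLS (DoT), you can expose this port. To get this running, you have to configure it in your named.conf and provide the certificates. |
+
+## :eyeglasses: Documentation
+
+For further information, how to configure Bind9, please visit the [Bind9 documentation](https://bind9.readthedocs.io/en/latest/).
+
+## :rocket: Deployment
+
+I added a Kubernetes deployment file to deploy the container to a Kubernetes cluster. You can find the file in the `kubernetes` folder.
+The deployment.yaml file is just an example and uses Traefik as a reverse proxy. You can and probably have to change the deployment file to your needs.
 
 ---
 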

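--- a/build.sh
+++ b/build.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+# =============================================================================
+# Script to build the Docker image
+# Bind Name Server Container
+# https://github.com/aessing/bind-container
+# -----------------------------------------------------------------------------
+# Developer.......: Andre Essing (https://github.com/aessing)
+# (https://www.linkedin.com/in/aessing/)
+# -----------------------------------------------------------------------------
+# THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
+# EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+# =============================================================================
+
+source vars
+DOCKER=$(which docker)
+BUILD_DATE=$(date -u '+%Y-%m-%dT%H:%M:%S%z')
+
+# build image
+$DOCKER build --pull \
+--tag ${IMAGE_NAME}:Manual \
+--build-arg BUILD_DATE=${BUILD_DATE} \
+.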
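Review bot: The script has no `set -euo pipefail`, so a failed `source vars` or an unset `IMAGE_NAME` is silently ignored and `docker build` runs with the malformed tag `:Manual`, and `source vars` resolves against the caller's working directory rather than the script's location. Add `set -euo pipefail` after the shebang and source the file relative to the script, `source "$(dirname "$0")/vars"`. What `vars` exports is not in the visible part of this commit; that it defines `IMAGE_NAME` is inferred from the `--tag` line. Quoting `"${IMAGE_NAME}:Manual"` and `"${BUILD_DATE}"` also guards against word splitting if either value ever contains whitespace.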

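--- a/container-files/db.0
+++ b/container-files/db.0
@@ -0,0 +1,15 @@
+;
+; BIND reverse data file for broadcast zone
+;
+$TTL 604800
+@ IN SOA localhost. root.localhost. (
+1 ; Serial
+604800 ; Refresh
+86400 ; Retry
+2419200 ; Expire
+604800 ) ; Negative Cache TTL
+;
+@ IN NS localhost.
+
+; -----------------------------------------------------------------------------
+; EOF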

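--- a/container-files/db.10.in-addr.arpa
+++ b/container-files/db.10.in-addr.arpa
@@ -0,0 +1,21 @@
+$ORIGIN 10.in-addr.arpa.
+$TTL 3600
+
+@ IN SOA nameserver.example.com. hostmaster.example.com. (
+2023070101 ; Serial
+604800 ; Refresh
+86400 ; Retry
+2419200 ; Expire
+86400 ) ; Negative Cache TTL
+;
+
+@ 3600 IN NS ns01.example.com.
+@ 3600 IN NS ns02.example.com.
+
+0.0.132 3600 IN PTR ns01.example.com.
+3.53.10 3600 IN PTR ns02.example.com..
+129.31.124 3600 IN PTR server01.example.com.
+13.235.221 3600 IN PTR server02.example.com.
+
+; -----------------------------------------------------------------------------
+; EOF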
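Review bot: The record `3.53.10 3600 IN PTR ns02.example.com..` ends in a double dot, which is an empty label that named (and `named-checkzone`) should reject, so the whole zone fails to load if named.conf references it; correct it to `3.53.10 3600 IN PTR ns02.example.com.`. Because this commit also does `COPY container-files/db.* /var/lib/bind/zones/`, these example.com names and 10.0.0.0/8 reverse entries ship inside every published image; a header such as `; Example reverse zone for 10.0.0.0/8 - replace with your own records before serving` would make that explicit, and the SOA primary `nameserver.example.com.` should match one of the NS records (`ns01`/`ns02`) so the example is internally consistent. Whether named.conf actually loads this zone cannot be confirmed from here, since named.conf is not in the visible part of the diff.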

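--- a/container-files/db.127
+++ b/container-files/db.127
@@ -0,0 +1,16 @@
+;
+; BIND reverse data file for local loopback interface
+;
+$TTL 604800
+@ IN SOA localhost. root.localhost. (
+1 ; Serial
+604800 ; Refresh
+86400 ; Retry
+2419200 ; Expire
+604800 ) ; Negative Cache TTL
+;
+@ IN NS localhost.
+1.0.0 IN PTR localhost.
+
+; -----------------------------------------------------------------------------
+; EOF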

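--- a/container-files/db.255
+++ b/container-files/db.255
@@ -0,0 +1,15 @@
+;
+; BIND reverse data file for broadcast zone
+;
+$TTL 604800
+@ IN SOA localhost. root.localhost. (
+1 ; Serial
+604800 ; Refresh
+86400 ; Retry
+2419200 ; Expire
+604800 ) ; Negative Cache TTL
+;
+@ IN NS localhost.
+
+; -----------------------------------------------------------------------------
+; EOF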

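--- a/container-files/db.empty
+++ b/container-files/db.empty
@@ -0,0 +1,17 @@
+; BIND reverse data file for empty rfc1918 zone
+;
+; DO NOT EDIT THIS FILE - it is used for multiple zones.
+; Instead, copy it, edit named.conf, and use that copy.
+;
+$TTL 86400
+@ IN SOA localhost. root.localhost. (
+1 ; Serial
+604800 ; Refresh
+86400 ; Retry
+2419200 ; Expire
+86400 ) ; Negative Cache TTL
+;
+@ IN NS localhost.
+
+; -----------------------------------------------------------------------------
+; EOF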
