docker: add image release on tag and periodic vulnerability scan

2020-08-17 12:08:42 +02:00 · 2020-08-17 12:08:42 +02:00 · 617fbf538b
parent 5cce42f4c7
commit 617fbf538b
5 changed files with 112 additions and 3 deletions
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@ -0,0 +1,26 @@
+---
+name: cd
+
+on:
+  push:
+    tags:
+    - 'v*.*.*'
+
+jobs:
+  release-dockerimage:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v1
+    - name: Extract dyndnsd version from tag name
+      run: |
+        echo ::set-env name=DYNDNSD_VERSION::${GITHUB_REF#refs/*/v}
+    # https://github.com/marketplace/actions/build-and-push-docker-images
+    - name: Build and push Docker image for dyndnsd ${{ env.DYNDNSD_VERSION }}
+      uses: docker/build-push-action@v1
+      with:
+        username: cmur2
+        password: ${{ secrets.DOCKER_TOKEN }}
+        repository: cmur2/dyndnsd
+        path: docker
+        build_args: DYNDNSD_VERSION=${{ env.DYNDNSD_VERSION }}
+        tag_with_ref: true
--- a/.github/workflows/vulnscan.yml
+++ b/.github/workflows/vulnscan.yml
@ -0,0 +1,42 @@
+---
+name: vulnscan
+
+on:
+  schedule:
+  - cron: '7 4 * * 4'  # weekly on thursday morning
+
+jobs:
+  scan-released-dockerimages:
+    runs-on: ubuntu-latest
+    env:
+      TRIVY_LIGHT: 'true'
+      TRIVY_IGNORE_UNFIXED: 'true'
+      TRIVY_REMOVED_PKGS: 'true'
+    steps:
+    - name: Install Trivy
+      run: |
+        mkdir -p $GITHUB_WORKSPACE/bin
+        echo "::add-path::$GITHUB_WORKSPACE/bin"
+        curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b $GITHUB_WORKSPACE/bin
+    - name: Download Trivy DB
+      run: |
+        trivy image --download-db-only
+    - name: Scan vulnerabilities using Trivy
+      run: |
+        trivy --version
+
+        ALL_IMAGES="$(curl -s https://hub.docker.com/v2/repositories/cmur2/dyndnsd/tags?page_size=1000 | jq -r '.results[].name | "cmur2/dyndnsd:" + .' | grep -e 'cmur2/dyndnsd:v' | sort -r)"
+        EXIT_CODE=0
+        set -e
+        for major_version in $(seq 1 10); do
+          for image in $ALL_IMAGES; do
+            if [[ "$image" = cmur2/dyndnsd:v$major_version.* ]]; then
+              echo -n "\nScanning newest patch release $image of major v$major_version...\n"
+              if ! trivy image --skip-update --exit-code 1 "$image"; then
+                EXIT_CODE=1
+              fi
+              break
+            fi
+          done
+        done
+        exit "$EXIT_CODE"
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,5 +1,11 @@
 # Changelog

+## 3.1.0
+
+IMPROVEMENTS:
+
+- Add officially maintained [Docker image for dyndnsd](https://hub.docker.com/r/cmur2/dyndnsd)
+
 ## 3.0.0 (July 29, 2020)

 IMPROVEMENTS:
--- a/README.md
+++ b/README.md
@ -64,7 +64,42 @@ users:

 Run dyndnsd.rb by:

-	dyndnsd /path/to/config.yaml
+```bash
+dyndnsd /path/to/config.yml
+```
+
+
+### Docker image
+
+There is an officially maintained [Docker image for dyndnsd](https://hub.docker.com/r/cmur2/dyndnsd) available at Dockerhub. The goal is to have a minimal secured image available (currently based on Alpine) that works well for the `zone_transfer_server` updater use case.
+
+Users can make extensions by deriving from the official Docker image or building their own.
+
+The Docker image consumes the same configuration file in YAML format as the gem, inside the container it needs to be mounted/available as `/etc/dyndnsd/config.yml`. the following YAML should be used as a base and extended with user's settings:
+
+```yaml
+host: "0.0.0.0"
+port: 8080
+# omit the logfile: option so logging to STDOUT will happen automatically
+db: "/var/lib/db.json"
+
+# User's settings for updater and permissions follow here!
+```
+
+more ports might be needed depending on if DNS zone transfer is needed
+
+Run the Docker image exposing the DynDNS-API on host port 8080 via:
+
+```bash
+docker run -d --name dyndnsd \
+           -p 8080:8080 \
+           -v /host/path/to/dyndnsd/config.yml:/etc/dyndnsd/config.yml \
+           -v /host/path/to/dyndnsd/db.json:/var/lib/db.json \
+           cmur2/dyndnsd:vX.Y.Z
+```
+
+*Note*: You may need to expose more then just port 8080 e.g. if you use the `zone_transfer_server` which can be done by appending additional `-p 5353:5353` flags to the `docker run` command.
+


 ## Using dyndnsd.rb with any nameserver via DNS zone transfers (AXFR)
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@ -2,12 +2,12 @@ FROM alpine:3.12

 EXPOSE 5353 8080

-ENV VERSION=3.0.0
+ARG DYNDNSD_VERSION=3.0.0

 RUN apk --no-cache add openssl ca-certificates && \
    apk --no-cache add ruby ruby-etc ruby-io-console ruby-json ruby-webrick && \
    apk --no-cache add --virtual .build-deps ruby-dev build-base tzdata && \
-    gem install --no-document dyndnsd -v ${VERSION} && \
+    gem install --no-document dyndnsd -v ${DYNDNSD_VERSION} && \
    # set timezone to Berlin
    cp /usr/share/zoneinfo/Europe/Berlin /etc/localtime && \
    apk del .build-deps