
docker: add image release on tag and periodic vulnerability scan

tags/v3.1.0.rc1
cn 1 month ago
committed by Christian Nicolai
parent
commit
617fbf538b
5 changed files with 112 additions and 3 deletions
  1. .github/workflows/cd.yml (+26, -0)
  2. .github/workflows/vulnscan.yml (+42, -0)
  3. CHANGELOG.md (+6, -0)
  4. README.md (+36, -1)
  5. docker/Dockerfile (+2, -2)

.github/workflows/cd.yml (+26, -0)

@@ -0,0 +1,26 @@
---
name: cd

on:
push:
tags:
- 'v*.*.*'

jobs:
release-dockerimage:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v1
- name: Extract dyndnsd version from tag name
run: |
echo ::set-env name=DYNDNSD_VERSION::${GITHUB_REF#refs/*/v}
# https://github.com/marketplace/actions/build-and-push-docker-images
- name: Build and push Docker image for dyndnsd ${{ env.DYNDNSD_VERSION }}
uses: docker/build-push-action@v1
with:
username: cmur2
password: ${{ secrets.DOCKER_TOKEN }}
repository: cmur2/dyndnsd
path: docker
build_args: DYNDNSD_VERSION=${{ env.DYNDNSD_VERSION }}
tag_with_ref: true
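Review bot: `echo ::set-env name=DYNDNSD_VERSION::${GITHUB_REF#refs/*/v}` relies on the `set-env` workflow command, which GitHub has deprecated because anything a step prints to the log (including output from a tool processing untrusted data) can carry the same command string and overwrite job environment variables; write the value to the environment file instead: `echo "DYNDNSD_VERSION=${GITHUB_REF#refs/*/v}" >> "$GITHUB_ENV"`. The actions `actions/checkout@v1` and `docker/build-push-action@v1` are referenced by mutable tags while this job holds `secrets.DOCKER_TOKEN` with push rights to `cmur2/dyndnsd`; pin both to a full commit SHA so a moved tag cannot change the code that runs with that credential.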

.github/workflows/vulnscan.yml (+42, -0)

@@ -0,0 +1,42 @@
---
name: vulnscan

on:
schedule:
- cron: '7 4 * * 4' # weekly on thursday morning

jobs:
scan-released-dockerimages:
runs-on: ubuntu-latest
env:
TRIVY_LIGHT: 'true'
TRIVY_IGNORE_UNFIXED: 'true'
TRIVY_REMOVED_PKGS: 'true'
steps:
- name: Install Trivy
run: |
mkdir -p $GITHUB_WORKSPACE/bin
echo "::add-path::$GITHUB_WORKSPACE/bin"
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b $GITHUB_WORKSPACE/bin
- name: Download Trivy DB
run: |
trivy image --download-db-only
- name: Scan vulnerabilities using Trivy
run: |
trivy --version

ALL_IMAGES="$(curl -s https://hub.docker.com/v2/repositories/cmur2/dyndnsd/tags?page_size=1000 | jq -r '.results[].name | "cmur2/dyndnsd:" + .' | grep -e 'cmur2/dyndnsd:v' | sort -r)"
EXIT_CODE=0
set -e
for major_version in $(seq 1 10); do
for image in $ALL_IMAGES; do
if [[ "$image" = cmur2/dyndnsd:v$major_version.* ]]; then
echo -n "\nScanning newest patch release $image of major v$major_version...\n"
if ! trivy image --skip-update --exit-code 1 "$image"; then
EXIT_CODE=1
fi
break
fi
done
done
exit "$EXIT_CODE"
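Review bot: the `Install Trivy` step runs `curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh`, so whatever is on the `master` branch at that moment executes in the job every week without any pinning or verification; pin the installer to a release tag and a fixed Trivy version, or download the release archive and check it against the published checksum before running it. `::add-path` has the same deprecation as `::set-env`; append the directory to `$GITHUB_PATH` instead. Two defects in the scan loop: `sort -r` is a reverse lexicographic sort, so `cmur2/dyndnsd:v3.9.0` ranks above `cmur2/dyndnsd:v3.10.0` and the "newest patch release" picked for a major line becomes stale once a minor or patch number reaches two digits, whereas `sort -rV` sorts by version; and `echo -n "\nScanning newest patch release ..."` prints the `\n` sequences literally under bash (`-n` only drops the trailing newline, escapes need `-e`), so use `printf '\nScanning newest patch release %s of major v%s...\n' "$image" "$major_version"`.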

CHANGELOG.md (+6, -0)

@@ -1,5 +1,11 @@
# Changelog

## 3.1.0

IMPROVEMENTS:

- Add officially maintained [Docker image for dyndnsd](https://hub.docker.com/r/cmur2/dyndnsd)

## 3.0.0 (July 29, 2020)

IMPROVEMENTS:
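Review bot: the new `## 3.1.0` heading has no date while `## 3.0.0 (July 29, 2020)` below it does; if the release is still pending, mark it `## 3.1.0 (unreleased)` so the section format stays consistent and the placeholder is obvious to replace at release time.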


README.md (+36, -1)

@@ -64,7 +64,42 @@ users:

Run dyndnsd.rb by:

dyndnsd /path/to/config.yaml
```bash
dyndnsd /path/to/config.yml
```


### Docker image

There is an officially maintained [Docker image for dyndnsd](https://hub.docker.com/r/cmur2/dyndnsd) available at Dockerhub. The goal is to have a minimal secured image available (currently based on Alpine) that works well for the `zone_transfer_server` updater use case.

Users can make extensions by deriving from the official Docker image or building their own.

The Docker image consumes the same configuration file in YAML format as the gem, inside the container it needs to be mounted/available as `/etc/dyndnsd/config.yml`. the following YAML should be used as a base and extended with user's settings:

```yaml
host: "0.0.0.0"
port: 8080
# omit the logfile: option so logging to STDOUT will happen automatically
db: "/var/lib/db.json"

# User's settings for updater and permissions follow here!
```

more ports might be needed depending on if DNS zone transfer is needed

Run the Docker image exposing the DynDNS-API on host port 8080 via:

```bash
docker run -d --name dyndnsd \
-p 8080:8080 \
-v /host/path/to/dyndnsd/config.yml:/etc/dyndnsd/config.yml \
-v /host/path/to/dyndnsd/db.json:/var/lib/db.json \
cmur2/dyndnsd:vX.Y.Z
```

*Note*: You may need to expose more then just port 8080 e.g. if you use the `zone_transfer_server` which can be done by appending additional `-p 5353:5353` flags to the `docker run` command.



## Using dyndnsd.rb with any nameserver via DNS zone transfers (AXFR)
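Review bot: the line `more ports might be needed depending on if DNS zone transfer is needed` after the YAML block reads as a leftover draft sentence and duplicates the *Note* below, which already covers `-p 5353:5353` for `zone_transfer_server`; drop it. In the same hunk, `the following YAML should be used` should start with a capital letter and `more then just port 8080` should read `more than`. The `docker run` example bind-mounts `db.json` as a single file; it is worth stating that the file must exist on the host before the first start, because `-v` creates a directory at a missing host path and the container then finds a directory at `/var/lib/db.json` instead of a writable file. `-p 8080:8080` also publishes the API on every host interface; when a reverse proxy terminates TLS in front of dyndnsd, `-p 127.0.0.1:8080:8080` is the safer form to document.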


docs/Dockerfile → docker/Dockerfile (+2, -2)

@@ -2,12 +2,12 @@ FROM alpine:3.12

EXPOSE 5353 8080

ENV VERSION=3.0.0
ARG DYNDNSD_VERSION=3.0.0

RUN apk --no-cache add openssl ca-certificates && \
apk --no-cache add ruby ruby-etc ruby-io-console ruby-json ruby-webrick && \
apk --no-cache add --virtual .build-deps ruby-dev build-base tzdata && \
gem install --no-document dyndnsd -v ${VERSION} && \
gem install --no-document dyndnsd -v ${DYNDNSD_VERSION} && \
# set timezone to Berlin
cp /usr/share/zoneinfo/Europe/Berlin /etc/localtime && \
apk del .build-deps
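Review bot: replacing `ENV VERSION=3.0.0` with `ARG DYNDNSD_VERSION=3.0.0` is the right move, since a build argument does not persist into the image environment, but the `3.0.0` default means a plain `docker build` without `--build-arg` silently produces the previous release; drop the default so such a build fails loudly, or document that the value is always supplied by `cd.yml`. `FROM alpine:3.12` in the context line is a mutable tag; pin it with a digest (`alpine:3.12@sha256:<digest>`, digest to be filled in) so the weekly vulnscan results describe a reproducible base and a rebuild of an old tag cannot pull in a different base layer. The visible lines show no `USER` instruction; if the rest of the Dockerfile has none, add an unprivileged user, since the README advertises a "minimal secured image" and the process otherwise runs as root inside the container.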
