From 617fbf538b71a28483d9764a09dc3e73c0486490 Mon Sep 17 00:00:00 2001
From: cn
Date: Mon, 17 Aug 2020 12:08:42 +0200
Subject: [PATCH] docker: add image release on tag and periodic vulnerability scan
---
 .github/workflows/cd.yml | 26 +++++++++++++++++++++
 .github/workflows/vulnscan.yml | 42 ++++++++++++++++++++++++++++++++++
 CHANGELOG.md | 6 +++++
 README.md | 37 +++++++++++++++++++++++++++++-
 {docs => docker}/Dockerfile | 4 ++--
 5 files changed, 112 insertions(+), 3 deletions(-)
 create mode 100644 .github/workflows/cd.yml
 create mode 100644 .github/workflows/vulnscan.yml
 rename {docs => docker}/Dockerfile (81%)
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
new file mode 100644
index 0000000..980d66b
--- /dev/null
+++ b/.github/workflows/cd.yml
@@ -0,0 +1,26 @@
+---
+name: cd
+
+on:
+ push:
+ tags:
+ - 'v*.*.*'
+
+jobs:
+ release-dockerimage:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v1
+ - name: Extract dyndnsd version from tag name
+ run: |
+ echo ::set-env name=DYNDNSD_VERSION::${GITHUB_REF#refs/*/v}
+ # https://github.com/marketplace/actions/build-and-push-docker-images
+ - name: Build and push Docker image for dyndnsd ${{ env.DYNDNSD_VERSION }}
+ uses: docker/build-push-action@v1
+ with:
+ username: cmur2
+ password: ${{ secrets.DOCKER_TOKEN }}
+ repository: cmur2/dyndnsd
+ path: docker
+ build_args: DYNDNSD_VERSION=${{ env.DYNDNSD_VERSION }}
+ tag_with_ref: true
diff --git a/.github/workflows/vulnscan.yml b/.github/workflows/vulnscan.yml
new file mode 100644
index 0000000..527a8ef
--- /dev/null
+++ b/.github/workflows/vulnscan.yml
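Review bot: The `run: |` step that extracts the version uses `echo ::set-env`, a workflow command GitHub has since deprecated over an environment-injection concern; the supported form writes to the environment file, `echo "DYNDNSD_VERSION=${GITHUB_REF#refs/*/v}" >> "$GITHUB_ENV"`. `actions/checkout@v1` and `docker/build-push-action@v1` are referenced by movable major tags, and this job both holds `secrets.DOCKER_TOKEN` and publishes the image users pull, so pinning each action to a full commit SHA (with the tag noted in a trailing comment) keeps a retagged action from running different code with that token. The same `::set-env`-style issue applies to `::add-path` in the Install Trivy step of the vulnscan.yml hunk, where `echo "$GITHUB_WORKSPACE/bin" >> "$GITHUB_PATH"` is the replacement.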
@@ -0,0 +1,42 @@
+---
+name: vulnscan
+
+on:
+ schedule:
+ - cron: '7 4 * * 4' # weekly on thursday morning
+
+jobs:
+ scan-released-dockerimages:
+ runs-on: ubuntu-latest
+ env:
+ TRIVY_LIGHT: 'true'
+ TRIVY_IGNORE_UNFIXED: 'true'
+ TRIVY_REMOVED_PKGS: 'true'
+ steps:
+ - name: Install Trivy
+ run: |
+ mkdir -p $GITHUB_WORKSPACE/bin
+ echo "::add-path::$GITHUB_WORKSPACE/bin"
+ curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b $GITHUB_WORKSPACE/bin
+ - name: Download Trivy DB
+ run: |
+ trivy image --download-db-only
+ - name: Scan vulnerabilities using Trivy
+ run: |
+ trivy --version
+
+ ALL_IMAGES="$(curl -s https://hub.docker.com/v2/repositories/cmur2/dyndnsd/tags?page_size=1000 | jq -r '.results[].name | "cmur2/dyndnsd:" + .' | grep -e 'cmur2/dyndnsd:v' | sort -r)"
+ EXIT_CODE=0
+ set -e
+ for major_version in $(seq 1 10); do
+ for image in $ALL_IMAGES; do
+ if [[ "$image" = cmur2/dyndnsd:v$major_version.* ]]; then
+ echo -n "\nScanning newest patch release $image of major v$major_version...\n"
+ if ! trivy image --skip-update --exit-code 1 "$image"; then
+ EXIT_CODE=1
+ fi
+ break
+ fi
+ done
+ done
+ exit "$EXIT_CODE"
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3c453bc..33b5799 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Changelog
+## 3.1.0
+
+IMPROVEMENTS:
+
+- Add officially maintained [Docker image for dyndnsd](https://hub.docker.com/r/cmur2/dyndnsd)
+
 ## 3.0.0 (July 29, 2020)
 IMPROVEMENTS:
diff --git a/README.md b/README.md
index 856ad9d..2890e19 100644
--- a/README.md
+++ b/README.md
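Review bot: The Install Trivy step fetches `contrib/install.sh` from the mutable `master` branch and pipes it straight into `sh`, so the scanner that decides this job's pass/fail can change or be replaced without any change to this repository; pin a released version (if I read the installer right it accepts a release tag as its last argument, `sh -s -- -b "$GITHUB_WORKSPACE/bin" vX.Y.Z` with the real tag substituted) or download a release asset and verify its checksum. The tag listing in the scan step runs `curl -s` without `-f` and before `set -e`, so a Docker Hub error or rate limit leaves `ALL_IMAGES` empty, the loops scan nothing and the job exits 0 — a silent pass for a scheduled scanner; `curl -sf` plus `[ -n "$ALL_IMAGES" ] || exit 1` turns that into a failure. `sort -r` orders tags lexically, so `v3.9.0` would be picked over `v3.10.0` as the newest patch release; `sort -rV` gives the intended order. `echo -n "\n..."` in bash prints a literal `\n`; `printf '\nScanning newest patch release %s of major v%s...\n' "$image" "$major_version"` is what was meant.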
@@ -64,7 +64,42 @@ users: Run dyndnsd.rb by:
- dyndnsd /path/to/config.yaml
+```bash
+dyndnsd /path/to/config.yml
+```
+
+
+### Docker image
+
+There is an officially maintained [Docker image for dyndnsd](https://hub.docker.com/r/cmur2/dyndnsd) available at Dockerhub. The goal is to have a minimal secured image available (currently based on Alpine) that works well for the `zone_transfer_server` updater use case.
+
+Users can make extensions by deriving from the official Docker image or building their own.
+
+The Docker image consumes the same configuration file in YAML format as the gem, inside the container it needs to be mounted/available as `/etc/dyndnsd/config.yml`. the following YAML should be used as a base and extended with user's settings:
+
+```yaml
+host: "0.0.0.0"
+port: 8080
+# omit the logfile: option so logging to STDOUT will happen automatically
+db: "/var/lib/db.json"
+
+# User's settings for updater and permissions follow here!
+```
+
+more ports might be needed depending on if DNS zone transfer is needed
+
+Run the Docker image exposing the DynDNS-API on host port 8080 via:
+
+```bash
+docker run -d --name dyndnsd \
+ -p 8080:8080 \
+ -v /host/path/to/dyndnsd/config.yml:/etc/dyndnsd/config.yml \
+ -v /host/path/to/dyndnsd/db.json:/var/lib/db.json \
+ cmur2/dyndnsd:vX.Y.Z
+```
+
+*Note*: You may need to expose more then just port 8080 e.g. if you use the `zone_transfer_server` which can be done by appending additional `-p 5353:5353` flags to the `docker run` command.
+
 ## Using dyndnsd.rb with any nameserver via DNS zone transfers (AXFR)
diff --git a/docs/Dockerfile b/docker/Dockerfile
similarity index 81%
rename from docs/Dockerfile
rename to docker/Dockerfile
index c138b7d..9d313b4 100644
--- a/docs/Dockerfile
+++ b/docker/Dockerfile
@@ -2,12 +2,12 @@ FROM alpine:3.12
 EXPOSE 5353 8080
-ENV VERSION=3.0.0
+ARG DYNDNSD_VERSION=3.0.0
 RUN apk --no-cache add openssl ca-certificates && \
 apk --no-cache add ruby ruby-etc ruby-io-console ruby-json ruby-webrick && \
 apk --no-cache add --virtual .build-deps ruby-dev build-base tzdata && \
- gem install --no-document dyndnsd -v ${VERSION} && \
+ gem install --no-document dyndnsd -v ${DYNDNSD_VERSION} && \
 # set timezone to Berlin
 cp /usr/share/zoneinfo/Europe/Berlin /etc/localtime && \
 apk del .build-deps
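Review bot: The new `ARG DYNDNSD_VERSION=3.0.0` default will drift from the released version, since the cd workflow's `build_args` overrides it from the tag, and nothing in the file says so; a comment above it, `# Overridden by .github/workflows/cd.yml with the release tag; the default is only for local builds`, would document that contract. Because the value is spliced into `gem install ... -v ${DYNDNSD_VERSION}`, an empty override presumably fails on gem's option parsing rather than with a clear message; `: "${DYNDNSD_VERSION:?DYNDNSD_VERSION must be set}" && \` as the first command of the RUN makes the requirement explicit.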