cn/dyndnsd
1
0
Fork 0
mirror of https://github.com/cmur2/dyndnsd.git synced 2024-06-26 10:34:39 +02:00
Code Releases Activity

Compare commits

base: cn:master
Branches Tags
cn:master
cn:renovate-aquasecurity-trivy-0.52.x
cn:dependabot-bundler-opentelemetry-instrumentation-rack-gte-0.22-and-lt-0.25
cn:dependabot-bundler-opentelemetry-sdk-gte-1.2-and-lt-1.5
cn:dependabot-bundler-async-gte-1.31-and-lt-2.12
cn:dependabot-bundler-opentelemetry-exporter-jaeger-gte-0.22-and-lt-0.24
cn:depfu-update-rubocop-rspec-2.29.2
cn:depfu-update-rubocop-1.63.5
cn:depfu-update-async-2.11.0
cn:update-3.3
cn:try-rbs
cn:dyndnsd-2.x
cn:try-s2
cn:try-sorbet
cn:dyndnsd-1.x
cn:v3.10.0
cn:v3.9.2
cn:v3.9.1
cn:v3.9.0
cn:v3.8.2
cn:v3.8.1
cn:v3.8.0
cn:v3.7.3
cn:v3.7.2
cn:v3.7.1
cn:v3.7.0
cn:v3.6.2
cn:v3.6.1
cn:v3.6.0
cn:v3.5.3
cn:v3.5.2
cn:v3.5.1
cn:v3.5.0
cn:v3.4.8
cn:v3.4.7
cn:v3.4.6
cn:v3.4.5
cn:v3.4.4
cn:v3.4.3
cn:v3.4.2
cn:v3.4.1
cn:v3.4.0
cn:v3.3.3
cn:v3.3.2
cn:v3.3.2.rc1
cn:v3.3.1
cn:v3.3.0
cn:v3.2.0
cn:v3.1.3
cn:v3.1.2
cn:v3.1.1
cn:v3.1.0
cn:v3.1.0.rc1
cn:v3.0.0
cn:v2.3.1
cn:v2.3.0
cn:v2.2.0
cn:v2.1.1
cn:v2.1.0
cn:v2.0.0
cn:v2.0.0.rc2
cn:v2.0.0.rc1
cn:v1.6.1
cn:v1.6.0
cn:v1.5.0
cn:v1.4.0
cn:v1.3.0
cn:v1.2.2
cn:v1.2.1
cn:v1.2.0
cn:v1.1.0
cn:v1.0.0
cn:v0.0.4
cn:v0.0.3
cn:v0.0.2
..
compare: cn:v3.4.0
Branches Tags
cn:master
cn:renovate-aquasecurity-trivy-0.52.x
cn:dependabot-bundler-opentelemetry-instrumentation-rack-gte-0.22-and-lt-0.25
cn:dependabot-bundler-opentelemetry-sdk-gte-1.2-and-lt-1.5
cn:dependabot-bundler-async-gte-1.31-and-lt-2.12
cn:dependabot-bundler-opentelemetry-exporter-jaeger-gte-0.22-and-lt-0.24
cn:depfu-update-rubocop-rspec-2.29.2
cn:depfu-update-rubocop-1.63.5
cn:depfu-update-async-2.11.0
cn:update-3.3
cn:try-rbs
cn:dyndnsd-2.x
cn:try-s2
cn:try-sorbet
cn:dyndnsd-1.x
cn:v3.10.0
cn:v3.9.2
cn:v3.9.1
cn:v3.9.0
cn:v3.8.2
cn:v3.8.1
cn:v3.8.0
cn:v3.7.3
cn:v3.7.2
cn:v3.7.1
cn:v3.7.0
cn:v3.6.2
cn:v3.6.1
cn:v3.6.0
cn:v3.5.3
cn:v3.5.2
cn:v3.5.1
cn:v3.5.0
cn:v3.4.8
cn:v3.4.7
cn:v3.4.6
cn:v3.4.5
cn:v3.4.4
cn:v3.4.3
cn:v3.4.2
cn:v3.4.1
cn:v3.4.0
cn:v3.3.3
cn:v3.3.2
cn:v3.3.2.rc1
cn:v3.3.1
cn:v3.3.0
cn:v3.2.0
cn:v3.1.3
cn:v3.1.2
cn:v3.1.1
cn:v3.1.0
cn:v3.1.0.rc1
cn:v3.0.0
cn:v2.3.1
cn:v2.3.0
cn:v2.2.0
cn:v2.1.1
cn:v2.1.0
cn:v2.0.0
cn:v2.0.0.rc2
cn:v2.0.0.rc1
cn:v1.6.1
cn:v1.6.0
cn:v1.5.0
cn:v1.4.0
cn:v1.3.0
cn:v1.2.2
cn:v1.2.1
cn:v1.2.0
cn:v1.1.0
cn:v1.0.0
cn:v0.0.4
cn:v0.0.3
cn:v0.0.2

No commits in common. "master" and "v3.4.0" have entirely different histories.
master ... v3.4.0

23 changed files with 111 additions and 528 deletions
Show Stats Expand all files Collapse all files

17
.github/actionlint-matcher.json vendored
View File

@ -1,17 +0,0 @@
{
"problemMatcher": [
{
"owner": "actionlint",
"pattern": [
{
"regexp": "^(?:\\x1b\\[\\d+m)?(.+?)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*: (?:\\x1b\\[\\d+m)*(.+?)(?:\\x1b\\[\\d+m)* \\[(.+?)\\]$",
"file": 1,
"line": 2,
"column": 3,
"message": 4,
"code": 5
}
]
}
]
}

13
.github/dependabot.yml vendored
View File

@ -1,13 +0,0 @@
---
version: 2
updates:
- package-ecosystem: "bundler"
directory: "/"
schedule:
interval: "weekly"
commit-message:
prefix: "gems"
labels: ["dependabot"]
open-pull-requests-limit: 10
pull-request-branch-name:
separator: "-"

42
.github/renovate.json5 vendored
View File

@ -1,42 +0,0 @@
{
extends: [
"config:recommended",
":dependencyDashboard",
":prHourlyLimitNone",
":prConcurrentLimitNone",
":label(dependency-upgrade)",
],
schedule: ["before 8am on thursday"],
branchPrefix: "renovate-",
dependencyDashboardHeader: "View repository job log [here](https://app.renovatebot.com/dashboard#github/cmur2/dyndnsd).",
separateMinorPatch: true,
commitMessagePrefix: "project: ",
commitMessageAction: "update",
commitMessageTopic: "{{depName}}",
commitMessageExtra: "to {{#if isSingleVersion}}v{{{newVersion}}}{{else}}{{{newValue}}}{{/if}}",
packageRules: [
// Ruby dependencies are managed by depfu
{
matchManagers: ["bundler"],
enabled: false,
},
// Commit message formats
{
matchDatasources: ["docker"],
commitMessagePrefix: "docker: ",
},
{
matchManagers: ["github-actions"],
commitMessagePrefix: "ci: ",
},
],
customManagers: [
{
customType: "regex",
fileMatch: ["\.rb$", "^Rakefile$"],
matchStrings: [
"renovate: datasource=(?<datasource>.*?) depName=(?<depName>.*?)\\s.*_version = '(?<currentValue>.*)'\\s"
]
},
],
}

26
.github/workflows/cd.yml vendored
View File

@ -1,4 +1,3 @@
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
---
name: cd
@ -11,38 +10,23 @@ jobs:
release-dockerimage:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v2
- name: Extract dyndnsd version from tag name
run: |
echo "DYNDNSD_VERSION=${GITHUB_REF#refs/*/v}" >> "$GITHUB_ENV"
- name: Wait for dyndnsd ${{ env.DYNDNSD_VERSION }} gem to be available
run: |
set +e
for retry in $(seq 1 5); do
echo "Checking if dyndnsd $DYNDNSD_VERSION gem is retrievable from rubygems.org (try #$retry)..."
sudo gem install dyndnsd -v "$DYNDNSD_VERSION"
# shellcheck disable=SC2181
if [ $? -eq 0 ]; then
exit 0
fi
sleep 60
done
exit 1
echo "DYNDNSD_VERSION=${GITHUB_REF#refs/*/v}" >> $GITHUB_ENV
# https://github.com/marketplace/actions/build-and-push-docker-images
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@v1
- name: Login to Docker Hub
uses: docker/login-action@v3
uses: docker/login-action@v1
with:
username: cmur2
password: ${{ secrets.DOCKER_TOKEN }}
- name: Build and push Docker image for dyndnsd ${{ env.DYNDNSD_VERSION }}
uses: docker/build-push-action@v6
uses: docker/build-push-action@v2
with:
context: docker
build-args: |

36
.github/workflows/ci.yml vendored
View File

@ -1,4 +1,3 @@
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
---
name: ci
@ -15,41 +14,28 @@ jobs:
build:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
ruby-version:
- '2.5'
- '2.6'
- '2.7'
- '3.0'
- '3.1'
- '3.2'
- '3.3'
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v2
- name: Set up Ruby ${{ matrix.ruby-version }}
uses: ruby/setup-ruby@v1
with:
ruby-version: ${{ matrix.ruby-version }}
bundler-cache: true # runs 'bundle install' and caches installed gems automatically
- name: Lint and Test
run: |
bundle exec rake ci
actionlint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Check workflow files
run: |
echo "::add-matcher::.github/actionlint-matcher.json"
bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
./actionlint
# https://github.com/marketplace/actions/build-and-push-docker-images
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
renovate-config-validator:
runs-on: ubuntu-latest
container:
image: ghcr.io/renovatebot/renovate
options: --user root
steps:
- uses: actions/checkout@v4
- name: Check Renovate config
run: renovate-config-validator --strict
- name: Test building Docker image for dyndnsd
uses: docker/build-push-action@v2
with:
context: docker

1
.github/workflows/dockerhub.yml vendored
View File

@ -1,4 +1,3 @@
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
---
name: dockerhub

8
.github/workflows/vulnscan.yml vendored
View File

@ -1,4 +1,3 @@
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
---
name: vulnscan
@ -11,14 +10,15 @@ jobs:
scan-released-dockerimages:
runs-on: ubuntu-latest
env:
TRIVY_LIGHT: 'true'
TRIVY_IGNORE_UNFIXED: 'true'
TRIVY_REMOVED_PKGS: 'true'
steps:
- name: Install Trivy
run: |
mkdir -p "$GITHUB_WORKSPACE/bin"
mkdir -p $GITHUB_WORKSPACE/bin
echo "$GITHUB_WORKSPACE/bin" >> "$GITHUB_PATH"
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b "$GITHUB_WORKSPACE/bin"
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b $GITHUB_WORKSPACE/bin
- name: Download Trivy DB
run: |
trivy image --download-db-only
@ -36,7 +36,7 @@ jobs:
for image in $ALL_IMAGES; do
if [[ "$image" = cmur2/dyndnsd:v$major_version.* ]]; then
echo -e "\nScanning newest patch release $image of major v$major_version...\n"
if ! trivy image --skip-db-update --scanners vuln --exit-code 1 "$image"; then
if ! trivy image --skip-update --exit-code 1 "$image"; then
EXIT_CODE=1
fi
break

2
.gitignore vendored
View File

@ -2,5 +2,3 @@
*.lock
pkg/*
.yardoc
hadolint
trivy

8
.rubocop.yml
View File

@ -3,15 +3,9 @@ require:
- rubocop-rspec
AllCops:
TargetRubyVersion: '3.0'
TargetRubyVersion: '2.5'
NewCops: enable
Gemspec/DevelopmentDependencies:
EnforcedStyle: gemspec
Gemspec/RequireMFA:
Enabled: false
Layout/EmptyLineAfterGuardClause:
Enabled: false

179
CHANGELOG.md
View File

@ -1,182 +1,5 @@
# Changelog
## 3.10.0
IMPROVEMENTS:
- add Ruby 3.3 support
OTHER:
- update base of Docker image to Alpine 3.19.0 (from 3.18.3 before)
## 3.9.2 (August 10th, 2023)
OTHER:
- update base of Docker image to Alpine 3.18.3 (from 3.18.2 before)
## 3.9.1 (July 6, 2023)
OTHER:
- update base of Docker image to Alpine 3.18.2 (from 3.18.0 before)
## 3.9.0 (June 8, 2023)
IMPROVEMENTS:
- Drop EOL Ruby 2.7 support, now minimum version supported is Ruby 3.0
## 3.8.2 (April 1st, 2023)
OTHER:
- update base of Docker image to Alpine 3.17.3 (from 3.17.2 before)
## 3.8.1 (March 2nd, 2023)
OTHER:
- update base of Docker image to Alpine 3.17.2 (from 3.17.1 before)
## 3.8.0 (January 13th, 2023)
IMPROVEMENTS:
- add Ruby 3.2 support
OTHER:
- update base of Docker image to Alpine 3.17.1 (from 3.17.0 before)
## 3.7.3 (December 29th, 2022)
OTHER:
- update base of Docker image to Alpine 3.17.0 (from 3.16.2 before)
## 3.7.2 (November 10th, 2022)
OTHER:
- re-release 3.7.1 to rebuild Docker image with security vulnerabilities fixes
## 3.7.1 (September 20th, 2022)
IMPROVEMENTS:
- fix [TypeError](https://github.com/cmur2/dyndnsd/issues/205) when user has no hosts configured
## 3.7.0 (September 16th, 2022)
IMPROVEMENTS:
- Update to Rack 3
## 3.6.2 (August 11th, 2022)
OTHER:
- update base of Docker image to Alpine 3.16.2 (from 3.16.1 before)
## 3.6.1 (July 21st, 2022)
OTHER:
- update base of Docker image to Alpine 3.16.1 (from 3.16.0 before)
## 3.6.0 (June 2nd, 2022)
IMPROVEMENTS:
- Drop EOL Ruby 2.6 and lower support, now minimum version supported is Ruby 2.7
OTHER:
- update base of Docker image to Alpine 3.16 (from 3.15.7 before)
## 3.5.3 (May 5th, 2022)
OTHER:
- re-release 3.5.2 to rebuild Docker image with security vulnerabilities fixes
## 3.5.2 (April 7th, 2022)
OTHER:
- re-release 3.5.1 to rebuild Docker image with security vulnerabilities fixes
## 3.5.1 (February 17th, 2022)
OTHER:
- re-release 3.5.0 to rebuild Docker image with security vulnerabilities fixes
## 3.5.0 (January 8th, 2022)
IMPROVEMENTS:
- add Ruby 3.1 support
OTHER:
- update base of Docker image to Alpine 3.15 (from 3.13.7 before, **Note:** please be aware of the quirks around [Alpine 3.14](https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.14.0#faccessat2))
## 3.4.8 (December 11th, 2021)
OTHER:
- re-release 3.4.7 to rebuild Docker image with security vulnerabilities fixes
## 3.4.7 (November 19th, 2021)
OTHER:
- re-release 3.4.6 to rebuild Docker image with security vulnerabilities fixes
## 3.4.6 (November 19th, 2021)
OTHER:
- re-release 3.4.5 to rebuild Docker image with security vulnerabilities fixes
## 3.4.5 (August 26th, 2021)
OTHER:
- re-release 3.4.4 to rebuild Docker image with security vulnerabilities fixes
## 3.4.4 (August 26th, 2021)
OTHER:
- re-release 3.4.3 to rebuild Docker image with security vulnerabilities fixes
## 3.4.3 (August 20th, 2021)
OTHER:
- re-release 3.4.2 to rebuild Docker image with security vulnerabilities fixes
## 3.4.2 (July 30, 2021)
IMPROVEMENTS:
- move from OpenTracing to OpenTelemetry for experimental tracing feature
OTHER:
- re-release 3.4.1 to rebuild Docker image with security vulnerabilities fixes
- adopt Renovate for dependency updates
## 3.4.1 (April 15, 2021)
OTHER:
- update base of Docker image to Alpine 3.13.5 to fix security vulnerabilities
## 3.4.0 (April 2, 2021)
IMPROVEMENTS:
@ -346,7 +169,7 @@ IMPROVEMENTS:
IMPROVEMENTS:
- Support dropping privileges on startup, also affects external commands run
- Support dropping priviliges on startup, also affects external commands run
- Add [metriks](https://github.com/eric/metriks) support for basic metrics in the process title
- Detach from child processes running external commands to avoid zombie processes

46
README.md
View File

@ -1,6 +1,6 @@
# dyndnsd.rb
![ci](https://github.com/cmur2/dyndnsd/workflows/ci/badge.svg)
![ci](https://github.com/cmur2/dyndnsd/workflows/ci/badge.svg) [![Dependencies](https://badges.depfu.com/badges/4f25da8493f7a29f652ac892fbf9227b/overview.svg)](https://depfu.com/github/cmur2/dyndnsd)
A small, lightweight and extensible DynDNS server written with Ruby and Rack.
@ -75,7 +75,7 @@ There is an officially maintained [Docker image for dyndnsd](https://hub.docker.
Users can make extensions by deriving from the official Docker image or building their own.
The Docker image consumes the same configuration file in YAML format as the gem, inside the container it needs to be mounted/available as `/etc/dyndnsd/config.yml`. The following YAML should be used as a base and extended with user's settings:
The Docker image consumes the same configuration file in YAML format as the gem, inside the container it needs to be mounted/available as `/etc/dyndnsd/config.yml`. the following YAML should be used as a base and extended with user's settings:
```yaml
host: "0.0.0.0"
@ -98,7 +98,7 @@ docker run -d --name dyndnsd \
cmur2/dyndnsd:vX.Y.Z
```
*Note*: You may need to expose more than just port 8080 e.g. if you use the `zone_transfer_server` which can be done by appending additional `-p 5353:5353` flags to the `docker run` command.
*Note*: You may need to expose more then just port 8080 e.g. if you use the `zone_transfer_server` which can be done by appending additional `-p 5353:5353` flags to the `docker run` command.
@ -106,7 +106,7 @@ docker run -d --name dyndnsd \
By using [DNS zone transfers via AXFR (RFC5936)](https://tools.ietf.org/html/rfc5936) any secondary nameserver can retrieve the DNS zone contents from dyndnsd.rb and serve them to clients.
To speedup propagation after changes dyndnsd.rb can issue a [DNS NOTIFY (RFC1996)](https://tools.ietf.org/html/rfc1996) to inform the nameserver that the DNS zone contents changed and should be fetched even before the time indicated in the SOA record is up.
Currently, dyndnsd.rb does not support any authentication for incoming DNS zone transfer request, so it should be isolated from the internet on these ports.
Currently dyndnsd.rb does not support any authentication for incoming DNS zone transfer requests so it should be isolated from the internet on these ports.
This approach has several advantages:
- dyndnsd.rb can be used in *hidden primary* fashion isolated from client's DNS traffic and does not need to implement full nameserver features
@ -151,7 +151,7 @@ users:
NSD is a nice, open source, authoritative-only, low-memory DNS server that reads BIND-style zone files (and converts them into its own database) and has a simple configuration file.
A feature NSD is lacking is the [Dynamic DNS update (RFC2136)](https://tools.ietf.org/html/rfc2136) functionality BIND offers, but one can fake it using the following dyndnsd.rb configuration:
A feature NSD is lacking is the [Dynamic DNS update (RFC2136)](https://tools.ietf.org/html/rfc2136) functionality BIND offers but one can fake it using the following dyndnsd.rb configuration:
```yaml
host: "0.0.0.0"
@ -197,29 +197,29 @@ The update URL you want to tell your clients (humans or scripts ^^) consists of
where:
* the protocol depends on your (web server/proxy) settings
* `USER` and `PASSWORD` are needed for HTTP Basic Auth and valid combinations are defined in your config.yaml
* `DOMAIN` should match what you defined in your config.yaml as domain but may be anything else when using a web server as proxy
* `PORT` depends on your (web server/proxy) settings
* `HOSTNAMES` is a required list of comma-separated FQDNs (they all have to end with your config.yaml domain) the user wants to update
* `MYIP` is optional and the HTTP client's IP address will be used if missing
* `MYIP6` is optional but if present also requires presence of `MYIP`
* the protocol depends on your (webserver/proxy) settings
* USER and PASSWORD are needed for HTTP Basic Auth and valid combinations are defined in your config.yaml
* DOMAIN should match what you defined in your config.yaml as domain but may be anything else when using a webserver as proxy
* PORT depends on your (webserver/proxy) settings
* HOSTNAMES is a required list of comma-separated FQDNs (they all have to end with your config.yaml domain) the user wants to update
* MYIP is optional and the HTTP client's IP address will be used if missing
* MYIP6 is optional but if present also requires presence of MYIP
### IP address determination
The following rules apply:
* use any IP address provided via the `myip` parameter when present, or
* use any IP address provided via the `X-Real-IP` header e.g. when used behind HTTP reverse proxy such as nginx, or
* use any IP address provided via the myip parameter when present, or
* use any IP address provided via the X-Real-IP header e.g. when used behind HTTP reverse proxy such as nginx, or
* use any IP address used by the connecting HTTP client
If you want to provide an additional IPv6 address as myip6 parameter, the `myip` parameter containing an IPv4 address has to be present, too! No automatism is applied then.
If you want to provide an additional IPv6 address as myip6 parameter, the myip parameter containing an IPv4 address has to be present, too! No automatism is applied then.
### SSL, multiple listen ports
Use a web server as a proxy to handle SSL and/or multiple listen addresses and ports. DynDNS.com provides HTTP on port 80 and 8245 and HTTPS on port 443.
Use a webserver as a proxy to handle SSL and/or multiple listen addresses and ports. DynDNS.com provides HTTP on port 80 and 8245 and HTTPS on port 443.
### Startup
@ -231,7 +231,7 @@ The [Debian 6 init.d script](docs/debian-6-init-dyndnsd) assumes that dyndnsd.rb
### Monitoring
For monitoring dyndnsd.rb uses the [metriks](https://github.com/eric/metriks) framework and exposes several metrics like the number of unauthenticated requests, requests that did (not) update a hostname, etc. By default, the most important metrics are shown in the [proctitle](https://github.com/eric/metriks#proc-title-reporter, butt you can also configure a [Graphite](https://graphiteapp.org/) backend for central monitoring or the [textfile_reporter](https://github.com/prometheus/node_exporter/#textfile-collector) which outputs Graphite-style metrics that are also compatible with Prometheus to a file.
For monitoring dyndnsd.rb uses the [metriks](https://github.com/eric/metriks) framework and exposes several metrics like the number of unauthenticated requests, requests that did (not) update a hostname, etc. By default the most important metrics are shown in the [proctitle](https://github.com/eric/metriks#proc-title-reporter) but you can also configure a [Graphite](https://graphiteapp.org/) backend for central monitoring or the [textfile_reporter](https://github.com/prometheus/node_exporter/#textfile-collector) which outputs Graphite-style metrics that are also compatible with Prometheus to a file.
```yaml
host: "0.0.0.0"
@ -271,9 +271,9 @@ users:
### Tracing (experimental)
For tracing, dyndnsd.rb is instrumented using the [OpenTelemetry](https://opentelemetry.io/docs/ruby/) framework and will emit span tracing data for the most important operations happening during the request/response cycle. Using an [instrumentation for Rack](https://github.com/open-telemetry/opentelemetry-ruby/tree/main/instrumentation/rack) allows handling incoming OpenTelemetry parent span information properly (when desired, turned off by default to reduce attack surface).
For tracing, dyndnsd.rb is instrumented using the [OpenTracing](http://opentracing.io/) framework and will emit span tracing data for the most important operations happening during the request/response cycle. Using a middleware for Rack allows handling incoming OpenTracing span information properly.
Currently, the [OpenTelemetry trace exporter](https://github.com/open-telemetry/opentelemetry-ruby/tree/main/exporter/jaeger) for [CNCF Jaeger](https://github.com/jaegertracing/jaeger) can be enabled via dyndnsd.rb configuration. Alternatively, you can also enable other exporters via the environment variable `OTEL_TRACES_EXPORTER`, e.g. `OTEL_TRACES_EXPORTER=console`.
Currently only one OpenTracing-compatible tracer implementation named [CNCF Jaeger](https://github.com/jaegertracing/jaeger) can be configured to use with dyndnsd.rb.
```yaml
host: "0.0.0.0"
@ -282,9 +282,11 @@ db: "/opt/dyndnsd/db.json"
domain: "dyn.example.org"
# enable and configure tracing using the (currently only) tracer jaeger
tracing:
trust_incoming_span: false # default value, change to accept incoming OpenTelemetry spans as parents
service_name: "my.dyndnsd.identifier" # default unset, will be populated by OpenTelemetry
jaeger: true # enables the Jaeger AgentExporter
trust_incoming_span: false # default value, change to accept incoming OpenTracing spans as parents
jaeger:
host: 127.0.0.1 # defaults for host and port of local jaeger-agent
port: 6831
service_name: "my.dyndnsd.identifier"
# configure the updater, here we use command_with_bind_zone, params are updater-specific
updater:
name: "command_with_bind_zone"

60
Rakefile
View File

@ -14,61 +14,19 @@ task :solargraph do
sh 'solargraph typecheck'
end
# renovate: datasource=github-tags depName=hadolint/hadolint
hadolint_version = 'v2.12.0'
# renovate: datasource=github-tags depName=aquasecurity/trivy
trivy_version = 'v0.52.0'
namespace :docker do
ci_image = 'cmur2/dyndnsd:ci'
desc 'Lint Dockerfile'
task :lint do
sh "if [ ! -e ./hadolint ]; then wget -q -O ./hadolint https://github.com/hadolint/hadolint/releases/download/#{hadolint_version}/hadolint-Linux-x86_64; fi"
sh 'chmod a+x ./hadolint'
sh './hadolint --ignore DL3018 docker/Dockerfile'
sh './hadolint --ignore DL3018 --ignore DL3028 docker/ci/Dockerfile'
namespace :solargraph do
desc 'Should be run by developer once to prepare initial solargraph usage (fill caches etc.)'
task :init do
sh 'solargraph download-core'
end
end
desc 'Build CI Docker image'
task :build do
sh 'docker build -t cmur2/dyndnsd:ci -f docker/ci/Dockerfile .'
end
desc 'Scan CI Docker image for vulnerabilities'
task :scan do
ver = trivy_version.gsub('v', '')
sh "if [ ! -e ./trivy ]; then wget -q -O - https://github.com/aquasecurity/trivy/releases/download/v#{ver}/trivy_#{ver}_Linux-64bit.tar.gz | tar -xzf - trivy; fi"
sh "./trivy image #{ci_image}"
end
desc 'End-to-end test the CI Docker image'
task :e2e do
sh <<~SCRIPT
echo -n '{}' > e2e/db.json
chmod a+w e2e/db.json
SCRIPT
sh "docker run -d --name=dyndnsd-ci -v $(pwd)/e2e:/etc/dyndnsd -p 8080:8080 -p 5353:5353 #{ci_image}"
sh 'sleep 5'
puts '----------------------------------------'
# `dig` needs `sudo apt-get install -y -q dnsutils`
sh <<~SCRIPT
curl -s -o /dev/null -w '%{http_code}' 'http://localhost:8080/' | grep -q '401'
curl -s 'http://foo:secret@localhost:8080/nic/update?hostname=foo.dyn.example.org&myip=1.2.3.4' | grep -q 'good'
curl -s 'http://foo:secret@localhost:8080/nic/update?hostname=foo.dyn.example.org&myip=1.2.3.4' | grep -q 'nochg'
dig +short AXFR 'dyn.example.org' @127.0.0.1 -p 5353 | grep -q '1.2.3.4'
SCRIPT
puts '----------------------------------------'
sh <<~SCRIPT
docker logs dyndnsd-ci
docker container rm -f -v dyndnsd-ci
rm e2e/db.json
SCRIPT
end
desc 'Run hadolint for Dockerfile linting'
task :hadolint do
sh 'docker run --rm -i hadolint/hadolint:v1.18.0 hadolint --ignore DL3018 - < docker/Dockerfile'
end
task default: [:rubocop, :spec, 'bundle:audit', :solargraph]
desc 'Run all tasks desired for CI'
task ci: [:default, 'docker:lint', :build, 'docker:build', 'docker:e2e']
task ci: ['solargraph:init', :default, :hadolint]

5
docker/Dockerfile
View File

@ -1,14 +1,13 @@
FROM alpine:3.20.0
FROM alpine:3.13.4
EXPOSE 5353 8080
ARG DYNDNSD_VERSION
ARG DYNDNSD_VERSION=3.4.0
RUN apk --no-cache add openssl ca-certificates && \
apk --no-cache add ruby ruby-etc ruby-io-console ruby-json ruby-webrick && \
apk --no-cache add --virtual .build-deps linux-headers ruby-dev build-base tzdata && \
gem install --no-document dyndnsd -v ${DYNDNSD_VERSION} && \
rm -rf /usr/lib/ruby/gems/*/cache/ && \
# set timezone to Berlin
cp /usr/share/zoneinfo/Europe/Berlin /etc/localtime && \
apk del .build-deps

22
docker/ci/Dockerfile
View File

@ -1,22 +0,0 @@
FROM alpine:3.20.0
EXPOSE 5353 8080
COPY pkg/dyndnsd-*.gem /tmp/dyndnsd.gem
RUN apk --no-cache add openssl ca-certificates && \
apk --no-cache add ruby ruby-etc ruby-io-console ruby-json ruby-webrick && \
apk --no-cache add --virtual .build-deps linux-headers ruby-dev build-base tzdata && \
gem install --no-document /tmp/dyndnsd.gem && \
rm -rf /usr/lib/ruby/gems/*/cache/ && \
# set timezone to Berlin
cp /usr/share/zoneinfo/Europe/Berlin /etc/localtime && \
apk del .build-deps
# Follow the principle of least privilege: run as unprivileged user.
# Running as non-root enables running this image in platforms like OpenShift
# that do not allow images running as root.
# User ID 65534 is usually user 'nobody'.
USER 65534
ENTRYPOINT ["dyndnsd", "/etc/dyndnsd/config.yml"]

24
dyndnsd.gemspec
View File

@ -25,25 +25,23 @@ Gem::Specification.new do |s|
s.executables = ['dyndnsd']
s.extra_rdoc_files = Dir['README.md', 'CHANGELOG.md', 'LICENSE']
s.required_ruby_version = '>= 3.0'
s.required_ruby_version = '>= 2.5'
s.add_runtime_dependency 'async', '~> 1.31.0'
s.add_runtime_dependency 'async-dns', '~> 1.3.0'
s.add_runtime_dependency 'async-dns', '~> 1.2.0'
s.add_runtime_dependency 'jaeger-client', '~> 1.1.0'
s.add_runtime_dependency 'metriks'
s.add_runtime_dependency 'opentelemetry-exporter-jaeger', '~> 0.22.0'
s.add_runtime_dependency 'opentelemetry-instrumentation-rack', '~> 0.22.0'
s.add_runtime_dependency 'opentelemetry-sdk', '~> 1.2.0'
s.add_runtime_dependency 'rack', '~> 3.0'
s.add_runtime_dependency 'rackup', '~> 2'
s.add_runtime_dependency 'opentracing', '~> 0.5.0'
s.add_runtime_dependency 'rack', '~> 2.0'
s.add_runtime_dependency 'rack-tracer', '~> 0.9.0'
s.add_runtime_dependency 'webrick', '>= 1.6.1'
s.add_development_dependency 'bundler'
s.add_development_dependency 'bundler-audit', '~> 0.9.0'
s.add_development_dependency 'bundler-audit', '~> 0.8.0'
s.add_development_dependency 'rack-test'
s.add_development_dependency 'rake'
s.add_development_dependency 'rspec'
s.add_development_dependency 'rubocop', '~> 1.64.0'
s.add_development_dependency 'rubocop-rake', '~> 0.6.0'
s.add_development_dependency 'rubocop-rspec', '~> 3.0.1'
s.add_development_dependency 'solargraph', '~> 0.49.0'
s.add_development_dependency 'rubocop', '~> 1.12.0'
s.add_development_dependency 'rubocop-rake', '~> 0.5.1'
s.add_development_dependency 'rubocop-rspec', '~> 2.2.0'
s.add_development_dependency 'solargraph', '~> 0.40.0'
end

31
e2e/config.yml
View File

@ -1,31 +0,0 @@
---
host: "0.0.0.0"
port: 8080
db: /etc/dyndnsd/db.json
debug: false
domain: dyn.example.org
#responder: RestStyle
updater:
name: zone_transfer_server
params:
server_listens:
- 0.0.0.0@5353
#send_notifies:
#- 10.0.2.15@53
zone_ttl: 300 # 5m
zone_nameservers:
- dns1.example.org.
- dns2.example.org.
zone_email_address: admin.example.org.
zone_additional_ips:
- "127.0.0.1"
- "::1"
users:
foo:
password: "secret"
hosts:
- foo.dyn.example.org
- bar.dyn.example.org

60
lib/dyndnsd.rb
View File

@ -7,11 +7,10 @@ require 'ipaddr'
require 'json'
require 'yaml'
require 'rack'
require 'rackup'
require 'metriks'
require 'opentelemetry/instrumentation/rack'
require 'opentelemetry/sdk'
require 'metriks/reporter/graphite'
require 'opentracing'
require 'rack/tracer'
require 'dyndnsd/generator/bind'
require 'dyndnsd/updater/command_with_bind_zone'
@ -70,7 +69,7 @@ module Dyndnsd
# @return [Boolean]
def authorized?(username, password)
Helper.span('check_authorized') do |span|
span.set_attribute('enduser.id', username)
span.set_tag('dyndnsd.user', username)
allow = Helper.user_allowed?(username, password, @users)
if !allow
@ -107,13 +106,13 @@ module Dyndnsd
puts "DynDNSd version #{Dyndnsd::VERSION}"
puts "Using config file #{config_file}"
config = YAML.safe_load_file(config_file)
config = YAML.safe_load(File.open(config_file, 'r', &:read))
setup_logger(config)
Dyndnsd.logger.info 'Starting...'
# drop privileges as soon as possible
# drop priviliges as soon as possible
# NOTE: first change group than user
if config['group']
group = Etc.getgrnam(config['group'])
@ -171,7 +170,7 @@ module Dyndnsd
def process_changes(hostnames, myips)
changes = []
Helper.span('process_changes') do |span|
span.set_attribute('dyndnsd.hostnames', hostnames.join(','))
span.set_tag('dyndnsd.hostnames', hostnames.join(','))
hostnames.each do |hostname|
# myips order is always deterministic
@ -215,11 +214,10 @@ module Dyndnsd
invalid_hostnames = hostnames.select { |h| !Helper.fqdn_valid?(h, @domain) }
return [422, {'X-DynDNS-Response' => 'hostname_malformed'}, []] if invalid_hostnames.any?
# we can trust this information since user was authorized by middleware
user = env['REMOTE_USER']
# check for hostnames that the user does not own
forbidden_hostnames = hostnames - @users[user].fetch('hosts', [])
forbidden_hostnames = hostnames - @users[user]['hosts']
return [422, {'X-DynDNS-Response' => 'host_forbidden'}, []] if forbidden_hostnames.any?
if params['offline'] == 'YES'
@ -254,17 +252,15 @@ module Dyndnsd
Dyndnsd.logger.progname = 'dyndnsd'
Dyndnsd.logger.formatter = LogFormatter.new
Dyndnsd.logger.level = config['debug'] ? Logger::DEBUG : Logger::INFO
OpenTelemetry.logger = Dyndnsd.logger
end
# @return [void]
private_class_method def self.setup_traps
Signal.trap('INT') do
Rackup::Handler::WEBrick.shutdown
Rack::Handler::WEBrick.shutdown
end
Signal.trap('TERM') do
Rackup::Handler::WEBrick.shutdown
Rack::Handler::WEBrick.shutdown
end
end
@ -300,31 +296,16 @@ module Dyndnsd
# @param config [Hash{String => Object}]
# @return [void]
private_class_method def self.setup_tracing(config)
# by default do not try to emit any traces until the user opts in
ENV['OTEL_TRACES_EXPORTER'] ||= 'none'
# configure OpenTracing
if config.dig('tracing', 'jaeger')
require 'jaeger/client'
# configure OpenTelemetry
OpenTelemetry::SDK.configure do |c|
if config.dig('tracing', 'jaeger')
require 'opentelemetry/exporter/jaeger'
c.add_span_processor(
OpenTelemetry::SDK::Trace::Export::BatchSpanProcessor.new(
OpenTelemetry::Exporter::Jaeger::AgentExporter.new
)
)
end
if config.dig('tracing', 'service_name')
c.service_name = config['tracing']['service_name']
end
c.service_version = Dyndnsd::VERSION
c.use('OpenTelemetry::Instrumentation::Rack')
end
if !config.dig('tracing', 'trust_incoming_span')
OpenTelemetry.propagation = OpenTelemetry::Context::Propagation::NoopTextMapPropagator.new
host = config['tracing']['jaeger']['host'] || '127.0.0.1'
port = config['tracing']['jaeger']['port'] || 6831
service_name = config['tracing']['jaeger']['service_name'] || 'dyndnsd'
OpenTracing.global_tracer = Jaeger::Client.build(
host: host, port: port, service_name: service_name, flush_interval: 1
)
end
end
@ -350,9 +331,10 @@ module Dyndnsd
app = Responder::DynDNSStyle.new(app)
end
app = OpenTelemetry::Instrumentation::Rack::Middlewares::TracerMiddleware.new(app)
trust_incoming_span = config.dig('tracing', 'trust_incoming_span') || false
app = Rack::Tracer.new(app, trust_incoming_span: trust_incoming_span)
Rackup::Handler::WEBrick.run app, Host: config['host'], Port: config['port']
Rack::Handler::WEBrick.run app, Host: config['host'], Port: config['port']
end
end
end

23
lib/dyndnsd/helper.rb
View File

@ -45,17 +45,24 @@ module Dyndnsd
# @param block [Proc]
# @return [void]
def self.span(operation, &block)
tracer = OpenTelemetry.tracer_provider.tracer(Dyndnsd.name, Dyndnsd::VERSION)
tracer.in_span(
operation,
attributes: {'component' => 'dyndnsd'},
kind: :server
) do |span|
Dyndnsd.logger.debug "Creating span ID #{span.context.hex_span_id} for trace ID #{span.context.hex_trace_id}"
scope = OpenTracing.start_active_span(operation)
span = scope.span
span.set_tag('component', 'dyndnsd')
span.set_tag('span.kind', 'server')
begin
block.call(span)
rescue StandardError => e
span.record_exception(e)
span.set_tag('error', true)
span.log_kv(
event: 'error',
'error.kind': e.class.to_s,
'error.object': e,
message: e.message,
stack: e.backtrace&.join("\n") || ''
)
raise e
ensure
scope.close
end
end
end

4
lib/dyndnsd/updater/command_with_bind_zone.rb
View File

@ -18,10 +18,10 @@ module Dyndnsd
return if !db.changed?
Helper.span('updater_update') do |span|
span.set_attribute('dyndnsd.updater.name', self.class.name&.split('::')&.last || 'None')
span.set_tag('dyndnsd.updater.name', self.class.name&.split('::')&.last || 'None')
# write zone file in bind syntax
File.write(@zone_file, @generator.generate(db))
File.open(@zone_file, 'w') { |f| f.write(@generator.generate(db)) }
# call user-defined command
pid = fork do
exec @command

2
lib/dyndnsd/updater/zone_transfer_server.rb
View File

@ -35,7 +35,7 @@ module Dyndnsd
# @return [void]
def update(db)
Helper.span('updater_update') do |span|
span.set_attribute('dyndnsd.updater.name', self.class.name&.split('::')&.last || 'None')
span.set_tag('dyndnsd.updater.name', self.class.name&.split('::')&.last || 'None')
soa_rr = Resolv::DNS::Resource::IN::SOA.new(
@zone_nameservers[0], @zone_email_address,

2
lib/dyndnsd/version.rb
View File

@ -1,5 +1,5 @@
# frozen_string_literal: true
module Dyndnsd
VERSION = '3.9.2'
VERSION = '3.4.0'
end

15
spec/dyndnsd/daemon_spec.rb
View File

@ -15,9 +15,6 @@ describe Dyndnsd::Daemon do
'test' => {
'password' => 'secret',
'hosts' => ['foo.example.org', 'bar.example.org']
},
'test2' => {
'password' => 'ihavenohosts'
}
}
}
@ -27,7 +24,9 @@ describe Dyndnsd::Daemon do
app = Rack::Auth::Basic.new(daemon, 'DynDNS', &daemon.method(:authorized?))
Dyndnsd::Responder::DynDNSStyle.new(app)
app = Dyndnsd::Responder::DynDNSStyle.new(app)
Rack::Tracer.new(app, trust_incoming_span: false)
end
it 'requires authentication' do
@ -102,14 +101,6 @@ describe Dyndnsd::Daemon do
expect(last_response.body).to eq('notfqdn')
end
it 'rejects request if user does not own any hostnames' do
authorize 'test2', 'ihavenohosts'
get '/nic/update?hostname=doesnotexisthost.example.org'
expect(last_response).to be_ok
expect(last_response.body).to eq('nohost')
end
it 'rejects request if user does not own one hostname' do
authorize 'test', 'secret'

13
upgrade-version.sh
View File

@ -1,13 +0,0 @@
#!/bin/bash -eux
sed -i "s/$1/$2/g" lib/dyndnsd/version.rb
release_date=$(LC_ALL=en_US.utf8 date +"%B %-d, %Y")
if grep "## $2 (" CHANGELOG.md; then
true
elif grep "## $2" CHANGELOG.md; then
sed -i "s/## $2/## $2 ($release_date)/g" CHANGELOG.md
else
echo "## $2 ($release_date)" >> CHANGELOG.md
fi