cn/dyndnsd
1
0
Fork 0
mirror of https://github.com/cmur2/dyndnsd.git synced 2024-06-29 08:34:39 +02:00
Code Releases Activity

Compare commits

base: cn:master
Branches Tags
cn:master
cn:renovate-aquasecurity-trivy-0.52.x
cn:dependabot-bundler-opentelemetry-instrumentation-rack-gte-0.22-and-lt-0.25
cn:dependabot-bundler-opentelemetry-sdk-gte-1.2-and-lt-1.5
cn:dependabot-bundler-async-gte-1.31-and-lt-2.12
cn:dependabot-bundler-opentelemetry-exporter-jaeger-gte-0.22-and-lt-0.24
cn:depfu-update-rubocop-rspec-2.29.2
cn:depfu-update-rubocop-1.63.5
cn:depfu-update-async-2.11.0
cn:update-3.3
cn:try-rbs
cn:dyndnsd-2.x
cn:try-s2
cn:try-sorbet
cn:dyndnsd-1.x
cn:v3.10.0
cn:v3.9.2
cn:v3.9.1
cn:v3.9.0
cn:v3.8.2
cn:v3.8.1
cn:v3.8.0
cn:v3.7.3
cn:v3.7.2
cn:v3.7.1
cn:v3.7.0
cn:v3.6.2
cn:v3.6.1
cn:v3.6.0
cn:v3.5.3
cn:v3.5.2
cn:v3.5.1
cn:v3.5.0
cn:v3.4.8
cn:v3.4.7
cn:v3.4.6
cn:v3.4.5
cn:v3.4.4
cn:v3.4.3
cn:v3.4.2
cn:v3.4.1
cn:v3.4.0
cn:v3.3.3
cn:v3.3.2
cn:v3.3.2.rc1
cn:v3.3.1
cn:v3.3.0
cn:v3.2.0
cn:v3.1.3
cn:v3.1.2
cn:v3.1.1
cn:v3.1.0
cn:v3.1.0.rc1
cn:v3.0.0
cn:v2.3.1
cn:v2.3.0
cn:v2.2.0
cn:v2.1.1
cn:v2.1.0
cn:v2.0.0
cn:v2.0.0.rc2
cn:v2.0.0.rc1
cn:v1.6.1
cn:v1.6.0
cn:v1.5.0
cn:v1.4.0
cn:v1.3.0
cn:v1.2.2
cn:v1.2.1
cn:v1.2.0
cn:v1.1.0
cn:v1.0.0
cn:v0.0.4
cn:v0.0.3
cn:v0.0.2
..
compare: cn:v3.4.0
Branches Tags
cn:master
cn:renovate-aquasecurity-trivy-0.52.x
cn:dependabot-bundler-opentelemetry-instrumentation-rack-gte-0.22-and-lt-0.25
cn:dependabot-bundler-opentelemetry-sdk-gte-1.2-and-lt-1.5
cn:dependabot-bundler-async-gte-1.31-and-lt-2.12
cn:dependabot-bundler-opentelemetry-exporter-jaeger-gte-0.22-and-lt-0.24
cn:depfu-update-rubocop-rspec-2.29.2
cn:depfu-update-rubocop-1.63.5
cn:depfu-update-async-2.11.0
cn:update-3.3
cn:try-rbs
cn:dyndnsd-2.x
cn:try-s2
cn:try-sorbet
cn:dyndnsd-1.x
cn:v3.10.0
cn:v3.9.2
cn:v3.9.1
cn:v3.9.0
cn:v3.8.2
cn:v3.8.1
cn:v3.8.0
cn:v3.7.3
cn:v3.7.2
cn:v3.7.1
cn:v3.7.0
cn:v3.6.2
cn:v3.6.1
cn:v3.6.0
cn:v3.5.3
cn:v3.5.2
cn:v3.5.1
cn:v3.5.0
cn:v3.4.8
cn:v3.4.7
cn:v3.4.6
cn:v3.4.5
cn:v3.4.4
cn:v3.4.3
cn:v3.4.2
cn:v3.4.1
cn:v3.4.0
cn:v3.3.3
cn:v3.3.2
cn:v3.3.2.rc1
cn:v3.3.1
cn:v3.3.0
cn:v3.2.0
cn:v3.1.3
cn:v3.1.2
cn:v3.1.1
cn:v3.1.0
cn:v3.1.0.rc1
cn:v3.0.0
cn:v2.3.1
cn:v2.3.0
cn:v2.2.0
cn:v2.1.1
cn:v2.1.0
cn:v2.0.0
cn:v2.0.0.rc2
cn:v2.0.0.rc1
cn:v1.6.1
cn:v1.6.0
cn:v1.5.0
cn:v1.4.0
cn:v1.3.0
cn:v1.2.2
cn:v1.2.1
cn:v1.2.0
cn:v1.1.0
cn:v1.0.0
cn:v0.0.4
cn:v0.0.3
cn:v0.0.2

No commits in common. "master" and "v3.4.0" have entirely different histories.
master ... v3.4.0

23 changed files with 111 additions and 528 deletions
Show Stats Expand all files Collapse all files

17
.github/actionlint-matcher.json vendored
View File

@ -1,17 +0,0 @@
{
"problemMatcher": [
{
"owner": "actionlint",
"pattern": [
{
"regexp": "^(?:\\x1b\\[\\d+m)?(.+?)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*: (?:\\x1b\\[\\d+m)*(.+?)(?:\\x1b\\[\\d+m)* \\[(.+?)\\]$",
"file": 1,
"line": 2,
"column": 3,
"message": 4,
"code": 5
}
]
}
]
}

13
.github/dependabot.yml vendored
View File

@ -1,13 +0,0 @@
---
version: 2
updates:
- package-ecosystem: "bundler"
directory: "/"
schedule:
interval: "weekly"
commit-message:
prefix: "gems"
labels: ["dependabot"]
open-pull-requests-limit: 10
pull-request-branch-name:
separator: "-"

42
.github/renovate.json5 vendored
View File

@ -1,42 +0,0 @@
{
extends: [
"config:recommended",
":dependencyDashboard",
":prHourlyLimitNone",
":prConcurrentLimitNone",
":label(dependency-upgrade)",
],
schedule: ["before 8am on thursday"],
branchPrefix: "renovate-",
dependencyDashboardHeader: "View repository job log [here](https://app.renovatebot.com/dashboard#github/cmur2/dyndnsd).",
separateMinorPatch: true,
commitMessagePrefix: "project: ",
commitMessageAction: "update",
commitMessageTopic: "{{depName}}",
commitMessageExtra: "to {{#if isSingleVersion}}v{{{newVersion}}}{{else}}{{{newValue}}}{{/if}}",
packageRules: [
// Ruby dependencies are managed by depfu
{
matchManagers: ["bundler"],
enabled: false,
},
// Commit message formats
{
matchDatasources: ["docker"],
commitMessagePrefix: "docker: ",
},
{
matchManagers: ["github-actions"],
commitMessagePrefix: "ci: ",
},
],
customManagers: [
{
customType: "regex",
fileMatch: ["\.rb$", "^Rakefile$"],
matchStrings: [
"renovate: datasource=(?<datasource>.*?) depName=(?<depName>.*?)\\s.*_version = '(?<currentValue>.*)'\\s"
]
},
],
}

26
.github/workflows/cd.yml vendored
View File

@ -1,4 +1,3 @@
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
--- ---
name: cd name: cd
@ -11,38 +10,23 @@ jobs:
release-dockerimage: release-dockerimage:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v2
- name: Extract dyndnsd version from tag name - name: Extract dyndnsd version from tag name
run: | run: |
echo "DYNDNSD_VERSION=${GITHUB_REF#refs/*/v}" >> "$GITHUB_ENV" echo "DYNDNSD_VERSION=${GITHUB_REF#refs/*/v}" >> $GITHUB_ENV
- name: Wait for dyndnsd ${{ env.DYNDNSD_VERSION }} gem to be available
run: |
set +e
for retry in $(seq 1 5); do
echo "Checking if dyndnsd $DYNDNSD_VERSION gem is retrievable from rubygems.org (try #$retry)..."
sudo gem install dyndnsd -v "$DYNDNSD_VERSION"
# shellcheck disable=SC2181
if [ $? -eq 0 ]; then
exit 0
fi
sleep 60
done
exit 1
# https://github.com/marketplace/actions/build-and-push-docker-images # https://github.com/marketplace/actions/build-and-push-docker-images
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3 uses: docker/setup-buildx-action@v1
- name: Login to Docker Hub - name: Login to Docker Hub
uses: docker/login-action@v3 uses: docker/login-action@v1
with: with:
username: cmur2 username: cmur2
password: ${{ secrets.DOCKER_TOKEN }} password: ${{ secrets.DOCKER_TOKEN }}
- name: Build and push Docker image for dyndnsd ${{ env.DYNDNSD_VERSION }} - name: Build and push Docker image for dyndnsd ${{ env.DYNDNSD_VERSION }}
uses: docker/build-push-action@v6 uses: docker/build-push-action@v2
with: with:
context: docker context: docker
build-args: | build-args: |

36
.github/workflows/ci.yml vendored
View File

@ -1,4 +1,3 @@
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
--- ---
name: ci name: ci
@ -15,41 +14,28 @@ jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
strategy: strategy:
fail-fast: false
matrix: matrix:
ruby-version: ruby-version:
- '2.5'
- '2.6'
- '2.7'
- '3.0' - '3.0'
- '3.1'
- '3.2'
- '3.3'
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v2
- name: Set up Ruby ${{ matrix.ruby-version }} - name: Set up Ruby ${{ matrix.ruby-version }}
uses: ruby/setup-ruby@v1 uses: ruby/setup-ruby@v1
with: with:
ruby-version: ${{ matrix.ruby-version }} ruby-version: ${{ matrix.ruby-version }}
bundler-cache: true # runs 'bundle install' and caches installed gems automatically bundler-cache: true # runs 'bundle install' and caches installed gems automatically
- name: Lint and Test - name: Lint and Test
run: | run: |
bundle exec rake ci bundle exec rake ci
actionlint: # https://github.com/marketplace/actions/build-and-push-docker-images
runs-on: ubuntu-latest - name: Set up Docker Buildx
steps: uses: docker/setup-buildx-action@v1
- uses: actions/checkout@v4
- name: Check workflow files
run: |
echo "::add-matcher::.github/actionlint-matcher.json"
bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
./actionlint
renovate-config-validator: - name: Test building Docker image for dyndnsd
runs-on: ubuntu-latest uses: docker/build-push-action@v2
container: with:
image: ghcr.io/renovatebot/renovate context: docker
options: --user root
steps:
- uses: actions/checkout@v4
- name: Check Renovate config
run: renovate-config-validator --strict

1
.github/workflows/dockerhub.yml vendored
View File

@ -1,4 +1,3 @@
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
--- ---
name: dockerhub name: dockerhub

8
.github/workflows/vulnscan.yml vendored
View File

@ -1,4 +1,3 @@
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
--- ---
name: vulnscan name: vulnscan
@ -11,14 +10,15 @@ jobs:
scan-released-dockerimages: scan-released-dockerimages:
runs-on: ubuntu-latest runs-on: ubuntu-latest
env: env:
TRIVY_LIGHT: 'true'
TRIVY_IGNORE_UNFIXED: 'true' TRIVY_IGNORE_UNFIXED: 'true'
TRIVY_REMOVED_PKGS: 'true' TRIVY_REMOVED_PKGS: 'true'
steps: steps:
- name: Install Trivy - name: Install Trivy
run: | run: |
mkdir -p "$GITHUB_WORKSPACE/bin" mkdir -p $GITHUB_WORKSPACE/bin
echo "$GITHUB_WORKSPACE/bin" >> "$GITHUB_PATH" echo "$GITHUB_WORKSPACE/bin" >> "$GITHUB_PATH"
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b "$GITHUB_WORKSPACE/bin" curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b $GITHUB_WORKSPACE/bin
- name: Download Trivy DB - name: Download Trivy DB
run: | run: |
trivy image --download-db-only trivy image --download-db-only
@ -36,7 +36,7 @@ jobs:
for image in $ALL_IMAGES; do for image in $ALL_IMAGES; do
if [[ "$image" = cmur2/dyndnsd:v$major_version.* ]]; then if [[ "$image" = cmur2/dyndnsd:v$major_version.* ]]; then
echo -e "\nScanning newest patch release $image of major v$major_version...\n" echo -e "\nScanning newest patch release $image of major v$major_version...\n"
if ! trivy image --skip-db-update --scanners vuln --exit-code 1 "$image"; then if ! trivy image --skip-update --exit-code 1 "$image"; then
EXIT_CODE=1 EXIT_CODE=1
fi fi
break break

2
.gitignore vendored
View File

@ -2,5 +2,3 @@
*.lock *.lock
pkg/* pkg/*
.yardoc .yardoc
hadolint
trivy

8
.rubocop.yml
View File

@ -3,15 +3,9 @@ require:
- rubocop-rspec - rubocop-rspec
AllCops: AllCops:
TargetRubyVersion: '3.0' TargetRubyVersion: '2.5'
NewCops: enable NewCops: enable
Gemspec/DevelopmentDependencies:
EnforcedStyle: gemspec
Gemspec/RequireMFA:
Enabled: false
Layout/EmptyLineAfterGuardClause: Layout/EmptyLineAfterGuardClause:
Enabled: false Enabled: false

179
CHANGELOG.md
View File

@ -1,182 +1,5 @@
# Changelog # Changelog
## 3.10.0
IMPROVEMENTS:
- add Ruby 3.3 support
OTHER:
- update base of Docker image to Alpine 3.19.0 (from 3.18.3 before)
## 3.9.2 (August 10th, 2023)
OTHER:
- update base of Docker image to Alpine 3.18.3 (from 3.18.2 before)
## 3.9.1 (July 6, 2023)
OTHER:
- update base of Docker image to Alpine 3.18.2 (from 3.18.0 before)
## 3.9.0 (June 8, 2023)
IMPROVEMENTS:
- Drop EOL Ruby 2.7 support, now minimum version supported is Ruby 3.0
## 3.8.2 (April 1st, 2023)
OTHER:
- update base of Docker image to Alpine 3.17.3 (from 3.17.2 before)
## 3.8.1 (March 2nd, 2023)
OTHER:
- update base of Docker image to Alpine 3.17.2 (from 3.17.1 before)
## 3.8.0 (January 13th, 2023)
IMPROVEMENTS:
- add Ruby 3.2 support
OTHER:
- update base of Docker image to Alpine 3.17.1 (from 3.17.0 before)
## 3.7.3 (December 29th, 2022)
OTHER:
- update base of Docker image to Alpine 3.17.0 (from 3.16.2 before)
## 3.7.2 (November 10th, 2022)
OTHER:
- re-release 3.7.1 to rebuild Docker image with security vulnerabilities fixes
## 3.7.1 (September 20th, 2022)
IMPROVEMENTS:
- fix [TypeError](https://github.com/cmur2/dyndnsd/issues/205) when user has no hosts configured
## 3.7.0 (September 16th, 2022)
IMPROVEMENTS:
- Update to Rack 3
## 3.6.2 (August 11th, 2022)
OTHER:
- update base of Docker image to Alpine 3.16.2 (from 3.16.1 before)
## 3.6.1 (July 21st, 2022)
OTHER:
- update base of Docker image to Alpine 3.16.1 (from 3.16.0 before)
## 3.6.0 (June 2nd, 2022)
IMPROVEMENTS:
- Drop EOL Ruby 2.6 and lower support, now minimum version supported is Ruby 2.7
OTHER:
- update base of Docker image to Alpine 3.16 (from 3.15.7 before)
## 3.5.3 (May 5th, 2022)
OTHER:
- re-release 3.5.2 to rebuild Docker image with security vulnerabilities fixes
## 3.5.2 (April 7th, 2022)
OTHER:
- re-release 3.5.1 to rebuild Docker image with security vulnerabilities fixes
## 3.5.1 (February 17th, 2022)
OTHER:
- re-release 3.5.0 to rebuild Docker image with security vulnerabilities fixes
## 3.5.0 (January 8th, 2022)
IMPROVEMENTS:
- add Ruby 3.1 support
OTHER:
- update base of Docker image to Alpine 3.15 (from 3.13.7 before, **Note:** please be aware of the quirks around [Alpine 3.14](https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.14.0#faccessat2))
## 3.4.8 (December 11th, 2021)
OTHER:
- re-release 3.4.7 to rebuild Docker image with security vulnerabilities fixes
## 3.4.7 (November 19th, 2021)
OTHER:
- re-release 3.4.6 to rebuild Docker image with security vulnerabilities fixes
## 3.4.6 (November 19th, 2021)
OTHER:
- re-release 3.4.5 to rebuild Docker image with security vulnerabilities fixes
## 3.4.5 (August 26th, 2021)
OTHER:
- re-release 3.4.4 to rebuild Docker image with security vulnerabilities fixes
## 3.4.4 (August 26th, 2021)
OTHER:
- re-release 3.4.3 to rebuild Docker image with security vulnerabilities fixes
## 3.4.3 (August 20th, 2021)
OTHER:
- re-release 3.4.2 to rebuild Docker image with security vulnerabilities fixes
## 3.4.2 (July 30, 2021)
IMPROVEMENTS:
- move from OpenTracing to OpenTelemetry for experimental tracing feature
OTHER:
- re-release 3.4.1 to rebuild Docker image with security vulnerabilities fixes
- adopt Renovate for dependency updates
## 3.4.1 (April 15, 2021)
OTHER:
- update base of Docker image to Alpine 3.13.5 to fix security vulnerabilities
## 3.4.0 (April 2, 2021) ## 3.4.0 (April 2, 2021)
IMPROVEMENTS: IMPROVEMENTS:
@ -346,7 +169,7 @@ IMPROVEMENTS:
IMPROVEMENTS: IMPROVEMENTS:
- Support dropping privileges on startup, also affects external commands run - Support dropping priviliges on startup, also affects external commands run
- Add [metriks](https://github.com/eric/metriks) support for basic metrics in the process title - Add [metriks](https://github.com/eric/metriks) support for basic metrics in the process title
- Detach from child processes running external commands to avoid zombie processes - Detach from child processes running external commands to avoid zombie processes

46
README.md
View File

@ -1,6 +1,6 @@
# dyndnsd.rb # dyndnsd.rb
![ci](https://github.com/cmur2/dyndnsd/workflows/ci/badge.svg) ![ci](https://github.com/cmur2/dyndnsd/workflows/ci/badge.svg) [![Dependencies](https://badges.depfu.com/badges/4f25da8493f7a29f652ac892fbf9227b/overview.svg)](https://depfu.com/github/cmur2/dyndnsd)
A small, lightweight and extensible DynDNS server written with Ruby and Rack. A small, lightweight and extensible DynDNS server written with Ruby and Rack.
@ -75,7 +75,7 @@ There is an officially maintained [Docker image for dyndnsd](https://hub.docker.
Users can make extensions by deriving from the official Docker image or building their own. Users can make extensions by deriving from the official Docker image or building their own.
The Docker image consumes the same configuration file in YAML format as the gem, inside the container it needs to be mounted/available as `/etc/dyndnsd/config.yml`. The following YAML should be used as a base and extended with user's settings: The Docker image consumes the same configuration file in YAML format as the gem, inside the container it needs to be mounted/available as `/etc/dyndnsd/config.yml`. the following YAML should be used as a base and extended with user's settings:
```yaml ```yaml
host: "0.0.0.0" host: "0.0.0.0"
@ -98,7 +98,7 @@ docker run -d --name dyndnsd \
cmur2/dyndnsd:vX.Y.Z cmur2/dyndnsd:vX.Y.Z
``` ```
*Note*: You may need to expose more than just port 8080 e.g. if you use the `zone_transfer_server` which can be done by appending additional `-p 5353:5353` flags to the `docker run` command. *Note*: You may need to expose more then just port 8080 e.g. if you use the `zone_transfer_server` which can be done by appending additional `-p 5353:5353` flags to the `docker run` command.
@ -106,7 +106,7 @@ docker run -d --name dyndnsd \
By using [DNS zone transfers via AXFR (RFC5936)](https://tools.ietf.org/html/rfc5936) any secondary nameserver can retrieve the DNS zone contents from dyndnsd.rb and serve them to clients. By using [DNS zone transfers via AXFR (RFC5936)](https://tools.ietf.org/html/rfc5936) any secondary nameserver can retrieve the DNS zone contents from dyndnsd.rb and serve them to clients.
To speedup propagation after changes dyndnsd.rb can issue a [DNS NOTIFY (RFC1996)](https://tools.ietf.org/html/rfc1996) to inform the nameserver that the DNS zone contents changed and should be fetched even before the time indicated in the SOA record is up. To speedup propagation after changes dyndnsd.rb can issue a [DNS NOTIFY (RFC1996)](https://tools.ietf.org/html/rfc1996) to inform the nameserver that the DNS zone contents changed and should be fetched even before the time indicated in the SOA record is up.
Currently, dyndnsd.rb does not support any authentication for incoming DNS zone transfer request, so it should be isolated from the internet on these ports. Currently dyndnsd.rb does not support any authentication for incoming DNS zone transfer requests so it should be isolated from the internet on these ports.
This approach has several advantages: This approach has several advantages:
- dyndnsd.rb can be used in *hidden primary* fashion isolated from client's DNS traffic and does not need to implement full nameserver features - dyndnsd.rb can be used in *hidden primary* fashion isolated from client's DNS traffic and does not need to implement full nameserver features
@ -151,7 +151,7 @@ users:
NSD is a nice, open source, authoritative-only, low-memory DNS server that reads BIND-style zone files (and converts them into its own database) and has a simple configuration file. NSD is a nice, open source, authoritative-only, low-memory DNS server that reads BIND-style zone files (and converts them into its own database) and has a simple configuration file.
A feature NSD is lacking is the [Dynamic DNS update (RFC2136)](https://tools.ietf.org/html/rfc2136) functionality BIND offers, but one can fake it using the following dyndnsd.rb configuration: A feature NSD is lacking is the [Dynamic DNS update (RFC2136)](https://tools.ietf.org/html/rfc2136) functionality BIND offers but one can fake it using the following dyndnsd.rb configuration:
```yaml ```yaml
host: "0.0.0.0" host: "0.0.0.0"
@ -197,29 +197,29 @@ The update URL you want to tell your clients (humans or scripts ^^) consists of
where: where:
* the protocol depends on your (web server/proxy) settings * the protocol depends on your (webserver/proxy) settings
* `USER` and `PASSWORD` are needed for HTTP Basic Auth and valid combinations are defined in your config.yaml * USER and PASSWORD are needed for HTTP Basic Auth and valid combinations are defined in your config.yaml
* `DOMAIN` should match what you defined in your config.yaml as domain but may be anything else when using a web server as proxy * DOMAIN should match what you defined in your config.yaml as domain but may be anything else when using a webserver as proxy
* `PORT` depends on your (web server/proxy) settings * PORT depends on your (webserver/proxy) settings
* `HOSTNAMES` is a required list of comma-separated FQDNs (they all have to end with your config.yaml domain) the user wants to update * HOSTNAMES is a required list of comma-separated FQDNs (they all have to end with your config.yaml domain) the user wants to update
* `MYIP` is optional and the HTTP client's IP address will be used if missing * MYIP is optional and the HTTP client's IP address will be used if missing
* `MYIP6` is optional but if present also requires presence of `MYIP` * MYIP6 is optional but if present also requires presence of MYIP
### IP address determination ### IP address determination
The following rules apply: The following rules apply:
* use any IP address provided via the `myip` parameter when present, or * use any IP address provided via the myip parameter when present, or
* use any IP address provided via the `X-Real-IP` header e.g. when used behind HTTP reverse proxy such as nginx, or * use any IP address provided via the X-Real-IP header e.g. when used behind HTTP reverse proxy such as nginx, or
* use any IP address used by the connecting HTTP client * use any IP address used by the connecting HTTP client
If you want to provide an additional IPv6 address as myip6 parameter, the `myip` parameter containing an IPv4 address has to be present, too! No automatism is applied then. If you want to provide an additional IPv6 address as myip6 parameter, the myip parameter containing an IPv4 address has to be present, too! No automatism is applied then.
### SSL, multiple listen ports ### SSL, multiple listen ports
Use a web server as a proxy to handle SSL and/or multiple listen addresses and ports. DynDNS.com provides HTTP on port 80 and 8245 and HTTPS on port 443. Use a webserver as a proxy to handle SSL and/or multiple listen addresses and ports. DynDNS.com provides HTTP on port 80 and 8245 and HTTPS on port 443.
### Startup ### Startup
@ -231,7 +231,7 @@ The [Debian 6 init.d script](docs/debian-6-init-dyndnsd) assumes that dyndnsd.rb
### Monitoring ### Monitoring
For monitoring dyndnsd.rb uses the [metriks](https://github.com/eric/metriks) framework and exposes several metrics like the number of unauthenticated requests, requests that did (not) update a hostname, etc. By default, the most important metrics are shown in the [proctitle](https://github.com/eric/metriks#proc-title-reporter, butt you can also configure a [Graphite](https://graphiteapp.org/) backend for central monitoring or the [textfile_reporter](https://github.com/prometheus/node_exporter/#textfile-collector) which outputs Graphite-style metrics that are also compatible with Prometheus to a file. For monitoring dyndnsd.rb uses the [metriks](https://github.com/eric/metriks) framework and exposes several metrics like the number of unauthenticated requests, requests that did (not) update a hostname, etc. By default the most important metrics are shown in the [proctitle](https://github.com/eric/metriks#proc-title-reporter) but you can also configure a [Graphite](https://graphiteapp.org/) backend for central monitoring or the [textfile_reporter](https://github.com/prometheus/node_exporter/#textfile-collector) which outputs Graphite-style metrics that are also compatible with Prometheus to a file.
```yaml ```yaml
host: "0.0.0.0" host: "0.0.0.0"
@ -271,9 +271,9 @@ users:
### Tracing (experimental) ### Tracing (experimental)
For tracing, dyndnsd.rb is instrumented using the [OpenTelemetry](https://opentelemetry.io/docs/ruby/) framework and will emit span tracing data for the most important operations happening during the request/response cycle. Using an [instrumentation for Rack](https://github.com/open-telemetry/opentelemetry-ruby/tree/main/instrumentation/rack) allows handling incoming OpenTelemetry parent span information properly (when desired, turned off by default to reduce attack surface). For tracing, dyndnsd.rb is instrumented using the [OpenTracing](http://opentracing.io/) framework and will emit span tracing data for the most important operations happening during the request/response cycle. Using a middleware for Rack allows handling incoming OpenTracing span information properly.
Currently, the [OpenTelemetry trace exporter](https://github.com/open-telemetry/opentelemetry-ruby/tree/main/exporter/jaeger) for [CNCF Jaeger](https://github.com/jaegertracing/jaeger) can be enabled via dyndnsd.rb configuration. Alternatively, you can also enable other exporters via the environment variable `OTEL_TRACES_EXPORTER`, e.g. `OTEL_TRACES_EXPORTER=console`. Currently only one OpenTracing-compatible tracer implementation named [CNCF Jaeger](https://github.com/jaegertracing/jaeger) can be configured to use with dyndnsd.rb.
```yaml ```yaml
host: "0.0.0.0" host: "0.0.0.0"
@ -282,9 +282,11 @@ db: "/opt/dyndnsd/db.json"
domain: "dyn.example.org" domain: "dyn.example.org"
# enable and configure tracing using the (currently only) tracer jaeger # enable and configure tracing using the (currently only) tracer jaeger
tracing: tracing:
trust_incoming_span: false # default value, change to accept incoming OpenTelemetry spans as parents trust_incoming_span: false # default value, change to accept incoming OpenTracing spans as parents
service_name: "my.dyndnsd.identifier" # default unset, will be populated by OpenTelemetry jaeger:
jaeger: true # enables the Jaeger AgentExporter host: 127.0.0.1 # defaults for host and port of local jaeger-agent
port: 6831
service_name: "my.dyndnsd.identifier"
# configure the updater, here we use command_with_bind_zone, params are updater-specific # configure the updater, here we use command_with_bind_zone, params are updater-specific
updater: updater:
name: "command_with_bind_zone" name: "command_with_bind_zone"

60
Rakefile
View File

@ -14,61 +14,19 @@ task :solargraph do
sh 'solargraph typecheck' sh 'solargraph typecheck'
end end
# renovate: datasource=github-tags depName=hadolint/hadolint namespace :solargraph do
hadolint_version = 'v2.12.0' desc 'Should be run by developer once to prepare initial solargraph usage (fill caches etc.)'
task :init do
# renovate: datasource=github-tags depName=aquasecurity/trivy sh 'solargraph download-core'
trivy_version = 'v0.52.0'
namespace :docker do
ci_image = 'cmur2/dyndnsd:ci'
desc 'Lint Dockerfile'
task :lint do
sh "if [ ! -e ./hadolint ]; then wget -q -O ./hadolint https://github.com/hadolint/hadolint/releases/download/#{hadolint_version}/hadolint-Linux-x86_64; fi"
sh 'chmod a+x ./hadolint'
sh './hadolint --ignore DL3018 docker/Dockerfile'
sh './hadolint --ignore DL3018 --ignore DL3028 docker/ci/Dockerfile'
end end
end
desc 'Build CI Docker image' desc 'Run hadolint for Dockerfile linting'
task :build do task :hadolint do
sh 'docker build -t cmur2/dyndnsd:ci -f docker/ci/Dockerfile .' sh 'docker run --rm -i hadolint/hadolint:v1.18.0 hadolint --ignore DL3018 - < docker/Dockerfile'
end
desc 'Scan CI Docker image for vulnerabilities'
task :scan do
ver = trivy_version.gsub('v', '')
sh "if [ ! -e ./trivy ]; then wget -q -O - https://github.com/aquasecurity/trivy/releases/download/v#{ver}/trivy_#{ver}_Linux-64bit.tar.gz | tar -xzf - trivy; fi"
sh "./trivy image #{ci_image}"
end
desc 'End-to-end test the CI Docker image'
task :e2e do
sh <<~SCRIPT
echo -n '{}' > e2e/db.json
chmod a+w e2e/db.json
SCRIPT
sh "docker run -d --name=dyndnsd-ci -v $(pwd)/e2e:/etc/dyndnsd -p 8080:8080 -p 5353:5353 #{ci_image}"
sh 'sleep 5'
puts '----------------------------------------'
# `dig` needs `sudo apt-get install -y -q dnsutils`
sh <<~SCRIPT
curl -s -o /dev/null -w '%{http_code}' 'http://localhost:8080/' | grep -q '401'
curl -s 'http://foo:secret@localhost:8080/nic/update?hostname=foo.dyn.example.org&myip=1.2.3.4' | grep -q 'good'
curl -s 'http://foo:secret@localhost:8080/nic/update?hostname=foo.dyn.example.org&myip=1.2.3.4' | grep -q 'nochg'
dig +short AXFR 'dyn.example.org' @127.0.0.1 -p 5353 | grep -q '1.2.3.4'
SCRIPT
puts '----------------------------------------'
sh <<~SCRIPT
docker logs dyndnsd-ci
docker container rm -f -v dyndnsd-ci
rm e2e/db.json
SCRIPT
end
end end
task default: [:rubocop, :spec, 'bundle:audit', :solargraph] task default: [:rubocop, :spec, 'bundle:audit', :solargraph]
desc 'Run all tasks desired for CI' desc 'Run all tasks desired for CI'
task ci: [:default, 'docker:lint', :build, 'docker:build', 'docker:e2e'] task ci: ['solargraph:init', :default, :hadolint]

5
docker/Dockerfile
View File

@ -1,14 +1,13 @@
FROM alpine:3.20.1 FROM alpine:3.13.4
EXPOSE 5353 8080 EXPOSE 5353 8080
ARG DYNDNSD_VERSION ARG DYNDNSD_VERSION=3.4.0
RUN apk --no-cache add openssl ca-certificates && \ RUN apk --no-cache add openssl ca-certificates && \
apk --no-cache add ruby ruby-etc ruby-io-console ruby-json ruby-webrick && \ apk --no-cache add ruby ruby-etc ruby-io-console ruby-json ruby-webrick && \
apk --no-cache add --virtual .build-deps linux-headers ruby-dev build-base tzdata && \ apk --no-cache add --virtual .build-deps linux-headers ruby-dev build-base tzdata && \
gem install --no-document dyndnsd -v ${DYNDNSD_VERSION} && \ gem install --no-document dyndnsd -v ${DYNDNSD_VERSION} && \
rm -rf /usr/lib/ruby/gems/*/cache/ && \
# set timezone to Berlin # set timezone to Berlin
cp /usr/share/zoneinfo/Europe/Berlin /etc/localtime && \ cp /usr/share/zoneinfo/Europe/Berlin /etc/localtime && \
apk del .build-deps apk del .build-deps

22
docker/ci/Dockerfile
View File

@ -1,22 +0,0 @@
FROM alpine:3.20.1
EXPOSE 5353 8080
COPY pkg/dyndnsd-*.gem /tmp/dyndnsd.gem
RUN apk --no-cache add openssl ca-certificates && \
apk --no-cache add ruby ruby-etc ruby-io-console ruby-json ruby-webrick && \
apk --no-cache add --virtual .build-deps linux-headers ruby-dev build-base tzdata && \
gem install --no-document /tmp/dyndnsd.gem && \
rm -rf /usr/lib/ruby/gems/*/cache/ && \
# set timezone to Berlin
cp /usr/share/zoneinfo/Europe/Berlin /etc/localtime && \
apk del .build-deps
# Follow the principle of least privilege: run as unprivileged user.
# Running as non-root enables running this image in platforms like OpenShift
# that do not allow images running as root.
# User ID 65534 is usually user 'nobody'.
USER 65534
ENTRYPOINT ["dyndnsd", "/etc/dyndnsd/config.yml"]

24
dyndnsd.gemspec
View File

@ -25,25 +25,23 @@ Gem::Specification.new do |s|
s.executables = ['dyndnsd'] s.executables = ['dyndnsd']
s.extra_rdoc_files = Dir['README.md', 'CHANGELOG.md', 'LICENSE'] s.extra_rdoc_files = Dir['README.md', 'CHANGELOG.md', 'LICENSE']
s.required_ruby_version = '>= 3.0' s.required_ruby_version = '>= 2.5'
s.add_runtime_dependency 'async', '~> 1.31.0' s.add_runtime_dependency 'async-dns', '~> 1.2.0'
s.add_runtime_dependency 'async-dns', '~> 1.3.0' s.add_runtime_dependency 'jaeger-client', '~> 1.1.0'
s.add_runtime_dependency 'metriks' s.add_runtime_dependency 'metriks'
s.add_runtime_dependency 'opentelemetry-exporter-jaeger', '~> 0.22.0' s.add_runtime_dependency 'opentracing', '~> 0.5.0'
s.add_runtime_dependency 'opentelemetry-instrumentation-rack', '~> 0.22.0' s.add_runtime_dependency 'rack', '~> 2.0'
s.add_runtime_dependency 'opentelemetry-sdk', '~> 1.2.0' s.add_runtime_dependency 'rack-tracer', '~> 0.9.0'
s.add_runtime_dependency 'rack', '~> 3.0'
s.add_runtime_dependency 'rackup', '~> 2'
s.add_runtime_dependency 'webrick', '>= 1.6.1' s.add_runtime_dependency 'webrick', '>= 1.6.1'
s.add_development_dependency 'bundler' s.add_development_dependency 'bundler'
s.add_development_dependency 'bundler-audit', '~> 0.9.0' s.add_development_dependency 'bundler-audit', '~> 0.8.0'
s.add_development_dependency 'rack-test' s.add_development_dependency 'rack-test'
s.add_development_dependency 'rake' s.add_development_dependency 'rake'
s.add_development_dependency 'rspec' s.add_development_dependency 'rspec'
s.add_development_dependency 'rubocop', '~> 1.64.0' s.add_development_dependency 'rubocop', '~> 1.12.0'
s.add_development_dependency 'rubocop-rake', '~> 0.6.0' s.add_development_dependency 'rubocop-rake', '~> 0.5.1'
s.add_development_dependency 'rubocop-rspec', '~> 3.0.1' s.add_development_dependency 'rubocop-rspec', '~> 2.2.0'
s.add_development_dependency 'solargraph', '~> 0.49.0' s.add_development_dependency 'solargraph', '~> 0.40.0'
end end

31
e2e/config.yml
View File

@ -1,31 +0,0 @@
---
host: "0.0.0.0"
port: 8080
db: /etc/dyndnsd/db.json
debug: false
domain: dyn.example.org
#responder: RestStyle
updater:
name: zone_transfer_server
params:
server_listens:
- 0.0.0.0@5353
#send_notifies:
#- 10.0.2.15@53
zone_ttl: 300 # 5m
zone_nameservers:
- dns1.example.org.
- dns2.example.org.
zone_email_address: admin.example.org.
zone_additional_ips:
- "127.0.0.1"
- "::1"
users:
foo:
password: "secret"
hosts:
- foo.dyn.example.org
- bar.dyn.example.org

60
lib/dyndnsd.rb
View File

@ -7,11 +7,10 @@ require 'ipaddr'
require 'json' require 'json'
require 'yaml' require 'yaml'
require 'rack' require 'rack'
require 'rackup'
require 'metriks' require 'metriks'
require 'opentelemetry/instrumentation/rack'
require 'opentelemetry/sdk'
require 'metriks/reporter/graphite' require 'metriks/reporter/graphite'
require 'opentracing'
require 'rack/tracer'
require 'dyndnsd/generator/bind' require 'dyndnsd/generator/bind'
require 'dyndnsd/updater/command_with_bind_zone' require 'dyndnsd/updater/command_with_bind_zone'
@ -70,7 +69,7 @@ module Dyndnsd
# @return [Boolean] # @return [Boolean]
def authorized?(username, password) def authorized?(username, password)
Helper.span('check_authorized') do |span| Helper.span('check_authorized') do |span|
span.set_attribute('enduser.id', username) span.set_tag('dyndnsd.user', username)
allow = Helper.user_allowed?(username, password, @users) allow = Helper.user_allowed?(username, password, @users)
if !allow if !allow
@ -107,13 +106,13 @@ module Dyndnsd
puts "DynDNSd version #{Dyndnsd::VERSION}" puts "DynDNSd version #{Dyndnsd::VERSION}"
puts "Using config file #{config_file}" puts "Using config file #{config_file}"
config = YAML.safe_load_file(config_file) config = YAML.safe_load(File.open(config_file, 'r', &:read))
setup_logger(config) setup_logger(config)
Dyndnsd.logger.info 'Starting...' Dyndnsd.logger.info 'Starting...'
# drop privileges as soon as possible # drop priviliges as soon as possible
# NOTE: first change group than user # NOTE: first change group than user
if config['group'] if config['group']
group = Etc.getgrnam(config['group']) group = Etc.getgrnam(config['group'])
@ -171,7 +170,7 @@ module Dyndnsd
def process_changes(hostnames, myips) def process_changes(hostnames, myips)
changes = [] changes = []
Helper.span('process_changes') do |span| Helper.span('process_changes') do |span|
span.set_attribute('dyndnsd.hostnames', hostnames.join(',')) span.set_tag('dyndnsd.hostnames', hostnames.join(','))
hostnames.each do |hostname| hostnames.each do |hostname|
# myips order is always deterministic # myips order is always deterministic
@ -215,11 +214,10 @@ module Dyndnsd
invalid_hostnames = hostnames.select { |h| !Helper.fqdn_valid?(h, @domain) } invalid_hostnames = hostnames.select { |h| !Helper.fqdn_valid?(h, @domain) }
return [422, {'X-DynDNS-Response' => 'hostname_malformed'}, []] if invalid_hostnames.any? return [422, {'X-DynDNS-Response' => 'hostname_malformed'}, []] if invalid_hostnames.any?
# we can trust this information since user was authorized by middleware
user = env['REMOTE_USER'] user = env['REMOTE_USER']
# check for hostnames that the user does not own # check for hostnames that the user does not own
forbidden_hostnames = hostnames - @users[user].fetch('hosts', []) forbidden_hostnames = hostnames - @users[user]['hosts']
return [422, {'X-DynDNS-Response' => 'host_forbidden'}, []] if forbidden_hostnames.any? return [422, {'X-DynDNS-Response' => 'host_forbidden'}, []] if forbidden_hostnames.any?
if params['offline'] == 'YES' if params['offline'] == 'YES'
@ -254,17 +252,15 @@ module Dyndnsd
Dyndnsd.logger.progname = 'dyndnsd' Dyndnsd.logger.progname = 'dyndnsd'
Dyndnsd.logger.formatter = LogFormatter.new Dyndnsd.logger.formatter = LogFormatter.new
Dyndnsd.logger.level = config['debug'] ? Logger::DEBUG : Logger::INFO Dyndnsd.logger.level = config['debug'] ? Logger::DEBUG : Logger::INFO
OpenTelemetry.logger = Dyndnsd.logger
end end
# @return [void] # @return [void]
private_class_method def self.setup_traps private_class_method def self.setup_traps
Signal.trap('INT') do Signal.trap('INT') do
Rackup::Handler::WEBrick.shutdown Rack::Handler::WEBrick.shutdown
end end
Signal.trap('TERM') do Signal.trap('TERM') do
Rackup::Handler::WEBrick.shutdown Rack::Handler::WEBrick.shutdown
end end
end end
@ -300,31 +296,16 @@ module Dyndnsd
# @param config [Hash{String => Object}] # @param config [Hash{String => Object}]
# @return [void] # @return [void]
private_class_method def self.setup_tracing(config) private_class_method def self.setup_tracing(config)
# by default do not try to emit any traces until the user opts in # configure OpenTracing
ENV['OTEL_TRACES_EXPORTER'] ||= 'none' if config.dig('tracing', 'jaeger')
require 'jaeger/client'
# configure OpenTelemetry host = config['tracing']['jaeger']['host'] || '127.0.0.1'
OpenTelemetry::SDK.configure do |c| port = config['tracing']['jaeger']['port'] || 6831
if config.dig('tracing', 'jaeger') service_name = config['tracing']['jaeger']['service_name'] || 'dyndnsd'
require 'opentelemetry/exporter/jaeger' OpenTracing.global_tracer = Jaeger::Client.build(
host: host, port: port, service_name: service_name, flush_interval: 1
c.add_span_processor( )
OpenTelemetry::SDK::Trace::Export::BatchSpanProcessor.new(
OpenTelemetry::Exporter::Jaeger::AgentExporter.new
)
)
end
if config.dig('tracing', 'service_name')
c.service_name = config['tracing']['service_name']
end
c.service_version = Dyndnsd::VERSION
c.use('OpenTelemetry::Instrumentation::Rack')
end
if !config.dig('tracing', 'trust_incoming_span')
OpenTelemetry.propagation = OpenTelemetry::Context::Propagation::NoopTextMapPropagator.new
end end
end end
@ -350,9 +331,10 @@ module Dyndnsd
app = Responder::DynDNSStyle.new(app) app = Responder::DynDNSStyle.new(app)
end end
app = OpenTelemetry::Instrumentation::Rack::Middlewares::TracerMiddleware.new(app) trust_incoming_span = config.dig('tracing', 'trust_incoming_span') || false
app = Rack::Tracer.new(app, trust_incoming_span: trust_incoming_span)
Rackup::Handler::WEBrick.run app, Host: config['host'], Port: config['port'] Rack::Handler::WEBrick.run app, Host: config['host'], Port: config['port']
end end
end end
end end

23
lib/dyndnsd/helper.rb
View File

@ -45,17 +45,24 @@ module Dyndnsd
# @param block [Proc] # @param block [Proc]
# @return [void] # @return [void]
def self.span(operation, &block) def self.span(operation, &block)
tracer = OpenTelemetry.tracer_provider.tracer(Dyndnsd.name, Dyndnsd::VERSION) scope = OpenTracing.start_active_span(operation)
tracer.in_span( span = scope.span
operation, span.set_tag('component', 'dyndnsd')
attributes: {'component' => 'dyndnsd'}, span.set_tag('span.kind', 'server')
kind: :server begin
) do |span|
Dyndnsd.logger.debug "Creating span ID #{span.context.hex_span_id} for trace ID #{span.context.hex_trace_id}"
block.call(span) block.call(span)
rescue StandardError => e rescue StandardError => e
span.record_exception(e) span.set_tag('error', true)
span.log_kv(
event: 'error',
'error.kind': e.class.to_s,
'error.object': e,
message: e.message,
stack: e.backtrace&.join("\n") || ''
)
raise e raise e
ensure
scope.close
end end
end end
end end

4
lib/dyndnsd/updater/command_with_bind_zone.rb
View File

@ -18,10 +18,10 @@ module Dyndnsd
return if !db.changed? return if !db.changed?
Helper.span('updater_update') do |span| Helper.span('updater_update') do |span|
span.set_attribute('dyndnsd.updater.name', self.class.name&.split('::')&.last || 'None') span.set_tag('dyndnsd.updater.name', self.class.name&.split('::')&.last || 'None')
# write zone file in bind syntax # write zone file in bind syntax
File.write(@zone_file, @generator.generate(db)) File.open(@zone_file, 'w') { |f| f.write(@generator.generate(db)) }
# call user-defined command # call user-defined command
pid = fork do pid = fork do
exec @command exec @command

2
lib/dyndnsd/updater/zone_transfer_server.rb
View File

@ -35,7 +35,7 @@ module Dyndnsd
# @return [void] # @return [void]
def update(db) def update(db)
Helper.span('updater_update') do |span| Helper.span('updater_update') do |span|
span.set_attribute('dyndnsd.updater.name', self.class.name&.split('::')&.last || 'None') span.set_tag('dyndnsd.updater.name', self.class.name&.split('::')&.last || 'None')
soa_rr = Resolv::DNS::Resource::IN::SOA.new( soa_rr = Resolv::DNS::Resource::IN::SOA.new(
@zone_nameservers[0], @zone_email_address, @zone_nameservers[0], @zone_email_address,

2
lib/dyndnsd/version.rb
View File

@ -1,5 +1,5 @@
# frozen_string_literal: true # frozen_string_literal: true
module Dyndnsd module Dyndnsd
VERSION = '3.9.2' VERSION = '3.4.0'
end end

15
spec/dyndnsd/daemon_spec.rb
View File

@ -15,9 +15,6 @@ describe Dyndnsd::Daemon do
'test' => { 'test' => {
'password' => 'secret', 'password' => 'secret',
'hosts' => ['foo.example.org', 'bar.example.org'] 'hosts' => ['foo.example.org', 'bar.example.org']
},
'test2' => {
'password' => 'ihavenohosts'
} }
} }
} }
@ -27,7 +24,9 @@ describe Dyndnsd::Daemon do
app = Rack::Auth::Basic.new(daemon, 'DynDNS', &daemon.method(:authorized?)) app = Rack::Auth::Basic.new(daemon, 'DynDNS', &daemon.method(:authorized?))
Dyndnsd::Responder::DynDNSStyle.new(app) app = Dyndnsd::Responder::DynDNSStyle.new(app)
Rack::Tracer.new(app, trust_incoming_span: false)
end end
it 'requires authentication' do it 'requires authentication' do
@ -102,14 +101,6 @@ describe Dyndnsd::Daemon do
expect(last_response.body).to eq('notfqdn') expect(last_response.body).to eq('notfqdn')
end end
it 'rejects request if user does not own any hostnames' do
authorize 'test2', 'ihavenohosts'
get '/nic/update?hostname=doesnotexisthost.example.org'
expect(last_response).to be_ok
expect(last_response.body).to eq('nohost')
end
it 'rejects request if user does not own one hostname' do it 'rejects request if user does not own one hostname' do
authorize 'test', 'secret' authorize 'test', 'secret'

13
upgrade-version.sh
View File

@ -1,13 +0,0 @@
#!/bin/bash -eux
sed -i "s/$1/$2/g" lib/dyndnsd/version.rb
release_date=$(LC_ALL=en_US.utf8 date +"%B %-d, %Y")
if grep "## $2 (" CHANGELOG.md; then
true
elif grep "## $2" CHANGELOG.md; then
sed -i "s/## $2/## $2 ($release_date)/g" CHANGELOG.md
else
echo "## $2 ($release_date)" >> CHANGELOG.md
fi