release: 3.4.1

- now seems to need linux-headers, see https://github.com/socketry/nio4r/issues/225

.github/workflows/cd.yml

@@ -11,16 +11,28 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
+
+    - run: sleep 30
+
     - name: Extract dyndnsd version from tag name
       run: |
         echo "DYNDNSD_VERSION=${GITHUB_REF#refs/*/v}" >> $GITHUB_ENV
+
     # https://github.com/marketplace/actions/build-and-push-docker-images
-    - name: Build and push Docker image for dyndnsd ${{ env.DYNDNSD_VERSION }}
-      uses: docker/build-push-action@v1
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v1
+
+    - name: Login to Docker Hub
+      uses: docker/login-action@v1
       with:
         username: cmur2
         password: ${{ secrets.DOCKER_TOKEN }}
-        repository: cmur2/dyndnsd
-        path: docker
-        build_args: DYNDNSD_VERSION=${{ env.DYNDNSD_VERSION }}
-        tag_with_ref: true
+
+    - name: Build and push Docker image for dyndnsd ${{ env.DYNDNSD_VERSION }}
+      uses: docker/build-push-action@v2
+      with:
+        context: docker
+        build-args: |
+          DYNDNSD_VERSION=${{ env.DYNDNSD_VERSION }}
+        push: true
+        tags: cmur2/dyndnsd:v${{ env.DYNDNSD_VERSION }}

.github/workflows/ci.yml

@@ -19,15 +19,23 @@ jobs:
         - '2.5'
         - '2.6'
         - '2.7'
+        - '3.0'
     steps:
     - uses: actions/checkout@v2
     - name: Set up Ruby ${{ matrix.ruby-version }}
       uses: ruby/setup-ruby@v1
       with:
         ruby-version: ${{ matrix.ruby-version }}
-    - name: Install dependencies
-      run: |
-        bundle
-    - name: Test
+        bundler-cache: true  # runs 'bundle install' and caches installed gems automatically
+    - name: Lint and Test
       run: |
         bundle exec rake ci
+
+    # https://github.com/marketplace/actions/build-and-push-docker-images
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v1
+
+    - name: Test building Docker image for dyndnsd
+      uses: docker/build-push-action@v2
+      with:
+        context: docker

.rubocop.yml

@@ -1,3 +1,7 @@
+require:
+- rubocop-rake
+- rubocop-rspec
+
 AllCops:
   TargetRubyVersion: '2.5'
   NewCops: enable
@@ -86,3 +90,9 @@ Style/SymbolArray:
 
 Style/TrailingCommaInArrayLiteral:
   Enabled: false
+
+RSpec/ExampleLength:
+  Max: 20
+
+RSpec/MultipleExpectations:
+  Max: 20

CHANGELOG.md

@@ -1,5 +1,47 @@
 # Changelog
 
+## 3.4.1 (April 15, 2021)
+
+OTHER:
+
+- update base of Docker image to Alpine 3.13.5 to fix security vulnerabilities
+
+## 3.4.0 (April 2, 2021)
+
+IMPROVEMENTS:
+
+- **change** Docker image to run as non-root user `65534` by default, limits attack surface for security and gives OpenShift compatibility
+
+## 3.3.3 (April 1, 2021)
+
+OTHER:
+
+- update base of Docker image to Alpine 3.13.4 to fix security vulnerabilities
+
+## 3.3.2 (February 20, 2021)
+
+OTHER:
+
+- update to use `docker/build-push-action@v2` for releasing Docker image in GHA
+
+## 3.3.1 (February 18, 2021)
+
+OTHER:
+
+- update base of Docker image to Alpine 3.13.2 to fix security vulnerabilities
+
+## 3.3.0 (January 18, 2021)
+
+OTHER:
+
+- update base of Docker image to Alpine 3.13
+
+## 3.2.0 (January 14, 2021)
+
+IMPROVEMENTS:
+
+- Add Ruby 3.0 support
+
 ## 3.1.3 (December 20, 2020)
 
 OTHER:
@@ -133,7 +175,7 @@ IMPROVEMENTS:
 
 IMPROVEMENTS:
 
-- Support dropping priviliges on startup, also affects external commands run
+- Support dropping privileges on startup, also affects external commands run
 - Add [metriks](https://github.com/eric/metriks) support for basic metrics in the process title
 - Detach from child processes running external commands to avoid zombie processes
 

Gemfile

@@ -3,5 +3,3 @@
 source 'https://rubygems.org'
 
 gemspec
-
-gem 'solargraph', git: 'https://github.com/zaratan/solargraph.git', branch: 'fix_rubocop_1_0'

README.md

@@ -75,7 +75,7 @@ There is an officially maintained [Docker image for dyndnsd](https://hub.docker.
 
 Users can make extensions by deriving from the official Docker image or building their own.
 
-The Docker image consumes the same configuration file in YAML format as the gem, inside the container it needs to be mounted/available as `/etc/dyndnsd/config.yml`. the following YAML should be used as a base and extended with user's settings:
+The Docker image consumes the same configuration file in YAML format as the gem, inside the container it needs to be mounted/available as `/etc/dyndnsd/config.yml`. The following YAML should be used as a base and extended with user's settings:
 
 ```yaml
 host: "0.0.0.0"
@@ -98,7 +98,7 @@ docker run -d --name dyndnsd \
            cmur2/dyndnsd:vX.Y.Z
 ```
 
-*Note*: You may need to expose more then just port 8080 e.g. if you use the `zone_transfer_server` which can be done by appending additional `-p 5353:5353` flags to the `docker run` command.
+*Note*: You may need to expose more than just port 8080 e.g. if you use the `zone_transfer_server` which can be done by appending additional `-p 5353:5353` flags to the `docker run` command.
 
 
 
@@ -106,7 +106,7 @@ docker run -d --name dyndnsd \
 
 By using [DNS zone transfers via AXFR (RFC5936)](https://tools.ietf.org/html/rfc5936) any secondary nameserver can retrieve the DNS zone contents from dyndnsd.rb and serve them to clients.
 To speedup propagation after changes dyndnsd.rb can issue a [DNS NOTIFY (RFC1996)](https://tools.ietf.org/html/rfc1996) to inform the nameserver that the DNS zone contents changed and should be fetched even before the time indicated in the SOA record is up.
-Currently dyndnsd.rb does not support any authentication for incoming DNS zone transfer requests so it should be isolated from the internet on these ports.
+Currently, dyndnsd.rb does not support any authentication for incoming DNS zone transfer request, so it should be isolated from the internet on these ports.
 
 This approach has several advantages:
 - dyndnsd.rb can be used in *hidden primary* fashion isolated from client's DNS traffic and does not need to implement full nameserver features
@@ -151,7 +151,7 @@ users:
 
 NSD is a nice, open source, authoritative-only, low-memory DNS server that reads BIND-style zone files (and converts them into its own database) and has a simple configuration file.
 
-A feature NSD is lacking is the [Dynamic DNS update (RFC2136)](https://tools.ietf.org/html/rfc2136) functionality BIND offers but one can fake it using the following dyndnsd.rb configuration:
+A feature NSD is lacking is the [Dynamic DNS update (RFC2136)](https://tools.ietf.org/html/rfc2136) functionality BIND offers, but one can fake it using the following dyndnsd.rb configuration:
 
 ```yaml
 host: "0.0.0.0"
@@ -197,29 +197,29 @@ The update URL you want to tell your clients (humans or scripts ^^) consists of
 
 where:
 
-* the protocol depends on your (webserver/proxy) settings
-* USER and PASSWORD are needed for HTTP Basic Auth and valid combinations are defined in your config.yaml
-* DOMAIN should match what you defined in your config.yaml as domain but may be anything else when using a webserver as proxy
-* PORT depends on your (webserver/proxy) settings
-* HOSTNAMES is a required list of comma-separated FQDNs (they all have to end with your config.yaml domain) the user wants to update
-* MYIP is optional and the HTTP client's IP address will be used if missing
-* MYIP6 is optional but if present also requires presence of MYIP
+* the protocol depends on your (web server/proxy) settings
+* `USER` and `PASSWORD` are needed for HTTP Basic Auth and valid combinations are defined in your config.yaml
+* `DOMAIN` should match what you defined in your config.yaml as domain but may be anything else when using a web server as proxy
+* `PORT` depends on your (web server/proxy) settings
+* `HOSTNAMES` is a required list of comma-separated FQDNs (they all have to end with your config.yaml domain) the user wants to update
+* `MYIP` is optional and the HTTP client's IP address will be used if missing
+* `MYIP6` is optional but if present also requires presence of `MYIP`
 
 
 ### IP address determination
 
 The following rules apply:
 
-* use any IP address provided via the myip parameter when present, or
-* use any IP address provided via the X-Real-IP header e.g. when used behind HTTP reverse proxy such as nginx, or
+* use any IP address provided via the `myip` parameter when present, or
+* use any IP address provided via the `X-Real-IP` header e.g. when used behind HTTP reverse proxy such as nginx, or
 * use any IP address used by the connecting HTTP client
 
-If you want to provide an additional IPv6 address as myip6 parameter, the myip parameter containing an IPv4 address has to be present, too! No automatism is applied then.
+If you want to provide an additional IPv6 address as myip6 parameter, the `myip` parameter containing an IPv4 address has to be present, too! No automatism is applied then.
 
 
 ### SSL, multiple listen ports
 
-Use a webserver as a proxy to handle SSL and/or multiple listen addresses and ports. DynDNS.com provides HTTP on port 80 and 8245 and HTTPS on port 443.
+Use a web server as a proxy to handle SSL and/or multiple listen addresses and ports. DynDNS.com provides HTTP on port 80 and 8245 and HTTPS on port 443.
 
 
 ### Startup
@@ -231,7 +231,7 @@ The [Debian 6 init.d script](docs/debian-6-init-dyndnsd) assumes that dyndnsd.rb
 
 ### Monitoring
 
-For monitoring dyndnsd.rb uses the [metriks](https://github.com/eric/metriks) framework and exposes several metrics like the number of unauthenticated requests, requests that did (not) update a hostname, etc. By default the most important metrics are shown in the [proctitle](https://github.com/eric/metriks#proc-title-reporter) but you can also configure a [Graphite](https://graphiteapp.org/) backend for central monitoring or the [textfile_reporter](https://github.com/prometheus/node_exporter/#textfile-collector) which outputs Graphite-style metrics that are also compatible with Prometheus to a file.
+For monitoring dyndnsd.rb uses the [metriks](https://github.com/eric/metriks) framework and exposes several metrics like the number of unauthenticated requests, requests that did (not) update a hostname, etc. By default, the most important metrics are shown in the [proctitle](https://github.com/eric/metriks#proc-title-reporter, butt you can also configure a [Graphite](https://graphiteapp.org/) backend for central monitoring or the [textfile_reporter](https://github.com/prometheus/node_exporter/#textfile-collector) which outputs Graphite-style metrics that are also compatible with Prometheus to a file.
 
 ```yaml
 host: "0.0.0.0"
@@ -273,7 +273,7 @@ users:
 
 For tracing, dyndnsd.rb is instrumented using the [OpenTracing](http://opentracing.io/) framework and will emit span tracing data for the most important operations happening during the request/response cycle. Using a middleware for Rack allows handling incoming OpenTracing span information properly.
 
-Currently only one OpenTracing-compatible tracer implementation named [CNCF Jaeger](https://github.com/jaegertracing/jaeger) can be configured to use with dyndnsd.rb.
+Currently, only one OpenTracing-compatible tracer implementation named [CNCF Jaeger](https://github.com/jaegertracing/jaeger) can be configured to use with dyndnsd.rb.
 
 ```yaml
 host: "0.0.0.0"

Rakefile

@@ -28,4 +28,5 @@ end
 
 task default: [:rubocop, :spec, 'bundle:audit', :solargraph]
 
+desc 'Run all tasks desired for CI'
 task ci: ['solargraph:init', :default, :hadolint]

docker/Dockerfile

@@ -1,15 +1,21 @@
-FROM alpine:3.12
+FROM alpine:3.13.5
 
 EXPOSE 5353 8080
 
-ARG DYNDNSD_VERSION=3.0.0
+ARG DYNDNSD_VERSION=3.4.1
 
 RUN apk --no-cache add openssl ca-certificates && \
     apk --no-cache add ruby ruby-etc ruby-io-console ruby-json ruby-webrick && \
-    apk --no-cache add --virtual .build-deps ruby-dev build-base tzdata && \
+    apk --no-cache add --virtual .build-deps linux-headers ruby-dev build-base tzdata && \
     gem install --no-document dyndnsd -v ${DYNDNSD_VERSION} && \
     # set timezone to Berlin
     cp /usr/share/zoneinfo/Europe/Berlin /etc/localtime && \
     apk del .build-deps
 
+# Follow the principle of least privilege: run as unprivileged user.
+# Running as non-root enables running this image in platforms like OpenShift
+# that do not allow images running as root.
+# User ID 65534 is usually user 'nobody'.
+USER 65534
+
 ENTRYPOINT ["dyndnsd", "/etc/dyndnsd/config.yml"]

dyndnsd.gemspec

@@ -36,10 +36,12 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency 'webrick', '>= 1.6.1'
 
   s.add_development_dependency 'bundler'
-  s.add_development_dependency 'bundler-audit', '~> 0.7.0'
+  s.add_development_dependency 'bundler-audit', '~> 0.8.0'
   s.add_development_dependency 'rack-test'
   s.add_development_dependency 'rake'
   s.add_development_dependency 'rspec'
-  s.add_development_dependency 'rubocop', '~> 1.6.1'
-  # s.add_development_dependency 'solargraph', '~> 0.39.0'
+  s.add_development_dependency 'rubocop', '~> 1.12.0'
+  s.add_development_dependency 'rubocop-rake', '~> 0.5.1'
+  s.add_development_dependency 'rubocop-rspec', '~> 2.2.0'
+  s.add_development_dependency 'solargraph', '~> 0.40.0'
 end

lib/dyndnsd/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Dyndnsd
-  VERSION = '3.1.3'
+  VERSION = '3.4.1'
 end

spec/dyndnsd/daemon_spec.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require_relative 'spec_helper'
+require_relative '../spec_helper'
 
 describe Dyndnsd::Daemon do
   include Rack::Test::Methods