switch to buildx and gcr.io/distroless/base image

.github/workflows/deploy.yml

@@ -0,0 +1,30 @@
+name: deploy
+
+on:
+  push:
+    branches:
+      - master
+      - 'releases/**'
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: install
+        run: curl -fsSL get.docker.com | sh
+
+      - name: checkout
+        uses: actions/checkout@v1
+
+      - name: build
+        run: make build DOCKER_REPO=${{ secrets.DOCKER_REPO }}
+
+      - name: login
+        run: echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u "${{ secrets.DOCKER_USERNAME }}" --password-stdin
+
+      - name: buildx
+        run: make buildx DOCKER_REPO=${{ secrets.DOCKER_REPO }} BUILD_OPTIONS=--push
+
+      - name: inspect
+        run: make inspect DOCKER_REPO=${{ secrets.DOCKER_REPO }}

.github/workflows/test.yml

@@ -4,16 +4,18 @@ on:
   pull_request:
 
 jobs:
-  ARCH:
+  test:
     runs-on: ubuntu-latest
 
-    strategy:
-      matrix:
-        ARCH: [amd64, arm32v6, arm32v7, arm64v8, i386, ppc64le]
-
     steps:
+      - name: install
+        run: curl -fsSL get.docker.com | sh
+
       - name: checkout
         uses: actions/checkout@v1
 
       - name: build
-        run: make build ARCH=${{ matrix.ARCH }}
+        run: make build
+
+      - name: buildx
+        run: make buildx

Dockerfile

@@ -1,26 +1,21 @@
-ARG ARCH=amd64
-
-# ----------------------------------------------------------------------------
-
-FROM ${ARCH}/golang:1.12.10-alpine3.10 as gobuild
+FROM golang:1.12 as builder
 
 ARG PACKAGE_VERSION="2.0.28"
 ARG PACKAGE_URL="https://github.com/DNSCrypt/dnscrypt-proxy"
 
 # https://github.com/hadolint/hadolint/wiki/DL4006
-SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
-RUN apk add --no-cache build-base=0.5-r1 curl=7.66.0-r0 \
-	&& curl -fsSL "${PACKAGE_URL}/archive/${PACKAGE_VERSION}.tar.gz" | tar xz --strip 1 -C "${GOPATH}/src"
+RUN curl -fsSL "${PACKAGE_URL}/archive/${PACKAGE_VERSION}.tar.gz" | tar xz --strip 1 -C "${GOPATH}/src"
 
 WORKDIR ${GOPATH}/src/dnscrypt-proxy
 
 RUN go build -v -ldflags="-s -w" -o "${GOPATH}/app/dnscrypt-proxy" \
-	&& cp -a example-* "${GOPATH}/app/"
+	&& cp -av example-* "${GOPATH}/app/"
 
 # ----------------------------------------------------------------------------
 
-FROM ${ARCH}/alpine:3.10.2
+FROM gcr.io/distroless/base
 
 ARG BUILD_DATE
 ARG BUILD_VERSION
@@ -32,24 +27,14 @@ LABEL org.label-schema.name="klutchell/dnscrypt-proxy"
 LABEL org.label-schema.description="dnscrypt-proxy is a flexible DNS proxy, with support for encrypted DNS protocols"
 LABEL org.label-schema.url="https://github.com/DNSCrypt/dnscrypt-proxy"
 LABEL org.label-schema.vcs-url="https://github.com/klutchell/dnscrypt-proxy"
-LABEL org.label-schema.docker.cmd="docker run -p 53:5053/udp klutchell/dnscrypt-proxy"
+LABEL org.label-schema.docker.cmd="docker run --rm klutchell/dnscrypt-proxy --help"
 LABEL org.label-schema.build-date="${BUILD_DATE}"
 LABEL org.label-schema.version="${BUILD_VERSION}"
 LABEL org.label-schema.vcs-ref="${VCS_REF}"
 
-COPY --from=gobuild /go/app /app
-COPY entrypoint.sh /
-
-RUN apk add --no-cache ca-certificates=20190108-r0 drill=1.7.0-r2 tzdata=2019c-r0 \
-	&& chmod +x /entrypoint.sh
-
-ENV PATH "/app:${PATH}"
-
-ENV DNSCRYPT_LISTEN_ADDRESSES "['0.0.0.0:5053']"
-
-HEALTHCHECK --interval=5s --timeout=3s --start-period=10s \
-	CMD drill -p 5053 sigok.verteiltesysteme.net @127.0.0.1 | grep NOERROR
+COPY --from=builder /go/app /app
+COPY dnscrypt-proxy.toml /app
 
-ENTRYPOINT ["/entrypoint.sh"]
+ENTRYPOINT ["/app/dnscrypt-proxy"]
 
 CMD [""]

Makefile

@@ -1,95 +1,46 @@
 DOCKER_REPO := klutchell/dnscrypt-proxy
-ARCH := amd64
 TAG := 2.0.28
-BUILD_OPTIONS +=
+PLATFORM := linux/amd64,linux/arm64,linux/ppc64le,linux/s390x,linux/386,linux/arm/v7
+BUILD_OPTIONS += --pull
 
 BUILD_DATE := $(strip $(shell docker run --rm busybox date -u +'%Y-%m-%dT%H:%M:%SZ'))
 BUILD_VERSION := ${TAG}-$(strip $(shell git describe --tags --always --dirty))
 VCS_REF := $(strip $(shell git rev-parse HEAD))
 
+DOCKER_CLI_EXPERIMENTAL := enabled
+
 .EXPORT_ALL_VARIABLES:
 
 .DEFAULT_GOAL := build
 
-.PHONY: build push clean all build-all push-all clean-all manifest help
+.PHONY: build buildx inspect help
 
-build: qemu-user-static ## Build an image with the provided ARCH
+build:	## build and test on the host OS architecture
 	docker build ${BUILD_OPTIONS} \
-		--build-arg ARCH \
 		--build-arg BUILD_VERSION \
 		--build-arg BUILD_DATE \
 		--build-arg VCS_REF \
-		--tag ${DOCKER_REPO}:${ARCH}-${TAG} .
-	docker run --rm --entrypoint /bin/sh ${DOCKER_REPO}:${ARCH}-${TAG} \
-		-c '(/entrypoint.sh &) && sleep 10  \
-		&& drill -p 5053 sigok.verteiltesysteme.net @127.0.0.1 | grep NOERROR'
-
-push: ## Push an image with the provided ARCH (requires docker login)
-	docker push ${DOCKER_REPO}:${ARCH}-${TAG}
-
-clean: ## Remove cached image with the provided ARCH
-	-docker image rm ${DOCKER_REPO}:${ARCH}-${TAG}
-
-all: build-all
+		--tag ${DOCKER_REPO} .
+	docker run --rm ${DOCKER_REPO} --check
 
-build-all: ## Build images for all supported architectures
-	make build ARCH=amd64
-	make build ARCH=arm32v6
-	make build ARCH=arm32v7`
-	make build ARCH=arm64v8
-	make build ARCH=i386
-	make build ARCH=ppc64le
-
-push-all: ## Push images for all supported architectures (requires docker login)
-	make push ARCH=amd64
-	make push ARCH=arm32v6
-	make push ARCH=arm32v7
-	make push ARCH=arm64v8
-	make push ARCH=i386
-	make push ARCH=ppc64le
+buildx: builder	## cross-build multiarch manifest(s) with configured platforms
+	docker buildx build ${BUILD_OPTIONS} \
+		--platform ${PLATFORM} \
+		--build-arg BUILD_VERSION \
+		--build-arg BUILD_DATE \
+		--build-arg VCS_REF \
+		--tag ${DOCKER_REPO}:${TAG} \
+		--tag ${DOCKER_REPO}:latest .
 
-clean-all: ## Clean images for all supported architectures
-	make clean ARCH=amd64
-	make clean ARCH=arm32v6
-	make clean ARCH=arm32v7
-	make clean ARCH=arm64v8
-	make clean ARCH=i386
-	make clean ARCH=ppc64le
+inspect:	## inspect manifest contents
+	docker buildx imagetools inspect ${DOCKER_REPO}:${TAG}
 
-manifest: ## Create and push a multiarch manifest to the docker repo (requires docker login)
-	-docker manifest push --purge ${DOCKER_REPO}:${TAG}
-	docker manifest create ${DOCKER_REPO}:${TAG} \
-		${DOCKER_REPO}:amd64-${TAG} \
-		${DOCKER_REPO}:arm32v6-${TAG} \
-		${DOCKER_REPO}:arm32v7-${TAG} \
-		${DOCKER_REPO}:arm64v8-${TAG} \
-		${DOCKER_REPO}:i386-${TAG} \
-		${DOCKER_REPO}:ppc64le-${TAG}
-	docker manifest annotate ${DOCKER_REPO}:${TAG} ${DOCKER_REPO}:amd64-${TAG} --os linux --arch amd64
-	docker manifest annotate ${DOCKER_REPO}:${TAG} ${DOCKER_REPO}:arm32v6-${TAG} --os linux --arch arm --variant v6
-	docker manifest annotate ${DOCKER_REPO}:${TAG} ${DOCKER_REPO}:arm32v7-${TAG} --os linux --arch arm --variant v7
-	docker manifest annotate ${DOCKER_REPO}:${TAG} ${DOCKER_REPO}:arm64v8-${TAG} --os linux --arch arm64 --variant v8
-	docker manifest annotate ${DOCKER_REPO}:${TAG} ${DOCKER_REPO}:i386-${TAG} --os linux --arch 386
-	docker manifest annotate ${DOCKER_REPO}:${TAG} ${DOCKER_REPO}:ppc64le-${TAG} --os linux --arch ppc64le
-	docker manifest push --purge ${DOCKER_REPO}:${TAG}
-	-docker manifest push --purge ${DOCKER_REPO}:latest
-	docker manifest create ${DOCKER_REPO}:latest \
-		${DOCKER_REPO}:amd64-${TAG} \
-		${DOCKER_REPO}:arm32v6-${TAG} \
-		${DOCKER_REPO}:arm32v7-${TAG} \
-		${DOCKER_REPO}:arm64v8-${TAG} \
-		${DOCKER_REPO}:i386-${TAG} \
-		${DOCKER_REPO}:ppc64le-${TAG}
-	docker manifest annotate ${DOCKER_REPO}:latest ${DOCKER_REPO}:amd64-${TAG} --os linux --arch amd64
-	docker manifest annotate ${DOCKER_REPO}:latest ${DOCKER_REPO}:arm32v6-${TAG} --os linux --arch arm --variant v6
-	docker manifest annotate ${DOCKER_REPO}:latest ${DOCKER_REPO}:arm32v7-${TAG} --os linux --arch arm --variant v7
-	docker manifest annotate ${DOCKER_REPO}:latest ${DOCKER_REPO}:arm64v8-${TAG} --os linux --arch arm64 --variant v8
-	docker manifest annotate ${DOCKER_REPO}:latest ${DOCKER_REPO}:i386-${TAG} --os linux --arch 386
-	docker manifest annotate ${DOCKER_REPO}:latest ${DOCKER_REPO}:ppc64le-${TAG} --os linux --arch ppc64le
-	docker manifest push --purge ${DOCKER_REPO}:latest
+builder: binfmt
+	-docker buildx create --use --name ci
+	docker buildx inspect --bootstrap
 
-qemu-user-static:
-	docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
+binfmt:
+	docker run --rm --privileged docker/binfmt:66f9012c56a8316f9244ffd7622d7c21c1f6f28d
 
-help: ## Display available commands
+help: ## display available commands
 	@grep -E '^[0-9a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'

README.md

@@ -21,65 +21,54 @@ These tags including rolling updates, so from time to time the associated image
 
 ## Architectures
 
-Simply pulling `klutchell/dnscrypt-proxy:2.0.28` should retrieve the correct image for your arch, but you can also pull specific arch images via tags.
+Simply pulling `klutchell/dnscrypt-proxy` should retrieve the correct image for your arch.
 
 The architectures supported by this image are:
 
-- `amd64-2.0.28`
-- `arm32v6-2.0.28`
-- `arm32v7-2.0.28`
-- `arm64v8-2.0.28`
-- `i386-2.0.28`
-- `ppc64le-2.0.28`
-- ~~`s390x-2.0.28`~~
-
-## Deployment
-
-```bash
-# eg. run a DNS over HTTPS proxy server on port 53
-docker run -p 53:5053/udp klutchell/dnscrypt-proxy
-
-# eg. mount a custom configuration directory
-docker run -p 53:5053/udp -v "/path/to/config:/config" klutchell/dnscrypt-proxy
-
-# eg. bind directly to port 53 on the host without docker nat
-docker run --network host -e "DNSCRYPT_LISTEN_ADDRESSES=['127.0.0.1:53']" --no-healthcheck klutchell/dnscrypt-proxy
-
-# eg. use custom upstream resolvers
-docker run -p 53:5053/udp -e "DNSCRYPT_SERVER_NAMES=['scaleway-fr','google','yandex','cloudflare']" klutchell/dnscrypt-proxy
-```
-
-## Parameters
-
-- `-p 53:5053/udp` - publish udp port 5053 on the container to udp port 53 on the host
-- `-v /path/to/config:/config` - (optional) mount a custom configuration directory
-- `-e "DNSCRYPT_SERVER_NAMES=['scaleway-fr','google','yandex','cloudflare']"` - _(optional)_ specify a custom range of upstream [public resolvers](https://download.dnscrypt.info/dnscrypt-resolvers/v2/public-resolvers.md)
-- `-e "DNSCRYPT_LISTEN_ADDRESSES=['0.0.0.0:5053']"` - _(optional)_ specify a custom range of addresses/ports for binding (note that this requires `--no-healthcheck` or a custom `--healthcheck-cmd`)
+- `linux/amd64`
+- `linux/arm64`
+- `linux/ppc64le`
+- `linux/s390x`
+- `linux/386`
+- `linux/arm/v7`
 
 ## Building
 
 ```bash
-# print makefile usage
+# display available commands
 make help
 
-# ARCH can be amd64, arm32v6, arm32v7, arm64v8, i386, ppc64le
-# and is emulated on top of any host architechture with qemu
-make build ARCH=arm32v6
+# build and test on the host OS architecture
+make build BUILD_OPTIONS=--no-cache
 
-# appending -all to the make target will run the task
-# for all supported architectures and may take a long time
-make build-all BUILD_OPTIONS=--no-cache
+# cross-build multiarch manifest(s) with configured platforms
+make buildx BUILD_OPTIONS=--push
+
+# inspect manifest contents
+make inspect
 ```
 
 ## Usage
 
 Official project wiki: <https://github.com/DNSCrypt/dnscrypt-proxy/wiki>
 
 ```bash
+# print version info
+docker run --rm klutchell/dnscrypt-proxy --version
+
 # print general usage
 docker run --rm klutchell/dnscrypt-proxy --help
+
+# run dnscrypt proxy server on host port 53
+docker run -p 53:5053/tcp -p 53:5053/udp klutchell/dnscrypt-proxy
+
+# run dnscrypt proxy server with external configuration file
+docker run -v /path/to/config:/config klutchell/dnscrypt-proxy -c /config/dnscrypt-proxy.toml
 ```
 
+Note that environment variables `DNSCRYPT_SERVER_NAMES` and `DNSCRYPT_LISTEN_ADDRESSES` have been depricated.
+Going forward it is recommended to provide an external configuration file as shown above.
+
 ## Author
 
 Kyle Harding: <https://klutchell.dev>