From 4f020c3d025a85cdd7e3da7c5f3fb2ab1fe01082 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=CF=BA=CE=9BD=D0=98VTT=CE=9BH?=
Date: Thu, 11 Apr 2024 14:54:44 +0200
Subject: [PATCH] Improvements The OpenSSL buildenv version will be checked via API instead of the repos buildvars file Changed security scan schedule to once per day
---
 .../workflows/cd-build-canary-unbound.yaml | 2 +-
 .github/workflows/cd-build-unbound.yaml | 12 ++++++----
 .../workflows/cd-check-unbound-release.yaml | 2 --
 .github/workflows/cd-security-scan.yaml | 2 +-
 .github/workflows/manually-build-unbound.yaml | 8 +++++--
 README.md | 2 +-
 buildvars | 3 +--
 doc/DETAILS.md | 22 +++++++++----------
 8 files changed, 28 insertions(+), 25 deletions(-)
diff --git a/.github/workflows/cd-build-canary-unbound.yaml b/.github/workflows/cd-build-canary-unbound.yaml
index 053036a..45c407c 100644
--- a/.github/workflows/cd-build-canary-unbound.yaml
+++ b/.github/workflows/cd-build-canary-unbound.yaml
@@ -35,7 +35,7 @@ jobs: id: SET_BUILDVARS run: | echo IMAGE_BUILD_DATE=$(date -u) >> $GITHUB_OUTPUT - cat buildvars | grep OPENSSL_BUILDENV_VERSION >> $GITHUB_OUTPUT + echo OPENSSL_BUILDENV_VERSION="$(curl -s https://api.github.com/repos/madnuttah/openssl-buildenv/releases | jq '.[0] | .name' -r)" >> $GITHUB_OUTPUT - name: Build and push uses: docker/build-push-action@v5
diff --git a/.github/workflows/cd-build-unbound.yaml b/.github/workflows/cd-build-unbound.yaml
index d099e01..ce4c40d 100644
--- a/.github/workflows/cd-build-unbound.yaml
+++ b/.github/workflows/cd-build-unbound.yaml
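Review bot: The new OPENSSL_BUILDENV_VERSION lookup in the SET_BUILDVARS step has no failure handling: `curl -s` without `-f` and `jq '.[0] | .name' -r` turn a failed or rate-limited API call (the API then returns an error object, not an array) into an empty value, and because the step's exit status is that of the `echo`, the job carries on and builds with it. The identical step is added in cd-build-unbound.yaml (@@ -29) and manually-build-unbound.yaml (@@ -24), so the same applies there. Replacing the committed, reviewable value from buildvars with "first entry of /releases" also means every build resolves an unpinned, possibly pre-release buildenv (`/releases/latest` excludes pre-releases and drafts) and the version used is no longer recorded anywhere in the repo. I would at least fail fast and validate the value: authenticate with `${{ secrets.GITHUB_TOKEN }}` to raise the anonymous rate limit, use `curl -fsS --retry 3`, and abort when the result is empty or does not have the `X.Y.Z-N` shape buildvars used (`3.3.0-0`).
```yaml
- name: Get OpenSSL buildenv version
  id: GET_OPENSSL_BUILDENV_VERSION
  env:
    GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  run: |
    set -euo pipefail
    version="$(curl -fsS --retry 3 -H "Authorization: Bearer ${GH_TOKEN}" \
      https://api.github.com/repos/madnuttah/openssl-buildenv/releases/latest | jq -r '.name')"
    # Accept only the X.Y.Z-N shape buildvars carried (e.g. 3.3.0-0); abort on empty, null or unexpected output
    [[ "${version}" =~ ^[0-9]+\.[0-9]+\.[0-9]+-[0-9]+$ ]] || { echo "unexpected OPENSSL_BUILDENV_VERSION: '${version}'" >&2; exit 1; }
    echo "OPENSSL_BUILDENV_VERSION=${version}" >> "$GITHUB_OUTPUT"
```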
@@ -15,7 +15,7 @@ jobs: UNBOUND_DOCKER_IMAGE_VERSION: ${{ steps.IMPORT_BUILDVARS.outputs.UNBOUND_DOCKER_IMAGE_VERSION }} UNBOUND_VERSION: ${{ steps.IMPORT_BUILDVARS.outputs.UNBOUND_VERSION }} UNBOUND_SHA256: ${{ steps.IMPORT_BUILDVARS.outputs.UNBOUND_SHA256 }} - OPENSSL_BUILDENV_VERSION: ${{ steps.IMPORT_BUILDVARS.outputs.OPENSSL_BUILDENV_VERSION }} + OPENSSL_BUILDENV_VERSION: ${{ steps.GET_OPENSSL_BUILDENV_VERSION.outputs.OPENSSL_BUILDENV_VERSION }} steps: - name: Checkout source
@@ -29,8 +29,12 @@ jobs: cat buildvars | grep UNBOUND_DOCKER_IMAGE_VERSION >> $GITHUB_OUTPUT cat buildvars | grep IMAGE_BUILD_DATE >> $GITHUB_OUTPUT cat buildvars | grep UNBOUND_VERSION >> $GITHUB_OUTPUT - cat buildvars | grep UNBOUND_SHA256 >> $GITHUB_OUTPUT - cat buildvars | grep OPENSSL_BUILDENV_VERSION >> $GITHUB_OUTPUT + cat buildvars | grep UNBOUND_SHA256 >> $GITHUB_OUTPUT + + - name: Get OpenSSL buildenv version + id: GET_OPENSSL_BUILDENV_VERSION + run: | + echo OPENSSL_BUILDENV_VERSION="$(curl -s https://api.github.com/repos/madnuttah/openssl-buildenv/releases | jq '.[0] | .name' -r)" >> $GITHUB_OUTPUT build: runs-on: ubuntu-latest
@@ -74,4 +78,4 @@ jobs: provenance: ${{ github.event_name != 'pull_request' }} tags: | ${{ env.DOCKERHUB_SLUG }}:${{ needs.buildvars.outputs.UNBOUND_DOCKER_IMAGE_VERSION }} - ${{ env.DOCKERHUB_SLUG }}:latest + ${{ env.DOCKERHUB_SLUG }}:latest
\ No newline at end of file
diff --git a/.github/workflows/cd-check-unbound-release.yaml b/.github/workflows/cd-check-unbound-release.yaml
index 3f766c0..ec4ec20 100644
--- a/.github/workflows/cd-check-unbound-release.yaml
+++ b/.github/workflows/cd-check-unbound-release.yaml
@@ -20,7 +20,6 @@ jobs: echo UNBOUND_VERSION="$(curl -s https://api.github.com/repos/NLnetLabs/unbound/releases | jq '.[0] | .name' -r | grep -Eo '([0-9]+)(\.?[0-9]+)*' | head -1)" >> $GITHUB_OUTPUT echo UNBOUND_DOCKER_VERSION="$(curl -s https://api.github.com/repos/madnuttah/unbound-docker/releases | jq '.[0] | .name' -r | grep -Eo '([0-9]+)(\.?[0-9]+)*' | head -1)" >> $GITHUB_OUTPUT echo UNBOUND_DOCKER_IMAGE_VERSION="$(curl -s https://api.github.com/repos/madnuttah/unbound-docker/releases | jq '.[0] | .name' -r)" >> $GITHUB_OUTPUT - echo OPENSSL_BUILDENV_VERSION="$(curl -s https://api.github.com/repos/madnuttah/openssl-buildenv/releases | jq '.[0] | .name' -r)" >> $GITHUB_OUTPUT fi - name: Is update available
@@ -65,7 +64,6 @@ jobs: echo UNBOUND_VERSION="$UNBOUND_VERSION" >> buildvars echo UNBOUND_SHA256="$UNBOUND_SHA256" >> buildvars echo UNBOUND_DOCKER_IMAGE_VERSION="${UNBOUND_VERSION}-0" >> buildvars - echo OPENSSL_BUILDENV_VERSION=${{ steps.GET_VERSIONS.outputs.OPENSSL_BUILDENV_VERSION }} >> buildvars git add buildvars git commit buildvars -m "Updated buildvars" git push origin main
diff --git a/.github/workflows/cd-security-scan.yaml b/.github/workflows/cd-security-scan.yaml
index 116cc98..0cd0242 100644
--- a/.github/workflows/cd-security-scan.yaml
+++ b/.github/workflows/cd-security-scan.yaml
@@ -2,7 +2,7 @@ name: CD Security Scan on: schedule: - - cron: '0 */12 * * *' + - cron: '0 */24 * * *' jobs: scan:
diff --git a/.github/workflows/manually-build-unbound.yaml b/.github/workflows/manually-build-unbound.yaml
index 05f7f27..2138bf2 100644
--- a/.github/workflows/manually-build-unbound.yaml
+++ b/.github/workflows/manually-build-unbound.yaml
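Review bot: `- cron: '0 */24 * * *'` in cd-security-scan.yaml only works because a step of 24 in the 0-23 hour field collapses to the single value 0, so it is an unusual spelling of the daily `'0 0 * * *'`; the canonical form is clearer and avoids any cron validator that rejects a step larger than the field's range. The doc/DETAILS.md hunk at @@ -88 is rewritten in this same commit yet still says the `latest` image is scanned "on a recurring 12 hour schedule", so the documentation and the workflow now disagree; I would change that phrase to "on a daily schedule". Only `schedule` is visible under `on:` here; GitHub disables scheduled workflows in a repository with no activity for 60 days, so adding `workflow_dispatch:` next to it keeps the scan runnable by hand and makes a silently stopped scan easier to notice.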
@@ -10,7 +10,7 @@ jobs: IMAGE_BUILD_DATE: ${{ steps.IMPORT_BUILDVARS.outputs.IMAGE_BUILD_DATE }} UNBOUND_VERSION: ${{ steps.IMPORT_BUILDVARS.outputs.UNBOUND_VERSION }} UNBOUND_SHA256: ${{ steps.IMPORT_BUILDVARS.outputs.UNBOUND_SHA256 }} - OPENSSL_BUILDENV_VERSION: ${{ steps.IMPORT_BUILDVARS.outputs.OPENSSL_BUILDENV_VERSION }} + OPENSSL_BUILDENV_VERSION: ${{ steps.GET_OPENSSL_BUILDENV_VERSION.outputs.OPENSSL_BUILDENV_VERSION }} steps: - name: Checkout source
@@ -24,7 +24,11 @@ jobs: echo IMAGE_BUILD_DATE=$(date -u) >> $GITHUB_OUTPUT cat buildvars | grep UNBOUND_VERSION >> $GITHUB_OUTPUT cat buildvars | grep UNBOUND_SHA256 >> $GITHUB_OUTPUT - cat buildvars | grep OPENSSL_BUILDENV_VERSION >> $GITHUB_OUTPUT + + - name: Get OpenSSL buildenv version + id: GET_OPENSSL_BUILDENV_VERSION + run: | + echo OPENSSL_BUILDENV_VERSION="$(curl -s https://api.github.com/repos/madnuttah/openssl-buildenv/releases | jq '.[0] | .name' -r)" >> $GITHUB_OUTPUT build: runs-on: ubuntu-latest
diff --git a/README.md b/README.md
index cd9f188..cdaf016 100644
--- a/README.md
+++ b/README.md
@@ -112,6 +112,6 @@ Please note that this is a work of a private contributor and I'm neither affilia In case you would like to donate money, please rather spend it on the upstream projects this image relies on. -If you endorse what I do and if you find this image protecting your privacy and giving back your DNS liberty useful - consider becoming a stargazer ⭐ on Docker Hub and GitHub. Thank you for your support! +If you like what I do and if you find this image protecting your privacy and giving back your DNS liberty useful - consider becoming a stargazer ⭐ on Docker Hub and GitHub. Thank you for your support! **Some things in life are free**. ❤️
diff --git a/buildvars b/buildvars
index 01fbf1d..d115439 100644
--- a/buildvars
+++ b/buildvars
@@ -1,5 +1,4 @@
 IMAGE_BUILD_DATE=Thu Mar 14 15:03:28 UTC 2024
 UNBOUND_VERSION=1.19.3
 UNBOUND_SHA256=3ae322be7dc2f831603e4b0391435533ad5861c2322e34a76006a9fb65eb56b9
-UNBOUND_DOCKER_IMAGE_VERSION=1.19.3-0
-OPENSSL_BUILDENV_VERSION=3.3.0-0
+UNBOUND_DOCKER_IMAGE_VERSION=1.19.3-0
\ No newline at end of file
diff --git a/doc/DETAILS.md b/doc/DETAILS.md
index 4528ff9..c7d24ce 100644
--- a/doc/DETAILS.md
+++ b/doc/DETAILS.md
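Review bot: The re-added `UNBOUND_DOCKER_IMAGE_VERSION=1.19.3-0` line loses the file's final newline (`\ No newline at end of file`), which the removed line had. buildvars is extended with `echo ... >> buildvars` in cd-check-unbound-release.yaml (@@ -65); unless that job truncates the file first, which its hunk does not show, an append onto a last line without a newline glues the new entry onto `UNBOUND_DOCKER_IMAGE_VERSION=1.19.3-0`, and the `cat buildvars | grep` readers in the build workflows would then pick up a merged value. Restoring the trailing newline avoids that; the same newline loss appears in cd-build-unbound.yaml (@@ -74) and doc/DETAILS.md (@@ -382). Dropping OPENSSL_BUILDENV_VERSION from the committed file also means the repository no longer records which openssl-buildenv release a published image was built against; if that should stay traceable, the build workflows could write the value they resolve at build time into an image label or the release notes.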
@@ -88,7 +88,7 @@ All components as well as the Internic files (root.hints and root.zone) are veri When NLnet Labs publishes a new stable Unbound release, the image will be built, pushed to Docker Hub, tagged and released -including the required signing by my bot [`@madnuttah-bot`](https://github.com/madnuttah-bot) according to the repo's strict security policies- to GitHub on a week-daily schedule without sacrificing security measures like SHA256 verification of the downloaded source tarball. As I take your network security serious, I am still able and very commited to manually update the image as soon as security fixes of the images components were released. The same applies to the OpenSSL build environment when an OpenSSL update got released. -The `latest` image is scanned for vulnerabilities using the [Aqua Security Trivy](https://trivy.dev/) and [Docker Scout](https://docs.docker.com/scout/) vulnerability scan on a recurring 12 hour schedule. If vulnerabilities have been detected, they'll show up in the `scan` of [CD Security Scan](https://github.com/madnuttah/unbound-docker/actions/workflows/cd-security-scan.yaml). You need to be logged into GitHub to see the log files. The `canary` build shows the results in the workflow's run details. +The `latest` image is scanned for vulnerabilities using the [Aqua Security Trivy](https://trivy.dev/) and [Docker Scout](https://docs.docker.com/scout/) vulnerability scan on a recurring 12 hour schedule. If vulnerabilities have been detected, they'll show up in the `scan` of [CD Security Scan](https://github.com/madnuttah/unbound-docker/actions/workflows/cd-security-scan.yaml). The `canary` build shows the results in the workflow's run details. You need to be logged into GitHub to see the log files. ## Installation 
@@ -209,13 +209,13 @@ export set wait ### Usage -The most elegant way to get started is using [docker-compose](https://docs.docker.com/compose/). I have provided combined Pi-hole/Unbound [`docker-compose.yaml`](https://github.com/madnuttah/unbound-docker/tree/main/doc/examples/) samples which I'm using in slightly modified form that makes use of a combined [MACVLAN/Bridge](https://docs.docker.com/network/macvlan/) and a shim [Bridge](https://docs.docker.com/network/bridge/) network which must be adapted to your network environment and to suit your needs. **Especially all entries in angle brackets (<>) needs your very attention!** +The most elegant way to get started is using [docker-compose](https://docs.docker.com/compose/). I have provided combined Pi-hole/Unbound [`docker-compose.yaml`](https://github.com/madnuttah/unbound-docker/tree/main/doc/examples/) samples which I'm using in slightly modified form that makes use of a combined [MACVLAN](https://docs.docker.com/network/macvlan/)/shim [Bridge](https://docs.docker.com/network/bridge/) network which must be adapted to your network environment and to suit your needs. **Especially all entries in angle brackets (<>) needs your very attention!** *I prefer using a combined MACVLAN/Bridge network configuration, but other network configurations will run as well.* -You'll need an additional custom bridge network so your host is able communicate with the container and vice versa (updating the Docker host, etc.). If you don't like to have an additional shim network, take a look at [this workaround](https://blog.oddbit.com/post/2018-03-12-using-docker-macvlan-networks/). +You'll probably want an additional custom bridge network so your host is able communicate with the container and vice versa (for updating the Docker host, etc.). If you don't like to have an additional shim network, take a look at [this workaround](https://blog.oddbit.com/post/2018-03-12-using-docker-macvlan-networks/). 
-Anyway, you can also spin up the container with the following command, `sudo` may apply: +Anyway, you can also spin up the container with the following command: ``` docker run --name unbound -d \
@@ -242,7 +242,7 @@ Create a new mountpoint like `../unbound-db/`, make it available via `fstab` and Create a new entry for cachedb in your `unbound.conf` with the content of this [`cachedb.conf`](https://raw.githubusercontent.com/madnuttah/unbound-docker/main/doc/examples/redis/cachedb.conf) or put the file in your `conf.d` directory if you use the structured directories. -You can verify the connection to redis in the `unbound.log` or by typing `sudo docker logs unbound` in the shell: +You can verify the connection to redis in the `unbound.log` or by typing `docker logs unbound` in the shell: ``` ...
@@ -318,7 +318,7 @@ Not in the console but rather in Portainer (and here on this page of course) the ### Updating the Image -**Even I use it for less important services myself, I don't recommend using solutions like [watchtower](https://github.com/containrrr/watchtower) to update critical services like your production DNS infrastructure automatically. Imagine your network went down due to an update of the image not working as expected. Please always test before rolling out an update even I do my best not to break something.** +**Even I use it for less important services myself, I don't recommend using solutions like [Watchtower](https://github.com/containrrr/watchtower) to update critical services like your production DNS infrastructure automatically. Imagine your network went down due to an update of the image not working as expected. Please always test before rolling out an update even I do my best not to break something.** **Absolutely no question, keeping all the things up-to-date is top priority nowadays, so a notification service like [DIUN](https://github.com/crazy-max/diun) can inform you when an update has been released so you can take appropriate action if needed.**
@@ -326,8 +326,6 @@ If you want to update to the `latest` version available on Docker Hub, just pull Pulling the latest image without a compose file can be done by `docker pull madnuttah/unbound:latest`. -`sudo` may apply. - ### Unbound Statistics

@@ -339,11 +337,11 @@ I also created a [`companion project`](https://github.com/madnuttah/unbound-dock # Known Issues - There's a difference between 'vanilla' Docker and the variant Synology uses. If the container won't spin up -when trying to use a privileged port like `53 tcp/udp` you might need to set `user: root` in the compose file's Unbound service section. See issue #62. +when trying to use a privileged port like `53 tcp/udp` you might need to set `user: root` in the compose file's Unbound service section. See [issue #62](https://github.com/madnuttah/unbound-docker/issues/62). # Troubleshooting -* You'd like to use a different `unbound.conf` than the one [`included`](https://raw.githubusercontent.com/madnuttah/unbound-docker/main/unbound/root/usr/local/unbound/unbound.conf)? No problem at all, just make sure to change at least the following settings and fix crucial paths, otherwise the container will fail to start: +* You'd like to use a different `unbound.conf` than the one [`included`](https://raw.githubusercontent.com/madnuttah/unbound-docker/main/unbound/root/usr/local/unbound/unbound.conf)? No problem, just make sure to change at least the following settings and fix crucial paths, otherwise the container will fail to start: ``` server:
@@ -374,7 +372,7 @@ unbound[1:0] error: can't bind socket: Permission denied for 127.0.0.1 port 53 * If you see the warning `unbound[1:0] warning: unbound is already running as pid 1`, executing `docker-compose down && docker compose up -d` will remove the PID and also the warnings in the log. -* This is no issue but rather something good, it means that Unbound is using DNSSEC: +* This is no issue and shows that Unbound is doing trust anchor signaling to the root name servers. See [this URL](https://tools.ietf.org/html/rfc8145) for more details. > `... unbound[0:1] info: generate keytag query _ta-4f66. NULL IN`
@@ -382,4 +380,4 @@ unbound[1:0] error: can't bind socket: Permission denied for 127.0.0.1 port 53 # Documentation -In-depth documentation for NLnet Labs Unbound is available on the [Unbound documentation website](https://unbound.docs.nlnetlabs.nl/en/latest/) and [here](https://www.nlnetlabs.nl/documentation/unbound/unbound.conf/) goes a direct link to the documentation of the default unbound.conf file. +In-depth documentation for NLnet Labs Unbound is available on the [Unbound documentation website](https://unbound.docs.nlnetlabs.nl/en/latest/) and [here](https://www.nlnetlabs.nl/documentation/unbound/unbound.conf/) goes a direct link to the documentation of the default unbound.conf file.
\ No newline at end of file