# Copyright (c) 2024 SIDN Labs
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# 1. Redistributions of source code must retain the above copyright notice, this
# list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# 3. Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
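# First stage: the builder image
ARG UBUNTU_VERSION=22.04
FROM ubuntu:${UBUNTU_VERSION} AS build
# This is the PowerDNS version that is Labs-supported, as in: we have a patchfile for it.
ARG PDNS_VERSION=master-20240605
# Upstream pdns commit the patch was written against; pinned so the build does
# not drift with upstream master.
ARG PDNS_COMMIT=9cae233bdc121564af63521a0b862d7f64d911dd
# Use PQClean commit (currently most recent in master at time of writing)
ARG PQCLEAN_COMMIT=0cdedc78dc429ef3dd251257d9f2634e725d0536
ARG SQISIGN_COMMIT=ff34a8cd18b6b131021f5027e2000eb54b98fd1c
ARG MAYO_COMMIT=fc9079fb5ac5cd4af98e3e0f094a0a3cf2a01499
ARG DIRECTORY=/build/workspace
# Two lines to prevent tzdata from blocking us (ARG, so it does not leak into
# the runtime environment)
ARG DEBIAN_FRONTEND=noninteractive
ENV TZ=Europe/Amsterdam
# Install dependencies.
# apt-get rather than apt (apt's CLI is not meant for scripts); update and
# install in the same layer so the package index can never be stale; remove the
# index in that same layer so it does not persist in the image. Duplicates from
# the earlier list (libboost-all-dev, libtool, lua-yaml-dev, libyaml-cpp-dev)
# are dropped and the list is sorted for diffability. Package versions are not
# pinned (hadolint DL3008); the ubuntu tag above is the effective pin.
RUN apt-get update && apt-get install -y --no-install-recommends \
        autoconf \
        automake \
        bison \
        build-essential \
        cargo \
        cmake \
        curl \
        default-libmysqlclient-dev \
        flex \
        gawk \
        git \
        libboost-all-dev \
        libcurl4 \
        libcurl4-openssl-dev \
        libgmp-dev \
        libluajit-5.1-dev \
        libsqlite3-dev \
        libssl-dev \
        libtolua-dev \
        libtool \
        libyaml-cpp-dev \
        lua-yaml-dev \
        lua5.3 \
        luajit \
        make \
        pkg-config \
        python3-venv \
        ragel \
    && rm -rf /var/lib/apt/lists/*
# Show informative message with number of cores (build log only)
RUN echo Currently running on $(nproc) cores
# Workspace for all sources. WORKDIR creates the directory, so no mkdir is
# needed, and it replaces the `cd ${DIRECTORY} && ...` prefixes below.
WORKDIR ${DIRECTORY}
# Pre-trust the gitlab.sidnlabs.nl SSH host key.
# NOTE(review): nothing in this file clones over SSH (every URL below is HTTPS)
# and ssh-keyscan ships with openssh-client, which is not in the package list
# above - confirm the build scripts need it, otherwise drop this line. If it is
# needed, compare the scanned key against a known fingerprint instead of
# trusting whatever the first scan returns.
RUN mkdir -p ~/.ssh && ssh-keyscan -t rsa gitlab.sidnlabs.nl >> ~/.ssh/known_hosts
# The patch is a plain local file: COPY, not ADD (ADD additionally extracts
# archives and fetches URLs, neither of which is wanted here).
COPY patches/patch-powerdns-${PDNS_VERSION}.diff ${DIRECTORY}/patch-powerdns-${PDNS_VERSION}.diff
# Clone PowerDNS repository, checkout the pinned commit and apply the patch.
# The clone stays in its own layer so a commit or patch bump does not re-clone.
RUN git clone https://github.com/PowerDNS/pdns.git ${DIRECTORY}/pdns
RUN git -C ${DIRECTORY}/pdns fetch --tags \
    && git -C ${DIRECTORY}/pdns checkout ${PDNS_COMMIT} \
    && git -C ${DIRECTORY}/pdns apply ${DIRECTORY}/patch-powerdns-${PDNS_VERSION}.diff
# Now use PQClean
RUN git clone https://github.com/PQClean/PQClean ${DIRECTORY}/PQClean
RUN git -C ${DIRECTORY}/PQClean checkout ${PQCLEAN_COMMIT}
# Obtain SQIsign
RUN git clone https://github.com/SQISign/the-sqisign ${DIRECTORY}/sqisign
RUN git -C ${DIRECTORY}/sqisign checkout ${SQISIGN_COMMIT}
# Obtain Mayo
RUN git clone https://github.com/PQCMayo/MAYO-C ${DIRECTORY}/mayo
RUN git -C ${DIRECTORY}/mayo checkout ${MAYO_COMMIT}
# Install prefix for the PQC libraries - presumably written by the build
# scripts below; confirm against buildscripts/.
RUN mkdir -p /usr/lib/patad-testbed /usr/include/patad-testbed
# Build helpers are plain local files: COPY, not ADD. Copied after the clones
# so editing a script does not invalidate the clone layers.
COPY buildscripts/build-falcon.sh buildscripts/build-sqisign.sh buildscripts/build-mayo.sh ${DIRECTORY}/
# Now build PQClean: compile Falcon-512
RUN ./build-falcon.sh
# Now build SQIsign-1
RUN ./build-sqisign.sh
# Now build Mayo-2
RUN ./build-mayo.sh
# Now that all PQC algorithms are compiled, lets compile the patched PowerDNS version
WORKDIR ${DIRECTORY}/pdns
RUN autoreconf -vi
RUN ./configure \
    --with-modules="bind gsqlite3" \
    --with-sqlite3 \
    --with-falcon \
    --with-mayo \
    --with-sqisign \
    --disable-lua-records \
    --sysconfdir=/var/lib/powerdns
# Do not build Docs/ (caused too many problems in the past)
COPY buildscripts/Makefile.empty ${DIRECTORY}/pdns/docs/Makefile
RUN make -j "$(nproc)"
# Stage the install tree under /build/artifacts; the runtime stage copies it from there.
RUN make -C pdns install DESTDIR=/build/artifacts && make -C modules install DESTDIR=/build/artifacts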
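# building the production image
# NOTE(review): debian:12-slim is a floating tag; pin by digest for
# reproducible rebuilds.
FROM debian:12-slim AS pdnsimage
# Install dependencies.
# update, dist-upgrade and install share one layer so the package index can
# never be stale relative to the install (the original split them across two
# RUNs). dist-upgrade is kept on purpose: the base tag floats, and this picks
# up Debian security updates at build time (hadolint DL3005 flags it; bumping
# the base digest is the alternative). Lists are removed in the same layer so
# they do not persist in the image.
RUN apt-get update && apt-get -y dist-upgrade \
    && apt-get install -y --no-install-recommends \
        dnsutils \
        libboost-program-options-dev \
        libcap2-bin \
        libssl3 \
        luajit2 \
        python3-jinja2 \
        python3-requests \
        sqlite3 \
        tini \
        wait-for-it \
    && apt-get clean && rm -rf /var/lib/apt/lists/*
# Copy over relevant powerdns files from build stage, and 'install' them.
# The artifact tree is kept in one place under /build and symlinked into
# /usr/local; /usr/local/lib/pdns presumably holds the backend modules built
# with --with-modules in the build stage.
COPY --from=build /build/artifacts /build/
RUN ln -s /build/usr/local/bin/* /usr/local/bin/ \
    && ln -s /build/usr/local/sbin/pdns_server /usr/local/sbin/pdns_server \
    && mkdir -p /usr/local/lib/pdns \
    && ln -s /build/usr/local/lib/pdns/* /usr/local/lib/pdns/
# Expose port that powerdns is configured to run on
# This can always be changed later.
EXPOSE 53/tcp
EXPOSE 53/udp
# No USER is set: pdns_server has to bind 53/tcp+udp, so the image runs as
# root. Prefer dropping privileges via PowerDNS's own setuid/setgid settings in
# the runtime config, or run as a dedicated user with cap_net_bind_service
# (libcap2-bin is installed above for setcap) - TODO confirm the runtime config
# does one of these. No HEALTHCHECK is defined either; `pdns_control ping` is
# the natural cheap probe if the control socket is reachable.
# tini (installed above, previously unused) runs as PID 1 so SIGTERM from
# `docker stop` reaches pdns_server and any children are reaped. Arguments
# given to `docker run` are still appended to pdns_server as before.
ENTRYPOINT ["tini", "--", "pdns_server", "--daemon=no"]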