Ubuntu Docker Images

Merge ~bryce/ubuntu-docker-images/+git/bind9:initial-implementation into ~ubuntu-docker-images/ubuntu-docker-images/+git/bind9:main

  1. Git
  2. lp:~bryce/ubuntu-docker-images/+git/bind9
  3. initial-implementation
  4. Merge into main
Proposed by Bryce Harrington
Status: Merged
Merge reported by: Bryce Harrington
Merged at revision: 772fbd3e8e5e3378c1b11af8dadce6b274d7ed49
Proposed branch: ~bryce/ubuntu-docker-images/+git/bind9:initial-implementation
Merge into: ~ubuntu-docker-images/ubuntu-docker-images/+git/bind9:main
Diff against target: 456 lines (+390/-0)
11 files modified
Dockerfile (+28/-0)
HACKING.md (+55/-0)
Makefile (+26/-0)
README.md (+86/-0)
data/bind9.yaml (+40/-0)
docker-entrypoint.sh (+20/-0)
examples/README.md (+43/-0)
examples/bind9-deployment.yml (+35/-0)
examples/caching-nameserver/README.md (+24/-0)
examples/caching-nameserver/named.conf.options (+26/-0)
examples/docker-compose.yml (+7/-0)
Reviewer Review Type Date Requested Status
Sergio Durigan Junior Approve
Canonical Server Pending
Review via email: mp+408328@code.launchpad.net

Description of the change

Initial OCI for bind9.

I also have a bind9_test.sh prepared for oci-unit-tests however it appears to expect the image to exist in a remote repository in order to run it. At least, I haven't sorted out how to run it entirely locally. So that is still TBD, and may require some adjustments to this image once it does run. That said, I *think* this image is more or less ready for review.

To post a comment you must log in.
Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

Thanks for the MP, Bryce.

I found some spots that need fixing/adjustments, so I'm leaving comments where applicable. I haven't tested the microk8s service; will do that later.

As for your comment regarding running the unit tests using locally-built images, you can use the DOCKER_IMAGE variable to do that:

# DOCKER_IMAGE=test/bind9 sh bind9_test.sh

review: Needs Fixing
Revision history for this message
Bryce Harrington (bryce) wrote :

Thanks for the review, I've made the changes as suggested.
It looks like a lot of the containers use ports in the 3xxxx range so am using 30053 for the external port.

I noticed the link to the example files was also incorrect (yay cargo culting) and have updated it to point at where the example config will be.

Revision history for this message
Bryce Harrington (bryce) wrote :

I've also updated the copyright holder in the license, but let me know if it should be done differently.

Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

Thanks, Bryce.

Re. the copyright holder, I think that's the right thing to do but IANAL. I'll talk to Valentin, because some of our other images have the same problem. Meanwhile, could you please remove the LICENSE file from the commit? I'm not even sure if we want to license this work using BSD-3-Clause or if we'll use another license...

As for the other changes, they look good now modulo a few nits. I wasn't able to build the Impish version of the image, but I did build the Hirsute one and it looks fine. Looking forward to running the unit tests for it.

+1, LGTM.

review: Approve
Revision history for this message
Bryce Harrington (bryce) wrote :
Download full text (5.9 KiB)

On Thu, Sep 09, 2021 at 08:10:25PM -0000, Sergio Durigan Junior wrote:
> Review: Approve
>
> Thanks, Bryce.
>
> Re. the copyright holder, I think that's the right thing to do but IANAL. I'll talk to Valentin, because some of our other images have the same problem. Meanwhile, could you please remove the LICENSE file from the commit? I'm not even sure if we want to license this work using BSD-3-Clause or if we'll use another license...
>

Sure. Looks like this was just inherited from deriving off memcached.
Looking at some of the other OCI files, looks like this generally is
just the license of the packaged software itself. For bind9 that
appears to be MPLv2.0. In some cases where the OCI image derives from a
pre-existing docker image's git repo that might make sense but leaves
inconsistency across the packages.

It'll be good to get Valentin's direction, this isn't something I'd be
comfortable deciding either. But having a policy established would be
of value going forward.

> As for the other changes, they look good now modulo a few nits. I wasn't able to build the Impish version of the image, but I did build the Hirsute one and it looks fine. Looking forward to running the unit tests for it.
>
> +1, LGTM.

Thanks. I've added the suggested changes and will land to the main
repo.

Bryce

> Diff comments:
>
> > diff --git a/Dockerfile b/Dockerfile
> > new file mode 100644
> > index 0000000..1d001d6
> > --- /dev/null
> > +++ b/Dockerfile
> > @@ -0,0 +1,30 @@
> > +FROM ubuntu:impish
> > +
> > +ENV TZ UTC
> > +ENV BIND_USER bind
>
> No need for BIND_USER here.
>
> > +
> > +RUN set -eux; \
> > +# installation
> > + apt-get update; \
> > + DEBIAN_FRONTEND=noninteractive apt-get full-upgrade -y; \
> > + DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
> > + bind9 \
> > + bind9-utils \
> > + tzdata \
> > + ; \
> > + DEBIAN_FRONTEND=noninteractive apt-get remove --purge --auto-remove -y; \
> > + rm -rf /var/lib/apt/lists/*; \
> > +# smoke test
> > + named -v; \
> > +# create manifest
> > + mkdir -p /usr/share/rocks; \
> > + (echo "# os-release" && cat /etc/os-release && echo "# dpkg-query" && dpkg-query -f '${db:Status-Abbrev},${binary:Package},${Version},${source:Package},${Source:Version}\n' -W) > /usr/share/rocks/dpkg.query
> > +
> > +USER bind
> > +VOLUME ["/var/cache/bind", "/var/lib/bind"]
> > +
> > +EXPOSE 53
> > +
> > +COPY docker-entrypoint.sh /usr/local/bin/
> > +ENTRYPOINT ["docker-entrypoint.sh"]
> > +CMD docker-entrypoint.sh
>
> You don't need the CMD statement here.
>
> > diff --git a/data/bind9.yaml b/data/bind9.yaml
> > new file mode 100644
> > index 0000000..45b6dfc
> > --- /dev/null
> > +++ b/data/bind9.yaml
> > @@ -0,0 +1,34 @@
> > +application: Bind9
> > +main: true
> > +repo: bind9
> > +description: >
> > + BIND 9 provides software for Domain Name System (DNS) management including both defining domain names authoritatively for a given DNS zone, and recursively resolving domain names to their IP addresses.
> > + In addition to BIND 9's DNS server itself, `named`, this container also includes tools for performing DNS queries and dynamic updates.
> > + Read more on the [BIND 9 webs...

Read more...

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/Dockerfile b/Dockerfile
2new file mode 100644
3index 0000000..9f84af0
4--- /dev/null
5+++ b/Dockerfile
6@@ -0,0 +1,28 @@
7+FROM ubuntu:impish
8+
9+ENV TZ UTC
10+
11+RUN set -eux; \
12+# installation
13+ apt-get update; \
14+ DEBIAN_FRONTEND=noninteractive apt-get full-upgrade -y; \
15+ DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
16+ bind9 \
17+ bind9-utils \
18+ tzdata \
19+ ; \
20+ DEBIAN_FRONTEND=noninteractive apt-get remove --purge --auto-remove -y; \
21+ rm -rf /var/lib/apt/lists/*; \
22+# smoke test
23+ named -v; \
24+# create manifest
25+ mkdir -p /usr/share/rocks; \
26+ (echo "# os-release" && cat /etc/os-release && echo "# dpkg-query" && dpkg-query -f '${db:Status-Abbrev},${binary:Package},${Version},${source:Package},${Source:Version}\n' -W) > /usr/share/rocks/dpkg.query
27+
28+USER bind
29+VOLUME ["/var/cache/bind", "/var/lib/bind"]
30+
31+EXPOSE 53
32+
33+COPY docker-entrypoint.sh /usr/local/bin/
34+ENTRYPOINT ["docker-entrypoint.sh"]
35diff --git a/HACKING.md b/HACKING.md
36new file mode 100644
37index 0000000..26ac0d9
38--- /dev/null
39+++ b/HACKING.md
40@@ -0,0 +1,55 @@
41+# Contributing
42+
43+In Ubuntu, Bind9 is available as a `.deb` package. For this reason,
44+this image was built by installing the Bind9 Ubuntu 21.10 package
45+inside a docker container.
46+
47+In order to contribute to the Bind9 OCI image, do the following:
48+
49+* Create a new branch.
50+
51+* Make your changes. Keep your commits logically separated. If it is
52+ fixing a bug do not forget to mention it in the commit message.
53+
54+* Build a new image with your changes. You can use the following command:
55+
56+```
57+$ docker build -t ubuntu/bind9:test .
58+```
59+
60+* Test the new image. Run it in some way that exercises your changes,
61+ you can also check the README.md file.
62+
63+* If everything goes well submit a merge proposal.
64+
65+# Generating the documentation
66+
67+The documentation (`README.md`) is generated using templates. In
68+order to do that, you need to follow some steps.
69+
70+```
71+$ pwd
72+~/work/bind9
73+$ cd ..
74+$ git clone https://github.com/misterw97/RenderDown
75+$ cd bind9
76+$ make all-doc
77+```
78+
79+If you already have the `RenderDown` repository cloned somewhere else,
80+you can tell `make` about it:
81+
82+```
83+$ RENDERDOWN=/path/to/renderdown.py make all-doc
84+```
85+
86+# Hacking the documentation templates
87+
88+The repository containing the templates is located at:
89+
90+https://code.launchpad.net/~canonical-server/ubuntu-docker-images/+git/templates
91+
92+The specific data for this image's template can be found inside the
93+`data/` directory, in the image's own repository.
94+
95+
96diff --git a/Makefile b/Makefile
97new file mode 100644
98index 0000000..ea11f99
99--- /dev/null
100+++ b/Makefile
101@@ -0,0 +1,26 @@
102+RENDERDOWN ?= ../RenderDown/renderdown.py
103+PYTHON ?= python3
104+
105+README_TEMPLATE = templates/README_DOCKERHUB.md
106+
107+HACKING_TEMPLATE = templates/HACKING_deb.md
108+
109+all: all-doc
110+
111+all-doc: clean-doc readme
112+
113+get-templates:
114+ wget -nv -e "robots=off" -nd -r -np -P templates https://git.launchpad.net/~canonical-server/ubuntu-docker-images/+git/templates/plain/templates/
115+
116+readme: get-templates
117+ mv -v $(README_TEMPLATE) templates/README.md
118+ mv -v $(HACKING_TEMPLATE) templates/HACKING.md
119+ $(PYTHON) $(RENDERDOWN) templates/README.md > README.md
120+ $(PYTHON) $(RENDERDOWN) templates/HACKING.md > HACKING.md
121+
122+clean: clean-doc
123+
124+clean-doc:
125+ rm -frv templates/ README.md
126+
127+.PHONY: readme clean clean-doc all all-doc get-templates
128diff --git a/README.md b/README.md
129new file mode 100644
130index 0000000..aa9e1d8
131--- /dev/null
132+++ b/README.md
133@@ -0,0 +1,86 @@
134+# Bind9 | Ubuntu
135+
136+Current Bind9 Docker Image from Ubuntu. Receives security updates and rolls to newer Bind9 or Ubuntu LTS. This repository is exempted from per-user rate limits. For [LTS Docker Image](https://ubuntu.com/security/docker-images) versions of this image, see `lts/bind9`.
137+
138+
139+## About Bind9
140+
141+BIND 9 provides software for Domain Name System (DNS) management including both defining domain names authoritatively for a given DNS zone, and recursively resolving domain names to their IP addresses. In addition to BIND 9's DNS server itself, `named`, this container also includes tools for performing DNS queries and dynamic updates. Read more on the [BIND 9 website](https://www.isc.org/bind/).
142+
143+
144+## Tags and Architectures
145+![LTS](https://assets.ubuntu.com/v1/0a5ff561-LTS%402x.png?h=17)
146+Up to 5 years free security maintenance `from lts/bind9`.
147+
148+![ESM](https://assets.ubuntu.com/v1/572f3fbd-ESM%402x.png?h=17)
149+Up to 10 years customer security maintenance `from store/canonical/bind9`.
150+
151+_Tags in italics are not available in ubuntu/bind9 but are shown here for completeness._
152+
153+| Channel Tag | | | Currently | Architectures |
154+|---|---|---|---|---|
155+| **`9.16-21.10_beta`**    | | | Bind9 9.16.15 on Ubuntu 21.10 | `amd64`, `arm64`, `ppc64el`, `s390x` |
156+| _`track_risk`_ |
157+
158+Channel tag shows the most stable channel for that track ordered `stable`, `candidate`, `beta`, `edge`. More risky channels are always implicitly available. So if `beta` is listed, you can also pull `edge`. If `candidate` is listed, you can pull `beta` and `edge`. When `stable` is listed, all four are available. Images are guaranteed to progress through the sequence `edge`, `beta`, `candidate` before `stable`.
159+
160+
161+## Usage
162+
163+Launch this image locally:
164+
165+```sh
166+docker run -d --name bind9-container -e TZ=UTC -p 30053:53 ubuntu/bind9:9.16-21.10_beta
167+```
168+Access your Bind9 server at `localhost:30053`
169+
170+#### Parameters
171+
172+| Parameter | Description |
173+|---|---|
174+| `-e TZ=UTC` | Timezone. |
175+| `-p 1803233` | Expose bind9 on `localhost:30053`. |
176+| `-v /path/to/bind/configuration:/etc/bind/named.conf` | Local [configuration file](https://bind9.readthedocs.io/en/latest/reference.html) `named.conf` (try [this example](https://git.launchpad.net/~canonical-server/ubuntu-docker-images/+git/bind9/plain/examples/caching-nameserver/named.conf.options)). |
177+
178+
179+#### Testing/Debugging
180+
181+To debug the container:
182+
183+```sh
184+docker logs -f bind9-container
185+```
186+
187+To get an interactive shell:
188+
189+```sh
190+docker exec -it bind9-container /bin/bash
191+```
192+
193+
194+## Deploy with Kubernetes
195+
196+Works with any Kubernetes; if you don't have one, we recommend you [install MicroK8s](https://microk8s.io/) and `microk8s.enable dns storage` then `snap alias microk8s.kubectl kubectl`.
197+
198+Download
199+[bind9-deployment.yml](https://git.launchpad.net/~canonical-server/ubuntu-docker-images/+git/bind9/plain/examples/bind9-deployment.yml) and set `containers.bind9.image` in `bind9-deployment.yml` to your chosen channel tag (e.g. `ubuntu/bind9:9.16-21.10_beta`), then:
200+
201+```sh
202+kubectl apply -f bind9-deployment.yml
203+```
204+
205+You will now be able to connect to the Bind9 server on localhost:30053`.
206+
207+## Bugs and feature requests
208+
209+If you find a bug in our image or want to request a specific feature, please file a bug here:
210+
211+[https://bugs.launchpad.net/ubuntu-docker-images/+filebug](https://bugs.launchpad.net/ubuntu-docker-images/+filebug)
212+
213+Please title the bug "`bind9: <issue summary>`". Make sure to include the digest of the image you are using, from:
214+
215+```sh
216+docker images --no-trunc --quiet ubuntu/bind9:<tag>
217+```
218+
219+
220diff --git a/data/bind9.yaml b/data/bind9.yaml
221new file mode 100644
222index 0000000..ce30737
223--- /dev/null
224+++ b/data/bind9.yaml
225@@ -0,0 +1,40 @@
226+application: Bind9
227+main: true
228+repo: bind9
229+description: >
230+ BIND 9 provides software for Domain Name System (DNS) management including both defining domain names authoritatively for a given DNS zone, and recursively resolving domain names to their IP addresses.
231+ In addition to BIND 9's DNS server itself, `named`, this container also includes tools for performing DNS queries and dynamic updates.
232+ Read more on the [BIND 9 website](https://www.isc.org/bind/).
233+version: "9.16.15"
234+base: Ubuntu 21.10
235+architectures:
236+ - amd64
237+ - arm64
238+ - ppc64el
239+ - s390x
240+docker:
241+ parameters:
242+ - -p 30053:53
243+ access: Access your Bind9 server at `localhost:30053`
244+parameters:
245+ - type: -e
246+ value: TZ=UTC
247+ description: Timezone.
248+ - type: -p
249+ value: 30053:53
250+ description: Expose bind9 on `localhost:30053`.
251+ - type: -v
252+ value: /path/to/bind/configuration:/etc/bind/named.conf
253+ description: Local [configuration file](https://bind9.readthedocs.io/en/latest/reference.html) `named.conf` (try [this example](https://git.launchpad.net/~canonical-server/ubuntu-docker-images/+git/bind9/plain/examples/caching-nameserver/named.conf.options)).
254+ - type: -v
255+ value: /path/to/cached/data:/var/cache/bind
256+ description: Location where locally cached data can be dumped.
257+ - type: -v
258+ value: /path/to/resource/records:/var/lib/bind
259+ description: Location of Resource Records defining various domain information.
260+debug:
261+ - nothing
262+microk8s:
263+ deploy:
264+ link: https://git.launchpad.net/~canonical-server/ubuntu-docker-images/+git/bind9/plain/examples/bind9-deployment.yml
265+ access: You will now be able to connect to the Bind9 server on localhost:30053`.
266diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
267new file mode 100755
268index 0000000..c0cf2fd
269--- /dev/null
270+++ b/docker-entrypoint.sh
271@@ -0,0 +1,20 @@
272+#!/bin/bash
273+set -e
274+
275+# allow arguments to be passed to named
276+if [[ "${1:0:1}" == '-' ]]; then
277+ EXTRA_ARGS="${*}"
278+ set --
279+elif [[ "${1}" == "named" || "${1}" == "$(command -v named)" ]]; then
280+ EXTRA_ARGS="${*:2}"
281+ set --
282+fi
283+
284+# default behaviour is to launch named
285+if [[ -z "${1}" ]]; then
286+ echo "Starting named..."
287+ echo "exec $(which named) -g \"${EXTRA_ARGS}\""
288+ exec $(command -v named) -g ${EXTRA_ARGS}
289+else
290+ exec "${@}"
291+fi
292diff --git a/examples/README.md b/examples/README.md
293new file mode 100644
294index 0000000..d69b8a8
295--- /dev/null
296+++ b/examples/README.md
297@@ -0,0 +1,43 @@
298+# Running the examples
299+
300+## docker-compose
301+
302+Install `docker-compose` from the Ubuntu archive:
303+
304+```
305+$ sudo apt install -y docker-compose
306+```
307+
308+Call `docker-compose` from the examples directory:
309+
310+```
311+$ docker-compose up -f docker-compose.yml -d
312+```
313+
314+Bind9 will be listening on port `53` in your host. To stop it run:
315+
316+```
317+$ docker-compose -f docker.compose.yml down
318+```
319+
320+# Microk8s
321+
322+Install microk8s from snap:
323+
324+```
325+$ snap install microk8s --classic
326+```
327+
328+With microk8s running, enable the `dns` and `storage` add-ons:
329+
330+```
331+$ microk8s enable dns storage
332+```
333+
334+Apply the `microk8s-deployments.yml`:
335+
336+```
337+$ microk8s kubectl apply -f microk8s-deployments.yml
338+```
339+
340+Bind9 will be listening on port `53` in your host.
341diff --git a/examples/bind9-deployment.yml b/examples/bind9-deployment.yml
342new file mode 100644
343index 0000000..72cc563
344--- /dev/null
345+++ b/examples/bind9-deployment.yml
346@@ -0,0 +1,35 @@
347+---
348+apiVersion: v1
349+kind: Service
350+metadata:
351+ name: bind9-service
352+ labels:
353+ app: bind9
354+spec:
355+ selector:
356+ app: bind9
357+ ports:
358+ - port: 53
359+---
360+apiVersion: apps/v1
361+kind: Deployment
362+metadata:
363+ name: bind9-deployment
364+spec:
365+ replicas: 1
366+ selector:
367+ matchLabels:
368+ app: bind9
369+ template:
370+ metadata:
371+ labels:
372+ app: bind9
373+ spec:
374+ containers:
375+ - name: bind9
376+ image: ubuntu/bind9:edge
377+ env:
378+ ports:
379+ - containerPort: 53
380+ name: bind9
381+ protocol: TCP
382diff --git a/examples/caching-nameserver/README.md b/examples/caching-nameserver/README.md
383new file mode 100644
384index 0000000..7709c01
385--- /dev/null
386+++ b/examples/caching-nameserver/README.md
387@@ -0,0 +1,24 @@
388+## Caching Nameserver
389+
390+When configured as a caching nameserver BIND9 will find the answer to name queries and remember the answer when the domain is queried again.
391+
392+The default configuration acts as a caching server. Simply uncomment and edit `/etc/bind/named.conf.options` to set the IP addresses of your ISP’s DNS servers:
393+
394+```
395+forwarders {
396+ 1.2.3.4;
397+ 5.6.7.8;
398+};
399+```
400+
401+> ** Note**
402+>
403+> Replace `1.2.3.4` and `5.6.7.8` with the IP Addresses of actual nameservers.
404+
405+To enable the new configuration, restart the DNS server. From a terminal prompt:
406+
407+ sudo systemctl restart bind9.service
408+
409+See [dig](https://ubuntu.com/server/docs/service-domain-name-service-dns#heading--dns-primarymaster-configuration) for information on testing a caching DNS server.
410+
411+For full documentation about configuring Ubuntu's bind9 service, please see the [Ubuntu Server Guide - Domain Name Service](https://ubuntu.com/server/docs/service-domain-name-service-dns).
412diff --git a/examples/caching-nameserver/named.conf.options b/examples/caching-nameserver/named.conf.options
413new file mode 100644
414index 0000000..f989298
415--- /dev/null
416+++ b/examples/caching-nameserver/named.conf.options
417@@ -0,0 +1,26 @@
418+options {
419+ directory "/var/cache/bind";
420+
421+ // If there is a firewall between you and nameservers you want
422+ // to talk to, you may need to fix the firewall to allow multiple
423+ // ports to talk. See http://www.kb.cert.org/vuls/id/800113
424+
425+ // If your ISP provided one or more IP addresses for stable
426+ // nameservers, you probably want to use them as forwarders.
427+ // Uncomment the following block, and insert the addresses replacing
428+ // the all-0's placeholder.
429+
430+ // Set the IP addresses of your ISP's DNS servers:
431+ // forwarders {
432+ // 1.2.3.4;
433+ // 5.6.7.8;
434+ // };
435+
436+ //========================================================================
437+ // If BIND logs error messages about the root key being expired,
438+ // you will need to update your keys. See https://www.isc.org/bind-keys
439+ //========================================================================
440+ dnssec-validation auto;
441+
442+ listen-on-v6 { any; };
443+};
444diff --git a/examples/docker-compose.yml b/examples/docker-compose.yml
445new file mode 100644
446index 0000000..c28d76d
447--- /dev/null
448+++ b/examples/docker-compose.yml
449@@ -0,0 +1,7 @@
450+version: '3'
451+
452+services:
453+ bind9:
454+ image: ubuntu/bind9:edge
455+ ports:
456+ - '53:53'

Subscribers

People subscribed via source and target branches