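# Stage "builder": compiles a fully static, stripped, UPX-packed unbound binary
# and installs it under /tmp/unbound-install.
# NOTE(review): alpine:3 is a floating tag; pin a minor release and digest
# (alpine:3.<minor>@sha256:<digest>) so rebuilds are reproducible and auditable.
FROM alpine:3 AS builder
ARG TARGETARCH
ARG UNBOUND_VERSION=1.24.2
ARG UPX_VERSION=5.1.0
# Optional SHA-256 pins for the two externally sourced archives. Empty defaults
# keep existing builds working; release builds should pass both, e.g.
#   --build-arg UNBOUND_SHA256=<sha256 published with the unbound release>
#   --build-arg UPX_SHA256=<sha256 of the UPX release archive>
ARG UNBOUND_SHA256=""
ARG UPX_SHA256=""
RUN apk add --no-cache \
        autoconf \
        automake \
        build-base \
        ca-certificates \
        curl \
        expat-dev \
        expat-static \
        git \
        libevent-dev \
        libevent-static \
        libtool \
        linux-headers \
        musl-dev \
        openssl \
        openssl-dev \
        openssl-libs-static \
        wget \
        xz && \
    update-ca-certificates
WORKDIR /tmp
# The source tarball comes from the build context; verify it when a pin is
# supplied so a tampered or mismatched archive fails the build instead of
# being compiled into the image.
COPY unbound-${UNBOUND_VERSION}.tar.gz .
RUN if [ -n "${UNBOUND_SHA256}" ]; then \
        echo "${UNBOUND_SHA256}  unbound-${UNBOUND_VERSION}.tar.gz" | sha256sum -c -; \
    else \
        echo "WARNING: UNBOUND_SHA256 not set; unbound source tarball is not verified" >&2; \
    fi && \
    tar xzf unbound-${UNBOUND_VERSION}.tar.gz
# -f makes curl fail on an HTTP error instead of saving the error page as the
# archive. UPX runs in this stage and rewrites the shipped binary, so its
# archive is checked against UPX_SHA256 (when set) before being unpacked.
RUN curl -fsSL -o /tmp/upx.tar.xz "https://github.com/upx/upx/releases/download/v${UPX_VERSION}/upx-${UPX_VERSION}-${TARGETARCH}_linux.tar.xz" && \
    if [ -n "${UPX_SHA256}" ]; then \
        echo "${UPX_SHA256}  /tmp/upx.tar.xz" | sha256sum -c -; \
    else \
        echo "WARNING: UPX_SHA256 not set; UPX download is not verified" >&2; \
    fi && \
    tar -xJf /tmp/upx.tar.xz -C /tmp && \
    mv /tmp/upx-${UPX_VERSION}-${TARGETARCH}_linux/upx /usr/local/bin/upx && \
    chmod +x /usr/local/bin/upx && \
    rm -rf /tmp/upx*
# Remove the shared objects so the link step can only pick up the static
# archives. Keep this after the download above: tools such as curl may depend
# on these libraries at run time.
RUN rm -f /usr/lib/libssl.so* /usr/lib/libcrypto.so* /usr/lib/libevent.so* /usr/lib/libexpat.so*
WORKDIR /tmp/unbound-${UNBOUND_VERSION}
# Static, size-optimised build: per-function/data sections plus --gc-sections
# let the linker drop unused code, and -Wl,-s / strip remove symbols.
# NOTE(review): UPX packing hides the binary's contents from image scanners
# that inspect the ELF file; confirm the size saving is worth that trade-off.
RUN ./configure \
        --prefix=/usr \
        --sysconfdir=/etc \
        --localstatedir=/var \
        --with-pthreads \
        --with-libevent \
        --with-ssl=/usr \
        --enable-static \
        --disable-shared \
        --enable-fully-static \
        --disable-flto \
        --disable-rpath \
        CFLAGS="-Os -ffunction-sections -fdata-sections -static" \
        LDFLAGS="-static -Wl,--gc-sections -Wl,-s" && \
    make -j$(nproc) && \
    make install DESTDIR=/tmp/unbound-install && \
    strip -s /tmp/unbound-install/usr/sbin/unbound && \
    upx --best --lzma /tmp/unbound-install/usr/sbin/unbound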
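# Stage "builder-zig": cross-compiles the unbound-zig entrypoint wrapper.
# --platform=$BUILDPLATFORM runs the compiler natively on the build host; the
# target architecture is selected with -target below.
# NOTE(review): watchdg/zig is a third-party image referenced by a mutable tag,
# and it produces the binary that becomes the container's ENTRYPOINT. Pin it by
# digest (watchdg/zig:v0.15.2@sha256:<digest>) or mirror it into a registry you
# control.
FROM --platform=$BUILDPLATFORM watchdg/zig:v0.15.2 AS builder-zig
ARG TARGETOS
ARG TARGETARCH
WORKDIR /build
COPY unbound-zig.zig .
# Map Docker's architecture names to the names used in the zig target triple;
# any other value is passed through unchanged. The triple is quoted so the
# expansion always reaches zig as a single argument.
RUN case "${TARGETARCH}" in \
        amd64) ARCH="x86_64" ;; \
        arm64) ARCH="aarch64" ;; \
        *) ARCH="${TARGETARCH}" ;; \
    esac && \
    zig build-exe \
        unbound-zig.zig \
        -O ReleaseSmall \
        -target "${ARCH}-${TARGETOS}-musl" \
        -lc \
        -fstrip \
        --name unbound-zig && \
    cp unbound-zig /unbound-zig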
# Stage "scratch-prepare": builds the few filesystem entries the scratch image
# cannot create for itself (no shell there): a passwd/group pair holding only
# the unprivileged "unbound" account (uid/gid 1000, nologin shell) and the
# empty /etc/unbound and /var/unbound directories.
# Runs on the build platform because only plain files and directories are
# copied out of it.
FROM --platform=$BUILDPLATFORM alpine:3 AS scratch-prepare
RUN mkdir -p /etc/unbound /var/unbound && \
    printf '%s\n' "unbound:x:1000:1000:unbound user:/:/sbin/nologin" > /etc/passwd && \
    printf '%s\n' "unbound:x:1000:" > /etc/group
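# Final image: scratch plus the two static binaries, the CA bundle, the
# account files and the config template. It contains no shell or package
# manager.
FROM scratch
COPY --from=scratch-prepare /etc/passwd /etc/passwd
COPY --from=scratch-prepare /etc/group /etc/group
# Directories owned by the service account (uid/gid 1000), which runs as
# non-root and would otherwise be unable to write into them.
COPY --from=scratch-prepare --chown=1000:1000 /etc/unbound /etc/unbound
COPY --from=scratch-prepare --chown=1000:1000 /var/unbound /var/unbound
# Executables stay root-owned (no --chown): the service account only needs to
# read and execute them, so a compromised process cannot overwrite its own
# binaries.
COPY --from=builder /tmp/unbound-install/usr/sbin/unbound /usr/sbin/unbound
COPY --from=builder-zig /unbound-zig /unbound-zig
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
COPY --chown=1000:1000 unbound/unbound.conf /etc/unbound/unbound.conf.template
# Point TLS clients at the copied CA bundle; there is no system trust store
# in a scratch image.
ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt \
    SSL_CERT_DIR=/etc/ssl/certs
# Drop privileges before the entrypoint runs. 5353 is an unprivileged port, so
# the non-root user can bind it without extra capabilities.
USER unbound
EXPOSE 5353/udp 5353/tcp
ENTRYPOINT ["/unbound-zig"]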