
[FR] Provide Dockerfile to build from source

Status: Open · pataquets opened this issue 2 years ago · 3 comments

Describe the desired feature

An official, built-in Dockerfile which allows building a Docker image directly from source. I wanted to try unbound, but building is quite an involved process for me, and my host OS' packages are quite outdated and do not reflect unbound's current code.

Potential use-case

  • Running: With a proper Dockerfile, you could just issue a docker build -t unbound github.com/NLnetLabs/unbound#master to locally build a Docker image ready to run with a simple docker run. No build tools needed, no packaging, not even cloning the repo! And it would be straight from source (any desired branch or tag).
  • Development: You can start hacking right away with just Docker installed, without needing any further toolchain on your system, since the only thing needed to test your code is docker build ...
  • Documentation: since the Dockerfile should install all required build tools, libraries and other packages, and would also require running all the required build commands, it would serve as a reference for the build process.

pataquets, May 22 '22 17:05
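One way the requested in-repo Dockerfile could look, as an added example that is not from the Unbound project or from this thread's participants. It builds the upstream git checkout in a multi-stage image; the Debian base image, the package list and the configure options are assumptions, not the project's documented build.

```dockerfile
# Added example, not the Unbound project's own Dockerfile.
# Stage 1: build Unbound from the upstream git source.
FROM debian:bookworm-slim AS build
# Branch or tag to build; matches the "github.com/NLnetLabs/unbound#master" idea above.
ARG UNBOUND_REF=master
# Assumed build dependencies (autotools build with OpenSSL, expat and libevent).
RUN apt-get update && apt-get install -y --no-install-recommends \
        build-essential git ca-certificates \
        libssl-dev libexpat1-dev libevent-dev flex bison \
    && rm -rf /var/lib/apt/lists/*
RUN git clone --depth 1 --branch "${UNBOUND_REF}" \
        https://github.com/NLnetLabs/unbound.git /src
WORKDIR /src
# Configure flags are assumptions; --with-username makes "unbound" the
# default unprivileged user the daemon drops to after binding port 53.
RUN ./configure --prefix=/usr --sysconfdir=/etc \
        --with-username=unbound --with-libevent \
    && make -j"$(nproc)" \
    && make DESTDIR=/out install

# Stage 2: minimal runtime image with only the shared libraries Unbound needs.
FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y --no-install-recommends \
        libssl3 libexpat1 libevent-2.1-7 ca-certificates \
    && rm -rf /var/lib/apt/lists/* \
    && useradd --system --no-create-home --shell /usr/sbin/nologin unbound
# Copy the installed tree (binaries, man pages, default unbound.conf) from stage 1.
COPY --from=build /out/ /
# Fetch the DNSSEC root trust anchor at build time; unbound-anchor exits 1
# when it had to write/update the anchor, which is not a failure here.
RUN chown unbound:unbound /etc/unbound \
    && (unbound-anchor -a /etc/unbound/root.key || true)
EXPOSE 53/tcp 53/udp
# Start as root so Unbound can bind port 53, then it drops to "unbound".
ENTRYPOINT ["unbound", "-d"]
```

Build with `docker build -t unbound .` and run with `docker run --rm -p 127.0.0.1:53:53/udp unbound`; the default example configuration only listens on localhost, so pass a custom unbound.conf via a bind mount for anything else.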

There are many unofficial Dockerfile projects compiling Unbound from source. Two among them:

  1. https://github.com/MatthewVance/unbound-docker maintained by @MatthewVance for 6 years
  2. https://github.com/jedisct1/dnscrypt-server-docker enhanced by @jedisct1 to automatically configure DNSCrypt v2, Anonymized DNS, DNS over HTTPS (DoH)...

olibre, Jun 07 '22 15:06

Thanks for the links, @olibre, much appreciated :smile:. I've reviewed MatthewVance's and it looks very good, indeed.

However, a Dockerfile present in the repo which allows building from source would be better in terms of trust, since third-party repos should be audited/verified in scenarios with strict security requirements on traceability. Also, they don't solve the development workflow either.

pataquets, Jun 07 '22 19:06

If you'd like to give it a shot, I would shamelessly suggest my Docker image (which is built with 💚 from source) when it comes to traceability and trust:

The image is completely built online via a GitHub Action with hardened runners and not locally on my systems. All components as well as the Internic files (root.hints and root.zone) are verified with their corresponding PGP keys and signature files if available to guarantee maximum security and trust.

Madnuttah's Unofficial Unbound Docker Image

Edit: If you'd like to read and learn about my motivation, here's a link to my HN post.

madnuttah, Jun 08 '22 06:06