docker/unbound: unbound with modified unbound_exporter

Author: hanazuki

.github/workflows/docker-build-simple.libsonnet

@@ -0,0 +1,52 @@
+// Convention:
+//   Workflow definition: .github/workflow/docker-#{name}.yml
+//   Docker manifest docker/#{name}/Dockerfile
+//   ECR repository: #{name}
+
+function(name) {
+  name: std.format('docker-%s', name),
+  on: {
+    push: {
+      branches: ['master', 'test'],
+      paths: [
+        std.format('docker/%s/**', name),
+        std.format('.github/workflows/docker-%s.yml', name),
+      ],
+    },
+  },
+  jobs: {
+    build: {
+      name: 'build',
+      'runs-on': 'ubuntu-latest',
+      permissions: { 'id-token': 'write', contents: 'read' },
+      steps: [
+        { uses: 'docker/setup-qemu-action@v2' },
+        { uses: 'docker/setup-buildx-action@v2' },
+        {
+          uses: 'aws-actions/configure-aws-credentials@v1',
+          with: {
+            'aws-region': 'ap-northeast-1',
+            'role-to-assume': 'arn:aws:iam::005216166247:role/GhaDockerPush',
+            'role-skip-session-tagging': true,
+          },
+        },
+        {
+          uses: 'aws-actions/amazon-ecr-login@v1',
+          id: 'login-ecr',
+        },
+        {
+          uses: 'docker/build-push-action@v3',
+          with: {
+            context: std.format('{{defaultContext}}:docker/%s', name),
+            platforms: std.join(',', ['linux/arm64']),
+            tags: std.join(',', [
+              std.format('${{ steps.login-ecr.outputs.registry }}/%s:${{ github.sha }}', name),
+              std.format('${{ steps.login-ecr.outputs.registry }}/%s:latest', name),
+            ]),
+            push: true,
+          },
+        },
+      ],
+    },
+  },
+}

.github/workflows/docker-fluentd.jsonnet

@@ -1,47 +1 @@
-{
-  name: 'docker-fluentd',
-  on: {
-    push: {
-      branches: ['master', 'test'],
-      paths: [
-        'docker/fluentd/**',
-        '.github/workflows/docker-fluentd.jsonnet',
-      ],
-    },
-  },
-  jobs: {
-    build: {
-      name: 'build',
-      'runs-on': 'ubuntu-latest',
-      permissions: { 'id-token': 'write', contents: 'read' },
-      steps: [
-        { uses: 'docker/setup-qemu-action@v2' },
-        { uses: 'docker/setup-buildx-action@v2' },
-        {
-          uses: 'aws-actions/configure-aws-credentials@v1',
-          with: {
-            'aws-region': 'ap-northeast-1',
-            'role-to-assume': 'arn:aws:iam::005216166247:role/GhaDockerPush',
-            'role-skip-session-tagging': true,
-          },
-        },
-        {
-          uses: 'aws-actions/amazon-ecr-login@v1',
-          id: 'login-ecr',
-        },
-        {
-          uses: 'docker/build-push-action@v3',
-          with: {
-            context: '{{defaultContext}}:docker/fluentd',
-            platforms: std.join(',', ['linux/arm64']),
-            tags: std.join(',', [
-              '${{ steps.login-ecr.outputs.registry }}/fluentd:${{ github.sha }}',
-              '${{ steps.login-ecr.outputs.registry }}/fluentd:latest',
-            ]),
-            push: true,
-          },
-        },
-      ],
-    },
-  },
-}
+(import './docker-build-simple.libsonnet')('fluentd')

.github/workflows/docker-unbound.jsonnet

@@ -0,0 +1 @@
+(import './docker-build-simple.libsonnet')('unbound')

.github/workflows/docker-unbound.yml

@@ -0,0 +1,54 @@
+{
+   "jobs": {
+      "build": {
+         "name": "build",
+         "permissions": {
+            "contents": "read",
+            "id-token": "write"
+         },
+         "runs-on": "ubuntu-latest",
+         "steps": [
+            {
+               "uses": "docker/setup-qemu-action@v2"
+            },
+            {
+               "uses": "docker/setup-buildx-action@v2"
+            },
+            {
+               "uses": "aws-actions/configure-aws-credentials@v1",
+               "with": {
+                  "aws-region": "ap-northeast-1",
+                  "role-skip-session-tagging": true,
+                  "role-to-assume": "arn:aws:iam::005216166247:role/GhaDockerPush"
+               }
+            },
+            {
+               "id": "login-ecr",
+               "uses": "aws-actions/amazon-ecr-login@v1"
+            },
+            {
+               "uses": "docker/build-push-action@v3",
+               "with": {
+                  "context": "{{defaultContext}}:docker/unbound",
+                  "platforms": "linux/arm64",
+                  "push": true,
+                  "tags": "${{ steps.login-ecr.outputs.registry }}/unbound:${{ github.sha }},${{ steps.login-ecr.outputs.registry }}/unbound:latest"
+               }
+            }
+         ]
+      }
+   },
+   "name": "docker-unbound",
+   "on": {
+      "push": {
+         "branches": [
+            "master",
+            "test"
+         ],
+         "paths": [
+            "docker/unbound/**",
+            ".github/workflows/docker-unbound.jsonnet"
+         ]
+      }
+   }
+}

unbound/Dockerfile

@@ -0,0 +1,20 @@
+FROM public.ecr.aws/docker/library/golang:1.19-bullseye as build
+
+RUN go install github.com/hanazuki/unbound_exporter@f275b66dd1eff4b7f225455c22cfae31fc9c95fc
+
+###
+
+FROM public.ecr.aws/debian/debian:bullseye-slim
+
+RUN apt-get update -qq && \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends unbound dns-root-data dumb-init
+
+COPY --from=build /go/bin/unbound_exporter /usr/local/bin/
+
+RUN /usr/lib/unbound/package-helper root_trust_anchor_update
+RUN rm /etc/unbound/unbound_*.key /etc/unbound/unbound_*.pem
+
+COPY entrypoint.sh /
+RUN chmod +x entrypoint.sh
+
+ENTRYPOINT ["dumb-init", "/entrypoint.sh"]

unbound/entrypoint.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+set -eu -o pipefail
+
+if [[ ${1:-} = /* ]]; then
+    exec "$@"
+fi
+
+conffile=/etc/unbound/unbound.conf
+for i in $(seq 1 $(( $# - 1 ))); do
+    if [[ ${!i} = -c ]]; then
+        : $(( ++i ))
+        conffile="${!i}"
+        break
+    fi
+done
+
+echo "conffile: $conffile"
+echo ====
+cat "$conffile"
+echo ====
+
+sock=$(unbound-checkconf -o control-interface "$conffile")
+if [[ $sock != /* ]]; then
+    echo "control-interface is expected to be an absolute path: $sock" >&2
+    exit 1
+fi
+
+/usr/local/bin/unbound_exporter --unbound.host "unix://$sock" &
+/usr/sbin/unbound "$@"