add knot-secondary container

This commit is contained in:
Miraty 2024-12-19 15:50:52 +01:00
parent 30ffd732c3
commit bebfe9d6fb
15 changed files with 161 additions and 13 deletions

10
.gitignore vendored

@ -1,5 +1,4 @@
/*.tar.gz
/data/servnest.db
/logs/certbot/letsencrypt.log*
/data/certbot/live/*/*.pem
/data/certbot/archive/*/*.pem
@ -19,13 +18,22 @@
/logs/nginx/servnest-access.log
/logs/nginx/error.log
/logs/apache/error.log
/logs/knot/knot.log
/logs/knot-secondary/knot.log
/data/certbot/accounts/acme-staging-v02.api.letsencrypt.org/directory/*/*.json
/sock/knot/knot.pid
/sock/knot-secondary/knot.pid
/data/knot/*/*.mdb
/data/knot/keys/quic_key.pem
/data/knot/keys/keys/*.pem
/data/knot/servnest.test.invalid.zone
/data/knot-secondary/*.zone
/data/knot-secondary/*/*.mdb
/data/knot-secondary/keys/quic_key.pem
/tmp/tor/*
/tmp/cronie/cron.reboot
/tmp/php/exec.txt
/tmp/php/index.html
/tmp/php/sess_*
/tmp/php/cookie-*
/tmp/*/*.pid
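Review bot: The secondary's `keys/keys` directory is not covered by this hunk, although reset.sh deletes `data/knot-secondary/keys/keys/*.pem` and permissions.sh creates and chmods that path, while the primary's equivalent `/data/knot/keys/keys/*.pem` is ignored here. If the secondary ever writes key material into that directory it would end up committed; adding `/data/knot-secondary/keys/keys/*.pem` keeps the two ignore lists parallel. Whether the secondary actually produces keys there cannot be told from this diff, since it is not configured to sign.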


@ -11,12 +11,7 @@ no_hosts=true
```
```shell
knotc --confdb data/knot/confdb conf-import conf/knot.conf
cp data/reg/servnest.test.zone.default data/reg/servnest.test.zone
cp data/reg/test.servnest.test.zone.default data/reg/test.servnest.test.zone
chmod u=rwX,g=rX,o=rX -R conf core
chmod u=rwX,g=rwX,o=rwX logs/sftpgo logs/php sock/php logs/apache logs/nginx sock/tor-client sock/nginx-onion sock/knot data/knot data/knot/confdb data/knot/confdb/*.mdb tmp/nginx tmp/certbot tmp/acme tmp/apache tmp/nginx-run tmp/php data/reg data/reg/*.zone core/db core/db/servnest.db
chmod u=rwX,g=rX,o= sock/tor-control
./reset.sh
wget https://dl-cdn.alpinelinux.org/alpine/v3.21/releases/x86_64/alpine-minirootfs-3.21.0-x86_64.tar.gz
wget https://github.com/drakkan/sftpgo/archive/refs/tags/v2.6.4.tar.gz -O sftpgo-v2.6.4.tar.gz
sha256sum -c sha256sums
@ -32,6 +27,8 @@ podman-compose build # build services images
### Run
```shell
podman-compose up knot knot-secondary # generate QUIC keys
./setup-xoq.sh # setup mutual XFR over QUIC
podman-compose up # start containers
podman-compose exec php php /srv/servnest/core/jobs/check.php # test main features
```


@ -39,13 +39,35 @@ services:
build:
dockerfile: knot.Containerfile
ports:
- "[::1]:42053:42053/udp"
- "[::1]:42053:42053/tcp"
- "[::1]:42053:53/udp"
- "[::1]:42053:53/tcp"
- "[::1]:42853:853/udp"
volumes:
- ./data/reg/:/srv/servnest/reg/:rw
- ./data/ns/:/srv/servnest/ns/:rw
- ./data/knot/:/var/lib/knot/:rw
- ./logs/knot/:/var/log/knot/:rw
- ./sock/knot/:/run/knot/:rw
networks:
snet:
ipv4_address: 10.5.0.51
knot-secondary:
extends:
file: base.yaml
service: base
build:
dockerfile: knot.Containerfile
ports:
- "[::1]:42054:53/udp"
- "[::1]:42054:53/tcp"
- "[::1]:42854:853/udp"
volumes:
- ./data/knot-secondary/:/var/lib/knot/:rw
- ./logs/knot-secondary/:/var/log/knot/:rw
- ./sock/knot-secondary/:/run/knot/:rw
networks:
snet:
ipv4_address: 10.5.0.52
apache:
extends:
file: base.yaml
@ -90,6 +112,7 @@ services:
- ./sock/tor-client/:/run/tor-client/:rw
- ./sock/tor-control/:/run/tor-control/:rw
- ./sock/knot/:/run/knot/:rw
- ./sock/knot-secondary/:/run/knot-secondary/:rw
- ./logs/php/:/var/log/php83/:rw
- ./logs/certbot/:/var/log/letsencrypt/:rw
- ./tmp/acme/:/srv/servnest/acme/:rw
@ -134,3 +157,10 @@ services:
- ./tmp/nginx/:/var/lib/nginx/tmp/:rw
- ./tmp/nginx-run/:/run/nginx/:rw
- ./tmp/acme/:/srv/servnest/acme/:ro
networks:
snet:
driver: bridge
ipam:
config:
- subnet: 10.5.0.0/16
gateway: 10.5.0.1
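Review bot: The new `./sock/knot-secondary/:/run/knot-secondary/:rw` mount under the php service hands the web application the secondary's control socket, i.e. `knotc`-level control over a second nameserver. Since the secondary is fed by the catalog zone (`catalog-role: interpret` in conf/knot-secondary.conf) and notified by the primary, nothing in this diff shows php needing to talk to the secondary at all; if it does not, dropping that mount keeps a php compromise from reaching both nameservers at once. If it is needed, `:ro` does not restrict a unix socket, so a comment above the line naming the consumer would at least document the trust boundary, e.g. `# control socket for the secondary: used by <job> to …`. The services section starts before this hunk, so there may be context I cannot see.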

33
conf/knot-secondary.conf Normal file

@ -0,0 +1,33 @@
server:
version: ""
nsid: ""
rundir: "/run/knot"
listen: [ "::@53", "0.0.0.0@53", "/run/knot/dns.sock" ]
listen-quic: [ "::@853", "0.0.0.0@853" ]
automatic-acl: "on"
log:
- target: stderr
any: warning
- target: "/var/log/knot/knot.log"
any: debug
database:
storage: "/var/lib/knot"
remote:
- id: "primary"
address: [ "10.5.0.51@853" ]
quic: on
cert-key: "0000000000000000000000000000000000000000000=" # will be replaced by setup-xoq.sh
template:
- id: "servnest"
storage: "/var/lib/knot"
master: "primary"
zone:
- domain: "servnest.test.invalid."
master: "primary"
catalog-role: interpret
catalog-template: "servnest"
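Review bot: The placeholder on `cert-key` deserves a comment stating the security intent rather than just "will be replaced": an all-zero pin cannot match a real certificate, so until setup-xoq.sh runs, transfers from `primary` over QUIC should fail closed instead of running unauthenticated — e.g. `cert-key: "000…=" # unmatchable placeholder: XFR fails closed until setup-xoq.sh installs the primary's real pin`. The `any: debug` file target is what setup-xoq.sh scrapes for the "certificate public key" line, so a note in the log stanza would stop someone from lowering the level and silently breaking the setup script. Minor style point: `catalog-role: interpret` is unquoted while conf/knot.conf writes `catalog-role: "generate"`; quoting it keeps the two files consistent.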


@ -2,12 +2,15 @@ server:
version: ""
nsid: ""
rundir: "/run/knot"
# user: "knot:knot"
listen: [ "::1@42053", "127.0.0.1@42053", "/run/knot/dns.sock" ]
listen: [ "::@53", "0.0.0.0@53", "/run/knot/dns.sock" ]
listen-quic: [ "::@853", "0.0.0.0@853" ]
automatic-acl: "on"
log:
- target: stderr
any: warning
- target: "/var/log/knot/knot.log"
any: debug
database:
storage: "/var/lib/knot"
@ -21,10 +24,16 @@ policy:
delete-delay: 60d
dnskey-management: "incremental"
remote:
- id: "secondary"
address: [ "10.5.0.52@853" ]
quic: on
cert-key: "1111111111111111111111111111111111111111111=" # will be replaced by setup-xoq.sh
template:
- id: "servnest"
storage: "/srv/servnest/ns"
file: "%s.zone"
notify: "secondary"
zonefile-load: "whole"
journal-content: "all"
dnssec-signing: "on"
@ -34,6 +43,7 @@ template:
zone:
- domain: "servnest.test.invalid."
notify: "secondary"
zonefile-load: "whole"
journal-content: "all"
catalog-role: "generate"
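Review bot: Replacing the loopback `::1@42053`/`127.0.0.1@42053` listeners with wildcard `::@53`/`0.0.0.0@53` (plus `listen-quic` on all interfaces) exposes the primary to every container on the `snet` bridge — php, apache, nginx, tor — not only to the secondary at 10.5.0.52, and `automatic-acl` still leaves the query port open to all of them. Because compose pins this container to 10.5.0.51, `listen: [ "10.5.0.51@53", "/run/knot/dns.sock" ]` and `listen-quic: [ "10.5.0.51@853" ]` would serve the secondary and the host port mappings without offering DNS/XFR endpoints to the other containers. Published ports normally reach the container on its bridge address, so this should still work, but verify it with the engine actually used before narrowing. The `server` and `template` stanzas begin outside this hunk.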


@ -1,4 +1,4 @@
FROM servnest-alpine
RUN apk add knot
RUN apk add knot knot-utils
USER knot
CMD ["knotd", "--confdb", "/var/lib/knot/confdb/"]
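Review bot: `RUN apk add knot knot-utils` adds knot-utils to the runtime image, but nothing in this commit invokes one of its binaries — setup-xoq.sh only uses `knotc`, which on Alpine ships with `knot` as far as I can tell — so if it is there for `kdig` debugging, a comment saying so would stop the next reader from assuming a runtime dependency. Either way, `RUN apk add --no-cache knot knot-utils` avoids baking the apk index into the layer. Version pinning is the usual follow-up for reproducible builds, but that applies to the pre-existing line as much as to this change.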

0
logs/knot/.gitkeep Normal file

42
permissions.sh Executable file

@ -0,0 +1,42 @@
#!/usr/bin/env bash
chmod u=rwX,g=rX,o=rX -R conf core
chmod u=rwX,g=rwX,o=rwX \
logs/sftpgo \
logs/php \
sock/php \
logs/apache \
logs/nginx \
logs/knot \
logs/knot-secondary \
sock/tor-client \
sock/nginx-onion \
sock/knot \
sock/knot-secondary \
data/ht/fs \
data/knot \
data/knot-secondary \
data/knot/journal \
data/knot-secondary/journal \
data/knot/confdb \
data/knot-secondary/confdb \
data/knot/confdb/*.mdb \
data/knot-secondary/confdb/*.mdb \
data/knot/keys \
data/knot-secondary/keys \
data/knot/keys/keys \
data/knot-secondary/keys/keys \
tmp/nginx \
tmp/certbot \
tmp/acme \
tmp/apache \
tmp/nsd \
tmp/nsd-run \
tmp/nsd-run/nsd \
tmp/nginx-run \
tmp/php \
data/reg \
data/reg/*.zone \
core/db \
core/db/servnest.db
chmod u=rwX,g=rX,o= sock/tor-control
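Review bot: `chmod u=rwX,g=rwX,o=rwX` is applied to `data/knot/keys`, `data/knot/keys/keys`, `data/knot-secondary/keys` and `data/knot-secondary/keys/keys`, which makes the host directories holding the QUIC private keys and (for the primary) the DNSSEC signing keys world-writable; any local user can then unlink or replace `quic_key.pem` or a signing key, which amounts to taking over the nameserver's identity even if the files themselves stay 0600. If the wide mode only exists so the container uid can write through a rootless bind mount, keep the key directories at `chmod u=rwX,g=rwX,o= data/knot/keys data/knot/keys/keys data/knot-secondary/keys data/knot-secondary/keys/keys` and fix the ownership mapping instead (e.g. `podman unshare chown`, or the engine's uid-mapping volume option if it has one). The script also has no `set -euo pipefail`, and `tmp/nsd`, `tmp/nsd-run` and `tmp/nsd-run/nsd` look like leftovers from an earlier nsd setup: a missing path makes chmod fail, the script carries on, and errors on the paths that matter are masked. The `*.mdb` and `*.zone` globs likewise expand to nothing until reset.sh has run, which is another silent failure mode.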

15
reset.sh Executable file

@ -0,0 +1,15 @@
#!/usr/bin/env bash
rm -f data/knot/*/*.mdb
rm -f data/knot/keys/keys/*.pem
rm -f data/knot/keys/quic_key.pem
rm -f data/reg/servnest.test.zone
rm -f data/reg/test.servnest.test.zone
rm -f data/knot-secondary/*/*.mdb
rm -f data/knot-secondary/keys/keys/*.pem
rm -f data/knot-secondary/keys/quic_key.pem
knotc --confdb data/knot/confdb conf-import conf/knot.conf
knotc --confdb data/knot-secondary/confdb conf-import conf/knot-secondary.conf
cp data/reg/servnest.test.zone.default data/reg/servnest.test.zone
cp data/reg/test.servnest.test.zone.default data/reg/test.servnest.test.zone
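Review bot: The two `knotc --confdb … conf-import` calls have no error handling, so if knotc is not on the host PATH or the confdb directory is not writable the script still copies the zone files and exits 0, leaving a stale or empty configuration database behind; `set -euo pipefail` after the shebang would surface that. A header comment should also say that this wipes the QUIC (and primary DNSSEC) private keys and re-imports both conf files, which reinstates the placeholder `cert-key` pins, so `./setup-xoq.sh` must be re-run after every reset — the README hunk does not make that dependency explicit. Whether `rm -f data/knot-secondary/keys/keys/*.pem` ever matches anything is unclear, since the secondary is not configured to sign.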

13
setup-xoq.sh Executable file

@ -0,0 +1,13 @@
#!/usr/bin/env bash
ENGINE="docker"
$ENGINE-compose exec knot-secondary knotc conf-begin
$ENGINE-compose exec knot-secondary knotc conf-unset remote[primary].cert-key
$ENGINE-compose exec knot-secondary knotc conf-set remote[primary].cert-key $($ENGINE-compose exec knot cat /var/log/knot/knot.log | grep "certificate public key" | cut -d " " -f 7 | tail -1)
$ENGINE-compose exec knot-secondary knotc conf-commit
$ENGINE-compose exec knot knotc conf-begin
$ENGINE-compose exec knot knotc conf-unset remote[secondary].cert-key
$ENGINE-compose exec knot knotc conf-set remote[secondary].cert-key $($ENGINE-compose exec knot-secondary cat /var/log/knot/knot.log | grep "certificate public key" | cut -d " " -f 7 | tail -1)
$ENGINE-compose exec knot knotc conf-commit
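Review bot: The script fails open: each pin is read with `grep "certificate public key" | cut -d " " -f 7 | tail -1` inside an unchecked command substitution, so if the log line is missing or formatted differently the `conf-set` receives an empty value and fails, but the preceding `conf-unset` has already removed the old pin and `conf-commit` then commits a remote with no `cert-key` — presumably leaving the QUIC transfer without peer authentication (confirm against the Knot documentation for an unset cert-key). Capture both pins first, refuse to touch the configuration when either is empty, and `conf-abort` when any step inside the transaction fails. `ENGINE="docker"` is also hard-coded while the README drives everything with `podman-compose`; `ENGINE="${ENGINE:-docker}"` lets the caller override it. If the installed Knot version offers `knotc status cert-key`, that would be a more robust source for the pin than scraping the debug log.

```shell
#!/usr/bin/env bash
set -eu
ENGINE="${ENGINE:-docker}"

# Read a container's QUIC certificate pin from its log; empty on failure.
pin_of() {
  "$ENGINE-compose" exec "$1" cat /var/log/knot/knot.log \
    | grep "certificate public key" | cut -d " " -f 7 | tail -1
}

PRIMARY_PIN="$(pin_of knot)"
SECONDARY_PIN="$(pin_of knot-secondary)"
if [ -z "$PRIMARY_PIN" ] || [ -z "$SECONDARY_PIN" ]; then
  echo "setup-xoq: could not read QUIC certificate pins from the logs" >&2
  exit 1
fi

# Replace remote[$2].cert-key on container $1 with pin $3 in one transaction;
# abort rather than commit a remote that has no pin.
set_pin() {
  "$ENGINE-compose" exec "$1" knotc conf-begin
  if ! "$ENGINE-compose" exec "$1" knotc conf-unset "remote[$2].cert-key" \
    || ! "$ENGINE-compose" exec "$1" knotc conf-set "remote[$2].cert-key" "$3"; then
    "$ENGINE-compose" exec "$1" knotc conf-abort
    exit 1
  fi
  "$ENGINE-compose" exec "$1" knotc conf-commit
}

set_pin knot-secondary primary "$PRIMARY_PIN"
set_pin knot secondary "$SECONDARY_PIN"
```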