fickit: include local pkg
parent
bcbf5b35cf
commit
5d644fa366
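--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,3 @@
+FROM alpine:latest
+
+COPY init.sh /init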
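Review bot: `FROM alpine:latest` on the first line leaves the boot image unpinned, so a rebuild can silently pick up a different base (and a different busybox/musl) than was tested; pin a tag, and for release builds a digest, e.g. `FROM alpine:<pinned-version>`. The same defect appears in the sshd Dockerfile (`FROM alpine:latest AS mirror`) and, as a fully untagged `FROM alpine AS mirror`, in the mdadm, syslinux and unbound Dockerfiles later in this commit. `COPY init.sh /init` keeps whatever mode init.sh has in the build context, so the initramfs will not start if that file is checked in without the execute bit; `COPY --chmod=0755 init.sh /init` makes the requirement explicit.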
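--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1 @@
+image: boot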
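--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# /proc/cmdline parser (from Gentoo Wiki)
+cmdline() {
+local value
+value=" $(cat /proc/cmdline) "
+value="${value##* $1=}"
+value="${value%% *}"
+[ "$value" != "" ] && echo "$value"
+}
+
+mount -t devtmpfs none /dev
+mount -t proc none /proc
+
+mount -o ro /dev/sda1 /boot
+
+mount -o loop -t squashfs /boot/imgs/$(cmdline root) /mnt || /bin/sh
+
+umount /dev
+umount /proc
+mount --move /boot /mnt/boot
+
+# Switch
+exec switch_root /mnt /init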
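Review bot: The `root=` value read from /proc/cmdline is spliced unquoted and unvalidated into the mount at `mount -o loop -t squashfs /boot/imgs/$(cmdline root) /mnt || /bin/sh`, so a value containing spaces splits the argument list and a value containing `/` or `..` selects a file outside /boot/imgs. Quote it and reject such values first, e.g. `img="$(cmdline root)"` followed by `case "$img" in ''|*/*|..*) echo "init: bad root= value" >&2; exec /bin/sh;; esac`, then mount `"/boot/imgs/$img"`. The `|| /bin/sh` fallback hands an interactive root shell to whoever holds the console whenever the mount fails; if that is the intended recovery path for this build, a comment should say so. `mount -o ro /dev/sda1 /boot` hard-codes the boot device even though the script already has a cmdline parser it could derive it from.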
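--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,11 @@
+FROM alpine AS mirror
+
+RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
+RUN apk add --no-cache --initdb -p /out \
+mdadm
+RUN rm -rf /out/etc/apk /out/lib/apk /out/var/cache
+
+FROM scratch
+COPY --from=mirror /out/ /
+COPY etc/ /etc/
+CMD ["/sbin/mdadm", "--monitor", "--scan"]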
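--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,10 @@
+image: mdadm
+network: true
+config:
+binds:
+- /dev:/dev
+capabilities:
+- CAP_SYS_ADMIN
+- CAP_MKNOD
+net: new
+ipc: new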
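--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+mdadm --assemble /dev/md0 /dev/sda3 /dev/sdb3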
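Review bot: `mdadm --assemble /dev/md0 /dev/sda3 /dev/sdb3` hard-codes the member devices and the script discards the command's exit status (no `set -e`, no `exec`), so on a host with different disk naming it quietly does nothing and whatever runs this script cannot tell. If an `/etc/mdadm.conf` is shipped (the mdadm Dockerfile's `COPY etc/ /etc/` suggests one, though its contents are not in this commit), `exec mdadm --assemble --scan` would assemble whatever that file describes and propagate the result; otherwise at least `exec` the command so a failure is visible to the caller.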
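--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,26 @@
+FROM alpine:latest AS mirror
+
+RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
+RUN apk add --no-cache --initdb -p /out \
+alpine-baselayout \
+apk-tools \
+busybox \
+ca-certificates \
+musl \
+openssh-server \
+openssh-client \
+rsync \
+tini \
+util-linux \
+&& true
+#RUN mv /out/etc/apk/repositories.upstream /out/etc/apk/repositories
+
+FROM scratch
+ENTRYPOINT []
+WORKDIR /
+COPY --from=mirror /out/ /
+COPY etc/ /etc/
+COPY usr/ /usr/
+RUN mkdir -p /etc/ssh /root/.ssh && chmod 0700 /root/.ssh
+CMD ["/sbin/tini", "/usr/bin/ssh.sh"]
+LABEL org.mobyproject.config='{"pid": "host", "binds": ["/root/.ssh:/root/.ssh", "/etc/resolv.conf:/etc/resolv.conf", "/run:/run", "/tmp:/tmp", "/etc:/hostroot/etc", "/usr/bin/ctr:/usr/bin/ctr", "/usr/bin/runc:/usr/bin/runc", "/containers:/containers","/var/log:/var/log","/dev:/dev","/sys:/sys"], "capabilities": ["all"]}'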
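Review bot: The `org.mobyproject.config` label grants `"capabilities": ["all"]`, `"pid": "host"` and binds the host's `/dev`, `/sys`, `/run`, `/etc` and the `runc`/`ctr` binaries, so anyone who authenticates to this sshd is root on the host; that is presumably the point of an admin sshd, but it should be stated in a comment above the label so nobody later reuses the package in a non-admin image. Because `/root/.ssh:/root/.ssh` is in that bind list, the `chmod 0700 /root/.ssh` on the `RUN mkdir -p /etc/ssh /root/.ssh && chmod 0700 /root/.ssh` line only affects the image layer and is hidden by the host directory at runtime — host-side ownership and mode are what sshd's StrictModes will check; a comment such as `# /root/.ssh is bind-mounted from the host at runtime; host permissions govern` would prevent a false sense of hardening. Unlike the other package Dockerfiles in this commit, the mirror stage here never removes `/out/etc/apk` and `/out/lib/apk`, and the package list ends in `&& true`; if keeping apk-tools and its database in the final image is deliberate, say so in a comment.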
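--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,2 @@
+image: rsync
+network: true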
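--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,4 @@
+Welcome to LinuxKit!
+
+NOTE: This system is namespaced.
+The namespace you are currently in may not be the root.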
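--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1 @@
+export PS1="(ns: sshd) $PS1"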
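--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,144 @@
+# $OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/bin:/usr/bin:/sbin:/usr/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# The default requires explicit activation of protocol 1
+#Protocol 2
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 1024
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+#UsePAM no
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation sandbox
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Default of no subsystems
+#Subsystem sftp /usr/lib/ssh/sftp-server
+
+# the following are HPN related configuration options
+# tcp receive buffer polling. disable in non autotuning kernels
+#TcpRcvBufPoll yes
+
+# disable hpn performance boosts
+#HPNDisabled no
+
+# buffer size for hpn to non-hpn connections
+#HPNBufferSize 2048
+
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server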
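Review bot: `PermitRootLogin` is left at its commented default (`#PermitRootLogin prohibit-password`), yet root is the only account this image serves and, given the host binds and capabilities the sshd Dockerfile grants, root here is root on the host; make the policy explicit with `PermitRootLogin prohibit-password` next to the already explicit `PasswordAuthentication no` and `ChallengeResponseAuthentication no`, so the effective setting no longer depends on the distribution's compiled-in default. The protocol-1 sections (`#HostKey /etc/ssh/ssh_host_key`, `#KeyRegenerationInterval 1h`, `#ServerKeyBits 1024`, `#RSAAuthentication yes`, `#RhostsRSAAuthentication no`) and the HPN block refer to options that OpenSSH releases after this 2016 template no longer recognise; dropping them would let the file read as the actual policy rather than a vendor sample. For an admin endpoint, `#AllowTcpForwarding yes`, `#AllowAgentForwarding yes` and `#PermitTunnel no` are also worth deciding explicitly and commenting.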
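--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+KEYS=$(find /etc/ssh -name 'ssh_host_*_key')
+[ -z "$KEYS" ] && ssh-keygen -A >/dev/null 2>/dev/null
+
+exec /usr/sbin/sshd -D -e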
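Review bot: `[ -z "$KEYS" ] && ssh-keygen -A >/dev/null 2>/dev/null` generates host keys into the container's own `/etc/ssh`, and per the sshd Dockerfile's bind list the host `/etc` is mounted at `/hostroot/etc`, not at `/etc/ssh`, so unless `etc/` in the build context already ships keys (not visible in this commit) a fresh host key is produced on every container start; clients then see a changed host key each time and lose the ability to detect a genuine impersonation. Generate the keys into a host-persisted directory (or bind one onto `/etc/ssh`) and state in a comment where the keys live. The `2>/dev/null` also hides a failing `ssh-keygen`, after which `exec /usr/sbin/sshd -D -e` fails with a less useful message; drop the stderr redirect so the cause is logged.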
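--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,10 @@
+FROM alpine AS mirror
+
+RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
+RUN apk add --no-cache --initdb -p /out \
+dosfstools \
+syslinux
+RUN rm -rf /out/etc/apk /out/lib/apk /out/var/cache
+
+FROM scratch
+COPY --from=mirror /out/ /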
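--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,8 @@
+image: syslinux
+network: true
+config:
+binds:
+- /dev:/dev
+capabilities:
+- CAP_SYS_ADMIN
+ipc: new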
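--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,11 @@
+FROM alpine AS mirror
+
+RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
+RUN apk add --no-cache --initdb -p /out \
+unbound
+RUN rm -rf /out/etc/apk /out/lib/apk /out/var/cache
+RUN wget -O /out/etc/unbound/root.hints ftp://ftp.internic.net/domain/named.cache
+
+FROM scratch
+COPY --from=mirror /out/ /
+COPY etc/unbound/ /etc/unbound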
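Review bot: `RUN wget -O /out/etc/unbound/root.hints ftp://ftp.internic.net/domain/named.cache` pulls the resolver's root hints over unauthenticated FTP with no integrity check at build time, so a tampered or truncated download silently becomes the root server list baked into the image. Fetch it over HTTPS — the shipped unbound.conf itself names `https://www.internic.net/domain/named.cache` as the source — and verify a checksum, or vendor the file into `etc/unbound/` and `COPY` it with the config; on BuildKit `ADD --checksum=sha256:<expected-digest> <https-url> /out/etc/unbound/root.hints` does the fetch and the verification in one step. The unbound.conf in this commit also references `root-anchors.txt` via `trust-anchor-file`, which nothing here fetches, so it must come from `etc/unbound/`; a comment listing what that directory is expected to contain would help the next maintainer.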
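--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,8 @@
+image: unbound
+network: true
+config:
+capabilities:
+- CAP_NET_BIND_SERVICE
+ipc: new
+pid: new
+uts: new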
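--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,132 @@
+server:
+verbosity: 1
+
+# number of threads to create. 1 disables threading.
+# num-threads: 1
+
+# specify the interfaces to answer queries from by ip-address.
+interface: 0.0.0.0
+interface: ::0
+
+# Detach from the terminal, run in background, "yes" or "no".
+# Set the value to "no" when unbound runs as systemd service.
+do-daemonize: no
+
+# control which clients are allowed to make (recursive) queries
+# to this server. Specify classless netblocks with /size and action.
+# By default everything is refused, except for localhost.
+# Choose deny (drop message), refuse (polite error reply),
+# allow (recursive ok), allow_snoop (recursive and nonrecursive ok)
+# deny_non_local (drop queries unless can be answered from local-data)
+# refuse_non_local (like deny_non_local but polite error reply).
+#access-control: 172.23.0.0/16 allow
+
+# if given, user privileges are dropped (after binding port),
+# and the given username is assumed. Default is user "unbound".
+# If you give "" no privileges are dropped.
+# username: "unbound"
+
+# print one line with time, IP, name, type, class for every query.
+# log-queries: no
+log-queries: yes
+
+# print one line per reply, with time, IP, name, type, class, rcode,
+# timetoresolve, fromcache and responsesize.
+# log-replies: no
+log-replies: yes
+
+# log the local-zone actions, like local-zone type inform is enabled
+# also for the other local zone types.
+# log-local-actions: no
+
+# print log lines that say why queries return SERVFAIL to clients.
+log-servfail: yes
+
+# file to read root hints from.
+# get one from https://www.internic.net/domain/named.cache
+# root-hints: ""
+root-hints: "root.hints"
+
+# enable to not answer id.server and hostname.bind queries.
+# hide-identity: no
+hide-identity: yes
+
+# enable to not answer version.server and version.bind queries.
+# hide-version: no
+hide-version: yes
+
+# enable to not answer trustanchor.unbound queries.
+# hide-trustanchor: no
+
+# Sent minimum amount of information to upstream servers to enhance
+# privacy. Only sent minimum required labels of the QNAME and set QTYPE
+# to NS when possible.
+qname-minimisation: yes
+
+# Enforce privacy of these addresses. Strips them away from answers.
+# It may cause DNSSEC validation to additionally mark it as bogus.
+# Protects against 'DNS Rebinding' (uses browser as network proxy).
+# Only 'private-domain' and 'local-data' names are allowed to have
+# these private addresses. No default.
+# private-address: 10.0.0.0/8
+# private-address: 172.16.0.0/12
+# private-address: 192.168.0.0/16
+# private-address: 169.254.0.0/16
+# private-address: fd00::/8
+# private-address: fe80::/10
+# private-address: ::ffff:0:0/96
+
+# if yes, Unbound rotates RRSet order in response.
+rrset-roundrobin: yes
+
+# if yes, Unbound doesn't insert authority/additional sections
+# into response messages when those sections are not required.
+minimal-responses: yes
+
+# true to disable DNSSEC lameness check in iterator.
+# disable-dnssec-lame-check: no
+
+# module configuration of the server. A string with identifiers
+# separated by spaces. Syntax: "[dns64] [validator] iterator"
+module-config: "validator iterator"
+
+# File with trusted keys, kept uptodate using RFC5011 probes,
+# initial file like trust-anchor-file, then it stores metadata.
+# Use several entries, one per domain name, to track multiple zones.
+#
+# If you want to perform DNSSEC validation, run unbound-anchor before
+# you start unbound (i.e. in the system boot scripts). And enable:
+# Please note usage of unbound-anchor root anchor is at your own risk
+# and under the terms of our LICENSE (see that file in the source).
+#auto-trust-anchor-file: "var/root-anchors.txt"
+
+# trust anchor signaling sends a RFC8145 key tag query after priming.
+# trust-anchor-signaling: yes
+
+# File with DLV trusted keys. Same format as trust-anchor-file.
+# There can be only one DLV configured, it is trusted from root down.
+# DLV is going to be decommissioned. Please do not use it any more.
+# dlv-anchor-file: "dlv.isc.org.key"
+
+# File with trusted keys for validation. Specify more than one file
+# with several entries, one file per entry.
+# Zone file format, with DS and DNSKEY entries.
+# Note this gets out of date, use auto-trust-anchor-file please.
+# trust-anchor-file: "/etc/dnssec/root-anchors.txt"
+trust-anchor-file: "root-anchors.txt"
+
+# Trusted key for validation. DS or DNSKEY. specify the RR on a
+# single line, surrounded by "". TTL is ignored. class is IN default.
+# Note this gets out of date, use auto-trust-anchor-file please.
+# (These examples are from August 2007 and may not be valid anymore).
+# trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ=="
+# trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A"
+
+# Turn permissive mode on to permit bogus messages. Thus, messages
+# for which security checks failed will be returned to clients,
+# instead of SERVFAIL. It still performs the security checks, which
+# result in interesting log files and possibly the AD bit in
+# replies if the message is found secure. The default is off.
+#val-permissive-mode: yes
+
+include: /etc/unbound/unbound.d/*.conf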
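Review bot: `trust-anchor-file: "root-anchors.txt"` selects the static anchor that the file's own comment a few lines above warns "gets out of date"; after a root KSK rollover a stale anchor makes every validated answer SERVFAIL, so either switch to `auto-trust-anchor-file` pointing at a writable, persisted path (the unbound runtime config in this commit gives the container no writable bind for one) or document how the shipped `root-anchors.txt` is kept current. `interface: 0.0.0.0` and `interface: ::0` bind every address while the only `access-control` line is commented out, so by the default the comment describes ("By default everything is refused, except for localhost") no other host is served; if other containers or hosts are the intended clients an explicit `access-control: <client-netblock> allow` is needed, and if not, the interface lines should be narrowed and the intent recorded in a comment. `log-queries: yes` and `log-replies: yes` record every client name lookup, which is a privacy and log-volume decision that deserves a comment stating it is intentional for this build.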