fickit: include local pkg
This commit is contained in:
parent
bcbf5b35cf
commit
5d644fa366
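--- /dev/null
+++ b/PATH-NOT-SHOWN-1
@@ -0,0 +1,3 @@
+FROM alpine:latest
+
+COPY init.sh /init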
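Review bot: `FROM alpine:latest` on the first line is an unpinned, moving base, and the same applies to the bare `FROM alpine AS mirror` in the mdadm, syslinux and unbound Dockerfiles and to `FROM alpine:latest AS mirror` in the sshd one, so rebuilding any of these images on a different day yields different package contents. Pin a specific release tag in all four, e.g. `FROM alpine:<tested release>` (placeholder — use the release actually built against), or a digest, so the boot image is reproducible. A one-line comment naming the reason for the pin will keep the next contributor from reverting it to `latest`.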
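--- /dev/null
+++ b/PATH-NOT-SHOWN-2
@@ -0,0 +1 @@
+image: boot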
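--- /dev/null
+++ b/PATH-NOT-SHOWN-3
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# /proc/cmdline parser (from Gentoo Wiki)
+cmdline() {
+local value
+value=" $(cat /proc/cmdline) "
+value="${value##* $1=}"
+value="${value%% *}"
+[ "$value" != "" ] && echo "$value"
+}
+
+mount -t devtmpfs none /dev
+mount -t proc none /proc
+
+mount -o ro /dev/sda1 /boot
+
+mount -o loop -t squashfs /boot/imgs/$(cmdline root) /mnt || /bin/sh
+
+umount /dev
+umount /proc
+mount --move /boot /mnt/boot
+
+# Switch
+exec switch_root /mnt /init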
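Review bot: `mount -o loop -t squashfs /boot/imgs/$(cmdline root) /mnt || /bin/sh` interpolates the `root=` value from the kernel command line unquoted and without checking that it was found; when `root=` is absent `cmdline` prints nothing and the mount is attempted on the directory `/boot/imgs/`, and a value containing spaces is split into extra arguments. Capture and validate it first: `root=$(cmdline root)`, `[ -n "$root" ] || /bin/sh`, then `mount -o loop -t squashfs "/boot/imgs/$root" /mnt || /bin/sh`. The `|| /bin/sh` fallback hands out an unauthenticated root shell on any mount failure, which is a deliberate rescue path for an initramfs but should be stated in a comment, e.g. `# on failure drop to a rescue shell rather than panic the kernel`.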
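--- /dev/null
+++ b/PATH-NOT-SHOWN-4
@@ -0,0 +1,11 @@
+FROM alpine AS mirror
+
+RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
+RUN apk add --no-cache --initdb -p /out \
+mdadm
+RUN rm -rf /out/etc/apk /out/lib/apk /out/var/cache
+
+FROM scratch
+COPY --from=mirror /out/ /
+COPY etc/ /etc/
+CMD ["/sbin/mdadm", "--monitor", "--scan"]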
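Review bot: `RUN rm -rf /out/etc/apk /out/lib/apk /out/var/cache` deletes the installed-package database under `/lib/apk/db`, so vulnerability scanners that enumerate packages from it see the final image as containing nothing, and nothing in the running image records what was installed; the same line appears in the syslinux and unbound Dockerfiles. If the goal is size, remove only `/out/var/cache` and `/out/etc/apk` and keep `/out/lib/apk/db`, or record the trade-off with a comment such as `# drops the apk db: packages in this image are not enumerable by scanners`. `mdadm` is also installed without a pinned version, which compounds the unpinned base.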
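--- /dev/null
+++ b/PATH-NOT-SHOWN-5
@@ -0,0 +1,10 @@
+image: mdadm
+network: true
+config:
+binds:
+- /dev:/dev
+capabilities:
+- CAP_SYS_ADMIN
+- CAP_MKNOD
+net: new
+ipc: new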
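--- /dev/null
+++ b/PATH-NOT-SHOWN-6
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+mdadm --assemble /dev/md0 /dev/sda3 /dev/sdb3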
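Review bot: `mdadm --assemble /dev/md0 /dev/sda3 /dev/sdb3` hard-codes the member devices and ignores the exit status, so a machine whose disks enumerate differently silently ends up with no array. `mdadm --assemble --scan` driven by an `/etc/mdadm.conf` (which the mdadm Dockerfile's `COPY etc/ /etc/` could ship) would decouple assembly from device names; at minimum add `# assumes two-disk layout: third partition of sda and sdb forms md0` so the assumption is visible.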
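--- /dev/null
+++ b/PATH-NOT-SHOWN-7
@@ -0,0 +1,26 @@
+FROM alpine:latest AS mirror
+
+RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
+RUN apk add --no-cache --initdb -p /out \
+alpine-baselayout \
+apk-tools \
+busybox \
+ca-certificates \
+musl \
+openssh-server \
+openssh-client \
+rsync \
+tini \
+util-linux \
+&& true
+#RUN mv /out/etc/apk/repositories.upstream /out/etc/apk/repositories
+
+FROM scratch
+ENTRYPOINT []
+WORKDIR /
+COPY --from=mirror /out/ /
+COPY etc/ /etc/
+COPY usr/ /usr/
+RUN mkdir -p /etc/ssh /root/.ssh && chmod 0700 /root/.ssh
+CMD ["/sbin/tini", "/usr/bin/ssh.sh"]
+LABEL org.mobyproject.config='{"pid": "host", "binds": ["/root/.ssh:/root/.ssh", "/etc/resolv.conf:/etc/resolv.conf", "/run:/run", "/tmp:/tmp", "/etc:/hostroot/etc", "/usr/bin/ctr:/usr/bin/ctr", "/usr/bin/runc:/usr/bin/runc", "/containers:/containers","/var/log:/var/log","/dev:/dev","/sys:/sys"], "capabilities": ["all"]}'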
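Review bot: The `org.mobyproject.config` label on the last line runs sshd with `"capabilities": ["all"]`, `"pid": "host"` and bind-mounts of the host's `/etc`, `/dev`, `/sys`, `/containers`, `runc` and `ctr`, so every authenticated SSH session is equivalent to root on the host and the only gate is the host's `/root/.ssh/authorized_keys`. That is presumably the intent for a management image, but nothing on the page says so; a comment above the label such as `# host-management sshd: host PID namespace, all capabilities, host binaries and /etc bind-mounted; access is controlled solely by the host's /root/.ssh/authorized_keys` would make the trust boundary explicit for reviewers and operators. Separately, `&& true` at the end of the `apk add` chain is a no-op that can be dropped, and the commented-out `#RUN mv /out/etc/apk/repositories.upstream ...` should either be removed or carry a note explaining when it is meant to be enabled.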
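--- /dev/null
+++ b/PATH-NOT-SHOWN-8
@@ -0,0 +1,2 @@
+image: rsync
+network: true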
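--- /dev/null
+++ b/PATH-NOT-SHOWN-9
@@ -0,0 +1,4 @@
+Welcome to LinuxKit!
+
+NOTE: This system is namespaced.
+The namespace you are currently in may not be the root.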
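--- /dev/null
+++ b/PATH-NOT-SHOWN-10
@@ -0,0 +1 @@
+export PS1="(ns: sshd) $PS1"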
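--- /dev/null
+++ b/PATH-NOT-SHOWN-11
@@ -0,0 +1,144 @@
+# $OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/bin:/usr/bin:/sbin:/usr/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# The default requires explicit activation of protocol 1
+#Protocol 2
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 1024
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+#UsePAM no
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation sandbox
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Default of no subsystems
+#Subsystem sftp /usr/lib/ssh/sftp-server
+
+# the following are HPN related configuration options
+# tcp receive buffer polling. disable in non autotuning kernels
+#TcpRcvBufPoll yes
+
+# disable hpn performance boosts
+#HPNDisabled no
+
+# buffer size for hpn to non-hpn connections
+#HPNBufferSize 2048
+
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server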
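Review bot: `#PermitRootLogin prohibit-password` is left commented, so the only account this sshd can serve relies on the compiled-in default of whatever OpenSSH build the unpinned base image happens to ship; make the key-only policy explicit with `PermitRootLogin prohibit-password` next to the already explicit `PasswordAuthentication no` and `ChallengeResponseAuthentication no`. Because the Dockerfile label runs this daemon in the host PID namespace with all capabilities, `#AllowTcpForwarding yes` and `#AllowAgentForwarding yes` defaulting to on also deserve a deliberate setting, e.g. `AllowAgentForwarding no` unless forwarding through the management host is required. A short comment at the top stating that this file is for the LinuxKit management sshd and which options were intentionally changed from upstream would help future diffs against new OpenSSH defaults.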
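--- /dev/null
+++ b/PATH-NOT-SHOWN-12
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+KEYS=$(find /etc/ssh -name 'ssh_host_*_key')
+[ -z "$KEYS" ] && ssh-keygen -A >/dev/null 2>/dev/null
+
+exec /usr/sbin/sshd -D -e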
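Review bot: `[ -z "$KEYS" ] && ssh-keygen -A` regenerates host keys on every boot, because `/etc/ssh` lives inside the image and the Dockerfile label bind-mounts `/root/.ssh` and `/etc:/hostroot/etc` but not `/etc/ssh`, so the server's identity changes each boot and clients either fail `StrictHostKeyChecking` or are trained to accept changed host keys. Persist the key directory (a bind for `/etc/ssh` alongside the existing `/root/.ssh` one, or generating into a persisted path and pointing `HostKey` at it) and state the choice in a comment such as `# host keys are generated once and must persist across boots; see the /etc/ssh bind in the image config`. `>/dev/null 2>/dev/null` also discards any `ssh-keygen` failure, after which `sshd` starts without host keys and refuses connections with no diagnostic; dropping the stderr redirect keeps the cause visible in the console log.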
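--- /dev/null
+++ b/PATH-NOT-SHOWN-13
@@ -0,0 +1,10 @@
+FROM alpine AS mirror
+
+RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
+RUN apk add --no-cache --initdb -p /out \
+dosfstools \
+syslinux
+RUN rm -rf /out/etc/apk /out/lib/apk /out/var/cache
+
+FROM scratch
+COPY --from=mirror /out/ /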
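--- /dev/null
+++ b/PATH-NOT-SHOWN-14
@@ -0,0 +1,8 @@
+image: syslinux
+network: true
+config:
+binds:
+- /dev:/dev
+capabilities:
+- CAP_SYS_ADMIN
+ipc: new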
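--- /dev/null
+++ b/PATH-NOT-SHOWN-15
@@ -0,0 +1,11 @@
+FROM alpine AS mirror
+
+RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
+RUN apk add --no-cache --initdb -p /out \
+unbound
+RUN rm -rf /out/etc/apk /out/lib/apk /out/var/cache
+RUN wget -O /out/etc/unbound/root.hints ftp://ftp.internic.net/domain/named.cache
+
+FROM scratch
+COPY --from=mirror /out/ /
+COPY etc/unbound/ /etc/unbound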
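Review bot: `RUN wget -O /out/etc/unbound/root.hints ftp://ftp.internic.net/domain/named.cache` fetches the resolver's root hints over unauthenticated FTP with no integrity check, so anyone able to tamper with that transfer at build time decides where every query this image ever resolves is sent. Fetch over HTTPS (the shipped `unbound.conf` itself cites `https://www.internic.net/domain/named.cache`) and verify against a pinned digest in the same `RUN`, e.g. `echo "<sha256 of the reviewed named.cache>  /out/etc/unbound/root.hints" | sha256sum -c`, or omit the download and rely on unbound's compiled-in root hints. Whichever is chosen, a comment on that line explaining why the hints are fetched at build time rather than shipped in `etc/unbound/` would help the next reviewer.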
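--- /dev/null
+++ b/PATH-NOT-SHOWN-16
@@ -0,0 +1,8 @@
+image: unbound
+network: true
+config:
+capabilities:
+- CAP_NET_BIND_SERVICE
+ipc: new
+pid: new
+uts: new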
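--- /dev/null
+++ b/PATH-NOT-SHOWN-17
@@ -0,0 +1,132 @@
+server:
+verbosity: 1
+
+# number of threads to create. 1 disables threading.
+# num-threads: 1
+
+# specify the interfaces to answer queries from by ip-address.
+interface: 0.0.0.0
+interface: ::0
+
+# Detach from the terminal, run in background, "yes" or "no".
+# Set the value to "no" when unbound runs as systemd service.
+do-daemonize: no
+
+# control which clients are allowed to make (recursive) queries
+# to this server. Specify classless netblocks with /size and action.
+# By default everything is refused, except for localhost.
+# Choose deny (drop message), refuse (polite error reply),
+# allow (recursive ok), allow_snoop (recursive and nonrecursive ok)
+# deny_non_local (drop queries unless can be answered from local-data)
+# refuse_non_local (like deny_non_local but polite error reply).
+#access-control: 172.23.0.0/16 allow
+
+# if given, user privileges are dropped (after binding port),
+# and the given username is assumed. Default is user "unbound".
+# If you give "" no privileges are dropped.
+# username: "unbound"
+
+# print one line with time, IP, name, type, class for every query.
+# log-queries: no
+log-queries: yes
+
+# print one line per reply, with time, IP, name, type, class, rcode,
+# timetoresolve, fromcache and responsesize.
+# log-replies: no
+log-replies: yes
+
+# log the local-zone actions, like local-zone type inform is enabled
+# also for the other local zone types.
+# log-local-actions: no
+
+# print log lines that say why queries return SERVFAIL to clients.
+log-servfail: yes
+
+# file to read root hints from.
+# get one from https://www.internic.net/domain/named.cache
+# root-hints: ""
+root-hints: "root.hints"
+
+# enable to not answer id.server and hostname.bind queries.
+# hide-identity: no
+hide-identity: yes
+
+# enable to not answer version.server and version.bind queries.
+# hide-version: no
+hide-version: yes
+
+# enable to not answer trustanchor.unbound queries.
+# hide-trustanchor: no
+
+# Sent minimum amount of information to upstream servers to enhance
+# privacy. Only sent minimum required labels of the QNAME and set QTYPE
+# to NS when possible.
+qname-minimisation: yes
+
+# Enforce privacy of these addresses. Strips them away from answers.
+# It may cause DNSSEC validation to additionally mark it as bogus.
+# Protects against 'DNS Rebinding' (uses browser as network proxy).
+# Only 'private-domain' and 'local-data' names are allowed to have
+# these private addresses. No default.
+# private-address: 10.0.0.0/8
+# private-address: 172.16.0.0/12
+# private-address: 192.168.0.0/16
+# private-address: 169.254.0.0/16
+# private-address: fd00::/8
+# private-address: fe80::/10
+# private-address: ::ffff:0:0/96
+
+# if yes, Unbound rotates RRSet order in response.
+rrset-roundrobin: yes
+
+# if yes, Unbound doesn't insert authority/additional sections
+# into response messages when those sections are not required.
+minimal-responses: yes
+
+# true to disable DNSSEC lameness check in iterator.
+# disable-dnssec-lame-check: no
+
+# module configuration of the server. A string with identifiers
+# separated by spaces. Syntax: "[dns64] [validator] iterator"
+module-config: "validator iterator"
+
+# File with trusted keys, kept uptodate using RFC5011 probes,
+# initial file like trust-anchor-file, then it stores metadata.
+# Use several entries, one per domain name, to track multiple zones.
+#
+# If you want to perform DNSSEC validation, run unbound-anchor before
+# you start unbound (i.e. in the system boot scripts). And enable:
+# Please note usage of unbound-anchor root anchor is at your own risk
+# and under the terms of our LICENSE (see that file in the source).
+#auto-trust-anchor-file: "var/root-anchors.txt"
+
+# trust anchor signaling sends a RFC8145 key tag query after priming.
+# trust-anchor-signaling: yes
+
+# File with DLV trusted keys. Same format as trust-anchor-file.
+# There can be only one DLV configured, it is trusted from root down.
+# DLV is going to be decommissioned. Please do not use it any more.
+# dlv-anchor-file: "dlv.isc.org.key"
+
+# File with trusted keys for validation. Specify more than one file
+# with several entries, one file per entry.
+# Zone file format, with DS and DNSKEY entries.
+# Note this gets out of date, use auto-trust-anchor-file please.
+# trust-anchor-file: "/etc/dnssec/root-anchors.txt"
+trust-anchor-file: "root-anchors.txt"
+
+# Trusted key for validation. DS or DNSKEY. specify the RR on a
+# single line, surrounded by "". TTL is ignored. class is IN default.
+# Note this gets out of date, use auto-trust-anchor-file please.
+# (These examples are from August 2007 and may not be valid anymore).
+# trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ=="
+# trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A"
+
+# Turn permissive mode on to permit bogus messages. Thus, messages
+# for which security checks failed will be returned to clients,
+# instead of SERVFAIL. It still performs the security checks, which
+# result in interesting log files and possibly the AD bit in
+# replies if the message is found secure. The default is off.
+#val-permissive-mode: yes
+
+include: /etc/unbound/unbound.d/*.conf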
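Review bot: `trust-anchor-file: "root-anchors.txt"` pins DNSSEC validation to a static anchor, and the file's own comment a few lines above warns that this "gets out of date"; when the root KSK rolls, validation fails and every answer from this resolver becomes SERVFAIL. Prefer `auto-trust-anchor-file` (RFC 5011 tracking, which needs a writable path in an otherwise read-only image) or document the manual update procedure next to the line; either way `root-anchors.txt` and `root.hints` must actually be shipped by the Dockerfile's `COPY etc/unbound/ /etc/unbound`, which this page does not show. `interface: 0.0.0.0` / `interface: ::0` bind every address while `access-control` stays commented, so by default only localhost is answered — probably intended, but a one-line comment such as `# listens on all addresses; access-control defaults restrict service to localhost` would stop someone "fixing" it with a broad allow.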