diff --git a/Dockerfile b/Dockerfile
index b7db3ad..5dc0b68 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,9 +1,9 @@
 FROM alpine:3.15.5
-ARG UNBOUND_VERSION=1.16.1
+ARG UNBOUND_VERSION=1.16.2
-# Install dependencies and build unbound (and install bind-tools for dig in healthcheck), clean up after
-RUN apk --update add --no-cache alpine-sdk bind-tools dns-root-hints expat-dev git openssl-dev && \
+# Install dependencies and build unbound, clean up after
+RUN apk --update add --no-cache alpine-sdk dns-root-hints expat-dev git openssl-dev && \
 # Clone tag and build unbound source (https://github.com/NLnetLabs/unbound)
 git clone --depth 1 --branch "release-${UNBOUND_VERSION}" https://github.com/NLnetLabs/unbound.git /tmp/unbound && \
 cd /tmp/unbound && \
@@ -17,10 +17,13 @@ RUN apk --update add --no-cache alpine-sdk bind-tools dns-root-hints expat-dev g
 # Prepare image
 COPY entrypoint.sh /
+COPY healthcheck.sh /srv/
+
+## Prepare unbound
 RUN addgroup -S unbound
 RUN adduser -S -G unbound unbound
 RUN mkdir -p /srv/unbound/conf
 COPY unbound.conf /srv/unbound/unbound.conf
-HEALTHCHECK --interval=60s --timeout=3s --retries=2 CMD dig ns1.gkcld.net @127.0.0.1 +dnssec || exit 1
+HEALTHCHECK --interval=30s --timeout=2s --retries=1 CMD sh /srv/healthcheck.sh
 ENTRYPOINT ["sh", "/entrypoint.sh"]
diff --git a/changelog.md b/changelog.md
index de46de3..a3883b2 100644
--- a/changelog.md
+++ b/changelog.md
@@ -3,6 +3,10 @@ All notable changes to this project will be documented in this file.
 ## [Unreleased]
+## [1.16.2]
+- Updated Unbound to version `1.16.2`
+- Added local healthcheck record and new healthcheck script
+
 ## [1.16.1]
 - Updated Unbound to version `1.16.1`
diff --git a/entrypoint.sh b/entrypoint.sh
index 3fc6921..4ac61c8 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 echo 'Starting unbound...'
 unbound -V
diff --git a/healthcheck.sh b/healthcheck.sh
new file mode 100644
index 0000000..746b7bf
--- /dev/null
+++ b/healthcheck.sh
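Review bot: The bumped `ARG UNBOUND_VERSION=1.16.2` is still consumed only as `--branch "release-${UNBOUND_VERSION}"` on the `git clone` line, a mutable tag with nothing pinning the checkout to a known commit, so anyone who can move the `release-1.16.2` tag upstream controls what gets compiled into the image. Consider adding `ARG UNBOUND_COMMIT=<sha>` beside the version and asserting it after the clone, `test "$(git -C /tmp/unbound rev-parse HEAD)" = "${UNBOUND_COMMIT}" && \`, or building from the signed release tarball and verifying its signature instead. The apk packages on the rewritten `RUN` line also remain unpinned (hadolint DL3018), which this bump does not address. The `RUN` instruction continues past the last line of this hunk.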
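Review bot: The new `HEALTHCHECK --interval=30s --timeout=2s --retries=1` sets no `--start-period`, and with `--retries=1` a single probe that is slow or that fires before unbound has bound 127.0.0.1:53 flags the container unhealthy at once, which is less tolerant than the `--retries=2` it replaces. Suggest `HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 CMD sh /srv/healthcheck.sh` so startup is excluded and a transient stall needs to repeat before the state flips. The stage still has no `USER` instruction, so the probe (and the entrypoint, whose body is not in this diff) runs as root unless the entrypoint or unbound's own `username:` setting drops privileges; worth confirming.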
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+HEALTHCHECK_RECORD=healthcheck-record.gkcld
+EXPECTED_VALUE=10.10.10.10
+
+RESOLVED_IP=$(nslookup "${HEALTHCHECK_RECORD}" 127.0.0.1 | awk -F':' '/^Address: / { matched = 1 } matched { print $2}' | xargs)
+if [ "${RESOLVED_IP}" != "${EXPECTED_VALUE}" ]; then
+ echo "[ERR] ${HEALTHCHECK_RECORD} lookup failed"
+ exit 1
+fi
+
+echo "[OK] ${HEALTHCHECK_RECORD} == ${RESOLVED_IP}"
diff --git a/unbound.conf b/unbound.conf
index c8dc1c4..f215518 100644
--- a/unbound.conf
+++ b/unbound.conf
@@ -51,3 +51,6 @@ server:
 # Allow from adguard subnet (see docker-compose adguard network)
 access-control: 0.0.0.0/0 allow
+
+ # Local A record used for container healthcheck
+ local-data: "healthcheck-record.gkcld. A 10.10.10.10"
\ No newline at end of file
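Review bot: The awk program on the `RESOLVED_IP=` line sets `matched` on the first `Address:` line and then prints `$2` of every following line, so anything nslookup emits after the A answer is appended by `xargs`; as far as I recall, busybox nslookup prints `*** Can't find <name>: No answer` for the AAAA lookup of a name that only has an A record, which would make the value `10.10.10.10 No answer` and fail the comparison on every probe. Print just the matching field and stop: `RESOLVED_IP=$(nslookup "${HEALTHCHECK_RECORD}" 127.0.0.1 | awk '/^Address: / { print $2; exit }')`, which also removes the need for the trailing `xargs`. Since the record is served from unbound's own `local-data`, this probe only shows the daemon is answering on 127.0.0.1 and no longer exercises recursion or DNSSEC validation the way the old `dig … +dnssec` check did; if that narrowing is intended, say so in a comment at the top of the script, e.g. `# Liveness only: answered from local-data, does not prove upstream resolution works.`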