Multiple additions and fixes #12

- Unbound ran as `nonrootuser` - Readme updated - auth.conf replaced by `USER` and `PASSWORD` env variables - Removed Nginx section from readme for now - Reworked entrypoint with more checks - Malicious IPs and hostnames building is done at Docker build to gain time at launch - docker-compose updated to reflect changes
2018-11-14 14:38:10 +02:00
parent 3c79ba33bb
commit d3dc6c74d8
5 changed files with 170 additions and 187 deletions
--- a/49
+++ b/49
@@ -11,22 +11,24 @@ LABEL org.label-schema.schema-version="1.0.0-rc1" \
      org.label-schema.url="https://github.com/qdm12/private-internet-access-docker" \
      org.label-schema.vcs-description="VPN client to tunnel to private internet access servers using OpenVPN, IPtables, DNS over TLS and Alpine Linux" \
      org.label-schema.vcs-usage="https://github.com/qdm12/private-internet-access-docker/blob/master/README.md#setup" \
-      org.label-schema.docker.cmd="docker run -d -v ./auth.conf:/auth.conf:ro --cap-add=NET_ADMIN --device=/dev/net/tun qmcgaw/private-internet-access" \
-      org.label-schema.docker.cmd.devel="docker run -it --rm -v ./auth.conf:/auth.conf:ro --cap-add=NET_ADMIN --device=/dev/net/tun qmcgaw/private-internet-access" \
-      org.label-schema.docker.params="REGION=PIA region,PROTOCOL=udp or tcp,ENCRYPTION=strong or normal,BLOCK_MALICIOUS=on or off" \
+      org.label-schema.docker.cmd="docker run -d --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \
+      org.label-schema.docker.cmd.devel="docker run -it --rm --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \
+      org.label-schema.docker.params="REGION=PIA region,PROTOCOL=udp/tcp,ENCRYPTION=strong/normal,BLOCK_MALICIOUS=on/off,USER=PIA user,PASSWORD=PIA password,EXTRA_SUBNETS=extra subnets to allow on the firewall" \
      org.label-schema.version="" \
-      image-size="17.1MB" \
+      image-size="20MB" \
      ram-usage="13MB to 80MB" \
-      cpu-usage="Low"
-ENV ENCRYPTION=strong \
-    PROTOCOL=tcp \
+      cpu-usage="Low to Medium"
+ENV USER= \
+    PASSWORD= \
+    ENCRYPTION=strong \
+    PROTOCOL=udp \
    REGION="CA Montreal" \
-    BLOCK_MALICIOUS=off
+    BLOCK_MALICIOUS=off \
+    EXTRA_SUBNETS=
+ENTRYPOINT /entrypoint.sh
 HEALTHCHECK --interval=5m --timeout=15s --start-period=10s --retries=2 \
            CMD [ "$(wget -qqO- 'https://duckduckgo.com/?q=what+is+my+ip' | grep -ow 'Your IP address is [0-9.]*[0-9]' | grep -ow '[0-9][0-9.]*')" != "$INITIAL_IP" ] || exit 1
-RUN V_ALPINE="v$(cat /etc/alpine-release | grep -oE '[0-9]+\.[0-9]+')" && \
-    echo https://dl-3.alpinelinux.org/alpine/$V_ALPINE/main > /etc/apk/repositories && \
-    apk add -q --progress --no-cache --update openvpn wget ca-certificates iptables unbound unzip && \
+RUN apk add -q --progress --no-cache --update openvpn wget ca-certificates iptables unbound unzip && \
    wget -q https://www.privateinternetaccess.com/openvpn/openvpn.zip \
            https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip \
            https://www.privateinternetaccess.com/openvpn/openvpn-tcp.zip \
@@ -37,13 +39,26 @@ RUN V_ALPINE="v$(cat /etc/alpine-release | grep -oE '[0-9]+\.[0-9]+')" && \
    unzip -q openvpn-strong-tcp.zip -d /openvpn-tcp-strong && \
    apk del -q --progress --purge unzip && \
    rm -rf /*.zip /var/cache/apk/* /etc/unbound/unbound.conf && \
-    adduser -S nonrootuser
+    addgroup nonrootgroup --gid 1000 && \
+    adduser nonrootuser -G nonrootgroup -D -H --uid 1000
 COPY --from=qmcgaw/dns-trustanchor /named.root /etc/unbound/root.hints
 COPY --from=qmcgaw/dns-trustanchor /root.key /etc/unbound/root.key
-COPY --from=qmcgaw/malicious-hostnames /malicious-hostnames.bz2 /etc/unbound/malicious-hostnames.bz2
-COPY --from=qmcgaw/malicious-ips /malicious-ips.bz2 /etc/unbound/malicious-ips.bz2
+COPY --from=qmcgaw/malicious-hostnames /malicious-hostnames.bz2 /tmp/malicious-hostnames.bz2
+COPY --from=qmcgaw/malicious-ips /malicious-ips.bz2 /tmp/malicious-ips.bz2
+RUN cd /tmp && \
+    tar -xjf malicious-hostnames.bz2 && \
+    tar -xjf malicious-ips.bz2 && \
+    while read hostname; do echo "local-zone: \""$hostname"\" static" >> blocks-malicious.conf; done < malicious-hostnames && \
+    while read ip; do echo "private-address: $ip" >> blocks-malicious.conf; done < malicious-ips && \
+    tar -cjf /etc/unbound/blocks-malicious.bz2 blocks-malicious.conf && \
+    rm -f /tmp/*
 COPY unbound.conf /etc/unbound/unbound.conf
 COPY entrypoint.sh /entrypoint.sh
-RUN chown unbound /etc/unbound/root.key && \
-    chmod 700 /entrypoint.sh
-ENTRYPOINT /entrypoint.sh
+RUN chown nonrootuser:nonrootgroup -R /etc/unbound && \
+    chmod 700 /etc/unbound && \
+    chmod 500 /entrypoint.sh && \
+    chmod 400 \
+        /etc/unbound/root.hints \
+        /etc/unbound/root.key \
+        /etc/unbound/unbound.conf \
+        /etc/unbound/blocks-malicious.bz2