diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index d72e7db..a2c8cc3 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -53,8 +53,8 @@ People _love_ thorough bug reports. I'm not even kidding.
 1. Optionally update root hints before building
 ```bash
-rm rootfs_overlay/etc/unbound/root.hints
-wget https://www.internic.net/domain/named.root -O rootfs_overlay/etc/unbound/root.hints
+rm rootfs_overlay/var/unbound/root.hints
+wget https://www.internic.net/domain/named.root -O rootfs_overlay/var/unbound/root.hints
 ```
 2. Enable docker buildkit and experimental mode
diff --git a/Dockerfile b/Dockerfile
index 0351edf..218241f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -72,8 +72,11 @@ RUN echo "${UNBOUND_SHA256} unbound.tar.gz" | sha256sum -c - \
 # https://unbound.docs.nlnetlabs.nl/en/latest/getting-started/installation.html#building-from-source-compiling
 RUN ./configure \
 --prefix=/opt/usr \
- --sysconfdir=/etc \
- --localstatedir=/var \
+ --with-conf-file=/etc/unbound/unbound.conf \
+ --with-run-dir=/var/unbound \
+ --with-chroot-dir=/var/unbound \
+ --with-pidfile=/var/unbound/unbound.pid \
+ --with-rootkey-file=/var/unbound/root.key \
 --disable-static \
 --disable-shared \
 --disable-rpath \
@@ -110,10 +113,8 @@ COPY --from=unbound /opt/usr/sbin/ /usr/sbin/
 COPY --from=ldns /opt/usr/bin/ /usr/bin/
-COPY --chown=unbound:unbound rootfs_overlay/ /
- # TODO: run as non-root on port 5053
- # USER unbound
+COPY --chown=unbound:unbound rootfs_overlay/etc/unbound/ /etc/unbound/
+COPY --chown=unbound:unbound rootfs_overlay/var/unbound/ /var/unbound/
 RUN [ "unbound", "-V" ]
 # hadolint ignore=DL3059
diff --git a/rootfs_overlay/etc/unbound/unbound.conf b/rootfs_overlay/etc/unbound/unbound.conf
index 3de1642..792cf55 100644
--- a/rootfs_overlay/etc/unbound/unbound.conf
+++ b/rootfs_overlay/etc/unbound/unbound.conf
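Review bot: `--with-chroot-dir=/var/unbound` sets the compiled-in chroot while `--with-conf-file=/etc/unbound/unbound.conf` places the configuration outside that chroot, and nothing in this diff shows `chroot:` being overridden in unbound.conf. Unbound reads the file before it chroots, so start-up is presumably unaffected, but a configuration reload (for example via unbound-control) re-reads the path from inside the chroot and is likely not to find it; please confirm against the chroot section of unbound.conf(5). If the split is intentional, record it next to the flags, e.g. `# config lives outside the chroot on purpose; runtime reload is not supported` — otherwise set `chroot: ""` in unbound.conf or place the file under /var/unbound. The `RUN ./configure \` instruction continues beyond the end of the hunk.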
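Review bot: The `# TODO: run as non-root on port 5053` and `# USER unbound` lines are removed together with the whole-overlay COPY, but no `USER` instruction takes their place, so the container still starts as root and the open hardening item disappears from the file. Unbound drops to its configured account after start-up (the `--with-username` default is unbound and is not overridden in the configure hunk, and the `--chown=unbound:unbound` shows the account exists in the image), so what is lost is the record rather than a protection; keeping the two comment lines until the listen port is moved above 1024 and `USER unbound` can be enabled preserves the intent. A smaller least-privilege point on `COPY --chown=unbound:unbound rootfs_overlay/var/unbound/ /var/unbound/`: it makes root.hints owned by the service account as well as root.key, although only root.key is rewritten by unbound (the RFC 5011 anchor update); copying root.hints without `--chown` keeps it read-only for the daemon while the directory and root.key stay writable.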
@@ -115,14 +115,14 @@ server:
 # nameserver names and addresses only. The default may become outdated,
 # when servers change, therefore it is good practice to use a root-hints
 # file. get one from https://www.internic.net/domain/named.root
- root-hints: /etc/unbound/root.hints
+ root-hints: root.hints
 # File with trust anchor for one zone, which is tracked with RFC5011 probes.
 # The probes are several times per month, thus the machine must be online frequently.
 # The initial file can be one with contents as described in trust-anchor-file.
 # The file is written to when the anchor is updated, so the unbound user must
 # have write permission.
- auto-trust-anchor-file: /etc/unbound/root.key
+ auto-trust-anchor-file: root.key
 # Number of ports to open. This number of file descriptors can be opened per thread.
 # Must be at least 1. Default depends on compile options. Larger numbers need extra
diff --git a/rootfs_overlay/etc/unbound/root.hints b/rootfs_overlay/var/unbound/root.hints
similarity index 100%
rename from rootfs_overlay/etc/unbound/root.hints
rename to rootfs_overlay/var/unbound/root.hints
diff --git a/rootfs_overlay/etc/unbound/root.key b/rootfs_overlay/var/unbound/root.key
similarity index 100%
rename from rootfs_overlay/etc/unbound/root.key
rename to rootfs_overlay/var/unbound/root.key
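Review bot: `root-hints: root.hints` and `auto-trust-anchor-file: root.key` become relative paths, but nothing in the hunk says what they are relative to; unbound resolves them against `directory:`, which defaults to the compile-time run-dir (/var/unbound per the Dockerfile in this same diff, which is also the chroot). A reader of unbound.conf on its own cannot recover that, so a comment above the first of the two would help, e.g. `# Relative paths resolve against the working directory (compile-time run-dir /var/unbound, which is also the chroot); both files live there`. The existing comment that the unbound user needs write permission on the anchor file still holds and is satisfied by the --chown in the Dockerfile, though root.hints itself does not need to be writable.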