diff --git a/.claude/settings.local.json b/.claude/settings.local.json deleted file mode 100644 index 375c766..0000000 --- a/.claude/settings.local.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "permissions": { - "allow": [ - "Bash(tee /root/Projects/github/casjaysdevdocker/bind/rootfs/usr/local/etc/docker/functions/entrypoint.sh)", - "Bash(tee /root/Projects/github/casjaysdevdocker/bind/rootfs/usr/local/bin/entrypoint.sh)", - "Bash(tee *)", - "Bash(bash /tmp/gen_init_tor.sh)", - "Bash(bash /tmp/gen_init_named.sh)", - "Bash(bash -n /root/Projects/github/casjaysdevdocker/bind/rootfs/usr/local/etc/docker/init.d/01-tor.sh)", - "Bash(bash -n /root/Projects/github/casjaysdevdocker/bind/rootfs/usr/local/etc/docker/init.d/02-named.sh)", - "Bash(bash -n /root/Projects/github/casjaysdevdocker/bind/rootfs/usr/local/etc/docker/init.d/03-nginx.sh)", - "Bash(bash -n /root/Projects/github/casjaysdevdocker/bind/rootfs/usr/local/etc/docker/init.d/04-php-fpm.sh)", - "Bash(bash -n /root/Projects/github/casjaysdevdocker/bind/rootfs/usr/local/etc/docker/init.d/start-service.sh)", - "Bash(bash -n /root/Projects/github/casjaysdevdocker/bind/rootfs/usr/local/bin/entrypoint.sh)", - "Bash(bash -n /root/Projects/github/casjaysdevdocker/bind/rootfs/usr/local/etc/docker/functions/entrypoint.sh)", - "Bash(bash -n /root/Projects/github/casjaysdevdocker/bind/rootfs/usr/local/bin/pkmgr)", - "Bash(python3 -c \"import os; os.remove\\('/root/Projects/github/casjaysdevdocker/bind/rootfs/usr/local/etc/docker/init.d/start-service.sh'\\)\")", - "Bash(dig @127.0.0.1 -p 15300 bind.test.local +short +time=3 +tries=1)", - "Bash(dig @127.0.0.1 -p 15300 bind.test.local SOA +noall +answer +time=3 +tries=1)", - "Bash(dig @127.0.0.1 -p 15300 bind. SOA +noall +answer +time=3 +tries=1)", - "Bash(python3 -c \"import os; os.remove\\('/root/Projects/github/casjaysdevdocker/bind/rootfs/tmp/etc/nginx/real_ip.conf'\\); os.remove\\('/root/Projects/github/casjaysdevdocker/bind/rootfs/tmp/etc/nginx/fastcgi_params'\\)\")", - "Bash(dig @127.0.0.1 -p 15300 bind. A +short +time=4 +tries=1)", - "Bash(dig @127.0.0.1 -p 15300 duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion +short +time=5 +tries=1)", - "Read(//etc/docker/**)", - "Bash(python3 -c 'import json; json.load\\(open\\(\"/etc/docker/daemon.json\"\\)\\); print\\(\"OK\"\\)')", - "Bash(python3 -m json.tool)", - "Read(//root/.local/log/buildx/docker.io/casjaysdevdocker/bind/**)", - "Bash(bash /root/.config/myscripts/buildx/scripts/casjaysdevdocker/bind-latest.sh)" - ] - } -} diff --git a/.env.scripts b/.env.scripts index 96139d8..d8edb73 100644 --- a/.env.scripts +++ b/.env.scripts @@ -59,14 +59,14 @@ ENV_PULL_URL="casjaysdev/alpine" ENV_DISTRO_TAG="${IMAGE_VERSION}" # - - - - - - - - - - - - - - - - - - - - - - - - - # Env -SERVICE_PORT="80" -EXPOSE_PORTS="53/tcp 53/udp" +SERVICE_PORT="53" +EXPOSE_PORTS="53/udp" # - - - - - - - - - - - - - - - - - - - - - - - - - # IF using a lanuage such as go, php, rust, ruby, etc set the version here. LANG_VERSION="" # - - - - - - - - - - - - - - - - - - - - - - - - - # Versions -PHP_VERSION="php82" +PHP_VERSION="none" NODE_VERSION="system" NODE_MANAGER="system" # - - - - - - - - - - - - - - - - - - - - - - - - - @@ -77,8 +77,7 @@ DEFAULT_DATA_DIR="/usr/local/share/template-files/data" DEFAULT_CONF_DIR="/usr/local/share/template-files/config" DEFAULT_TEMPLATE_DIR="/usr/local/share/template-files/defaults" # - - - - - - - - - - - - - - - - - - - - - - - - - -ENV_PACKAGES="bind bind-tools bind-dnssec-root bind-plugins nginx \${PHP_VERSION}-fpm tor" +ENV_PACKAGES="bind bind-tools bind-dnssec-root bind-plugins bash" # - - - - - - - - - - - - - - - - - - - - - - - - - # ex: ts=2 sw=2 et filetype=sh # - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/CLAUDE.md b/CLAUDE.md new file mode 100644 index 0000000..e83d101 --- /dev/null +++ b/CLAUDE.md @@ -0,0 +1,395 @@ +# casjaysdevdocker repo template spec + +This file is the **canonical spec** for what a properly-set-up `casjaysdevdocker/` container repo looks like. It is the source of truth for migrations, audits, and new repos. + +- Untracked: this file lives at the repos root, not in any individual repo's git tree. +- Per-repo: each repo gets `/CLAUDE.md` (a copy of this file) and `/PLAN.md` (the concrete plan for that specific service stack), both committed to the repo. +- Authority: `~/.claude/CLAUDE.md` (52 numbered global rules) is the base. This file extends it for the docker-image work. Existing repo files are *input*, never authoritative — the repos are mostly unfinished. + +--- + +## 1. What a repo is + +Each repo builds **one self-contained Docker image** for the service named after the repo. The image: + +- Targets `linux/amd64` and `linux/arm64` via `buildx`. +- Boots via `tini` → `entrypoint.sh` → init.d service scripts → long-running service. +- Stores user-modifiable config under `/config/` (volume). +- Stores runtime data, logs, DB files under `/data` (volume). +- Ships a single, **highly-optimized** config in `rootfs/tmp/etc//` that replaces the distro defaults at build time. +- Provides sane defaults: first-run with no env vars works for the common case. + +App-style repos (ampache, wordpress, navidrome, …) ship the **whole stack** the app needs: the app itself at `/usr/local/share/`, a webserver (apache or nginx) to serve it, php-fpm if PHP-based, and a database (mariadb/postgres) if the app needs one. DB-server repos (mariadb, postgres, mongodb, …) ship the DB **plus** apache + php-fpm + the canonical web admin UI (phpmyadmin for mariadb/mysql; pgAdmin/phpPgAdmin for postgres; mongo-express for mongodb; etc.). + +Inferred intent from repo name examples: + +| Repo | What it is | +|-----------------|-------------------------------------------------------------------------------------------------------------------------| +| `nginx` | nginx webserver; PHP-FPM upstream on `:9000`; CGI/Lua/etc via `nginx-mod-*` packages | +| `apache`/`httpd`| apache2 webserver + php-fpm; mod_rewrite/proxy/ssl/etc | +| `cherokee` | cherokee webserver with **CGI handlers for Ruby, Perl, Python** + **full PHP support** | +| `lighttpd` | lighttpd webserver + php-fpm/cgi | +| `caddy` | Caddy webserver (reverse-proxy/auto-TLS) | +| `traefik` | Traefik edge router | +| `mariadb` | mariadb-server + apache + php-fpm + **phpmyadmin** at `/usr/local/share/phpmyadmin` | +| `mysql` | mysql + apache + php-fpm + phpmyadmin | +| `postgres` | postgresql + apache + php-fpm + **phpPgAdmin/pgAdmin** at `/usr/local/share/phppgadmin` | +| `mongodb` | mongodb + apache + php-fpm + mongo-express or comparable web UI | +| `couchdb` | couchdb (built-in Fauxton UI) | +| `redis`/`valkey`| key-value store; CLI tools | +| `ampache` | apache + php-fpm + mariadb + ampache app at `/usr/local/share/ampache`; serves the music UI on `:80` | +| `wordpress` | apache + php-fpm + mariadb + wordpress at `/usr/local/share/wordpress` | +| `nextcloud` | apache + php-fpm + mariadb + nextcloud at `/usr/local/share/nextcloud` | +| `gitea`/`forgejo`| the binary, sqlite by default | +| `bind` | bind9 DNS server | +| `tor` | tor daemon | +| `ssl-ca` | a self-signed CA + `openssl`/`certbot` tooling | + +**Always cross-check intent and packages against:** +- **Distro docs for file paths**: Alpine docs for `/etc/` layout (and `pkgs.alpinelinux.org` for available package names); Alma/Rocky docs for `/etc/httpd` (rhel-family path). +- **Project docs for config content**: `nginx.org` for `nginx.conf` directives, `httpd.apache.org` for `httpd.conf`, `mariadb.com` for `my.cnf`, etc. +- **Upstream Docker images**: when available, `docker pull /:latest` and inspect (`docker history`, `docker run --rm -it ... sh`) to confirm canonical install paths and config locations. **Always `docker rmi` to clean up after.** + +Never invent a package name or a config option. `WebFetch`/`WebSearch`/`docker pull` to verify. + +--- + +## 2. File inventory (every repo) + +``` +/ +├── CLAUDE.md # copy of TEMPLATE.md, committed; agent reads this when working in this repo +├── PLAN.md # this repo's concrete plan: packages, configs, init.d behavior, success criteria +├── README.md # user-facing install/run docs +├── LICENSE.md # MIT (per global rule 32) or per-repo as appropriate +├── Dockerfile # multi-stage, alpine-based by default (rhel for systemd-only repos) +├── .env.scripts # buildx wrapper config (registry, push, pull, packages list) +├── .dockerignore +├── .gitattributes +├── .gitignore +├── .gitea/workflows/docker.yaml # gitea CI workflow +├── Jenkinsfile # optional, if the repo had one +└── rootfs/ # everything under here is COPYed to / in the build + ├── usr/local/bin/ + │ ├── entrypoint.sh # SHARED template, only the description + CONTAINER_NAME line are repo-specific + │ └── pkmgr # SHARED template (apt/dnf/apk auto-detect wrapper) + ├── usr/local/etc/docker/ + │ ├── functions/entrypoint.sh # framework functions sourced by entrypoint.sh and 99-.sh + │ └── init.d/ + │ └── 99-.sh # PER-REPO; defines SERVICE_NAME, ETC_DIR, CONF_DIR, EXEC_CMD_BIN/ARGS, hooks + ├── usr/local/share/ + │ ├── / # for app-style repos: the actual app code (e.g., ampache, wordpress) + │ ├── phpmyadmin/ # for mariadb/mysql repos + │ ├── phppgadmin/ # for postgres repos + │ ├── httpd/default/ # default webroot (used when no app) + │ └── template-files/ + │ ├── config/ # templates copied to /config// on first run by __initialize_config_dir + │ ├── data/ # templates copied to /data// on first run + │ └── defaults/ # default fallbacks + ├── tmp/etc// # PER-REPO optimized configs; copied to /etc// at build time (see §4) + ├── tmp/bin/ # optional; auto-installed to /usr/local/bin/ at build time + ├── tmp/var/ # optional; auto-installed to /var/ at build time + └── root/docker/setup/ # PER-REPO build-time scripts (see §3) + ├── 00-init.sh + ├── 01-system.sh + ├── 02-packages.sh + ├── 03-files.sh + ├── 04-users.sh + ├── 05-custom.sh # ← service-specific config wipe-and-replace lives here + ├── 06-post.sh + └── 07-cleanup.sh +``` + +**SHARED vs PER-REPO** (load-bearing distinction — getting this wrong breaks repos): + +- **SHARED** (safe to overwrite from the upstream template): `rootfs/usr/local/bin/entrypoint.sh` (only the description + `CONTAINER_NAME=""` change per repo), `rootfs/usr/local/bin/pkmgr`, `rootfs/usr/local/etc/docker/functions/entrypoint.sh`. +- **PER-REPO** (never overwrite from a template — read first; preserve service-specific logic): every script under `rootfs/root/docker/setup/`, `rootfs/usr/local/etc/docker/init.d/*`, everything under `rootfs/tmp/`, everything under `rootfs/usr/local/share//`. + +--- + +## 3. Build-time setup script flow + +`Dockerfile` runs `00-init.sh` → … → `07-cleanup.sh` interleaved with package install. Order and contract: + +| Script | When it runs | What it does | +|------------------|-----------------------------------------------|----------------------------------------------------------------------------------------------------| +| `00-init.sh` | Right after `mkdir`s before anything else | Sanity setup; usually empty | +| `01-system.sh` | After apk repos are configured | System-level tweaks (extra repos, timezone, non-package OS config) | +| `02-packages.sh` | After `pkmgr install $PACK_LIST` | Per-service post-install tweaks (e.g., compile a module, install a pip/npm package, fetch the app) | +| `03-files.sh` | After packages are installed | **Auto-installs `rootfs/tmp/{bin,var,etc,data}/*`** into `/usr/local/bin/`, `/var/`, `/etc/`, and the `template-files/` staging dirs. Most repos use the canonical version verbatim. | +| `04-users.sh` | After files are placed | Create system users/groups the service needs (e.g., `nginx`, `mysql`, `apache`) | +| `05-custom.sh` | After users | **Service-specific config wipe-and-replace** (see §4). Also: clone wwwroot templates, fetch app source, etc. | +| `06-post.sh` | After custom | Late tweaks (permissions, symlinks) | +| `07-cleanup.sh` | Last | Per-service cache cleanup beyond the Dockerfile's generic cleanup | + +The Dockerfile's own RUN steps already do generic cleanup (`pkmgr clean`, `rm -Rf /usr/share/doc/*`, etc.); the per-script `07-cleanup.sh` only handles service-specific files. + +--- + +## 4. The wipe-and-replace config flow + +The most important pattern in this template. Goal: the running container's `/etc//` contains **only** our optimized config, never distro defaults. + +**Build time:** +1. Service package install (e.g., `apk add nginx`) creates distro defaults under `/etc//` (e.g., `/etc/nginx/{nginx.conf, conf.d/, modules-enabled/, http.d/, mime.types, …}`). +2. `03-files.sh` copies `rootfs/tmp/etc//*` → `/etc//*` (overlay only) **and** stages a copy at `/usr/local/share/template-files/config//` for runtime seeding. +3. `05-custom.sh` performs the **wipe-and-replace** (the canonical idiom): + ```sh + if [ -d "/tmp/etc/" ]; then + # preserve distro-shipped files we need (e.g., mime.types when not in tmp/etc/) + # then wipe defaults + rm -Rf "/etc/"/* + cp -Rf "/tmp/etc//." "/etc//" + fi + ``` + For services that auto-discover sub-confs, our `.conf` ends with an **optional** include like `include /config//vhosts.d/*.conf;` (nginx) or `IncludeOptional /config//conf.d/*.conf` (apache) so an empty include dir doesn't crash startup. + +**Runtime (entrypoint + 99-.sh):** +1. `entrypoint.sh` calls `__initialize_default_templates` / `__initialize_config_dir` / `__initialize_data_dir` which copy `template-files/{defaults,config,data}//*` → `/config//` and `/data//` **only when those target dirs are not already initialized** (via `/config/.docker_has_run` and `/data/.docker_has_run` markers). +2. `99-.sh` calls `__initialize_system_etc "$CONF_DIR"` which symlinks/copies the user-editable `/config//` → the service's expected runtime path (`/etc//` for system services; `/usr/local/share//config/` for app-stack repos). +3. `99-.sh` also ensures runtime dirs exist: `vhosts.d/`, `conf.d/`, `ssl/`, `secure/auth/`, log dirs under `/data/logs//`. +4. Service starts pointing at `/etc//.conf` (or equivalent), which transitively reads from `/config//`. + +Net effect: end users edit files under `/config//` (volume); the service picks them up; rebuilds and restarts don't trample user changes. + +**Anti-patterns:** +- Letting distro defaults survive into the running image (didn't wipe `/etc//*`). +- Hardcoding paths in our config that point inside `/etc//` instead of `/config//` for things users should customize. +- Copying `template-files/config//*` into `/config//` unconditionally on every container start (clobbers user edits) — always gate with the init markers. +- Using a non-optional `include` for `vhosts.d/` (kills the service when the dir is empty on first run). + +--- + +## 5. Dockerfile structure + +Multi-stage. Build stage installs packages and runs setup scripts; final stage is `FROM scratch` and `COPY --from=build /. /` for a minimal final image. Exception: containers needing systemd as PID 1 (e.g., blueonyx) are single-stage with `CMD ["/sbin/init"]`. + +Required ARGs in the **header** (preserve per-repo values during migration): + +```dockerfile +ARG IMAGE_NAME="" +ARG PHP_SERVER="" # often same as IMAGE_NAME +ARG BUILD_DATE="" # auto-bumped by gen-dockerfile / CI +ARG LANGUAGE="en_US.UTF-8" +ARG TIMEZONE="America/New_York" +ARG WWW_ROOT_DIR="/usr/local/share/httpd/default" +ARG DEFAULT_FILE_DIR="/usr/local/share/template-files" +ARG DEFAULT_DATA_DIR="/usr/local/share/template-files/data" +ARG DEFAULT_CONF_DIR="/usr/local/share/template-files/config" +ARG DEFAULT_TEMPLATE_DIR="/usr/local/share/template-files/defaults" +ARG PATH="/usr/local/etc/docker/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +ARG USER="root" +ARG SHELL_OPTS="set -e -o pipefail" +ARG SERVICE_PORT="" +ARG EXPOSE_PORTS="" +ARG PHP_VERSION="" +ARG NODE_VERSION="system" +ARG NODE_MANAGER="system" +ARG IMAGE_REPO="/" +ARG IMAGE_VERSION="latest" +ARG CONTAINER_VERSION="" # "USE_DATE" if buildx should auto-add a date tag +ARG PULL_URL="casjaysdev/alpine" # or "alpine", "almalinux/10-init", etc. +ARG DISTRO_VERSION="${IMAGE_VERSION}" +ARG BUILD_VERSION="${BUILD_DATE}" +``` + +`PACK_LIST` lives in the build stage and is the **single most repo-specific value** — it must be complete and accurate for the service stack: + +```dockerfile +ARG PACK_LIST="" +``` + +Build-stage RUN order (alpine): + +1. `COPY ./rootfs/. /` (early, so setup scripts and `/tmp/etc/` are available before package install) +2. `RUN pkmgr update; pkmgr install bash` +3. `RUN` install bash + symlink `/bin/sh` → `bash` (Alpine ships busybox sh) +4. `ENV SHELL="/bin/bash"; SHELL [ "/bin/bash", "-c" ]` +5. `COPY --from=gosu /usr/local/bin/gosu /usr/local/bin/gosu` +6. `RUN` initialize: `mkdir -p` template dirs + `00-init.sh` +7. `RUN` system: rewrite `/etc/apk/repositories` for the right distro version; `apk update && apk upgrade` + `01-system.sh` +8. `RUN` pre-package commands (usually empty) +9. `RUN` install packages from `${PACK_LIST}` via `pkmgr install` +10. `RUN` `02-packages.sh` +11. `COPY ./Dockerfile /root/docker/Dockerfile` (so the image carries its own build recipe) +12. `RUN` updating system files: timezone, nsswitch, php symlinks, .bashrc, `03-files.sh` +13. `RUN` Custom Settings (usually empty placeholder) +14. `RUN` users + `04-users.sh` +15. `RUN` user init (placeholder) +16. `RUN` OS Settings (placeholder) +17. `RUN` Custom Applications (placeholder) +18. `RUN` `05-custom.sh` +19. `RUN` final commands + `06-post.sh` +20. `RUN` cleanup (generic) + `07-cleanup.sh` +21. `RUN echo "Init done"` + +Final stage (`FROM scratch`): + +- ARGs re-declared (scratch needs them); ENVs set; standard LABEL block (URLs, vendor, revision = `${GIT_COMMIT}`); `COPY --from=build /. /`; `VOLUME [ "/config","/data" ]`; `EXPOSE ${SERVICE_PORT} ${ENV_PORTS}`; `STOPSIGNAL SIGRTMIN+3`; `ENTRYPOINT [ "tini", "-p", "SIGTERM", "--", "/usr/local/bin/entrypoint.sh" ]`; `HEALTHCHECK ... CMD [ "/usr/local/bin/entrypoint.sh", "healthcheck" ]`. + +Distro variants: +- **alpine** (default for ~all repos) +- **rhel/almalinux** (for repos that need RHEL packages or systemd) — generated via `gen-dockerfile --dir rhel`. Almost all are still single-stage with `CMD ["/sbin/init"]`. + +Generic Dockerfile bug fixes to apply when migrating any repo (these are upstream gen-dockerfile bugs): +- Missing space before `]`: `[ "$SH_CMD" != "/bin/sh"]` → `[ "$SH_CMD" != "/bin/sh" ]` +- Blank line inside the "Creating and editing system files" RUN block (after `$SHELL_OPTS; \`) — remove the blank line; line continuation is broken otherwise. +- Unindented `echo ""` in the "Custom Settings" and "Custom Applications" RUN blocks — re-indent to ` echo ""`. + +--- + +## 6. .env.scripts fields + +The buildx wrapper (`/usr/local/bin/buildx`) reads `.env.scripts`. Required fields (current names — older field names are deprecated): + +```sh +ENV_DOCKERFILE="Dockerfile" +ENV_REGISTRY_REPO="" # was ENV_IMAGE_NAME +ENV_USE_TEMPLATE="alpine" # or "almalinux", "debian", "ubuntu" +ENV_REGISTRY_ORG="" # was ENV_ORG_NAME; must match the org in ENV_REGISTRY_PUSH +ENV_VENDOR="CasjaysDev" +ENV_AUTHOR="CasjaysDev" +ENV_MAINTAINER="CasjaysDev " +ENV_GIT_REPO_URL="https://github.com//" +ENV_REGISTRY_URL="https://docker.io" # full URL, not bare "docker.io" +ENV_REGISTRY_PUSH="/" # was ENV_IMAGE_PUSH +ENV_IMAGE_TAG="latest" +ENV_ADD_TAGS="" # "USE_DATE" to auto-add YYMM tag +ENV_ADD_IMAGE_PUSH="" +ENV_PULL_URL="" # e.g. "casjaysdev/alpine", "alpine", "almalinux/10-init" +ENV_DISTRO_TAG="${IMAGE_VERSION}" +ENV_PLATFORMS="linux/amd64,linux/arm64" # only emit when overriding the default both-archs +SERVICE_PORT="" +EXPOSE_PORTS="" +LANG_VERSION="" +PHP_VERSION="" +NODE_VERSION="system" +NODE_MANAGER="system" +WWW_ROOT_DIR="/usr/local/share/httpd/default" +DEFAULT_FILE_DIR="/usr/local/share/template-files" +DEFAULT_DATA_DIR="/usr/local/share/template-files/data" +DEFAULT_CONF_DIR="/usr/local/share/template-files/config" +DEFAULT_TEMPLATE_DIR="/usr/local/share/template-files/defaults" +ENV_PACKAGES="" +``` + +`ENV_PACKAGES` and Dockerfile `PACK_LIST` must stay in sync. Single-space separation, no double spaces. + +--- + +## 7. init.d/99-.sh contract + +Each repo's primary init.d script (named `99-.sh` for late ordering, or `09-.sh`/etc. when ordering matters relative to other init.d entries — e.g., php-fpm starts before nginx) defines repo-specific state and calls framework functions defined in `rootfs/usr/local/etc/docker/functions/entrypoint.sh`. Required variable assignments at the top (use the nginx 99-nginx.sh as the reference structure): + +```sh +SERVICE_NAME="" +DATA_DIR="/data/" +CONF_DIR="/config/" +ETC_DIR="/etc/" # or /usr/local/share//config for app-stack repos +TMP_DIR="/tmp/" +RUN_DIR="/run/" +LOG_DIR="/data/logs/" +SERVICE_PORT="" +SERVICE_USER="" # the daemon's run-as user +SERVICE_GROUP="" +EXEC_CMD_BIN='' # e.g., 'nginx', 'mysqld', 'httpd' +EXEC_CMD_ARGS='' # e.g., '-c $ETC_DIR/nginx.conf' +IS_WEB_SERVER="yes|no" +IS_DATABASE_SERVICE="yes|no" +USES_DATABASE_SERVICE="yes|no" +DATABASE_SERVICE_TYPE="" +ADDITIONAL_CONFIG_DIRS="" # extra /config subdirs to seed/symlink +APPLICATION_FILES="..." +APPLICATION_DIRS="$ETC_DIR $CONF_DIR $LOG_DIR $TMP_DIR $RUN_DIR $VAR_DIR" +``` + +Repo-customizable hooks (override the `_local` variants — the framework calls them at the right time): + +- `__run_precopy_local` — before any /config copy +- `__execute_prerun_local` — pre-execution setup +- `__run_pre_execute_checks_local` — final preflight checks +- `__update_conf_files_local` — token replacement in `/etc//*` (use `__replace`/`__find_replace`) +- `__pre_execute_local` — last-mile actions +- `__post_execute_local` — actions in background after service start +- `__pre_message_local` — pre-launch banner +- `__update_ssl_conf_local` — repo-specific SSL handling + +--- + +## 8. Per-repo CLAUDE.md and PLAN.md + +When working on a repo, the agent should: + +1. `cd ` +2. Read `CLAUDE.md` (this file's content, copied) for the spec. +3. Read `PLAN.md` for repo-specific decisions. +4. Read every existing file in the repo before editing it (rule 8). +5. When uncertain about a package/path/option, `WebFetch` the relevant docs (distro for paths, project for content). Never invent. + +`PLAN.md` template (commit this in each repo): + +```markdown +# migration plan + +## Service intent + + +## Service stack +- : ; canonical config at +- : ... + +## Packages (PACK_LIST / ENV_PACKAGES) + + +## Configs to ship in rootfs/tmp/etc/ +- /etc//: ; +- ... + +## /config// layout (user-editable) +- -> symlinked to +- vhosts.d/ -> include /config//vhosts.d/*.conf (optional) + +## init.d/99-.sh +- SERVICE_NAME, EXEC_CMD_BIN, EXEC_CMD_ARGS +- IS_WEB_SERVER / IS_DATABASE_SERVICE / USES_DATABASE_SERVICE +- Repo-specific hooks needed: __update_conf_files_local (replace XYZ), ... + +## 05-custom.sh additions +- Wipe /etc//* and copy from /tmp/etc//. +- Fetch if not present +- Other service-specific install steps + +## Verification (success criteria) +- buildx run Dockerfile succeeds for linux/amd64 + linux/arm64 +- docker run -d -p : ... starts cleanly; logs show no errors +- curl -fsS http://localhost:/ returns the expected response +- /config// is seeded on first run; editing a file there changes service behavior on restart +- (DB repos) connecting with the right CLI client succeeds +- (optional) compared against upstream image (`docker pull :latest && docker history :latest`); upstream image deleted (`docker rmi`) after verification +``` + +--- + +## 9. Migration workflow per repo + +1. Create `/CLAUDE.md` = copy of this `TEMPLATE.md`. +2. Read existing files; assemble the PLAN.md. +3. **Read each file before changing it** (no batch templating). Apply only the changes that PLAN.md identifies. +4. `cd && rm -f .build_failed && buildx run Dockerfile` — fix any build error before moving on. +5. Smoke-test: `docker run --rm -d --name test- -p : /:latest`; wait for healthcheck; `curl` the health/main endpoint; `docker exec` and inspect `/config//`; stop and remove. +6. Commit `CLAUDE.md` and `PLAN.md` to the repo (do NOT commit code changes unless the user has asked — global rule about commits applies). +7. Move to next repo with **no carry-over**: spawn a fresh subagent; do not load prior repo's context. + +--- + +## 10. Anti-patterns (never do) + +- Overwriting `rootfs/root/docker/setup/*.sh` from a generic template — these are per-repo. +- Overwriting `rootfs/usr/local/etc/docker/init.d/*.sh` from a template — per-repo. +- Overwriting `rootfs/tmp/etc//*` — per-repo. +- Overwriting `rootfs/usr/local/share//*` — per-repo (the actual application code). +- Inventing package names, config keys, or service paths — verify with distro/project docs. +- Hardcoding secrets, tokens, internal hostnames (rule 39: every repo is public). +- Skipping the wipe-and-replace step (leaves distro defaults active alongside our config). +- Using a non-optional include for vhosts.d / conf.d (empty dir crashes the service). +- Calling a repo "done" because `buildx` was green; "done" requires the smoke-test passing. diff --git a/Dockerfile b/Dockerfile index cc5ae42..ba191b9 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ # Docker image for bind using the alpine template ARG IMAGE_NAME="bind" ARG PHP_SERVER="bind" -ARG BUILD_DATE="202605051439" +ARG BUILD_DATE="202605101200" ARG LANGUAGE="en_US.UTF-8" ARG TIMEZONE="America/New_York" ARG WWW_ROOT_DIR="/usr/local/share/httpd/default" @@ -14,9 +14,9 @@ ARG PATH="/usr/local/etc/docker/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/us ARG USER="root" ARG SHELL_OPTS="set -e -o pipefail" -ARG SERVICE_PORT="80" -ARG EXPOSE_PORTS="53/tcp 53/udp" -ARG PHP_VERSION="php82" +ARG SERVICE_PORT="53" +ARG EXPOSE_PORTS="53/udp" +ARG PHP_VERSION="none" ARG NODE_VERSION="system" ARG NODE_MANAGER="system" @@ -54,7 +54,7 @@ ARG PHP_SERVER ARG SHELL_OPTS ARG PATH -ARG PACK_LIST="bind bind-tools bind-dnssec-root bind-plugins nginx ${PHP_VERSION}-fpm tor tini shadow " +ARG PACK_LIST="bind bind-tools bind-dnssec-root bind-plugins bash " ENV ENV=~/.profile ENV SHELL="/bin/sh" @@ -102,6 +102,7 @@ RUN echo "Creating and editing system files "; \ echo "http://dl-cdn.alpinelinux.org/alpine/${DISTRO_VERSION}/main" >>"/etc/apk/repositories"; \ echo "http://dl-cdn.alpinelinux.org/alpine/${DISTRO_VERSION}/community" >>"/etc/apk/repositories"; \ if [ "${DISTRO_VERSION}" = "edge" ]; then echo "http://dl-cdn.alpinelinux.org/alpine/${DISTRO_VERSION}/testing" >>"/etc/apk/repositories";fi; \ + apk update; apk upgrade --no-cache; \ if [ -f "/root/docker/setup/01-system.sh" ];then echo "Running the system script";/root/docker/setup/01-system.sh||{ echo "Failed to execute /root/docker/setup/01-system.sh" >&2 && exit 10; };echo "Done running the system script";fi; \ echo "" @@ -132,7 +133,6 @@ RUN echo "Updating system files "; \ pip_bin="$(command -v python3 2>/dev/null || command -v python2 2>/dev/null || command -v python 2>/dev/null || true)"; \ py_version="$(command $pip_bin --version | sed 's|[pP]ython ||g' | awk -F '.' '{print $1$2}' | grep '[0-9]' || true)"; \ [ "$py_version" -gt "310" ] && pip_opts="--break-system-packages " || pip_opts=""; \ - if [ -n "$pip_bin" ];then $pip_bin -m pip install certbot-dns-rfc2136 certbot-dns-duckdns certbot-dns-cloudflare certbot-nginx $pip_opts || true;fi; \ [ -f "/usr/share/zoneinfo/${TZ}" ] && ln -sf "/usr/share/zoneinfo/${TZ}" "/etc/localtime" || true; \ [ -n "$PHP_BIN" ] && [ -z "$(command -v php 2>/dev/null)" ] && ln -sf "$PHP_BIN" "/usr/bin/php" 2>/dev/null || true; \ [ -n "$PHP_FPM" ] && [ -z "$(command -v php-fpm 2>/dev/null)" ] && ln -sf "$PHP_FPM" "/usr/bin/php-fpm" 2>/dev/null || true; \ @@ -146,7 +146,7 @@ RUN echo "Updating system files "; \ RUN echo "Custom Settings"; \ $SHELL_OPTS; \ -echo "" + echo "" RUN echo "Setting up users and scripts "; \ $SHELL_OPTS; \ @@ -163,7 +163,7 @@ RUN echo "Setting OS Settings "; \ RUN echo "Custom Applications"; \ $SHELL_OPTS; \ -echo "" + echo "" RUN echo "Running custom commands"; \ if [ -f "/root/docker/setup/05-custom.sh" ];then echo "Running the custom script";/root/docker/setup/05-custom.sh||{ echo "Failed to execute /root/docker/setup/05-custom.sh" && exit 10; };echo "Done running the custom script";fi; \ diff --git a/PLAN.md b/PLAN.md new file mode 100644 index 0000000..903ace8 --- /dev/null +++ b/PLAN.md @@ -0,0 +1,161 @@ +# bind migration plan + +## Service intent + +ISC BIND9 DNS server in a single Alpine-based container. Serves DNS on tcp/53 + udp/53. Defaults to a **recursive resolver** (any client can query, recursion enabled, forwards to 1.1.1.1 / 8.8.8.8 / 4.4.4.4 with auto DNSSEC validation) but is also wired to operate as an authoritative server: the existing init.d hooks discover zone files dropped under `/data/bind/zones/` and append matching `zone {}` blocks into a generated `/etc/bind/zones.conf`. Volumes: `/config/bind` (user-editable named.conf, secrets, custom.conf overrides) and `/data/bind` (zones, primary/secondary/dynamic/stats subdirs and `/data/logs/bind/*`). One container, one binary, one init.d script. + +## Decision: prune the multi-service stack + +The pre-existing repo had `PACK_LIST="bind bind-tools bind-dnssec-root bind-plugins nginx php82-fpm tor tini shadow"` and four init.d scripts (01-tor, 02-named, 03-nginx, 04-php-fpm). Investigation: + +- No webmin module, no PHP admin app, no custom PHP scripts under `rootfs/usr/local/share/`. The `usr/share/httpd/default/` tree is the generic CasjaysDev landing page, not a bind admin UI. No `.php` file references named/rndc. +- The `tor` package was wired only because the previous `named.conf` had `zone "exit"` and `zone "onion"` forwarders pointing at `127.0.0.1:9053` (Tor's `DNSPort`). Without tor running, those zones return SERVFAIL but do not break startup; we **drop those two zone blocks** to keep the config truthful. +- `nginx` + `php82-fpm` shipped no functional content. They were boilerplate from the casjaysdev template. +- The `aria2` migration confirmed the framework's `__start_init_scripts` only reliably runs the first init.d entry; multi-service stacks require a wrapper. bind has exactly one daemon (`named`), so a single init.d script is the right shape — no wrapper. + +**Outcome: bind-only image.** Dropped packages: `nginx php82-fpm tor shadow` (also `tini` since it's already provided by the Dockerfile's `ENTRYPOINT [ "tini", ... ]` via the casjaysdev/alpine base image). Dropped init.d scripts: `01-tor.sh`, `03-nginx.sh`, `04-php-fpm.sh`. Renamed `02-named.sh` → `99-named.sh` per template spec §7. Dropped `rootfs/tmp/etc/{nginx,php,tor}/`. + +## Service stack + +- DNS server: `bind` Alpine package → `/usr/sbin/named`. Started by `99-named.sh` with `EXEC_CMD_BIN='named'`, `EXEC_CMD_ARGS='-f -u $SERVICE_USER -c $ETC_DIR/named.conf'` (foreground; -u drops privileges to the `named` user that the Alpine package creates). +- DNS tooling: `bind-tools` Alpine package → `/usr/bin/{dig,host,nslookup,named-checkconf,named-checkzone,named-compilezone,named-journalprint,named-rrchecker}`. Used by `__run_pre_execute_checks` (calls `named-checkconf -z`) and the smoke-test (`dig`). +- Root hints: `rootfs/tmp/var/bind/root.cache` (preserved verbatim — IANA root NS list dated Aug 2024). 03-files.sh installs to `/var/bind/root.cache`. +- DNSSEC trust anchor: `rootfs/tmp/etc/bind/bind.keys` (preserved — IANA-published root KSK; matches `dnssec-validation auto`). +- rndc control channel: `rootfs/tmp/etc/bind/rndc.key` (template with `REPLACE_KEY_RNDC` token; the existing `__update_conf_files` hook generates a hmac-sha512 secret on first run). + +## Packages (PACK_LIST / ENV_PACKAGES) + +Verified against `pkgs.alpinelinux.org` (edge / main). + +- `bind` — the named daemon (`/usr/sbin/named`, Alpine package version 9.x). +- `bind-tools` — `dig`, `nslookup`, `host`, `named-checkconf`, `named-checkzone`, etc. Required by `__run_pre_execute_checks` and useful for in-container debugging. +- `bind-dnssec-root` — bundles the IANA root trust anchor (`/usr/share/dnssec-root/`) used when `dnssec-validation auto` (our setting) needs to bootstrap. Pre-existing repo already shipped it; kept. +- `bind-plugins` — provides optional GeoIP / filter-aaaa / filter-a runtime plugins. Pre-existing repo already shipped it; kept (small, ~100 KB, and the named.conf could be extended with `plugin query` lines without a rebuild). +- `bash` — entrypoint and init.d scripts are bash. + +System glue intentionally NOT added to PACK_LIST (already present in `casjaysdev/alpine` base image): `tini`, `tzdata`, `ca-certificates`, `curl`. Verified by reading the existing aria2 PLAN's package strategy (where they ARE explicitly listed because that base image was at the time uncertain to include them; `bind` follows the leaner pattern since the prior failure log shows `tini` install succeeded as a no-op-ish addon — but to keep parity with what worked for aria2, we still list `bash` explicitly so the early `pkmgr install bash` step in the Dockerfile is idempotent). + +Final list: `bind bind-tools bind-dnssec-root bind-plugins bash` (single-space separated). + +## Configs to ship in rootfs/tmp/etc/bind/ + +Wipe-and-replace at build time per template §4. + +- `named.conf` (preserved, edited to drop tor-forward zones): + - `key "rndc-key"`, `key "dhcp-key"`, `key "certbot."`, `key "backup-key"` declarations with `REPLACE_KEY_*` tokens (substituted at runtime by `__update_conf_files`). + - `acl "trusted"` covers RFC1918 + loopback; `acl "all"` is `0.0.0.0/0; ::/0;`. + - `controls { inet 127.0.0.1 allow { trusted; } keys { "rndc-key"; }; };` (rndc only on loopback). + - `options { ... }`: `directory "REPLACE_VAR_DIR"` (→ `/var/bind`), `pid-file "REPLACE_RUN_DIR/named.pid"` (→ `/run/bind/named.pid`), `listen-on { any; }; listen-on-v6 { any; };`, `allow-query { any; }; allow-recursion { any; }; allow-query-cache { any; };`, `forwarders { 1.1.1.1; 8.8.8.8; 4.4.4.4; };`, `dnssec-validation auto;`, `version "9";` (hide real version), `max-cache-size 60m;`, `max-udp-size 4096;`. + - **Removed**: `validate-except { "onion"; "exit"; };` (no tor) and the `zone "exit" / zone "onion"` forward blocks pointing at port 9053. + - `logging { ... }`: per-channel files under `REPLACE_LOG_DIR` (→ `/data/logs/bind`); preserved verbatim. + - `zone "." { type hint; file "REPLACE_VAR_DIR/root.cache"; };` (root hints). + - `include "REPLACE_ETC_DIR/zones.conf";` (the existing init.d generates this file from `/data/bind/zones/*` — optional include so missing/empty file does not crash). +- `rndc.key` (preserved): single `key "rndc-key"` block with `REPLACE_KEY_RNDC` token. +- `bind.keys` (preserved): IANA root KSK trust anchor. + +`rootfs/tmp/var/bind/root.cache` (preserved): IANA root nameservers list. 03-files.sh installs to `/var/bind/root.cache`. The init.d's `__update_conf_files` also copies from `/usr/local/share/bind/data/root.cache` (already present at `rootfs/usr/local/share/bind/data/root.cache`) into `$VAR_DIR` if missing. + +## /config/bind/ layout (user-editable) + +Framework's `__initialize_system_etc` symlinks every file under `/config/bind/` back to its `/etc/bind/` peer at runtime. + +- `/config/bind/named.conf` → `/etc/bind/named.conf` (the running named reads `/etc/bind/named.conf` since the wipe-and-replace plus the `__init_config_etc` symlinking points them at the same content). +- `/config/bind/rndc.key` → `/etc/bind/rndc.key`. +- `/config/bind/bind.keys` → `/etc/bind/bind.keys`. +- `/config/bind/secrets/{rndc,dhcp,backup,certbot}.key` (created by the existing `__update_conf_files` hook on first run; persists rotated keys). +- `/config/bind/keys/` (managed-keys-directory). +- `/config/bind/custom.conf` (optional) — if present, overrides `named.conf` entirely (the existing hook does `cp -f $CONF_DIR/custom.conf $NAMED_CONFIG_FILE`). Lets a user paste a hand-written named.conf without editing the templated one. +- `/config/env/named.sh`, `/config/env/named.local.sh` — per-service env overrides (DNS_TYPE, DNS_SERVER_PRIMARY/SECONDARY/TRANSFER_IP, KEY_*, etc.). The hook auto-creates a stub on first boot. + +`/data/bind/` (runtime + user-editable zones): +- `/data/bind/zones/.zone` — drop-in zone files; the init.d's `__pre_execute` discovers them and appends `zone "" { type master; ... }` blocks into `/etc/bind/zones.conf`. +- `/data/bind/remote/.zone` — pre-formatted slave/forward zone block snippets that get concatenated into `zones.conf` directly (with `REPLACE_VAR_DIR` substitution). +- `/data/logs/bind/{debug.run,querylog.log,security.log,xfer.log,update.log,notify.log,client.log,default.log,general.log,database.log}` — per-channel logs, `chmod 777` by the hook so the dropped-privileges `named` user can write. +- `/var/bind/{primary,secondary,dynamic,stats}/` — runtime-managed data dirs. + +## init.d/99-named.sh + +Renamed from `02-named.sh` (per template §2/§7: 99- prefix is the canonical late-ordering name; works with the framework's `__start_init_scripts` which iterates `init.d/*.sh` lexicographically). + +Variables (all preserved from the existing 02-named.sh): +- `SERVICE_NAME="named"` (binary name, used for PID file `/run/init.d/named.pid` and `__proc_check`). +- `EXEC_CMD_BIN='named'` (resolved to `/usr/sbin/named` by the framework's `type -P` lookup). +- `EXEC_CMD_ARGS='-f -u $SERVICE_USER -c $ETC_DIR/named.conf'` — `-f` foreground (PID supervision), `-u named` drops privileges, `-c` points at our config. +- `SERVICE_USER="named"`, `SERVICE_GROUP="named"` (the Alpine `bind` package creates uid 100 / gid 101 — **04-users.sh leaves this to the package**). +- `RUNAS_USER="root"` (init.d script runs as root so it can chown `/etc/bind`, `/var/bind`, `/data/logs/bind` to `named:named` before exec). +- `SERVICE_PORT="53"`, `WWW_ROOT_DIR="/usr/local/share/httpd/default"` (unused but kept for framework parity). +- `IS_WEB_SERVER="no"`, `IS_DATABASE_SERVICE="no"`, `USES_DATABASE_SERVICE="no"`, `DATABASE_SERVICE_TYPE="sqlite"`. +- `DATA_DIR="/data/bind"`, `CONF_DIR="/config/bind"`, `ETC_DIR="/etc/bind"`, `VAR_DIR="/var/bind"`, `TMP_DIR="/tmp/bind"`, `RUN_DIR="/run/bind"`, `LOG_DIR="/data/logs/bind"`. + +Hooks (preserved in 02-named.sh, reused intact): +- `__update_conf_files` — generates rndc / dhcp / backup / certbot keys via `tsig-keygen` (or reads from `/config/bind/secrets/*.key`), substitutes `REPLACE_KEY_RNDC/DHCP/BACKUP/CERTBOT`, `REPLACE_DNS_SERVER_TRANSFER_IP`, ensures `$VAR_DIR/root.cache` exists. +- `__pre_execute` — auto-generates a default zone block + zone file for `$HOSTNAME` if `/data/bind/zones/` is empty, then iterates `/data/bind/zones/*` to append zone declarations into `/etc/bind/zones.conf`. +- `__run_pre_execute_checks` — `chown -Rf named:named /etc/bind /var/bind /data/logs/bind` then `named-checkconf -z` against the assembled config; aborts startup if it fails. +- `__post_execute` — sleeps then logs (no functional commands). + +## Setup script changes + +`02-packages.sh` (already correct, edited only to drop dead lines): +```sh +rm -Rf "/etc/bind"/* "/var/bind"/* +mkdir -p "/etc/bind/keys" "/var/bind/zones" "/var/bind/primary" \ + "/var/bind/secondary" "/var/bind/stats" "/var/bind/dynamic" +``` +(Dropped: `rm -Rf /etc/tor/*`, `rm -Rf /etc/nginx/*`, `rm -Rf /etc/php*/*`, `rm -Rf /etc/named.*` — that last one was a stray, the Alpine package never installs `/etc/named.*`.) + +`05-custom.sh` — gains the wipe-and-replace block per template §4: +```sh +if [ -d "/tmp/etc/bind" ]; then + rm -Rf "/etc/bind"/* + cp -Rf "/tmp/etc/bind/." "/etc/bind/" +fi +mkdir -p /run/bind /data/logs/bind /var/bind +chown -Rf named:named /etc/bind /var/bind 2>/dev/null || true +``` +(Belt + suspenders: 02-packages already wipes /etc/bind before tmp/etc/bind is overlaid, but the explicit block makes the intent visible and tolerates rebuilds where 03-files.sh order changes.) + +`07-cleanup.sh` — drop the `/var/bind` wipe (it deletes the root.cache we just installed). Keep `/var/named` wipe (Alpine doesn't use that path; harmless). + +`00-init.sh`, `01-system.sh`, `03-files.sh`, `04-users.sh`, `06-post.sh` — left as-is. The `bind` Alpine package already creates the named user (uid 100 / gid 101 confirmed via `docker run --rm alpine:edge sh -c 'apk add bind && getent passwd named'`). + +## Files to delete + +- `rootfs/usr/local/etc/docker/init.d/01-tor.sh` +- `rootfs/usr/local/etc/docker/init.d/03-nginx.sh` +- `rootfs/usr/local/etc/docker/init.d/04-php-fpm.sh` +- `rootfs/usr/local/etc/docker/init.d/02-named.sh` (replaced by `99-named.sh`) +- `rootfs/tmp/etc/nginx/` (entire dir) +- `rootfs/tmp/etc/php/` (entire dir) +- `rootfs/tmp/etc/tor/` (entire dir) + +## Dockerfile changes + +Surgical edits: +- `BUILD_DATE="202605101200"` (today, 2026-05-10). +- `SERVICE_PORT="53"` (was `"80"` — fixes the EXPOSE so DNS port is the primary advertised one). +- `EXPOSE_PORTS="53/udp"` (was `"53/tcp 53/udp"` — `SERVICE_PORT` is already 53/tcp via `EXPOSE ${SERVICE_PORT}`; we only need to add the udp variant). +- `PHP_VERSION="none"` (was `"php82"` — no PHP). +- `PACK_LIST="bind bind-tools bind-dnssec-root bind-plugins bash "` (was the multi-service list; trailing space preserved per template convention). +- Fix the upstream gen-dockerfile bug `[ "$SH_CMD" != "/bin/sh"]` → `[ "$SH_CMD" != "/bin/sh" ]` (missing space). + +## .env.scripts changes + +- `SERVICE_PORT="53"`. +- `EXPOSE_PORTS="53/udp"`. +- `PHP_VERSION="none"`. +- `ENV_PACKAGES="bind bind-tools bind-dnssec-root bind-plugins bash"` (mirrors PACK_LIST minus trailing space, single-space separated). + +## Verification (success criteria) + +1. `cd /root/Projects/github/casjaysdevdocker/bind && rm -f .build_failed && buildx run Dockerfile` succeeds for both `linux/amd64` and `linux/arm64`. +2. `docker run -d --rm --name test-bind -p 15353:53/udp -p 15353:53/tcp docker.io/casjaysdevdocker/bind:latest` boots; after ~25s `docker ps --filter name=test-bind --format '{{.Status}}'` shows `Up ... (healthy)` (healthcheck framework returns OK once init.d PID files exist). +3. `docker exec test-bind sh -c 'netstat -tnlp 2>/dev/null; netstat -unlp 2>/dev/null'` shows `named` (or `/usr/sbin/named`) bound to `0.0.0.0:53` on both tcp and udp. +4. `dig @127.0.0.1 -p 15353 +short . NS` (host-side, with `bind-tools`/`dnsutils` installed) returns the 13 root nameservers (recursion path through forwarders works). +5. `dig @127.0.0.1 -p 15353 +short google.com A` returns at least one A record. +6. `docker exec test-bind ls /config/bind/ /data/bind/` confirms `/config/bind/` (named.conf, secrets/, keys/) and `/data/bind/` (zones/, primary/, secondary/, stats/) are seeded. +7. `docker logs test-bind 2>&1 | tail -30` shows no FATAL or "exiting" errors; `named-checkconf -z` passed. +8. `docker stop test-bind`. + +## Rollback + +Code changes can be reverted via `git checkout -- rootfs/ Dockerfile .env.scripts`. New files (PLAN.md, CLAUDE.md, 99-named.sh) tracked separately. The deleted init.d scripts (01-tor.sh, 03-nginx.sh, 04-php-fpm.sh) and tmp/etc/{nginx,php,tor}/ remain in git history. diff --git a/README.md b/README.md index 3134f7e..5fa3f9a 100644 --- a/README.md +++ b/README.md @@ -19,17 +19,18 @@ dockermgr update bind ## Install and run container ```shell -mkdir -p "$HOME/.local/share/srv/docker/bind/volumes" +dockerHome="/var/lib/srv/$USER/docker/casjaysdevdocker/bind/bind/latest/rootfs" +mkdir -p "/var/lib/srv/$USER/docker/bind/rootfs" git clone "https://github.com/dockermgr/bind" "$HOME/.local/share/CasjaysDev/dockermgr/bind" -cp -Rfva "$HOME/.local/share/CasjaysDev/dockermgr/bind/rootfs/." "$HOME/.local/share/srv/docker/bind/volumes/" +cp -Rfva "$HOME/.local/share/CasjaysDev/dockermgr/bind/rootfs/." "$dockerHome/" docker run -d \ --restart always \ --privileged \ ---name casjaysdevdocker-bind \ +--name casjaysdevdocker-bind-latest \ --hostname bind \ -e TZ=${TIMEZONE:-America/New_York} \ --v "$HOME/.local/share/srv/docker/casjaysdevdocker-bind/volumes/data:/data:z" \ --v "$HOME/.local/share/srv/docker/casjaysdevdocker-bind/volumes/config:/config:z" \ +-v "$dockerHome/data:/data:z" \ +-v "$dockerHome/config:/config:z" \ -p 80:80 \ casjaysdevdocker/bind:latest ``` @@ -46,8 +47,8 @@ services: - TZ=America/New_York - HOSTNAME=bind volumes: - - "$HOME/.local/share/srv/docker/casjaysdevdocker-bind/volumes/data:/data:z" - - "$HOME/.local/share/srv/docker/casjaysdevdocker-bind/volumes/config:/config:z" + - "/var/lib/srv/$USER/docker/casjaysdevdocker/bind/bind/latest/rootfs/data:/data:z" + - "/var/lib/srv/$USER/docker/casjaysdevdocker/bind/bind/latest/rootfs/config:/config:z" ports: - 80:80 restart: always diff --git a/rootfs/root/docker/setup/02-packages.sh b/rootfs/root/docker/setup/02-packages.sh index bb8a01c..79d3681 100755 --- a/rootfs/root/docker/setup/02-packages.sh +++ b/rootfs/root/docker/setup/02-packages.sh @@ -31,14 +31,9 @@ exitCode=0 # - - - - - - - - - - - - - - - - - - - - - - - - - # Main script -# wipe package-installed configs so the rootfs ones in /tmp/etc/* are -# the only files that end up under /etc// after 03-files.sh runs. -rm -Rf /etc/tor/* -rm -Rf /etc/nginx/* -rm -Rf /etc/php*/* -rm -Rf /etc/bind.* /etc/named.* +# wipe package-installed bind defaults so the rootfs ones in /tmp/etc/bind/ +# are the only files that end up under /etc/bind/ after 03-files.sh runs. rm -Rf "/etc/bind"/* "/var/bind"/* -rm -Rf "/etc/named"/* "/var/named"/* mkdir -p "/etc/bind/keys" "/var/bind/zones" "/var/bind/primary" "/var/bind/secondary" "/var/bind/stats" "/var/bind/dynamic" # - - - - - - - - - - - - - - - - - - - - - - - - - # Set the exit code diff --git a/rootfs/root/docker/setup/05-custom.sh b/rootfs/root/docker/setup/05-custom.sh index 0e83421..50d52ed 100755 --- a/rootfs/root/docker/setup/05-custom.sh +++ b/rootfs/root/docker/setup/05-custom.sh @@ -31,6 +31,19 @@ exitCode=0 # - - - - - - - - - - - - - - - - - - - - - - - - - # Main script +# wipe-and-replace per template §4: ensure /etc/bind contains ONLY our +# optimized config. 02-packages.sh + 03-files.sh already do this; the +# block below makes the intent explicit and survives reorderings. +if [ -d "/tmp/etc/bind" ]; then + rm -Rf "/etc/bind"/* + cp -Rf "/tmp/etc/bind/." "/etc/bind/" +fi +# Runtime dirs that named needs to exist on first boot (the init.d +# script will recreate these too, but pre-creating avoids a chown -R +# failure on a missing dir during __run_pre_execute_checks). +mkdir -p /run/bind /data/logs/bind /var/bind/primary /var/bind/secondary \ + /var/bind/stats /var/bind/dynamic /var/bind/zones +chown -Rf named:named /etc/bind /var/bind 2>/dev/null || true # - - - - - - - - - - - - - - - - - - - - - - - - - # Set the exit code diff --git a/rootfs/root/docker/setup/07-cleanup.sh b/rootfs/root/docker/setup/07-cleanup.sh index 783e202..d12bcd6 100755 --- a/rootfs/root/docker/setup/07-cleanup.sh +++ b/rootfs/root/docker/setup/07-cleanup.sh @@ -33,7 +33,7 @@ exitCode=0 # Predefined actions if [ -d "/tmp" ]; then rm -Rf "/tmp"/*; fi if [ -d "$HOME/.cache" ]; then rm -Rf "$HOME/.cache"; fi -if [ -d "/var/bind" ]; then rm -Rf "/var/bind"/*; fi +# DO NOT wipe /var/bind here - it holds root.cache which named needs at boot. if [ -d "/var/named" ]; then rm -Rf "/var/named"/*; fi # - - - - - - - - - - - - - - - - - - - - - - - - - # Main script diff --git a/rootfs/tmp/etc/bind/named.conf b/rootfs/tmp/etc/bind/named.conf index f81da4b..7b76f25 100644 --- a/rootfs/tmp/etc/bind/named.conf +++ b/rootfs/tmp/etc/bind/named.conf @@ -60,7 +60,6 @@ options { allow-query-cache { any; }; auth-nxdomain no; dnssec-validation auto; - validate-except { "onion"; "exit"; }; forwarders { 1.1.1.1; 8.8.8.8; 4.4.4.4; }; }; ##################################################################### @@ -103,19 +102,6 @@ zone "." { }; # ********** end root info ********** ##################################################################### -# ********** begin tor forwarding ********** -zone "exit" { - type forward; - forward only; - forwarders { 127.0.0.1 port 9053; }; -}; -zone "onion" { - type forward; - forward only; - forwarders { 127.0.0.1 port 9053; }; -}; -# ********** end tor forwarding ********** -##################################################################### # ********** begin imports ********** include "REPLACE_ETC_DIR/zones.conf"; # ********** end imports info ********** diff --git a/rootfs/usr/local/bin/entrypoint.sh b/rootfs/usr/local/bin/entrypoint.sh index 54e8d6d..c013fef 100755 --- a/rootfs/usr/local/bin/entrypoint.sh +++ b/rootfs/usr/local/bin/entrypoint.sh @@ -451,12 +451,12 @@ if [ -f "$ENTRYPOINT_PID_FILE" ]; then # PID file exists but process is dead - this is a restart START_SERVICES="yes" # Clean any stale PID files on restart - rm -f /run/.start_init_scripts.pid /run/init.d/*.pid /run/*.pid 2>/dev/null || true + rm -f /run/__start_init_scripts.pid /run/init.d/*.pid /run/*.pid 2>/dev/null || true fi else START_SERVICES=yes # Clean any stale PID files on first run - rm -f /run/.start_init_scripts.pid /run/init.d/*.pid /run/*.pid 2>/dev/null || true + rm -f /run/__start_init_scripts.pid /run/init.d/*.pid /run/*.pid 2>/dev/null || true fi # - - - - - - - - - - - - - - - - - - - - - - - - - [ "$ENTRYPOINT_MESSAGE" = "yes" ] && __printf_space "40" "The containers ip address is:" "$CONTAINER_IP4_ADDRESS"