Merge remote-tracking branch 'origin/master' into defer-wip

CZ-NIC · Dec 4, 2024 · 7f643e0 · 7f643e0
2 parents 8fc9d26 + 84fa76b
commit 7f643e0
Show file tree

Hide file tree

Showing 47 changed files with 1,213 additions and 156 deletions.
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -197,25 +197,111 @@ build:macOS:
     - pip3 install -U requests
     - python3 ./ci/gh_actions.py ${CI_COMMIT_REF_NAME} ${CI_COMMIT_SHA}
 
-docker:
+.docker: &docker
   <<: *nodep
-  stage: build
+  except: null
   image: docker:latest
+  variables:
+    DOCKER_HUB_REGISTRY: cznic/knot-resolver
+    GITLAB_REGISTRY: ${CI_REGISTRY}/knot/knot-resolver/cross-platform
+  tags:
+    - amd64
+    - dind
+
+docker:build:
+  <<: *docker
   <<: *multi_platform
-  only:
-    refs:
-      - branches@knot/knot-resolver
+  stage: build
+  except:
+    - tags
+  script:
+    - docker buildx build --no-cache -t knot-resolver:${PLATFORM} .
+  after_script:
+    - docker rmi --force knot-resolver:${PLATFORM}
+    - docker rmi $(docker images -f "dangling=true" -q)
   tags:
     - ${PLATFORM}
     - dind
-  variables:
-    DOCKER_IMAGE_NAME: knot-resolver-test:${CI_COMMIT_SHA}
+
+docker:build:cross-platform:
+  <<: *docker
+  stage: build
+  only:
+    - master@knot/knot-resolver
+    - tags
+  before_script:
+    - >
+      docker buildx create
+      --name kres-builder
+      --driver docker-container
+      --bootstrap --use
+    - echo "$CI_REGISTRY_PASSWORD" | docker login $CI_REGISTRY -u $CI_REGISTRY_USER --password-stdin
   script:
-    - docker build --no-cache -t ${DOCKER_IMAGE_NAME} .
-    # TODO: perhaps try if the running image answers queries
-  after_script:  # remove dangling images to avoid running out of disk space
-    - docker rmi ${DOCKER_IMAGE_NAME}
-    - docker rmi $(docker images -f "dangling=true" -q)
+    - >
+      docker buildx build
+      --no-cache
+      --platform linux/amd64,linux/arm64/v8,linux/arm/v7
+      --provenance=false
+      --pull
+      --push
+      --tag ${GITLAB_REGISTRY}:${CI_COMMIT_REF_NAME}
+      .
+
+docker:test:cross-platform:
+  <<: *docker
+  <<: *multi_platform
+  stage: test
+  only:
+    - tags
+    - master@knot/knot-resolver
+  needs:
+    - docker:build:cross-platform
+  image:
+    name: ${GITLAB_REGISTRY}:${CI_COMMIT_REF_NAME}
+    entrypoint: [""]
+  before_script:
+    - apt-get update
+    - apt-get -y install knot-dnsutils curl git
+    - /usr/bin/knot-resolver -c /etc/knot-resolver/config.yaml > knot-resolver.log &
+  script:
+    # check that the resolver responds to queries
+    - kdig nic.cz @localhost#53
+    - kdig +tcp nic.cz @localhost#53
+    - kdig +tls nic.cz @localhost#853
+    - kdig +https nic.cz @localhost#443
+    # run some packaging tests
+    - tests/packaging/kresctl.sh
+    - tests/packaging/interactive/etag.sh
+    - tests/packaging/interactive/schema.sh
+    - tests/packaging/interactive/reload.sh
+    - tests/packaging/interactive/metrics.sh
+    - tests/packaging/interactive/cache-clear.sh
+    - tests/packaging/interactive/workers.sh
+    - kresctl stop
+  artifacts:
+    when: always
+    paths:
+      - knot-resolver.log
+  tags:
+    - docker
+    - ${PLATFORM}
+
+dockerhub:deploy:
+  <<: *docker
+  stage: deploy
+  when: manual
+  only:
+    - tags
+  needs:
+    - docker:test:cross-platform
+  before_script:
+    - echo "$DOCKER_HUB_TOKEN" | docker login -u $DOCKER_HUB_USER --password-stdin
+  script:
+    - >
+      docker buildx imagetools create
+      -t ${DOCKER_HUB_REGISTRY}:${CI_COMMIT_REF_NAME}
+      -t ${DOCKER_HUB_REGISTRY}:6
+      ${GITLAB_REGISTRY}:${CI_COMMIT_REF_NAME}
 # }}}
 
 # sanity {{{
@@ -576,7 +662,7 @@ obs:trigger: &obs_trigger
     - source ./venv/bin/activate
     - pip install --upgrade pip
     - pip install apkg
-    - scripts/make-obs.sh
+    - scripts/ci/make-obs.sh
     - echo y | scripts/ci/build-in-obs.sh $OBS_REPO
 
 obs:release:
@@ -618,6 +704,8 @@ obs:odvr:
     - apkg info cache | grep archive/dev
     - apkg install --build-dep
     - apkg test --test-dep
+  after_script:
+    - journalctl -u knot-resolver.service
   artifacts:
     expire_in: 1 week
     paths:
@@ -668,6 +756,10 @@ pkg:debian-11:
   <<: *enable_repo_build
   image: $CI_REGISTRY/packaging/apkg/full/debian-11
 
+pkg:ubuntu-24.10:
+  <<: *pkg_test_deb
+  image: $CI_REGISTRY/packaging/apkg/full/ubuntu-24.10
+
 pkg:ubuntu-24.04:
   <<: *pkg_test_deb
   image: $CI_REGISTRY/packaging/apkg/full/ubuntu-24.04
@@ -682,28 +774,28 @@ pkg:ubuntu-20.04:
   <<: *enable_repo_build
   image: $CI_REGISTRY/packaging/apkg/full/ubuntu-20.04
 
-pkg:fedora-40:
+pkg:fedora-41:
   <<: *pkg_test
-  image: $CI_REGISTRY/packaging/apkg/full/fedora-40
+  image: $CI_REGISTRY/packaging/apkg/full/fedora-41
 
-pkg:fedora-39:
+pkg:fedora-40:
   <<: *pkg_test
-  image: $CI_REGISTRY/packaging/apkg/full/fedora-39
+  image: $CI_REGISTRY/packaging/apkg/full/fedora-40
 
 pkg:alma-9:
   <<: *pkg_test
   image: $CI_REGISTRY/packaging/apkg/full/alma-9
+  before_script:
+    # python-watchdog is not included in the official Alma 9 packages
+    # install it using PyPi just for testing
+    - pip3 install watchdog
 
 pkg:arch:
   <<: *pkg_test_user
-  image: $CI_REGISTRY/packaging/apkg/test/arch
-  tags:
-    - docker
-    - linux
-    - amd64
+  image: $CI_REGISTRY/packaging/apkg/full/arch
   before_script:
-    - pacman -Syy
-    - pip install apkg
+    # prometheus and watchdog are optional dependencies, but our `apkg test` needs them
+    - pacman -Syu --noconfirm python-prometheus_client python-watchdog
 
 # RHEL 8 derivatives would need more work due to *default* python being old
 #pkg:rocky-8:

diff --git a/AUTHORS b/AUTHORS
@@ -21,6 +21,7 @@ Daniel Salzman <[email protected]>
 daurnimator <[email protected]>
 David Beitey <[email protected]>
 Felix Yan <[email protected]>
+Frantisek Tobias <[email protected]>
 Grigorii Demidov <[email protected]>
 Hasnat <[email protected]>
 Héctor Molinero Fernández <[email protected]>
@@ -45,6 +46,7 @@ Lukáš Ježek <[email protected]>
 Lukáš Ondráček <[email protected]>
 Manu Bretelle <[email protected]>
 Marek Vavruša <[email protected]>
+menakite <[email protected]>
 Michal Karm Babáček <[email protected]>
 Michal Lupečka <[email protected]>
 Ondřej Surý <[email protected]>

diff --git a/Dockerfile b/Dockerfile
@@ -6,7 +6,6 @@ FROM debian:12 AS build
 ENV OBS_REPO=knot-resolver-latest
 ENV DISTROTEST_REPO=Debian_12
 
-
 RUN apt-get update -qq && \
 	apt-get -qqq -y install \
 		apt-transport-https ca-certificates wget \
@@ -25,10 +24,19 @@ RUN cd /source && \
 	git submodule update --init --recursive && \
 	git config --global user.name "Docker Build" && \
 	git config --global user.email docker-build@knot-resolver && \
+	\
+	# Replace 'knot-resolver' user and group with 'root'
+	# in meson_options.tx and python/knot_resolver/constants.py.
+	# This is needed for the file/directory permissions validation
+	# and then for the proper functioning of the resolver.
+	sed s/knot-resolver/root/g -i meson_options.txt && \
+	sed 's/USER.*/USER = "root"/g' -i python/knot_resolver/constants.py && \
+	sed 's/GROUP.*/GROUP = "root"/g' -i python/knot_resolver/constants.py && \
+	git commit -a -m TMP && \
+	\
 	/root/.local/bin/apkg build-dep -y && \
 	/root/.local/bin/apkg build
 
-
 # Real container
 FROM debian:12-slim AS runtime
 
@@ -56,16 +64,20 @@ RUN apt-get install -y /pkg/*/*.deb && \
 	apt-get remove -y -qq curl gnupg2 && \
 	apt-get autoremove -y && \
 	apt-get clean && \
-	rm -rf /var/lib/apt/lists/* && \
-	mkdir /config
+	rm -rf /var/lib/apt/lists/*
 
-COPY etc/config/config.example.docker.yaml /config/config.yaml
+COPY etc/config/config.example.docker.yaml /etc/knot-resolver/config.yaml
 
 LABEL cz.knot-resolver.vendor="CZ.NIC"
 LABEL maintainer="[email protected]"
 
 # Export plain DNS, DoT, DoH and management interface
 EXPOSE 53/UDP 53/TCP 443/TCP 853/TCP 5000/TCP
 
+# Prepare shared config
+VOLUME /etc/knot-resolver
+# Prepare shared cache
+VOLUME /var/cache/knot-resolver
+
 ENTRYPOINT ["/usr/bin/knot-resolver"]
-CMD ["-c", "/config/config.yaml"]
+CMD ["-c", "/etc/knot-resolver/config.yaml"]
diff --git a/NEWS b/NEWS
@@ -1,16 +1,23 @@
-Knot Resolver 6.0.9 (2024-mm-dd)
+Knot Resolver 6.0.10 (202y-mm-dd)
 ================================
 
-Incompatible changes
---------------------
-- -f/--forks is removed (#631, !1602)
+Improvements
+------------
+- avoid multiple log lines when IPv6 isn't available (!1633)
+- manager: fix startup on Linux without libsystemd (!1608)
+- auto-reload TLS certificate files (!1626)
+
+
+Knot Resolver 6.0.9 (2024-11-11)
+================================
 
 Improvements
 ------------
 
+- rate-limiting: add these options, mechanism, docs (!1624)
 - manager: secret for TLS session resumption via ticket (RFC5077) (!1567)
 
-  The manager creates and sets the secret for all running 'kresd' workers.
+  The manager creates and sets the secret for all running ``kresd`` workers.
   The secret is created automatically if the user does not configure their own secret in the configuration.
   This means that the workers will be able to resume each other's TLS sessions, regardless of whether the user has configured it to do so.
 
@@ -20,6 +27,10 @@ Improvements
 - extended_errors: answer with EDE in more cases (!1585, !1588, !1590, !1592)
 - local-data: make DNAMEs work, i.e. generate CNAMEs (!1609)
 - daemon: use connected UDP sockets by default (#326, !1618)
+- docker: multiplatform builds (#922, !1623)
+- docker: shared VOLUMEs are prepared for configuration and cache (!1625, !1627)
+
+  Configuration path was changed to standard ``/etc/knot-resolver/config.yaml``.
 
 Bugfixes
 --------
@@ -29,6 +40,7 @@ Bugfixes
 
 Incompatible changes
 --------------------
+- -f/--forks is removed (#631, !1602)
 - gnutls < 3.4 support is dropped, released over 9 years ago (!1601)
 - libuv < 1.27 support is dropped, released over 5 years ago (!1618)
 
@@ -40,8 +52,8 @@ Security
 --------
 - reduce buffering of transmitted data, especially TCP-based in userspace
   Also expose some of the new tweaks in lua:
-   (require 'ffi').C.the_worker.engine.net.tcp.user_timeout = 1000
-   (require 'ffi').C.the_worker.engine.net.listen_{tcp,udp}_buflens.{snd,rcv}
+  - (require 'ffi').C.the_worker.engine.net.tcp.user_timeout = 1000
+  - (require 'ffi').C.the_worker.engine.net.listen_{tcp,udp}_buflens.{snd,rcv}
 
 Packaging
 ---------
@@ -69,12 +81,11 @@ Improvements
 ------------
 - TLS (DoT, DoH): respect crypto policy overrides in OS (!1526)
 - manager: export metrics to JSON via management HTTP API (!1527)
-  * JSON is the new default metrics output format
-  * the ``prometheus-client`` Python package is now an optional dependency,
-    required only for Prometheus export to work
+  - JSON is the new default metrics output format
+  - the ``prometheus-client`` Python package is now an optional dependency, required only for Prometheus export to work
 - cache: prefetching records
-  * predict module: prefetching expiring records moved to prefetch module
-  * prefetch module: new module to prefetch expiring records
+  - predict module: prefetching expiring records moved to prefetch module
+  - prefetch module: new module to prefetch expiring records
 - stats: add separate metrics for IPv6 and IPv4 (!1545)
 - add the fresh DNSSEC root key "KSK-2024" already, Key ID 38696 (!1556)
 - manager: policy-loader: new component for separate loading of policy rules (!1540)