From 4666aae8ace4d578dc859de36e8e4c66d7913001 Mon Sep 17 00:00:00 2001 From: Warren Kumari Date: Thu, 5 Jan 2017 22:09:26 -0500 Subject: [PATCH] Added more documentation, GKE service files, stubby configs. --- README.md | 98 ++++++++++++++++++++++++++- gke/README.md | 26 +++++++ gke/dprive-nginx-bind-deployment.yaml | 30 ++++++++ gke/dprive-nginx-bind-service.yaml | 21 ++++++ stubby_configs/README.md | 11 +++ stubby_configs/stubby-aws.conf | 16 +++++ stubby_configs/stubby-gce-443.conf | 17 +++++ stubby_configs/stubby-gce.conf | 16 +++++ stubby_configs/stubby-snozzages.conf | 16 +++++ 9 files changed, 249 insertions(+), 2 deletions(-) create mode 100644 gke/README.md create mode 100644 gke/dprive-nginx-bind-deployment.yaml create mode 100644 gke/dprive-nginx-bind-service.yaml create mode 100644 stubby_configs/README.md create mode 100644 stubby_configs/stubby-aws.conf create mode 100644 stubby_configs/stubby-gce-443.conf create mode 100644 stubby_configs/stubby-gce.conf create mode 100644 stubby_configs/stubby-snozzages.conf diff --git a/README.md b/README.md index 2c6f583..9aac0b7 100644 --- a/README.md +++ b/README.md 
@@ -7,7 +7,9 @@ This Docker container implements a [DPRIVE](https://datatracker.ietf.org/wg/dpri It listens on both the official DPRIVE port (853), and also on port 443 (as a test / proof-of-concept). -The container builds on both Ubuntu 16.04 and OS X Sierra, and deploys on Ubuntu, Google +The container builds on both Ubuntu 16.04 and OS X Sierra, and have been tested deployed on Ubuntu, Amazon AWS EC2 Container Service and [Google Container Engine (GKE)](https://cloud.google.com/container-engine/). The `gke` direcotry contains the YAML files I use to start this on GKE. + +The `stubby_configs` directory contains configurations for using this with [getdns](http://getdnsapi.net/) [Stubby](https://portal.sinodun.com/wiki/display/TDNS/DNS+Privacy+daemon+-+Stubby). ### Known issues / limitations This Dockerfile is based on Ubuntu and uses the Ubuntu BIND and NGINX packages. When I have more time, I'm planning on making new images which builds BIND and NGINX instead of using the packages. @@ -28,7 +30,7 @@ This Dockerfile is based on Ubuntu and uses the Ubuntu BIND and NGINX packages. #### Usage - +##### Docker Start: docker-compose up -d 
@@ -40,6 +42,32 @@ Stop: Attach to container: docker exec -it compose_dprive-nginx-bind_1 bash + +##### Google Container Engine +Starting deploymment and service: + +``` +$ kubectl create -f dprive-nginx-bind-deployment.yaml +$ kubectl create -f dprive-nginx-bind-service.yaml +``` + +Checking: + +``` +$ kubectl get deployment dprive-nginx-bind +NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE +dprive-nginx-bind 1 1 1 1 3d +$ kubectl get service dprive-nginx-bind +NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE +dprive-nginx-bind 10.3.242.209 104.196.153.172 853/TCP,443/TCP 8m +``` + +Stopping: + +``` +$ kubectl delete service dprive-nginx-bind-service +$ kubectl delete deployment dprive-nginx-bind-deployment +``` #### Client Included in `stubby-snozzages.conf` is a [Stubby] (https://portal.sinodun.com/wiki/display/TDNS/DNS+Privacy+daemon+-+Stubby) config file to talk to a test container which I'm running. Generating the `tls_pubkey_pinset` is a little tricky. Here is the cheat: 
@@ -48,6 +76,72 @@ Included in `stubby-snozzages.conf` is a [Stubby] (https://portal.sinodun.com/wi openssl dgst -sha256 -hex public.key | awk -F '= ' '{print "0x"$2}' +##### Example: + +Client (I add `nameserver 127.0.0.1` to `/etc/resolv.conf`) + +``` +$ sudo ./bin/stubby -C ./etc/stubby-gce.conf +[02:58:20.629838] => ENTRY: _getdns_submit_stub_request : MSG: 0x7fd32e802008 TYPE: 1 +[02:58:20.631413] --- SETUP: upstream_select_stateful : Testing upstreams 0 0 +[02:58:20.631421] --- SETUP: upstream_select_stateful : Testing upstreams 1 0 +[02:58:20.631434] --- SETUP: upstream_connect : Getting upstream connection: 0x7fd32d0119c8 +[02:58:20.631439] --- SETUP: tcp_connect : Creating TCP connection: 0x7fd32d0119c8 +[02:58:20.631753] --- SETUP(TLS): tls_create_object : Hostname verification requested for: *.snozzages.com +[02:58:20.631793] --- SETUP(TLS): tls_create_object : Using Strict TLS +[02:58:20.631803] GETDNS_DAEMON: 104.196.153.172 : Conn init : Transport=TLS - Profile=Strict +[02:58:20.631808] --- SETUP: upstream_find_for_transport : FD: 8 Connecting to upstream: 0x7fd32d0119c8 No: 1 +[02:58:20.631817] ----- SCHEDULE: upstream_schedule_netreq : MSG: 0x7fd32e802008 (schedule event) +[02:58:20.631920] => ENTRY: _getdns_submit_stub_request : MSG: 0x7fd32d802808 TYPE: 28 +[02:58:20.631932] --- SETUP: upstream_connect : Getting upstream connection: 0x7fd32d0119c8 +[02:58:20.631938] --- SETUP: upstream_find_for_transport : FD: 8 Connecting to upstream: 0x7fd32d0119c8 No: 1 +[02:58:20.631943] ----- SCHEDULE: upstream_schedule_netreq : MSG: 0x7fd32d802808 (schedule event) +[02:58:20.631950] ------- WRITE: upstream_write_cb : MSG: 0x7fd32e802008 (writing) +[02:58:20.631973] --- SETUP(TLS): tls_do_handshake : FD: 8 +[02:58:20.696750] ------- READ: upstream_read_cb : FD: 8 +[02:58:20.696801] --- SETUP(TLS): tls_do_handshake : FD: 8 +[02:58:20.697742] --- SETUP(TLS): tls_verify_callback : FD: 8 Verify result: (0) "ok" +[02:58:20.697785] --- SETUP(TLS): 
_getdns_verify_pinset_match : Name of cert: 0 CN = *.snozzages.com +[02:58:20.697892] --- SETUP(TLS): _getdns_verify_pinset_match : Pubkey 0 matched pin 0x7fd32cc01780 (32) +[02:58:20.698246] --- SETUP(TLS): tls_verify_callback : FD: 8 Verify result: (0) "ok" +[02:58:20.698267] --- SETUP(TLS): _getdns_verify_pinset_match : Name of cert: 0 CN = *.snozzages.com +[02:58:20.698355] --- SETUP(TLS): _getdns_verify_pinset_match : Pubkey 0 matched pin 0x7fd32cc01780 (32) +[02:58:20.698846] --- SETUP(TLS): tls_verify_callback : FD: 8 Verify result: (0) "ok" +[02:58:20.698868] --- SETUP(TLS): _getdns_verify_pinset_match : Name of cert: 0 CN = *.snozzages.com +[02:58:20.698934] --- SETUP(TLS): _getdns_verify_pinset_match : Pubkey 0 matched pin 0x7fd32cc01780 (32) +[02:58:20.732940] ------- READ: upstream_read_cb : FD: 8 +[02:58:20.732994] --- SETUP(TLS): tls_do_handshake : FD: 8 +[02:58:20.733630] --- SETUP(TLS): tls_do_handshake : FD: 8 Handshake succeeded with auth state 2. Session is new. +[02:58:20.733694] ------- WRITE: upstream_write_cb : MSG: 0x7fd32e802008 (writing) +[02:58:20.733711] --- SETUP: stub_tls_write : FD: 8 Requesting keepalive +[02:58:20.734099] ------- WRITE: upstream_write_cb : MSG: 0x7fd32d802808 (writing) +[02:58:20.774853] ------- READ: upstream_read_cb : FD: 8 +[02:58:20.774915] ------- READ: upstream_read_cb : MSG: 0x7fd32e802008 (read) +[02:58:20.774940] ------- READ: match_edns_opt_rr : OPT RR: ; EDNS: version: 0; flags: ; udp: 4096 +[02:58:20.774948] --- CLEANUP: stub_cleanup : MSG: 0x7fd32e802008 +[02:58:20.774956] ----- SCHEDULE: upstream_reschedule_events : FD: 8 +[02:58:20.832630] ------- READ: upstream_read_cb : FD: 8 +[02:58:20.832757] ------- READ: upstream_read_cb : MSG: 0x7fd32d802808 (read) +[02:58:20.832782] ------- READ: match_edns_opt_rr : OPT RR: ; EDNS: version: 0; flags: ; udp: 4096 +[02:58:20.832793] --- CLEANUP: stub_cleanup : MSG: 0x7fd32d802808 +[02:58:20.832804] ----- SCHEDULE: upstream_reschedule_events : FD: 8 
+[02:58:20.832836] ----- SCHEDULE: upstream_reschedule_events : FD: 8 Connection idle - timeout is 10000 +[02:58:24.751765] => ENTRY: _getdns_submit_stub_request : MSG: 0x7fd32e008e08 TYPE: 1 +[02:58:24.751795] --- SETUP: upstream_connect : Getting upstream connection: 0x7fd32d0119c8 +[02:58:24.751802] --- SETUP: upstream_find_for_transport : FD: 8 Connecting to upstream: 0x7fd32d0119c8 No: 1 +[02:58:24.751808] ----- SCHEDULE: upstream_schedule_netreq : MSG: 0x7fd32e008e08 (schedule event) +[02:58:24.751829] ------- WRITE: upstream_write_cb : MSG: 0x7fd32e008e08 (writing) +[02:58:24.797597] ------- READ: upstream_read_cb : FD: 8 +[02:58:24.797682] ------- READ: upstream_read_cb : MSG: 0x7fd32e008e08 (read) +[02:58:24.797696] ------- READ: match_edns_opt_rr : OPT RR: ; EDNS: version: 0; flags: ; udp: 4096 +[02:58:24.797703] --- CLEANUP: stub_cleanup : MSG: 0x7fd32e008e08 +[02:58:24.797709] ----- SCHEDULE: upstream_reschedule_events : FD: 8 +[02:58:24.797715] ----- SCHEDULE: upstream_reschedule_events : FD: 8 Connection idle - timeout is 10000 +[02:58:34.798471] --- CLEANUP: upstream_idle_timeout_cb : FD: 8 Closing connection +[02:58:34.798524] GETDNS_DAEMON: 104.196.153.172 : Conn closed : Transport=TLS - Resp=3,Timeouts=0,Auth=Success,Keepalive(ms)=10000 +[02:58:34.798539] GETDNS_DAEMON: 104.196.153.172 : Upstream stats: Transport=TLS - Resp=3,Timeouts=0,Best_auth=Success +[02:58:34.798552] GETDNS_DAEMON: 104.196.153.172 : Upstream stats: Transport=TLS - Conns=1,Conn_fails=0,Conn_shutdowns=0,Backoffs=0 +``` #### Release notes / changelog V0.2.0: diff --git a/gke/README.md b/gke/README.md new file mode 100644 index 0000000..fd042e5 --- /dev/null +++ b/gke/README.md 
@@ -0,0 +1,26 @@
+# Google Container Engine
+
+## Description
+These are Google Container Engine (GKE) config files for starting up the dprive-nginx-bind containers.
+
+## Usage / configuration
+You will need to edit (at a minimum!) the `image` attribute in `dprive-nginx-bind-deployment.yaml`, and the `loadBalancerIP` attribute in `dprive-nginx-bind-service.yaml` (if you have not reserved a static IP, you can simply remote this attribute and an ephemeral one will be assigned.
+
+## Example usage:
+Spinning up deploymment and service:
+
+```
+$ kubectl create -f dprive-nginx-bind-deployment.yaml
+$ kubectl create -f dprive-nginx-bind-service.yaml
+```
+
+Checking:
+
+```
+$ kubectl get deployment dprive-nginx-bind
+NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
+dprive-nginx-bind 1 1 1 1 3d
+$ kubectl get service dprive-nginx-bind
+NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE
+dprive-nginx-bind 10.3.242.209 104.196.153.172 853/TCP,443/TCP 8m
+```
diff --git a/gke/dprive-nginx-bind-deployment.yaml b/gke/dprive-nginx-bind-deployment.yaml
new file mode 100644
index 0000000..6f5cee7
--- /dev/null
+++ b/gke/dprive-nginx-bind-deployment.yaml
@@ -0,0 +1,30 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: dprive-nginx-bind
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        run: dprive-nginx-bind
+    spec:
+      containers:
+      - image: us.gcr.io/dprive-nginx-bind:latest
+        imagePullPolicy: Always
+        name: dprive-nginx-bind
+        terminationMessagePath: /dev/termination-log
+        ports:
+        - containerPort: 853
+          name: domain-s
+        - containerPort: 443
+          name: https
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      securityContext: {}
+      terminationGracePeriodSeconds: 30
+status:
+  availableReplicas: 1
+  observedGeneration: 2
+  replicas: 1
+  updatedReplicas: 1
diff --git a/gke/dprive-nginx-bind-service.yaml b/gke/dprive-nginx-bind-service.yaml
new file mode 100644
index 0000000..2b44d95
--- /dev/null
+++ b/gke/dprive-nginx-bind-service.yaml
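Review bot: The container spec pins nothing: `image: us.gcr.io/dprive-nginx-bind:latest` together with `imagePullPolicy: Always` means every pod restart or reschedule pulls whatever was most recently pushed under `latest`, so the image actually serving DNS-over-TLS can change with no edit to this manifest. Since the gke/README in this patch already tells users to edit the `image` attribute, have it name an immutable reference, e.g. `- image: us.gcr.io/PROJECT/dprive-nginx-bind@sha256:<digest>` (the path as written also lacks the GCR project segment, so it is effectively a placeholder). The `status:` stanza (`availableReplicas`, `observedGeneration`, …) is server-populated output and should be dropped from a file meant for `kubectl create`. `securityContext: {}` leaves BIND and NGINX running as the image's default user; a `runAsNonRoot`/capability-limited context is worth considering once the image can bind 853 and 443 unprivileged, which I cannot confirm without the Dockerfile. Note also that `metadata.name` is `dprive-nginx-bind`, whereas the README hunk in this same patch stops it with `kubectl delete deployment dprive-nginx-bind-deployment`, which will not match.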
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    run: dprive-nginx-bind
+  name: dprive-nginx-bind
+spec:
+  type: LoadBalancer
+  loadBalancerIP: 104.196.153.172
+  ports:
+  - name: domain-s
+    protocol: TCP
+    port: 853
+    targetPort: 853
+  - name: https
+    protocol: TCP
+    port: 443
+    targetPort: 443
+  selector:
+    run: dprive-nginx-bind
+
diff --git a/stubby_configs/README.md b/stubby_configs/README.md
new file mode 100644
index 0000000..02a74d8
--- /dev/null
+++ b/stubby_configs/README.md
@@ -0,0 +1,11 @@
+# Stubby configs
+
+## Description
+These are example stubby configs to talk to my deployments.
+
+```
+stubby-aws.conf # Amazon AWS container
+stubby-gce-443.conf # Google Container on port 443
+stubby-gce.conf # Google Container Engine
+stubby-snozzages.conf # Docker instance.
+```
\ No newline at end of file
diff --git a/stubby_configs/stubby-aws.conf b/stubby_configs/stubby-aws.conf
new file mode 100644
index 0000000..97e0f57
--- /dev/null
+++ b/stubby_configs/stubby-aws.conf
@@ -0,0 +1,16 @@
+{ resolution_type: GETDNS_RESOLUTION_STUB
+, dns_transport_list: [ GETDNS_TRANSPORT_TLS ]
+, upstream_recursive_servers:
+  [ { address_data: 34.195.235.255
+    , tls_auth_name: "*.snozzages.com"
+    , tls_pubkey_pinset:
+      [ { digest: "sha256"
+        , value: 0x35675a81f9afa826883465f9320201461d324dafde1aa127fb8a00a526f1cae9
+        } ]
+    } ]
+, tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
+, tls_query_padding_blocksize: 256
+, edns_client_subnet_private : 1
+, listen_addresses: [ 127.0.0.1, 0::1 ]
+, idle_timeout: 10000
+}
diff --git a/stubby_configs/stubby-gce-443.conf b/stubby_configs/stubby-gce-443.conf
new file mode 100644
index 0000000..ceb3bad
--- /dev/null
+++ b/stubby_configs/stubby-gce-443.conf
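Review bot: `type: LoadBalancer` with no `loadBalancerSourceRanges` publishes the resolver on 853 and 443 to every source address, so unless this is intended as a public resolver it becomes an open (TLS-only) resolver anyone can use; if the client population is known, restrict it under `spec`, e.g. `loadBalancerSourceRanges: [ "203.0.113.0/24" ]`. The hard-coded `loadBalancerIP: 104.196.153.172` is only valid in the project that reserved it — the gke/README says as much — so a copied-in value will make `kubectl create` fail for anyone else; shipping the file without the attribute and documenting it is safer than a real address. `metadata.name` is `dprive-nginx-bind`, while the README hunk in this patch deletes `dprive-nginx-bind-service`, which will not be found.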
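Review bot: `tls_pubkey_pinset` carries a single pin alongside `tls_authentication: GETDNS_AUTHENTICATION_REQUIRED` and a TLS-only `dns_transport_list`, so when the server key is rotated every client using this file loses DNS entirely rather than failing over; the usual practice is to add a backup pin for the next key now, `, { digest: "sha256", value: 0x<backup-spki-hash> }` inside the pinset list, and to rotate pins ahead of keys. `tls_auth_name` is the literal wildcard `*.snozzages.com` rather than the host name the client is actually reaching; the README's example log shows this does verify against the current certificate's CN, but a concrete name covered by the wildcard is the conventional value and keeps the check meaningful if the certificate is reissued without the wildcard. A line in `stubby_configs/README.md` recording which server key and date each pin corresponds to would help whoever has to update it.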
@@ -0,0 +1,17 @@
+{ resolution_type: GETDNS_RESOLUTION_STUB
+, dns_transport_list: [ GETDNS_TRANSPORT_TLS ]
+, upstream_recursive_servers:
+  [ { address_data: 104.196.153.172
+    , tls_port: 443
+    , tls_auth_name: "*.snozzages.com"
+    , tls_pubkey_pinset:
+      [ { digest: "sha256"
+        , value: 0x35675a81f9afa826883465f9320201461d324dafde1aa127fb8a00a526f1cae9
+        } ]
+    } ]
+, tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
+, tls_query_padding_blocksize: 256
+, edns_client_subnet_private : 1
+, listen_addresses: [ 127.0.0.1, 0::1 ]
+, idle_timeout: 10000
+}
diff --git a/stubby_configs/stubby-gce.conf b/stubby_configs/stubby-gce.conf
new file mode 100644
index 0000000..f2dabf5
--- /dev/null
+++ b/stubby_configs/stubby-gce.conf
@@ -0,0 +1,16 @@
+{ resolution_type: GETDNS_RESOLUTION_STUB
+, dns_transport_list: [ GETDNS_TRANSPORT_TLS ]
+, upstream_recursive_servers:
+  [ { address_data: 104.196.153.172
+    , tls_auth_name: "*.snozzages.com"
+    , tls_pubkey_pinset:
+      [ { digest: "sha256"
+        , value: 0x35675a81f9afa826883465f9320201461d324dafde1aa127fb8a00a526f1cae9
+        } ]
+    } ]
+, tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
+, tls_query_padding_blocksize: 256
+, edns_client_subnet_private : 1
+, listen_addresses: [ 127.0.0.1, 0::1 ]
+, idle_timeout: 10000
+}
diff --git a/stubby_configs/stubby-snozzages.conf b/stubby_configs/stubby-snozzages.conf
new file mode 100644
index 0000000..1a5f3b5
--- /dev/null
+++ b/stubby_configs/stubby-snozzages.conf
@@ -0,0 +1,16 @@
+{ resolution_type: GETDNS_RESOLUTION_STUB
+, dns_transport_list: [ GETDNS_TRANSPORT_TLS ]
+, upstream_recursive_servers:
+  [ { address_data: 204.194.23.68
+    , tls_auth_name: "*.snozzages.com"
+    , tls_pubkey_pinset:
+      [ { digest: "sha256"
+        , value: 0x35675a81f9afa826883465f9320201461d324dafde1aa127fb8a00a526f1cae9
+        } ]
+    } ]
+, tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
+, tls_query_padding_blocksize: 256
+, edns_client_subnet_private : 1
+, listen_addresses: [ 127.0.0.1, 0::1 ]
+, idle_timeout: 10000
+}
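Review bot: `stubby-snozzages.conf`, `stubby-gce.conf`, `stubby-gce-443.conf` and `stubby-aws.conf` all carry the same pin `0x35675a81…f1cae9` for three different addresses (`204.194.23.68`, `104.196.153.172`, `34.195.235.255`), which means one TLS private key is deployed on a Docker host, a GKE pod and an ECS task alike. If that key is baked into the `us.gcr.io/dprive-nginx-bind` image rather than injected at deploy time — I cannot tell from this patch — then anyone able to pull the image can impersonate every one of these resolvers to clients using these files, so `stubby_configs/README.md` should state where the key lives, and a per-deployment key (with its own pin) or a key mounted as a secret would limit the blast radius. The four files differ only in `address_data` and the one `tls_port: 443` line, so a single template with those fields documented as the only things to change would also reduce the chance of one copy drifting, e.g. a pin updated in one file but not the others.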