From a246506150c3ba7acb40a967e207aac5481a0d7d Mon Sep 17 00:00:00 2001
From: Frank Denis
Date: Wed, 11 Dec 2019 16:20:55 +0100
Subject: [PATCH 1/4] Copy and use undelegated.txt
---
 Dockerfile | 1 +
 encrypted-dns.toml.in | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index eb2d5ff..9c9129e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -61,6 +61,7 @@ RUN mkdir -p \
 /etc/service/watchdog
 COPY encrypted-dns.toml.in /opt/encrypted-dns/etc/
+COPY undelegated.txt /opt/encrypted-dns/etc/
 COPY entrypoint.sh /
diff --git a/encrypted-dns.toml.in b/encrypted-dns.toml.in
index df2b0c9..f48ce2e 100644
--- a/encrypted-dns.toml.in
+++ b/encrypted-dns.toml.in
@@ -177,7 +177,7 @@ key_cache_capacity = 10000
 ## but will never resolve to anything. The server will immediately return a
 ## synthesized NXDOMAIN response instead of hitting root servers.
-# undelegated_list = "/etc/undelegated.txt"
+undelegated_list = "/opt/encrypted-dns/etc/undelegated.txt"
 ## Ignore A and AAAA queries for unqualified host names.
From 33080e9766ce7e8d502a13ba3fad3d2f4bf86254 Mon Sep 17 00:00:00 2001
From: Frank Denis
Date: Wed, 11 Dec 2019 16:44:47 +0100
Subject: [PATCH 2/4] Ensure that the keys directory is accessible from _encrypted-dns
---
 encrypted-dns.sh | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/encrypted-dns.sh b/encrypted-dns.sh
index bb51607..9712207 100755
--- a/encrypted-dns.sh
+++ b/encrypted-dns.sh
@@ -8,4 +8,7 @@ if [ ! -f "$KEYS_DIR/provider_name" ]; then
 exit 1
 fi
+chown -R _encrypted-dns:_encrypted-dns /opt/dnscrypt-wrapper/etc/keys 2>/dev/null || :
+chown -R _encrypted-dns:_encrypted-dns /opt/encrypted-dns/etc/keys 2>/dev/null || :
 exec /opt/encrypted-dns/sbin/encrypted-dns --config "$CONFIG_FILE"
From 9b7cd92696568048b91818bdc0126a7ca5764879 Mon Sep 17 00:00:00 2001
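Review bot: The undelegated list is baked into the image under /opt/encrypted-dns/etc/ with whatever ownership and mode it carries in the build context, and nothing in the patch shows how that directory is treated at run time; if it is ever bind-mounted (the README in patch 4 talks about mapping container files with `-v`), the copied file would be shadowed by the host directory and the daemon would fail to open the path that encrypted-dns.toml.in now hard-codes. A README sentence stating that the list ships inside the image and needs a rebuild (or a bind-mount) to change would prevent that surprise. As a style point the two COPYs into the same target can be a single instruction, `COPY encrypted-dns.toml.in undelegated.txt /opt/encrypted-dns/etc/`, which also saves a layer. The RUN instruction this hunk is attached to starts outside the hunk.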
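Review bot: `undelegated_list` goes from commented-out to a mandatory absolute path, and the same file carries a `chroot` option (visible as context in patch 3) that stays commented out; if chroot is ever enabled, the path is presumably opened as the daemon sees it after chroot() and `/opt/encrypted-dns/etc/undelegated.txt` will not exist inside the jail. Before this change a missing file was harmless because the option was off; now a config generated from this template on an image that does not ship the file will presumably fail at startup, which is correct but worth stating. Suggest extending the comment above the setting: `## Must exist as seen by the daemon: if chroot is enabled below, the path has to be inside the jail.`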
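Review bot: The two new `chown -R` lines run as root over directories that, per the README, are commonly host-mounted volumes, and as far as I can tell both GNU and BusyBox chown change the target of a symlink met during recursion rather than the link itself unless `-h` is given, so a symlink planted in the keys directory lets whoever controls that directory re-own an arbitrary file in the container's view of the filesystem; use `chown -Rh …` so only the links themselves are touched. The `2>/dev/null || :` then hides a failed chown, leaving the daemon to fail later with a less obvious permission error once it has dropped to `_encrypted-dns`; at least warn, e.g. `chown -Rh _encrypted-dns:_encrypted-dns /opt/encrypted-dns/etc/keys || echo "warning: could not chown keys directory" >&2`. The script already validates `$KEYS_DIR/provider_name` but chowns two hard-coded paths instead of `"$KEYS_DIR"`; if they refer to the same location, using the variable keeps the check and the chown in sync. The assignments of KEYS_DIR and CONFIG_FILE are outside the hunk.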
From: Frank Denis
Date: Wed, 11 Dec 2019 16:45:19 +0100
Subject: [PATCH 3/4] Bump min TTL, switch daemon user and group
---
 encrypted-dns.toml.in | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/encrypted-dns.toml.in b/encrypted-dns.toml.in
index f48ce2e..7b83338 100644
--- a/encrypted-dns.toml.in
+++ b/encrypted-dns.toml.in
@@ -70,7 +70,7 @@ cache_capacity = 150000
 ## DNS cache: minimum TTL
-cache_ttl_min = 600
+cache_ttl_min = 3600
 ## DNS cache: max TTL
@@ -100,12 +100,12 @@ daemonize = false
 ## User name to drop privileges to, when started as root.
-# user = "_encrypted-dns"
+user = "_encrypted-dns"
 ## Group name to drop privileges to, when started as root.
-# group = "_encrypted-dns"
+group = "_encrypted-dns"
 ## Path to chroot() to, when started as root.
From 04c8c1c5cee9affb1641970ba1bb9fea010d6dbe Mon Sep 17 00:00:00 2001
From: mibere
Date: Fri, 13 Dec 2019 16:08:50 +0100
Subject: [PATCH 4/4] Update README.md enhancements chapter 'Updating the container'
---
 README.md | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 79b0e08..f794c64 100644
--- a/README.md
+++ b/README.md
@@ -118,7 +118,7 @@ docker pull jedisct1/dnscrypt-server
 ls -l /etc/dnscrypt-server/keys
 ```
-If you have some content here, skip to step 2.
+If you have some content here, skip to step 3.
 Nothing here? Maybe you didn't use the `-v` option to map container files to a local directory when creating the container. In that case, copy the data directly from the container:
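Review bot: `cache_ttl_min = 3600` clamps every cached answer to at least an hour regardless of the authoritative TTL, which overrides the short TTLs operators rely on for failover and record rotation and also lengthens the time any bad answer that reaches the cache keeps being served; the one-line comment above it should say so, e.g. `## DNS cache: minimum TTL (overrides shorter upstream TTLs; raising it delays record changes and failover)`. On the user/group change, privilege dropping now depends on the `_encrypted-dns` account existing in the image; patch 2 chowns to the same name, so presumably the Dockerfile creates it, but that is outside this patch and a comment noting the requirement would help anyone reusing the template elsewhere. The `chroot` option in the context line below stays commented out, so after dropping privileges the daemon still sees the whole container filesystem; a short comment on why chroot is left off (the undelegated list and keys are referenced by absolute paths) would make that an explicit choice rather than an oversight.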
@@ -127,14 +127,20 @@ In that case, copy the data directly from the container:
 docker cp dnscrypt-server:/opt/encrypted-dns/etc/keys ~/keys
 ```
-3. Stop the container:
+3. Stop the existing container:
 ```sh
 docker stop dnscrypt-server
 docker ps # Check that it's not running
 ```
-1. Use the `init` command again and start the new container:
+4. Rename the existing container:
+
+```sh
+docker rename dnscrypt-server dnscrypt-server-old
+```
+
+5. Use the `init` command again and start the new container:
 ```sh
 docker run --name=dnscrypt-server -p 443:443/udp -p 443:443/tcp --net=host \
@@ -144,9 +150,16 @@ jedisct1/dnscrypt-server init -N example.com -E '192.168.1.1:443'
 # (adjust accordingly)
 docker start dnscrypt-server
+docker ps # Check that it's running
 ```
-5. Done!
+6. Delete old container:
+
+```sh
+docker rm dnscrypt-server-old
+```
+
+7. Done!
 Parameters differ from the ones used in the previous container.