Built-in nscd into the docker image (a better dns caching service) (#3472)

1 year ago · a0203372ce
parent 5ccf2d23fc
commit a0203372ce
5 changed files with 192 additions and 7 deletions
--- a/docker/debian-base.dockerfile
+++ b/docker/debian-base.dockerfile
@ -5,13 +5,29 @@ ARG TARGETPLATFORM

 WORKDIR /app

-# Install Curl
-# Install Apprise, add sqlite3 cli for debugging in the future, iputils-ping for ping, util-linux for setpriv
-# Stupid python3 and python3-pip actually install a lot of useless things into Debian, specify --no-install-recommends to skip them, make the base even smaller than alpine!
+# Specify --no-install-recommends to skip unused dependencies, make the base much smaller!
+# python3* = apprise's dependencies
+# sqlite3 = for debugging
+# iputils-ping = for ping
+# util-linux = for setpriv (Should be dropped in 2.0.0?)
+# dumb-init = avoid zombie processes (#480)
+# curl = for debugging
+# ca-certificates = keep the cert up-to-date
+# sudo = for start service nscd with non-root user
+# nscd = for better DNS caching
+# (pip) apprise = for notifications
 RUN apt-get update && \
-    apt-get --yes --no-install-recommends install python3 python3-pip python3-cryptography python3-six python3-yaml python3-click python3-markdown python3-requests python3-requests-oauthlib \
-        sqlite3 iputils-ping util-linux dumb-init git curl ca-certificates && \
-    pip3 --no-cache-dir install apprise==1.4.0 && \
+    apt-get --yes --no-install-recommends install  \
+        python3 python3-pip python3-cryptography python3-six python3-yaml python3-click python3-markdown python3-requests python3-requests-oauthlib \
+        sqlite3  \
+        iputils-ping  \
+        util-linux  \
+        dumb-init  \
+        curl  \
+        ca-certificates \
+        sudo \
+        nscd && \
+    pip3 --no-cache-dir install apprise==1.4.5 && \
    rm -rf /var/lib/apt/lists/* && \
    apt --yes autoremove

@ -26,3 +42,7 @@ RUN set -eux && \
    rm -rf /var/lib/apt/lists/* && \
    apt --yes autoremove

+# For nscd
+COPY ./docker/etc/nscd.conf /etc/nscd.conf
+COPY ./docker/etc/sudoers /etc/sudoers
+
--- a/docker/etc/nscd.conf
+++ b/docker/etc/nscd.conf
@ -0,0 +1,90 @@
+#
+# /etc/nscd.conf
+#
+# An example Name Service Cache config file.  This file is needed by nscd.
+#
+# Legal entries are:
+#
+#       logfile                 <file>
+#       debug-level             <level>
+#       threads                 <initial #threads to use>
+#       max-threads             <maximum #threads to use>
+#       server-user             <user to run server as instead of root>
+#               server-user is ignored if nscd is started with -S parameters
+#       stat-user               <user who is allowed to request statistics>
+#       reload-count            unlimited|<number>
+#       paranoia                <yes|no>
+#       restart-interval        <time in seconds>
+#
+#       enable-cache            <service> <yes|no>
+#       positive-time-to-live   <service> <time in seconds>
+#       negative-time-to-live   <service> <time in seconds>
+#       suggested-size          <service> <prime number>
+#       check-files             <service> <yes|no>
+#       persistent              <service> <yes|no>
+#       shared                  <service> <yes|no>
+#       max-db-size             <service> <number bytes>
+#       auto-propagate          <service> <yes|no>
+#
+# Currently supported cache names (services): passwd, group, hosts, services
+#
+
+
+#       logfile                 /var/log/nscd.log
+#       threads                 4
+#       max-threads             32
+#        server-user             node
+#       stat-user               somebody
+        debug-level             0
+#       reload-count            5
+        paranoia                no
+#       restart-interval        3600
+
+        enable-cache            passwd          no
+        positive-time-to-live   passwd          600
+        negative-time-to-live   passwd          20
+        suggested-size          passwd          211
+        check-files             passwd          yes
+        persistent              passwd          yes
+        shared                  passwd          yes
+        max-db-size             passwd          33554432
+        auto-propagate          passwd          yes
+
+        enable-cache            group           no
+        positive-time-to-live   group           3600
+        negative-time-to-live   group           60
+        suggested-size          group           211
+        check-files             group           yes
+        persistent              group           yes
+        shared                  group           yes
+        max-db-size             group           33554432
+        auto-propagate          group           yes
+
+        enable-cache            hosts           yes
+        positive-time-to-live   hosts           3600
+        negative-time-to-live   hosts           20
+        suggested-size          hosts           211
+        check-files             hosts           yes
+        persistent              hosts           yes
+# Set shared to "no" to display stats in `nscd -g`
+# Read more: https://stackoverflow.com/questions/40429245/nscdcentos7curl-0-dns-cache-hit-rate
+        shared                  hosts           no
+        max-db-size             hosts           33554432
+
+        enable-cache            services        no
+        positive-time-to-live   services        28800
+        negative-time-to-live   services        20
+        suggested-size          services        211
+        check-files             services        yes
+        persistent              services        yes
+        shared                  services        yes
+        max-db-size             services        33554432
+
+        enable-cache            netgroup        no
+        positive-time-to-live   netgroup        28800
+        negative-time-to-live   netgroup        20
+        suggested-size          netgroup        211
+        check-files             netgroup        yes
+        persistent              netgroup        yes
+        shared                  netgroup        yes
+        max-db-size             netgroup        33554432
--- a/docker/etc/sudoers
+++ b/docker/etc/sudoers
@ -0,0 +1,31 @@
+#
+# This file MUST be edited with the 'visudo' command as root.
+#
+# Please consider adding local content in /etc/sudoers.d/ instead of
+# directly modifying this file.
+#
+# See the man page for details on how to write a sudoers file.
+#
+Defaults        env_reset
+Defaults        mail_badpass
+Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+# Host alias specification
+
+# User alias specification
+
+# Cmnd alias specification
+
+# User privilege specification
+root    ALL=(ALL:ALL) ALL
+
+# Allow members of group sudo to execute any command
+%sudo   ALL=(ALL:ALL) ALL
+
+# See sudoers(5) for more information on "#include" directives:
+
+#includedir /etc/sudoers.d
+
+# Allow `node` to control service (mainly for nscd)
+node ALL=(root) NOPASSWD: /usr/sbin/nscdservice
+node ALL=(root) NOPASSWD: /usr/sbin/service
--- a/server/server.js
+++ b/server/server.js
@ -49,6 +49,7 @@ if (! process.env.NODE_ENV) {
 }

 log.info("server", "Node Env: " + process.env.NODE_ENV);
+log.info("server", "Inside Container: " + process.env.UPTIME_KUMA_IS_CONTAINER === "1");

 log.info("server", "Importing Node libraries");
 const fs = require("fs");
@ -1589,6 +1590,8 @@ let needSetup = false;
        await shutdownFunction();
    });

+    server.start();
+
    server.httpServer.listen(port, hostname, () => {
        if (hostname) {
            log.info("server", `Listening on ${hostname}:${port}`);
--- a/server/uptime-kuma-server.js
+++ b/server/uptime-kuma-server.js
@ -10,6 +10,7 @@ const util = require("util");
 const { CacheableDnsHttpAgent } = require("./cacheable-dns-http-agent");
 const { Settings } = require("./settings");
 const dayjs = require("dayjs");
+const childProcess = require("child_process");
 // DO NOT IMPORT HERE IF THE MODULES USED `UptimeKumaServer.getInstance()`, put at the bottom of this file instead.

 /**
@ -334,9 +335,49 @@ class UptimeKumaServer {
        dayjs.tz.setDefault(timezone);
    }

-    /** Stop the server */
+    /**
+     * TODO: Listen logic should be moved to here
+     * @returns {Promise<void>}
+     */
+    async start() {
+        this.startServices();
+    }
+
+    /**
+     * Stop the server
+     * @returns {Promise<void>}
+     */
    async stop() {
+        this.stopServices();
+    }

+    /**
+     * Start all system services (e.g. nscd)
+     * For now, only used in Docker
+     */
+    startServices() {
+        if (process.env.UPTIME_KUMA_IS_CONTAINER) {
+            try {
+                log.info("services", "Starting nscd");
+                childProcess.execSync("sudo service nscd start", { stdio: "pipe" });
+            } catch (e) {
+                log.info("services", "Failed to start nscd");
+            }
+        }
+    }
+
+    /**
+     * Stop all system services
+     */
+    stopServices() {
+        if (process.env.UPTIME_KUMA_IS_CONTAINER) {
+            try {
+                log.info("services", "Stopping nscd");
+                childProcess.execSync("sudo service nscd stop");
+            } catch (e) {
+                log.info("services", "Failed to stop nscd");
+            }
+        }
    }
 }