Merge branch 'serverless-dns:main' into main

sagittaurius · Sep 28, 2024 · e62deab · e62deab · deno-deploy · Sep 28, 2024
2 parents 433d488 + 71bf7a0
commit e62deab
Show file tree

Hide file tree

Showing 35 changed files with 768 additions and 359 deletions.
diff --git a/.github/workflows/cf.yml b/.github/workflows/cf.yml
@@ -52,6 +52,7 @@ on:
 
 env:
   GIT_REF: ${{ github.event.inputs.commit || github.ref }}
+  WRANGLER_VER: '3.56.0'
   # default is 'dev' which is really empty/no env
   WORKERS_ENV: ''
 
@@ -112,6 +113,7 @@ jobs:
           apiToken: ${{ secrets.CF_API_TOKEN }}
           # input overrides env-defaults, regardless
           environment: ${{ env.WORKERS_ENV }}
+          wranglerVersion: ${{ env.WRANGLER_VER }}
         env:
           CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CF_ACCOUNT_ID }}
           GIT_COMMIT_ID: ${{ env.COMMIT_SHA }}

diff --git a/.github/workflows/deno-deploy.yml b/.github/workflows/deno-deploy.yml
@@ -64,7 +64,7 @@ jobs:
       contents: read
     steps:
       - name: 🚚 Fetch code
-        uses: actions/checkout@v3.3.0
+        uses: actions/checkout@v4
         with:
           ref: ${{ github.event.inputs.git-ref || github.ref }}
           fetch-depth: 0
@@ -85,10 +85,10 @@ jobs:
           git reset
           git merge origin/${BUILD_BRANCH} || :
 
-      - name: 🦕 Install Deno @1.29
+      - name: 🦕 Install Deno @1.44
         uses: denoland/setup-deno@main
         with:
-          deno-version: 1.29.3
+          deno-version: 1.44.4
 
       - name: 📦 Bundle up
         if: ${{ env.DEPLOY_MODE == 'action' }}
@@ -103,7 +103,7 @@ jobs:
       - name: 🤸🏼 Deploy to deno.com
         id: dd
         if: ${{ env.DEPLOY_MODE == 'action' }}
-        uses: denoland/deployctl@1.4.0
+        uses: denoland/deployctl@1.12.0
         with:
           project: ${{ env.PROJECT_NAME }}
           entrypoint: ${{ env.OUT_FILE }}

diff --git a/.github/workflows/ghcr.yml b/.github/workflows/ghcr.yml
@@ -0,0 +1,60 @@
+name: 🔄 runc
+
+on:
+  push:
+    tags:
+      - "v*"
+  workflow_dispatch:
+
+env:
+  REGISTRY: "ghcr.io"
+  IMAGE_NAME: ${{ github.repository }}
+  GIT_REF: ${{ github.event.inputs.git-ref || github.ref }}
+
+# docs.github.com/en/actions/publishing-packages/publishing-docker-images
+jobs:
+  nodejs:
+    name: 🚀 Node on Alpine
+    runs-on: ubuntu-latest
+    permissions:
+        contents: read
+        packages: write
+        attestations: write
+        id-token: write
+
+    steps:
+      - name: 🚚 Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ env.GIT_REF }}
+          fetch-depth: 0
+
+      - name: 🔐 Login
+        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: 🏷️ Metadata
+        id: meta
+        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: 🛠 Build 
+        id: push
+        uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
+        with:
+          context: .
+          file: ./node.Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+      - name: 📕 Attest
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -32,12 +32,12 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+        uses: actions/checkout@v4
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
+        uses: ossf/scorecard-action@v2.3.1
         with:
           results_file: results.sarif
           results_format: sarif

diff --git a/deno.Dockerfile b/deno.Dockerfile
@@ -1,6 +1,6 @@
 # Based on github.com/denoland/deno_docker/blob/main/alpine.dockerfile
 
-ARG DENO_VERSION=1.29.2
+ARG DENO_VERSION=1.44.4
 ARG BIN_IMAGE=denoland/deno:bin-${DENO_VERSION}
 
 FROM ${BIN_IMAGE} AS bin

diff --git a/fly.tls.toml b/fly.tls.toml
@@ -2,7 +2,8 @@ app = ""
 
 kill_signal = "SIGINT"
 kill_timeout = "15s"
-swap_size_mb = 152
+# swap must be disabled when using "suspend"
+# swap_size_mb = 152
 
 [build]
   dockerfile = "node.Dockerfile"
@@ -20,11 +21,18 @@ swap_size_mb = 152
 [experimental]
 auto_rollback = true
 
+# community.fly.io/t/19180
+# fly.io/docs/machines/guides-examples/machine-restart-policy
+[[restart]]
+  policy = "on-failure"
+  retries = 3
+
 # DNS over HTTPS (well, h2c and http1.1)
 [[services]]
   internal_port = 8055
   protocol = "tcp"
-  auto_stop_machines = true
+  # community.fly.io/t/20672
+  auto_stop_machines = "suspend"
   auto_start_machines = true
 
   [services.concurrency]
@@ -57,7 +65,7 @@ auto_rollback = true
 [[services]]
   internal_port = 10555
   protocol = "tcp"
-  auto_stop_machines = true
+  auto_stop_machines = "suspend"
   auto_start_machines = true
 
   [services.concurrency]

diff --git a/fly.toml b/fly.toml
@@ -2,7 +2,9 @@ app = ""
 
 kill_signal = "SIGINT"
 kill_timeout = "15s"
-swap_size_mb = 152
+# swap cannot be used with "suspend"
+# community.fly.io/t/20672
+# swap_size_mb = 152
 
 [build]
   dockerfile = "node.Dockerfile"
@@ -17,11 +19,17 @@ swap_size_mb = 152
   NODE_ENV = "production"
   LOG_LEVEL = "info"
 
+# community.fly.io/t/19180
+# fly.io/docs/machines/guides-examples/machine-restart-policy
+[[restart]]
+  policy = "on-failure"
+  retries = 3
+
 # DNS over HTTPS
 [[services]]
   protocol = "tcp"
   internal_port = 8080
-  auto_stop_machines = true
+  auto_stop_machines = "suspend"
   auto_start_machines = true
 
   [[services.ports]]
@@ -50,7 +58,7 @@ swap_size_mb = 152
 [[services]]
   protocol = "tcp"
   internal_port = 10000
-  auto_stop_machines = true
+  auto_stop_machines = "suspend"
   auto_start_machines = true
 
   [[services.ports]]

diff --git a/import_map.json b/import_map.json
@@ -6,6 +6,7 @@
     "process": "https://deno.land/[email protected]/node/process.ts",
     "@serverless-dns/dns-parser": "https://github.com/serverless-dns/dns-parser/raw/v2.1.2/index.js",
     "@serverless-dns/lfu-cache": "https://github.com/serverless-dns/lfu-cache/raw/v3.4.1/lfu.js",
-    "@serverless-dns/trie/": "https://github.com/serverless-dns/trie/raw/v0.0.13/src/"
+    "@serverless-dns/trie/": "https://github.com/serverless-dns/trie/raw/v0.0.13/src/",
+    "@riaskov/mmap-io": "https://github.com/ARyaskov/mmap-io/raw/v1.4.3/src"
   }
 }
diff --git a/node.Dockerfile b/node.Dockerfile
@@ -1,27 +1,34 @@
-FROM node:20 as setup
+FROM node:22 as setup
 # git is required if any of the npm packages are git[hub] packages
 RUN apt-get update && apt-get install git -yq --no-install-suggests --no-install-recommends
-WORKDIR /node-dir
+WORKDIR /app
 COPY . .
 # get deps, build, bundle
 RUN npm i
+# webpack externalizes native modules (@riaskov/mmap-io)
 RUN npm run build:fly
 # or RUN npx webpack --config webpack.fly.cjs
 # download blocklists and bake them in the img
 RUN export BLOCKLIST_DOWNLOAD_ONLY=true && node ./dist/fly.mjs
+# or RUN export BLOCKLIST_DOWNLOAD_ONLY=true && node ./src/server-node.js
 
 # stage 2
-FROM node:alpine AS runner
+# pin to node22 for native deps (@ariaskov/mmap-io)
+FROM node:22-alpine AS runner
 
 # env vals persist even at run-time: archive.is/QpXp2
 # and overrides fly.toml env values
 ENV NODE_ENV production
-ENV NODE_OPTIONS="--max-old-space-size=320 --heapsnapshot-signal=SIGUSR2"
+ENV NODE_OPTIONS="--max-old-space-size=200 --heapsnapshot-signal=SIGUSR2"
 # get working dir in order
 WORKDIR /app
-COPY --from=setup /node-dir/dist ./
-COPY --from=setup /node-dir/blocklists__ ./blocklists__
-COPY --from=setup /node-dir/dbip__ ./dbip__
+# external deps not bundled by webpack
+RUN npm i @riaskov/[email protected]
+
+COPY --from=setup /app/dist ./
+COPY --from=setup /app/blocklists__ ./blocklists__
+COPY --from=setup /app/dbip__ ./dbip__
+
 # print files in work dir, must contain blocklists
 RUN ls -Fla
 # run with the default entrypoint (usually, bash or sh)

diff --git a/package.json b/package.json
@@ -34,6 +34,7 @@
     "@serverless-dns/lfu-cache": "github:serverless-dns/lfu-cache#v3.5.2",
     "@serverless-dns/trie": "github:serverless-dns/trie#v0.0.17",
     "httpx-server": "^1.4.4",
+    "@riaskov/mmap-io": "^1.4.3",
     "node-polyfill-webpack-plugin": "^2.0.1",
     "proxy-protocol-js": "^4.0.5"
   },
@@ -49,10 +50,11 @@
     "eslint-plugin-prettier": "^4.0.0",
     "husky": "^7.0.4",
     "lint-staged": "^12.1.4",
+    "node-loader": "^2.0.0",
     "prettier": "2.5.1",
-    "webpack": "^5.65.0",
+    "webpack": "^5.92.1",
     "webpack-cli": "^4.10.0",
-    "wrangler": "^2.1.15"
+    "wrangler": "^3.0.0"
   },
   "lint-staged": {
     "*.?(m|c)js": "eslint --cache --fix",

diff --git a/src/commons/bufutil.js b/src/commons/bufutil.js
@@ -169,11 +169,19 @@ export function bufferOf(arrayBuf) {
   return Buffer.from(new Uint8Array(arrayBuf));
 }
 
+/**
+ * @param {Buffer} b
+ * @returns {int}
+ */
 export function recycleBuffer(b) {
   b.fill(0);
   return 0;
 }
 
+/**
+ * @param {int} size
+ * @returns {Buffer}
+ */
 export function createBuffer(size) {
   return Buffer.allocUnsafe(size);
 }

diff --git a/src/commons/dnsutil.js b/src/commons/dnsutil.js
@@ -377,9 +377,19 @@ export function isAnswerQuad0(packet) {
   return isAnswerBlocked(packet.answers);
 }
 
+export function ttl(packet) {
+  if (!hasAnswers(packet)) return 0;
+  return packet.answers[0].ttl || 0;
+}
+
+/**
+ * @param {any} dnsPacket
+ * @returns {string[]}
+ */
 export function extractDomains(dnsPacket) {
   if (!hasSingleQuestion(dnsPacket)) return [];
 
+  /** @type {string} */
   const names = new Set();
   const answers = dnsPacket.answers;
 
@@ -416,7 +426,7 @@ export function extractDomains(dnsPacket) {
 
 export function getInterestingAnswerData(packet, maxlen = 80, delim = "|") {
   if (!hasAnswers(packet)) {
-    return !util.emptyObj(packet) ? packet.rcode || "WTF" : "WTF";
+    return !util.emptyObj(packet) ? packet.rcode || "WTF1" : "WTF2";
   }
 
   // set to true if at least one ip has been captured from ans
@@ -535,6 +545,10 @@ export function getQueryType(packet) {
   return util.emptyString(qt) ? false : qt;
 }
 
+/**
+ * @param {string?} n
+ * @returns {string}
+ */
 export function normalizeName(n) {
   if (util.emptyString(n)) return n;
 

diff --git a/src/commons/envutil.js b/src/commons/envutil.js
@@ -8,6 +8,12 @@
 
 // musn't import /depend on anything.
 
+export function isProd() {
+  if (!envManager) return false;
+
+  return envManager.determineEnvStage() === "production";
+}
+
 export function onFly() {
   if (!envManager) return false;
 
@@ -45,6 +51,11 @@ export function hasDisk() {
   return onFly() || onLocal();
 }
 
+export function useMmap() {
+  // got disk on fly and local deploys
+  return onFly() || onLocal();
+}
+
 export function hasDynamicImports() {
   if (onDenoDeploy() || onCloudflare() || onFastly()) return false;
   return true;
@@ -222,12 +233,10 @@ export function shutdownTimeoutMs() {
 }
 
 export function measureHeap() {
-  // disable; webpack can't bundle memwatch; see: server-node.js
-  return false;
   if (!envManager) return false;
   const reg = region();
   if (
-    reg === "maa" ||
+    reg === "bom" ||
     reg === "sin" ||
     reg === "fra" ||
     reg === "ams" ||