This is a containerized SKS OpenPGP Keyserver using s6-overlay on an Alpine Linux base image.
Including improvements based on Óscar García Amor and Martin Dobrev derived forks of this repository.
The /var/lib/sks
volume holds the key database, membership and sksconf files
which should be mounted from a persistent storage source.
The container provides 4 long-running services under s6 supervision:
sks-db
- primary dependent service that terminates the container if it crashessks-recon
- SKS gossip peering process which only starts aftersks-db
sks-stats
- generate DB statistics once an half hour by sendingsks-db
a USR2 signalsks-log-clean
- execute db_archive against key and PTree databases 2 hours
The entrypoint.sh
script will make use of the following environment variables
to setup the default sksconf
config file and modify on restarts unless altered
manually to no longer make use of the environment variables.
Variable | Default value |
---|---|
SKS_HOSTNAME | localhost |
SKS_RECON_ADDR | 0.0.0.0 |
SKS_RECON_PORT | 11370 |
SKS_HKP_ADRESS | 0.0.0.0 |
SKS_HKP_PORT | 11371 |
SKS_SERVER_CONTACT | |
SKS_NODENAME | keys |
SKS_COMMAND_TIMEOUT | 600 |
SKS_WSERVER_TIMEOUT | 30 |
SKS_MAX_RECOVER | 150 |
SKS_INIT_BUILD_FILES | 10 |
SKS_INIT_BUILD_CACHE | 100 |
SKS_INIT_PBUILD_CACHE | 20 |
SKS_INIT_PTREE_CACHE | 70 |
While other configuration options are available they are not managed at this
time and would require editing the sksconf
file directly.
The default persistent storage volume needed should be mounted to
/var/lib/sks
and will store the key (KDB) and ptree (PTree) databases along
with the sksconf
, membership
and DB_CONFIG
files.
If a keydump volume is mounted to /data/dump
to the container and the key and
ptree databases do not yet exist, the entrypoint.sh
will begin the database
build process automatically. The choice of path was made to ensure it was outside
the normal SKS basedir path so as not to be opened upon restart if the database
already exists and the mount has not been removed. Once the keydump has been imported
this mount volume could be removed as it is only necessary for initial import.
To be of much use the SKS keyserver requires an initial dump of the available
keys to be imported. As the version of wget
available within Alpine Linux
does not fully support the necessary options to mirror a keydump source, an
additional Debian base image has been made available in the keydump
directory of this repostory.
This may be built using the following:
docker build -t sks-keydump -f keydump/Dockerfile keydump/
This image takes an optional environment variable of KEYDUMP_URL
which
defaults to cyberbits.eu but can be pointed to any web accessible URL to
retrieve from.
Use of this is completely optional but can make retrieving an initial keydump relatively simple to populate a volume that can then be mounted to the SKS container for import.