mailserver2 / mailserver

Simple and full-featured mail server using Docker
https://store.docker.com/community/images/mailserver2/mailserver
MIT License

/etc/unbound/unbound.conf.d is not read #59

Closed jinks closed 8 months ago

jinks commented 9 months ago

Classification

Reproducibility

Description

I wanted to add site-specific DNS settings and bind-mounted them to /etc/unbound/unbound.conf.d, just to realize later that /etc/unbound/unbound.conf does not contain any include statements, so the directory is ignored.

Since there are already 2 image-supplied files in that directory, I doubt that is intentional.

Steps to reproduce

  1. add configuration file to /etc/unbound/unbound.conf.d

Expected results

Configuration is read and applied by unbound.

Actual results

Configuration is ignored.
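A check for the condition reported above, as an added example that is not part of the original thread or of the mailserver2 image: it lists the `*.conf` drop-ins that no `include:` or `include-toplevel:` directive in the main unbound config covers. The function names are made up for the example, and it assumes absolute include paths with no chroot in effect.

```shell
#!/bin/sh
# Added example: find unbound drop-in files that the main config never includes.

# Print the path or glob named by each include: / include-toplevel: directive
# in config file $1. Comments are stripped first, so a commented-out include
# does not count; surrounding double quotes are removed.
include_patterns() {
    sed -E -n \
        -e 's/#.*$//' \
        -e 's/^[[:space:]]*include(-toplevel)?:[[:space:]]*"?([^"[:space:]]+)"?[[:space:]]*$/\2/p' \
        "$1"
}

# Print every *.conf file in directory $2 that no include pattern in $1 matches.
# Matching uses shell case patterns, where "*" also matches "/", so this is
# slightly more permissive than a filesystem glob.
unincluded_dropins() {
    ud_patterns=$(include_patterns "$1")
    for ud_file in "$2"/*.conf; do
        [ -e "$ud_file" ] || continue
        ud_covered=no
        while IFS= read -r ud_pat; do
            [ -n "$ud_pat" ] || continue
            case $ud_file in
                $ud_pat) ud_covered=yes; break ;;
            esac
        done <<EOF
$ud_patterns
EOF
        [ "$ud_covered" = yes ] || printf '%s\n' "$ud_file"
    done
}

# Usage: sh check.sh /etc/unbound/unbound.conf /etc/unbound/unbound.conf.d
if [ "$#" -eq 2 ]; then
    unincluded_dropins "$1" "$2"
fi
```

Any path it prints is a file unbound will silently skip, which matters most when the drop-in carries access-control or forwarding settings an operator believes are active.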

AndrewSav commented 9 months ago

> Since there are already 2 image-supplied files in that directory

Can you pinpoint where the two are coming from? Thanks!

jinks commented 9 months ago

```
[jinks@server] ~/docker/mail % docker compose exec -ti mailserver ls /etc/unbound/unbound.conf.d
remote-control.conf  root-auto-trust-anchor-file.conf
[root@server] /var/lib/docker/100000.100000 # find . -iname root-auto-trust-anchor-file.conf
./btrfs/subvolumes/44162958985cc9a97b722ee7cd50dc84cb2a177e82f4a66efdd1668b0251f58a/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf
./btrfs/subvolumes/03198b59b36940946ba85bb1a2c605797072b3d14b709679cd3a02cc85f82e91/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf
./btrfs/subvolumes/e8b4477c6e0e594cabf82a39469776354c441be64171c6d2a63d2adb0ca09183/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf
./btrfs/subvolumes/fdd19f466affdab51c6e3f47c640eec869aec828618dd9db7d95bb247ca074e2-init/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf
./btrfs/subvolumes/fdd19f466affdab51c6e3f47c640eec869aec828618dd9db7d95bb247ca074e2/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf
[root@server] /var/lib/docker/100000.100000 # cat ./btrfs/subvolumes/44162958985cc9a97b722ee7cd50dc84cb2a177e82f4a66efdd1668b0251f58a/etc/unbound/unbound.conf
# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
```

They seem to be part of the Debian base image. - I'm not sure if an image can shadow files from a base image, but in its current stage it looks like the files are useful while they are not...

jinks commented 9 months ago

On another note: What problem does unbound solve in this package?

I stumbled upon this, because I needed to "hack" a docker service DNS resolution into unbound.

What are the implications of just turning it off via ENV flag? Is it a performance thing? Does Docker's own DNS have any issues specific to mailserver?

SaraSmiseth commented 9 months ago

The default unbound.conf from Debian is replaced by our own.

We could add the line to include the files in the subdirectory.

But yes I think you can just disable unbound with the ENV flag. Docker's DNS just uses your system's DNS.

diroots commented 8 months ago

Using local unbound keeps DNS requests local instead of depending on internal DNS resolution, so it can be faster and autonomous/independent.

@jinks you can have your unbound copy in the stack, and then bind mount it:

then on compose file:

```yaml
  mailserver:
    image: mailserver2/mailserver
    restart: ${RESTART_MODE}
    # [...]
    volumes:
      - ./config/unbound/unbound.conf:/etc/unbound/unbound.conf:ro
      - ./config/unbound/unbound.conf.d/:/etc/unbound/unbound.conf.d/
```

jinks commented 8 months ago

@SaraSmiseth

> We could add the line to include the files in the subdirectory.

Debian's config negates some of mailserver2's config, so that's probably best avoided.

@diroots I'm trying to avoid outright overwriting existing config when possible. I'm gonna forget and then break some future update because I'll miss a change in some file.

For now I've added an s6 run script calling unbound-control. This seems to work well.

AndrewSav commented 8 months ago

> Debian's config negates some of mailserver2's config, so that's probably best avoided.

The config you linked is the one that is supposed to be used, not Debian's. If it is, it's probably unintentional.

jinks commented 8 months ago

No, that's intentional...

If you look at the files inside unbound.conf.d (not part of this repo) you will see that those override some configs from the linked file.

AndrewSav commented 8 months ago

Sorry I'm confused, the linked file does not include unbound.conf.d so how could they possibly override anything?

jinks commented 8 months ago

SaraSmiseth suggested here to include conf.d in mailserver2's unbound.conf which would break the existing config and is the comment I initially replied to.

AndrewSav commented 8 months ago

Can you post what you did with the s6 run script? Do you think it's worth a PR?

AndrewSav commented 8 months ago

@jinks is there anything here outstanding or could this be closed?

jinks commented 8 months ago

This can be closed.

As to the run script: it's literally just a hardcoded unbound-control local_data localserver A $SERVER_IP, so nothing that can be PR'd.