ventz / docker-bind

Docker Hub ventz/bind - Secure ISC BIND (Authoritative, Recursive, Slave, RPZ) - Docker image always latest built!
https://hub.docker.com/r/ventz/bind/
34 stars 37 forks

Suggestion: add $OPTIONS environment variable #14

Closed lkollenberger closed 5 years ago

lkollenberger commented 5 years ago

It'd be awesome to have this feature, replicating the functionality of the /etc/default/bind9 file in Debian/Ubuntu distros. It would be really useful for example for adding the -4 argument to bind in IPv4 only deployments.

A way to do it would be adding $OPTIONS to the last line in /entrypoint.sh.

UPDATE from ventz (complete): Added arbitrary parameter passing to the named daemon. Everything passed "at the end" will be directly passed to named.

For Ex:

docker run -it --rm  ventz/bind SOMETHING1 SOMETHING2
ventz commented 5 years ago

@lkollenberger Agreed.

Proposing doing it this way, since CMD is added to the ENTRYPOINT:

ARG OPTIONS
ENV OPTIONS ${OPTIONS}
...
COPY entrypoint.sh /
ENTRYPOINT ["/entrypoint.sh"] 
CMD ${OPTIONS}

Please test it out to see if it covers your scenario and let me know. If it works, I'll push it out.

lkollenberger commented 5 years ago

Hmm, I don't think passing the options as CMD is working, am I doing something wrong? This is my resulting Dockerfile:

FROM alpine:latest
EXPOSE 53 53/udp

RUN apk --update upgrade && apk add bind

# /etc/bind needs to be owned by root, group owned by "bind", and chmod 750
# since we are mounting, do it manually
# NOTE: Per Dockerfile manual --> need to mkdir the mounted dir to chown
# &
# /var/bind needs to be owned by root, group owned by "bind", and chmod 770
# since we are mounting, do it manually
# NOTE: Per Dockerfile manual --> need to mkdir the mounted dir to chown
# &
# Get latest bind.keys
RUN mkdir -m 0770 -p /etc/bind && chown -R root:named /etc/bind ; \
    mkdir -m 0770 -p /var/cache/bind && chown -R root:named /var/cache/bind ; \
    wget -q -O /etc/bind/bind.keys https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11 ; \
    rndc-confgen -a -r /dev/urandom

COPY configs/. /etc/bind/

# Mounts
# NOTE: Per Dockerfile manual -->
#       "if any build steps change the data within the volume
#        after it has been declared, those changes will be discarded."
VOLUME ["/etc/bind"]
VOLUME ["/var/cache/bind"]

ARG OPTIONS
ENV OPTIONS ${OPTIONS}

COPY entrypoint.sh /
ENTRYPOINT ["/entrypoint.sh"]
CMD ${OPTIONS}

As it is, it's doing nothing (the $OPTIONS variable doesn't get passed to bind). I think that's because the CMD is not getting passed to bind on the entrypoint, so I tried adding "$@" to the last line in that script. However, now bind doesn't even start; it's complaining about extra arguments:

root@crapserv:~# docker logs -f bind
usage: named [-4|-6] [-c conffile] [-d debuglevel] [-E engine] [-f|-g]
             [-n number_of_cpus] [-p port] [-s] [-S sockets] [-t chrootdir]
             [-u username] [-U listeners] [-m {usage|trace|record|size|mctx}]
usage: named [-v|-V]

Running a docker inspect bind shows this:

            "Env": [
                "OPTIONS=-4",
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
            ],
            "Cmd": [
                "/bin/sh",
                "-c",
                "${OPTIONS}"
            ],
            "ArgsEscaped": true,
            "WorkingDir": "",
            "Entrypoint": [
                "/entrypoint.sh"
            ],

So maybe the command line that runs named ends up like exec /usr/sbin/named -c /etc/bind/named.conf -g -u named /bin/sh -c -4, which, of course, is not valid. Any ideas? For reference, this is my docker-compose:

version: "3"
services:
        bind:
                image: lkollenberger/bind:testing
                container_name: bind
                network_mode: host
                volumes:
                        - "/data/configs/bind/etc_bind:/etc/bind"
                        - "/data/configs/bind/var_cache_bind:/var/cache/bind"
                        - "/data/configs/bind/var_log_named:/var/log/named"
                environment:
                        - "OPTIONS=-4"
                restart: unless-stopped

Thanks!

ventz commented 5 years ago

@lkollenberger Fixed by just passing the CMD arg list directly to the entrypoint.

Take a look at the latest release - just pushed it out.

So this allows you now to do (which will break, but just as a test):

docker run -it --rm  ventz/bind -c /tmp/non-existent.conf

And you will see it passed and fail (since the config doesn't exist).

Ex:

% docker run -it --rm  ventz/bind -c /tmp/blah.conf
19-Nov-2018 21:09:48.271 starting BIND 9.12.2-P1 <id:8914b83>
19-Nov-2018 21:09:48.271 running on Linux x86_64 4.9.93-linuxkit-aufs #1 SMP Wed Jun 6 16:55:56 UTC 2018
19-Nov-2018 21:09:48.271 built with '--build=x86_64-alpine-linux-musl' '--host=x86_64-alpine-linux-musl' '--prefix=/usr' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--with-openssl=/usr' '--enable-linux-caps' '--with-libxml2' '--with-libjson' '--enable-threads' '--enable-filter-aaaa' '--enable-ipv6' '--enable-shared' '--enable-static' '--with-libtool' '--with-randomdev=/dev/random' '--mandir=/usr/share/man' '--infodir=/usr/share/info' 'build_alias=x86_64-alpine-linux-musl' 'host_alias=x86_64-alpine-linux-musl' 'CC=gcc' 'CFLAGS=-Os -fomit-frame-pointer -D_GNU_SOURCE' 'LDFLAGS=-Wl,--as-needed' 'CPPFLAGS=-Os -fomit-frame-pointer'
19-Nov-2018 21:09:48.271 running as: named -c /etc/bind/named.conf -g -u named -c /tmp/blah.conf
19-Nov-2018 21:09:48.271 compiled by GCC 6.4.0
19-Nov-2018 21:09:48.271 compiled with OpenSSL version: LibreSSL 2.7.4
19-Nov-2018 21:09:48.271 linked to OpenSSL version: LibreSSL 2.7.4
19-Nov-2018 21:09:48.271 compiled with libxml2 version: 2.9.8
19-Nov-2018 21:09:48.271 linked to libxml2 version: 20908
19-Nov-2018 21:09:48.271 compiled with libjson-c version: 0.13.1
19-Nov-2018 21:09:48.271 linked to libjson-c version: 0.13.1
19-Nov-2018 21:09:48.271 compiled with zlib version: 1.2.11
19-Nov-2018 21:09:48.271 linked to zlib version: 1.2.11
19-Nov-2018 21:09:48.271 threads support is enabled
19-Nov-2018 21:09:48.271 ----------------------------------------------------
19-Nov-2018 21:09:48.271 BIND 9 is maintained by Internet Systems Consortium,
19-Nov-2018 21:09:48.271 Inc. (ISC), a non-profit 501(c)(3) public-benefit 
19-Nov-2018 21:09:48.271 corporation.  Support and training for BIND 9 are 
19-Nov-2018 21:09:48.271 available at https://www.isc.org/support
19-Nov-2018 21:09:48.271 ----------------------------------------------------
19-Nov-2018 21:09:48.271 found 6 CPUs, using 6 worker threads
19-Nov-2018 21:09:48.271 using 5 UDP listeners per interface
19-Nov-2018 21:09:48.272 using up to 4096 sockets
19-Nov-2018 21:09:48.275 loading configuration from '/tmp/blah.conf'
19-Nov-2018 21:09:48.275 open: /tmp/blah.conf: file not found
19-Nov-2018 21:09:48.275 loading configuration: file not found
19-Nov-2018 21:09:48.275 exiting (due to fatal error)

^ Error as per design in this case
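Added example, not code from the ventz/bind image (the thread never shows the project's own entrypoint.sh): a POSIX sh entrypoint that does what the fix above describes. It execs named with the fixed arguments visible in the "running as:" log line and appends the container's CMD list ("$@") to them, and it refuses the "/bin/sh -c ..." residue that the shell-form CMD ${OPTIONS} produced in the earlier comment. The path /usr/sbin/named and the flag allowlist (copied from the named usage text quoted earlier in the thread, BIND 9.12) are assumptions made for this example.

```sh
#!/bin/sh
# Added example entrypoint for the ventz/bind discussion above. It is NOT the
# project's own /entrypoint.sh (that file is never shown in the thread).
#
# Behaviour it reproduces: exec named with the fixed arguments seen in the
# "running as:" log line, followed by the container's CMD list ("$@"), so
#   docker run ... image -4
# ends up as: named -c /etc/bind/named.conf -g -u named -4

NAMED_BIN="${NAMED_BIN:-/usr/sbin/named}"   # assumption: Alpine bind package path

# Print the argv named would be started with, one element per line.
named_argv() {
    printf '%s\n' -c /etc/bind/named.conf -g -u named "$@"
}

# Validate the extra arguments before they reach named. Returns 0 if sane.
# Two failure modes from the thread are caught:
#   1. a shell-form "CMD ${OPTIONS}" arrives as "/bin/sh -c <string>", which
#      named treats as positional garbage and answers with its usage text;
#   2. anything that is not a flag in named's usage line (BIND 9.12 as quoted
#      above; extend the two lists below for other versions).
check_extra_args() {
    if [ "$#" -ge 2 ] && [ "$2" = "-c" ]; then
        case "$1" in
            sh|*/sh|bash|*/bash)
                echo "entrypoint: shell-form CMD detected ($*); use exec-form CMD" >&2
                return 1 ;;
        esac
    fi
    want_value=0
    for a in "$@"; do
        if [ "$want_value" = 1 ]; then want_value=0; continue; fi
        case "$a" in
            -4|-6|-f|-g|-s|-v|-V) ;;                          # flags without a value
            -c|-d|-E|-n|-p|-S|-t|-u|-U|-m) want_value=1 ;;     # flags that take one
            *) echo "entrypoint: unexpected named argument '$a'" >&2; return 1 ;;
        esac
    done
    if [ "$want_value" = 1 ]; then
        echo "entrypoint: last flag is missing its value" >&2
        return 1
    fi
    return 0
}

# Only exec named when this file runs as the container entrypoint
# (ENTRYPOINT ["/entrypoint.sh"]); under any other name it just defines
# the functions above so they can be exercised on their own.
case "$0" in
    */entrypoint.sh|entrypoint.sh)
        check_extra_args "$@" || exit 64   # EX_USAGE
        exec "$NAMED_BIN" -c /etc/bind/named.conf -g -u named "$@"
        ;;
esac
```

With this entrypoint, flags go after the image name (docker run ... ventz/bind -4) or, in compose, in the service's command list; an environment entry such as OPTIONS=-4 on its own never reaches named. To see what a running container actually received, docker inspect -f '{{.Path}} {{.Args}}' bind prints the entrypoint and its argument list. One caveat the log above already demonstrates: named honours the last -c it sees (it loaded /tmp/blah.conf, not /etc/bind/named.conf), so whoever controls the run command can point the daemon at any config file inside the container; the check only enforces syntax, which matches the "pass everything straight through" design of the fix.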

pharz commented 5 years ago

Probably I implemented it wrong but I'm still seeing this in my logs when the container starts:

using default UDP/IPv6 port range: [32768, 60999]
listening on IPv6 interfaces, port 53

I'm running 9.12.2-P1 and have "-e OPTIONS=-4" set in the container startup command.

Thanks!

ventz commented 5 years ago

@pharz The arguments after "ventz/bind" are what get passed to bind directly, so in your case, to disable ipv4, you would do:

docker run -it --rm ventz/bind -4

^ this is just to run it interactively -- you will want "docker run -d ...", but you can see what I mean by this.

Let me know if this works for you.

pharz commented 5 years ago

Yes it does! Thank you so much.

ventz commented 5 years ago

Great!