ventz / docker-bind

Docker Hub ventz/bind - Secure ISC BIND (Authoritative, Recursive, Slave, RPZ) - Docker image always latest built!
https://hub.docker.com/r/ventz/bind/

rndc.key and /DATA directory. #26

Closed sjmuniz closed 4 years ago

sjmuniz commented 5 years ago

Hello, Ventz. I find a bit of a race condition between the generation of the rndc key at build time and the expectation that "/DATA/etc/bind" is mounted on top of /etc/bind within the container. Either I am doing something wrong, or correct me if there is an issue.

If I mount from docker-compose a "/DATA/etc/bind" on top of /etc/bind, there should be a mechanism to preserve rndc, or it would be overwritten/hidden by the external information.

My docker-compose is:

$ cat docker-compose.yaml
version: "3"
services:
  bind:
    image: ventz/bind
    container_name: bind
    network_mode: host
    volumes:
      - "./etc_bind:/etc/bind"
      - "./var_cache_bind:/var/cache/bind"
      - "./var_log_named:/var/log/named"
    environment:
      - "OPTIONS=-4"
    restart: unless-stopped

I modified it to use paths relative to the docker-compose file. But of course rndc is not there after populating ./etc_bind with the container/configs/ contents, and bind fails to start because it cannot find rndc.

bind    | 18-Aug-2019 08:49:57.899 ----------------------------------------------------
bind    | 18-Aug-2019 08:49:57.899 BIND 9 is maintained by Internet Systems Consortium,
bind    | 18-Aug-2019 08:49:57.900 Inc. (ISC), a non-profit 501(c)(3) public-benefit
bind    | 18-Aug-2019 08:49:57.900 corporation.  Support and training for BIND 9 are
bind    | 18-Aug-2019 08:49:57.900 available at https://www.isc.org/support
bind    | 18-Aug-2019 08:49:57.900 ----------------------------------------------------
bind    | 18-Aug-2019 08:49:57.900 found 2 CPUs, using 2 worker threads
bind    | 18-Aug-2019 08:49:57.900 using 2 UDP listeners per interface
bind    | 18-Aug-2019 08:49:57.904 using up to 4096 sockets
bind    | 18-Aug-2019 08:49:57.935 loading configuration from '/etc/bind/named.conf'
bind    | 18-Aug-2019 08:49:57.936 /etc/bind/named.conf:13: open: /etc/bind/rndc.key: file not found
bind    | 18-Aug-2019 08:49:57.939 loading configuration: file not found
bind    | 18-Aug-2019 08:49:57.939 exiting (due to fatal error)

What am I doing wrong? Thank you!

ventz commented 5 years ago

@sjmuniz Great question - It's due to overriding /etc/bind all together.

Unfortunately, the mentality was that if you override it, "you know what you are doing", and then chances are you are providing your own configs/keys/etc.

But to your point - the keys should probably be included. So this leaves 2 solutions: 1.) override a sub-folder within /etc/bind (ex: /etc/bind/custom) or 2.) have the keys be dropped/copied/etc as part of "startup" as the last step during container start (ex: /root/rndc.key -> /etc/bind.) on every single container start.

What do you think about a "good way" to set this up?
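The second option ventz describes (dropping the key into /etc/bind as the last step of container start, without clobbering a key the user already supplied on the volume), as an added example entrypoint fragment that is not code from the ventz/bind image. It assumes the build-time key is kept at /root/rndc.key and that named runs as the `bind` user; both paths are parameterised so the function can be exercised outside a container.

```shell
#!/bin/sh
# Added example (not from ventz/bind): make sure /etc/bind/rndc.key exists at
# container start even when /etc/bind is replaced by a bind-mounted volume.
# Assumed layout: the key generated at image build time lives at /root/rndc.key.

BIND_DIR="${BIND_DIR:-/etc/bind}"
SEED_KEY="${SEED_KEY:-/root/rndc.key}"
BIND_USER="${BIND_USER:-bind}"

# ensure_rndc_key DIR SEED
#   1. a key already present in DIR (supplied via the volume) is left untouched
#   2. otherwise the build-time SEED key is copied into place
#   3. otherwise a fresh key is generated with rndc-confgen, if available
# Returns 0 when a usable key is in place, 1 when none could be provided.
ensure_rndc_key() {
    dir="$1"; seed="$2"; key="$dir/rndc.key"
    if [ -s "$key" ]; then
        echo "rndc.key already present in $dir, keeping the mounted copy"
    elif [ -s "$seed" ]; then
        cp "$seed" "$key"
        echo "copied $seed to $key"
    elif command -v rndc-confgen >/dev/null 2>&1; then
        rndc-confgen -a -c "$key" >/dev/null
        echo "generated new $key"
    else
        echo "no rndc.key available and rndc-confgen not found" >&2
        return 1
    fi
    # The key is a shared secret for the control channel: keep it out of reach
    # of other users on the volume (root and the bind user only).
    chmod 0640 "$key"
    # chown can fail when the entrypoint runs unprivileged; that is not fatal.
    chown "root:$BIND_USER" "$key" 2>/dev/null || true
    return 0
}

# When used as the entrypoint, invoke with "run": place the key, then start named.
# OPTIONS carries the extra flags from the compose file (e.g. "-4").
if [ "${1:-}" = "run" ]; then
    ensure_rndc_key "$BIND_DIR" "$SEED_KEY" || exit 1
    exec named -g ${OPTIONS:-}
fi
```

Because the function checks for an existing non-empty rndc.key first, a user who mounts their own /etc/bind with their own key keeps it, while the stock volume from the issue above gets the build-time key copied in on every start.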

sjmuniz commented 5 years ago

@ventz I like the idea of generating it at /root and linking. I think it provides greater flexibility. Keep tuned for a set of patches. Thanks, Sebastian.