diff --git a/cfg/named.options.conf b/cfg/named.options.conf index 98dc3f5..f4020ed 100644 --- a/cfg/named.options.conf +++ b/cfg/named.options.conf @@ -8,6 +8,4 @@ options { listen-on { any; }; listen-on-v6 { any; }; allow-recursion { 127.0.0.1; ::1; }; - - dnssec-validation yes; }; diff --git a/docker.named.service b/docker.named.service deleted file mode 100644 index d641a35..0000000 --- a/docker.named.service +++ /dev/null @@ -1,16 +0,0 @@ -[Unit] -Description=BIND9 Container -After=docker.service -Requires=docker.service - -[Service] -TimeoutStartSec=0 -Restart=always -ExecStartPre=-/usr/bin/docker stop bind9 -ExecStartPre=-/usr/bin/docker rm bind9 -# note: this container is actually provding DNS service, so when that is missing, the pull fails. -# ExecStartPre=/usr/bin/docker pull docker.io/internetsystemsconsortium/bind9:9.18 -ExecStart=/etc/bind/run_bind_container.sh - -[Install] -WantedBy=multi-user.target \ No newline at end of file diff --git a/named.container b/named.container new file mode 100644 index 0000000..f67ec2c --- /dev/null +++ b/named.container @@ -0,0 +1,14 @@ +[Container] +Image=docker.io/internetsystemsconsortium/bind9:9.18 +ContainerName=bind9 +Network=host +Volume=/etc/bind/cfg:/etc/bind +Volume=/etc/bind/cache:/var/cache/bind +Volume=/etc/bind/zones:/var/lib/bind +Volume=/etc/bind/log:/var/log +# note that the default command is '-f -c /etc/bind/named.conf -L /var/log/bind/default.log' +# this is close, but not quite what we want +Exec=-f -c /etc/bind/named.conf + +[Install] +WantedBy=default.target diff --git a/run_bind_container.sh b/run_bind_container.sh index 8032afd..e4bdcf1 100755 --- a/run_bind_container.sh +++ b/run_bind_container.sh @@ -1,11 +1,25 @@ #! /bin/bash -BASE_CONF_DIR=/etc/bind -CMD="/etc/bind/run.sh" -[ "$1" = "interactive" ] && ARGS="-ti --entrypoint=/bin/bash" && CMD="" +# This is not normally how this container is launched. Instead, see +# named.container, which allows podman-systemd to construct a systemd +# unit files and run using podman. +# +# Instead, this script can be used to launch the container "by hand". + +BASE_CONF_DIR=/etc/bind +CMD="-f -c /etc/bind/named.conf" +[ "$1" = "interactive" ] && ARGS="-ti --entrypoint=/bin/sh" && CMD="" + +[ -x /usr/bin/docker ] && DOCKER=/usr/bin/docker +[ -x /usr/bin/podman ] && DOCKER=/usr/bin/podman + +# Note that as of 2024-09-01, this image is based on Alpine linux and its entrypoint is: +# '/usr/sbin/named -u bind' +# and the default command is: +# '-f -c /etc/bind/named.conf -L /var/log/bind/default.log' # shellcheck disable=SC2086 -docker run $ARGS \ +$DOCKER run $ARGS \ --rm \ --name=bind9 \ --network=host \ @@ -13,20 +27,4 @@ docker run $ARGS \ -v $BASE_CONF_DIR/cache:/var/cache/bind \ -v $BASE_CONF_DIR/zones:/var/lib/bind \ -v $BASE_CONF_DIR/log:/var/log \ - docker.io/internetsystemsconsortium/bind9:9.18 $CMD - -# using bridge networking -# : "${DNS_PORT:=53}" -# : "${RNDC_PORT:=953}" -# docker run $ARGS \ -# --rm \ -# --name=bind9 \ -# --add-host=host.docker.internal:host-gateway \ -# --publish "$RNDC_PORT:953/tcp" \ -# --publish "$DNS_PORT:53/udp" \ -# --publish "$DNS_PORT:53/tcp" \ -# -v $BASE_CONF_DIR/cfg:/etc/bind \ -# -v $BASE_CONF_DIR/cache:/var/cache/bind \ -# -v $BASE_CONF_DIR/zones:/var/lib/bind \ -# -v $BASE_CONF_DIR/log:/var/log \ -# docker.io/internetsystemsconsortium/bind9:9.18 $CMD + docker.io/internetsystemsconsortium/bind9:9.18 "$CMD" diff --git a/setup.sh b/setup.sh index fe5c1e5..8b5448b 100755 --- a/setup.sh +++ b/setup.sh @@ -1,9 +1,35 @@ #! /bin/bash -if [ "$EUID" -ne 0 ]; then - echo "Must run as root" +set -e + +# NOTE: groupadd and useradd require root. +[ "$EUID" -ne 0 ] && echo "Must be run by root" && exit 1 + +IMAGE="docker.io/internetsystemsconsortium/bind9:9.18" + +# determine current uid and gid +uidgid=$(podman run --rm --entrypoint=/bin/sh "$IMAGE" -c "/usr/bin/id -u bind; /usr/bin/id -g bind") +read -d '' -r uid gid <<< "$uidgid" || : + +# create the group and user +id -g bind >/dev/null 2>&1 || groupadd -f -g "$gid" bind +id -u bind >/dev/null 2>&1 || useradd -u "$uid" -g "$gid" -M --no-log-init bind + +# create our main directory setup +install -d -o bind -g bind -m 0755 /etc/bind/cfg /etc/bind/cache /etc/bind/zones /etc/bind/log/named +# copy over our config and data without overwriting anything, hopefully. +for d in cfg cache zones; do + rsync -av --chown bind:bind --ignore-existing ./$d/ /etc/bind/$d/ +done + +# install our podman config +if [ -d /etc/containers/systemd ]; then + install -o root -g root -m 0644 named.container /etc/containers/systemd/ + systemctl daemon-reload + systemctl start named +else + echo "containers-common not installed?" exit 1 fi -groupadd -f -g 105 bind -useradd -u 104 -g 105 -M --no-log-init bind +exit 0