Rework to use podman and podman-systemd; improve setup.sh
This commit is contained in:
parent
5566774c55
commit
1ec46f1565
@ -8,6 +8,4 @@ options {
|
|||||||
listen-on { any; };
|
listen-on { any; };
|
||||||
listen-on-v6 { any; };
|
listen-on-v6 { any; };
|
||||||
allow-recursion { 127.0.0.1; ::1; };
|
allow-recursion { 127.0.0.1; ::1; };
|
||||||
|
|
||||||
dnssec-validation yes;
|
|
||||||
};
|
};
|
||||||
|
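Review bot: Removing `dnssec-validation yes;` from the options block changes validation behaviour silently: in BIND 9.18 the default is `auto`, which still validates but using the built-in root trust anchor instead of explicitly configured ones, and nothing in the commit says that this is the intent. Since the resolver only allows recursion from localhost, validation is the one protection the recursive clients on this host get, so I would keep the setting explicit with `dnssec-validation auto;` and a one-line comment such as `# validate with the built-in root trust anchor (9.18 default); do not set 'no'`. If the line was dropped because `yes` failed for lack of a `trust-anchors` statement, that is worth stating in the commit message or the comment. The enclosing `options { ... }` block starts before this hunk.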
@ -1,16 +0,0 @@
|
|||||||
[Unit]
|
|
||||||
Description=BIND9 Container
|
|
||||||
After=docker.service
|
|
||||||
Requires=docker.service
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
TimeoutStartSec=0
|
|
||||||
Restart=always
|
|
||||||
ExecStartPre=-/usr/bin/docker stop bind9
|
|
||||||
ExecStartPre=-/usr/bin/docker rm bind9
|
|
||||||
# note: this container is actually provding DNS service, so when that is missing, the pull fails.
|
|
||||||
# ExecStartPre=/usr/bin/docker pull docker.io/internetsystemsconsortium/bind9:9.18
|
|
||||||
ExecStart=/etc/bind/run_bind_container.sh
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
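--- a/named.container
+++ b/named.container
@@ -0,0 +1,14 @@
+[Container]
+Image=docker.io/internetsystemsconsortium/bind9:9.18
+ContainerName=bind9
+Network=host
+Volume=/etc/bind/cfg:/etc/bind
+Volume=/etc/bind/cache:/var/cache/bind
+Volume=/etc/bind/zones:/var/lib/bind
+Volume=/etc/bind/log:/var/log
+# note that the default command is '-f -c /etc/bind/named.conf -L /var/log/bind/default.log'
+# this is close, but not quite what we want
+Exec=-f -c /etc/bind/named.conf
+
+[Install]
+WantedBy=default.target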
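Review bot: The new quadlet has no `[Service]` section, so it loses the `Restart=always` that the deleted docker unit carried; quadlet-generated units do not restart on their own, and since this container is the host's DNS server a named crash would leave the host without resolution until someone notices. Add `[Service]` / `Restart=always` (and optionally `[Unit]` / `After=network-online.target`) to named.container. `Network=host` is needed to bind port 53 directly but also means none of the usual container network isolation applies; a comment such as `# host networking: named binds host ports 53/953 directly, no network namespace isolation` would make that deliberate. The config mount could be tightened to `Volume=/etc/bind/cfg:/etc/bind:ro` if nothing under /etc/bind is written at runtime (rndc keys presumably live there, so check first), and on SELinux hosts the mounts need a `:Z` label or equivalent. Dropping `-L /var/log/bind/default.log` from `Exec=` sends named's output to the journal unless named.conf configures its own logging channel; setup.sh creating `/etc/bind/log/named` suggests it does, but that config is not visible here.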
@ -1,11 +1,25 @@
|
|||||||
#! /bin/bash
|
#! /bin/bash
|
||||||
BASE_CONF_DIR=/etc/bind
|
|
||||||
|
|
||||||
CMD="/etc/bind/run.sh"
|
# This is not normally how this container is launched. Instead, see
|
||||||
[ "$1" = "interactive" ] && ARGS="-ti --entrypoint=/bin/bash" && CMD=""
|
# named.container, which allows podman-systemd to construct a systemd
|
||||||
|
# unit files and run using podman.
|
||||||
|
#
|
||||||
|
# Instead, this script can be used to launch the container "by hand".
|
||||||
|
|
||||||
|
BASE_CONF_DIR=/etc/bind
|
||||||
|
CMD="-f -c /etc/bind/named.conf"
|
||||||
|
[ "$1" = "interactive" ] && ARGS="-ti --entrypoint=/bin/sh" && CMD=""
|
||||||
|
|
||||||
|
[ -x /usr/bin/docker ] && DOCKER=/usr/bin/docker
|
||||||
|
[ -x /usr/bin/podman ] && DOCKER=/usr/bin/podman
|
||||||
|
|
||||||
|
# Note that as of 2024-09-01, this image is based on Alpine linux and its entrypoint is:
|
||||||
|
# '/usr/sbin/named -u bind'
|
||||||
|
# and the default command is:
|
||||||
|
# '-f -c /etc/bind/named.conf -L /var/log/bind/default.log'
|
||||||
|
|
||||||
# shellcheck disable=SC2086
|
# shellcheck disable=SC2086
|
||||||
docker run $ARGS \
|
$DOCKER run $ARGS \
|
||||||
--rm \
|
--rm \
|
||||||
--name=bind9 \
|
--name=bind9 \
|
||||||
--network=host \
|
--network=host \
|
||||||
@ -13,20 +27,4 @@ docker run $ARGS \
|
|||||||
-v $BASE_CONF_DIR/cache:/var/cache/bind \
|
-v $BASE_CONF_DIR/cache:/var/cache/bind \
|
||||||
-v $BASE_CONF_DIR/zones:/var/lib/bind \
|
-v $BASE_CONF_DIR/zones:/var/lib/bind \
|
||||||
-v $BASE_CONF_DIR/log:/var/log \
|
-v $BASE_CONF_DIR/log:/var/log \
|
||||||
docker.io/internetsystemsconsortium/bind9:9.18 $CMD
|
docker.io/internetsystemsconsortium/bind9:9.18 "$CMD"
|
||||||
|
|
||||||
# using bridge networking
|
|
||||||
# : "${DNS_PORT:=53}"
|
|
||||||
# : "${RNDC_PORT:=953}"
|
|
||||||
# docker run $ARGS \
|
|
||||||
# --rm \
|
|
||||||
# --name=bind9 \
|
|
||||||
# --add-host=host.docker.internal:host-gateway \
|
|
||||||
# --publish "$RNDC_PORT:953/tcp" \
|
|
||||||
# --publish "$DNS_PORT:53/udp" \
|
|
||||||
# --publish "$DNS_PORT:53/tcp" \
|
|
||||||
# -v $BASE_CONF_DIR/cfg:/etc/bind \
|
|
||||||
# -v $BASE_CONF_DIR/cache:/var/cache/bind \
|
|
||||||
# -v $BASE_CONF_DIR/zones:/var/lib/bind \
|
|
||||||
# -v $BASE_CONF_DIR/log:/var/log \
|
|
||||||
# docker.io/internetsystemsconsortium/bind9:9.18 $CMD
|
|
||||||
|
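Review bot: Quoting `$CMD` on the image line of the second hunk breaks the script: `"$CMD"` hands `-f -c /etc/bind/named.conf` to named as a single argument, and in interactive mode, where `CMD=""`, it passes an empty string to `/bin/sh` as a script path; the retained `# shellcheck disable=SC2086` shows that word splitting was the intent. The clean fix is to hold `ARGS` and `CMD` in arrays and expand them as `"${ARGS[@]}"` / `"${CMD[@]}"`, which keeps each word separate without unquoted expansion. `$DOCKER` is also left unset when neither binary is present, so the command degrades to a bare `run ...`; an explicit check gives a clear error. The `-v $BASE_CONF_DIR/cfg:/etc/bind` line lies between the two hunks and is not shown, and the container name and mounts are otherwise unchanged.
```shell
BASE_CONF_DIR=/etc/bind
CMD=(-f -c /etc/bind/named.conf)
ARGS=()
[ "${1:-}" = "interactive" ] && ARGS=(-ti --entrypoint=/bin/sh) && CMD=()

# … unchanged: docker/podman detection and image notes …

[ -n "${DOCKER:-}" ] || { echo "neither podman nor docker found" >&2; exit 1; }

"$DOCKER" run "${ARGS[@]}" \
  --rm \
  --name=bind9 \
  --network=host \
  -v "$BASE_CONF_DIR/cfg:/etc/bind" \
  -v "$BASE_CONF_DIR/cache:/var/cache/bind" \
  -v "$BASE_CONF_DIR/zones:/var/lib/bind" \
  -v "$BASE_CONF_DIR/log:/var/log" \
  docker.io/internetsystemsconsortium/bind9:9.18 "${CMD[@]}"
```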
34
setup.sh
34
setup.sh
@ -1,9 +1,35 @@
|
|||||||
#! /bin/bash
|
#! /bin/bash
|
||||||
|
|
||||||
if [ "$EUID" -ne 0 ]; then
|
set -e
|
||||||
echo "Must run as root"
|
|
||||||
|
# NOTE: groupadd and useradd require root.
|
||||||
|
[ "$EUID" -ne 0 ] && echo "Must be run by root" && exit 1
|
||||||
|
|
||||||
|
IMAGE="docker.io/internetsystemsconsortium/bind9:9.18"
|
||||||
|
|
||||||
|
# determine current uid and gid
|
||||||
|
uidgid=$(podman run --rm --entrypoint=/bin/sh "$IMAGE" -c "/usr/bin/id -u bind; /usr/bin/id -g bind")
|
||||||
|
read -d '' -r uid gid <<< "$uidgid" || :
|
||||||
|
|
||||||
|
# create the group and user
|
||||||
|
id -g bind >/dev/null 2>&1 || groupadd -f -g "$gid" bind
|
||||||
|
id -u bind >/dev/null 2>&1 || useradd -u "$uid" -g "$gid" -M --no-log-init bind
|
||||||
|
|
||||||
|
# create our main directory setup
|
||||||
|
install -d -o bind -g bind -m 0755 /etc/bind/cfg /etc/bind/cache /etc/bind/zones /etc/bind/log/named
|
||||||
|
# copy over our config and data without overwriting anything, hopefully.
|
||||||
|
for d in cfg cache zones; do
|
||||||
|
rsync -av --chown bind:bind --ignore-existing ./$d/ /etc/bind/$d/
|
||||||
|
done
|
||||||
|
|
||||||
|
# install our podman config
|
||||||
|
if [ -d /etc/containers/systemd ]; then
|
||||||
|
install -o root -g root -m 0644 named.container /etc/containers/systemd/
|
||||||
|
systemctl daemon-reload
|
||||||
|
systemctl start named
|
||||||
|
else
|
||||||
|
echo "containers-common not installed?"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
groupadd -f -g 105 bind
|
exit 0
|
||||||
useradd -u 104 -g 105 -M --no-log-init bind
|
|
||||||
|
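Review bot: `groupadd -f -g "$gid" bind` silently picks a different GID when `$gid` is already taken on the host, so the host `bind` group can stop matching the group named runs as inside the container, and the `install -o bind -g bind` ownership on the volumes then no longer lines up with the container's view; `useradd -u "$uid"` has the opposite failure mode and aborts under `set -e` when the UID is in use. I would verify the outcome rather than trust the creation step: `[ "$(id -u bind)" = "$uid" ] && [ "$(id -g bind)" = "$gid" ] || { echo "host bind uid/gid does not match container ($uid:$gid)" >&2; exit 1; }`. The `uid`/`gid` values come from the `podman run` line, and if that prints nothing the `|| :` on the `read` hides it, so a `[ -n "$uid" ] && [ -n "$gid" ]` check before `groupadd` would fail early with a clearer message. The new account also gets the system's default login shell; for a service user that only owns files, `-s /usr/sbin/nologin` (path varies by distribution) on the `useradd` line is the usual hardening.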