improve UID management, hopefully

This commit is contained in:
David Blacka 2026-01-10 11:54:00 -05:00
parent 2828d61265
commit 95d774d645
3 changed files with 27 additions and 18 deletions


@ -10,12 +10,12 @@ It *was* the revamped DNS service for `zeke.ecotroph.net`, and thus served zones
## Overview ## Overview
In the past, we just ran the version of BIND that came with our distribution (at this moment, that is CentOS 7, which translates to bind 9.11.) This new configuration runs a very recent version of BIND 9 via a docker image produced by ISC themselves. We started with 9.18.12 and now are up to 9.18.20. In the past, we just ran the version of BIND that came with our distribution (at this moment, that is CentOS 7, which translates to bind 9.11.) This new configuration runs a very recent version of BIND 9 via a docker image produced by ISC themselves. We started with 9.18.12 and now are up to 9.18.43.
This docker image imposes a few requirements: This docker image imposes a few requirements:
* Internally, the image runs `named` as the `bind` user (104:105). Since we bind-mount directories, we do need those directories owned by whatever internal UID it is using. * Internally, the image runs `named` as the `bind` user (53:53). Since we bind-mount directories, we do need those directories owned by whatever internal UID it is using.
* We need some way to ensure that our container is run on system reboots, etc. Here we chose to use `systemd` to do this, although that is not ideal. * We need some way to ensure that our container is run on system reboots, etc. Here we chose to use `systemd` to do this.
* Presumably the normal way to do logging for a docker container is to use the standard journal service, although this image is set up to bind-mount `/var/log`. On the other hand, the standard command uses the `-g` flag, which is "debug" mode, and causes all of the logs to go to stderr. * Presumably the normal way to do logging for a docker container is to use the standard journal service, although this image is set up to bind-mount `/var/log`. On the other hand, the standard command uses the `-g` flag, which is "debug" mode, and causes all of the logs to go to stderr.
* We do want named to stay in the foreground here. Fortunately, there have always been command line options that do this (`-g` and `-f`). Thus, in order to log to `/var/log`, we supply a different command: `/usr/sbin/named -f -u bind`. This will run in the foreground, and run as the internal `bind` user. * We do want named to stay in the foreground here. Fortunately, there have always been command line options that do this (`-g` and `-f`). Thus, in order to log to `/var/log`, we supply a different command: `/usr/sbin/named -f -u bind`. This will run in the foreground, and run as the internal `bind` user.
@ -86,4 +86,3 @@ named-compilezone -f raw -F text -o - blacka.com /etc/bind/zones/blacka.com.sign
If using the script that runs the version in our container, note that you may have to use the paths that work *inside the container*. The current script mounts your current working directory, so you can use `run_named_compilezone.sh ./some.zone`, but not `run_named_compilezone.sh /etc/named/zones/blacka.com`. If using the script that runs the version in our container, note that you may have to use the paths that work *inside the container*. The current script mounts your current working directory, so you can use `run_named_compilezone.sh ./some.zone`, but not `run_named_compilezone.sh /etc/named/zones/blacka.com`.
That said, we are probably better off just using the version that comes with our OS, and not using the container. That said, we are probably better off just using the version that comes with our OS, and not using the container.


@ -11,16 +11,21 @@ IMAGE="docker.io/internetsystemsconsortium/bind9:9.18"
uidgid=$(podman run --rm --entrypoint=/bin/sh "$IMAGE" -c "/usr/bin/id -u bind; /usr/bin/id -g bind") uidgid=$(podman run --rm --entrypoint=/bin/sh "$IMAGE" -c "/usr/bin/id -u bind; /usr/bin/id -g bind")
read -d '' -r uid gid <<< "$uidgid" || : read -d '' -r uid gid <<< "$uidgid" || :
# create the group and user # Create or update the on host user to match the container's 'bind' user and group
id -g bind >/dev/null 2>&1 || groupadd -f -g "$gid" bind ACTUAL_UID=$(id -u bind 2>/dev/null)
id -u bind >/dev/null 2>&1 || useradd -u "$uid" -g "$gid" -M --no-log-init bind ACTUAL_GID=$(id -g bind 2>/dev/null)
# create our main directory setup [ -z "$ACTUAL_GID" ] && groupadd -f -g "$gid" bind
[ -z "$ACTUAL_UID" ] && useradd -u "$uid" -g "$gid" -M --no-log-init bind
[ "$ACTUAL_GID" -ne "$gid" ] && groupmod -g "$gid" bind
[ "$ACTUAL_UID" -ne "$uid" ] && usermod -u "$uid" -g "$gid"
# create/update our main directory setup
install -d -o bind -g bind -m 0755 /etc/bind/cfg /etc/bind/cache /etc/bind/zones /etc/bind/log/named install -d -o bind -g bind -m 0755 /etc/bind/cfg /etc/bind/cache /etc/bind/zones /etc/bind/log/named
# copy over our config and data without overwriting anything, hopefully. # copy over our config and data without overwriting anything, hopefully.
for d in cfg cache zones; do rsync -av --chown bind:bind --del ./cfg/ /etc/bind/cfg/
rsync -av --chown bind:bind --ignore-existing ./$d/ /etc/bind/$d/ rsync -av --chown bind:bind ./zones /etc/bind/zones/
done rsync -av --chown bind:bind --ignore-existing ./cache/ /etc/bind/cache/
# install our podman config # install our podman config
if [ -d /etc/containers/systemd ]; then if [ -d /etc/containers/systemd ]; then
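Review bot: The new `usermod` line (`[ "$ACTUAL_UID" -ne "$uid" ] && usermod -u "$uid" -g "$gid"`) is missing the login name, so when the host `bind` user exists with a different UID the command fails with a usage error and the mismatch is never repaired; it should read `usermod -u "$uid" -g "$gid" bind`, matching the `groupmod` line above it. The two `-ne` tests also run with `ACTUAL_UID`/`ACTUAL_GID` empty on a fresh host, because those are captured before `groupadd`/`useradd` run, which makes `[` print "integer expression expected" to stderr; an if/else on whether the user exists avoids that, and a digit check on `$uid`/`$gid` would stop an empty value (the `|| :` after `read` swallows a failed container run) from reaching `useradd`. Separately, the zones rsync source lost its trailing slash (`./zones` vs. `./cfg/`), so the files land in `/etc/bind/zones/zones/`; it should be `rsync -av --chown bind:bind ./zones/ /etc/bind/zones/`, and the comment above it ("without overwriting anything") no longer describes the `--del` and plain-overwrite behaviour of the cfg and zones lines. The docker variant of this script carries the same three issues. Note too that `usermod -u` only re-owns the user's home directory, so after a UID change any existing files under the bind-mounted paths that `install -d` and the rsyncs do not touch (e.g. log files already in `/etc/bind/log/named`) presumably keep the old numeric owner and would need a one-off `chown -R`.
```shell
# Create or update the on host user to match the container's 'bind' user and group
for v in "$uid" "$gid"; do
  case "$v" in
    ''|*[!0-9]*) printf 'could not read bind uid/gid from %s\n' "$IMAGE" >&2; exit 1 ;;
  esac
done
if ! id -u bind >/dev/null 2>&1; then
  groupadd -f -g "$gid" bind
  useradd -u "$uid" -g "$gid" -M --no-log-init bind
else
  [ "$(id -g bind)" -ne "$gid" ] && groupmod -g "$gid" bind
  [ "$(id -u bind)" -ne "$uid" ] && usermod -u "$uid" -g "$gid" bind
fi
# … unchanged: install -d … and the cfg/cache rsync lines …
rsync -av --chown bind:bind ./zones/ /etc/bind/zones/
```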


@ -11,16 +11,21 @@ IMAGE="docker.io/internetsystemsconsortium/bind9:9.18"
uidgid=$(docker run --rm --entrypoint=/bin/sh "$IMAGE" -c "/usr/bin/id -u bind; /usr/bin/id -g bind") uidgid=$(docker run --rm --entrypoint=/bin/sh "$IMAGE" -c "/usr/bin/id -u bind; /usr/bin/id -g bind")
read -d '' -r uid gid <<< "$uidgid" || : read -d '' -r uid gid <<< "$uidgid" || :
# create the group and user # Create or update the on host user to match the container's 'bind' user and group
id -g bind >/dev/null 2>&1 || groupadd -f -g "$gid" bind ACTUAL_UID=$(id -u bind 2>/dev/null)
id -u bind >/dev/null 2>&1 || useradd -u "$uid" -g "$gid" -M --no-log-init bind ACTUAL_GID=$(id -g bind 2>/dev/null)
# create our main directory setup [ -z "$ACTUAL_GID" ] && groupadd -f -g "$gid" bind
[ -z "$ACTUAL_UID" ] && useradd -u "$uid" -g "$gid" -M --no-log-init bind
[ "$ACTUAL_GID" -ne "$gid" ] && groupmod -g "$gid" bind
[ "$ACTUAL_UID" -ne "$uid" ] && usermod -u "$uid" -g "$gid"
# create/update our main directory setup
install -d -o bind -g bind -m 0755 /etc/bind/cfg /etc/bind/cache /etc/bind/zones /etc/bind/log/named install -d -o bind -g bind -m 0755 /etc/bind/cfg /etc/bind/cache /etc/bind/zones /etc/bind/log/named
# copy over our config and data without overwriting anything, hopefully. # copy over our config and data without overwriting anything, hopefully.
for d in cfg cache zones; do rsync -av --chown bind:bind --del ./cfg/ /etc/bind/cfg/
rsync -av --chown bind:bind --ignore-existing ./$d/ /etc/bind/$d/ rsync -av --chown bind:bind ./zones /etc/bind/zones/
done rsync -av --chown bind:bind --ignore-existing ./cache/ /etc/bind/cache/
if [ -f docker.named.service ]; then if [ -f docker.named.service ]; then
install -m 0644 docker.named.service /etc/systemd/system/docker.named.service install -m 0644 docker.named.service /etc/systemd/system/docker.named.service