improve UID management, hopefully

This commit is contained in:
David Blacka 2026-01-10 11:54:00 -05:00
parent 2828d61265
commit 95d774d645
3 changed files with 27 additions and 18 deletions


@ -10,12 +10,12 @@ It *was* the revamped DNS service for `zeke.ecotroph.net`, and thus served zones
## Overview
In the past, we just ran the version of BIND that came with our distribution (at this moment, that is CentOS 7, which translates to bind 9.11.) This new configuration runs a very recent version of BIND 9 via a docker image produced by ISC themselves. We started with 9.18.12 and now are up to 9.18.20.
In the past, we just ran the version of BIND that came with our distribution (at this moment, that is CentOS 7, which translates to bind 9.11.) This new configuration runs a very recent version of BIND 9 via a docker image produced by ISC themselves. We started with 9.18.12 and now are up to 9.18.43.
This docker image imposes a few requirements:
* Internally, the image runs `named` as the `bind` user (104:105). Since we bind-mount directories, we do need those directories owned by whatever internal UID it is using.
* We need some way to ensure that our container is run on system reboots, etc. Here we chose to use `systemd` to do this, although that is not ideal.
* Internally, the image runs `named` as the `bind` user (53:53). Since we bind-mount directories, we do need those directories owned by whatever internal UID it is using.
* We need some way to ensure that our container is run on system reboots, etc. Here we chose to use `systemd` to do this.
* Presumably the normal way to do logging for a docker container is to use the standard journal service, although this image is set up to bind-mount `/var/log`. On the other hand, the standard command uses the `-g` flag, which is "debug" mode, and causes all of the logs to go to stderr.
* We do want named to stay in the foreground here. Fortunately, there have always been command line options that do this (`-g` and `-f`). Thus, in order to log to `/var/log`, we supply a different command: `/usr/sbin/named -f -u bind`. This will run in the foreground, and run as the internal `bind` user.
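Review bot: the new bullet hardcodes the container's `bind` user as `(53:53)`, which is exactly the kind of value this commit had to correct from `(104:105)` and which the install scripts now look up at runtime with `id -u bind; id -g bind` inside the image. Consider wording it as "currently 53:53 for the 9.18 image; the install script queries the image for the real value" so the README does not go stale the next time the image's UID changes, and so readers know the bind-mounted directories must match whatever the script discovers rather than a fixed number.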
@ -86,4 +86,3 @@ named-compilezone -f raw -F text -o - blacka.com /etc/bind/zones/blacka.com.sign
If using the script that runs the version in our container, note that you may have to use the paths that work *inside the container*. The current script mounts your current working directory, so you can use `run_named_compilezone.sh ./some.zone`, but not `run_named_compilezone.sh /etc/named/zones/blacka.com`.
That said, we are probably better off just using the version that comes with our OS, and not using the container.


@ -11,16 +11,21 @@ IMAGE="docker.io/internetsystemsconsortium/bind9:9.18"
uidgid=$(podman run --rm --entrypoint=/bin/sh "$IMAGE" -c "/usr/bin/id -u bind; /usr/bin/id -g bind")
read -d '' -r uid gid <<< "$uidgid" || :
# create the group and user
id -g bind >/dev/null 2>&1 || groupadd -f -g "$gid" bind
id -u bind >/dev/null 2>&1 || useradd -u "$uid" -g "$gid" -M --no-log-init bind
# Create or update the on host user to match the container's 'bind' user and group
ACTUAL_UID=$(id -u bind 2>/dev/null)
ACTUAL_GID=$(id -g bind 2>/dev/null)
# create our main directory setup
[ -z "$ACTUAL_GID" ] && groupadd -f -g "$gid" bind
[ -z "$ACTUAL_UID" ] && useradd -u "$uid" -g "$gid" -M --no-log-init bind
[ "$ACTUAL_GID" -ne "$gid" ] && groupmod -g "$gid" bind
[ "$ACTUAL_UID" -ne "$uid" ] && usermod -u "$uid" -g "$gid"
# create/update our main directory setup
install -d -o bind -g bind -m 0755 /etc/bind/cfg /etc/bind/cache /etc/bind/zones /etc/bind/log/named
# copy over our config and data without overwriting anything, hopefully.
for d in cfg cache zones; do
rsync -av --chown bind:bind --ignore-existing ./$d/ /etc/bind/$d/
done
rsync -av --chown bind:bind --del ./cfg/ /etc/bind/cfg/
rsync -av --chown bind:bind ./zones /etc/bind/zones/
rsync -av --chown bind:bind --ignore-existing ./cache/ /etc/bind/cache/
# install our podman config
if [ -d /etc/containers/systemd ]; then
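Review bot: the `usermod` line is missing its username argument: `[ "$ACTUAL_UID" -ne "$uid" ] && usermod -u "$uid" -g "$gid"` will fail with a usage error, whereas the `groupmod` line above it correctly ends with `bind`. Two further points in the same block: on a fresh host `ACTUAL_UID`/`ACTUAL_GID` are empty, so after the `groupadd`/`useradd` branches the `-ne` tests run `[ "" -ne 53 ]` and emit "integer expression expected"; either re-read the ids after creation or guard the tests with `-n "$ACTUAL_GID"`. And in the rsync section, `rsync -av --chown bind:bind ./zones /etc/bind/zones/` has no trailing slash on the source, unlike `./cfg/` and `./cache/`, so it will create `/etc/bind/zones/zones/` instead of syncing the zone files into `/etc/bind/zones/`; also note that `--del` on `cfg` now removes any host-only config files, which is a behaviour change from the previous `--ignore-existing` loop and probably deserves a mention in the comment above it.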


@ -11,16 +11,21 @@ IMAGE="docker.io/internetsystemsconsortium/bind9:9.18"
uidgid=$(docker run --rm --entrypoint=/bin/sh "$IMAGE" -c "/usr/bin/id -u bind; /usr/bin/id -g bind")
read -d '' -r uid gid <<< "$uidgid" || :
# create the group and user
id -g bind >/dev/null 2>&1 || groupadd -f -g "$gid" bind
id -u bind >/dev/null 2>&1 || useradd -u "$uid" -g "$gid" -M --no-log-init bind
# Create or update the on host user to match the container's 'bind' user and group
ACTUAL_UID=$(id -u bind 2>/dev/null)
ACTUAL_GID=$(id -g bind 2>/dev/null)
# create our main directory setup
[ -z "$ACTUAL_GID" ] && groupadd -f -g "$gid" bind
[ -z "$ACTUAL_UID" ] && useradd -u "$uid" -g "$gid" -M --no-log-init bind
[ "$ACTUAL_GID" -ne "$gid" ] && groupmod -g "$gid" bind
[ "$ACTUAL_UID" -ne "$uid" ] && usermod -u "$uid" -g "$gid"
# create/update our main directory setup
install -d -o bind -g bind -m 0755 /etc/bind/cfg /etc/bind/cache /etc/bind/zones /etc/bind/log/named
# copy over our config and data without overwriting anything, hopefully.
for d in cfg cache zones; do
rsync -av --chown bind:bind --ignore-existing ./$d/ /etc/bind/$d/
done
rsync -av --chown bind:bind --del ./cfg/ /etc/bind/cfg/
rsync -av --chown bind:bind ./zones /etc/bind/zones/
rsync -av --chown bind:bind --ignore-existing ./cache/ /etc/bind/cache/
if [ -f docker.named.service ]; then
install -m 0644 docker.named.service /etc/systemd/system/docker.named.service
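Review bot: this docker variant carries the same defects as the podman script: `usermod -u "$uid" -g "$gid"` lacks the trailing `bind` username and will exit with a usage error; `[ "$ACTUAL_GID" -ne "$gid" ]` and `[ "$ACTUAL_UID" -ne "$uid" ]` are evaluated against empty strings right after the user and group are first created, producing "integer expression expected"; and `rsync -av --chown bind:bind ./zones /etc/bind/zones/` is missing the trailing slash on `./zones`, so zone files land in `/etc/bind/zones/zones/`. Since the two scripts are line-for-line identical in this block, consider factoring the UID/GID reconciliation and the rsync steps into a shared helper sourced by both, so a fix only has to be made once.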