Re: Docker Compose Setup with ISC/Bind9 Image
This is extremely bad advice. Unless the OP understands what went wrong and how to fix it, advising them to change the image, change the architecture and mash random stuff into docker will only lead to more confusion and more problems in the future.

I was using ISC docker images with my students during the fall semester and the images work just fine both for authoritative and recursive workload. And I’ve tested them using both docker and podman.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

On 30. 12. 2024, at 9:21, Fajar Nugraha wrote:

> Try these
>
> Background info on my setup
> - ubuntu 24.04 + https://docs.docker.com/engine/install/ubuntu/ , arm64 (a
> vm on mac, if it matters). Other distros should work fine too, as long as it
> can run docker compose.
> - ubuntu/bind9:9.20-24.10_edge docker image. Mainly
> because internetsystemsconsortium/bind9 doesn't have an arm64 image.
> - test on host port 10053 first, so you can make sure it works while still
> having whatever is currently using port 53 running (e.g. your non-docker
> bind9 setup)
> - make sure the user owns the directory and is part of "docker" group (in
> my case, the user name is "user")
> $ id
> uid=1000(user) gid=1000(user) groups=1000(user),997(docker)
>
> Preparation:
> - make sure docker-ce-cli and docker-compose-plugin are installed (if you
> can run "docker compose", you should be fine already)
> - pick a directory (in my case, /data/bind9), make sure the user running
> docker owns it.
> - easiest way to set up subdirectories for docker volumes:
>   $ mkdir -m 1777 {etc,cache,lib}
> - create minimal etc/named.conf
> options {
>     directory "/var/cache/bind";
>     // needed if your ISP messes with DNS
>     dnssec-validation no;
> };
> - create this compose.yml, then run "docker compose up"
> services:
>   bind9:
>     image: ubuntu/bind9:9.20-24.10_edge
>     command: "docker-entrypoint.sh -4"
>     ports:
>       - "10053:53"
>       - "10053:53/udp"
>     volumes:
>       - etc:/etc/bind
>       - lib:/var/lib/bind
>       - cache:/var/cache/bind
> volumes:
>   etc:
>     driver: local
>     driver_opts:
>       device: "./etc"
>       type: none
>       o: bind
>   lib:
>     driver: local
>     driver_opts:
>       device: "./lib"
>       type: none
>       o: bind
>   cache:
>     driver: local
>     driver_opts:
>       device: "./cache"
>       type: none
>       o: bind
> - or you can also run
> docker run --rm -it --name bind9 \
>     -e TZ=UTC \
>     -p 10053:53 -p 10053:53/udp \
>     -v ./etc:/etc/bind \
>     -v ./lib:/var/lib/bind \
>     -v ./cache:/var/cache/bind \
>     ubuntu/bind9:9.20-24.10_edge \
>     docker-entrypoint.sh -4
> - on another terminal, "dig google.com @127.0.0.1 -p 10053"
> - to exit, press ctrl-c on the docker / docker compose terminal
> - to listen on your ip address port 53, replace "10053:53" with
> "your_ip_address:53:53", e.g. "192.168.25.156:53:53". note that you will also
> need to edit named.conf to allow queries from that subnet
>
> --
> Fajar
>
> On Mon, Dec 30, 2024 at 1:27 AM Pablo Andalaft Tarodo wrote:
>
>> Hi all,
>>
>> Thanks for taking the time. I've been spending many hours on this, to no
>> solution. But, some things that may shine more light:
>>
>> When the container is stuck restarting, the error, aside from exit code
>> 1, is "user 'bind' is not recognised" or something similar, and checking
>> the container entrypoint "/usr/sbin/named -u bind -f -c
>> /etc/bind/named.conf", it tries to use the user "bind" to start "named",
>> but this user is present in the base image (checking /etc/passwd)...
>>
>> For a long time I wasn't able to find other logs and I resorted to using
>> a Dockerfile to see if I could control more steps for the image, no help.
>>
>> So I started off with what works, running a container directly from the
>> image (doesn't get stuck restarting), and copying the files to it
>> `docker container cp /config/named.conf
>> :/etc/bind/named.conf` etc., and finally exec'ing into
>> the container's shell and launching `/usr/sbin/named -u bind -f -g -c
>> /etc/bind/named.conf`, this showed me that there were some errors in the
>> config (thanks for the -g heads up), that I could address.
>>
>> However through docker compose, I still get the "named: user 'bind'
>> unknown" error.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users
Re: Docker Compose Setup with ISC/Bind9 Image
Try these
Background info on my setup
- ubuntu 24.04 + https://docs.docker.com/engine/install/ubuntu/ , arm64 (a
vm on mac, if it matters). Other distros should work fine too, as long as it
can run docker compose.
- ubuntu/bind9:9.20-24.10_edge docker image. Mainly
because internetsystemsconsortium/bind9 doesn't have an arm64 image.
- test on host port 10053 first, so you can make sure it works while still
having whatever is currently using port 53 running (e.g. your non-docker
bind9 setup)
- make sure the user owns the directory and is part of "docker" group (in
my case, the user name is "user")
$ id
uid=1000(user) gid=1000(user) groups=1000(user),997(docker)
Preparation:
- make sure docker-ce-cli and docker-compose-plugin are installed (if you
can run "docker compose", you should be fine already)
- pick a directory (in my case, /data/bind9), make sure the user running
docker owns it.
- easiest way to set up subdirectories for docker volumes:
  $ mkdir -m 1777 {etc,cache,lib}
- create minimal etc/named.conf
options {
    directory "/var/cache/bind";
    // needed if your ISP messes with DNS
    dnssec-validation no;
};
- create this compose.yml, then run "docker compose up"
services:
  bind9:
    image: ubuntu/bind9:9.20-24.10_edge
    command: "docker-entrypoint.sh -4"
    ports:
      - "10053:53"
      - "10053:53/udp"
    volumes:
      - etc:/etc/bind
      - lib:/var/lib/bind
      - cache:/var/cache/bind
volumes:
  etc:
    driver: local
    driver_opts:
      device: "./etc"
      type: none
      o: bind
  lib:
    driver: local
    driver_opts:
      device: "./lib"
      type: none
      o: bind
  cache:
    driver: local
    driver_opts:
      device: "./cache"
      type: none
      o: bind
- or you can also run
docker run --rm -it --name bind9 \
    -e TZ=UTC \
    -p 10053:53 -p 10053:53/udp \
    -v ./etc:/etc/bind \
    -v ./lib:/var/lib/bind \
    -v ./cache:/var/cache/bind \
    ubuntu/bind9:9.20-24.10_edge \
    docker-entrypoint.sh -4
- on another terminal, "dig google.com @127.0.0.1 -p 10053"
- to exit, press ctrl-c on the docker / docker compose terminal
- to listen on your ip address port 53, replace "10053:53" with
"your_ip_address:53:53", e.g. "192.168.25.156:53:53". note that you will also
need to edit named.conf to allow queries from that subnet
--
Fajar
On Mon, Dec 30, 2024 at 1:27 AM Pablo Andalaft Tarodo
wrote:
> Hi all,
>
>
> Thanks for taking the time. I've been spending many hours on this, to no
> solution. But, some things that may shine more light:
>
> When the container is stuck restarting, the error, aside from exit code
> 1, is "user 'bind' is not recognised" or something similar, and checking
> the container entrypoint "/usr/sbin/named -u bind -f -c
> /etc/bind/named.conf", it tries to use the user "bind" to start "named",
> but this user is present in the base image (checking /etc/passwd)...
>
> For a long time I wasn't able to find other logs and I resorted to using
> a Dockerfile to see if I could control more steps for the image, no help.
>
> So I started off with what works, running a container directly from the
> image (doesn't get stuck restarting), and copying the files to it
> `docker container cp /config/named.conf
> :/etc/bind/named.conf` etc., and finally exec'ing into
> the container's shell and launching `/usr/sbin/named -u bind -f -g -c
> /etc/bind/named.conf`, this showed me that there were some errors in the
> config (thanks for the -g heads up), that I could address.
>
> However through docker compose, I still get the "named: user 'bind'
> unknown" error.
>
>
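
Fajar's last step says named.conf must also allow queries from the LAN once the port is published on a real address. The following is an added example, not part of the original message, of that edit: it limits queries and recursion to the subnet so the resolver does not answer everyone who can reach port 53. The /24 mask (inferred from the sample address 192.168.25.156) and the acl name are assumptions.

```conf
// Added example, not from the thread.
// Assumption: the LAN is 192.168.25.0/24 and named runs as a recursive
// resolver, as in the minimal named.conf in the message above.

acl "lan-clients" {
    192.168.25.0/24;   // assumption: the subnet the published port serves
    localhost;         // queries issued from inside the container itself
};

options {
    directory "/var/cache/bind";

    // Carried over unchanged from the minimal config in the message above.
    dnssec-validation no;

    // Inside the container named listens on the container's own address;
    // the host-side binding is done by "192.168.25.156:53:53" in compose.yml.
    listen-on { any; };
    listen-on-v6 { none; };   // consistent with the "-4" passed to the entrypoint

    recursion yes;

    // Answer, recurse and serve cached data only for the listed clients.
    allow-query       { "lan-clients"; };
    allow-recursion   { "lan-clients"; };
    allow-query-cache { "lan-clients"; };
};
```

Running named-checkconf on the file validates the syntax before a restart. Depending on how Docker publishes the port, named can see the bridge gateway address instead of the real client address, so confirm the source addresses in named's log before relying on the acl.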
Re: Docker Compose Setup with ISC/Bind9 Image
You have the error message. Cut and paste it from the logs and post it here. Saying there is something to do with the user ‘bind’ when you have an actual error message is wasting everyone’s time.

--
Mark Andrews

> On 30 Dec 2024, at 05:27, Pablo Andalaft Tarodo wrote:
>
> Hi all,
>
> Thanks for taking the time. I've been spending many hours on this, to no
> solution. But, some things that may shine more light:
>
> When the container is stuck restarting, the error, aside from exit code 1, is
> "user 'bind' is not recognised" or something similar, and checking the
> container entrypoint "/usr/sbin/named -u bind -f -c /etc/bind/named.conf", it
> tries to use the user "bind" to start "named", but this user is present in
> the base image (checking /etc/passwd)...
>
> For a long time I wasn't able to find other logs and I resorted to using a
> Dockerfile to see if I could control more steps for the image, no help.
>
> So I started off with what works, running a container directly from the image
> (doesn't get stuck restarting), and copying the files to it `docker container
> cp /config/named.conf :/etc/bind/named.conf` etc., and
> finally exec'ing into the container's shell and launching `/usr/sbin/named -u
> bind -f -g -c /etc/bind/named.conf`, this showed me that there were some
> errors in the config (thanks for the -g heads up), that I could address.
>
> However through docker compose, I still get the "named: user 'bind' unknown"
> error.
>
> Regards,
>
> Pablo
>
> >> On 29/12/2024 10:11, Johannes Kastl wrote:
> >> Hi Pablo,
> >>
> >>> On 27.12.24 21:17 Pablo wrote:
> >>>
> >>> This is my docker-compose.yml (my start command has to be sudoed for
> >>> some reason, Debian 12 machine: sudo docker compose up -d):
> >> Guess: Your user is not part of the docker group?
> >>
> >> Side note: I avoid docker and use (rootless) podman instead, which can
> >> be used as a backend for docker compose.
> >>
> >>> services:
> >>>   bind9:
> >>>     image: internetsystemsconsortium/bind9:9.20
> >> For some reason the official container image logs to a file instead of
> >> stdout. It logs to /var/log/bind/default.log by default.
> >>
> >> You have mounted the log directory to /var/log/named instead:
> >>
> >>>     volumes:
> >>>       - ./config:/etc/bind
> >>>       - ./cache:/var/cache/bind
> >>>       - ./zones:/var/lib/bind
> >>>       - ./log:/var/log/named
> >> Try changing that to /var/log/bind/. Then you should be able to check
> >> the log file for errors.
> >>
> >> Did you check the docker compose logs for your bind9 service?
> >>
> >> Kind Regards,
> >> Johannes
Re: Docker Compose Setup with ISC/Bind9 Image
Hi all,

Thanks for taking the time. I've been spending many hours on this, to no solution. But, some things that may shine more light:

When the container is stuck restarting, the error, aside from exit code 1, is "user 'bind' is not recognised" or something similar, and checking the container entrypoint "/usr/sbin/named -u bind -f -c /etc/bind/named.conf", it tries to use the user "bind" to start "named", but this user is present in the base image (checking /etc/passwd)...

For a long time I wasn't able to find other logs and I resorted to using a Dockerfile to see if I could control more steps for the image, no help.

So I started off with what works, running a container directly from the image (doesn't get stuck restarting), and copying the files to it `docker container cp /config/named.conf :/etc/bind/named.conf` etc., and finally exec'ing into the container's shell and launching `/usr/sbin/named -u bind -f -g -c /etc/bind/named.conf`, this showed me that there were some errors in the config (thanks for the -g heads up), that I could address.

However through docker compose, I still get the "named: user 'bind' unknown" error.

Regards,

Pablo

On 29/12/2024 10:11, Johannes Kastl wrote:
> Hi Pablo,
>
> On 27.12.24 21:17 Pablo wrote:
>> This is my docker-compose.yml (my start command has to be sudoed for
>> some reason, Debian 12 machine: sudo docker compose up -d):
> Guess: Your user is not part of the docker group?
>
> Side note: I avoid docker and use (rootless) podman instead, which can
> be used as a backend for docker compose.
>
>> services:
>>   bind9:
>>     image: internetsystemsconsortium/bind9:9.20
> For some reason the official container image logs to a file instead of
> stdout. It logs to /var/log/bind/default.log by default.
>
> You have mounted the log directory to /var/log/named instead:
>
>>     volumes:
>>       - ./config:/etc/bind
>>       - ./cache:/var/cache/bind
>>       - ./zones:/var/lib/bind
>>       - ./log:/var/log/named
> Try changing that to /var/log/bind/. Then you should be able to check
> the log file for errors.
>
> Did you check the docker compose logs for your bind9 service?
>
> Kind Regards,
> Johannes
Re: Docker Compose Setup with ISC/Bind9 Image
Hi Pablo,

On 27.12.24 21:17 Pablo wrote:
> This is my docker-compose.yml (my start command has to be sudoed for
> some reason, Debian 12 machine: sudo docker compose up -d):

Guess: Your user is not part of the docker group?

Side note: I avoid docker and use (rootless) podman instead, which can be used as a backend for docker compose.

> services:
>   bind9:
>     image: internetsystemsconsortium/bind9:9.20

For some reason the official container image logs to a file instead of stdout. It logs to /var/log/bind/default.log by default.

You have mounted the log directory to /var/log/named instead:

>     volumes:
>       - ./config:/etc/bind
>       - ./cache:/var/cache/bind
>       - ./zones:/var/lib/bind
>       - ./log:/var/log/named

Try changing that to /var/log/bind/. Then you should be able to check the log file for errors.

Did you check the docker compose logs for your bind9 service?

Kind Regards,
Johannes
Re: Docker Compose Setup with ISC/Bind9 Image
I agree with the others, does it run standalone without docker complicating things. I suggest running with -g option too to keep it in the foreground and log to your terminal session.

Happy hunting,
Stace

Sent from Gmail Mobile

On Sat, 28 Dec 2024 at 12:22, Darren Ankney wrote:
> Hi Pablo,
>
> There is an official BIND docker image that might be useful?
>
> https://hub.docker.com/r/internetsystemsconsortium/bind9
>
> And yes - I agree with Michael. It is important to check the startup
> logs for named to see why it wouldn't run.
>
> Thank you,
> Darren Ankney
>
> On Fri, Dec 27, 2024 at 9:28 PM Michael Richardson wrote:
> >
> > If it doesn't work without docker, then it probably won't work with Docker.
> > Probably all the clue you need is in the log files. Did you read them?
> >
> > --
> > ] Never tell me the odds! | ipv6 mesh networks [
> > ] Michael Richardson, Sandelman Software Works | IoT architect [
> > ] [email protected] http://www.sandelman.ca/ | ruby on rails [
Re: Docker Compose Setup with ISC/Bind9 Image
Hi Pablo,

There is an official BIND docker image that might be useful?

https://hub.docker.com/r/internetsystemsconsortium/bind9

And yes - I agree with Michael. It is important to check the startup logs for named to see why it wouldn't run.

Thank you,
Darren Ankney

On Fri, Dec 27, 2024 at 9:28 PM Michael Richardson wrote:
>
> If it doesn't work without docker, then it probably won't work with Docker.
> Probably all the clue you need is in the log files. Did you read them?
>
> --
> ] Never tell me the odds! | ipv6 mesh networks [
> ] Michael Richardson, Sandelman Software Works | IoT architect [
> ] [email protected] http://www.sandelman.ca/ | ruby on rails [
Re: Docker Compose Setup with ISC/Bind9 Image
If it doesn't work without docker, then it probably won't work with Docker.
Probably all the clue you need is in the log files. Did you read them?

--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | IoT architect [
] [email protected] http://www.sandelman.ca/ | ruby on rails [

