sameersbn / docker-bind

Dockerize BIND DNS server with webmin for DNS administration

License: MIT License

Makefile 0.97% Shell 81.01% Dockerfile 18.02%
docker docker-image containers bind dns

docker-bind's Introduction

sameersbn/bind:9.16.1-20200524

Introduction

Dockerfile to create a Docker container image for BIND DNS server bundled with the Webmin interface.

BIND is open source software that implements the Domain Name System (DNS) protocols for the Internet. It is a reference implementation of those protocols, but it is also production-grade software, suitable for use in high-volume and high-reliability applications.

Contributing

If you find this image useful here's how you can help:

  • Send a pull request with your awesome features and bug fixes
  • Help users resolve their issues.
  • Support the development of this image with a donation

Issues

Before reporting your issue please try updating Docker to the latest version and check if it resolves the issue. Refer to the Docker installation guide for instructions.

SELinux users should try disabling SELinux using the command setenforce 0 to see if it resolves the issue.

If the above recommendations do not help then report your issue along with the following information:

  • Output of the docker version and docker info commands
  • The docker run command or docker-compose.yml used to start the image. Mask out the sensitive bits.
  • Please state if you are using Boot2Docker, VirtualBox, etc.

Getting started

Installation

Automated builds of the image are available on Dockerhub and are the recommended method of installation.

Note: Builds are also available on Quay.io

docker pull sameersbn/bind:9.16.1-20200524

Alternatively you can build the image yourself.

docker build -t sameersbn/bind github.com/sameersbn/docker-bind

Quickstart

Start BIND using:

docker run --name bind -d --restart=always \
  --publish 53:53/tcp --publish 53:53/udp --publish 10000:10000/tcp \
  --volume /srv/docker/bind:/data \
  sameersbn/bind:9.16.1-20200524

Alternatively, you can use the sample docker-compose.yml file to start the container using Docker Compose.

When the container is started, the Webmin service is also started and is accessible from the web browser at https://localhost:10000. Log in to Webmin with the username root and password password. Specify --env ROOT_PASSWORD=secretpassword on the docker run command to set a password of your choosing.

The launch of Webmin can be disabled by adding --env WEBMIN_ENABLED=false to the docker run command. Note that the ROOT_PASSWORD parameter has no effect when the launch of Webmin is disabled.

Read the blog post Deploying a DNS Server using Docker for an example use case.

Command-line arguments

You can customize the launch command of the BIND server by specifying arguments to named on the docker run command. For example, the following command prints the help menu of the named command:

docker run --name bind -it --rm \
  --publish 53:53/tcp --publish 53:53/udp --publish 10000:10000/tcp \
  --volume /srv/docker/bind:/data \
  sameersbn/bind:9.16.1-20200524 -h

Persistence

For BIND to preserve its state across container shutdown and startup, you should mount a volume at /data.

The Quickstart command already mounts a volume for persistence.

SELinux users should update the security context of the host mountpoint so that it plays nicely with Docker:

mkdir -p /srv/docker/bind
chcon -Rt svirt_sandbox_file_t /srv/docker/bind

Reverse Proxying

If you need to run Webmin behind a reverse-proxy such as Nginx, you can tweak the following environment variables:

  • WEBMIN_INIT_SSL_ENABLED: If Webmin should be served via SSL or not. Defaults to true. If you do the SSL termination at an earlier stage, set this to false.

  • WEBMIN_INIT_REDIRECT_PORT: The port Webmin is served from. Set this to your reverse proxy port, such as 443. Defaults to 10000.

  • WEBMIN_INIT_REFERERS: Sets the allowed referrers to Webmin. Set this to your domain name of the reverse proxy. Example: mywebmin.example.com. Defaults to empty (no referrer).

Maintenance

Upgrading

To upgrade to newer releases:

  1. Download the updated Docker image:
docker pull sameersbn/bind:9.16.1-20200524
  2. Stop the currently running image:
docker stop bind
  3. Remove the stopped container:
docker rm -v bind
  4. Start the updated image:
docker run --name bind -d \
  [OPTIONS] \
  sameersbn/bind:9.16.1-20200524

Shell Access

For debugging and maintenance purposes you may want to access the container's shell. If you are using Docker version 1.3.0 or higher, you can access a running container's shell by starting bash using docker exec:

docker exec -it bind bash

docker-bind's People

Contributors

acaranta, eludom, sameersbn, satyadeep, seth-miller, sizasl, stevesbrain, utkuozdemir

docker-bind's Issues

Rereading zone files without...

I was wondering if you have a way to reread the zone files on a running bind container without webmin -> our zone files are managed in a git repo and installed with a Makefile. Currently we restart bind.

I would like to just do a command line to tell the bind container to reread. I thought I would ask you to see if you had done something like that or had any ideas before I set out to compose a way. Thanks!

Question about squid on kubernetes

Random question: did you have to do anything special in your squid.conf to get it to work on kubernetes? I'm able to see my traffic in the access log, but I'm not able to deny any sites.

Setup docker bind to allow a selenium container to see an nginx container.

Hi.

I'll say straight away, I don't know or understand bind and/or linux networking.

My requirement is to have the browser that runs inside a selenium container have access to an nginx server running in another container. We are using selenium for some of our automated testing and am trying to make things a little simpler for the developers who need to build and run the end-to-end testing.

It sounds simple enough. But I don't even know how to ask the question properly.

Currently (without the bind container), we have to manually add every domain and subdomain to the links section in our docker-compose.yml file for the nginx service for the browser inside the selenium container to see things.

This would be great, but we want to use a wildcard subdomain sort of thing, so any subdomain of test.local (for example) would be sent to the nginx container, where nginx picks up the request and uses PHP-FPM to handle it. The PHP code deals with extracting the right processing for the subdomain. A multi-tenanted application with subdomain partitioning. Not particularly unusual.

How to work with docker-machine

Hi, thanks for your effort on working this project.

I got the following error from running this container using docker-machine created docker-engine.

I am using MacOS, and docker-machine to create my docker environment(boot2docker with virtualbox)

my boot2docker's ip is 192.168.99.100

I got this container running on 172.17.0.2(got this info from docker inspect bind)

I can do nslookup www.google.com 172.17.0.2

But If I do it on my mac nslookup www.google.com 192.168.99.100

I got this

Server:     192.168.99.100
Address:    192.168.99.100#53

** server can't find www.google.com: REFUSED

Do you have any idea how to resolve this?

driver failed programming external connectivity on endpoint bind

docker run -d --name=bind --dns=127.0.0.1 --publish=172.17.42.1:53:53/udp --publish=172.17.42.1:10000:10000 --volume=/srv/docker/bind:/data --env='ROOT_PASSWORD=SecretPassword' sameersbn/bind:latest
WARNING: Localhost DNS setting (--dns=127.0.0.1) may fail in containers.
Unable to find image 'sameersbn/bind:latest' locally
latest: Pulling from sameersbn/bind
Digest: sha256:e15a826c3ded4ea696717fde612f88c5bf205c6bccbb1df67678631496d8b803
Status: Downloaded newer image for sameersbn/bind:latest
b65c626e422aef6ba21f4bfe38d6bd69795ea1090e8f170833e17e938ce00825
docker: Error response from daemon: driver failed programming external connectivity on endpoint bind (46ab9155dd1cdf9c0d5ba344a2d23840171eaff94a57e82a4dca8ee58bf64663): Error starting userland proxy: listen tcp 172.17.42.1:10000: bind: cannot assign requested address.

any ideas ?

Recursive Queries are not supported by default

As of BIND 9.4.1-P1, new options have become available (and are required) to allow recursive DNS entries as explained by this ISC article. Therefore, after this container is started, it will not allow clients outside of the host to do recursive DNS entries with the current configuration.

Expected Behavior:
After the container is started with the default, included config, this server will be able to resolve recursive DNS entries from other clients on the network as implied by this example article.

Actual Behavior:
The server responds with this message to the client:
** server can't find google.com: REFUSED
The logs on the client read:
client 192.168.2.202#64300 (google.com): query (cache) 'google.com/A/IN' denied
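
The REFUSED responses in the issue above follow from BIND's default recursion ACL, localnets; localhost;, which inside a container covers only the Docker bridge network. The following is an added example (not part of the issue or of the project's code): a simplified Python model of that ACL evaluation over constructed named.conf fragments, which also flags a configuration that would act as an open resolver. The container interface addresses, the ACL name trusted and the three sample configs are assumptions.

```python
import ipaddress
import re

# Constructed named.conf fragments (assumptions, not taken from the image).
DEFAULT_CONF = '''
options {
    directory "/var/cache/bind";   // no allow-* statements: BIND defaults apply
};
'''
SCOPED_CONF = '''
acl trusted { 192.168.0.0/16; localnets; localhost; };
options {
    recursion yes;
    allow-query { any; };
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
};
'''
OPEN_CONF = '''
options { recursion yes; allow-recursion { any; }; };
'''
# Assumed addresses of named inside a container on Docker's default bridge.
CONTAINER_IFACES = ["127.0.0.1/8", "172.17.0.2/16"]


def parse_named_conf(text):
    """Extract acl definitions and the recursion-related options."""
    text = re.sub(r"/\*.*?\*/|//[^\n]*|#[^\n]*", "", text, flags=re.S)

    def split(body):
        return [e.strip() for e in body.split(";") if e.strip()]

    acls = {name: split(body) for name, body in
            re.findall(r'\bacl\s+"?([\w.-]+)"?\s*\{([^{}]*)\}', text)}
    opts = {}
    for key in ("allow-query", "allow-recursion", "allow-query-cache"):
        m = re.search(r"(?<![\w-])%s\s*\{([^{}]*)\}" % key, text)
        if m:
            opts[key] = split(m.group(1))
    m = re.search(r"(?<![\w-])recursion\s+(yes|no)\s*;", text)
    recursion = (m.group(1) == "yes") if m else True  # BIND default: yes
    return acls, opts, recursion


def effective_recursion_acl(opts):
    """allow-recursion falls back to allow-query-cache, then allow-query,
    then the built-in default of { localnets; localhost; }."""
    for key in ("allow-recursion", "allow-query-cache", "allow-query"):
        if key in opts:
            return opts[key]
    return ["localnets", "localhost"]


def acl_match(client, elements, acls, ifaces):
    """First matching element decides; a negated match rejects."""
    ip = ipaddress.ip_address(client)
    for el in elements:
        negated, name = el.startswith("!"), el.lstrip("! ")
        if name == "none":
            return False
        if name == "any":
            hit = True
        elif name == "localhost":      # the server's own addresses
            hit = any(ip == i.ip for i in ifaces)
        elif name == "localnets":      # networks the server has an interface on
            hit = any(ip in i.network for i in ifaces)
        elif name in acls:             # reference to a named acl
            hit = acl_match(client, acls[name], acls, ifaces)
        else:                          # literal address or CIDR prefix
            hit = ip in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negated
    return False


def recursion_allowed(conf, client, iface_cidrs=CONTAINER_IFACES):
    """Would named, configured with conf, recurse for this client address?"""
    acls, opts, recursion = parse_named_conf(conf)
    if not recursion:
        return False
    ifaces = [ipaddress.ip_interface(c) for c in iface_cidrs]
    return acl_match(client, effective_recursion_acl(opts), acls, ifaces)


def is_open_resolver(conf, probe="203.0.113.10"):
    """True when an arbitrary outside address (TEST-NET-3) may recurse."""
    return recursion_allowed(conf, probe)


if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_CONF), ("scoped", SCOPED_CONF),
                        ("open", OPEN_CONF)):
        for client in ("172.17.0.1", "192.168.2.202", "203.0.113.10"):
            verdict = "allowed" if recursion_allowed(conf, client) else "REFUSED"
            print(f"{label:8} {client:15} {verdict}")
```

Scoping allow-recursion to the networks that actually need it, as in the constructed SCOPED_CONF, resolves the REFUSED case without turning the container into an open resolver.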

Slave Zones Can't Create

It appears when you create a slave zone, they never fill with content as they cannot perform the necessary zone transfers to complete this.

Logrotate ERROR: No running copy

root@88efec7f40cd:/# squid3 -k rotate
squid: ERROR: No running copy

root@88efec7f40cd:/# cat /var/run/squid3.pid
1

Any ideas?
TIA

the new container which created by sameersbn/squid could not be start.

Hi, I got the sameersbn/squid image, but I need to use my own squid.conf file, so I did this:
$ sudo docker run -i -t sameersbn/squid /bin/bash
I customized /etc/squid3/squid.conf, modified and saved it, and exited. Then I created a new image "squid-new".
$ sudo docker commit squid-new
$ docker run --name squid-d --restart=always --publish 9000:9000 squid-new
In my custom squid.conf, the port is 9000.
But the container is still restarting. It can't be started. Why is this?
So how do I modify the sameersbn/squid image and get it to work?

Support for docker secrets

It would be interesting to read Webmin's root password from a secret file instead from an environment variable as the current version does.

Mounting /data on NFS

I'm trying to mount /data on an NFS mount. The idea is that I can boot up the image from any of my hosts in case one goes down. However, I'm getting the following error:

chown: changing ownership of `/data/bind': Operation not permitted

Looks like the directories are initially created by nobody:nogroup.

Which user is attempting to change the ownership?
Is this because of the docker bridge network?
How can I map /data to my NFS mount?

dig error.

Why do I have to exec into the server and install dnsutils? Shouldn't this be installed from the Dockerfile?

Testing transfer of slave zone from 172.25.0.4 ..
.. from 172.25.0.4 : Failed : Missing dig command

build issue

Hello,

I get this issue when I try to build
(sudo docker build -t sameersbn/bind github.com/sameersbn/docker-bind)
I already installed apt-transport-https (sudo apt-get install apt-transport-https)
I just installed docker

Here is my source.list
deb http://httpredir.debian.org/debian jessie main
deb-src http://httpredir.debian.org/debian jessie main

deb http://httpredir.debian.org/debian jessie-updates main
deb-src http://httpredir.debian.org/debian jessie-updates main

deb http://security.debian.org/ jessie/updates main
deb-src http://security.debian.org/ jessie/updates main

Here is my /etc/apt/sources.list.d/backports.list content
deb http://http.debian.net/debian wheezy-backports main

Get:9 http://archive.ubuntu.com/ubuntu/ trusty-updates/main python2.7-minimal amd64 2.7.6-8ubuntu0.3 [1187 kB]
E: The method driver /usr/lib/apt/methods/https could not be found.
The command '/bin/sh -c rm -rf /etc/apt/apt.conf.d/docker-gzip-indexes && wget http://www.webmin.com/jcameron-key.asc -qO - | apt-key add - && echo "deb http://download.webmin.com/download/repository sarge contrib" >> /etc/apt/sources.list && apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bind9=${BIND_VERSION}* bind9-host=${BIND_VERSION}* webmin=${WEBMIN_VERSION}* && rm -rf /var/lib/apt/lists/*' returned a non-zero code: 100

Allow custom SSL cert

When I run webmin, it looks like it is using an SSL cert generated on the fly.
Is there any way a param can be passed to docker to use a SSL cert that I own?

mv: cannot remove '/etc/bind': Directory not empty

mkdir -p /srv/docker/bind
chcon -Rt svirt_sandbox_file_t /srv/docker/bind

docker run --name bind -d --restart=always --publish 53:53/tcp --publish 53:53/udp --publish 10000:10000/tcp --volume /srv/docker/bind:/data sameersbn/bind:9.9.5-20170626

docker logs -f bind
mv: cannot remove '/etc/bind': Directory not empty
rm: cannot remove '/etc/bind': Directory not empty
rm: cannot remove '/etc/bind': Directory not empty
rm: cannot remove '/etc/bind': Directory not empty
rm: cannot remove '/etc/bind': Directory not empty
rm: cannot remove '/etc/bind': Directory not empty
rm: cannot remove '/etc/bind': Directory not empty

Restarting (1)

Hello

When I run the docker-bind image docker ps says:
Restarting (1) 1 seconds ago

mkdir: cannot create directory '/data/bind': Permission denied

solution:
setenforce 0

Master & Slave docker-bind

Have you setup a master and slave configuration with docker-bind? Been reading about it and it looks fairly easy, but thought I'd ask you first because you always seem to have done it all! Thanks for any info on configuring this.

FATAL: logfileWrite: stdio:/var/log/squid3/access.log: (28) No space left on device

After running for a month, the docker fails because it does not have enough space on the hard disk

docker[1001]: 2016/03/07 11:48:22| Loaded Icons.
docker[1001]: 2016/03/07 11:48:22| HTCP Disabled.
docker[1001]: 2016/03/07 11:48:22| Pinger socket opened on FD 10
docker[1001]: 2016/03/07 11:48:22| Squid plugin modules loaded: 0
docker[1001]: 2016/03/07 11:48:22| Adaptation support is off.
docker[1001]: 2016/03/07 11:48:22| Accepting HTTP Socket connections at local=[::]:8080 remote=[::] FD 8 flags=9
docker[1001]: 2016/03/07 11:48:23| storeLateRelease: released 0 objects
docker[1001]: 2016/03/07 11:48:24| Closing HTTP port [::]:8080
docker[1001]: 2016/03/07 11:48:24| storeDirWriteCleanLogs: Starting...
docker[1001]: 2016/03/07 11:48:24|   Finished.  Wrote 0 entries. 
docker[1001]: 2016/03/07 11:48:24|   Took 0.00 seconds (  0.00 entries/sec).
docker[1001]: FATAL: logfileWrite: stdio:/var/log/squid3/access.log: (28) No space left on device
docker[1001]: 
docker[1001]: 2016/03/07 11:48:24| Closing Pinger socket on FD 10

The host machine has space on its hard drive.

[root@docker ~]# df -h
Filesystem                      Size  Used Avail Use% Mounted on
devtmpfs                         16G     0   16G   0% /dev
tmpfs                            16G   12K   16G   1% /dev/shm
tmpfs                            16G 1000K   16G   1% /run
tmpfs                            16G     0   16G   0% /sys/fs/cgroup
/dev/mapper/fedora_docker-root  123G   19G  104G  16% /
tmpfs                            16G  8,0K   16G   1% /tmp
/dev/cciss/c0d0p1               477M  100M  348M  23% /boot
tmpfs                           3,2G     0  3,2G   0% /run/user/0

DHCP

Possible to add optional DHCP as well? That way the dhcp can sync with BIND

Thanks,

DNS uses both tcp and udp ports

Hi!

It's not always notable, but DNS (and bind as a DNS server) may use the 53/tcp port as well. Usually this happens during zone transfer, when the zone doesn't fit into the UDP packet size. That's not very common, but may happen and lead to unpredictable results. So, please add an EXPOSE 53/tcp entry.

Use the last version BIND9.10 or a way to chose the version

I need to use the last version of BIND statistics in 9.10.X. But your image is using 9.9.5, default version of ubuntu trusty. It would be interesting to upgrade your ubuntu version to xenial, which use bind 9.10.3. Or having an option to choose the BIND version.

Getting a refused with host call

So I was just setting things up and following your blog out on damagehead and I got to the point of testing and this works. Here is the reply:
[srv12 ~]$ host www.google.com 172.17.42.1
Using domain server:
Name: 172.17.42.1
Address: 172.17.42.1#53
Aliases:
www.google.com has address 173.194.33.146
www.google.com has address 173.194.33.145
www.google.com has address 173.194.33.144
www.google.com has address 173.194.33.148
www.google.com has address 173.194.33.147
www.google.com has IPv6 address 2607:f8b0:400a:804::1013

and in the logs:
05-May-2015 18:27:14.370 error (network unreachable) resolving 'www.google.com/A/IN': 2001:7fe::53#53

So I then stop and remove the container and change the run command:
from -> --publish=172.17.42.1:53:53/udp
to -> --publish=53:53/udp

and then start it up again. But this gives me a refused message like:
[srv12 ~]$ host www.google.com 192.168.101.2
Using domain server:
Name: 192.168.101.2
Address: 192.168.101.2#53
Aliases:
Host www.google.com not found: 5(REFUSED)

I tried this coming from other systems as well. The log shows:
05-May-2015 18:08:25.607 client 192.168.101.2#39475 (www.google.com): query (cache) 'www.google.com/A/IN' denied

So I also tried a specific interface with:
--publish=192.168.101.2:53:53/udp
and I get the same result.

Is there some config I need to do to get bind to process the request?

Most if not all are TCP_MISS/200

I've been testing on various sites downloading zip files, and web pages, squid is definitely up and running and routing requests through but

1504359527.880    197 172.17.0.1 TCP_MISS/200 39969 GET http://www.colorado.edu/conflict/peace/download/peace_essay.ZIP - HIER_DIRECT/128.138.129.98 application/zip
1504359558.843    438 172.17.0.1 TCP_CLIENT_REFRESH_MISS/200 39968 GET http://www.colorado.edu/conflict/peace/download/peace_essay.ZIP - HIER_DIRECT/128.138.129.98 application/zip
1504359584.790   1044 172.17.0.1 TCP_MISS/200 523564 GET http://www.colorado.edu/conflict/peace/download/peace_treatment.ZIP - HIER_DIRECT/128.138.129.98 application/zip
1504359598.573   1038 172.17.0.1 TCP_CLIENT_REFRESH_MISS/200 523563 GET http://www.colorado.edu/conflict/peace/download/peace_treatment.ZIP - HIER_DIRECT/128.138.129.98 application/zip

You can see one of the test files I used

another is located here

http://speedtest.tele2.net/

I performed 2 back to back curl tests

curl http://speedtest.tele2.net/100MB.zip --proxy localhost:3128 -o /dev/null

Both cases I saw this in the squid logs

1504359799.758  22379 172.17.0.1 TCP_MISS/200 104857975 GET http://speedtest.tele2.net/100MB.zip - HIER_DIRECT/90.130.70.73 application/zip
1504359862.523  57009 172.17.0.1 TCP_MISS/200 104857975 GET http://speedtest.tele2.net/100MB.zip - HIER_DIRECT/90.130.70.73 application/zip

open tcp port as well

It would be nice to add this:
--publish 53:53/tcp

to the quickstart examples
(took me some time to debug why my tcp calls to update the DNS weren't working)

There does not seem to be a user squid

Hello, I am trying to use docker-squid, but I am running into some issues. I have a custom squid.conf, so I am using the run command:

docker run --name squid-cache -d --restart=always --publish 3128:3128 --volume /opt/squid-proxy/logs:/var/log/squid3 --volume /opt/squid-proxy/squid3/squid.conf:/etc/squid3/squid.conf sameersbn/squid:3.3.8-14

But I am getting this error:

Initializing cache...
FATAL: getpwnam failed to find userid for effective user 'squid'
Squid Cache (Version 3.3.8): Terminated abnormally.
CPU Usage: 0.014 seconds = 0.007 user + 0.007 sys
Maximum Resident Size: 24912 KB
Page faults with physical i/o: 0

I think that means that there is no user named squid, but I'm not 100% sure, so I came here for help.

logs should go to stdout

Instead of writing logs into the docker at /var/logs the logs should emit to stdout and then normal docker logging drivers can handle the logs.

How to use this container for rewriting existing domain's IP

I'm trying to use this container for rewriting an existing domain's IP inside a private network.

My setup is that I have a private network with some machines setup and a router which has an internet accessible public IP. One of these machines is serving some content to the internet under a domain (say example.com) pointing to the public IP, by having a port opened from router to it. The thing is that other machines in the private network also need access to that server. Router however blocks packets originating from inside to access the public IP. So I thought I would use this container as a local DNS server to overwrite that public IP with the local one.

I have setup this container with this docker-compose file:

version: '2'

services:
  bind:
    image: sameersbn/bind:latest
    restart: always
    dns: 8.8.8.8
    logging:
      driver: "json-file"
      options:
        max-size: "200k"
        max-file: "10"
    environment:
        - ROOT_PASSWORD=somepass
    ports:
      - 10000:10000
      - 53:53/udp
    volumes:
      - ./data:/data

and added following ACL and configs to it:

acl localclients {
	192.168.0.0/16;
	172.17.0.0/16;
	localhost;
	localnets;
};

options {
	directory "/var/cache/bind";
	dnssec-validation auto;

	auth-nxdomain no;
	listen-on-v6 { any; };
	listen-on {
		any;
		};

	recursion yes;

	allow-query { any; };
	allow-recursion {
		localclients;
		};
	allow-query-cache { localclients; };
};

Currently, looking up the domain name on docker's host machine (with IP 192.168.1.6) works as expected:

$ nslookup example.com
Server:		192.168.1.6
Address:	192.168.1.64#53

Name:	example.com
Address: 192.168.1.4

But I can't use that for another container:

$ docker run --rm busybox nslookup example.com
Server:    192.168.1.6
Address 1: 192.168.1.6 servername

Name:      example.com
Address 1: 188.15.221.88

where 188.15.221.88 is the public IP. Do I need additional config set on the container?

Webmin hangs on connecting

Webmin just hangs on connecting:

vrogojin@wormhole:~$ wget localhost:10000
converted 'http://localhost:10000' (ANSI_X3.4-1968) -> 'http://localhost:10000' (UTF-8)
--2017-01-07 15:59:56--  http://localhost:10000/
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:10000... connected.
HTTP request sent, awaiting response... 

IT HANGS HERE

Using docker-compose:

bind:
  image: sameersbn/bind:latest
  dns: 127.0.0.1
  environment:
    - ROOT_PASSWORD=SecretPassword
  ports:
   - 10000:10000
   - 53:53/udp
  volumes:
    - ./bind:/data

on Debian Jessie

mv: cannot remove '/etc/bind': Directory not empty

Pulled the latest version using the latest version of docker for centos7

Run by:
docker run --name bind -d \
  --publish 53:53/tcp --publish 53:53/udp --publish 10000:10000/tcp \
  --volume /srv/docker/bind:/data \
  sameersbn/bind

Got this error when starting the container:
mv: cannot remove '/etc/bind': Directory not empty

update to squid 3.5 (latest)

Hi, thx for your amazing containers,

could you please update this one to the last version ?
I'm facing security issues with this one (its a 2013 release ^^" )

chcon -Rt svirt_sandbox_file_t /srv/docker/bind error

Getting this error when I try to run this command on all the mounted files:
chcon: can't apply partial context to unlabeled file 'rndc.conf'

I have also tried with sudo

chcon -Rt svirt_sandbox_file_t /srv/docker/bind

the container won't resolve from outside the container and host

Hello, I followed your guide and installed the docker, but I can't resolve with the DNS container from outside of the container and host (Container IP 172.18.0.2/24; CoreOS/Host [Docker] IP 172.xx.xx.22; TEST-VM 172.xx.xx.88). I only get a refused when I try to resolve any address from the TEST-VM, while when I try from the host it will resolve, but it won't if I ask for the address of the TEST-VM and gives out NXDOMAIN.
The container itself can resolve other containers.

unable to have bind write log to file

Hey. I used Logging and Errors in the webmin interface to add an option to write to a logfile I created. I set permissions to 777 on that file and applied changes with no errors; the file, however, stays empty. Do you have any ideas on how I can resolve this?

Unable to change password

If you create a container and then later try to change the password using the ROOT_PASSWORD variable while mounting the /data directory, you are unable to. Passwd and the change password inside of webmin also do not work.

Container doesn't start.

Container restarts every second.
Docker logs shows only -

Starting webmin...
Client:
 Version:      1.12.3
 API version:  1.24
 Go version:   go1.6.2
 Git commit:   6b644ec
 Built:        Mon, 19 Dec 2016 09:20:48 +1300
 OS/Arch:      linux/amd64

Server:
 Version:      1.12.3
 API version:  1.24
 Go version:   go1.6.2
 Git commit:   6b644ec
 Built:        Mon, 19 Dec 2016 09:20:48 +1300
 OS/Arch:      linux/amd64
Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 2
Server Version: 1.12.3
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 10
 Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host overlay null
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options: apparmor seccomp
Kernel Version: 4.4.0-64-generic
Operating System: Ubuntu 16.04.2 LTS
OSType: linux
Architecture: x86_64
CPUs: 24
Total Memory: 62.88 GiB
Name: hive
ID: Z47Y:UYNW:OMOS:OKCB:5OZQ:6KUR:LXVK:7AOL:EG33:XV6E:NUZE:SM3Z
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: No swap limit support
Insecure Registries:
 127.0.0.0/8
docker run --name bind -d --restart=always \
  --publish 53:53/tcp --publish 53:53/udp --publish 10000:10000/tcp \
  --volume /hive/bind:/data \
  --env='ROOT_PASSWORD=dnspassword!@#' \
  sameersbn/bind:latest

Error when mounting into /etc/bind

To modify the default configuration of bind in the image,
I mount files/folders into the /etc/bind/ directory inside the container.
However, this doesn't seem to work with this bind image:

[...]
rm: cannot remove '/etc/bind/testfile': Device or resource busy
bind[...] exited with code 1

I prepared a repository with a docker-compose.yml for easily reproducing the issue:
https://github.com/strarsis/bind-issue

$ git clone https://github.com/strarsis/bind-issue
$ cd bind-issue
$ docker-compose up

It is possible to mount files/folders into container outside of /etc/bind/ without issues,
bind starts up and runs normally then, but bind config cannot be changed that way though.

Can't access dns server with 'host' command after launching

Hi, after running the container following the tutorial, the host command fails to resolve 'www.google.com'. Also I get an ominous

WARNING: Localhost DNS setting (--dns=127.0.0.1) may fail in containers.

...warning which is not mentioned in the tutorial.

This is how I run the container:

docker run -d --name=bind --dns=127.0.0.1 \
  --publish=172.17.0.1:53:53/udp --publish=172.17.0.1:10000:10000 \
  --volume=/srv/docker/bind:/root/data/bind \
  --env='ROOT_PASSWORD=SecretPassword' \
  sameersbn/bind:latest

This is my version and info for docker:

root@photon-rps-client [ ~ ]# docker version
Client:
 Version:      1.11.0
 API version:  1.23
 Go version:   go1.5.4
 Git commit:   4dc5990
 Built:        Wed Apr 13 19:36:04 2016
 OS/Arch:      linux/amd64

Server:
 Version:      1.11.0
 API version:  1.23
 Go version:   go1.5.4
 Git commit:   4dc5990
 Built:        Wed Apr 13 19:36:04 2016
 OS/Arch:      linux/amd64
root@photon-rps-client [ ~ ]# docker info
Containers: 1
 Running: 1
 Paused: 0
 Stopped: 0
Images: 1
Server Version: 1.11.0
Storage Driver: overlay
 Backing Filesystem: extfs
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins: 
 Volume: local
 Network: bridge null host
Kernel Version: 4.4.8
Operating System: VMware Photon/Linux
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 974.9 MiB
Name: photon-rps-client
ID: CEG3:K7XA:UMDZ:HXR4:YEMV:OOIJ:6HIT:4VEJ:JDMM:YLP4:E3EO:KH5V
Docker Root Dir: /var/lib/docker
Debug mode (client): false
Debug mode (server): false
Registry: https://index.docker.io/v1/

I am running this on Photon OS on Fusion on my Mac:

VMware Photon Linux 1.0
PHOTON_BUILD_NUMBER=13c08b6

Option to disable IPV6

Within the container, bind seems to always assume IPv6 is enabled.
In the logs, it shows error (network unreachable) resolving 'xxx.apple.com/A/IN': 2001:500:3::42#53 when there is no IPv6 support outside the container.

As per http://crashmag.net/disable-ipv6-lookups-with-bind-on-rhel-or-centos it states that IPv6 can be disabled by adding OPTIONS="-4" to /etc/sysconfig/named (on CentOS)

It would be helpful to either expose the appropriate config to /data or have an environment variable that allows it to be disabled.
