TECHLOGICS

An annex of HYLOGICS. Mainly technical entries such as work notes and gadget reviews.

[Memo] Migrating the internal DNS to Alpine Linux

Background

Last time, I built bind in a CentOS container.

tech.hylogics.com

It runs without problems, but package management is a hassle and the build keeps me waiting a bit, so I decided to rebuild it on Alpine Linux.

Configuration files

From this time on, docker-compose is used.

$ cat Dockerfile
# hylogics/bind:alpine-latest
FROM docker.io/alpine
RUN apk update && apk add bind tzdata --no-cache
RUN cp /usr/share/zoneinfo/Asia/Tokyo /etc/localtime
EXPOSE 53/udp

$ cat docker-compose.yml
version: '3'
services:
  bind:
    image: "hylogics/bind:alpine-latest"
    container_name: "bind"
    ports:
      - "53:53/udp"
    volumes:
      - "/home/docker/app/hylogics/conf/bind-alpine/named.conf:/etc/bind/named.conf"
      - "/home/docker/app/hylogics/conf/bind-alpine/master:/etc/bind/master"
    logging:
      driver: "json-file"
    command: "/usr/sbin/named -c /etc/bind/named.conf -u named -g"
    restart: always

$ cat conf/bind-alpine/named.conf
// Copy this file to /etc/bind/named.conf if you want to run bind as an
// authoritative nameserver. If you want to run a recursive DNS resolver
// instead, see /etc/bind/named.conf.recursive.
//
// BIND supports using the same daemon as both authoritative nameserver and
// recursive resolver; it supports this because it is the oldest and original
// nameserver and so was designed before it was realized that combining these
// functions is inadvisable.
//
// In actual fact, combining these functions is a very bad idea. It is thus
// recommended that you run a given instance of BIND as either an authoritative
// nameserver or recursive resolver, not both. The example configuration herein
// provides a secure starting point for running an authoritative nameserver.

options {
        directory "/var/bind";

        // Configure the IPs to listen on here.
        listen-on { any; };
        listen-on-v6 { none; };

        // If you want to allow only specific hosts to use the DNS server:
        allow-query {
              127.0.0.1; 192.168.0.0/16; 172.16.0.0/12;
        };

        // Specify a list of IPs/masks to allow zone transfers to here.
        //
        // You can override this on a per-zone basis by specifying this inside a zone
        // block.
        //
        // Warning: Removing this block will cause BIND to revert to its default
        //          behaviour of allowing zone transfers to any host (!).
        allow-transfer {
                none;
        };

        // If you have problems and are behind a firewall:
        //query-source address * port 53;

        pid-file "/var/run/named/named.pid";

        // Changing this is NOT RECOMMENDED; see the notes above and in
        // named.conf.recursive.
        allow-recursion { none; };
        recursion no;
};

// Example of how to configure a zone for which this server is the master:
//zone "example.com" IN {
//      type master;
//      file "/etc/bind/master/example.com";
//};


// You can include files:
//include "/etc/bind/example.conf";

Key points

  • Package management is apk.
  • Unlike Debian, setting the environment variable does not switch the time zone to JST.
  • The IP address is not pinned, so listen-on { any; };
  • Logs are not managed. Having them land in syslog would be a nuisance, so set logging: driver: "json-file".
  • Don't forget auto-restart: restart: always.

Comparison before and after the migration

$ docker images
REPOSITORY            TAG                 IMAGE ID            CREATED             SIZE
hylogics/bind            alpine-latest       9eb702c23ae4        13 minutes ago      11.5 MB
hylogics/bind            centos-latest       9196e1cd1424        2 hours ago         269 MB

Disk space went from 269MB to 11.5MB, about 250MB lighter.

$ docker-compose -f docker-compose.test.yml up -d
Creating bind ... done

$ free -h
              total        used        free      shared  buff/cache   available
Mem:           3.7G        165M        3.2G        8.5M        297M        3.3G
Swap:          2.0G          0B        2.0G

$ docker-compose -f docker-compose.production.yml up -d
Creating bind ... done

$ free -h
              total        used        free      shared  buff/cache   available
Mem:           3.7G        171M        3.2G        8.5M        298M        3.3G
Swap:          2.0G          0B        2.0G

Memory usage also dropped slightly.