I'm trying to set up ssl for my home network and I've set up a bind9 container with a custom domain that points to my unraid server. So far so good. I've also set up a private step-ca certificate authority which needs it's dns set to the bind9 container so that it knows about my private domain. The setup works if I set the dns of the step container to the internal docker ip address of the bind container but since these ip addresses are ephemeral I can't rely on that hence why I'm binding the bind9 ip address to something within 192.168.0.1/24 and accessing it there. This works if I set the dns server of my pc to the bind9 container but I am unable to do so for other docker containers for some reason

in short, step-ca and my proxy traefik need their dns set to bind9 which I want to have set up with a static ip address on the 192.168.0.1/24 subnet. traefik also needs to be able to talk to containers on the bridge network br0 otherwise it won't be able to proxy requests to the containers

CodePudding user response：

The addresses of your containers don't need to be ephemeral. We can set up a custom network using the networks top-level element that defines a static range for the network using the ipam option, and then we can assign our containers static address on this network.

We can use the dns option to configure containers to use the bind9 container for name resolution.

Here's an example docker-compose.yaml that sets up a bind9 container and a couple of additional containers that will use it for DNS:

version: "3"

services:
  bind9:
    image: docker.io/internetsystemsconsortium/bind9:9.19
    volumes:
      - "./bind:/etc/bind"
      - bind9_cache:/var/cache/bind
      - bind9_log:/var/log
      - bind9_lib:/var/lib/bind
    networks:
      bind9:
        ipv4_address: 192.168.133.10

  web1:
    image: docker.io/alpinelinux/darkhttpd:latest
    networks:
      bind9:
        ipv4_address: 192.168.133.20
    dns: 192.168.133.10

  web2:
    image: docker.io/alpinelinux/darkhttpd:latest
    networks:
      bind9:
        ipv4_address: 192.168.133.21
    dns: 192.168.133.10

networks:
  bind9:
    ipam:
      driver: default
      config:
        - subnet: 192.168.133.0/24
          gateway: 192.168.133.1

volumes:
  bind9_cache:
  bind9_lib:
  bind9_log:

In in the bind directory, I have bind configured to serve the following zonefile:

$TTL    604800
@   IN  SOA docker.example. root.docker.example. (
                  2     ; Serial
             604800     ; Refresh
              86400     ; Retry
            2419200     ; Expire
             604800 )   ; Negative Cache TTL
;
@   IN  NS  ns.docker.example.
ns  IN  A   192.168.133.10
web1    IN  A   192.168.133.20
web2    IN  A   192.168.133.21
web IN  A   192.168.133.20
web IN  A   192.168.133.21

From either the web1 or web2 containers, we can confirm that they are using our bind instance for name resolution:

/ $ wget -O- web1.docker.example:8080
Connecting to web1.docker.example:8080 (192.168.133.20:8080)
writing to stdout
<html>
.
.
.
</html>

Recall that docker-compose is just a fancy wrapper for docker run, so you can accomplish the same thing without using docker-compose (although it will of course make life much easier).

If you need to access the bind9 container, you would of course just publish the appropriate ports on your host by adding the necessary ports section to the compose configuration (or by using the --publish/-p option on the docker run command line):

  bind9:
    image: docker.io/internetsystemsconsortium/bind9:9.19
    ports:
      - "53:53/udp"
      - "53:53/tcp"
    volumes:
      - "./bind:/etc/bind"
      - bind9_cache:/var/cache/bind
      - bind9_log:/var/log
      - bind9_lib:/var/lib/bind
    networks:
      bind9:
        ipv4_address: 192.168.133.10