镜像制作
1.1 下载镜像
docker pull centos:centos7.9.2009
1.2 运行容器
[root@localhost ~]# docker run -d \
--privileged \
--name=bind9 \
--restart=always \
-p 53:53/udp \
-p 53:53/tcp \
-v /data/bind9:/etc/bind \
-v /sys/fs/cgroup:/sys/fs/cgroup \
centos:centos7.9.2009 /usr/sbin/init
# 查看容器日志
[root@localhost ~]# docker logs bind9
# 进入容器查看
[root@localhost ~]# docker exec -it bind9 bash
# 步骤七: 查看容器运行情况
root@ubuntu-vm1:/data/bind9# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
3e12e7dd4439 centos:centos7.9.2009 "/usr/sbin/init" 42 seconds ago Up 41 seconds 0.0.0.0:53->53/tcp, 0.0.0.0:53->53/udp, :::53->53/tcp, :::53->53/udp bind9
1.3 部署named服务
# 1. 进入容器查看
[root@localhost ~]# docker exec -it bind9 bash
# 2. 关闭SELinux与防火墙
[root@localhost ~]# setenforce 0
[root@localhost ~]# systemctl stop firewalld
# 永久关闭
[root@localhost ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
[root@localhost ~]# systemctl disable firewalld
# 3. yum 安装DNS服务
[root@localhost ~]# yum install -y bind* vim*
# 查看bind是否完成
[root@localhost yum.repos.d]# rpm -aq |grep bind
# 状态管理
systemctl enable named --now
systemctl status named
systemctl stop named
systemctl start named
systemctl restart named
1.4 配置文件
1.4.1 named.conf
# 在docker容器中执行
$. cp /etc/named.conf /etc/named.conf-bak
$. vi /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
// listen-on port 53 { 127.0.0.1; };
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
//allow-query { localhost; };
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
forward first;
forwarders { 8.8.8.8; };
dnssec-enable no;
dnssec-validation no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
// mine
include "/etc/bind/named.zones";
1.4.2 named.zones
# 宿主机中
[root@localhost ~]# cd /data/bind9
[root@localhost ~]# vi named.zones
// named.zones文件内容如下:
zone "lpf-test.com" IN {
type master;
file "/etc/bind/lpf-test.com.hosts";
};
zone "31.168.192.in-addr.arpa" IN {
type master;
file "/etc/bind/lpf-test.com.back";
};
1.4.3 lpf-test.com.hosts, lpf-test.com.back
[root@localhost ~]# cd /data/bind9/zones
[root@localhost ~]# vi lpf-test.com.hosts
$TTL 1D
@ IN SOA @ root.lpf-test.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ NS dns.lpf-test.com.
@ IN A 192.168.31.85
* IN A 192.168.31.85
[root@localhost ~]# vi lpf-test.com.back
$TTL 1D
@ IN SOA @ root.lpf-test.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS dns.lpf-test.com.
100 IN PTR dns.lpf-test.com
101 IN PTR www.lpf-test.com
102 IN PTR smb.lpf-test.com
103 IN PTR ftp.lpf-test.com
1.4.4 步骤四:检查
root@my-ubuntu-vm1:~# docker exec -it bind9 bash
# 查看状态
root@8d4b47ea885c:/# service named status
root@8d4b47ea885c:/# service named restart
root@8d4b47ea885c:/# service named status
$. named-checkconf -z "$NAMEDCONF"
$. named-checkconf /etc/named.conf
# 检查主配置文件:
[root@localhost ~]# named-checkconf
# named-checkzone yourDNS域名和路径
# 检查正向解析文件
[root@localhost ~]# named-checkzone lpf-test.com \
/etc/bind/lpf-test.com.hosts
zone lpf-test.com/IN: loaded serial 0
OK
# 检查反向解析文件:
[root@localhost ~]# named-checkzone \
31.168.192.in-addr.arpa \
/etc/bind/lpf-test.com.back
zone 10.168.192.in-addr.arpa/IN: loaded serial 0
OK
# 问题排查
journalctl -xefu named
journalctl -xefu docker
journalctl -u named
1.4.5 开机启动执行
# 容器中执行如下命令
chmod +x /etc/rc.d/rc.local
vi /etc/rc.d/rc.local
# 添加如下内容
mkdir -p /etc/bind
cp -p /opt/* /etc/bind
1.5 打包镜像
# 打包镜像
docker commit -p \
-a "langpf" \
-m "centos7.9.2009, bind-9.11.4" \
d46d528d2f97 centos/bind9:9.11.4-26
# 推送到本地仓库
1)
docker tag centos/bind9:9.11.4-26 \
k8s-harbor.com/my-project/centos-bind9:9.11.4-26
2)
docker login \
https://k8s-harbor.com/harbor/projects \
-u admin -p Harbor12345
3)
docker push k8s-harbor.com/my-project/centos-bind9:9.11.4-26
问题处理
问题:
在docker中启动服务报错:
New main PID 547 does not belong to service,
and PID file is not owned by root. Refusing.
解决:
挂载宿主机 cgroup目录,启动时加上 -v /sys/fs/cgroup:/sys/fs/cgroup
完整启动命令如下:
docker run -itd --name=ldap --privileged=true \
-v /sys/fs/cgroup:/sys/fs/cgroup \
-p 80:80 -p 389:389 centos:7 /usr/sbin/init
