Resolve error 'the working directory is not writable' by switching into the /tmp/bind directory before executing the bind process

README.md

@@ -1,6 +1,6 @@
-### ISC BIND9 Container (Stable: 9.14.7_xx) built on top of Alpine
+### ISC BIND9 Container (Stable: 9.16.6_xx) built on top of Alpine
-### Last update: 10-24-19
+### Last update: 8-31-20
-### Latest Stable Docker Tag: 9.14.7-r0
+### Latest Stable Docker Tag: 9.16.6-r0
 
 NOTE: "Last Update" is the date of the latest DockerHub build.
 
@@ -11,20 +11,22 @@ It is ideal for an extremely secure and fast master (authoritative server),
 slave, recursive server/resolver, RPZ "dns firewall", or just
 about any other purpose you can use bind for.
 
-# Security - always on the latest stable BIND release!
+To get started quickly, skip to step "D".
+
+# (A.) Security - always on the latest stable BIND release!
 This container will _always_ be up to date on the latest
 stable+patched version, usually within 24 hours of it being available
 in Alpine. In fact, most of the BIND vulnerabilities so far have been
 reported by me to the Alpine developers.
 
-# How to deploy a Bind (DNS) server?
+# (B.) How to deploy a Bind (DNS) server?
 This container contains everything needed in terms of configuration to
 run as an authoritative server or a recursive resolver/forwarding cacher.
 
 However, the default config permits queries and recursion only from 127.0.0.1 - which will not be too useful :)
 But the assumption is that you will override ```/etc/bind``` with your configs, and ```/var/cache/bind``` with your zones.
 
-# Required "DATA" directory - for configs and zone data:
+# (C.) Required "DATA" directory - for configs and zone data:
 This container assumes you have a "/DATA" folder with with your container specific data.
 (You can change that folder, sub-folders, and file points as needed, but make sure you update the "-v" mounts for the run.)
 
@@ -39,7 +41,7 @@ A "/DATA/var/cache/bind" directory for all of the master or slave zones. If it's
 ```
 
 
-# How to run a BIND ("named") Docker Container?
+# (D.) How to run a BIND ("named") Docker Container?
 
 ## Default Example:
 This is just to test it out - by default only allows queries from
@@ -79,3 +81,93 @@ ventz/bind
 
 Additional options may be passed to the bind daemon via the `OPTIONS` argument, provided as:
 `docker run --env OPTIONS='...'
+
+# (E.) FAQs
+
+## How do I generate an RNDC Key?
+```
+docker run -it --rm --entrypoint "/usr/sbin/rndc-confgen" ventz/bind
+```
+
+Take the portion that looks like this and save to "/etc/bind/rndc.key":
+```
+# Start of rndc.conf
+key "rndc-key" {
+    algorithm hmac-sha256;
+    # Note: the secret will be different, this is just an example
+    secret "zjVC59ehGxbbB6OhYhGaqUTIXu8Imcg3VKzvoMwIMzY=";
+};
+```
+
+## What configuration files do I need to get started?
+
+I highly recommend reading more about bind if this is your question. Here are some useful resources:
+
+* https://www.bind9.net/manuals
+* https://wiki.debian.org/Bind9
+* https://help.ubuntu.com/community/BIND9ServerHowto
+* https://www.zytrax.com/books/dns/ch7/
+* https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-private-network-dns-server-on-ubuntu-18-04
+
+That said, as a bare minimum (and depending on what you want - recursive, authoritative, etc), you need:
+
+[note: all of these are provided in `container/configs` folder]
+
+1.) Main config: `/etc/bind/named.conf`
+
+2.) Options: `/etc/bind/named.conf.options` (note: sane and secure defaults for recursive! If for authoritative, turn off recursive at least!)
+
+3.) Local zones: `/etc/bind/named.conf.local` (for your zone configs if authoritative/slave/etc)
+
+4.) Optional: `/etc/bind/named.conf.rfc1918` (for your RFC1918 "private IP" zone definitions - this is optional, and while recommended, you may comment out the last line in `named.conf.local` that utilizes it)
+
+5.) Optional: `/etc/bind/default-zones` (folder for rfc1918 definitions - not needed if `named.conf.rfc1918` is not used)
+
+## How do I log everything:
+
+1.) Add to your `named.conf`:
+```
+...
+include "/etc/bind/named.conf.logging";
+...
+```
+
+and
+
+2.) Create a file `named.conf.logging` with:
+```
+logging {
+    channel stdout {
+        stderr;
+        severity info;
+        print-category no;
+        print-severity no;
+        print-time yes;
+    };
+	# Customize categories as needed
+    # To log everything, keep at least "default"
+    category security { stdout; };
+    category queries  { stdout; };
+    category dnssec   { stdout; };
+    category xfer-in  { stdout; };
+    category xfer-out { stdout; };
+    category default  { stdout; };
+};
+
+For more information, see: https://www.slideshare.net/MenandMice/bind-9-logging-best-practices
+
+## How do I just change Bind STDERR to STDOUT logging?
+
+There is now a "BIND_LOG" ENV (environment) variable for logging
+
+Environment variables can both have a default and be customized at run time. 
+
+```
+"-g" = (default) Run the server in the foreground and force all logging stderr.
+"-f" = Run the server in the foreground
+```
+
+By default, the "-g" value is set, as that logs all to STDERR.
+You can now override it with "-f" by passing `-e "BIND_LOG=-f"` to `docker run`
+
+

container/Dockerfile

@@ -3,6 +3,11 @@ EXPOSE 53 53/udp
 
 RUN apk --update upgrade && apk add bind bind-tools bind-plugins
 
+# BIND Log Options - you can override at run time
+# "-g" = (default) Run the server in the foreground and force all logging stderr.
+# "-f" = Run the server in the foreground
+env BIND_LOG -g
+
 # /etc/bind needs to be owned by root, group owned by "bind", and chmod 750
 # since we are mounting, do it manually
 # NOTE: Per Dockerfile manual --> need to mkdir the mounted dir to chown
@@ -12,7 +17,7 @@ RUN apk --update upgrade && apk add bind bind-tools bind-plugins
 # NOTE: Per Dockerfile manual --> need to mkdir the mounted dir to chown
 # &
 # Get latest bind.keys
-RUN mkdir -m 0770 -p /etc/bind && chown -R root:named /etc/bind ; \
+RUN mkdir -m 0750 -p /etc/bind && chown -R root:named /etc/bind ; \
     mkdir -m 0770 -p /var/cache/bind && chown -R named:named /var/cache/bind ; \
     wget -q -O /etc/bind/bind.keys https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11 ; \
     rndc-confgen -a

container/configs/default-zones/db.root

@@ -9,8 +9,8 @@
 ;           on server           FTP.INTERNIC.NET
 ;       -OR-                    RS.INTERNIC.NET
 ; 
-;       last update:     January 30, 2018 
+;       last update:     April 29, 2020 
-;       related version of root zone:     2018013001
+;       related version of root zone:     2020042901
 ; 
 ; FORMERLY NS.INTERNIC.NET 
 ;

container/entrypoint.sh

@@ -1,8 +1,14 @@
 #!/bin/sh
 OPTIONS=$@
+# "Run Time" changes - needed for when creating a *new* directory/first-time volume map
+# A great example of this is "/var/cache/bind" for dynamic configs, and mapping it in
+# The first time around, it will not be owned by named:named, and thus it won't be writable
+mkdir /tmp/bind
 chown -R root:named /etc/bind /var/run/named
-chown -R named:named /var/cache/bind
+chown -R named:named /var/cache/bind /tmp/bind
-chmod -R 770 /var/cache/bind /var/run/named
+chmod -R 770 /etc/bind /var/cache/bind /var/run/named
-chmod -R 750 /etc/bind
+find /etc/bind /var/cache/bind -type f -exec chmod 640 -- {} +
-# Run in foreground and log to STDERR (console):
+# By default - run in foreground and log to STDERR (console)
-exec /usr/sbin/named -c /etc/bind/named.conf -g -u named $OPTIONS
+# can be changed by running container with: -e "BIND_LOG=-f"
+cd /tmp/bind
+exec /usr/sbin/named -c /etc/bind/named.conf $BIND_LOG -u named $OPTIONS