I have a problem, after making modifications to my dns server, I need to copy the configs to another server and start the container with the same data I had modified before, I get an error like mv: failed to access '/data/bind/etc': Too many levels of symbolic links

I'm trying to use this container for rewriting an existing domain's IP inside a private network.

My setup is that I have a private network with some machines setup and a router which has an internet accessible public IP. One of these machines is serving some content to the internet under a domain (say example.com) pointing to the public IP, by having a port opened from router to it. The thing is that other machines in the private network also need access to that server. Router however blocks packets originating from inside to access the public IP. So I thought I would use this container as a local DNS server to overwrite that public IP with the local one.

I have setup this container with this docker-compose file:

version: '2'

services:
  bind:
    image: sameersbn/bind:latest
    restart: always
    dns: 8.8.8.8
    logging:
      driver: "json-file"
      options:
        max-size: "200k"
        max-file: "10"
    environment:
        - ROOT_PASSWORD=somepass
    ports:
      - 10000:10000
      - 53:53/udp
    volumes:
      - ./data:/data

and added following ACL and configs to it:

acl localclients {
	192.168.0.0/16;
	172.17.0.0/16;
	localhost;
	localnets;
};

options {
	directory "/var/cache/bind";
	dnssec-validation auto;

	auth-nxdomain no;
	listen-on-v6 { any; };
	listen-on {
		any;
		};

	recursion yes;

	allow-query { any; };
	allow-recursion {
		localclients;
		};
	allow-query-cache { localclients; };
}

currently looking up domain name on docker's host machine (with IP 192.168.1.6) works as expected:

$ nslookup example.com
Server:		192.168.1.6
Address:	192.168.1.64#53

Name:	example.com
Address: 192.168.1.4

but I can't use that for another container:

$ docker run --rm busybox nslookup example.com
Server:    192.168.1.6
Address 1: 192.168.1.6 servername

Name:      example.com
Address 1: 188.15.221.88

where 188.15.221.88 is the public IP. do I need additional config set on the container?

Hey. I used Logging and Errors in the webmin interface to add an option to write to a logfile i created. I set permissions to 777 on that file and applied changes with no errors the file however stays empty. do you have any ideas on how I can resolve?

Hello, I am trying to use docker-squid, but I am running into some issues. I have a custom squid.conf, so I am using the run command:

docker run --name squid-cache -d --restart=always --publish 3128:3128 --volume /opt/squid-proxy/logs:/var/log/squid3 --volume /opt/squid-proxy/squid3/squid.conf:/etc/squid3/squid.conf sameersbn/squid:3.3.8-14

But I am getting this error:

Initializing cache...
FATAL: getpwnam failed to find userid for effective user 'squid'
Squid Cache (Version 3.3.8): Terminated abnormally.
CPU Usage: 0.014 seconds = 0.007 user + 0.007 sys
Maximum Resident Size: 24912 KB
Page faults with physical i/o: 0

I think that means that there is no user named squid, but I'm not 100% sure, so I came here for help.

Hi, thx for your amazing containers,

could you please update this one to the last version ?
I'm facing security issues with this one (its a 2013 release ^^" )

By allowing the user to create a custom derived image from this one just adding his own configuration files, you can create immutable containers that are suitable to be deployed on a docker swarm.

please help me fit it

Random question did you have to do anything special in your squid.conf to get it to work on kubernetes? Im able to see my traffic in the access log, but im not able to deny any sites

After editing squid.conf by adding http_access allow all as a quick test to allow all IP addresses to connect, how can the new conf be loaded? service squid3 reload does not seem to work as squid3 is not found as one of the "services"

I've set up squid within docker on a remote server using this docker image and my config file adjustments have worked fine, until I tried enabling digest authentication. It doesn't seem to do anything. I added this to the config file.

auth_param digest program /usr/lib/squid3/digest_file_auth –c /etc/squid/password-file
auth_param digest children 5 startup=0 idle=1
auth_param digest realm Squid Proxy
auth_param digest nonce_garbage_interval 5 minutes
auth_param digest nonce_max_duration 30 minutes
auth_param digest nonce_max_count 50

Then I did this:

$ htdigest -c password-file Squid\ Proxy jason
$ docker cp ~/password-file squid:/etc/squid/
$ docker exec -it squid bash
    
# chown root:root /etc/squid/password-file
# chmod 400 /etc/squid/password-file
# exit
    
$ docker kill -s HUP squid

Everything works as before and I am not being asked for a username and password when I connect a browser to the proxy. Previous ACLs have not been changed.

Is there any reason why this wouldn't work in Docker or have I got something wrong?

When i Sending build context to Docker daemon 269.3 kB
Step 1 : FROM sameersbn/ubuntu:14.04.20160321
Get https://registry-1.docker.io/v2/sameersbn/ubuntu/manifests/14.04.20160321: x 509: certificate is valid for FGT80C3913605510, not registry-1.docker.io

Webmin just hangs on connecting:

vrogojin@wormhole:~$ wget localhost:10000
converted 'http://localhost:10000' (ANSI_X3.4-1968) -> 'http://localhost:10000' (UTF-8)
--2017-01-07 15:59:56--  http://localhost:10000/
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:10000... connected.
HTTP request sent, awaiting response... 

IT HANGS HERE

Using docker-compose:

bind:
  image: sameersbn/bind:latest
  dns: 127.0.0.1
  environment:
    - ROOT_PASSWORD=SecretPassword
  ports:
   - 10000:10000
   - 53:53/udp
  volumes:
    - ./bind:/data

on Debian Jessie

If you create a container then later try to change the password using the ROOT_PASSWORD variable while mounting the /data directory you are unable to. Passwd and the change password inside of webmin also do not work.

Getting this error when I try to run this command on all the mounted files:
chcon: can't apply partial context to unlabeled file 'rndc.conf'

I have also tried with sudo

chcon -Rt svirt_sandbox_file_t /srv/docker/bind

Has anyone tried to enable ldap authentication with osixia/docker-openldap? After successfully ldapadd and ldapsearch the user but not able to make it work with the below settings in squid.conf.

auth_param basic program /usr/lib/squid3/basic_ldap_auth -v 3 -Z -b "dc=example,dc=com" -f "uid=%s" -h ldap.example.com
auth_param basic children 5 startup=5 idle=1
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 8 hours
acl ldap_auth proxy_auth REQUIRED
http_access allow ldap_auth

I tested connectivity using the authentication module and it yields a hang
/usr/lib/squid3/basic_ldap_auth -v 3 -Z -b "dc=example,dc=com" -f "uid=%s" -h ldap.example.com

Running docker 1.6.0 on Fedora 21 I'm getting:

[root@squid ~]# docker run -it --rm --name='squid' -p 3128:3128 sameersbn/squid
Unable to find image 'sameersbn/squid:latest' locally
latest: Pulling from docker.io/sameersbn/squid
83e4dde6b9cf: Pull complete
b670fb0c7ecd: Pull complete
29460ac93442: Pull complete
d2a0ecffe6fa: Pull complete
e0c4b5a5f14e: Pull complete
b3381f2756dd: Pull complete
520083657edb: Pull complete
fc59de8fbe26: Pull complete
87e8becdd341: Pull complete
aebe4d084938: Pull complete
e33aa611ecce: Pull complete
cd03cb7fb103: Pull complete
35b1c18935c9: Pull complete
a8200ffcff19: Already exists
Digest: sha256:915667ad2221043601dabb9dbf4f804dba224006af73ae36e8801c776d5f27d8
Status: Downloaded newer image for docker.io/sameersbn/squid:latest
/usr/sbin/squid3: error while loading shared libraries: cannot restore segment prot after reloc: Permission denied
[root@squid ~]# docker --version
Docker version 1.6.0, build 350a636/1.6.0
[root@squid ~]# uname -a
Linux squid 3.17.4-301.fc21.x86_64 #1 SMP Thu Nov 27 19:09:10 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

sudo docker run --name='squid' -it --rm -p 3128:3128 sameersbn/squid:latest

squid3[24]: Squid Parent: will start 1 kids
squid3[24]: Squid Parent: (squid-1) process 26 started
2014/12/28 20:39:28| Starting Squid Cache version 3.3.8 for x86_64-pc-linux-gnu...
2014/12/28 20:39:28| Process ID 1
2014/12/28 20:39:28| Process Roles: master worker
2014/12/28 20:39:28| With 65536 file descriptors available
2014/12/28 20:39:28| Initializing IP Cache...
2014/12/28 20:39:28| DNS Socket created at [::], FD 5
2014/12/28 20:39:28| DNS Socket created at 0.0.0.0, FD 6
2014/12/28 20:39:28| Adding nameserver 8.8.8.8 from /etc/resolv.conf
2014/12/28 20:39:28| Adding nameserver 8.8.4.4 from /etc/resolv.conf
2014/12/28 20:39:28| Adding domain local from /etc/resolv.conf
2014/12/28 20:39:28| Logfile: opening log daemon:/var/log/squid3/access.log
2014/12/28 20:39:28| Logfile Daemon: opening log /var/log/squid3/access.log
2014/12/28 20:39:28 kid1| Creating missing swap directories
2014/12/28 20:39:28 kid1| /var/spool/squid3 exists
2014/12/28 20:39:28 kid1| Making directories in /var/spool/squid3/00
2014/12/28 20:39:28 kid1| Making directories in /var/spool/squid3/01
2014/12/28 20:39:28 kid1| Making directories in /var/spool/squid3/02
2014/12/28 20:39:28 kid1| Making directories in /var/spool/squid3/03
2014/12/28 20:39:28 kid1| Making directories in /var/spool/squid3/04
2014/12/28 20:39:29 kid1| Making directories in /var/spool/squid3/05
2014/12/28 20:39:29 kid1| Making directories in /var/spool/squid3/06
2014/12/28 20:39:29 kid1| Making directories in /var/spool/squid3/07
2014/12/28 20:39:29 kid1| Making directories in /var/spool/squid3/08
2014/12/28 20:39:29 kid1| Making directories in /var/spool/squid3/09
2014/12/28 20:39:29 kid1| Making directories in /var/spool/squid3/0A
2014/12/28 20:39:29 kid1| Making directories in /var/spool/squid3/0B
2014/12/28 20:39:29 kid1| Making directories in /var/spool/squid3/0C
2014/12/28 20:39:29 kid1| Making directories in /var/spool/squid3/0D
2014/12/28 20:39:29 kid1| Making directories in /var/spool/squid3/0E
2014/12/28 20:39:29| Unlinkd pipe opened on FD 12
2014/12/28 20:39:29| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2014/12/28 20:39:29| Store logging disabled
2014/12/28 20:39:29| Swap maxSize 102400 + 262144 KB, estimated 28041 objects
2014/12/28 20:39:29| Target number of buckets: 1402
2014/12/28 20:39:29| Using 8192 Store buckets
2014/12/28 20:39:29| Max Mem size: 262144 KB
2014/12/28 20:39:29| Max Swap size: 102400 KB
2014/12/28 20:39:29| ERROR: /var/spool/squid3/0F: (2) No such file or directory
FATAL: Failed to verify one of the swap directories, Check cache.log
for details. Run 'squid -z' to create swap directories
if needed, or if running Squid for the first time.

Firstly, I thought it is a problem due to insufficient memory, because my VPS had just 512Mb memory. But then I tried on 1Gb VPS and it repeated the same error. Also checked with external volume for cash directory /var/spool/squid3, but it didn't help as well.

Using latest docker version 1.4.1
Host has Ubuntu 14.04 installed.

The container fails to run when I try to use a custom squid.conf:

# docker run -it -p 3128:3128 -v /mnt/main/docker/container-data/squid/squid.conf:/etc/squid3/squid.conf --name squid sameersbn/squid
sed: cannot rename /etc/squid3/sedsax6Ln: Device or resource busy

When I try to mount the squid.conf with this docker config line I get an empty location:

--volume /local/location/to/squid.conf:/etc/squid3/squid.conf \

Is this the correct location for the newest build of squid?

Hi,

This is a suggestion to revise the method to reload the squid configuration on a running instance.

I have used sameersbn/squid:3.3.8-23 and it work nice until I try to reload the squid configuration on a running instance. I found that after typing docker kill -s HUP squid to my terminal, squid shows the same configuration as before. I try a lot of ways to figure out the problem, but only to find that it was the problem of mounting the squid.conf.

Here is the detail.

I create and run sameersbn/squid:3.3.8-23 following the instruction in README.md:

docker run -d --name squid --restart=always --publish 3128:3128 --volume /etc/squid/squid.conf:/etc/squid3/squid.conf --volume /var/spool/squid3:/var/spool/squid3 sameersbn/squid:3.3.8-23

This works nice, however, when you try to reload squid.conf on the running instance using:

docker kill -s HUP squid

You will find the configuration of squid doesn't change at all. After a lot of miserable reading of docker issues, I found the problem. Docker can not detect the mounted file changes unless you mount the directory. In my situation, I create a new container and mount my squid.conf directory, then HUP works. That is:

docker run -d --name squid --restart=always --publish 3128:3128 --volume /etc/squid/squid.conf:/etc/squid3/squid.conf --volume /etc/squid:/etc/squid3 --volume /var/spool/squid3:/var/spool/squid3 sameersbn/squid:3.3.8-23

The magic is --volume /etc/squid:/etc/squid3

I hope my experience could help new guys like me. 😃

Within the container, bind seems to always assume IPv6 is enabled.
In the logs, it shows error (network unreachable) resolving 'xxx.apple.com/A/IN': 2001:500:3::42#53 when there is no IPv6 support outside the container.

As per http://crashmag.net/disable-ipv6-lookups-with-bind-on-rhel-or-centos it states that IPv6 can be disabled by add OPTIONS="-4" to /etc/sysconfig/named (on centOS)

It would be helpful to either expose the appropriate config to /data or have an environment variable that allows it to be disabled.

docker run -d --name=bind --dns=127.0.0.1 --publish=172.17.42.1:53:53/udp --publish=172.17.42.1:10000:10000 --volume=/srv/docker/bind:/data --env='ROOT_PASSWORD=SecretPassword' sameersbn/bind:latest
WARNING: Localhost DNS setting (--dns=127.0.0.1) may fail in containers.
Unable to find image 'sameersbn/bind:latest' locally
latest: Pulling from sameersbn/bind
Digest: sha256:e15a826c3ded4ea696717fde612f88c5bf205c6bccbb1df67678631496d8b803
Status: Downloaded newer image for sameersbn/bind:latest
b65c626e422aef6ba21f4bfe38d6bd69795ea1090e8f170833e17e938ce00825
docker: Error response from daemon: driver failed programming external connectivity on endpoint bind (46ab9155dd1cdf9c0d5ba344a2d23840171eaff94a57e82a4dca8ee58bf64663): Error starting userland proxy: listen tcp 172.17.42.1:10000: bind: cannot assign requested address.

any ideas ?

hello,

i get this issue when i try to build
(sudo docker build -t sameersbn/bind github.com/sameersbn/docker-bind)
i already install apt-transport-https (sudo apt-get install apt-transport-https)
i just installed docker

here is my source.list
deb http://httpredir.debian.org/debian jessie main
deb-src http://httpredir.debian.org/debian jessie main

deb http://httpredir.debian.org/debian jessie-updates main
deb-src http://httpredir.debian.org/debian jessie-updates main

deb http://security.debian.org/ jessie/updates main
deb-src http://security.debian.org/ jessie/updates main

here is my /etc/apt/sources.list.d/backports.list content
deb http://http.debian.net/debian wheezy-backports main

Get:9 http://archive.ubuntu.com/ubuntu/ trusty-updates/main python2.7-minimal amd64 2.7.6-8ubuntu0.3 [1187 kB]
E: The method driver /usr/lib/apt/methods/https could not be found.
The command '/bin/sh -c rm -rf /etc/apt/apt.conf.d/docker-gzip-indexes && wget http://www.webmin.com/jcameron-key.asc -qO - | apt-key add - && echo "deb http://download.webmin.com/download/repository sarge contrib" >> /etc/apt/sources.list && apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y bind9=${BIND_VERSION}* bind9-host=${BIND_VERSION}* webmin=${WEBMIN_VERSION}* && rm -rf /var/lib/apt/lists/*' returned a non-zero code: 100

Links in file README.md points to other files in your repo (docker-compose.yml for example ) are relative. On page hub.docker.com it does not work correctly.

the --env='ROOT_PASSWORD=????' is ignored and webmin uses default username/password

Description

How to manage ACLs.....

After running a month the docker fails because its has not enough space on hard disk

docker[1001]: 2016/03/07 11:48:22| Loaded Icons.
docker[1001]: 2016/03/07 11:48:22| HTCP Disabled.
docker[1001]: 2016/03/07 11:48:22| Pinger socket opened on FD 10
docker[1001]: 2016/03/07 11:48:22| Squid plugin modules loaded: 0
docker[1001]: 2016/03/07 11:48:22| Adaptation support is off.
docker[1001]: 2016/03/07 11:48:22| Accepting HTTP Socket connections at local=[::]:8080 remote=[::] FD 8 flags=9
docker[1001]: 2016/03/07 11:48:23| storeLateRelease: released 0 objects
docker[1001]: 2016/03/07 11:48:24| Closing HTTP port [::]:8080
docker[1001]: 2016/03/07 11:48:24| storeDirWriteCleanLogs: Starting...
docker[1001]: 2016/03/07 11:48:24|   Finished.  Wrote 0 entries. 
docker[1001]: 2016/03/07 11:48:24|   Took 0.00 seconds (  0.00 entries/sec).
docker[1001]: FATAL: logfileWrite: stdio:/var/log/squid3/access.log: (28) No space left on device
docker[1001]: 
docker[1001]: 2016/03/07 11:48:24| Closing Pinger socket on FD 10

The host machine has space in their hard drive.

[root@docker ~]# df -h
Filesystem                      Size  Used Avail Use% Mounted on
devtmpfs                         16G     0   16G   0% /dev
tmpfs                            16G   12K   16G   1% /dev/shm
tmpfs                            16G 1000K   16G   1% /run
tmpfs                            16G     0   16G   0% /sys/fs/cgroup
/dev/mapper/fedora_docker-root  123G   19G  104G  16% /
tmpfs                            16G  8,0K   16G   1% /tmp
/dev/cciss/c0d0p1               477M  100M  348M  23% /boot
tmpfs                           3,2G     0  3,2G   0% /run/user/0

Instead of writing logs into the docker at /var/logs the logs should emit to stdout and then normal docker logging drivers can handle the logs.

I've been tsting on various sites downloading zip files, and web pages, squid is definitely up and running and routing requests through but

1504359527.880    197 172.17.0.1 TCP_MISS/200 39969 GET http://www.colorado.edu/conflict/peace/download/peace_essay.ZIP - HIER_DIRECT/128.138.129.98 application/zip
1504359558.843    438 172.17.0.1 TCP_CLIENT_REFRESH_MISS/200 39968 GET http://www.colorado.edu/conflict/peace/download/peace_essay.ZIP - HIER_DIRECT/128.138.129.98 application/zip
1504359584.790   1044 172.17.0.1 TCP_MISS/200 523564 GET http://www.colorado.edu/conflict/peace/download/peace_treatment.ZIP - HIER_DIRECT/128.138.129.98 application/zip
1504359598.573   1038 172.17.0.1 TCP_CLIENT_REFRESH_MISS/200 523563 GET http://www.colorado.edu/conflict/peace/download/peace_treatment.ZIP - HIER_DIRECT/128.138.129.98 application/zip

You can see one of the test files I used

another is located here

http://speedtest.tele2.net/

I performed 2 back to back curl tests

curl http://speedtest.tele2.net/100MB.zip --proxy localhost:3128 -o /dev/null

Both cases I saw this in the squid logs

1504359799.758  22379 172.17.0.1 TCP_MISS/200 104857975 GET http://speedtest.tele2.net/100MB.zip - HIER_DIRECT/90.130.70.73 application/zip
1504359862.523  57009 172.17.0.1 TCP_MISS/200 104857975 GET http://speedtest.tele2.net/100MB.zip - HIER_DIRECT/90.130.70.73 application/zip

Squid has been for quite some time on the 4.6 can you upgrade the container to 4.6 latest stable?
.. I forgot to mention that there is no DEB file from Ubuntu for it.

When I run webmin, it looks like it is using an SSL cert generated on the fly.
Is there any way a param can be passed to docker to use a SSL cert that I own?

Note: this may not be necessary as I'm tracking an issue with either BIND or Docker, but it's part of the configuration for BIND.

The file suggested is /etc/default/bind9

I'm trying to mount /data on an NFS mount. The idea is that I can boot up the image from any of my hosts in case one goes down. However, I'm getting the following error:

chown: changing ownership of/data/bind': Operation not permitted

Looks like the directories are initially created by nobody:nogroup.

Which user is attempting to change theh ownership?
Is this because of the docker bridge network?
How can I map /data to my NFS mount.

Describes test 2

The squid.conf that comes with this image does not have a cache_dir directive.

As such, it will never use persistent storage by default.

Running the latest squid docker image, I tried to use a custom server.key / server.cert for using https with

https_port 8128 cert=/etc/squid/ssl/server.crt key=/etc/squid/ssl/server.key

I tried several options like acel / transparent / intercept aso. but never got a working configuration.
Which is the correct option to work with the docker/squid ?

It would be interesting to read Webmin's root password from a secret file instead from an environment variable as the current version does.

desc

Webmin uses ports 10000-100010 for RPC communication. When setting up a bind slave, Webmin uses these extra ports for communication.

What ports does Webmin RPC use>
Webmin has two RPC modes - slow mode, that only uses the same HTTP port the webserver listens on (typically 10000), and fast mode which uses ports 10000 on up. The upper bound depends on the number of concurrent RPC operations, but opening the range 10000 to 10010 should be enough when configuring the firewall between two Webmin servers.

http://www.webmin.com/faq.html

hi @sameersbn ,

i was testing your image, and it seems not to be caching https.

i fixed the max object size for caching and its caching ftp and http but not https.

Anything i might have missed?

Thanks

As of BIND 9.4.1-P1, new options have become available (and are required) to allow recursive DNS entries as explained by this ISC article. Therefore, after this container is started, it will not allow clients outside of the host to do recursive DNS entries with the current configuration.

Expected Behavior:
After the container is started with the default, included config, this server will be able to resolve recursive DNS entries from other clients on the network as implied by this example article.

Actual Behavior:
The server responds with this message to the client:
** server can't find google.com: REFUSED
The logs on the client read:
client 192.168.2.202#64300 (google.com): query (cache) 'google.com/A/IN' denied

docker inspect sameersbn/squid:3.3.8-23 - doesnt shows any exposed file to be mouted to local host

https://github.com/sameersbn/docker-bind/blob/e2ce4dad28781a2517a556232cf3b83397c6a5d4/Dockerfile#L10

• && wget http://www.webmin.com/jcameron-key.asc -qO - | apt-key add - \
  

• && wget https://www.webmin.com/jcameron-key.asc -qO - | apt-key add - \

replace http by https

Possible to add optional DHCP as well? That way the dhcp can sync with BIND

Thanks,

Hi, I tried with docker-compose, but it did not work!

root@88efec7f40cd:/# squid3 -k rotate
squid: ERROR: No running copy

root@88efec7f40cd:/# cat /var/run/squid3.pid
1

Any ideas?
TIA

what are the default username and password?

Hi, I'm currently unable to mount a shared folder as a volume inside the image, since it fails during the chown operation here:

https://github.com/sameersbn/docker-squid/blob/master/entrypoint.sh#L12

Can you consider removing the operation?

Setting an explicit SQUID_USER is not a solution in my use case, unfortunely.

hi I get the sameersbn/squid ,but I need use my squid.conf file. so i do this：
$ sudo docker run -i -t sameersbn/squid /bin/bash
I custom the /etc/squid3/squid.conf, modify it and save it. and exit. create a new image "squid-new" .
$ sudo docker commit squid-new
$ docker run --name squid-d --restart=always --publish 9000:9000 squid-new
in my custom squid.conf,the port is 9000.
but the container is still restarting. it can't be started. why is this?
so how to modify sameersbn/squid image, and let it work?