From 71ba016120f103c82f39c5b0f13532333d8989a2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20M=C3=B6hlmann?= Date: Thu, 17 Jan 2019 14:17:44 +0200 Subject: [PATCH] Unbound docs for Swarm --- docs/swarm/master/README.md | 41 +++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/docs/swarm/master/README.md b/docs/swarm/master/README.md index 61319cfd..d03ba562 100644 --- a/docs/swarm/master/README.md +++ b/docs/swarm/master/README.md 
@@ -250,3 +250,44 @@ Run the follwoing command: ```bash core@coreos-01 ~ $ docker stack rm mailu ``` + +## Notes on unbound resolver + +In Docker compose flavor we currently have the option to include the unbound DNS resolver. This does not work in Docker Swarm, as it in not possible to configure any static IP addresses. There is an [open issue)](https://github.com/moby/moby/issues/24170]) on this over at Docker. However, this doesn't seem to move anywhere since some time now. For that reasons we've chosen not to include the unbound resolver in the stack flavor. + +If you still want to benefit from Unbound as a system resolver, you can install it system-wide. The following procedure was done on a Fedora 28 system and might needs some adjustments for your system. Note that this will need to be done on every swarm node. In this example we will make use of `dnssec-trigger`, which is used to configure unbound. When installing this and running the service, unbound is pulled in as dependency and does not need to be installed, configured or run separately. + +Install required packages(unbound will be installed as dependency): + +``` +sudo dnf install dnssec-trigger +``` + +Enable and start the *dnssec-trigger* daemon: + +``` +sudo systemctl enable --now dnssec-triggerd.service +``` + +Configure NetworkManager to use unbound, create the file `/etc/NetworkManager/conf.d/unbound.conf` with contents: + +``` +[main] +dns=unbound +``` + +You might need to restart NetworkManager for the changes to take effect: + +``` +sudo systemctl restart NetworkManager +``` + +Verify `resolv.conf`: + +``` +$ cat /etc/resolv.conf +# Generated by dnssec-trigger-script +nameserver 127.0.0.1 +``` + +Most of this info was take from this [Fedora Project page](https://fedoraproject.org/wiki/Changes/Default_Local_DNS_Resolver#How_To_Test).
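Review bot: The link in the first added paragraph is malformed and will not render: `[open issue)](https://github.com/moby/moby/issues/24170])` has a stray `)` in the link text and a stray `]` inside the URL. It should read `[open issue](https://github.com/moby/moby/issues/24170)`. The same section has several typos worth fixing before merge: "as it in not possible" (is), "For that reasons" (reason), "might needs some adjustments" (need), "Install required packages(unbound" (missing space) and "was take from" (taken). On content, the final check only shows the host's `/etc/resolv.conf` pointing at `nameserver 127.0.0.1`. The section never says how the Mailu containers in the stack end up using that resolver, nor how to confirm that DNSSEC validation is active. Since the stated reason for the section is to give the stack the benefit of Unbound, please add a verification step run from inside a container, or a sentence stating what the containers are expected to resolve through. The four command and config fences also carry no language tag, while the existing block above uses `bash`; tagging them keeps the page consistent.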