Docker Unbound DNS Server: How to launch as service

My host system is Arch Linux, and the Docker image is “base/arch” (archlinux) with my own modifications. Unbound is installed on a committed image, but I don’t quite know how to launch the container with the service running since SystemD is not meant to run in Docker.

How do I actually launch the container with Unbound running as a service?

I’ve gone through some basic tutorials, but most of them cover launching pre-built containers:

Docker's basic course.

Arch Wiki.

Digital Ocean overview.

Thanks!

Answer:

For this answer, I’m assuming that you’ve installed Unbound by simply installing the community/unbound package via pacman.

You can inspect the systemd unit files that are installed alongside the package to determine how to actually start the server. Have a look at /usr/lib/systemd/system/unbound.service:

    [Unit]
    Description=Unbound DNS Resolver
    After=network.target

    [Service]
    ExecStartPre=/bin/cp -f /etc/trusted-key.key /etc/unbound/
    PIDFile=/run/unbound.pid
    ExecStart=/usr/bin/unbound -d
    ExecReload=/bin/kill -HUP $MAINPID
    Restart=always

    [Install]
    WantedBy=multi-user.target

Most important is the ExecStart line. This describes the command that systemd uses to actually start the service. According to unbound's help (unbound -h), the -d switch means do not fork into the background (which is a good thing because that’s also exactly what you need to start Unbound in a Docker container).

The ExecStartPre command can be a simple RUN step when building the image.

In conclusion, you can translate this into a Dockerfile similar to this:

    FROM base/arch

    # <omitted>

    RUN /bin/cp -f /etc/trusted-key.key /etc/unbound/
    CMD ["/usr/bin/unbound", "-d"]
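As an added example (not from the question or answer above), here is a small Python utility that automates the translation the answer performs by hand: it parses a systemd unit, maps ExecStartPre to RUN and ExecStart to an exec-form CMD, and refuses units with Type=forking, because a command that daemonizes would exit as the container's PID 1 and stop the container. The embedded unit text is the unbound.service shown above; the function names are my own.

```python
import json
import shlex

# Constructed sample: the unbound.service unit quoted in the answer above.
UNIT_TEXT = """[Unit]
Description=Unbound DNS Resolver
After=network.target

[Service]
ExecStartPre=/bin/cp -f /etc/trusted-key.key /etc/unbound/
PIDFile=/run/unbound.pid
ExecStart=/usr/bin/unbound -d
ExecReload=/bin/kill -HUP $MAINPID
Restart=always

[Install]
WantedBy=multi-user.target
"""

def parse_unit(text: str) -> dict[str, dict[str, list[str]]]:
    """Parse a unit file into {section: {key: [values]}}; repeated keys accumulate."""
    sections: dict[str, dict[str, list[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, _, value = line.partition("=")
        sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections

def runs_in_foreground(unit: str) -> bool:
    """Type=forking means ExecStart daemonizes; as PID 1 it would exit the container."""
    return parse_unit(unit).get("Service", {}).get("Type", ["simple"])[0] != "forking"

def exec_to_dockerfile(unit: str, base_image: str) -> list[str]:
    """Map ExecStartPre -> RUN, ExecStart -> exec-form CMD (ExecReload/Restart have no Dockerfile form)."""
    if not runs_in_foreground(unit):
        raise ValueError("ExecStart daemonizes (Type=forking); the container would stop immediately")
    service = parse_unit(unit)["Service"]
    lines = [f"FROM {base_image}"]
    for pre in service.get("ExecStartPre", []):
        lines.append("RUN " + pre.lstrip("-@:+!"))  # drop systemd exec-prefix characters
    (start,) = service["ExecStart"]  # exactly one ExecStart for a non-oneshot unit
    lines.append("CMD " + json.dumps(shlex.split(start.lstrip("-@:+!"))))
    return lines
```

The generated CMD is the same exec-form line the answer writes by hand, so Unbound stays the container's foreground process.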