Docker Unbound DNS Server: How to launch as service

My host system is Arch Linux, and the Docker image is “base/arch” (archlinux) with my own modifications. Unbound is installed on a committed image, but I don’t quite know how to launch the container with the service running since SystemD is not meant to run in Docker.

How do I actually launch the container with Unbound running as a service?

I’ve gone through some basic tutorials, but most of them cover launching pre-built containers:

  • Docker’s basic course.
  • Arch Wiki.
  • Digital Ocean overview.


One solution collected from the web for “Docker Unbound DNS Server: How to launch as service”

    For this answer, I’m assuming that you’ve installed Unbound by simply installing the community/unbound package via pacman.

    You can inspect the systemd unit files that are installed alongside the package to determine how to actually start the server. Have a look at /usr/lib/systemd/system/unbound.service:

    Description=Unbound DNS Resolver
    ExecStartPre=/bin/cp -f /etc/trusted-key.key /etc/unbound/
    ExecStart=/usr/bin/unbound -d
    ExecReload=/bin/kill -HUP $MAINPID

    Most important is the ExecStart line. This describes the command that systemd uses to actually start the service. According to unbound’s help (unbound -h), the -d switch means do not fork into the background (which is a good thing because that’s also exactly what you need to start Unbound in a Docker container).

    The ExecStartPre command can be a simple RUN step when building the image.

    In conclusion, you can translate this into a Dockerfile similar to this:

    FROM base/arch
    # <omitted>
    RUN /bin/cp -f /etc/trusted-key.key /etc/unbound/
    CMD ["/usr/bin/unbound", "-d"]
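
The translation described in the answer (ExecStartPre becomes RUN, ExecStart becomes CMD), generalized to any unit file, as an added example that is not part of the original answer. The function names, the exec-form RUN and the `base_image` parameter are choices made here; the sample unit is the excerpt quoted above.

```python
import json
import shlex

# Constructed sample: the unit excerpt quoted in the answer above.
SAMPLE_UNIT = """\
Description=Unbound DNS Resolver
ExecStartPre=/bin/cp -f /etc/trusted-key.key /etc/unbound/
ExecStart=/usr/bin/unbound -d
ExecReload=/bin/kill -HUP $MAINPID
"""

# systemd allows these prefix characters before the executable path
# (e.g. "-" = ignore failure); they have no meaning in a Dockerfile.
EXEC_PREFIXES = "-@:+!"


def parse_exec_lines(unit_text):
    """Return [(key, argv)] for every Exec* directive, in file order."""
    entries = []
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")) or "=" not in line:
            continue  # skip blanks, comments and section headers
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip().lstrip(EXEC_PREFIXES)
        if key.startswith("Exec") and value:
            entries.append((key, shlex.split(value)))
    return entries


def unit_to_dockerfile(unit_text, base_image="base/arch"):
    """Translate ExecStartPre -> RUN and ExecStart -> CMD (exec form)."""
    out = [f"FROM {base_image}"]
    cmd = None
    for key, argv in parse_exec_lines(unit_text):
        if key == "ExecStartPre":
            out.append("RUN " + json.dumps(argv))  # exec form: no shell involved
        elif key == "ExecStart":
            cmd = argv  # Docker honours a single CMD, so keep the last one
        else:
            out.append(f"# {key} has no Dockerfile equivalent: " + " ".join(argv))
    if cmd is None:
        raise ValueError("unit has no ExecStart= line")
    out.append("CMD " + json.dumps(cmd))  # foreground process becomes PID 1
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(unit_to_dockerfile(SAMPLE_UNIT), end="")
```

ExecReload has no build-time counterpart: with unbound running as PID 1 from an exec-form CMD, the same signal can be delivered with `docker kill --signal=HUP <container>`.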