Getting two containers to talk to each other, and one listening on the host`, but internally a fixed IP required

General
1

I am trying to run unbound (DNS resolver) and nsd (authorative DNS server) in containers, which are started like this (I removed the --mount arguments here, the -p on --network=host gives a warning and is ignored):

docker run -p 1054:1054/tcp -p 1054:1054/udp --name rna-nsd-lan -i -t -d \
        --entrypoint /usr/sbin/nsd rna-nameserver-base -V 2 -d
docker run --network=host  -p 53:53/tcp -p 53:53/udp \
        --privileged --name rna-unbound-forwarders-lan -i -t -d \
        --entrypoint /usr/sbin/unbound rna-nameserver-base -v -v -v -d

nsd is running on port 1054 and unbound is running on port 53, both in their config on interface 0.0.0.0/0. nsd is exposed on port 1054 on both 127.0.0.1 and 192.168.x,y. I can use dig -p 1054 @127.0.0.1 and dig -p 1054 @192.168.x.y to get a valid reply from nsd. And unbound is running on port 53 on the host network and it can also get answers from nsd.

I tried:

docker run --network=mynetwork \
        -p 1054:1054/tcp -p 1054:1054/udp --name rna-nsd-lan -i -t -d \
        --entrypoint /usr/sbin/nsd rna-nameserver-base -V 2 -d
docker run --network=mynetwork \
        --privileged -p 53:53/tcp -p 53:53/udp --name rna-unbound-forwarders-lan -i -t -d \
        --entrypoint /usr/sbin/unbound rna-nameserver-base -v -v -v -d

Now, I can again reach both from the host, but unbound cannot reach nsd, because it is trying to find it as 127.0.0.1 but nsd only listens as, say, 172.23.0.2 an IP address that may be different depending on the order of containers being created.

I would like unbound to serve requests on the host network on port 53 (preferably not with --nework=host), while for authoritative queries it queries a non-exposed nsd on an internal docker network. But unbound needs to know where to go for its query, this is hard coded in the configuration file. Currently, it has been configured to look for the authoritative nsd DNS server @ 127.0.0.1 on port 1054.

My current guess is that I will have to create a separate docker network with an IP-range not already taken, and start nsd with a fixed IP-address so that I can put that in unbound’s config. Another option is to use traefik to have traefik connect traffic to port 1054 to the nsd container. But I rather would like this not to run behind traefik (as this is so fundamental it must also work when all else is down). I guess compose might help but I’d like to be able to do this without compose as well. I am wondering how to set this up.

2

Answering myself:

create docker network for fixed-IP communication:

docker network create --internal --subnet 192.168.53.0/24 --gateway 192.168.53.1 rna-fixed-internal```

and

docker run --network=rna-fixed-internal --ip=192.168.53.54\
	-p 1054:1054/tcp -p 1054:1054/udp --name rna-nsd-lan -i -t -d \
	--entrypoint /usr/sbin/nsd rna-nameserver-base -V 2 -d
docker run --network=rna-docker-exposed \
	--privileged -p 53:53/tcp -p 53:53/udp --name rna-unbound-forwarders-lan -i -t -d \
	--entrypoint /usr/sbin/unbound rna-nameserver-base -v -v -v -d
docker network connect --ip=192.168.53.53 rna-fixed-internal rna-unbound-forwarders-lan