How to run a dockerized dnsmasq name server within a tinc VPN with only one process per container

Question

I have a tinc VPN mesh network that is used by various types of hosts all over the world and I want to deploy a dockerized dnsmasq name server for use within that tinc mesh.

I have already successfully built and configured a "fat" multi-process docker container (using runit) which does what I am looking for. It runs both a tinc process and a dnsmasq process and dnsmasq is configured to bind to the tinc network interface in the container. But now I am trying to build the same functionality using 1-process containers.

I know how to build and configure a basic 1-process dnsmasq container and I know how to build and configure a basic 1-process tinc container. I can write a simple docker-compose file that will bring them both up.

What I don't know how to do is something like using the tinc container as a gateway that exposes the dnsmasq container to the mesh network, allowing other hosts on that tinc network to run DNS queries against dnsmasq. Is that possible?

Answer 1

After doing some intense googling and adapting similar use-cases with openVPN, I figured out a working setup. Conceptually, you bind the network of the dnsmasq container to the tinc container. Here's an abbreviated docker-compose.yml that shows the essentials:

version: '3'
services:

  tinc:
    ...

  dnsmasq:
    depends_on: 
      - tinc
    network_mode: "service:tinc"

If you docker exec -ti dnsmasq /bin/sh after bringing this up and then do an ifconfig inside the dnsmasq container, you will see the tinc network interface that the tinc container creates. So if your dnsmasq config binds to that network interface, it just works.

Cool.