Can't make Router Integration to work

[FaBMak]

First, great work. This is a great project and very polished, included the documentation.

Second, I can't figured out, why the Router Integration (SSH) isn't working. I'm deploying dnsmasq (plus ssh) and dnswear in separated containers. Dnsmasq should be accessible via SSH., but dsnweaver is ignoring the router integration and not connecting via SSH. Instead, it's running the reload command in the dsweaver container itself.

Tried to debug, entering in dsnweaver via Docker and installed openssh, and I was able to connect to dnsmasq via SSH, using the credentials provided in compose.yml. SSH first prompted to accept the authenticity, typed 'yes', and later the password. But, It's working.

The volume ./dnsmasq.d:/etc/dnsmasq.d is shared between containers. So, is accessible from both containers.

compose.yml

  dnsweaver:
    image: maxamill/dnsweaver:latest
    container_name: dnsweaver
    hostname: dnsweaver
    environment:
      - DNSWEAVER_INSTANCES=router
      - DNSWEAVER_LOG_LEVEL=debug
      - DNSWEAVER_SOURCES=dnsweaver
      - DNSWEAVER_CLEANUP_ORPHANS=true
      - DNSWEAVER_ROUTER_TYPE=dnsmasq
      - DNSWEAVER_ROUTER_CONFIG_DIR=/etc/dnsmasq.d
      - DNSWEAVER_ROUTER_RECORD_TYPE=A
      - DNSWEAVER_ROUTER_TARGET=XXX.XXX.XXX.XXX
      - DNSWEAVER_ROUTER_DOMAINS=*.docker
      - DNSWEAVER_ROUTER_RELOAD_COMMAND=supervisorctl restart dnsmasq
      - DNSWEAVER_ROUTER_SSH_HOST=XXX.XXX.XXX.XXX
      - DNSWEAVER_ROUTER_SSH_PORT=22
      - DNSWEAVER_ROUTER_SSH_USER=root
      - DNSWEAVER_ROUTER_SSH_PASSWORD=XXXXXX
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./dnsmasq.d:/etc/dnsmasq.d
    depends_on:
      dnsmasq:
        condition: service_healthy
    networks:
      swag:
        ipv4_address: XXX.XXX.XXX.XXX
    restart: unless-stopped

dsweaver logs

{"time":"2026-06-03T10:29:27.24652467Z","level":"DEBUG","msg":"received docker event","type":"container","action":"start","actor_id":"af45cf6ccb835d5403a3259147bac3a6385c96f6a2267a9be7a81aae3477a5c1","attributes":{"com.docker.compose.config-hash":"f81d26672b25bcfb4b8a4f62902a78d1997bd9a0aa648ba8c37d655795e6a685","com.docker.compose.container-number":"1","com.docker.compose.depends_on":"","com.docker.compose.image":"sha256:7bbe425033dce54c9e540e600128b511c04855e01a66417bb7e5de0a71c26de9","com.docker.compose.oneoff":"False","com.docker.compose.project":"dockhand","com.docker.compose.project.config_files":"/srv/docker/dockhand/compose.yml","com.docker.compose.project.working_dir":"/srv/docker/dockhand","com.docker.compose.replace":"dockhand","com.docker.compose.service":"dockhand","com.docker.compose.version":"5.1.4","dnsweaver.hostname":"dockhand.docker","image":"fnsys/dockhand:latest","name":"dockhand"}}
{"time":"2026-06-03T10:29:29.247635039Z","level":"INFO","msg":"triggering reconciliation due to docker event"}
{"time":"2026-06-03T10:29:29.247664919Z","level":"INFO","msg":"starting reconciliation","dry_run":false,"cleanup_orphans":true}
{"time":"2026-06-03T10:29:29.278662576Z","level":"DEBUG","msg":"listed containers","count":5,"include_stopped":false}
{"time":"2026-06-03T10:29:29.278687976Z","level":"DEBUG","msg":"scanned workloads from platform","platform":"docker","count":5}
{"time":"2026-06-03T10:29:29.278724297Z","level":"DEBUG","msg":"found simple dnsweaver hostname","hostname":"dockhand.docker","ttl":0}
{"time":"2026-06-03T10:29:29.278730657Z","level":"DEBUG","msg":"extracted hostnames from dnsweaver labels","count":1}
{"time":"2026-06-03T10:29:29.278734137Z","level":"DEBUG","msg":"source extracted hostnames","source":"dnsweaver","count":1}
{"time":"2026-06-03T10:29:29.278753217Z","level":"DEBUG","msg":"extracted hostnames from workload","workload":"dockhand","count":1,"hostnames":["dockhand.docker"]}
{"time":"2026-06-03T10:29:29.278766777Z","level":"INFO","msg":"hostname extraction complete","workloads":5,"hostnames":1}
{"time":"2026-06-03T10:29:29.278816577Z","level":"DEBUG","msg":"listed records","provider":"router","count":0}
{"time":"2026-06-03T10:29:29.278823577Z","level":"DEBUG","msg":"cached records for provider","provider":"router","total_records":0,"unique_hostnames":0}
{"time":"2026-06-03T10:29:29.279333901Z","level":"DEBUG","msg":"created record","hostname":"dockhand.docker","type":"A","target":"XXX.XXX.XXX.XXX"}
{"time":"2026-06-03T10:29:29.279349541Z","level":"DEBUG","msg":"executing command","command":"supervisorctl restart dnsmasq"}
{"time":"2026-06-03T10:29:29.279387981Z","level":"WARN","msg":"failed to reload dnsmasq","error":"command failed: exec: \"supervisorctl\": executable file not found in $PATH, output: "}
{"time":"2026-06-03T10:29:29.279394861Z","level":"INFO","msg":"created record","provider":"router","hostname":"dockhand.docker","type":"A","target":"XXX.XXX.XXX.XXX"}
{"time":"2026-06-03T10:29:29.279409021Z","level":"INFO","msg":"created record","hostname":"dockhand.docker","provider":"router","type":"A","target":"XXX.XXX.XXX.XXX"}
{"time":"2026-06-03T10:29:29.279414821Z","level":"DEBUG","msg":"skipping TXT record (not supported by dnsmasq provider)","hostname":"_dnsweaver.dockhand.docker"}
{"time":"2026-06-03T10:29:29.279419541Z","level":"DEBUG","msg":"created ownership record","hostname":"dockhand.docker","provider":"router"}
{"time":"2026-06-03T10:29:29.279433582Z","level":"INFO","msg":"reconciliation complete","created":1,"updated":0,"deleted":0,"failed":0,"skipped":0,"duration":31754542}
{"time":"2026-06-03T10:29:29.279448622Z","level":"INFO","msg":"reconciliation complete","reason":"triggered","created":1,"deleted":0,"skipped":0,"errors":0,"duration":31754542}

So, any advice will be appreciated. Thanks.

[FaBMak]

I've just tried using SSH Keys. It didn't work, same result.

[maxfield-allison]

I'll take a look at this today!

[maxfield-allison]

Root cause (real bug): the dnsmasq provider's SSH mode is documented and the SSH_* variables get validated, but the SSH code path was never actually wired into the provider. So even with SSH_HOST set, dnsweaver writes the config file locally and runs your RELOAD_COMMAND inside the dnsweaver container instead of over SSH. That's the exec: "supervisorctl": executable file not found in $PATH you're seeing, and the config getting accepted silently is what makes it look like the integration is being ignored.

Full transparency: dnsmasq is the only provider that uses SSH, and I don't run a remote dnsmasq myself, so I built the SSH client and never actually plugged it into the provider. That's on me. Thanks for the detailed report that surfaced it.

Fixing two things for the next release:

1. Actually wire up SSH. When SSH is configured, dnsweaver will write the config over SFTP and run the reload command on the remote host via SSH exec, the way the docs already describe.
2. Fail fast instead of failing silent. If SSH config is present but can't be honored, you'll get a clear startup error instead of a quietly-local fallback.

Leaving this open until it lands in a release. I'll comment back when there's a tag to upgrade to.

[maxfield-allison]

This is fixed in v1.6.0, just published. SSH mode now actually connects: dnsweaver writes the config over SFTP and runs your reload command on the remote host instead of locally, so the supervisorctl error goes away.

Two things to know when you upgrade:

Host key verification is on by default. Add DNSWEAVER_ROUTER_SSH_KNOWN_HOSTS_FILE pointing at a known_hosts file for the router, or set DNSWEAVER_ROUTER_SSH_STRICT_HOST_KEY_CHECKING=false if you want to skip it (not recommended).
Your shared ./dnsmasq.d volume isn't needed in SSH mode anymore, dnsweaver writes to CONFIG_DIR on the remote host directly. It won't hurt anything if you leave it.
Pull maxamill/dnsweaver:v1.6.0 and let me know if it sorts it.