jedisct1/dnscrypt-server-docker

Changes to the dnscrypt-server components

ooonea opened this issue · 29 comments

Being subscribed to the project mailing list I read that you switched to OpenSSL. Do I have to follow this guide to update my servers? https://github.com/jedisct1/dnscrypt-proxy/wiki/Manually-updating-your-DNSCrypt-server

You can.

But honestly, there is absolutely no urgency to do it. The current version you are running is fine.
So only do it if you are bored :)

Thank you so much for your answer. At the moment I activated watchtower. I tried on one of the servers to upgrade according to the aforementioned guide. But I had a strange log about certain limits and unbound. But I do not understand anything. I had created a snapshot and I came back. If you're interested, I'll try again and send you the log.

I'd be definitely interested in these logs if you have time.

Ok. Tomorrow afternoon I redo everything. Now sleep, then work, then family and then server. Thanks for your patience. I would like to understand something too.

I am attaching the logs of one of the servers. The logs file comes from the 'docker logs dnscrypt-server' command. The unbound_warning file is an extract of the log that reports the unbound warnings I was telling you about. The file docker_inspect finally comes from the command 'docker inspect dnscrypt-server' from which I understand that nothing has been updated, because I always read libressl. Let me know.
PS: The three files are in the log.zip, plus I added a screenshot of the https://rootcanary.org/test.html of my servers. Worse than before.

log.zip

Weird, it definitely looks like you are not running the current image.

How can I update? I followed the guide on Github to manually update the container. Then I installed and activated watchtower. But the result is the same. How can I do? Even if I uninstall and install again, nothing changes. I follow the guide for Scaleway.

Looks like the Docker Hub didn't properly build the new version.

I triggered a new build. Give it a couple minutes :)

Ok. Thank you so much Frank. I'll try soon and I'll let you know. But those unbound notices? What's up?

I think these are limits enforced by Kubernetes or whatever runs your containers.

I use Docker.

Now I try everything and let you know. You are very kind.

Looks like the new image is on the Docker hub!

In fact I had reproached, but still nothing. Now I have updated the first server manually and the others have updated with watchtower, but rightfully I have to manually reset the keys. So it's automatic in half. The test, however, does not change and I seem to be different from the one attached by the user 'mibere'.

@lucenera did you try a browser reload of the page + "Re-run test"? The test sometimes behaves a bit strangely.

@mibere Yes thanks. It was just a matter of browser cache. I tried in an anonymous browsing window and the test matches yours. By any chance, do you know how to use the --ulimit option in docker?

I didn't change anything regarding ulimit in Docker - just on the host.

After

docker exec -it dnscrypt-server /bin/bash

followed by a

ulimit -n

the output on my system is "1048576".

And ulimit -n on my host outputs "16384" (default was "1024").

My limit in docker (ulimit -n) is 1024. How do I fix it?

The link posted by Frank should help, see above.

I'm confused why my default in the Docker container is 1048576.

@mibere In fact, your default limit is very high. I was able to use the instructions on the page that Frank suggested to me and now I modified the guide to create the server in 10 minutes. So others will not have my same problem.

Thanks a lot for having updated the instructions!

(my defaults are very high as well, same as @mibere ... Not sure why ... I use stock Ubuntu).

I do what I can and now I put something more in the guide to help people like me who do not understand too much. Increasing the limit to 90000 already I do not receive any more errors. I also use Ubuntu stock and I do not know why your limit is so high by default. Will it be the Ubuntu version? I use Ubuntu Server 18.04.2.

I would also advise against watchtower for this container for the key problem. But maybe it's me that I do not know how to automatically restore them to the update. How do I know when your container is updated in Docker Hub? Then update it manually.

After I connect into the container

cat /etc/alpine-release

=> 3.9.2

Host
Distributor ID: Ubuntu
Description: Ubuntu 18.04.2 LTS
Release: 18.04
Codename: bionic

Docker
Docker version 18.06.1-ce, build e68fc7a

Container's alpine
cat /etc/alpine-release
3.9.2

Ah, maybe because of this:

On my host (Debian 9.8)

grep -i limit /etc/init/docker.conf

=> limit nofile 524288 1048576

I definitively didn't modify that file.

Probably Ubuntu is much more conservative. Ubuntu itself is set at 1024.
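
Added example, not part of the original thread: a shell check for the open-file limit the participants compare above (1024 versus 1048576, with 90000 reported as enough). It parses the `Max open files` row of `/proc/<pid>/limits`; the function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check the open-file limit a process
# actually runs with, using the text of /proc/<pid>/limits.

# Constructed sample: limits of a process in a container left at 1024.
SAMPLE_LIMITS='Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max open files            1024                 4096                 files
Max locked memory         65536                65536                bytes'

# nofile_limits: read limits text on stdin, print "soft hard".
# Exit status 1 if there is no "Max open files" row.
nofile_limits() {
    awk '/^Max open files/ { print $4, $5; found = 1 }
         END { exit(found ? 0 : 1) }'
}

# check_nofile WANT: read limits text on stdin.
# Returns 0 if the soft limit is at least WANT, 1 if lower, 2 if unknown.
check_nofile() (
    want=$1
    row=$(nofile_limits) || exit 2
    soft=${row% *}
    hard=${row#* }
    if [ "$soft" = "unlimited" ]; then exit 0; fi
    case $soft in ''|*[!0-9]*) exit 2 ;; esac
    if [ "$soft" -ge "$want" ]; then exit 0; fi
    echo "soft nofile limit $soft is below $want (hard limit: $hard)" >&2
    exit 1
)

# Demo on the constructed sample. On a real system, feed the limits of the
# process you want to audit instead, e.g.: check_nofile 90000 < /proc/1/limits
printf '%s\n' "$SAMPLE_LIMITS" | check_nofile 90000 || echo "check returned $?"
```

If the check fails inside the container, Docker's `--ulimit nofile=<soft>:<hard>` option on `docker run` sets the limit for that container without changing the host default.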