madnuttah/unbound-docker

Unable to start unbound container

hamah99 opened this issue · 16 comments

Similar to issue #24 I'm getting the following errors when attempting to start unbound:

/usr/local/sbin/unbound.sh: line 2: /usr/local/unbound/unbound.d/sbin/unbound-anchor: not found
/usr/local/sbin/unbound.sh: exec: line 3: /usr/local/unbound/unbound.d/sbin/unbound: not found

I'm attempting to configure a 2 container stack (pihole+unbound) following this blog: https://www.xfelix.com/2020/09/pihole-unbound-docker-setup-on-raspberry-pi/

I have not seen these 2 files mentioned before but thinking they were required I tried creating them but got the following errors:

/usr/local/sbin/unbound.sh: line 2: /usr/local/unbound/unbound.d/sbin/unbound-anchor: Permission denied
/usr/local/sbin/unbound.sh: exec: line 3: /usr/local/unbound/unbound.d/sbin/unbound: Permission denied

Here is the volumes part of the unbound service in the compose file:

volumes:
  - /home/steve/docker/unbound/:/usr/local/unbound/:rw
  - /home/steve/docker/unbound/conf.d/:/usr/local/unbound/conf.d/:rw
  - /home/steve/docker/unbound/log.d/:/usr/local/unbound/log.d/:rw
  - /home/steve/docker/unbound/zones.d/:/usr/local/unbound/zones.d/:rw
  - /home/steve/docker/unbound/iana.d/:/usr/local/unbound/iana.d/:rw

Being new to this I'm unsure what to do and looking for some help.

Thanks

Hi and thanks for opening a new issue so the participants of the already closed issue are not notified.

We'll get this running. At a first glance, please remove this line (- /home/steve/docker/unbound/:/usr/local/unbound/:rw) and try to spin up the container.

If that won't help, please try to start with a minimal config using this dockerfile and post the results please.

Cheers.

Thanks for helping. I deleted the line so my volumes section now reads:

volumes:
  - /home/steve/docker/unbound/unbound.conf:/usr/local/unbound/unbound.conf:rw
  - /home/steve/docker/unbound/conf.d/:/usr/local/unbound/conf.d/:rw
  - /home/steve/docker/unbound/log.d/:/usr/local/unbound/log.d/:rw
  - /home/steve/docker/unbound/zones.d/:/usr/local/unbound/zones.d/:rw
  - /home/steve/docker/unbound/iana.d/:/usr/local/unbound/iana.d/:rw

The container still will not start (continuously restarts). The log output is linked below.

The minimalist compose file provided does start:

root@rpi2:/home/steve/docker/unbound# dig www.google.com @172.27.0.2 -p 5335

; <<>> DiG 9.16.44-Raspbian <<>> www.google.com @172.27.0.2 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55776
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 300 IN A 142.250.69.196

;; Query time: 119 msec
;; SERVER: 172.27.0.2#5335(172.27.0.2)
;; WHEN: Tue Feb 13 13:44:38 PST 2024
;; MSG SIZE rcvd: 59

It seems from the log and the fact the minimalist unbound compose you provided runs, that there are problems with 1 or more of my conf files? I have also linked a zipped copy of the conf files below in case they are of any help in troubleshooting this issue.

_unbound_logs.txt

unbound conf files.zip

Sorry for being a bit quiet, I wanted to have the new release out. So if the container starts, attach some more volumes. It could be that you need to download the example conf files and may need to correct permissions on your unbound folder.

Does it start with a default unbound.conf?

@madnuttah should I open a separate issue for my problem? May be a bit confusing otherwise. I just would like to use your container image without any modifications - like I did before v1.19.1

Ah I see you are a different person. I sometimes miss things on my tablet. Yes, that would be nice.

Hi and thanks again for your assistance. I tried pulling the latest image thinking (hoping) I might also be experiencing the bug resolved in 1.19.1-2 (but I don't think so :)) Then I tried:

  1. Using my compose file (linked below) with all volumes except "- /home/steve/docker/unbound/:/usr/local/unbound/:rw" (which has been removed per your suggestion):

[1707966638] libunbound[7:0] fatal error: could not open autotrust file for writing, /usr/local/unbound/iana.d/root.key.7-0-76be2c20: Permission denied
Feb 14 19:10:38 unbound[1:0] notice: init module 0: validator
Feb 14 19:10:38 unbound[1:0] notice: init module 1: iterator
Feb 14 19:10:38 unbound[1:0] info: start of service (unbound 1.19.1).
Feb 14 19:10:38 unbound[1:0] info: generate keytag query _ta-4f66. NULL IN
Feb 14 19:10:38 unbound[1:0] fatal error: could not open autotrust file for writing, /usr/local/unbound/iana.d/root.key.1-0-76b335c0: Permission denied

  2. Using my compose after commenting out all volumes except "- /home/steve/docker/unbound/:/usr/local/unbound/:rw" and using the default unbound.conf:

Feb 14 18:31:34 unbound[1:0] notice: init module 0: validator
Feb 14 18:31:34 unbound[1:0] notice: init module 1: iterator
Feb 14 18:31:34 unbound[1:0] info: start of service (unbound 1.19.1).
Feb 14 18:31:35 unbound[1:0] error: could not open /iana.d/root.zone.tmp1: No such file or directory

my_pihole_unbound_compose.txt

Thanks for your patience.

It doesn't look too bad. This /home/steve/docker/unbound/:/usr/local/unbound/:rw should be like this: /home/steve/docker/unbound/unbound.conf:/usr/local/unbound/unbound.conf:rw

Please run the following command following this: chown -R 1000:1000 /home/steve/docker/unbound/ and try to start the container again.

After viewing your configs in the zip I've seen that the file extension is .txt. They should have the suffix .conf.

@hamah99 you are running this on Pi-hole so you need to put sudo in front of the command, it should read sudo chown -R 1000:1000 /home/steve/docker/unbound/
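
Added example, not part of the thread or of the image's own scripts: two host-side checks for the problems diagnosed above. A bind mount over /usr/local/unbound/ hides whatever the image ships under that path, including the binaries named in the first error messages, and the mounted directories have to match the 1000:1000 ownership from the chown command. The function names are assumptions; the volume lines are copied from the first compose excerpt.

```shell
#!/bin/sh
# Added example: host-side checks for the two problems in this issue.
# Function names are hypothetical; paths and 1000:1000 come from the thread.

# Read "host:container[:mode]" specs on stdin (compose "  - " prefix allowed)
# and print those whose container target is $1 or a parent directory of $1.
# Such a mount hides the files the image ships at that location.
shadowing_mounts() {
    needed=$1
    while IFS= read -r spec; do
        spec=${spec#"${spec%%/*}"}        # drop everything before the first "/"
        [ -n "$spec" ] || continue        # skip lines without a path
        rest=${spec#*:}                   # container[:mode]
        target=${rest%%:*}
        target=${target%/}                # ignore a trailing slash
        case "$needed" in
            "$target"|"$target"/*) printf '%s\n' "$spec" ;;
        esac
    done
}

# Print every path under $1 that is not owned by uid $2 and gid $3.
# Empty output means the whole tree already has that ownership.
ownership_mismatches() {
    find "$1" \( ! -user "$2" -o ! -group "$3" \) -print
}

# Volume lines copied from the first compose excerpt in the issue.
first_volumes='  - /home/steve/docker/unbound/:/usr/local/unbound/:rw
  - /home/steve/docker/unbound/conf.d/:/usr/local/unbound/conf.d/:rw
  - /home/steve/docker/unbound/iana.d/:/usr/local/unbound/iana.d/:rw'

# Path of the binary named in the "not found" error.
unbound_bin=/usr/local/unbound/unbound.d/sbin/unbound

# Prints the one mount that covers the binary's directory.
printf '%s\n' "$first_volumes" | shadowing_mounts "$unbound_bin"
```

On the host, `ownership_mismatches /home/steve/docker/unbound 1000 1000` lists anything the chown has not yet covered; no output means nothing is left to fix.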

Hi and thanks for the rapid reply. I really appreciate that you took the time to walk me through what was a noob operator configuration error.

The tl;dr version is that after running the chown command the container came up and seems to be working. I do have an error in the log but I don't know if it matters or not.

  1. as I noted in my last post I had removed the "/home/steve/docker/unbound/:/usr/local/unbound/:rw" volume and there is a volume "/home/steve/docker/unbound/unbound.conf:/usr/local/unbound/unbound.conf:rw". Here is the current unbound volumes section of the pihole-unbound compose:

    volumes:
      - /home/steve/docker/unbound/unbound.conf:/usr/local/unbound/unbound.conf:rw
      - /home/steve/docker/unbound/conf.d/:/usr/local/unbound/conf.d/:rw
      - /home/steve/docker/unbound/log.d/:/usr/local/unbound/log.d/:rw
      - /home/steve/docker/unbound/zones.d/:/usr/local/unbound/zones.d/:rw
      - /home/steve/docker/unbound/iana.d/:/usr/local/unbound/iana.d/:rw
  2. chown -R 1000:1000

steve@rpi2:~/docker/unbound $ sudo chown -R 1000:1000 /home/steve/docker/unbound
steve@rpi2:~/docker/unbound $ ls -l
total 128
drwxr-xr-x 2 steve steve 4096 Feb 13 20:30 conf.d
-rw-r--r-- 1 steve steve 52119 Feb 14 10:56 default_unbound.conf
drwxr-xr-x 2 steve steve 4096 Feb 15 07:59 iana.d
drwxr-xr-x 3 steve steve 4096 Feb 14 17:09 log.d
-rw-r--r-- 1 steve steve 311 Feb 13 20:38 my_unbound.conf
-rw-r--r-- 1 steve steve 52163 Feb 14 18:29 unbound.conf
drwxr-xr-x 3 steve steve 4096 Feb 11 23:08 unbound.d
drwxr-xr-x 2 steve steve 4096 Feb 13 20:18 zones.d

unbound log

Feb 15 09:14:59 unbound[1:0] notice: init module 0: validator
Feb 15 09:14:59 unbound[1:0] notice: init module 1: iterator
Feb 15 09:14:59 unbound[1:0] info: start of service (unbound 1.19.1).
Feb 15 09:15:00 unbound[1:0] error: could not open /iana.d/root.zone.tmp1: No such file or directory

The good news? The container is running and not restarting:

steve@rpi2:~/docker/unbound $ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
56c8f35f70f5 madnuttah/unbound:latest "/usr/local/unbound/…" 14 hours ago Up 5 minutes 0.0.0.0:5335->5335/tcp, 0.0.0.0:5335->5335/udp, :::5335->5335/tcp, :::5335->5335/udp unbound
9ed61b093bad portainer/agent:2.19.4 "./agent" 2 weeks ago Up 2 weeks 0.0.0.0:9001->9001/tcp, :::9001->9001/tcp portainer_agent

I'm not sure if the log output is an indication of a problem or not as the container is up and seems to be working:

steve@rpi2:~/docker/unbound $ dig www.nba.com @172.24.0.3 -p 5335

; <<>> DiG 9.16.44-Raspbian <<>> www.nba.com @172.24.0.3 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3125
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.nba.com. IN A

;; ANSWER SECTION:
www.nba.com. 299 IN CNAME www.nba.com-v1.edgekey.net.
www.nba.com-v1.edgekey.net. 21600 IN CNAME e8017.dscb.akamaiedge.net.
e8017.dscb.akamaiedge.net. 20 IN A 23.59.156.242

;; Query time: 879 msec
;; SERVER: 172.24.0.3#5335(172.24.0.3)
;; WHEN: Thu Feb 15 09:25:47 PST 2024
;; MSG SIZE rcvd: 132

  3. not sure why the txt extension shows in the zip file (except access-control.txt which had been corrected by the time I zipped up the file) but the files on the system all have conf, zone, or key as the extension.

What happens if you comment out the iana.d folder?

If this won't work either, please connect the volume and try to manually download the files and set the permissions on the folder once again?

root.zip

There are the files directly from my iana.d folder if you need them.

well, I tried:

  1. commenting out iana.d
  2. adding your root.hints file
  3. touched a root.zone.tmp1 file

All had the same "unbound[1:0] error: could not open /iana.d/root.zone.tmp1: No such file or directory" but the service still seems to run.

Are you still using the files in the zip you provided?

Hi @hamah99, do you need more help?

Hi and sorry for the delay in responding. I believe I am using all of the files from the zip but there might have been a few changes. It looks like everything is running and the only issue is that minor error on start up complaining of a missing root.zone.tmp1 file so I don't think any further assistance is required.

Once again, thanks for jumping in and being so responsive and helpful.