[Bug] unbound is already running / unable to chroot
JaneDilbert opened this issue · 10 comments
Been using madnuttah unbound docker on Synology NAS for more than a month behind Pi-hole. Everything works great, no issue at all.
Today I made the mistake of restarting it to update the image, and never got back online. I only get these errors:
unbound[1:0] error: can't bind socket: Permission denied for 127.0.0.1 port 53
unbound[1:0] fatal error: could not open ports
- As far as I can remember, I haven't changed anything.
- I even tried executing with high privileges with the same result.
- Tried restarting Docker and also the whole NAS, no change.
- Pi-hole still works fine, although I had to redirect to a different server. All other containers work fine.
- Since it is running bridged in its own container and without exposing ports to the host, the error doesn't make sense unless it is clashing with another unbound instance.
Then I tried different IPs and playing with interfaces.conf using a different port, but things got weirder. It would seem somehow two instances of unbound are trying to run at the same time, or there are file permission issues?
unbound[1:0] warning: unbound is already running as pid 1.
unbound[1:0] fatal error: unable to chroot to /usr/local/unbound: Operation not permitted
compose.yaml
services:
  unbound:
    container_name: unbound
    depends_on:
      - redis-dns
    hostname: unbound
    image: madnuttah/unbound:latest
    environment:
      - TZ=Pacific/Auckland
      - UID=1031
      - GID=65537
      - ServerIP=172.21.0.102
    volumes:
      - ./unbound/conf.d:/usr/local/unbound/conf.d
      - ./unbound/iana.d:/usr/local/unbound/iana.d
      - ./unbound/log.d:/usr/local/unbound/log.d
      - ./unbound/zones.d:/usr/local/unbound/zones.d
      - ./unbound/unbound.conf:/usr/local/unbound/unbound.conf
    networks:
      bridge0:
        ipv4_address: 172.21.0.102
    # ports:
    #   - 5335:53/tcp # Web UI port
    #   - 5335:53/udp # Web UI port
    restart: unless-stopped
networks:
  bridge0:
    external: true
    name: bridge-custom
unbound.conf
include: "/usr/local/unbound/conf.d/*.conf"
include: "/usr/local/unbound/zones.d/*.conf"
server:
  module-config: "cachedb iterator" #validator
  username: "_unbound"
  directory: "/usr/local/unbound"
  chroot: "/usr/local/unbound"
  do-daemonize: no
  tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
  auto-trust-anchor-file: "/usr/local/unbound/iana.d/root.key"
  trust-anchor-signaling: yes
interfaces.conf
server:
  interface: 127.0.0.1
  interface: 172.21.0.102
  do-ip4: yes
  do-ip6: no
  do-tcp: yes
  do-udp: yes
  udp-connect: yes
Any help will be greatly appreciated.
Hi, unfortunately the changes lead to some issues regarding the config files. As it was running for you, there will be just little adaptions to do.
I've changed the online examples so comparing them should solve the issue.
What I see instantly is in your main unbound.conf. Please modify as follows:
include: "/usr/local/unbound/conf.d/*.conf"
include: "/usr/local/unbound/zones.d/*.conf"
server:
  module-config: "cachedb iterator" #validator
  username: ""
  directory: "/usr/local/unbound"
  chroot: ""
  do-daemonize: no
  tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
  auto-trust-anchor-file: "/usr/local/unbound/iana.d/root.key"
  trust-anchor-signaling: yes
And your interfaces.conf:
server:
  # interface: 127.0.0.1
  interface: 172.21.0.102
  do-ip4: yes
  do-ip6: no
  do-tcp: yes
  do-udp: yes
  udp-connect: yes
If there are more configs changed, please show them too.
Thanks.
PS: You can overcome "unbound[1:0] warning: unbound is already running as pid 1." by docker-compose down and docker compose up -d again.
Thanks for your reply!
Changing username and chroot did half the trick: I still had to change the port to something different than 53. Otherwise I kept on getting the errors.
unbound[1:0] error: can't bind socket: Permission denied for 172.21.0.102 port 53
unbound[1:0] fatal error: could not open ports
If it is not too much to ask, do you know what is driving this issue? I was confident it was working, and I'd be keen on learning so it won't happen again later on.
Thanks again.
I'm happy to help! No worries.
Using port 53 would need to enable a CAP in your compose file since the _unbound user has limited permissions which makes the image even more secure (I mean before the CAP is added):
cap_add:
  - NET_BIND_SERVICE
Here's a read at Docker about Privileges and CAPs: Runtime privilege and Linux capabilities
NET_BIND_SERVICE should be sufficient.
Thank you.
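As an added illustration of the point above (not code from the issue thread or from the madnuttah image), the script below decodes a Linux capability mask as printed in /proc/<pid>/status and checks whether CAP_NET_BIND_SERVICE (bit 10, the constant from linux/capability.h) is present, which is what an unprivileged user like _unbound needs to bind port 53. The function names and the sample masks are constructed for this example.

```shell
#!/bin/sh
# Added example: check a capability mask for CAP_NET_BIND_SERVICE, the
# capability a non-root process needs to bind a port below 1024.

CAP_NET_BIND_SERVICE=10   # bit index defined in <linux/capability.h>

# cap_has_net_bind_service MASK -> exit 0 if bit 10 of MASK is set.
# MASK is the hex value shown after CapEff:/CapBnd: in /proc/<pid>/status.
cap_has_net_bind_service() {
  mask=$1
  case $mask in 0x*|0X*) mask=${mask#??} ;; esac   # accept optional 0x prefix
  [ $(( (0x$mask >> CAP_NET_BIND_SERVICE) & 1 )) -eq 1 ]
}

# port_needs_cap PORT -> exit 0 when PORT is privileged (below 1024)
port_needs_cap() {
  [ "$1" -lt 1024 ]
}

# bind_allowed MASK PORT -> exit 0 if a process whose effective
# capabilities are MASK may bind PORT (ignores ip_unprivileged_port_start)
bind_allowed() {
  if port_needs_cap "$2"; then
    cap_has_net_bind_service "$1"
  else
    return 0
  fi
}

# check_self PORT: inspect this shell's own CapEff (Linux only; exit 2 elsewhere)
check_self() {
  eff=$(awk '/^CapEff:/ {print $2}' /proc/self/status 2>/dev/null) || return 2
  [ -n "$eff" ] || return 2
  if bind_allowed "$eff" "$1"; then
    echo "CapEff=$eff: binding port $1 is allowed"
  else
    echo "CapEff=$eff: port $1 needs CAP_NET_BIND_SERVICE (cap_add: - NET_BIND_SERVICE)"
    return 1
  fi
}

# Constructed sample masks: no capabilities at all, and only bit 10 set.
for m in 0000000000000000 0000000000000400; do
  if bind_allowed "$m" 53; then echo "$m: port 53 ok"; else echo "$m: port 53 denied"; fi
done
```

Run check_self 53 inside the container (as the user unbound runs as) to see whether the cap_add actually reached the process; the 5335 workaround mentioned earlier passes because the port is above 1023.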
Hi @JaneDilbert, do you need more help?
Hi @madnuttah. No, everything works great and I got the answers. Apologies I missed the docs earlier. Thanks again!
Thank you @JaneDilbert and I'm happy it works for you again.
No apologies please, I messed up the things.
Hi @madnuttah : I'd like to come back to this issue from @JaneDilbert .
For me, the mentioned error remains (also using this container in a Synology Docker environment), even with
cap_add:
  - NET_BIND_SERVICE
in the yaml file.
Log says upon starting the container:
unbound[1:0] fatal error: could not open ports
unbound[1:0] error: can't bind socket: Permission denied for 127.0.0.1 port 53
My interfaces.conf:
server:
  interface: 127.0.0.1
  # interface: ::1@53
  #outgoing-interface: 0.0.0.0
  so-reuseport: yes
  do-ip4: yes
  do-ip6: no
  do-tcp: yes
  do-udp: yes
  udp-connect: yes
  prefer-ip4: yes
  prefer-ip6: no
I have tried two other unbound container repos. They do work on port 53. But maybe they work otherwise.
Any help would be highly appreciated, as I really like your approach and you are about the only one with an unbound container that is taking TZ into account (which seems to be relevant for correct DNSSEC).
Thanks,
JD
Sorry @madnuttah for highlighting you again. This one is driving me crazy... I've tried about a hundred things to get this going... without luck.
But in a pure act of desperation the hundred-and-first try was using an older version of the repo... tadaa... the older version is working. The container is starting without problems with port 53. I have pinned this down to tag 1.19.1-0. This is the last version which is working for me. Any newer version doesn't allow me to bind port 53.
Maybe this can help a little bit to solve this issue. Speaking of issues... this issue is officially closed. Should I open a new one?