-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Docker working directory changed #6249
Comments
Not sure if related, but also for me coredns started crashing this morning after pulling latest (1.11.0) due latest tag:
I've received continuously the following error in the logs every minute: After reverting back to 1.10.1 everything works again:
(I'm using docker-compose on synology nas) |
I'm guessing this is related to the user ID change. |
@SuperQ could you guide me in the right direction what to do to able to run 1.11.0? |
@NikVandewouwer, Try adding NET_BIND_SERVICE capability |
Nevermind - I was thinking this was a privileged port bind issue, not a directory issue. I wasn't paying attention. |
OK, I see there are two issue reported here. Second is a port bind issue: |
@chrisohaver how would I update my docker-compose to add NET_BIND_SERVICE ? The documentation I find is mainly around k8s. This for example leads to the same error
|
I dont know off hand. |
This change in the dockerfile bricked coredns for us. The environment is highly restricted and we're binding coredns on a higher port, however due to the mandatory Can you please remove that capability from the dockerfile (or create two image variants?). The capability shouldn't be added inside the dockerfile directly. |
You have a highly restricted environment and you use public container images? |
We mirror them and they are being scanned.. this however has nothing to do with my issue :) |
UPDATE: I have raised a PR removing the The proper fix would be to have
Files: # compose.yaml
services:
coredns:
image: coredns/coredns:latest
container_name: coredns
volumes:
- /tmp/Corefile:/Corefile
# Restore previous working directory:
working_dir: /
# Alternatively direct the command to the custom config location:
#command: -conf /Corefile
Bring that up with Now you can query it from the host (or another container on the same container network): # Working whoami for configured domain:
dig @172.18.0.2 example.test | grep '^example'
# Working forward:
dig @172.18.0.2 google.com | grep '^google' I can add the ports and observe no problems in the logs for the container (in this case the host already had ports:
- 54:53
- 54:53/udp Now you can query localhost on port 54: # Working whoami for configured domain:
dig @127.0.0.1 -p 54 example.test | grep '^example'
# Working forward:
dig @127.0.0.1 -p 54 google.com | grep '^google' On the test system (Ubuntu 22.04.3 LTS, fresh VM server install), running as a non-root user (but configured for the # docker logs coredns
# exec /coredns: operation not permitted
cap_drop:
- NET_BIND_SERVICE And as expected that's a non-issue if running the Is the
|
moby/moby#45491: a similar problem was fixed and backported to docker v23.0.7+ & v24.0.6+ & 25.0.0. moby/moby#46222. For this bind permission denied error, could you check if it is fixed in new docker versions. See kubernetes-sigs/kubespray#10869 (comment) for detials. |
EDIT: Sorry, below was regarding a related issue that outputs
Last I checked it is not and there is no reason it should be "fixed", as it's doing what is intended. I was working on an example in late Dec to share but have been side tracked elsewhere unfortunately. If you are security conscious and drop all capabilities that you don't need, the approach CoreDNS has taken conflicts with that.
|
Upgraded from 1.10.1 to 1.11.0 and coredns was not reading the config from /Corefile or /hosts anymore
steps to reproduce:
deploy docker image with volume mounts to /Corefile and /hosts
per docker inspect, the working directory for the docker container was changed from / to /home/nonroot
using coredns/coredns:latest from hub.docker.com
The text was updated successfully, but these errors were encountered: