
[Bug] unbound is already running / unable to chroot #54

Closed
JaneDilbert opened this issue Feb 18, 2024 · 10 comments
Labels: documentation (Improvements or additions to documentation)

Comments

JaneDilbert commented Feb 18, 2024

Been using madnuttah unbound docker on Synology NAS for more than a month behind Pi-hole. Everything works great, no issue at all.

Today I made the mistake of restarting it to update the image, and never got back online. I only get these errors:

unbound[1:0] error: can't bind socket: Permission denied for 127.0.0.1 port 53
unbound[1:0] fatal error: could not open ports
  • As far as I can remember, I haven't changed anything.
  • I even tried executing with high privileges with the same result.
  • Tried restarting Docker and also the whole NAS, no change.
  • Pi-hole still works fine, although I had to redirect to a different server. All other containers work fine.
  • Since it is running bridged in its own container and without exposing ports to the host, the error doesn't make sense unless it is clashing with another unbound instance.

Then tried different IPs and playing with interfaces.conf using a different port, but things got weirder. It would seem somehow two instances of unbound are trying to run at the same time, or file permission issues?

unbound[1:0] warning: unbound is already running as pid 1.
unbound[1:0] fatal error: unable to chroot to /usr/local/unbound: Operation not permitted

compose.yaml

services:
  unbound:
    container_name: unbound
    depends_on:
        - redis-dns
    hostname: unbound
    image: madnuttah/unbound:latest
    environment:
      - TZ=Pacific/Auckland
      - UID=1031
      - GID=65537
      - ServerIP=172.21.0.102
    volumes:
      - ./unbound/conf.d:/usr/local/unbound/conf.d
      - ./unbound/iana.d:/usr/local/unbound/iana.d
      - ./unbound/log.d:/usr/local/unbound/log.d
      - ./unbound/zones.d:/usr/local/unbound/zones.d
      - ./unbound/unbound.conf:/usr/local/unbound/unbound.conf
    networks:
      bridge0:
        ipv4_address: 172.21.0.102
#    ports:
#      - 5335:53/tcp # Web UI port
#      - 5335:53/udp # Web UI port
    restart: unless-stopped

networks:
  bridge0:
    external: true
    name: bridge-custom

unbound.conf

include: "/usr/local/unbound/conf.d/*.conf"
include: "/usr/local/unbound/zones.d/*.conf"

server:
    module-config: "cachedb iterator" #validator
    username: "_unbound"
    directory: "/usr/local/unbound"
    chroot: "/usr/local/unbound"
    do-daemonize: no
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    auto-trust-anchor-file: "/usr/local/unbound/iana.d/root.key"
    trust-anchor-signaling: yes

interfaces.conf

server:
  interface: 127.0.0.1
  interface: 172.21.0.102

  do-ip4: yes
  do-ip6: no
  do-tcp: yes
  do-udp: yes
  udp-connect: yes

Any help will be greatly appreciated.

@JaneDilbert JaneDilbert added the bug Something isn't working label Feb 18, 2024
@JaneDilbert JaneDilbert changed the title [Bug] can't bind socket or unbound is already running [Bug] unbound is already running / unable to chroot Feb 18, 2024
@madnuttah (Owner)

Hi, unfortunately the changes led to some issues regarding the config files. As it was running for you, there will be just a few small adaptations to do.

I've changed the online examples so comparing them should solve the issue.

What I see instantly is in your main unbound.conf. Please modify as follows:

include: "/usr/local/unbound/conf.d/*.conf"
include: "/usr/local/unbound/zones.d/*.conf"

server:
    module-config: "cachedb iterator" #validator
    username: ""
    directory: "/usr/local/unbound"
    chroot: ""
    do-daemonize: no
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    auto-trust-anchor-file: "/usr/local/unbound/iana.d/root.key"
    trust-anchor-signaling: yes

And your interfaces.conf:

server:
  # interface: 127.0.0.1
  interface: 172.21.0.102

  do-ip4: yes
  do-ip6: no
  do-tcp: yes
  do-udp: yes
  udp-connect: yes

If there are more configs changed, please show them too.

Thanks.

madnuttah (Owner) commented Feb 18, 2024

PS: You can overcome unbound[1:0] warning: unbound is already running as pid 1. by running docker-compose down and docker compose up -d again

@JaneDilbert (Author)

Thanks for your reply!

Changing username and chroot did half the trick: I still had to change the port to something other than 53. Otherwise I kept on getting the errors.

unbound[1:0] error: can't bind socket: Permission denied for 172.21.0.102 port 53
unbound[1:0] fatal error: could not open ports

If it is not too much to ask, do you know what is driving this issue? I was confident it was working, and I'd be keen on learning so it won't happen again later on.

Thanks again.

madnuttah (Owner) commented Feb 18, 2024

I'm happy to help! No worries.

Using port 53 requires enabling a CAP in your compose file, since the _unbound user has limited permissions, which makes the image even more secure (I mean before the CAP is added):

cap_add: 
  - NET_BIND_SERVICE

Here's a read at Docker about Privileges and CAPs:

Runtime privilege and Linux capabilities

NET_BIND_SERVICE should be sufficient.

Thank you.
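As an added illustration (not code from the madnuttah/unbound project or from anyone in this thread), the POSIX shell script below decodes the CapEff field of a /proc/<pid>/status text, which is where the two errors in this thread meet: binding port 53 as the non-root _unbound user needs CAP_NET_BIND_SERVICE (kernel capability bit 10), while the "chroot:" directive needs CAP_SYS_CHROOT (bit 18), which the cap_add above does not grant. The status texts are constructed samples; the docker exec line at the end is the only part meant for a live container, and the container name there is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the madnuttah/unbound image or of Unbound itself.
# Decodes the CapEff (effective capabilities) field of a /proc/<pid>/status
# text and reports whether the two capabilities behind the errors in this
# thread are present. Bit numbers are the kernel's capability indices
# (linux/capability.h):
#   CAP_NET_BIND_SERVICE (bit 10): bind a port below 1024 (port 53) as non-root
#   CAP_SYS_CHROOT       (bit 18): honour a "chroot:" directive as non-root

CAP_NET_BIND_SERVICE=10
CAP_SYS_CHROOT=18

# has_cap HEXMASK BIT: prints "yes" if bit BIT is set in the 64-bit hex mask.
has_cap() {
  if [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]; then
    echo yes
  else
    echo no
  fi
}

# cap_eff_from_status: reads /proc/<pid>/status text on stdin, prints CapEff.
cap_eff_from_status() {
  while read -r key value; do
    case "$key" in
      CapEff:) printf '%s\n' "$value"; return 0 ;;
    esac
  done
  return 1
}

# diagnose STATUS_TEXT: one summary line for the process described.
diagnose() {
  mask=$(printf '%s\n' "$1" | cap_eff_from_status) || { echo "no CapEff line"; return 1; }
  printf 'CapEff=%s net_bind_service=%s sys_chroot=%s\n' "$mask" \
    "$(has_cap "$mask" "$CAP_NET_BIND_SERVICE")" \
    "$(has_cap "$mask" "$CAP_SYS_CHROOT")"
}

# Constructed sample: a non-root unbound (UID 1031) that received only
# CAP_NET_BIND_SERVICE. Port 53 binds, but "chroot:" would still be refused.
SAMPLE_NONROOT_NETBIND='Name: unbound
Uid: 1031 1031 1031 1031
CapInh: 0000000000000400
CapPrm: 0000000000000400
CapEff: 0000000000000400
CapBnd: 00000000a80425fb
CapAmb: 0000000000000400'

# Constructed sample: a non-root process with no effective capabilities at all,
# the state that yields "can't bind socket: Permission denied ... port 53".
SAMPLE_NONROOT_NONE='Name: unbound
Uid: 1031 1031 1031 1031
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000'

diagnose "$SAMPLE_NONROOT_NETBIND"
diagnose "$SAMPLE_NONROOT_NONE"
# On a live container (placeholder name):
#   diagnose "$(docker exec <container> cat /proc/1/status)"
```

One caveat worth keeping in mind: cap_add extends the container's bounding set, but whether a process that drops to a non-root user still holds a capability in its effective set depends on how the image hands it down (file capabilities or ambient capabilities). Reading CapEff of the running unbound process, as above, confirms whether the capability actually reached it, rather than inferring that from the compose file.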

@madnuttah madnuttah added the documentation Improvements or additions to documentation label Feb 18, 2024
@madnuttah madnuttah pinned this issue Feb 18, 2024
@madnuttah (Owner)

Hi @JaneDilbert, do you need more help?

@JaneDilbert (Author)

Hi @madnuttah. No, everything works great and I got the answers. Apologies I missed the docs earlier. Thanks again!

@madnuttah (Owner)

Thank you @JaneDilbert and I'm happy it works for you again.

No apologies please, I messed things up.

@madnuttah madnuttah unpinned this issue Feb 19, 2024
@madnuttah madnuttah removed the bug Something isn't working label Feb 19, 2024
jaydee73 commented Mar 16, 2024

Hi @madnuttah: I'd like to come back to this issue from @JaneDilbert.

For me, the mentioned error remains (also using this container in a Synology-Docker-environment), even with

cap_add: 
  - NET_BIND_SERVICE

in the yaml file.

Log says upon starting the container:

unbound[1:0] fatal error: could not open ports
unbound[1:0] error: can't bind socket: Permission denied for 127.0.0.1 port 53 

My interfaces.conf:

server:
  interface: 127.0.0.1
#  interface: ::1@53

  #outgoing-interface: 0.0.0.0

  so-reuseport: yes

  do-ip4: yes
  do-ip6: no
  do-tcp: yes
  do-udp: yes
  udp-connect: yes

  prefer-ip4: yes
  prefer-ip6: no

I have tried two other unbound container repos. They do work on port 53. But maybe they work differently.

Any help would be highly appreciated, as I really like your approach and you are about the only one with an unbound container that is taking TZ into account (which seems to be relevant for correct DNSSEC).

Thanks,
JD

@jaydee73

Sorry @madnuttah for highlighting you again. This one is driving me crazy... I've tried about a hundred things to get this going... without luck.

But in a pure desperation act the hundred-and-first try was using an older version of the repo... tadaa... the older version is working. The container is starting without problems with port 53. I have pinned this down to tag 1.19.1-0. This is the last version which is working for me. Any newer version doesn't allow me to bind port 53.

Maybe this can help a little bit to solve this issue. Speaking of issues... this issue is officially closed. Should I open a new one?

@madnuttah (Owner)

Yes @jaydee73, it would be better if you could please open a new issue. We're solving this issue in a breeze then. Thank you!
