Segfault in /usr/lib/nagios/plugins/check_dns in Watchdog container #5033

Closed
5 tasks done
Lorak-mmk opened this issue Jan 30, 2023 · 5 comments
Labels
bug stale Please update the issue with current status, unclear if it's still open/needed.

Comments

@Lorak-mmk

Contribution guidelines

I've found a bug and checked that ...

  • ... I understand that not following the below instructions will result in immediate closure and/or deletion of my issue.
  • ... I have understood that this bug report is dedicated for bugs, and not for support-related inquiries.
  • ... I have understood that answers are voluntary and community-driven, and not commercial support.
  • ... I have verified that my issue has not been already answered in the past. I also checked previous issues.

Description

I see A LOT of segfaults for `/usr/lib/nagios/plugins/check_dns` in my journalctl.
See example journalctl entries in "Logs" section.


I can see that it's being run here, by watchdog container: https://github.com/mailcow/mailcow-dockerized/blob/640f535e9995f27fcc1541a60f0a56648d0d66cc/data/Dockerfiles/watchdog/watchdog.sh#L272

When I try to execute the command myself in the container, I also get the segfault (see gdb session in "Logs" section), but it seems that the binary has no symbols, so the stacktrace is quite useless.

Logs:

Crash in journalctl:

Jan 30 22:02:47 vps770689.ovh.net systemd-coredump[3126064]: [🡕] Process 3126059 (check_dns) of user 0 dumped core.
                                                             
                                                             Module /usr/lib/nagios/plugins/check_dns without build-id.
                                                             Module /lib/libcrypto.so.3 without build-id.
                                                             Module /lib/ld-musl-x86_64.so.1 without build-id.
                                                             Module linux-vdso.so.1 with build-id 5cbcbeaed17f6205501c99ad3b84bfa3cb42f965
                                                             Stack trace of thread 1646727:
                                                             #0  0x00005576fbe22ffc n/a (/usr/lib/nagios/plugins/check_dns + 0x6ffc)
                                                             ELF object binary architecture: AMD x86-64

GDB session:

ea9217b7bd96:/# gdb /usr/lib/nagios/plugins/check_dns
GNU gdb (GDB) 12.1
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-alpine-linux-musl".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/lib/nagios/plugins/check_dns...
(No debugging symbols found in /usr/lib/nagios/plugins/check_dns)
(gdb) r -s 172.22.1.254 -H stackoverflow.com
Starting program: /usr/lib/nagios/plugins/check_dns -s 172.22.1.254 -H stackoverflow.com
warning: Error disabling address space randomization: Operation not permitted
[Detaching after fork from child process 1645329]

Program received signal SIGSEGV, Segmentation fault.
0x00005586fc99bffc in ?? ()
(gdb) bt
#0  0x00005586fc99bffc in ?? ()
#1  0x00005586fc9987e8 in ?? ()
#2  0x00007f9edd1cf9ca in ?? () from /lib/ld-musl-x86_64.so.1
#3  0x00007f9edd1cf9a2 in ?? () from /lib/ld-musl-x86_64.so.1
#4  0x00007ffc6368ed10 in ?? ()
#5  0x0000000000000000 in ?? ()


Steps to reproduce:

1. Install and start mailcow-dockerized
2. I guess look into your journalctl? I'm not aware of any other prerequisites.

Which branch are you using?

master

Operating System:

Fedora 37

Server/VM specifications:

OVH VPS, 2GB RAM, 1 core

Is Apparmor, SELinux or similar active?

It's Fedora, so SELinux is active

Virtualization technology:

Not sure - the one OVH uses for their VPSs

Docker version:

20.10.22

docker-compose version or docker compose version:

v2.14.1

mailcow version:

2023-01

Reverse proxy:

Nginx

Logs of git diff:

diff --git a/data/assets/ssl-example/cert.pem b/data/assets/ssl-example/cert.pem
index 96d16bec..52904bf7 100644
--- a/data/assets/ssl-example/cert.pem
+++ b/data/assets/ssl-example/cert.pem
@@ -1,19 +1,33 @@
<Removed for clarity - I don't think those files matter?>
diff --git a/data/assets/ssl-example/key.pem b/data/assets/ssl-example/key.pem
index cedf35a0..88588c39 100644
--- a/data/assets/ssl-example/key.pem
+++ b/data/assets/ssl-example/key.pem
@@ -1,27 +1,52 @@
<Removed for clarity - I don't think those files matter?>
diff --git a/data/conf/postfix/main.cf b/data/conf/postfix/main.cf
index a445b60c..9dae5e12 100644
--- a/data/conf/postfix/main.cf
+++ b/data/conf/postfix/main.cf
@@ -198,3 +198,6 @@ parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks
 
 # DO NOT EDIT ANYTHING BELOW #
 # User overrides #
+
+myhostname = <REDACTED>
+
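Review bot: The added `myhostname = <REDACTED>` line and the blank lines around it sit below the `# DO NOT EDIT ANYTHING BELOW #` marker, under `# User overrides #`. The report should say whether this is a hand edit to main.cf or text written there from a separate override source; a hand edit in that region should be moved to wherever user overrides are meant to be supplied, so the tracked file stays unmodified.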
diff --git a/docker-compose.yml b/docker-compose.yml
index 3b3ccee3..2083b1e6 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -377,9 +377,6 @@ services:
         - ./data/conf/nginx/:/etc/nginx/conf.d/:z
         - ./data/conf/rspamd/meta_exporter:/meta_exporter:ro,z
         - sogo-web-vol-1:/usr/lib/GNUstep/SOGo/
-      ports:
-        - "${HTTPS_BIND:-}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}"
-        - "${HTTP_BIND:-}:${HTTP_PORT:-80}:${HTTP_PORT:-80}"
       restart: always
       networks:
         mailcow-network:
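Review bot: Deleting the whole `ports:` block in this hunk leaves the service with no published HTTP/HTTPS port, and the report only states "Reverse proxy: Nginx" without saying how that proxy reaches the container. The removed lines already take the bind address and port from `${HTTPS_BIND:-}`, `${HTTPS_PORT:-443}`, `${HTTP_BIND:-}` and `${HTTP_PORT:-80}`, so setting those variables would restrict exposure without carrying a local change to docker-compose.yml.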
@@ -582,36 +579,6 @@ services:
           aliases:
             - ofelia
 
-    ipv6nat-mailcow:
-      depends_on:
-        - unbound-mailcow
-        - mysql-mailcow
-        - redis-mailcow
-        - clamd-mailcow
-        - rspamd-mailcow
-        - php-fpm-mailcow
-        - sogo-mailcow
-        - dovecot-mailcow
-        - postfix-mailcow
-        - memcached-mailcow
-        - nginx-mailcow
-        - acme-mailcow
-        - netfilter-mailcow
-        - watchdog-mailcow
-        - dockerapi-mailcow
-        - solr-mailcow
-      environment:
-        - TZ=${TZ}
-      image: robbertkl/ipv6nat
-      security_opt:
-        - label=disable
-      restart: always
-      privileged: true
-      network_mode: "host"
-      volumes:
-        - /var/run/docker.sock:/var/run/docker.sock:ro
-        - /lib/modules:/lib/modules:ro
-
 networks:
   mailcow-network:
     driver: bridge
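Review bot: The removal of the `ipv6nat-mailcow` service in this hunk is not explained anywhere in the report, while the ip6tables listings further down still show MASQUERADE and DNAT rules for `br-mailcow` with non-zero packet counters. State whether IPv6 is meant to be disabled or what manages these rules now, since the removed service was the one running with `privileged: true`, `network_mode: "host"` and the Docker socket mounted.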

Logs of iptables -L -vn:

# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 3 packets, 180 bytes)
 pkts bytes target     prot opt in     out     source               destination         
7285K 5616M DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
7285K 5616M DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
  24M   23G ACCEPT     all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2110K  133M DOCKER     all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0           
2464K  229M ACCEPT     all  --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0           
1993K  126M ACCEPT     all  --  br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0           
 633K   56M ACCEPT     all  --  *      br-810f291b86e6  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   58  3480 DOCKER     all  --  *      br-810f291b86e6  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-810f291b86e6 !br-810f291b86e6  0.0.0.0/0            0.0.0.0/0           
   58  3480 ACCEPT     all  --  br-810f291b86e6 br-810f291b86e6  0.0.0.0/0            0.0.0.0/0           
1169K  210M ACCEPT     all  --  *      br-5bdd706cb31b  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
34034 2042K DOCKER     all  --  *      br-5bdd706cb31b  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-5bdd706cb31b !br-5bdd706cb31b  0.0.0.0/0            0.0.0.0/0           
34034 2042K ACCEPT     all  --  br-5bdd706cb31b br-5bdd706cb31b  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      br-8d8f1dcfd711  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      br-8d8f1dcfd711  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-8d8f1dcfd711 !br-8d8f1dcfd711  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-8d8f1dcfd711 br-8d8f1dcfd711  0.0.0.0/0            0.0.0.0/0           
  19M 6325M ACCEPT     all  --  *      br-f5abef682adf  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
1689K  101M DOCKER     all  --  *      br-f5abef682adf  0.0.0.0/0            0.0.0.0/0           
  13M 9136M ACCEPT     all  --  br-f5abef682adf !br-f5abef682adf  0.0.0.0/0            0.0.0.0/0           
 454K   27M ACCEPT     all  --  br-f5abef682adf br-f5abef682adf  0.0.0.0/0            0.0.0.0/0           
 526K  118M ACCEPT     all  --  *      br-abd5809b0006  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 1528 91680 DOCKER     all  --  *      br-abd5809b0006  0.0.0.0/0            0.0.0.0/0           
 413K   82M ACCEPT     all  --  br-abd5809b0006 !br-abd5809b0006  0.0.0.0/0            0.0.0.0/0           
 1518 91080 ACCEPT     all  --  br-abd5809b0006 br-abd5809b0006  0.0.0.0/0            0.0.0.0/0           
1962K  799M ACCEPT     all  --  *      br-686f28e69491  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 153K 9175K DOCKER     all  --  *      br-686f28e69491  0.0.0.0/0            0.0.0.0/0           
10639 1181K ACCEPT     all  --  br-686f28e69491 !br-686f28e69491  0.0.0.0/0            0.0.0.0/0           
 153K 9175K ACCEPT     all  --  br-686f28e69491 br-686f28e69491  0.0.0.0/0            0.0.0.0/0           
3323K 1376M ACCEPT     all  --  *      br-02505fa297c1  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 302K   18M DOCKER     all  --  *      br-02505fa297c1  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-02505fa297c1 !br-02505fa297c1  0.0.0.0/0            0.0.0.0/0           
 302K   18M ACCEPT     all  --  br-02505fa297c1 br-02505fa297c1  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      br-01298c332710  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      br-01298c332710  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-01298c332710 !br-01298c332710  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-01298c332710 br-01298c332710  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (10 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.2           tcp dpt:8983
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:12345
    7   400 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:4190
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.6           tcp dpt:3306
  236 13660 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:995
33109 1978K ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:587
  601 35672 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:993
  141  8156 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:465
  114  6480 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:143
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.249         tcp dpt:6379
  274 14400 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:25
  115  6568 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:110

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-5bdd706cb31b !br-5bdd706cb31b  0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-810f291b86e6 !br-810f291b86e6  0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-686f28e69491 !br-686f28e69491  0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-01298c332710 !br-01298c332710  0.0.0.0/0            0.0.0.0/0           
 762K   70M DOCKER-ISOLATION-STAGE-2  all  --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0           
    3   120 DOCKER-ISOLATION-STAGE-2  all  --  br-f5abef682adf !br-f5abef682adf  0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-abd5809b0006 !br-abd5809b0006  0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-8d8f1dcfd711 !br-8d8f1dcfd711  0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-02505fa297c1 !br-02505fa297c1  0.0.0.0/0            0.0.0.0/0           
7285K 5616M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (10 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      br-5bdd706cb31b  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      br-810f291b86e6  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      br-686f28e69491  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      br-01298c332710  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      br-f5abef682adf  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      br-abd5809b0006  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      br-8d8f1dcfd711  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      br-02505fa297c1  0.0.0.0/0            0.0.0.0/0           
 762K   70M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 135M   94G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Logs of ip6tables -L -vn:

# Warning: ip6tables-legacy tables present, use ip6tables-legacy to see them
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
1702K 1623M DOCKER-ISOLATION-STAGE-1  all      *      *       ::/0                 ::/0                
    0     0 ACCEPT     all      docker0 !docker0  ::/0                 ::/0                
    0     0 ACCEPT     all      docker0 docker0  ::/0                 ::/0                
 630K   68M ACCEPT     all      br-mailcow !br-mailcow  ::/0                 ::/0                
5121K 5371M ACCEPT     all      br-mailcow br-mailcow  ::/0                 ::/0                
  11M   11G ACCEPT     all      *      br-mailcow  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
2310K  167M DOCKER     all      *      br-mailcow  ::/0                 ::/0                
    0     0 ACCEPT     all      *      docker0  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all      *      docker0  ::/0                 ::/0                

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   140 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::5  tcp dpt:4190
   11   880 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::5  tcp dpt:995
    2   144 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:587
  290 23184 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::5  tcp dpt:993
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:465
    1    80 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::5  tcp dpt:143
    7   464 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:25
    1    80 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::5  tcp dpt:110

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-ISOLATION-STAGE-2  all      docker0 !docker0  ::/0                 ::/0                
    0     0 DOCKER-ISOLATION-STAGE-2  all      br-5bdd706cb31b !br-5bdd706cb31b  ::/0                 ::/0                
    0     0 DOCKER-ISOLATION-STAGE-2  all      br-810f291b86e6 !br-810f291b86e6  ::/0                 ::/0                
    0     0 DOCKER-ISOLATION-STAGE-2  all      br-686f28e69491 !br-686f28e69491  ::/0                 ::/0                
    0     0 DOCKER-ISOLATION-STAGE-2  all      br-01298c332710 !br-01298c332710  ::/0                 ::/0                
 188K   19M DOCKER-ISOLATION-STAGE-2  all      br-mailcow !br-mailcow  ::/0                 ::/0                
    0     0 DOCKER-ISOLATION-STAGE-2  all      br-f5abef682adf !br-f5abef682adf  ::/0                 ::/0                
    0     0 DOCKER-ISOLATION-STAGE-2  all      br-abd5809b0006 !br-abd5809b0006  ::/0                 ::/0                
    0     0 DOCKER-ISOLATION-STAGE-2  all      br-8d8f1dcfd711 !br-8d8f1dcfd711  ::/0                 ::/0                
    0     0 DOCKER-ISOLATION-STAGE-2  all      br-02505fa297c1 !br-02505fa297c1  ::/0                 ::/0                
1702K 1623M RETURN     all      *      *       ::/0                 ::/0                

Chain DOCKER-ISOLATION-STAGE-2 (10 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all      *      docker0  ::/0                 ::/0                
    0     0 DROP       all      *      br-5bdd706cb31b  ::/0                 ::/0                
    0     0 DROP       all      *      br-810f291b86e6  ::/0                 ::/0                
    0     0 DROP       all      *      br-686f28e69491  ::/0                 ::/0                
    0     0 DROP       all      *      br-01298c332710  ::/0                 ::/0                
    0     0 DROP       all      *      br-mailcow  ::/0                 ::/0                
    0     0 DROP       all      *      br-f5abef682adf  ::/0                 ::/0                
    0     0 DROP       all      *      br-abd5809b0006  ::/0                 ::/0                
    0     0 DROP       all      *      br-8d8f1dcfd711  ::/0                 ::/0                
    0     0 DROP       all      *      br-02505fa297c1  ::/0                 ::/0                
 188K   19M RETURN     all      *      *       ::/0                 ::/0

Logs of iptables -L -vn -t nat:

# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 280K   14M DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0           
1146K   84M MASQUERADE  all  --  *      !br-mailcow  172.22.1.0/24        0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      !br-810f291b86e6  172.20.0.0/16        0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      !br-5bdd706cb31b  172.19.0.0/16        0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      !br-8d8f1dcfd711  172.18.0.0/16        0.0.0.0/0           
    2  2920 MASQUERADE  all  --  *      !br-f5abef682adf  172.29.0.0/16        0.0.0.0/0           
15050  903K MASQUERADE  all  --  *      !br-abd5809b0006  192.168.0.0/20       0.0.0.0/0           
  699 41940 MASQUERADE  all  --  *      !br-686f28e69491  172.28.0.0/16        0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      !br-02505fa297c1  172.21.0.0/16        0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      !br-01298c332710  172.23.0.0/16        0.0.0.0/0           
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.2           172.22.1.2           tcp dpt:8983
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:12345
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:4190
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.6           172.22.1.6           tcp dpt:3306
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:995
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.253         172.22.1.253         tcp dpt:587
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:993
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.253         172.22.1.253         tcp dpt:465
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:143
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.249         172.22.1.249         tcp dpt:6379
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.253         172.22.1.253         tcp dpt:25
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:110

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  br-5bdd706cb31b *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  br-810f291b86e6 *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  br-686f28e69491 *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  br-01298c332710 *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  br-mailcow *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  br-f5abef682adf *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  br-abd5809b0006 *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  br-8d8f1dcfd711 *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  br-02505fa297c1 *       0.0.0.0/0            0.0.0.0/0           
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:18983 to:172.22.1.2:8983
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:19991 to:172.22.1.250:12345
    7   400 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4190 to:172.22.1.250:4190
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:13306 to:172.22.1.6:3306
  236 13660 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995 to:172.22.1.250:995
33113 1978K DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 to:172.22.1.253:587
  601 35672 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 to:172.22.1.250:993
  141  8156 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465 to:172.22.1.253:465
  114  6480 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 to:172.22.1.250:143
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:7654 to:172.22.1.249:6379
  274 14400 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:172.22.1.253:25
  115  6568 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110 to:172.22.1.250:110

Logs of ip6tables -L -vn -t nat:

# Warning: ip6tables-legacy tables present, use ip6tables-legacy to see them
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 129K   10M DOCKER     all      *      *       ::/0                 ::/0                 ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     all      *      *       ::/0                !::1                  ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all      *      !docker0  fd00:dead:beef:c0::/80  ::/0                
 515K   47M MASQUERADE  all      *      !br-mailcow  fd4d:6169:6c63:6f77::/64  ::/0                
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::5  fd4d:6169:6c63:6f77::5  tcp dpt:4190
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::5  fd4d:6169:6c63:6f77::5  tcp dpt:995
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::b  fd4d:6169:6c63:6f77::b  tcp dpt:587
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::5  fd4d:6169:6c63:6f77::5  tcp dpt:993
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::b  fd4d:6169:6c63:6f77::b  tcp dpt:465
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::5  fd4d:6169:6c63:6f77::5  tcp dpt:143
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::b  fd4d:6169:6c63:6f77::b  tcp dpt:25
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::5  fd4d:6169:6c63:6f77::5  tcp dpt:110

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all      docker0 *       ::/0                 ::/0                
    0     0 RETURN     all      br-mailcow *       ::/0                 ::/0                
    2   140 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:4190 to:[fd4d:6169:6c63:6f77::5]:4190
   11   880 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:995 to:[fd4d:6169:6c63:6f77::5]:995
    2   144 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:587 to:[fd4d:6169:6c63:6f77::b]:587
  290 23184 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:993 to:[fd4d:6169:6c63:6f77::5]:993
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:465 to:[fd4d:6169:6c63:6f77::b]:465
    1    80 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:143 to:[fd4d:6169:6c63:6f77::5]:143
    7   464 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:25 to:[fd4d:6169:6c63:6f77::b]:25
    1    80 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:110 to:[fd4d:6169:6c63:6f77::5]:110

DNS check:

docker exec -it $(docker ps -qf name=acme-mailcow) dig +short stackoverflow.com @172.22.1.254
151.101.129.69
151.101.65.69
151.101.193.69
151.101.1.69
@Lorak-mmk Lorak-mmk added the bug label Jan 30, 2023
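Added example (not part of the original issue and not mailcow code): the backtrace above has no symbols, but the journal entry gives a module-relative offset, and that offset is stable across runs even though ASLR changes the absolute addresses. The sketch below groups coredump entries by faulting offset and rebases the gdb frames onto the same module; it assumes the gdb crash is the same fault as the journal one (checked via the low 12 bits) and an arbitrary 16 MiB upper bound on the binary's image size.

```python
import re
from collections import Counter

# Sample input copied (trimmed) from the journal entry and gdb session in the report.
JOURNAL = """\
systemd-coredump[3126064]: Process 3126059 (check_dns) of user 0 dumped core.
    Stack trace of thread 1646727:
    #0  0x00005576fbe22ffc n/a (/usr/lib/nagios/plugins/check_dns + 0x6ffc)
"""
GDB_BT = """\
#0  0x00005586fc99bffc in ?? ()
#1  0x00005586fc9987e8 in ?? ()
#2  0x00007f9edd1cf9ca in ?? () from /lib/ld-musl-x86_64.so.1
#3  0x00007f9edd1cf9a2 in ?? () from /lib/ld-musl-x86_64.so.1
#4  0x00007ffc6368ed10 in ?? ()
#5  0x0000000000000000 in ?? ()
"""

PAGE_MASK = 0xFFF            # load bases are page aligned
MAX_IMAGE = 16 * 1024 ** 2   # assumption: the plugin image is smaller than 16 MiB

JOURNAL_FRAME = re.compile(
    r"#(\d+)\s+0x([0-9a-f]+)\s+\S+\s+\((\S+) \+ 0x([0-9a-f]+)\)")
GDB_FRAME = re.compile(
    r"^#(\d+)\s+0x([0-9a-f]+) in \?\? \(\)( from \S+)?", re.M)


def journal_frames(text):
    """Return (frame_no, absolute_addr, module, offset) per coredump frame."""
    return [(int(n), int(addr, 16), mod, int(off, 16))
            for n, addr, mod, off in JOURNAL_FRAME.findall(text)]


def crash_signatures(text):
    """Count crashes by (module, offset) of frame #0.

    Many entries with one signature point at a single deterministic bug
    rather than random memory corruption.
    """
    return Counter((mod, off)
                   for n, _, mod, off in journal_frames(text) if n == 0)


def load_base(addr, offset):
    """Recover the ASLR load base from an absolute address and its offset."""
    base = addr - offset
    if base & PAGE_MASK:
        raise ValueError("address/offset pair does not give a page-aligned base")
    return base


def rebase_gdb(bt_text, fault_offset):
    """Turn gdb frames of the main binary into module-relative offsets.

    Frames that gdb attributes to a library ("from ...") are skipped, and
    frames that fall outside the assumed image size (stack addresses, the
    terminating NULL frame) are dropped.
    """
    frames = [(int(n), int(addr, 16))
              for n, addr, lib in GDB_FRAME.findall(bt_text) if not lib]
    fault_addr = next(addr for n, addr in frames if n == 0)
    base = load_base(fault_addr, fault_offset)  # raises if the faults differ
    return [(n, addr - base) for n, addr in frames
            if 0 <= addr - base < MAX_IMAGE]


if __name__ == "__main__":
    for (module, offset), count in crash_signatures(JOURNAL).items():
        print(f"{count} crash(es) at {module} + {offset:#x}")
    for n, offset in rebase_gdb(GDB_BT, 0x6ffc):
        print(f"gdb frame #{n}: check_dns + {offset:#x}")
```

The resulting offsets can be resolved with `addr2line -e` against a build of the same plugin version that carries debug symbols.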
@MAGICCC
Member

MAGICCC commented Jan 31, 2023

Just tried on my box, with KVM, and no segfaults

Can you run systemd-detect-virt to see if your VM also uses KVM? If yes, then tbh I have no clue :(

@Lorak-mmk
Author

Yes, this command says it's kvm.

@milkmaker
Collaborator

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@milkmaker milkmaker added the stale Please update the issue with current status, unclear if it's still open/needed. label Apr 2, 2023
@milkmaker milkmaker closed this as not planned Won't fix, can't repro, duplicate, stale Apr 9, 2023
@flomaass

I have the same issue with the nagios check_dns on current mailcow version 2023-05a with docker of 24.0.5, build ced0996 and docker compose version v2.20.2; ipv6 disabled as per recommendation of docs.

@Xeroxxx

Xeroxxx commented Nov 19, 2023

I have the same error getting a segmentation fault with nagios 2.4.2 and 2.4.5. However DNS works fine. I ended up disabling the nagios check_dns.
