MatthewVance / unbound-docker-rpi

Run Unbound with latest version of OpenSSL on Raspberry Pi with Docker.
MIT License
136 stars 23 forks

Docker reports health is unhealthy #38

Closed daryll-swer closed 1 year ago

daryll-swer commented 1 year ago

I will share the config first and my findings on what I think is responsible for the failing health check.

Docker/Compose config

version: "3.8"
networks:
  docker_bridge:
    driver: bridge
    enable_ipv6: true
    ipam:
      driver: default
      config:
        - subnet: 2400:7060::/64
          gateway: 2400:7060::1

services:
  # Unbound Recursor
  unbound:
    networks:
      docker_bridge:
        ipv6_address: 2400:7060::8
    container_name: unbound
    ports:
      - '5335:5335/tcp'
      - '5335:5335/udp'
    restart: unless-stopped
    volumes:
      - '/opt/unbound:/opt/unbound/etc/unbound/'
    image: 'mvance/unbound-rpi:latest'

unbound.conf

server:
        # If no logfile is specified, syslog is used
        # logfile: "/var/log/unbound/unbound.log"
        verbosity: 0

        interface: 0.0.0.0
        interface: 2400:7060:1:202::8
        port: 5335
        do-ip4: yes
        do-ip6: yes
        prefer-ip6: yes
        do-udp: yes
        do-tcp: yes

        access-control: 2400:7060:1::/64 allow

        # Trust glue only if it is within the server's authority
        harden-glue: yes

        # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
        harden-dnssec-stripped: yes

        # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
        # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
        use-caps-for-id: no

        edns-buffer-size: 1232

        # Perform prefetching of close to expired message cache entries
        # This only applies to domains that have been frequently queried
        prefetch: yes

        # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performa>
        num-threads: 1

        # Ensure kernel buffer is large enough to not lose messages in traffic spikes
        so-rcvbuf: 1m

        # Ensure privacy of local IP ranges
        private-address: 192.168.0.0/16
        private-address: 169.254.0.0/16
        private-address: 172.16.0.0/12
        private-address: 10.0.0.0/8
        private-address: fd00::/8
        private-address: fe80::/10

Docker PS output

CONTAINER ID   IMAGE                       COMMAND         CREATED          STATUS                            PORTS                                                                                                  NAMES
7218a14401bc   mvance/unbound-rpi:latest   "/unbound.sh"   19 minutes ago   Up 2 minutes (unhealthy)   53/tcp, 53/udp, 0.0.0.0:5335->5335/tcp, 0.0.0.0:5335->5335/udp, :::5335->5335/tcp, :::5335->5335/udp   unbound

What I want to do is simple. I want the unbound container to listen only on IPv6 port 5335, inside and outside, but that does not seem to work correctly: as we can see, ports 53 are still opened somehow, and if I disable IPv4 listening in the unbound config, then I'm not able to reach the recursor from a forwarder. The above config works fine except for two issues:

  1. Health is unhealthy – Likely related to the port issues.
  2. Ports 53 still opened for some reason even though I explicitly specify 5335 in both docker compose and unbound config.
  3. Not sure how to make the container listen only on IPv6 port 53 and not bind to IPv4 at all.

daryll-swer commented 1 year ago

@MatthewVance am I doing something wrong or did I encounter a bug?

MatthewVance commented 1 year ago

IPv6 isn’t supported. It may be possible to reconfigure the Unbound settings to permit this, but the defaults do not. This is due to some complexity with how Docker does IPv6 and underlying host requirements (you need to enable IPv6 support in the Docker daemon).

On Nov 11, 2022, at 11:25 AM, Daryll Swer wrote: @MatthewVance am I doing something wrong or did I encounter a bug?

daryll-swer commented 1 year ago

@MatthewVance

Docker IPv6 is already enabled on the host and I have a PIA IPv6 block, and a bunch of containers already working fine with IPv6 such as this.

If you checked the unbound config file I shared, IPv6 is enabled and IPv6 is working correctly from client towards the container as well. There's no doubt about IPv6 working correctly in this issue.

The issue is with the health checks/port numbers/wanting to remove IPv4 from unbound config/docker compose config.

MatthewVance commented 1 year ago

If you don’t want IPv4, this shouldn’t be in your config: interface: 0.0.0.0

For the health check, you’re going to need to override the default one in the Dockerfile by providing an alternative in the compose file.

daryll-swer commented 1 year ago

@MatthewVance

If you don’t want IPv4, this shouldn’t be in your config: interface: 0.0.0.0

As stated before, if I remove IPv4 config on unbound.conf, unbound itself stops working and no longer replies to clients. So that method does not work so far.

For the health check, you’re going to need to override the default one in the Dockerfile by providing an alternative in the compose file.

Can you share some compose config samples to fix the health checks?

MatthewVance commented 1 year ago

I’m trying to give you pointers, but IPv6 isn’t supported.

https://docs.docker.com/compose/compose-file/compose-file-v3/#healthcheck

MatthewVance commented 1 year ago

One other tip: consider providing an expose value in your Compose file to match your port assignments and override the default in the Dockerfile.

https://docs.docker.com/compose/compose-file/compose-file-v3/#expose

https://github.com/MatthewVance/unbound-docker-rpi/blob/master/1.17.0/Dockerfile#L130
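An added Compose example, not taken from the issue or from the repository, that puts the two suggestions above together: a healthcheck override that probes the address and port unbound actually binds, and an expose value matching port 5335. It assumes the image ships drill (the repository's default health check is assumed to run drill against 127.0.0.1 on port 53, so a listener on 5335 can never pass it); the address 2400:7060::8 is the ipv6_address from the issue's compose file, and example.com is a constructed probe name.

```yaml
# Added example (not the issue's or the repository's own file): Compose
# service whose health check and expose value match an IPv6 listener on
# port 5335 instead of the image defaults (assumed: drill on 127.0.0.1:53).
version: "3.8"

networks:
  docker_bridge:
    driver: bridge
    enable_ipv6: true
    ipam:
      driver: default
      config:
        - subnet: 2400:7060::/64
          gateway: 2400:7060::1

services:
  unbound:
    image: 'mvance/unbound-rpi:latest'
    container_name: unbound
    restart: unless-stopped
    networks:
      docker_bridge:
        ipv6_address: 2400:7060::8   # address from the issue; unbound.conf must bind this one
    ports:
      - '5335:5335/tcp'
      - '5335:5335/udp'
    # Ports Compose should report for this container; the Dockerfile's
    # EXPOSE 53 is image metadata only and opens nothing by itself.
    expose:
      - '5335/tcp'
      - '5335/udp'
    volumes:
      - '/opt/unbound:/opt/unbound/etc/unbound/'
    # Replace the image's default check with one aimed at the real listener.
    # example.com is a constructed placeholder; any name the resolver can
    # recurse for works.
    healthcheck:
      test: ["CMD-SHELL", "drill -p 5335 @2400:7060::8 example.com || exit 1"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 10s
```

Two checks worth making before relying on this: the `interface:` line in unbound.conf must name an address that is actually assigned to the container (the compose file's ipv6_address), since unbound cannot bind an address the container does not have; and because the probe resolves a public name, a failing health status can also mean upstream reachability or DNSSEC validation problems rather than a broken listener, so confirm with `docker inspect` on the container's Health.Log before changing the listener configuration.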