MatthewVance / unbound-docker-rpi

Run Unbound with latest version of OpenSSL on Raspberry Pi with Docker.
MIT License

Error on startup: so-rcvbuf 1048576 was not granted. #4

Closed LeWimbes closed 4 years ago

LeWimbes commented 4 years ago

Hi, I was trying to set up your unbound image alongside my already running Pi-hole. When I try to start all the services with sudo docker-compose up, unbound returns the following message and exits:

unbound[1:0] warning: so-rcvbuf 1048576 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl bigger net.core.rmem_max(linux) or kern.ipc.maxsockbuf(bsd) values.

On the Pi-hole discourse site I found a post dealing with the same issue https://discourse.pi-hole.net/t/pihole-on-ubuntu-18-04-with-unbound-fails-after-some-time/22585, but it seems like using different ports isn't solving the issue in my case.

In my setup I mostly followed this guide: https://docs.pi-hole.net/guides/unbound/

This is my current unbound.conf:

server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    access-control: 173.32.0.0/16 allow # answer queries from local subnet (pi-hole)
    interface: 0.0.0.0 # listen on all interfaces
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: yes

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Teredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use capitalization randomization as it is known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

And the probably relevant part of my docker-compose.yml:

version: '3.8'

networks:
  frontend_proxy:
  dhcp_backend:
    ipam:
      config:
        - subnet: 172.31.0.0/16
  dns_backend:
    driver: bridge
    ipam:
      config:
        - subnet: 173.32.0.0/16

services:
  unbound:
    image: mvance/unbound-rpi:latest
    container_name: unbound
    restart: unless-stopped
    networks:
      - dns_backend
    volumes:
      - './unbound/setup/config/:/opt/unbound/etc/unbound/'
      - './unbound/setup/root_hints/:/var/lib/unbound/'
    ports:
      # - '8953:8953/tcp' # saw the port on stackoverflow, really needed?
      - '5335:5335' # connection with pi-hole
      - '5353:53' # as 53 is already used by pi-hole

  pihole:
    image: pihole/pihole:latest
    container_name: pihole
    restart: unless-stopped
    networks:
      frontend_proxy: {}
      dhcp_backend:
        ipv4_address: '172.31.0.100' # ip in docker network needed for dhcp relay
      dns_backend: {}
    volumes:
      - './pihole/data/pihole/:/etc/pihole/'
      - './pihole/data/dnsmasq.d/:/etc/dnsmasq.d/'
    ports:
      - '53:53/tcp'
      - '53:53/udp'
      - '3002:80/tcp'
      - '3003:443/tcp'
    depends_on:
      - dhcp_helper # needed because we can't run pihole in host network mode because of the reverse proxy (port 80 is needed!)
      - unbound
    # DHCP needs NET_ADMIN; NET_RAW is needed for DHCPv6
    #   https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
    cap_add:
      - NET_ADMIN
      - NET_RAW
    environment:
      TZ: 'Europe/Berlin'
      WEBPASSWORD: '???'
      ServerIP: x.x.x.x # external ip address
      DNS1: 1.1.1.1 # Primary upstream DNS provider; Cloudflare
      DNS2: 1.0.0.1 # Secondary upstream DNS provider; Cloudflare
      DNSMASQ_LISTENING: all # listen to forwarded dhcp requests in docker network

  dhcp_helper:
    build:
      context: ./dhcp_helper/setup
      dockerfile: dhcp_helper_dockerfile.yml
    container_name: dhcp_helper
    restart: unless-stopped
    network_mode: "host"
    command: -s 172.31.0.100 # ip of pihole in docker network
    cap_add:
      - NET_ADMIN
      - NET_RAW

I would really appreciate your help finding the cause of this issue. Thank you :)

MatthewVance commented 4 years ago

Hello,

I'm not sure what is causing the issue. I don't personally use Pi-hole so I don't currently have an easy example to compare it to.

One thing that stands out is that the so-rcvbuf warning you showed is likely unrelated. That's a performance setting, related to the kernel buffer. It looks like your device was trying to request more resources than permitted by the OS. It still got some, so the container should have been able to start.

I don't see anything in the errors that would make me think it would be port related. Could you increase the logging verbosity to see if that shows more?

You might also read through the following two closed issues:

LeWimbes commented 4 years ago

First of all: Thank you for your reply.

Actually, increasing the logging verbosity revealed one or two errors:

[1599155750] unbound[1:0] error: could not read root hints /var/lib/unbound/root.hints: No such file or directory
[1599155750] unbound[1:0] error: Could not set root or stub hints

But I don't understand why unbound can't find that file. As you can see in my docker-compose file, I am mounting ./unbound/setup/root_hints/ on /var/lib/unbound/. And in the root_hints directory is my root.hints file:

x@y:/a/b/docker/unbound/setup/root_hints $ ls
root.hints

If I comment out the root.hints line, no error occurs and unbound starts.

MatthewVance commented 4 years ago

My initial thought is root hints is being mounted in the wrong location. Unbound runs in a chroot.


LeWimbes commented 4 years ago

Hmm... I've now simply put the root.hints file in the same folder as my unbound.conf. It seems to work so far.

Telesphoreo commented 2 years ago

For anyone who is having this problem (even on non-Docker setups), the solution is to edit the /etc/sysctl.conf file and add this line somewhere in the file: net.core.rmem_max=1048576

After I rebooted, I could run sudo service unbound status and there was no more error! I'm posting the solution here since this is the first thing that shows up on Google when you search for it; hope that's okay.
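To make the numbers in the warning and the sysctl fix above concrete, here is an added example (not code from the thread or from the image). It parses the so-rcvbuf value the way unbound sizes are written, models the kernel's clamp-and-double behaviour for SO_RCVBUF (socket(7)), and prints the host-side sysctl that removes the warning; the 212992 default for net.core.rmem_max is an assumption typical of Linux kernels, and the sample config is constructed from the issue's unbound.conf.

```bash
#!/usr/bin/env bash
# Added example, not from the thread or the image. Explains
#   "so-rcvbuf 1048576 was not granted. Got 425984."
# The kernel clamps SO_RCVBUF to net.core.rmem_max and reports the doubled
# value (socket(7)), so unbound "gets" 2 * min(requested, rmem_max).

# Convert an unbound size value ("1m", "512k", "1048576") to bytes.
unbound_size_to_bytes() {
  local v
  v=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  case "$v" in
    *k) echo $(( ${v%k} * 1024 )) ;;
    *m) echo $(( ${v%m} * 1024 * 1024 )) ;;
    *g) echo $(( ${v%g} * 1024 * 1024 * 1024 )) ;;
    *)  echo $(( v )) ;;
  esac
}

# Extract the so-rcvbuf value from unbound.conf text on stdin (comments stripped).
so_rcvbuf_from_conf() {
  sed -e 's/#.*//' | awk '$1 == "so-rcvbuf:" { print $2; exit }'
}

# What getsockopt(SO_RCVBUF) reports for a request under a given rmem_max.
granted_rcvbuf() {
  local requested="$1" rmem_max="$2"
  if [ "$requested" -gt "$rmem_max" ]; then
    echo $(( rmem_max * 2 ))
  else
    echo $(( requested * 2 ))
  fi
}

# Compare a request with the given (or live) rmem_max; unbound warns when got < requested.
check_rcvbuf() {
  local requested="$1" rmem_max="${2:-$(cat /proc/sys/net/core/rmem_max)}" got
  got=$(granted_rcvbuf "$requested" "$rmem_max")
  if [ "$got" -lt "$requested" ]; then
    echo "clamped: requested $requested, kernel grants $got; on the host run: sysctl -w net.core.rmem_max=$requested"
  else
    echo "ok: requested $requested, kernel grants $got"
  fi
}

# Constructed sample: the so-rcvbuf stanza from the issue's unbound.conf.
SAMPLE_CONF='server:
    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m'

req=$(unbound_size_to_bytes "$(printf '%s\n' "$SAMPLE_CONF" | so_rcvbuf_from_conf)")
check_rcvbuf "$req" 212992   # assumed common Linux default: reproduces "Got 425984"
check_rcvbuf "$req" 1048576  # after the sysctl fix from the thread
```

Call check_rcvbuf with a single argument to compare against the running host's /proc/sys/net/core/rmem_max instead of a given value.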

MatthewVance commented 2 years ago

@Telesphoreo thanks for sharing.

tigerkzr commented 1 year ago

Just got here a year later looking for this issue. The current docker image has neither the sysctl.conf file nor the sysctl command. My thought on a solution was to run "sysctl -w net.core.rmem_max=4194304" with the command: key in docker compose. Can't run it without the sysctl command.

mjhwully commented 1 year ago

Add "cap_add: NET_ADMIN" to the docker file for unbound. It solved this issue for me.