New container with default setting keeps restarting on start

[x-Felix]

That's quite interesting. The default setting even not work on start. Seems like need a bit manual work to get it work.

  unbound:
    container_name: unbound
    image: mvance/unbound-rpi:latest
    volumes:
      - /home/pi/unbound:/opt/unbound/etc/unbound/
    ports:
      - "5335:53/tcp"
      - "5335:53/udp"
    restart: unless-stopped

/opt/unbound/etc/unbound/unbound.conf:291: error: cannot open include file '/opt/unbound/etc/unbound/a-records.conf': No such file or directory
read /opt/unbound/etc/unbound/unbound.conf failed: 1 errors in configuration file
[1599791470] unbound[1:0] fatal error: Could not read config file: /opt/unbound/etc/unbound/unbound.conf. Maybe try unbound -dd, it stays on the commandline to see more errors, or unbound-checkconf
/opt/unbound/etc/unbound/unbound.conf:291: error: cannot open include file '/opt/unbound/etc/unbound/a-records.conf': No such file or directory

[MatthewVance]

It is expecting a particular file if you run with a volume mount. For the simplest default, try the standard usage:

docker run --name unbound-rpi -d -p 53:53/udp -p 53:53/tcp --restart=always mvance/unbound-rpi:latest

On Thu, Sep 10, 2020, 9:34 PM Felix notifications@github.com wrote:

That's quite interesting. The default setting even not work on start. Seems like need a bit manual work to get it work.

unbound: container_name: unbound image: mvance/unbound-rpi:latest volumes:

• /home/pi/unbound:/opt/unbound/etc/unbound/ ports:
• "5335:53/tcp"
• "5335:53/udp" restart: unless-stopped

/opt/unbound/etc/unbound/unbound.conf:291: error: cannot open include file '/opt/unbound/etc/unbound/a-records.conf': No such file or directory read /opt/unbound/etc/unbound/unbound.conf failed: 1 errors in configuration file [1599791470] unbound[1:0] fatal error: Could not read config file: /opt/unbound/etc/unbound/unbound.conf. Maybe try unbound -dd, it stays on the commandline to see more errors, or unbound-checkconf /opt/unbound/etc/unbound/unbound.conf:291: error: cannot open include file '/opt/unbound/etc/unbound/a-records.conf': No such file or directory

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/MatthewVance/unbound-docker-rpi/issues/5, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAUMHOR4FX5UY2LRWUA2P2TSFGECVANCNFSM4RGMN7NQ .

[x-Felix]

Thanks for promptly response. I sorted out restart issue. However, I still not able to set the container to run as recursive DNS server.

My unbound.conf file

server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    interface: 0.0.0.0
    port: 53
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Terredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    #root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10
pi@PiDocker:~/unbound $ 

docker-compose.yml file

version: '3'
services:
  unbound:
    container_name: unbound
    image: mvance/unbound-rpi:latest
    volumes:
      - /home/pi/unbound:/opt/unbound/etc/unbound
    ports:
      - "5053:53/tcp"
      - "5053:53/udp"
    restart: unless-stopped

pi@PiDocker:~ $ sudo docker ps
CONTAINER ID        IMAGE                                             COMMAND             CREATED             STATUS                   PORTS                                        NAMES
386cc9a004c3        mvance/unbound-rpi:latest                         "/unbound.sh"       9 minutes ago       Up 9 minutes (healthy)   0.0.0.0:5053->53/tcp, 0.0.0.0:5053->53/udp   unbound
pi@PiDocker:~ $ sudo docker logs unbound
[1599795512] unbound[1:0] warning: so-rcvbuf 1048576 was not granted. Got 360448. To fix: start with root permissions(linux) or sysctl bigger net.core.rmem_max(linux) or kern.ipc.maxsockbuf(bsd) values.
[1599795512] unbound[1:0] debug: switching log to syslog
pi@PiDocker:~ $ sudo dig www.google.com @127.0.0.1 -p 5053

; <<>> DiG 9.11.5-P4-5.1+deb10u2-Raspbian <<>> www.google.com @127.0.0.1 -p 5053
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 18558
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; Query time: 1 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)
;; WHEN: Fri Sep 11 13:49:01 AEST 2020
;; MSG SIZE  rcvd: 12

I don't understand why it is not resolving anything. Would you please suggest possible misconfigruation? Thanks.

[x-Felix]

I figured it out by adding access-control in unbound.conf Is this a new requirement in latest unbound version? I will close this issue for now. Thanks.

[MatthewVance]

I'm glad you got it sorted. I'm not aware of it being a new requirement.

The Unbound changelog is available at https://www.nlnetlabs.nl/projects/unbound/download/#unbound-1-11-0.

The Unbound config documentation explains what access-control defaults to: https://www.nlnetlabs.nl/documentation/unbound/unbound.conf/

On Thu, Sep 10, 2020, 11:02 PM Felix notifications@github.com wrote:

I figured it out by adding access-control in unbound.conf Is this a new requirement in latest unbound version? I will close this issue for now. Thanks.

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/MatthewVance/unbound-docker-rpi/issues/5#issuecomment-690860240, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAUMHORFBOT7YORYAURBY4TSFGOOXANCNFSM4RGMN7NQ .

[MatthewVance]

If it helps, this is roughly my recommended config for a basic forwarding setup. https://gist.github.com/MatthewVance/5051bf45cfed6e4a2a2ed9bb014bcd72

You'd just need to swap out the forward zone section to meet your recursive needs.

On Fri, Sep 11, 2020, 6:27 AM Matthew Vance vancematthew@gmail.com wrote:

I'm glad you got it sorted. I'm not aware of it being a new requirement.

The Unbound changelog is available at https://www.nlnetlabs.nl/projects/unbound/download/#unbound-1-11-0.

The Unbound config documentation explains what access-control defaults to: https://www.nlnetlabs.nl/documentation/unbound/unbound.conf/

On Thu, Sep 10, 2020, 11:02 PM Felix notifications@github.com wrote:

I figured it out by adding access-control in unbound.conf Is this a new requirement in latest unbound version? I will close this issue for now. Thanks.

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/MatthewVance/unbound-docker-rpi/issues/5#issuecomment-690860240, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAUMHORFBOT7YORYAURBY4TSFGOOXANCNFSM4RGMN7NQ .