MatthewVance / unbound-docker-rpi

Run Unbound with latest version of OpenSSL on Raspberry Pi with Docker.
MIT License
136 stars 23 forks

Versions 1.19.2, 1.19.1, 1.19.0, 1.18.0 are not starting properly: error reading auto-trust-anchor-file: var/root.key #51

Closed d-rez closed 3 months ago

d-rez commented 4 months ago

**Describe the bug**
As of the most recent docker version bump from yesterday, the [mvance/unbound-rpi:latest] container fails to start with task non-zero error (1). Issue started with the most recent docker container latest tag update.

Tested 1.19.2, 1.19.1, 1.19.0, 1.18.0 - none of these work. Same error. Log errors below after redirecting to STDERR:

[1710134927] unbound[1:0] error: unable to open var/root.key for reading: No such file or directory
[1710134927] unbound[1:0] error: error reading auto-trust-anchor-file: var/root.key
[1710134927] unbound[1:0] error: validator: error in trustanchors config
[1710134927] unbound[1:0] error: validator: could not apply configuration settings.
[1710134927] unbound[1:0] fatal error: failed to setup modules
[1710134927] unbound[1:0] error: module init for module validator failed

The old 1.17.1 works fine.

**To Reproduce**
Steps to reproduce the behavior:

  1. Docker run command or compose file:
    version: "3.7"
    services:
      unbound:
        image: mvance/unbound-rpi
        deploy:
          mode: global
        healthcheck:
          disable: true
        networks:
          hostnet: {}
        dns:
          - 127.0.0.1
          - 1.1.1.1
        configs:
          - source: "unbound.conf.3"
            target: "/opt/unbound/etc/unbound/unbound.conf"
    networks:
      hostnet:
        external: true
        name: host
    configs:
      unbound.conf.3:
        external: true
  2. Customizations (config files): Note: Default config also causes this, but no logs are visible, the service container just fails and Docker spins up a new one over and over again. My config is mostly default. Below is an extract with all comment lines removed.
    server:
        private-domain: plex.direct
        cache-max-ttl: 86400
        cache-min-ttl: 300
        directory: "/opt/unbound/etc/unbound"
        edns-buffer-size: 1472
        interface: 0.0.0.0@5553
        do-ip4: yes
        do-udp: yes
        do-tcp: yes
        do-ip6: yes
        rrset-roundrobin: yes
        username: "_unbound"
        log-local-actions: no
        log-queries: no
        log-replies: no
        log-servfail: no
        logfile: ""
        verbosity: 0
        aggressive-nsec: yes
        delay-close: 10000
        do-daemonize: no
        do-not-query-localhost: no
        neg-cache-size: 4M
        qname-minimisation: yes
        access-control: 127.0.0.1/32 allow
        access-control: 192.168.0.0/16 allow
        access-control: 172.16.0.0/12 allow
        access-control: 10.0.0.0/8 allow
        access-control: fc00::/7 allow
        access-control: ::1/128 allow
        auto-trust-anchor-file: "var/root.key"
        chroot: "/opt/unbound/etc/unbound"
        harden-algo-downgrade: yes
        harden-below-nxdomain: yes
        harden-dnssec-stripped: yes
        harden-glue: yes
        harden-large-queries: yes
        harden-referral-path: no
        harden-short-bufsize: yes
        hide-identity: yes
        hide-version: yes
        identity: "DNS"
        private-address: 10.0.0.0/8
        private-address: 172.16.0.0/12
        private-address: 192.168.0.0/16
        private-address: 169.254.0.0/16
        private-address: fd00::/8
        private-address: fe80::/10
        private-address: ::ffff:0:0/96
        ratelimit: 1000
        tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
        unwanted-reply-threshold: 10000
        use-caps-for-id: yes
        val-clean-additional: yes
        infra-cache-slabs: 4
        key-cache-slabs: 4
        msg-cache-size: 90894336
        msg-cache-slabs: 4
        num-queries-per-thread: 4096
        num-threads: 3
        outgoing-range: 8192
        rrset-cache-size: 181788672
        rrset-cache-slabs: 4
        minimal-responses: yes
        prefetch: yes
        prefetch-key: yes
        serve-expired: yes
        so-reuseport: yes
        include: /opt/unbound/etc/unbound/a-records.conf

    forward-zone:
        name: "."
        forward-tls-upstream: yes
        forward-addr: 1.1.1.1@853#cloudflare-dns.com
        forward-addr: 1.0.0.1@853#cloudflare-dns.com
        forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
        forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com

    remote-control:
        control-enable: no

4. Directory structure: N/A, no volume mounts, just docker configs
5. See error

**Expected behavior**
Unbound starts and runs correctly

**Error messages**

[1710134927] unbound[1:0] error: unable to open var/root.key for reading: No such file or directory
[1710134927] unbound[1:0] error: error reading auto-trust-anchor-file: var/root.key
[1710134927] unbound[1:0] error: validator: error in trustanchors config
[1710134927] unbound[1:0] error: validator: could not apply configuration settings.
[1710134927] unbound[1:0] fatal error: failed to setup modules
[1710134927] unbound[1:0] error: module init for module validator failed

MatthewVance commented 4 months ago

Thanks. I confirmed the issue and am looking into it.

iyzana commented 4 months ago

I did a bit of analysis and I think the problem is that in `/unbound.sh` the line `chown _unbound:_unbound /opt/unbound/etc/unbound/unbound.log && \` should be removed, because the file does not exist and is not needed.

It results in the root.key not being created and then in unbound failing to start.
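
An added example, written for this page and not taken from the issue or from the mvance/unbound-rpi repository, that ties the report above (a `chroot:` and `directory:` of /opt/unbound/etc/unbound with a relative `auto-trust-anchor-file: "var/root.key"`) to iyzana's diagnosis. It resolves the anchor path the way unbound does (relative paths are relative to `directory:`, which is interpreted inside `chroot:`), checks the file before the daemon starts, and contrasts an `&&`-chained entrypoint step with a guarded one. The function names, the temporary config and the placeholder written in place of `unbound-anchor` are all constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the mvance/unbound-rpi repository: a pre-flight
# check for the failure in this issue, plus the fragile-vs-robust entrypoint
# pattern from iyzana's analysis. All paths and configs are constructed here.

# conf_value FILE OPTION: value of the first OPTION line in an unbound.conf, unquoted.
conf_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d '"'
}

# trust_anchor_path FILE: host path of auto-trust-anchor-file as unbound will
# open it. A relative value is resolved against `directory:`, and `directory:`
# itself lives inside `chroot:` (the issue's config sets both to
# /opt/unbound/etc/unbound, so "var/root.key" means
# /opt/unbound/etc/unbound/var/root.key on the host).
trust_anchor_path() {
    chroot_dir=$(conf_value "$1" chroot)
    work_dir=$(conf_value "$1" directory)
    anchor=$(conf_value "$1" auto-trust-anchor-file)
    [ -n "$work_dir" ] || work_dir=$(pwd)
    # unbound strips the chroot prefix from absolute paths once chrooted;
    # undo that here to get back to the host's view of the file.
    rel_dir="${work_dir#"$chroot_dir"}"
    host_dir="${chroot_dir%/}${rel_dir}"
    case "$anchor" in
        /*) printf '%s%s\n' "${chroot_dir%/}" "$anchor" ;;
        *)  printf '%s/%s\n' "${host_dir%/}" "$anchor" ;;
    esac
}

# check_trust_anchor FILE: fail, as unbound's validator init does, when the
# anchor file is missing or empty, but before the daemon starts and with the
# resolved host path in the message.
check_trust_anchor() {
    path=$(trust_anchor_path "$1")
    if [ ! -s "$path" ]; then
        echo "auto-trust-anchor-file not found or empty: $path" >&2
        return 1
    fi
}

# fragile_prepare ROOT: the pattern iyzana points at. Every step is chained
# with &&, so a chown of a log file that does not exist fails and the step
# that would create root.key never runs.
fragile_prepare() {
    chown "$(id -u)" "$1/unbound.log" 2>/dev/null && \
    mkdir -p "$1/var" && \
    printf '; constructed placeholder for root.key\n' > "$1/var/root.key"
}

# robust_prepare ROOT: only touch the log file if it exists, and make the
# anchor step unconditional. In a real entrypoint the last line would be
# `unbound-anchor -a "$1/var/root.key"`; a placeholder write is used here so
# the example runs offline.
robust_prepare() {
    [ ! -e "$1/unbound.log" ] || chown "$(id -u)" "$1/unbound.log"
    mkdir -p "$1/var"
    [ -s "$1/var/root.key" ] || \
        printf '; constructed placeholder for root.key\n' > "$1/var/root.key"
}
```

Running `check_trust_anchor /opt/unbound/etc/unbound/unbound.conf` as the last step of an entrypoint, before `exec unbound`, turns the six-line validator failure from the report into one message naming the host path that is missing, which is also the path a healthcheck can watch.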

MatthewVance commented 4 months ago

@iyzana thanks for that. I haven't tried removing that line yet, but I pushed an update a moment ago that appears to fix this. I'm not closing this issue yet until confirmation that everything is working for others as well.

LeWimbes commented 4 months ago

Thanks for the quick fix. My instances seem to be working as expected again.

iyzana commented 4 months ago

I'm not sure how you're deploying to docker hub, but the pushed images are working now and the chown for unbound.log is removed from them, even though it is still present in this git repository.

But the change adding the new 1.18.0 features (from https://github.com/MatthewVance/unbound-docker/commit/84088be699f699b889f473120c6c01ecad611d82 in the main repo) is now also gone, from the docker images as well as in this repo.

MeCias commented 4 months ago

Can confirm as well. IP address is now assigned as expected. THX.

MatthewVance commented 4 months ago

> I'm not sure how you're deploying to docker hub, but the pushed images are working now and the chown for unbound.log is removed from them, even though it is still present in this git repository.
>
> But the change adding the new 1.18.0 features (from MatthewVance/unbound-docker@84088be in the main repo) is now also gone, from the docker images as well as in this repo.

The missing chown for unbound.log in the built image is odd and something I need to correct in the code because the built images should 100% match the code. I built the images using a copy of the repo I had on a Raspberry Pi. I copied the source from the 1.17.1 directory on the Pi, made the version updates, and then built the images. I then did the same steps on another computer that is set up with Git. Unexpectedly, there was a minor difference (the chown step) between the unbound.sh script on my Pi and my other computer. Those should have been in sync. The lesson learned for me is to scp the files from my Pi to my computer with Git to ensure a 100% match (or better yet switch over to GitHub Actions to build the images from the code in the repo).

I removed the 1.18.0 features for now. I'm planning to bring them back in later.

d-rez commented 3 months ago

I can also confirm the :latest is now fixed by f7b72d62a6bc96325510e4fd18d30f40e92c408c and seems to work as expected :)

root@node_name:/opt/unbound# unbound -V
Version 1.19.2

Thanks!