Closed PrivateCon88 closed 3 years ago
Can you provide more details such as your compose file and full config?
On Tue, Feb 16, 2021, 2:03 AM PrivateCon88 notifications@github.com wrote:
In unbound.conf, I set
use-syslog: yes
verbosity: 3
log-queries: yes
logfile: /dev/null --> comment out
In docker-compose.yml I put network_mode: "host"
Still, I see no unbound log in /var/log/syslog. But nginx docker able to send log to syslog just fine.
Did I miss something?
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/MatthewVance/unbound-docker/issues/61, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAUMHOTPRWVABR4IAKO5OW3S7IRF5ANCNFSM4XV7RWBQ .
docker-compose.yml
services:
  unbound:
    image: mvance/unbound
    container_name: unbound
    restart: unless-stopped
    volumes:
      - /doh/unbound:/opt/unbound/etc/unbound
    healthcheck:
      disable: true
    network_mode: "host"
unbound.conf
server:
cache-max-ttl: 86400
cache-min-ttl: 300
directory: "/opt/unbound/etc/unbound"
edns-buffer-size: 1232
interface: 0.0.0.0@5353
rrset-roundrobin: yes
username: "_unbound"
log-queries: yes
#logfile: /opt/unbound/etc/unbound/logs/unbound.log
verbosity: 3
aggressive-nsec: yes
delay-close: 10000
do-daemonize: no
do-not-query-localhost: no
neg-cache-size: 4M
qname-minimisation: yes
access-control: 0.0.0.0/0 allow
auto-trust-anchor-file: "var/root.key"
chroot: "/opt/unbound/etc/unbound"
deny-any: yes
harden-algo-downgrade: yes
harden-below-nxdomain: yes
harden-dnssec-stripped: yes
harden-glue: yes
harden-large-queries: yes
harden-referral-path: no
harden-short-bufsize: yes
hide-identity: yes
hide-version: yes
identity: "unbound"
ratelimit: 1000
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
unwanted-reply-threshold: 10000
use-caps-for-id: yes
val-clean-additional: yes
infra-cache-slabs: 4
incoming-num-tcp: 10
key-cache-slabs: 4
msg-cache-size: 300557653
msg-cache-slabs: 4
num-queries-per-thread: 4096
num-threads: 1
outgoing-range: 8192
rrset-cache-size: 601115306
rrset-cache-slabs: 4
minimal-responses: yes
prefetch: yes
prefetch-key: yes
serve-expired: yes
so-reuseport: yes
client-subnet-zone: "."
client-subnet-always-forward: yes
max-client-subnet-ipv4: 24
log-time-ascii: yes
use-syslog: yes
log-identity: unbound
do-tcp: no
do-ip6: no
Your volume mount looks off to me. Double check that. If in doubt, exec into the container and see if it mounted your config or loaded the default.
I did check by going inside the container. /opt/unbound/etc/unbound/unbound.conf is pointing to the correct file on the host machine.
Chroot is yes but syslog is outside that
From what I understand, network_mode: "host" will make the container's localhost the host machine. Works fine with nginx docker passing the log to the syslog outside the container. So weird.
Is nginx config also in a chroot?
No, it's not chroot. Is that the reason this unbound docker can't access the syslog?
It may be. The config enables chroot for security reasons. You can disable that in your unbound.conf to see if that helps.
chroot: ""
The Unbound docs explain the relationship between chroot and log configs. https://www.nlnetlabs.nl/documentation/unbound/unbound.conf/
chroot disabled but still no luck.
Hey, @MatthewVance, I got it working. chroot is not the problem; I just need to mount volumes /dev/log:/dev/log. Voila, works. Anyway, thank you for your effort to help me, @MatthewVance.
I'm glad you got it working. Thanks for sharing the fix. Out of curiosity, is chroot still enabled with the volume mount fix?
Yes, chroot is still enabled.
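Why the /dev/log mount fixed this when network_mode: "host" alone did not, as an added example that is not part of the thread or the unbound-docker project: syslog(3) writes to the Unix socket at /dev/log, which is a filesystem path in the container's mount namespace, and host networking does not share that namespace. The function name probe_syslog_socket and the test message are assumptions made for illustration.

```python
import os
import socket
import stat


def probe_syslog_socket(path="/dev/log",
                        message="<14>syslog-probe: test message"):
    """Report whether a syslog(3) client in this mount namespace can reach a daemon.

    Returns "missing", "not-a-socket", "denied", "no-listener" or "ok".
    <14> is the syslog priority for facility user (1*8) + severity info (6).
    """
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        # Nothing is bind-mounted at the path: log calls are silently dropped.
        return "missing"
    if not stat.S_ISSOCK(mode):
        # For example, a directory created by a bind mount of a missing host path.
        return "not-a-socket"

    denied = False
    # Syslog daemons listen on a datagram socket in most setups; some use stream.
    for sock_type in (socket.SOCK_DGRAM, socket.SOCK_STREAM):
        with socket.socket(socket.AF_UNIX, sock_type) as sock:
            try:
                sock.connect(path)
                sock.send(message.encode())
                return "ok"
            except PermissionError:
                # The unprivileged user (here "_unbound") may lack write access.
                denied = True
            except OSError:
                # Wrong socket type or a stale socket file with no daemon behind it.
                continue
    return "denied" if denied else "no-listener"


if __name__ == "__main__":
    # Run inside the container, before and after adding /dev/log:/dev/log.
    print(probe_syslog_socket())
```

Run inside the container as the same user the daemon drops to, since a socket that root can write to may still return "denied" for an unprivileged account.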