NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

nebula Failed to start DNS server #291755

Open WillPower3309 opened 4 months ago

WillPower3309 commented 4 months ago

Describe the bug

Due to some permission issues with the systemd service created in the nebula module, using a lighthouse as a DNS server as described in https://nebula.defined.net/docs/guides/using-lighthouse-dns/ does not work, as there is a permissions issue:

Feb 27 08:07:01 nixos.qcow2.gz-s-1vcpu-512mb-10gb-sfo3-01 nebula[3456]: time="2024-02-27T08:07:01Z" level=info msg="Starting DNS responder" dnsListener="[::]:53"
Feb 27 08:07:01 nixos.qcow2.gz-s-1vcpu-512mb-10gb-sfo3-01 nebula[3456]: time="2024-02-27T08:07:01Z" level=error msg="Failed to start server: listen udp 0.0.0.0:53: bind: permission denied\n "

Steps To Reproduce

Use the following nebula config

  services.nebula.networks.home = {
    enable = true;
    isLighthouse = true;
    isRelay = true;

    cert = config.age.secrets.lighthouseNebulaCert.path; # lighthouse.crt
    key = config.age.secrets.lighthouseNebulaKey.path; # lighthouse.key
    ca = config.age.secrets.nebulaCaCert.path; # ca.crt

    settings.lighthouse = {
      serve_dns = true;
      dns = {
        host = "[::]";
        port = 53;
      };
    };
    firewall.inbound = [{
      port = 53;
      proto = "udp";
      host = "any";
    }];
  };

  networking.firewall.allowedUDPPorts = [ 4242 53 ];

Note the message in systemctl status nebula@home.service:

Feb 27 08:07:01 nixos.qcow2.gz-s-1vcpu-512mb-10gb-sfo3-01 nebula[3456]: time="2024-02-27T08:07:01Z" level=info msg="Starting DNS responder" dnsListener="[::]:53"
Feb 27 08:07:01 nixos.qcow2.gz-s-1vcpu-512mb-10gb-sfo3-01 nebula[3456]: time="2024-02-27T08:07:01Z" level=error msg="Failed to start server: listen udp 0.0.0.0:53: bind: permission denied\n "

Expected behavior

The DNS server should start.

Notify maintainers

@numinit @Jaculabilis

Metadata

Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

 - system: `"x86_64-linux"`
 - host os: `Linux 6.1.75, NixOS, 24.05 (Uakari), 24.05.20240131.5ad9903`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.18.1`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`

WillPower3309 commented 4 months ago

Based on a quick search, it seems adding

AmbientCapabilities=CAP_NET_BIND_SERVICE

to the systemd service might fix it; however, the official systemd service in the nebula repo doesn't seem to include such a line: https://github.com/slackhq/nebula/blob/master/dist/fedora/nebula.service

I wonder if this issue occurs due to the extra hardening lines in the NixOS nebula systemd service definition

WillPower3309 commented 4 months ago

Fixed, PR will be up soon

eclairevoyant commented 4 months ago

I wonder if this issue occurs due to the extra hardening lines in the NixOS nebula systemd service definition

Yes, not specifying anything means there are no additional restrictions on the capabilities, while if you specify any, they have to be specified exhaustively.
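To check that point on a running unit rather than guess, the capability sets of the nebula process can be read from /proc/$(systemctl show -p MainPID --value nebula@home.service)/status. The following is an added example (not from the issue, nebula or nixpkgs) that decodes those masks from constructed sample input: a bounding set lacking CAP_NET_BIND_SERVICE explains the bind failure on port 53, and since a capability absent from the bounding set can never be regained, AmbientCapabilities= alone would not fix it.

```python
import re

# Capability bit numbers from linux/capability.h (only the two relevant here).
CAP_BITS = {"CAP_NET_BIND_SERVICE": 10, "CAP_NET_ADMIN": 12}

# Constructed /proc/<pid>/status excerpt for a hardened unit that only grants
# CAP_NET_ADMIN (bit 12 -> 0x1000): the failing state described in the issue.
BROKEN_STATUS = """Name:\tnebula
CapInh:\t0000000000001000
CapPrm:\t0000000000001000
CapEff:\t0000000000001000
CapBnd:\t0000000000001000
CapAmb:\t0000000000001000
"""

# Constructed excerpt after CAP_NET_BIND_SERVICE (bit 10 -> 0x400) is added to
# both CapabilityBoundingSet= and AmbientCapabilities=: 0x1000 | 0x400 = 0x1400.
FIXED_STATUS = BROKEN_STATUS.replace("1000", "1400")


def parse_cap_masks(status_text):
    """Return the Cap* fields of a /proc/<pid>/status text as integer bitmasks."""
    masks = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap\w+):\s*([0-9a-fA-F]+)$", line)
        if m:
            masks[m.group(1)] = int(m.group(2), 16)
    return masks


def has_cap(mask, name):
    return bool((mask >> CAP_BITS[name]) & 1)


def can_bind_privileged_port(status_text, port):
    """Binding a port below 1024 needs CAP_NET_BIND_SERVICE in the effective set
    (the kernel checks the capability, not whether the uid is 0)."""
    if port >= 1024:
        return True
    return has_cap(parse_cap_masks(status_text)["CapEff"], "CAP_NET_BIND_SERVICE")


def diagnose(status_text, port):
    """Name the unit directive that is missing. A cap absent from CapBnd cannot be
    regained after exec, so once CapabilityBoundingSet= is set it must list the
    cap as well as AmbientCapabilities=."""
    if can_bind_privileged_port(status_text, port):
        return "ok"
    masks = parse_cap_masks(status_text)
    if not has_cap(masks["CapBnd"], "CAP_NET_BIND_SERVICE"):
        return "add CAP_NET_BIND_SERVICE to CapabilityBoundingSet= and AmbientCapabilities="
    return "add CAP_NET_BIND_SERVICE to AmbientCapabilities="
```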

numinit commented 4 months ago

That sounds good. It would also be good to have a test for this in the NixOS test!

WillPower3309 commented 4 months ago

PR up! I have one question I asked there, if anyone is able to answer it.