haugene / vpn-configs-contrib

A collection of configs for various VPN providers
GNU General Public License v3.0

unhealthy container using NordVPN due to failed DNS resolution #258

Closed daviddoji closed 7 months ago

daviddoji commented 7 months ago

Is there a pinned issue for this?

Is there an existing or similar issue/discussion for this?

Is there any comment in the documentation for this?

Is this related to a provider?

Are you using the latest release?

Have you tried using the dev branch latest?

Docker run config used

version: '3.3' 
services:
# TRANSMISSION + OVPN ==> Transmission client under a VPN
  transmission-ovpn:
    image: haugene/transmission-openvpn:$transmission_tag
    container_name: transmission
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    ports:
      - "9091:9091"
    networks:
      - admin_network
    volumes:
      - /media/Storage_Server/Docker_containers/data/torrents:/data/torrents
      - /media/Storage_Server/Docker_containers/Transmission/config/:/config
    environment:
      - PUID=$puid
      - PGID=$pgid
      - OPENVPN_PROVIDER=$provider
      - OPENVPN_USERNAME=$user
      - OPENVPN_PASSWORD=$password
      - NORDVPN_COUNTRY=$country
      - NORDVPN_CATEGORY=legacy_p2p
      - NORDVPN_PROTOCOL=udp
      - LOCAL_NETWORK=$local_network
      - TRANSMISSION_RPC_USERNAME=$web_username
      - TRANSMISSION_RPC_PASSWORD=$web_password
      - TRANSMISSION_RPC_AUTHENTICATION_REQUIRED=true
      - TRANSMISSION_RPC_PORT=$port
      - TRANSMISSION_SCRAPE_PAUSED_TORRENTS_ENABLED=false
      - TRANSMISSION_DOWNLOAD_DIR=$downloads
      - TRANSMISSION_INCOMPLETE_DIR_ENABLED=false
      - TRANSMISSION_WATCH_DIR_ENABLED=false

    logging:
      driver: json-file
      options:
        max-size: 10m
    labels:
      - traefik.enable=true
      - traefik.http.routers.transmission.rule=Host(`torrent.elnota.space`)
      - traefik.http.routers.transmission.entrypoints=secure
      - traefik.http.routers.transmission.tls.certresolver=le
      - traefik.http.services.transmission.loadbalancer.server.port=9091

Current Behavior

Web UI is not accessible and unhealthy container

david@homeserver ~> docker ps | grep transmission
c6a23de825d2   haugene/transmission-openvpn:master      "dumb-init /etc/open…"   3 minutes ago   Up 3 minutes (unhealthy)     8118/tcp, 0.0.0.0:9091->9091/tcp, :::9091->9091/tcp                                                                   transmission

Expected Behavior

Being able to access the UI using the url provided in the configuration

How have you tried to solve the problem?

1) Update to master branch (was using 5.2.0)
2) Delete container folder and recreated from scratch
3) I also checked if the VPN is running.

david@homeserver ~> curl ifconfig.io
31.17.199.138

david@homeserver ~> docker exec -it c6a23de825d2 bash
root@c6a23de825d2:/# curl ifconfig.io
185.214.97.160

4) check ping from host and from container

david@homeserver ~> ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=9.47 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=117 time=9.64 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=117 time=10.3 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 9.465/9.800/10.296/0.357 ms
david@homeserver ~> docker exec -it c6a23de825d2 ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=119 time=80.8 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=119 time=52.9 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=119 time=69.4 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 52.914/67.693/80.809/11.448 ms

Log output

david@homeserver ~> docker logs c6a23de825d2
Starting container with revision: ad0d9972d1fd14b33e3949bd0878f9c0ba02477c
TRANSMISSION_HOME is currently set to: /config/transmission-home
Creating TUN device /dev/net/tun
Using OpenVPN provider: NORDVPN
Running with VPN_CONFIG_SOURCE auto
Provider NORDVPN has a bundled setup script. Defaulting to internal config
Executing setup script for NORDVPN
/etc/openvpn/nordvpn/..
INFO: OVPN: Checking curl installation
INFO: OVPN: DNS resolution ok
INFO: OVPN: ok, configurations download site reachable
INFO: OVPN: Removing existing configs in /etc/openvpn/nordvpn
Checking NORDPVN API responses
INFO: OVPN:Selecting the best server...
INFO: OVPN: Searching for country : ES (202)
INFO: OVPN: Searching for group: legacy_p2p
INFO: OVPN:Searching for technology: openvpn_udp
INFO: OVPN: Best server : es233.nordvpn.com, load: 6
Best server : es233.nordvpn.com
INFO: OVPN: Downloading config: es233.nordvpn.com.ovpn
INFO: OVPN: Downloading from: https://downloads.nordcdn.com/configs/files/ovpn_udp/servers/es233.nordvpn.com.udp.ovpn
OVPN: NORDVPN: selected: es233.nordvpn.com, VPN_PROVIDER_HOME: /etc/openvpn/nordvpn
Starting OpenVPN using config es233.nordvpn.com.ovpn
Modifying /etc/openvpn/nordvpn/es233.nordvpn.com.ovpn for best behaviour in this container
Modification: Point auth-user-pass option to the username/password file
Modification: Change ca certificate path
Modification: Change ping options
Modification: Update/set resolv-retry to 15 seconds
Modification: Change tls-crypt keyfile path
Modification: Set output verbosity to 3
Modification: Remap SIGUSR1 signal to SIGTERM, avoid OpenVPN restart loop
Modification: Updating status for config failure detection
Setting OpenVPN credentials...
adding route to local network 192.168.88.0/24 via 172.18.0.1 dev eth0
2023-11-30 10:28:32 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 14 2022
2023-11-30 10:28:32 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
2023-11-30 10:28:32 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-11-30 10:28:32 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2023-11-30 10:28:32 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2023-11-30 10:28:32 TCP/UDP: Preserving recently used remote address: [AF_INET]185.214.97.126:1194
2023-11-30 10:28:32 Socket Buffers: R=[212992->212992] S=[212992->212992]
2023-11-30 10:28:32 UDP link local: (not bound)
2023-11-30 10:28:32 UDP link remote: [AF_INET]185.214.97.126:1194
2023-11-30 10:28:32 TLS: Initial packet from [AF_INET]185.214.97.126:1194, sid=f3479331 82fcb1ba
2023-11-30 10:28:32 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
2023-11-30 10:28:32 VERIFY OK: depth=1, O=NordVPN, CN=NordVPN CA8
2023-11-30 10:28:32 VERIFY KU OK
2023-11-30 10:28:32 Validating certificate extended key usage
2023-11-30 10:28:32 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-11-30 10:28:32 VERIFY EKU OK
2023-11-30 10:28:32 VERIFY X509NAME OK: CN=es233.nordvpn.com
2023-11-30 10:28:32 VERIFY OK: depth=0, CN=es233.nordvpn.com
2023-11-30 10:28:32 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512
2023-11-30 10:28:32 [es233.nordvpn.com] Peer Connection Initiated with [AF_INET]185.214.97.126:1194
2023-11-30 10:28:32 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,explicit-exit-notify,comp-lzo no,route-gateway 10.8.2.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.2.6 255.255.255.0,peer-id 5,cipher AES-256-CBC'
2023-11-30 10:28:32 OPTIONS IMPORT: timers and/or timeouts modified
2023-11-30 10:28:32 OPTIONS IMPORT: explicit notify parm(s) modified
2023-11-30 10:28:32 OPTIONS IMPORT: compression parms modified
2023-11-30 10:28:32 OPTIONS IMPORT: --ifconfig/up options modified
2023-11-30 10:28:32 OPTIONS IMPORT: route options modified
2023-11-30 10:28:32 OPTIONS IMPORT: route-related options modified
2023-11-30 10:28:32 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2023-11-30 10:28:32 OPTIONS IMPORT: peer-id set
2023-11-30 10:28:32 OPTIONS IMPORT: adjusting link_mtu to 1657
2023-11-30 10:28:32 OPTIONS IMPORT: data channel crypto options modified
2023-11-30 10:28:32 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
2023-11-30 10:28:32 Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
2023-11-30 10:28:32 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
2023-11-30 10:28:32 Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
2023-11-30 10:28:32 net_route_v4_best_gw query: dst 0.0.0.0
2023-11-30 10:28:32 net_route_v4_best_gw result: via 172.18.0.1 dev eth0
2023-11-30 10:28:32 ROUTE_GATEWAY 172.18.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:12:00:07
2023-11-30 10:28:32 TUN/TAP device tun0 opened
2023-11-30 10:28:32 net_iface_mtu_set: mtu 1500 for tun0
2023-11-30 10:28:32 net_iface_up: set tun0 up
2023-11-30 10:28:32 net_addr_v4_add: 10.8.2.6/24 dev tun0
2023-11-30 10:28:32 net_route_v4_add: 185.214.97.126/32 via 172.18.0.1 dev [NULL] table 0 metric -1
2023-11-30 10:28:32 net_route_v4_add: 0.0.0.0/1 via 10.8.2.1 dev [NULL] table 0 metric -1
2023-11-30 10:28:32 net_route_v4_add: 128.0.0.0/1 via 10.8.2.1 dev [NULL] table 0 metric -1
Up script executed with device=tun0 ifconfig_local=10.8.2.6
Updating TRANSMISSION_BIND_ADDRESS_IPV4 to the ip of tun0 : 10.8.2.6
Enforcing ownership on transmission directories
Applying permissions to transmission directories
Setting owner for transmission paths to 1000:1000
Setting permissions for download and incomplete directories
umask: 2
Directories: 775
Files: 664
Setting permission for watch directory (775) and its files (664)

-------------------------------------
Transmission will run as
-------------------------------------
User name:   abc
User uid:    1000
User gid:    1000
-------------------------------------

Updating Transmission settings.json with values from env variables
Attempting to use existing settings.json for Transmission
Successfully used existing settings.json /config/transmission-home/settings.json
Overriding bind-address-ipv4 because TRANSMISSION_BIND_ADDRESS_IPV4 is set to 10.8.2.6
Overriding download-dir because TRANSMISSION_DOWNLOAD_DIR is set to /data/torrents
Overriding incomplete-dir because TRANSMISSION_INCOMPLETE_DIR is set to /data/incomplete
Overriding incomplete-dir-enabled because TRANSMISSION_INCOMPLETE_DIR_ENABLED is set to false
Overriding rpc-authentication-required because TRANSMISSION_RPC_AUTHENTICATION_REQUIRED is set to true
Overriding rpc-password because TRANSMISSION_RPC_PASSWORD is set to [REDACTED]
Overriding rpc-port because TRANSMISSION_RPC_PORT is set to 9091
Overriding rpc-username because TRANSMISSION_RPC_USERNAME is set to david
Overriding scrape-paused-torrents-enabled because TRANSMISSION_SCRAPE_PAUSED_TORRENTS_ENABLED is set to false
Overriding watch-dir because TRANSMISSION_WATCH_DIR is set to /data/watch
Overriding watch-dir-enabled because TRANSMISSION_WATCH_DIR_ENABLED is set to false
sed'ing True to true
STARTING TRANSMISSION
Transmission startup script complete.
2023-11-30 10:28:32 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2023-11-30 10:28:32 Initialization Sequence Completed

HW/SW Environment

david@homeserver ~> uname -a
Linux homeserver 5.15.0-89-generic #99-Ubuntu SMP Mon Oct 30 20:42:41 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
david@homeserver ~> docker --version
Docker version 24.0.7, build afdd53b

Anything else?

david@homeserver ~> docker inspect c6a23de825d2
[
            "Health": {
                "Status": "unhealthy",
                "FailingStreak": 14,
                "Log": [
                    {
                        "Start": "2023-11-30T11:38:25.212799472+01:00",
                        "End": "2023-11-30T11:38:25.426838501+01:00",
                        "ExitCode": 1,
                        "Output": "DNS resolution failed\n"
                    },
                    {
                        "Start": "2023-11-30T11:39:25.443422763+01:00",
                        "End": "2023-11-30T11:39:25.663883169+01:00",
                        "ExitCode": 1,
                        "Output": "DNS resolution failed\n"
                    },
                    {
                        "Start": "2023-11-30T11:40:25.680994609+01:00",
                        "End": "2023-11-30T11:40:25.892664897+01:00",
                        "ExitCode": 1,
                        "Output": "DNS resolution failed\n"
                    },
                    {
                        "Start": "2023-11-30T11:41:25.909325078+01:00",
                        "End": "2023-11-30T11:41:26.132528526+01:00",
                        "ExitCode": 1,
                        "Output": "DNS resolution failed\n"
                    },
                    {
                        "Start": "2023-11-30T11:42:26.148734604+01:00",
                        "End": "2023-11-30T11:42:26.359150127+01:00",
                        "ExitCode": 1,
                        "Output": "DNS resolution failed\n"
                    }
                ]
            }
        },
ilike2burnthing commented 7 months ago

Change ENV HEALTH_CHECK_HOST to github.com

hevel86 commented 7 months ago

Change ENV HEALTH_CHECK_HOST to github.com

This worked for me. Thank you!

pkishino commented 7 months ago

Considering the logs are fine, DNS initially works, etc., this looks like a provider-end intermittent issue. As suggested, try a different health check address and please close if that solves it.
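A diagnostic added here (not part of this issue or the haugene project) for narrowing down a "DNS resolution failed" health check like the one in the docker inspect output above: it extracts the resolvers NordVPN pushed in the PUSH_REPLY line of the container log and queries each one directly for HEALTH_CHECK_HOST, which separates "the provider's resolvers are failing" from "the tunnel is down" (the curl and ping results show the tunnel itself was up). It assumes it is run inside the container, since the pushed resolvers are only reachable through tun0, and embeds the log's PUSH_REPLY line as a constructed sample.

```python
import os, random, socket, struct

# Constructed sample: the PUSH_REPLY line shown in this issue's container log.
PUSH_REPLY = ("PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,"
              "dhcp-option DNS 103.86.99.100,explicit-exit-notify,comp-lzo no,"
              "route-gateway 10.8.2.1,topology subnet,ping 60,ping-restart 180,"
              "ifconfig 10.8.2.6 255.255.255.0,peer-id 5,cipher AES-256-CBC")

def pushed_dns_servers(push_reply):
    """Return the resolvers the VPN server pushed as 'dhcp-option DNS <ip>'."""
    servers = []
    for opt in push_reply.split(","):
        parts = opt.split()
        if len(parts) == 3 and parts[0] == "dhcp-option" and parts[1] == "DNS":
            servers.append(parts[2])
    return servers

def build_a_query(name):
    """Minimal RFC 1035 A query for name; returns (txid, wire packet)."""
    txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return txid, header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def rcode_of(reply, txid):
    """RCODE of a DNS response matching txid, or None if it is not one."""
    if len(reply) < 12:
        return None
    rid, flags = struct.unpack("!HH", reply[:4])
    return flags & 0x000F if rid == txid and flags & 0x8000 else None

def resolve_via(server, name, timeout=2.0):
    """Query one resolver directly over UDP/53 and report how it answered."""
    txid, pkt = build_a_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(pkt, (server, 53))
            rc = rcode_of(s.recv(512), txid)
        except socket.timeout:
            return "timeout"        # resolver silent: a health check would fail here too
        except OSError as e:
            return f"error: {e}"    # e.g. port unreachable, no route through the tunnel
    return {0: "ok", 2: "servfail", 3: "nxdomain"}.get(rc, f"rcode={rc}")

if __name__ == "__main__":
    host = os.environ.get("HEALTH_CHECK_HOST", "google.com")
    for srv in pushed_dns_servers(PUSH_REPLY):
        print(f"{srv}: {host} -> {resolve_via(srv, host)}")
```

If both pushed resolvers answer "ok" for github.com but time out or return servfail for google.com, the failure is on the provider's resolvers and changing HEALTH_CHECK_HOST is the right workaround rather than touching the tunnel configuration.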

Strike9i commented 6 months ago

HEALTH_CHECK_HOST google.com is not working properly and HEALTH_CHECK_HOST github.com is working for me. For future use it helps when this is changed in the instructions, and even on the Tips & Tricks page.