madnuttah / unbound-docker

🛡️ This distroless Unbound Docker image is based on Alpine Linux with focus on security, privacy, performance and a small image size. And with Pi-hole in mind.
https://hub.docker.com/r/madnuttah/unbound
MIT License

[Bug] Docker container did not start (root.key is missing) #64

Closed update-freak closed 4 months ago

update-freak commented 4 months ago

Describe the bug: The docker container doesn't start. Details below. Here are the files to reproduce: unbound.zip

To Reproduce: Steps to reproduce the behavior:

  1. Create a folder volume1/docker/unbound and copy all files from https://github.com/madnuttah/unbound-docker/tree/main/doc/examples/usr/local/unbound into it
  2. Create the file root.zone from https://www.internic.net/domain/root.zone in /volume1/docker/unbound/iana.d/root.zone
  3. Create an auth-zone.conf in docker/unbound/zones.d with the root servers from here https://www.iana.org/domains/root/servers ---> Is there also a template in your folders showing how the file should look, or is it downloaded automatically?
  4. Use the docker compose in Portainer to start the container on a Synology NAS: docker compose.txt
  5. Change the DNS settings in AdGuard Home to: Unbound, 127.0.0.1:5355

Expected behavior: Container starts

Screenshots: But I got this error:

could not write builtin anchor, to file /usr/local/unbound/iana.d/root.key: Permission denied
[1714068106] libunbound[7:0] error: unable to open /usr/local/unbound/iana.d/root.key for reading: No such file or directory
[1714068106] libunbound[7:0] error: error reading auto-trust-anchor-file: /usr/local/unbound/iana.d/root.key
[1714068106] libunbound[7:0] error: validator: error in trustanchors config
[1714068106] libunbound[7:0] error: validator: could not apply configuration settings.
[1714068106] libunbound[7:0] error: module init for module validator failed
Apr 25 20:01:46 unbound[1:0] notice: init module 0: validator
Apr 25 20:01:46 unbound[1:0] notice: init module 1: iterator
Apr 25 20:01:47 unbound[1:0] info: start of service (unbound 1.19.3).

Without the volumes in the docker-compose the docker container can start.

Additional context: I also asked the question here: https://www.synology-forum.de/threads/best-practice-adguard-home-unbound-als-dns-server.127983/page-15

madnuttah commented 4 months ago

Hi and thanks for reaching out to me.

Why do you want to mount the iana.d folder? It's not recommended to map this volume.

The "internic" files are downloaded at build time; the only reason to connect this volume would be manually updating these files. If you manually copied the files into the folder for a reason, just correct ownership and permissions. Anyway, you shouldn't need this mapping at all.

Edit: Yeah, that folder is still mapped in the examples, will fix that. Fixed.

madnuttah commented 4 months ago

One more thing: you only need to connect the folders if you want to use split configs or need the log. The image also runs fine without. In this case, only your customized unbound.conf needs to be mapped, if necessary at all. The image is already adapted to recursive mode, some say "hyperlocal", and has various optimizations for performance and security already.

update-freak commented 4 months ago

Thank you very much for the info. I have now removed the volumes part in the docker compose. Now it works, but I get this warning. Is there an additional step necessary to solve this warning?

Apr 26 15:11:06 unbound[1:0] notice: init module 0: validator
Apr 26 15:11:06 unbound[1:0] notice: init module 1: iterator
Apr 26 15:11:06 unbound[1:0] warning: auth zone .: ZONEMD verification failed: verify DNSKEY RRset with trust anchor failed
Apr 26 15:11:06 unbound[1:0] info: start of service (unbound 1.19.3).
Apr 26 15:11:12 unbound[1:0] info: generate keytag query _ta-4f66. NULL IN

madnuttah commented 4 months ago

Did you completely down and up the compose stack (docker-compose down && docker-compose up -d)? If it still shows this warning, I'd need your unbound config(s) then please. Thank you.

update-freak commented 4 months ago

I used Portainer to create a stack and used the docker compose file from above, but without the volumes. So I also did not specify a dedicated conf file (and am using the default).

madnuttah commented 4 months ago

OK, then please mount the iana.d folder again (sorry) and put the freshly downloaded root files (iana.org root.key and root.zone) in there.

You'll surely need to correct ownership and the permissions afterwards using chown -R YourUNBOUND_UID:YourUNBOUND_GID /VOLUME1/.../YourUnboundFolder and chmod -R 770 /VOLUME1/.../YourUnboundFolder (sudo may apply).

You maybe also need to set additional permissions via Synology File Manager or Windows ACLs on your Unbound share.

Thank you.
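A preflight check for the mounted iana.d folder, written as an added example that is not part of the unbound-docker project: it tests the two conditions behind the first error in this thread (root.key absent and the directory not writable by the container's unbound user, or root.key present but not readable and writable by it) and prints the chown/chmod fix suggested above. The function names are assumptions, and `stat -c` (GNU coreutils or BusyBox) is assumed to be available.

```shell
#!/bin/sh
# Preflight check for a mounted Unbound iana.d volume (added example, not part
# of the unbound-docker project). Unbound running as the container's UID:GID
# must read root.zone and must read AND write root.key: it stores the builtin
# trust anchor there at startup and keeps it updated (RFC 5011). The first
# error in this thread ("could not write builtin anchor ... Permission denied",
# then "unable to open root.key") is exactly these checks failing.

# has_perm FILE UID GID r|w -> 0 if UID:GID has that permission bit on FILE.
# Uses GNU/BusyBox `stat -c` (assumption); root always passes.
has_perm() {
  file=$1 uid=$2 gid=$3 want=$4
  [ "$uid" -eq 0 ] && return 0
  info=$(stat -c '%u %g %a' "$file" 2>/dev/null) || return 1   # missing file
  fuid=${info%% *}; rest=${info#* }; fgid=${rest%% *}; mode=${rest##* }
  mode=$(printf '%03d' "$mode" | tail -c 3)   # drop setuid/setgid/sticky digit
  if   [ "$fuid" -eq "$uid" ]; then digit=${mode%??}                   # owner
  elif [ "$fgid" -eq "$gid" ]; then digit=${mode%?}; digit=${digit#?}  # group
  else                               digit=${mode#??}                  # other
  fi
  case $want in r) bit=4 ;; w) bit=2 ;; *) return 2 ;; esac
  [ $(( digit & bit )) -ne 0 ]
}

# check_iana_dir DIR UID GID -> 0 if Unbound as UID:GID can use DIR, else 1
# with one line per problem on stderr plus the fix suggested in this thread.
check_iana_dir() {
  dir=$1 uid=$2 gid=$3 rc=0
  [ -d "$dir" ] || { echo "missing directory $dir" >&2; return 1; }
  has_perm "$dir/root.zone" "$uid" "$gid" r \
    || { echo "root.zone missing or unreadable by $uid:$gid" >&2; rc=1; }
  if [ -e "$dir/root.key" ]; then
    { has_perm "$dir/root.key" "$uid" "$gid" r && has_perm "$dir/root.key" "$uid" "$gid" w; } \
      || { echo "root.key not readable+writable by $uid:$gid" >&2; rc=1; }
  else
    # no root.key yet: Unbound creates it, so the directory itself must be writable
    has_perm "$dir" "$uid" "$gid" w \
      || { echo "cannot create root.key in $dir (permission denied)" >&2; rc=1; }
  fi
  [ "$rc" -eq 0 ] || echo "fix: chown -R $uid:$gid '$dir' && chmod -R 770 '$dir'" >&2
  return $rc
}

# usage (hypothetical path and ids): check_iana_dir /volume1/docker/unbound/iana.d 1000 1000
if [ $# -eq 3 ]; then check_iana_dir "$@"; fi
```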

update-freak commented 4 months ago

Now it works without an error/warning in the log.

What I did:

  1. Use all the files in my first post
  2. Create an additional empty root.key file and put this in the iana.d folder
  3. Synology -> give rights for writing and reading for the unbound-folder and all files below
  4. use the docker compose from first post

Thank you for your help and this great docker image! From my side we can close this ticket.

madnuttah commented 4 months ago

It was my pleasure. Thanks for choosing my image, glad it works for you! If there's anything else, feel free to reopen the issue or to file a new one.

Cheers.