qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License

Bug: still chown-ing /etc/unbound even with DOT=off #2291

Open skedastically opened 1 month ago

skedastically commented 1 month ago

Is this urgent?

No

Host OS

Alpine

CPU arch

x86_64

VPN service provider

Custom

What are you using to run the container

Podman

What is the version of Gluetun

Running version latest built on 2024-05-18T18:08:57.405Z (commit 4218dba)

What's the problem 🤔

I'm trying to run gluetun as a non-root user with DOT=off and all capabilities dropped except NET_ADMIN.

However, gluetun still tries to chown /etc/unbound despite disabling said Unbound server. This results in an error that shuts down the container.

ERROR chown /etc/unbound: operation not permitted

Therefore, I would like to disable this behaviour entirely when the DOT=off env var is present.

Adding --cap-add CHOWN, for now, would fix the issue.

Share your logs (at least 10 lines)

```
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 9.9.9.9
|   └── DNS over TLS settings:
|       └── Enabled: no
...
├── OS Alpine settings:
|   ├── Process UID: 1001
|   └── Process GID: 1001
...
2024-05-20T09:49:39Z WARN DNS address is set to 9.9.9.9 so the DNS over TLS (DoT) server will not be used. The default value changed to 127.0.0.1 so it uses the internal DoT serves. If the DoT server fails to start, the IPv4 address of the first plaintext DNS server corresponding to the first DoT provider chosen is used.
2024-05-20T09:49:39Z INFO using existing username 1001 corresponding to user id 1001
2024-05-20T09:49:39Z ERROR chown /etc/unbound: operation not permitted
2024-05-20T09:49:39Z INFO Shutdown successful
```

Share your configuration

```yaml
version: "3.8"
services:
  gluetun:
    image: qmcgaw/gluetun:latest
    container_name: gluetun
    user: "1001:1001"
    devices:
      - /dev/net/tun:/dev/net/tun
    volumes:
      - ./gluetun:/gluetun/ # config inside /gluetun/wireguard/wg0.conf
    environment:
      - PGID=1001
      - PUID=1001
      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=wireguard
      - DNS_ADDRESS=1.1.1.1 # using plain-text DNS
      - DOT=off
    security_opt:
      - no-new-privileges:true # security_opt entries are strings in a list
    cap_drop:
      - ALL
    cap_add:
      - NET_ADMIN
#     - CHOWN # adding this would fix the issue
```

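An added illustration of the behaviour this report asks for, written for this page and not taken from gluetun's code: the resolver directory is only touched when DoT is enabled, and the chown syscall is skipped when ownership already matches, so a container started with CAP_CHOWN dropped and a pre-owned directory does not abort. The function names and the directory path are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"syscall"
)

// ensureOwnership makes dir owned by uid:gid. It first compares the current
// owner and only calls chown when something actually has to change, so no
// CAP_CHOWN is needed when the directory was pre-created with the right owner.
func ensureOwnership(dir string, uid, gid int) error {
	info, err := os.Stat(dir)
	if err != nil {
		return err
	}
	if st, ok := info.Sys().(*syscall.Stat_t); ok &&
		int(st.Uid) == uid && int(st.Gid) == gid {
		return nil // already correct: no privileged syscall required
	}
	if err := os.Chown(dir, uid, gid); err != nil {
		if errors.Is(err, os.ErrPermission) {
			return fmt.Errorf("chown %s: %w (CAP_CHOWN is dropped; pre-create the directory owned by %d:%d instead)",
				dir, err, uid, gid)
		}
		return err
	}
	return nil
}

// prepareDoT is the guard the report asks for: with DoT disabled there is no
// resolver to set up, so nothing on the filesystem is touched at all.
func prepareDoT(dotEnabled bool, dir string, uid, gid int) error {
	if !dotEnabled {
		return nil
	}
	return ensureOwnership(dir, uid, gid)
}

func main() {
	// Constructed demo values mirroring the report (DOT=off, PUID/PGID 1001).
	fmt.Println("DOT=off  ->", prepareDoT(false, "/etc/unbound", 1001, 1001))
	fmt.Println("DOT=on   ->", prepareDoT(true, "/etc/unbound", 1001, 1001))
}
```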
github-actions[bot] commented 1 month ago

@qdm12 is more or less the only maintainer of this project and works on it in his free time. Please: