VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
What's the problem 🤔
I'm trying to run gluetun as a non-root user with DOT=off and all capabilities dropped except NET_ADMIN.
However, gluetun still tries to chown /etc/unbound despite disabling said Unbound server. This results in an error that shuts down the container.
ERROR chown /etc/unbound: operation not permitted
Therefore, I would like to disable this behaviour entirely when the DOT=off env var is present.
Adding --cap-add CHOWN, for now, would fix the issue.
Share your logs (at least 10 lines)
├── DNS settings:
| ├── Keep existing nameserver(s): no
| ├── DNS server address to use: 9.9.9.9
| └── DNS over TLS settings:
| └── Enabled: no
...
├── OS Alpine settings:
| ├── Process UID: 1001
| └── Process GID: 1001
...
2024-05-20T09:49:39Z WARN DNS address is set to 9.9.9.9 so the DNS over TLS (DoT) server will not be used. The default value changed to 127.0.0.1 so it uses the internal DoT serves. If the DoT server fails to start, the IPv4 address of the first plaintext DNS server corresponding to the first DoT provider chosen is used.
2024-05-20T09:49:39Z INFO using existing username 1001 corresponding to user id 1001
2024-05-20T09:49:39Z ERROR chown /etc/unbound: operation not permitted
2024-05-20T09:49:39Z INFO Shutdown successful
Share your configuration
```yaml
version: "3.8"
services:
  gluetun:
    image: qmcgaw/gluetun:latest
    container_name: gluetun
    user: "1001:1001"
    devices:
      - /dev/net/tun:/dev/net/tun
    volumes:
      - ./gluetun:/gluetun/ # config inside /gluetun/wireguard/wg0.conf
    environment:
      - PGID=1001
      - PUID=1001
      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=wireguard
      - DNS_ADDRESS=1.1.1.1 # using plain-text DNS
      - DOT=off
    security_opt:
      - no-new-privileges:true # security_opt is a list of "key:value" strings, not a mapping
    cap_drop:
      - ALL
    cap_add:
      - NET_ADMIN
      # - CHOWN # adding this would fix the issue
```
@qdm12 is more or less the only maintainer of this project and works on it in his free time.
Please:
do not ask for updates, be patient
:+1: the issue to show your support instead of commenting
@qdm12 usually checks issues at least once a week, if this is a new urgent bug,
revert to an older tagged container image
Is this urgent?
No
Host OS
Alpine
CPU arch
x86_64
VPN service provider
Custom
What are you using to run the container
Podman
What is the version of Gluetun
Running version latest built on 2024-05-18T18:08:57.405Z (commit 4218dba)
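The failure mode reported above is a chown of the Unbound directory that runs even though DNS over TLS is off, which fails once CAP_CHOWN is dropped. The Go block below is an added example written for this page, not gluetun's own code: it gates the Unbound directory setup on DoT being enabled, skips the chown when the directory already has the wanted owner (so no capability is needed), and downgrades a denied chown to a warning when the directory is still writable by the process. The names dnsSettings, ensureOwnership and setupDNS, and the temp directory used in place of /etc/unbound, are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// dnsSettings is a hypothetical, reduced form of the DNS settings printed in the
// issue's log tree (DoT enabled/disabled, process UID/GID). Not gluetun's type.
type dnsSettings struct {
	DoTEnabled bool
	UID        int
	GID        int
	UnboundDir string // /etc/unbound in the real image; a temp dir in the demo
}

// ensureOwnership brings dir to uid:gid, but:
//   - does nothing if dir is already owned by uid:gid (no CAP_CHOWN needed), and
//   - if chown is denied (CAP_CHOWN dropped) yet the directory is still writable by
//     this process, returns a warning instead of a fatal error.
func ensureOwnership(dir string, uid, gid int) (warning string, err error) {
	info, err := os.Stat(dir)
	if err != nil {
		return "", err
	}
	if st, ok := info.Sys().(*syscall.Stat_t); ok && int(st.Uid) == uid && int(st.Gid) == gid {
		return "", nil // already correct: a chown here would be a no-op that still needs the capability
	}
	err = os.Chown(dir, uid, gid)
	if err == nil {
		return "", nil
	}
	if !errors.Is(err, os.ErrPermission) {
		return "", err // something other than a missing capability
	}
	// EPERM: no CAP_CHOWN. Only fatal if the process cannot actually write there.
	probe := filepath.Join(dir, ".write-probe")
	f, perr := os.Create(probe)
	if perr != nil {
		return "", fmt.Errorf("chown %s: %w (and directory is not writable: %v)", dir, err, perr)
	}
	f.Close()
	os.Remove(probe)
	return fmt.Sprintf("cannot chown %s (%v); continuing because it is writable", dir, err), nil
}

// setupDNS gates the whole Unbound directory setup on DoT being enabled, so that
// DOT=off never touches the directory at all.
func setupDNS(s dnsSettings) (warning string, err error) {
	if !s.DoTEnabled {
		return "", nil
	}
	if err := os.MkdirAll(s.UnboundDir, 0o750); err != nil {
		return "", err
	}
	return ensureOwnership(s.UnboundDir, s.UID, s.GID)
}

func main() {
	// Constructed demo: a temp dir owned by the current user stands in for /etc/unbound.
	dir, err := os.MkdirTemp("", "unbound-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	for _, s := range []dnsSettings{
		{DoTEnabled: false, UID: 1001, GID: 1001, UnboundDir: "/etc/unbound"},
		{DoTEnabled: true, UID: os.Getuid(), GID: os.Getgid(), UnboundDir: dir},
	} {
		warn, err := setupDNS(s)
		fmt.Printf("DoT=%v dir=%s warning=%q err=%v\n", s.DoTEnabled, s.UnboundDir, warn, err)
	}
}
```

With DoT off the function returns before any filesystem access, which is the behaviour the report asks for; with DoT on and a directory that already belongs to the process UID/GID, it also returns without calling chown, so the container can keep cap_drop ALL plus NET_ADMIN only. Adding CHOWN back to cap_add remains the workaround when the directory in the image is owned by root and really must be re-owned.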