qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License

Bug: could not read root hints /etc/unbound/root.hints: Permission denied #2360

Closed pops64 closed 2 weeks ago

pops64 commented 1 month ago

Is this urgent?

No

Host OS

Arch

CPU arch

x86_64

VPN service provider

ProtonVPN

What are you using to run the container

docker-compose

What is the version of Gluetun

Running version latest built on 2024-07-12T19:57:02.146Z (commit 9d50c23)

What's the problem 🤔

Getting permission denied errors on the root hints. Docker volumes are running on top of ZFS. I have ensured the root user has permissions on the ZFS share, with no effect.

[****@**** ****]$ docker exec gluetun ls -l /etc/unbound/root.hints
-rw-r-----    1 root     root          3310 Jul 15 16:33 /etc/unbound/root.hints

Share your logs (at least 10 lines)

2024-07-15T16:05:59Z ERROR [dns] could not read root hints /etc/unbound/root.hints: Permission denied
2024-07-15T16:05:59Z INFO [dns] fatal error: Could not set root or stub hints
2024-07-15T16:06:00Z INFO [dns] falling back on plaintext DNS at address 10.2.0.1
2024-07-15T16:06:00Z WARN [dns] exit status 1
2024-07-15T16:06:00Z INFO [dns] attempting restart in 10s
2024-07-15T16:06:10Z INFO [dns] downloading DNS over TLS cryptographic files
2024-07-15T16:06:10Z INFO [dns] downloading hostnames and IP block lists
2024-07-15T16:06:13Z INFO [dns] ready
2024-07-15T16:06:17Z ERROR [dns] could not read root hints /etc/unbound/root.hints: Permission denied
2024-07-15T16:06:17Z INFO [dns] fatal error: Could not set root or stub hints
2024-07-15T16:06:17Z INFO [dns] falling back on plaintext DNS at address 10.2.0.1
2024-07-15T16:06:17Z WARN [dns] exit status 1
2024-07-15T16:06:17Z INFO [dns] attempting restart in 10s
2024-07-15T16:06:27Z INFO [dns] downloading DNS over TLS cryptographic files
2024-07-15T16:06:28Z INFO [dns] downloading hostnames and IP block lists
2024-07-15T16:06:30Z INFO [dns] ready
2024-07-15T16:06:35Z ERROR [dns] could not read root hints /etc/unbound/root.hints: Permission denied

Share your configuration

gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    # line above must be uncommented to allow external containers to connect.
    # See https://github.com/qdm12/gluetun-wiki/blob/main/setup/connect-a-container-to-gluetun.md#external-container-to-gluetun
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      ******
    volumes:
      - ./config/gluetun:/gluetun
    environment:
      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=wireguard
      - VPN_ENDPOINT_IP=185.159.156.100
      - VPN_ENDPOINT_PORT=51820
      - WIREGUARD_PUBLIC_KEY=***********
      - WIREGUARD_PRIVATE_KEY=******************
      - WIREGUARD_ADDRESSES=10.2.0.2/32
      - VPN_PORT_FORWARDING=on
      - VPN_PORT_FORWARDING_PROVIDER=protonvpn
      - DNS_ADDRESS=10.2.0.1
      - FIREWALL_OUTBOUND_SUBNETS=192.168.***.0/24

github-actions[bot] commented 1 month ago

@qdm12 is more or less the only maintainer of this project and works on it in his free time. Please:

qdm12 commented 1 month ago

Unbound doesn't run as root, it runs as nonrootuser with uid and gid 1000. Why are you fiddling with permissions? The Gluetun program (running as root) creates /etc/unbound and sets ownership and permissions correctly by default:

https://github.com/qdm12/gluetun/blob/a03041cfea85b670c1c84d6cfbee3a60fdde55b1/cmd/gluetun/main.go#L314
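The listings in this thread show exactly why the read fails: Unbound runs as uid/gid 1000 while `root.hints` is `root:root` with mode `0640`, so the "other" class (no bits) applies. The following Go program is an added example, not code from Gluetun or its maintainer; it parses `ls -l` lines like the ones posted above and applies the basic POSIX permission-class rule (owner if the uid matches, else group if the gid matches, else other) for a given uid/gid. The `idByName` table that maps `root`, `nonrootu` and bare numeric ids to uids is a constructed assumption standing in for the container's `/etc/passwd` and `/etc/group`; supplementary groups and root's `CAP_DAC_OVERRIDE` are deliberately not modelled, since the reporter's point is that root did not override on the ZFS-backed volume.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// rwx bits for one permission class, in the order `ls -l` prints them.
const (
	permRead  uint8 = 4
	permWrite uint8 = 2
	permExec  uint8 = 1
)

// Entry is one parsed `ls -l` line.
type Entry struct {
	Path  string
	IsDir bool
	UID   int
	GID   int
	Owner uint8 // rwx bits for the owning user
	Group uint8 // rwx bits for the owning group
	Other uint8 // rwx bits for everyone else
}

// Constructed name -> id table standing in for the container's /etc/passwd
// and /etc/group (ls truncates "nonrootuser" to "nonrootu"; a group with no
// name is printed as its bare gid). This is an assumption for the example.
var idByName = map[string]int{
	"root":        0,
	"nonrootu":    1000,
	"nonrootuser": 1000,
}

func lookupID(name string) (int, error) {
	if id, ok := idByName[name]; ok {
		return id, nil
	}
	return strconv.Atoi(name) // numeric id printed directly by ls
}

// parseTriplet turns "rw-" / "r-x" / "rws" style text into rwx bits.
func parseTriplet(s string) (uint8, error) {
	var bits uint8
	for i, want := range []byte{'r', 'w', 'x'} {
		switch s[i] {
		case want:
			bits |= uint8(4) >> i
		case '-':
		case 's', 't': // setuid/setgid/sticky with the execute bit set
			bits |= permExec
		case 'S', 'T': // setuid/setgid/sticky without the execute bit
		default:
			return 0, fmt.Errorf("unexpected permission char %q in %q", s[i], s)
		}
	}
	return bits, nil
}

// ParseLsLine parses one line of `ls -l` output such as the ones in the issue.
func ParseLsLine(line string) (Entry, error) {
	f := strings.Fields(line)
	if len(f) < 9 || len(f[0]) < 10 {
		return Entry{}, errors.New("not an `ls -l` line: " + line)
	}
	mode := f[0]
	uid, err := lookupID(f[2])
	if err != nil {
		return Entry{}, err
	}
	gid, err := lookupID(f[3])
	if err != nil {
		return Entry{}, err
	}
	e := Entry{Path: strings.Join(f[8:], " "), IsDir: mode[0] == 'd', UID: uid, GID: gid}
	if e.Owner, err = parseTriplet(mode[1:4]); err != nil {
		return Entry{}, err
	}
	if e.Group, err = parseTriplet(mode[4:7]); err != nil {
		return Entry{}, err
	}
	if e.Other, err = parseTriplet(mode[7:10]); err != nil {
		return Entry{}, err
	}
	return e, nil
}

// classBits picks the single class POSIX applies to a process: owner if the
// uid matches, else group if the gid matches, else other. Supplementary
// groups and root's override are intentionally not modelled here.
func classBits(e Entry, uid, gid int) uint8 {
	switch {
	case uid == e.UID:
		return e.Owner
	case gid == e.GID:
		return e.Group
	default:
		return e.Other
	}
}

// CanRead reports whether a process with uid/gid may open the entry for reading.
func CanRead(e Entry, uid, gid int) bool { return classBits(e, uid, gid)&permRead != 0 }

// Diagnose maps each listed path to whether uid/gid can read it.
func Diagnose(lines []string, uid, gid int) (map[string]bool, error) {
	out := map[string]bool{}
	for _, l := range lines {
		e, err := ParseLsLine(l)
		if err != nil {
			return nil, err
		}
		out[e.Path] = CanRead(e, uid, gid)
	}
	return out, nil
}

func main() {
	// The two listings copied from the issue report above.
	listing := []string{
		"-rw-r-----    1 root     root          3310 Jul 15 16:33 /etc/unbound/root.hints",
		"drwxr-xr-x    1 nonrootu 1000             6 Jul 27 04:24 unbound",
	}
	res, err := Diagnose(listing, 1000, 1000) // Unbound's uid/gid per the maintainer
	if err != nil {
		panic(err)
	}
	for p, ok := range res {
		fmt.Printf("uid/gid 1000 can read %s: %v\n", p, ok)
	}
}
```

Running it shows the directory is readable (owner is uid 1000) while `root.hints` is not (uid 1000 falls into "other", which has no bits), which is the "Permission denied" in the log. The same check with uid 0 or gid 0 succeeds, which is why the reporter's root-based experiments did not reproduce the problem.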

pops64 commented 1 month ago

I am only fiddling with permissions because the default owner:group is not root and, because of the weird ZFS/ACL/Linux interface, root doesn't trump owner:group. The only thing I made sure of was that root was in the same group as the ZFS shares, so it wouldn't be interfered with.

Also, these are the permissions set by Gluetun for the unbound folder. For some reason Gluetun is not setting the pid and uid to root for this folder, which shouldn't cause an issue because other has r-x perms:

[*****@*****~]$ docker exec gluetun ls -l /etc | grep unbound
drwxr-xr-x    1 nonrootu 1000             6 Jul 27 04:24 unbound

Also, here are the perms for the file it is trying to access:

[****@**** ****]$ docker exec gluetun ls -l /etc/unbound/root.hints
-rw-r-----    1 root     root          3310 Jul 15 16:33 /etc/unbound/root.hints

qdm12 commented 1 month ago

I suggest you try image qmcgaw/gluetun:pr-1742 (see PR #1742 and issue #137). This is ready to be used pretty much, but I'm waiting to do a v3.39.0 release before removing Unbound. It's just DNSSEC validation is dropped (for the time being), but it's really not something THAT useful (I nearly completed a full implementation at https://github.com/qdm12/dns/pull/97 I know what I'm talking about 🤣)

qdm12 commented 2 weeks ago

The PR mentioned above just got merged, so there is no Unbound anymore; closing this as a consequence.

github-actions[bot] commented 2 weeks ago

Closed issues are NOT monitored, so commenting here is likely to be not seen. If you think this is still unresolved and have more information to bring, please create another issue.

This is an automated comment set up because @qdm12 is the sole maintainer of this project, which became too popular to monitor closed issues.