search

smebberson / docker-alpine

Docker containers running Alpine Linux and s6 for process management. Solid, reliable containers.
MIT License
596 stars 186 forks source link

Support storage back ends that do not support extended file attributes #80

Open bluen opened 7 years ago

bluen commented 7 years ago

When using a storage back end in docker that does not support extended file attributes, the go-dnsmasq resolver is not able to bind to port 53 (or any other port < 1024).

Basically the line https://github.com/smebberson/docker-alpine/blob/master/alpine-base/Dockerfile#L18 has no effect when such a storage back end (aufs, btrfs - see https://github.com/docker/docker/issues/30557) is used, so DNS fails in the container.

I suggest a simple workaround in https://github.com/smebberson/docker-alpine/blob/master/alpine-base/root/etc/services.d/resolver/run like this:

#!/usr/bin/with-contenv sh

RUNAS="go-dnsmasq"

setcap -v CAP_NET_BIND_SERVICE=+eip /bin/go-dnsmasq
status=$?

if [ !$status ];
then
    RUNAS="root"
fi

s6-setuidgid ${RUNAS} go-dnsmasq --default-resolver --ndots "1" --fwd-ndots "0" --hostsfile=/etc/hosts >> $GO_DNSMASQ_LOG_FILE 2>&1

This makes go-dnsmasq run as root (instead of the go-dnsmasq user) if the capability is not set on the binary (which is the case when using a back end that does not support extended file attributes.

bluen commented 7 years ago

Here's some information observed on Debian jessie with docker 1.13.1 using storage back end aufs:

# setcap -v CAP_NET_BIND_SERVICE=+eip /bin/go-dnsmasq
/bin/go-dnsmasq differs in [pie]

/var/log/go-dnsmasq/go-dnsmasq.log in the container:

time="2017-03-16T13:15:28Z" level=info msg="Starting go-dnsmasq server 1.0.7" 
time="2017-03-16T13:15:28Z" level=info msg="Nameservers: [8.8.8.8:53 8.8.4.4:53]" 
time="2017-03-16T13:15:28Z" level=info msg="Setting host nameserver to 127.0.0.1" 
time="2017-03-16T13:15:28Z" level=info msg="Ready for queries on tcp://127.0.0.1:53" 
time="2017-03-16T13:15:28Z" level=info msg="Ready for queries on udp://127.0.0.1:53" 
time="2017-03-16T13:15:28Z" level=fatal msg="listen udp 127.0.0.1:53: bind: permission denied"
smebberson commented 7 years ago

@bluen, I've experienced this myself and came up with the same solution. Just going through some maintenance releases and will release this shortly with an upgrade to Alpine 3.5.

sramazzina commented 7 years ago

Hi @smebberson. Any news on this issue of level=fatal msg="listen udp 127.0.0.1:53: bind: permission denied"? I'm using your container and experiencing same issue. When you are planning to release the fixes you're talking about?

smebberson commented 7 years ago

@bluen, what are your thoughts on https://github.com/smebberson/docker-alpine/commits/abh-master

It takes a different approach to resolve the setcap issue. Less smart, but simpler than your version. Any thoughts?