
Bug: still chown-ing /etc/unbound even with DOT=off #2291

Open
skedastically opened this issue May 21, 2024 · 1 comment


skedastically commented May 21, 2024

Is this urgent?

No

Host OS

Alpine

CPU arch

x86_64

VPN service provider

Custom

What are you using to run the container

Podman

What is the version of Gluetun

Running version latest built on 2024-05-18T18:08:57.405Z (commit 4218dba)

What's the problem 🤔

I'm trying to run gluetun as a non-root user with DOT=off and all capabilities dropped except NET_ADMIN.

However, gluetun still tries to chown /etc/unbound despite disabling said Unbound server. This results in an error that shuts down the container.

ERROR chown /etc/unbound: operation not permitted

Therefore, I would like to disable this behaviour entirely when the DOT=off env var is present.

Adding --cap-add CHOWN, for now, would fix the issue.

Share your logs (at least 10 lines)

├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 9.9.9.9
|   └── DNS over TLS settings:
|       └── Enabled: no
...
├── OS Alpine settings:
|   ├── Process UID: 1001
|   └── Process GID: 1001
...
2024-05-20T09:49:39Z WARN DNS address is set to 9.9.9.9 so the DNS over TLS (DoT) server will not be used. The default value changed to 127.0.0.1 so it uses the internal DoT serves. If the DoT server fails to start, the IPv4 address of the first plaintext DNS server corresponding to the first DoT provider chosen is used.
2024-05-20T09:49:39Z INFO using existing username 1001 corresponding to user id 1001
2024-05-20T09:49:39Z ERROR chown /etc/unbound: operation not permitted
2024-05-20T09:49:39Z INFO Shutdown successful

Share your configuration

version: "3.8"
services:
  gluetun:
    image: qmcgaw/gluetun:latest
    container_name: gluetun
    user: "1001:1001"
    devices:
      - /dev/net/tun:/dev/net/tun
    volumes:
      - ./gluetun:/gluetun/ # config inside /gluetun/wireguard/wg0.conf
    environment:
      - PGID=1001
      - PUID=1001
      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=wireguard
      - DNS_ADDRESS=1.1.1.1 # using plain-text DNS
      - DOT=off
    security_opt:
      - no-new-privileges:true # compose expects a list of "key:value" strings here
    cap_drop:
      - ALL
    cap_add:
      - NET_ADMIN
      # - CHOWN # adding this would fix the issue
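The pattern the report asks for, as an added example that is not gluetun's own code: a directory-preparation step that skips the Unbound directory entirely when DoT is disabled, and that also treats an already-correct owner as success so a container running with `cap_drop: ALL` does not need CAP_CHOWN just to confirm ownership. The function name `prepareDNSDir` and its parameters are assumptions for illustration; the temporary directory in `main` stands in for `/etc/unbound`.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"syscall"
)

// prepareDNSDir is a hypothetical helper (not gluetun's code) showing one way
// to avoid the failure from the issue: only touch the Unbound directory when
// DNS over TLS is actually enabled, and skip chown when the owner already
// matches, so CAP_CHOWN is only needed when ownership really has to change.
func prepareDNSDir(dir string, uid, gid int, dotEnabled bool) error {
	if !dotEnabled {
		// DOT=off: the Unbound server is never started, so its directory
		// needs no ownership change. Returning early avoids chown entirely.
		return nil
	}
	info, err := os.Stat(dir)
	if err != nil {
		return fmt.Errorf("stat %s: %w", dir, err)
	}
	// Linux-specific: read the current owner from the stat result.
	if st, ok := info.Sys().(*syscall.Stat_t); ok {
		if int(st.Uid) == uid && int(st.Gid) == gid {
			// Already owned by the target user: nothing to do, no capability needed.
			return nil
		}
	}
	if err := os.Chown(dir, uid, gid); err != nil {
		if errors.Is(err, os.ErrPermission) {
			// This is the EPERM path the issue reports; say what would resolve it.
			return fmt.Errorf("chown %s: %w (grant CAP_CHOWN or pre-create the directory owned by %d:%d)",
				dir, err, uid, gid)
		}
		return fmt.Errorf("chown %s: %w", dir, err)
	}
	return nil
}

func main() {
	// Stand-in for /etc/unbound so the example runs without privileges.
	dir, err := os.MkdirTemp("", "unbound-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	fmt.Println("DOT=off:", prepareDNSDir(dir, os.Getuid(), os.Getgid(), false))
	fmt.Println("DOT=on: ", prepareDNSDir(dir, os.Getuid(), os.Getgid(), true))
}
```

With `dotEnabled` false the function returns before any filesystem call, which is the behaviour the report asks for; with it true, a directory already owned by the process user also needs no chown, so the common non-root deployment works with NET_ADMIN alone.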

@qdm12 is more or less the only maintainer of this project and works on it in his free time.
Please:
