docker-alpine icon indicating copy to clipboard operation
docker-alpine copied to clipboard

Published 20 hours ago verified publisher icon smebberson

Support storage back ends that do not support extended file attributes

Open bluen opened this issue 7 years ago • 4 comments

When using a storage back end in docker that does not support extended file attributes, the go-dnsmasq resolver is not able to bind to port 53 (or any other port < 1024).

Basically the line https://github.com/smebberson/docker-alpine/blob/master/alpine-base/Dockerfile#L18 has no effect when such a storage back end (aufs, btrfs - see https://github.com/docker/docker/issues/30557) is used, so DNS fails in the container.

I suggest a simple workaround in https://github.com/smebberson/docker-alpine/blob/master/alpine-base/root/etc/services.d/resolver/run like this:

#!/usr/bin/with-contenv sh

RUNAS="go-dnsmasq"

setcap -v CAP_NET_BIND_SERVICE=+eip /bin/go-dnsmasq
status=$?

if [ !$status ];
then
    RUNAS="root"
fi

s6-setuidgid ${RUNAS} go-dnsmasq --default-resolver --ndots "1" --fwd-ndots "0" --hostsfile=/etc/hosts >> $GO_DNSMASQ_LOG_FILE 2>&1

This makes go-dnsmasq run as root (instead of the go-dnsmasq user) if the capability is not set on the binary (which is the case when using a back end that does not support extended file attributes.

bluen avatar Mar 16 '17 13:03 bluen

Here's some information observed on Debian jessie with docker 1.13.1 using storage back end aufs:

# setcap -v CAP_NET_BIND_SERVICE=+eip /bin/go-dnsmasq
/bin/go-dnsmasq differs in [pie]

/var/log/go-dnsmasq/go-dnsmasq.log in the container:

time="2017-03-16T13:15:28Z" level=info msg="Starting go-dnsmasq server 1.0.7" 
time="2017-03-16T13:15:28Z" level=info msg="Nameservers: [8.8.8.8:53 8.8.4.4:53]" 
time="2017-03-16T13:15:28Z" level=info msg="Setting host nameserver to 127.0.0.1" 
time="2017-03-16T13:15:28Z" level=info msg="Ready for queries on tcp://127.0.0.1:53" 
time="2017-03-16T13:15:28Z" level=info msg="Ready for queries on udp://127.0.0.1:53" 
time="2017-03-16T13:15:28Z" level=fatal msg="listen udp 127.0.0.1:53: bind: permission denied"

bluen avatar Mar 16 '17 13:03 bluen

@bluen, I've experienced this myself and came up with the same solution. Just going through some maintenance releases and will release this shortly with an upgrade to Alpine 3.5.

smebberson avatar Mar 23 '17 08:03 smebberson

Hi @smebberson. Any news on this issue of level=fatal msg="listen udp 127.0.0.1:53: bind: permission denied"? I'm using your container and experiencing same issue. When you are planning to release the fixes you're talking about?

sramazzina avatar Apr 19 '17 07:04 sramazzina

@bluen, what are your thoughts on https://github.com/smebberson/docker-alpine/commits/abh-master

It takes a different approach to resolve the setcap issue. Less smart, but simpler than your version. Any thoughts?

smebberson avatar May 08 '17 11:05 smebberson