Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support storage back ends that do not support extended file attributes #80

Open
bluen opened this issue Mar 16, 2017 · 4 comments
Open

Support storage back ends that do not support extended file attributes #80

bluen opened this issue Mar 16, 2017 · 4 comments

Comments

@bluen
Copy link

bluen commented Mar 16, 2017

When using a storage back end in docker that does not support extended file attributes, the go-dnsmasq resolver is not able to bind to port 53 (or any other port < 1024).

Basically the line https://github.com/smebberson/docker-alpine/blob/master/alpine-base/Dockerfile#L18 has no effect when such a storage back end (aufs, btrfs - see moby/moby#30557) is used, so DNS fails in the container.

I suggest a simple workaround in https://github.com/smebberson/docker-alpine/blob/master/alpine-base/root/etc/services.d/resolver/run like this:

#!/usr/bin/with-contenv sh

RUNAS="go-dnsmasq"

setcap -v CAP_NET_BIND_SERVICE=+eip /bin/go-dnsmasq
status=$?

if [ !$status ];
then
    RUNAS="root"
fi

s6-setuidgid ${RUNAS} go-dnsmasq --default-resolver --ndots "1" --fwd-ndots "0" --hostsfile=/etc/hosts >> $GO_DNSMASQ_LOG_FILE 2>&1

This makes go-dnsmasq run as root (instead of the go-dnsmasq user) if the capability is not set on the binary (which is the case when using a back end that does not support extended file attributes.
@bluen
Copy link
Author

bluen commented Mar 16, 2017

Here's some information observed on Debian jessie with docker 1.13.1 using storage back end aufs:

# setcap -v CAP_NET_BIND_SERVICE=+eip /bin/go-dnsmasq
/bin/go-dnsmasq differs in [pie]

/var/log/go-dnsmasq/go-dnsmasq.log in the container:

time="2017-03-16T13:15:28Z" level=info msg="Starting go-dnsmasq server 1.0.7" 
time="2017-03-16T13:15:28Z" level=info msg="Nameservers: [8.8.8.8:53 8.8.4.4:53]" 
time="2017-03-16T13:15:28Z" level=info msg="Setting host nameserver to 127.0.0.1" 
time="2017-03-16T13:15:28Z" level=info msg="Ready for queries on tcp://127.0.0.1:53" 
time="2017-03-16T13:15:28Z" level=info msg="Ready for queries on udp://127.0.0.1:53" 
time="2017-03-16T13:15:28Z" level=fatal msg="listen udp 127.0.0.1:53: bind: permission denied"

@smebberson
Copy link
Owner

@bluen, I've experienced this myself and came up with the same solution. Just going through some maintenance releases and will release this shortly with an upgrade to Alpine 3.5.

tomashley pushed a commit to outlyerapp/docker-alpine that referenced this issue Mar 29, 2017
Support storage back ends that do not support extended file attributes
154d5ad 
smebberson/docker-alpine#80
Temporary fix from PayU before making it upstream
@sramazzina
Copy link

Hi @smebberson. Any news on this issue of level=fatal msg="listen udp 127.0.0.1:53: bind: permission denied"? I'm using your container and experiencing same issue. When you are planning to release the fixes you're talking about?

@bjuri bjuri mentioned this issue May 3, 2017
Closed
@smebberson
Copy link
Owner

@bluen, what are your thoughts on https://github.com/smebberson/docker-alpine/commits/abh-master

It takes a different approach to resolve the setcap issue. Less smart, but simpler than your version. Any thoughts?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@smebberson @sramazzina @bluen