Bug: still chown-ing /etc/unbound even with DOT=off
skedastically opened this issue
Is this urgent?
No
Host OS
Alpine
CPU arch
x86_64
VPN service provider
Custom
What are you using to run the container
Podman
What is the version of Gluetun
Running version latest built on 2024-05-18T18:08:57.405Z (commit 4218dba)
What's the problem 🤔
I'm trying to run gluetun as a non-root user with `DOT=off` and all capabilities dropped except `NET_ADMIN`.

However, gluetun still tries to chown `/etc/unbound` despite disabling said Unbound server. This results in an error that shuts down the container:

```
ERROR chown /etc/unbound: operation not permitted
```

Therefore, I would like to disable this behaviour entirely when the `DOT=off` env var is present.

Adding `--cap-add CHOWN`, for now, would fix the issue.
Share your logs (at least 10 lines)
```
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 9.9.9.9
|   └── DNS over TLS settings:
|       └── Enabled: no
...
├── OS Alpine settings:
|   ├── Process UID: 1001
|   └── Process GID: 1001
...
2024-05-20T09:49:39Z WARN DNS address is set to 9.9.9.9 so the DNS over TLS (DoT) server will not be used. The default value changed to 127.0.0.1 so it uses the internal DoT serves. If the DoT server fails to start, the IPv4 address of the first plaintext DNS server corresponding to the first DoT provider chosen is used.
2024-05-20T09:49:39Z INFO using existing username 1001 corresponding to user id 1001
2024-05-20T09:49:39Z ERROR chown /etc/unbound: operation not permitted
2024-05-20T09:49:39Z INFO Shutdown successful
```
Share your configuration
```yaml
version: "3.8"
services:
  gluetun:
    image: qmcgaw/gluetun:latest
    container_name: gluetun
    user: "1001:1001"
    devices:
      - /dev/net/tun:/dev/net/tun
    volumes:
      - ./gluetun:/gluetun/ # config inside /gluetun/wireguard/wg0.conf
    environment:
      - PGID=1001
      - PUID=1001
      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=wireguard
      - DNS_ADDRESS=1.1.1.1 # using plain-text DNS
      - DOT=off
    security_opt:
      - no-new-privileges:true # compose expects a list of "key:value" strings here
    cap_drop:
      - ALL
    cap_add:
      - NET_ADMIN
      # - CHOWN # adding this would fix the issue
```
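The behaviour the report asks for, shown as an added Go example that is not gluetun's code: the chown is skipped entirely when the feature that needs it is off, and when it is on the ownership is checked with a stat first so that `chown` (which needs `CAP_CHOWN` when the owner changes) is only called if something actually differs. A remaining `EPERM` is then reported with the missing capability named. The function `ensureOwnership`, its `needed` flag standing in for `DOT`, and the temporary directory used in `main` in place of `/etc/unbound` are all assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"syscall"
)

// ensureOwnership is a hypothetical helper (not gluetun's code) showing how a
// directory chown can be gated so that a container running as a non-root user
// with CAP_CHOWN dropped does not fail when the chown is unnecessary.
//
// needed stands in for "the DoT (Unbound) server is enabled": when false,
// nothing is touched at all. When true, ownership is checked first and chown
// is only called if it differs, because changing the owner needs CAP_CHOWN
// while a stat does not.
//
// It returns whether a chown was actually performed.
func ensureOwnership(path string, uid, gid int, needed bool) (bool, error) {
	if !needed {
		return false, nil
	}

	info, err := os.Stat(path)
	if err != nil {
		return false, fmt.Errorf("stat %s: %w", path, err)
	}
	st, ok := info.Sys().(*syscall.Stat_t)
	if !ok {
		return false, fmt.Errorf("stat %s: no unix ownership information", path)
	}
	if int(st.Uid) == uid && int(st.Gid) == gid {
		// Already owned correctly: no privileged operation required.
		return false, nil
	}

	if err := os.Chown(path, uid, gid); err != nil {
		if errors.Is(err, fs.ErrPermission) {
			// EPERM here means the process may not change the owner, which for
			// a container with cap_drop ALL is the missing CAP_CHOWN from the
			// report; say so instead of returning a bare error.
			return false, fmt.Errorf("chown %s to %d:%d as uid %d: %w "+
				"(CAP_CHOWN is not available; add it or fix ownership on the host)",
				path, uid, gid, os.Getuid(), err)
		}
		return false, fmt.Errorf("chown %s: %w", path, err)
	}
	return true, nil
}

func main() {
	// Constructed stand-in for /etc/unbound so the example runs anywhere.
	dir, err := os.MkdirTemp("", "unbound-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	uid, gid := os.Getuid(), os.Getgid()

	// DoT disabled: nothing happens, even for a path that does not exist.
	changed, err := ensureOwnership("/etc/unbound-does-not-exist", 1001, 1001, false)
	fmt.Printf("dot=off:            changed=%v err=%v\n", changed, err)

	// DoT enabled, directory already owned by us: no chown call, no CAP_CHOWN needed.
	changed, err = ensureOwnership(dir, uid, gid, true)
	fmt.Printf("dot=on, owned:      changed=%v err=%v\n", changed, err)

	// DoT enabled, ownership differs: the only branch that needs CAP_CHOWN and,
	// as an unprivileged user, the one that reproduces the reported error.
	changed, err = ensureOwnership(dir, uid+1, gid, true)
	fmt.Printf("dot=on, other owner: changed=%v err=%v\n", changed, err)
}
```

Run as an unprivileged user, the last call prints the `CAP_CHOWN is not available` error while the first two are no-ops; run as root it performs the chown instead, which is the difference between the reporter's `user: "1001:1001"` setup and a default root container.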
@qdm12 is more or less the only maintainer of this project and works on it in his free time.
Please:
- do not ask for updates, be patient
- 👍 the issue to show your support instead of commenting
@qdm12 usually checks issues at least once a week; if this is a new urgent bug,
revert to an older tagged container image