Hello!
After an update from version 1.4-rolling-202106271939, my podman container for CoreDNS doesn’t start up.
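The logs show bind errors: CoreDNS is denied permission when binding its listening sockets on port 53 (a socket bind failure, not a bind-mount failure):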
...
[WARNING] An external plugin (/go/pkg/mod/github.com/ori-edge/k8s_gateway@v0.1.6/setup.go line 56) is using the deprecated function Normalize. This will be removed in a future versions of CoreDNS. The plugin should be updated to use OriginsFromArgsOrServerBlock or NormalizeExact instead.
[INFO] plugin/k8s_gateway: Starting k8s_gateway controller
Listen: listen tcp 10.10.0.1:53: bind: permission denied
[WARNING] An external plugin (/go/pkg/mod/github.com/ori-edge/k8s_gateway@v0.1.6/setup.go line 56) is using the deprecated function Normalize. This will be removed in a future versions of CoreDNS. The plugin should be updated to use OriginsFromArgsOrServerBlock or NormalizeExact instead.
[INFO] plugin/k8s_gateway: Starting k8s_gateway controller
Listen: listen tcp 10.11.0.1:53: bind: permission denied
[WARNING] An external plugin (/go/pkg/mod/github.com/ori-edge/k8s_gateway@v0.1.6/setup.go line 56) is using the deprecated function Normalize. This will be removed in a future versions of CoreDNS. The plugin should be updated to use OriginsFromArgsOrServerBlock or NormalizeExact instead.
[INFO] plugin/k8s_gateway: Starting k8s_gateway controller
Listen: listen tcp 10.10.0.1:53: bind: permission denied
[WARNING] An external plugin (/go/pkg/mod/github.com/ori-edge/k8s_gateway@v0.1.6/setup.go line 56) is using the deprecated function Normalize. This will be removed in a future versions of CoreDNS. The plugin should be updated to use OriginsFromArgsOrServerBlock or NormalizeExact instead.
[INFO] plugin/k8s_gateway: Starting k8s_gateway controller
Listen: listen tcp 10.20.0.1:53: bind: permission denied
[WARNING] An external plugin (/go/pkg/mod/github.com/ori-edge/k8s_gateway@v0.1.6/setup.go line 56) is using the deprecated function Normalize. This will be removed in a future versions of CoreDNS. The plugin should be updated to use OriginsFromArgsOrServerBlock or NormalizeExact instead.
[INFO] plugin/k8s_gateway: Starting k8s_gateway controller
Listen: listen tcp 10.40.0.1:53: bind: permission denied
...
Corefile here:
vyos@fw# cat /config/coredns/Corefile
.:53 {
bind 127.0.0.1 10.9.18.1 10.10.0.1 10.20.0.1 10.40.0.1 10.30.0.1 10.50.0.1 10.5.0.1 10.11.0.1
errors
log
prometheus :9153
hosts /etc/hosts {
reload "1m"
fallthrough
}
k8s_gateway holthome.net {
ttl 30
kubeconfig /config/kubeconfig
fallthrough
}
forward . tls://1.1.1.1 tls://1.0.0.1 {
tls_servername cloudflare-dns.com
}
}
And the VyOS config for the container here:
vyos@fw# show container
name coredns {
allow-host-networks
image ghcr.io/k8s-at-home/coredns:v1.8.4
volume config_folder {
destination /config
source /config/coredns
}
volume hosts {
destination /etc/hosts
source /etc/hosts
}
}
Here’s the podman container info:
vyos@fw# sudo podman inspect coredns
[
{
"Id": "f222199478d18dc3589279e317f5794295409ba3483c7a2319321a7d11be330f",
"Created": "2021-09-15T10:39:09.297543349-04:00",
"Path": "/coredns",
"Args": [
"-conf",
"/config/Corefile"
],
"State": {
"OciVersion": "1.0.2-dev",
"Status": "running",
"Running": true,
"Paused": false,
"Restarting": false,
"OOMKilled": false,
"Dead": false,
"Pid": 69625,
"ConmonPid": 69616,
"ExitCode": 0,
"Error": "",
"StartedAt": "2021-09-15T10:48:06.686754668-04:00",
"FinishedAt": "2021-09-15T10:48:06.402237508-04:00",
"Healthcheck": {
"Status": "",
"FailingStreak": 0,
"Log": null
}
},
"Image": "a03250528a6331b147bb5ed5bb5620234769f197d08a9fb0203e503b49447e12",
"ImageName": "ghcr.io/k8s-at-home/coredns:v1.8.4",
"Rootfs": "",
"Pod": "",
"ResolvConfPath": "/run/containers/storage/vfs-containers/f222199478d18dc3589279e317f5794295409ba3483c7a2319321a7d11be330f/userdata/resolv.conf",
"HostnamePath": "/run/containers/storage/vfs-containers/f222199478d18dc3589279e317f5794295409ba3483c7a2319321a7d11be330f/userdata/hostname",
"HostsPath": "/run/containers/storage/vfs-containers/f222199478d18dc3589279e317f5794295409ba3483c7a2319321a7d11be330f/userdata/hosts",
"StaticDir": "/config/containers/storage/vfs-containers/f222199478d18dc3589279e317f5794295409ba3483c7a2319321a7d11be330f/userdata",
"OCIConfigPath": "/config/containers/storage/vfs-containers/f222199478d18dc3589279e317f5794295409ba3483c7a2319321a7d11be330f/userdata/config.json",
"OCIRuntime": "crun",
"ConmonPidFile": "/run/containers/storage/vfs-containers/f222199478d18dc3589279e317f5794295409ba3483c7a2319321a7d11be330f/userdata/conmon.pid",
"Name": "coredns",
"RestartCount": 1593,
"Driver": "vfs",
"MountLabel": "",
"ProcessLabel": "",
"AppArmorProfile": "",
"EffectiveCaps": null,
"BoundingCaps": [
"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FOWNER",
"CAP_FSETID",
"CAP_KILL",
"CAP_NET_BIND_SERVICE",
"CAP_SETFCAP",
"CAP_SETGID",
"CAP_SETPCAP",
"CAP_SETUID",
"CAP_SYS_CHROOT"
],
"ExecIDs": [],
"GraphDriver": {
"Name": "vfs",
"Data": null
},
"Mounts": [
{
"Type": "bind",
"Source": "/config/coredns",
"Destination": "/config",
"Driver": "",
"Mode": "",
"Options": [
"rbind"
],
"RW": true,
"Propagation": "rprivate"
},
{
"Type": "bind",
"Source": "/etc/hosts",
"Destination": "/etc/hosts",
"Driver": "",
"Mode": "",
"Options": [
"rbind"
],
"RW": true,
"Propagation": "rprivate"
}
],
"Dependencies": [],
"NetworkSettings": {
"EndpointID": "",
"Gateway": "",
"IPAddress": "",
"IPPrefixLen": 0,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"MacAddress": "",
"Bridge": "",
"SandboxID": "",
"HairpinMode": false,
"LinkLocalIPv6Address": "",
"LinkLocalIPv6PrefixLen": 0,
"Ports": {},
"SandboxKey": "",
"Networks": {
"podman": {
"EndpointID": "",
"Gateway": "",
"IPAddress": "",
"IPPrefixLen": 0,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"MacAddress": "",
"NetworkID": "podman",
"DriverOpts": null,
"IPAMConfig": null,
"Links": null
}
}
},
"ExitCommand": [
"/usr/bin/podman",
"--root",
"/config/containers/storage",
"--runroot",
"/run/containers/storage",
"--log-level",
"warning",
"--cgroup-manager",
"systemd",
"--tmpdir",
"/run/libpod",
"--runtime",
"crun",
"--storage-driver",
"vfs",
"--events-backend",
"journald",
"container",
"cleanup",
"f222199478d18dc3589279e317f5794295409ba3483c7a2319321a7d11be330f"
],
"Namespace": "",
"IsInfra": false,
"Config": {
"Hostname": "fw",
"Domainname": "",
"User": "nonroot:nonroot",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"Tty": true,
"OpenStdin": true,
"StdinOnce": false,
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"TERM=xterm",
"container=podman",
"SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt",
"HOME=/home/nonroot",
"HOSTNAME=fw"
],
"Cmd": [
"/coredns",
"-conf",
"/config/Corefile"
],
"Image": "ghcr.io/k8s-at-home/coredns:v1.8.4",
"Volumes": null,
"WorkingDir": "/home/nonroot",
"Entrypoint": "",
"OnBuild": null,
"Labels": {
"coredns-external-plugins": "alternate, mdns, wgsd, coredns-git, k8s_gateway",
"maintainer": "Devin Buhl \u003cdevin.kray@gmail.com\u003e, Bernd Schorgers \u003cme@bjw-s.dev\u003e",
"org.opencontainers.image.authors": "Anthony Rabbito \u003chello@anthonyrabbito.com\u003e",
"org.opencontainers.image.source": "https://github.com/k8s-at-home/container-images",
"org.opencontainers.image.title": "CoreDNS",
"org.opencontainers.image.version": "1.8.4"
},
"Annotations": {
"io.container.manager": "libpod",
"io.kubernetes.cri-o.Created": "2021-09-15T10:39:09.297543349-04:00",
"io.kubernetes.cri-o.TTY": "true",
"io.podman.annotations.autoremove": "FALSE",
"io.podman.annotations.init": "FALSE",
"io.podman.annotations.privileged": "FALSE",
"io.podman.annotations.publish-all": "FALSE",
"org.opencontainers.image.stopSignal": "15"
},
"StopSignal": 15,
"CreateCommand": [
"podman",
"run",
"--detach",
"--interactive",
"--tty",
"--replace",
"--memory",
"512m",
"--memory-swap",
"0",
"--restart",
"on-failure",
"--name",
"coredns",
"-v",
"/config/coredns:/config",
"-v",
"/etc/hosts:/etc/hosts",
"--net",
"host",
"ghcr.io/k8s-at-home/coredns:v1.8.4"
],
"Umask": "0022"
},
"HostConfig": {
"Binds": [
"/config/coredns:/config:rw,rprivate,rbind",
"/etc/hosts:/etc/hosts:rw,rprivate,rbind"
],
"CgroupManager": "systemd",
"CgroupMode": "private",
"ContainerIDFile": "",
"LogConfig": {
"Type": "k8s-file",
"Config": null,
"Path": "/config/containers/storage/vfs-containers/f222199478d18dc3589279e317f5794295409ba3483c7a2319321a7d11be330f/userdata/ctr.log",
"Tag": "",
"Size": "0B"
},
"NetworkMode": "host",
"PortBindings": {},
"RestartPolicy": {
"Name": "on-failure",
"MaximumRetryCount": 0
},
"AutoRemove": false,
"VolumeDriver": "",
"VolumesFrom": null,
"CapAdd": [],
"CapDrop": [
"CAP_AUDIT_WRITE",
"CAP_NET_RAW",
"CAP_MKNOD"
],
"Dns": [],
"DnsOptions": [],
"DnsSearch": [],
"ExtraHosts": [],
"GroupAdd": [],
"IpcMode": "private",
"Cgroup": "",
"Cgroups": "default",
"Links": null,
"OomScoreAdj": 0,
"PidMode": "private",
"Privileged": false,
"PublishAllPorts": false,
"ReadonlyRootfs": false,
"SecurityOpt": [],
"Tmpfs": {},
"UTSMode": "private",
"UsernsMode": "",
"ShmSize": 65536000,
"Runtime": "oci",
"ConsoleSize": [
0,
0
],
"Isolation": "",
"CpuShares": 0,
"Memory": 536870912,
"NanoCpus": 0,
"CgroupParent": "",
"BlkioWeight": 0,
"BlkioWeightDevice": null,
"BlkioDeviceReadBps": null,
"BlkioDeviceWriteBps": null,
"BlkioDeviceReadIOps": null,
"BlkioDeviceWriteIOps": null,
"CpuPeriod": 0,
"CpuQuota": 0,
"CpuRealtimePeriod": 0,
"CpuRealtimeRuntime": 0,
"CpusetCpus": "",
"CpusetMems": "",
"Devices": [],
"DiskQuota": 0,
"KernelMemory": 0,
"MemoryReservation": 0,
"MemorySwap": 0,
"MemorySwappiness": -1,
"OomKillDisable": false,
"PidsLimit": 2048,
"Ulimits": [
{
"Name": "RLIMIT_NOFILE",
"Soft": 1048576,
"Hard": 1048576
},
{
"Name": "RLIMIT_NPROC",
"Soft": 4194304,
"Hard": 4194304
}
],
"CpuCount": 0,
"CpuPercent": 0,
"IOMaximumIOps": 0,
"IOMaximumBandwidth": 0,
"CgroupConf": null
}
}
]
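Did something change in the underlying permissions for Podman that would cause this error? The inspect output above shows the container running as `nonroot:nonroot` with `"EffectiveCaps": null`, and `CAP_NET_BIND_SERVICE` listed only under `BoundingCaps`. Since port 53 is a privileged port (below 1024), a non-root process that does not hold that capability in its effective set would be expected to fail with exactly this `bind: permission denied`.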