Hello there, I am new to the VyOS community and to networking in general. I'm running a pi-hole container, and the commit fails when I try to bind both 53/tcp and 53/udp as source ports. Binding tcp only works; udp only does not. I do not have DNS forwarding enabled. Here is the sudo netstat -ntulp output with the container not running:
sudo netstat -ntulp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2822/sshd: /usr/sbi
tcp 0 0 127.0.0.1:2616 0.0.0.0:* LISTEN 1427/staticd
tcp 0 0 127.0.0.1:2617 0.0.0.0:* LISTEN 1431/bfdd
tcp 0 0 127.0.0.1:2623 0.0.0.0:* LISTEN 1386/mgmtd
tcp 0 0 127.0.0.1:2608 0.0.0.0:* LISTEN 1407/isisd
tcp 0 0 127.0.0.1:2609 0.0.0.0:* LISTEN 1410/babeld
tcp 0 0 127.0.0.1:2612 0.0.0.0:* LISTEN 1420/ldpd
tcp 0 0 127.0.0.1:2601 0.0.0.0:* LISTEN 1380/zebra
tcp 0 0 127.0.0.1:2602 0.0.0.0:* LISTEN 1395/ripd
tcp 0 0 127.0.0.1:2604 0.0.0.0:* LISTEN 1401/ospfd
tcp 0 0 127.0.0.1:2605 0.0.0.0:* LISTEN 1388/bgpd
tcp6 0 0 :::22 :::* LISTEN 2822/sshd: /usr/sbi
tcp6 0 0 ::1:2622 :::* LISTEN 1413/pim6d
tcp6 0 0 ::1:2603 :::* LISTEN 1398/ripngd
tcp6 0 0 ::1:2606 :::* LISTEN 1404/ospf6d
udp 0 0 0.0.0.0:3784 0.0.0.0:* 1431/bfdd
udp 0 0 0.0.0.0:67 0.0.0.0:* 2707/dhcpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 2551/chronyd
udp 0 0 127.0.0.1:323 0.0.0.0:* 2551/chronyd
udp 0 0 0.0.0.0:4784 0.0.0.0:* 1431/bfdd
udp6 0 0 :::3784 :::* 1431/bfdd
udp6 0 0 :::3785 :::* 1431/bfdd
udp6 0 0 :::123 :::* 2551/chronyd
udp6 0 0 ::1:323 :::* 2551/chronyd
udp6 0 0 :::4784 :::* 1431/bfdd
I do have cap-add net-bind-service enabled. I've seen this post, but their commit does not fail as they say, unlike mine. Here is the commit error output:
Report time: 2024-03-24 13:42:09
Image version: VyOS 1.4-rolling-202403131944
Release train: sagitta
Built by: [email protected]
Built on: Wed 13 Mar 2024 19:44 UTC
Build UUID: 6ea59ece-d77c-4f36-86a5-ba1c0d82b76f
Build commit ID: 213c9e34bff3ef
Architecture: x86_64
Boot via: installed image
System type: bare metal
Hardware vendor: FUJITSU
Hardware model: ESPRIMO E910
Hardware S/N: YLHN025967
Hardware UUID: f6bd2270-dfe2-e211-9463-2dfa5a061e62
Traceback (most recent call last):
File "/usr/libexec/vyos/conf_mode/container.py", line 486, in <module>
apply(c)
File "/usr/libexec/vyos/conf_mode/container.py", line 459, in apply
cmd(f'systemctl restart vyos-container-{name}.service')
File "/usr/lib/python3/dist-packages/vyos/utils/process.py", line 155, in cmd
raise OSError(code, feedback)
PermissionError: [Errno 1] failed to run command: systemctl restart vyos-container-pihole.service
returned:
exit code: 1
noteworthy:
cmd 'systemctl restart vyos-container-pihole.service'
returned (out):
returned (err):
Job for vyos-container-pihole.service failed because the control process exited with error code.
See "systemctl status vyos-container-pihole.service" and "journalctl -xeu vyos-container-pihole.service" for details.
[[container]] failed
Commit failed
Running systemctl status vyos-container-pihole.service yields:
systemctl status vyos-container-pihole.service
× vyos-container-pihole.service - VyOS Container pihole
Loaded: loaded (/run/systemd/system/vyos-container-pihole.service; static)
Active: failed (Result: exit-code) since Sun 2024-03-24 13:42:12 UTC; 2min 0s ago
Duration: 1min 28.766s
Process: 41294 ExecStartPre=/bin/rm -f /run/vyos-container-pihole.service.pid /run/vyos-container-pihole.service.cid (code=exited, status=0/SUCCESS)
Process: 41295 ExecStart=/usr/bin/podman run --conmon-pidfile /run/vyos-container-pihole.service.pid --cidfile /run/vyos-container-pihole.service.cid --cgroups=no-conmon --detach --interactive --tty --replace --cap-add=NET_BIND_SERVICE --memory 512m --shm-size 64m --memory-swap 0 --restart always --name pihole --publish 53:53/tcp --publish 53:53/udp --publish 80:80/tcp --volume /config/podman/pihole-volumes/etc-dnsmasq.d:/etc/dnsmasq.d:rw,rprivate --volume /config/podman/pihole-volumes/etc-pihole:/etc/pihole:rw,rprivate --env TZ=Europe/Warsaw --env WEBPASSWORD=XXXXX --no-healthcheck --net pihole-net --ip 172.16.0.10 pihole/pihole:latest (code=exited, status=126)
Process: 41421 ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile /run/vyos-container-pihole.service.cid (code=exited, status=0/SUCCESS)
Process: 41430 ExecStopPost=/bin/rm -f /run/vyos-container-pihole.service.cid (code=exited, status=0/SUCCESS)
CPU: 249ms
Mar 24 13:42:12 vyos systemd[1]: vyos-container-pihole.service: Scheduled restart job, restart counter is at 5.
Mar 24 13:42:12 vyos systemd[1]: Stopped vyos-container-pihole.service - VyOS Container pihole.
Mar 24 13:42:12 vyos systemd[1]: vyos-container-pihole.service: Start request repeated too quickly.
Mar 24 13:42:12 vyos systemd[1]: vyos-container-pihole.service: Failed with result 'exit-code'.
Mar 24 13:42:12 vyos systemd[1]: Failed to start vyos-container-pihole.service - VyOS Container pihole.
I have tried running
sudo /usr/bin/podman run ... --publish 10.21.37.1:53:53/tcp --publish 10.21.37.1:53:53/udp --publish 80:80/tcp ... pihole/pihole:latest
instead of
sudo /usr/bin/podman run ... --publish 53:53/tcp --publish 53:53/udp --publish 80:80/tcp ... pihole/pihole:latest
where 10.21.37.1 is my LAN interface address, and pihole started working.
config
container {
name pihole {
cap-add net-bind-service
description "Pi-hole DNS"
environment TZ {
value Europe/Warsaw
}
environment WEBPASSWORD {
value XXXXXX
}
image pihole/pihole:latest
network pihole-net {
address 172.16.0.10
}
port dns-tcp {
destination 53
protocol tcp
source 53
}
port dns-udp {
destination 53
protocol udp
source 53
}
port http {
destination 80
protocol tcp
source 80
}
restart always
volume etc-dnsmasq.d {
destination /etc/dnsmasq.d
source /config/podman/pihole-volumes/etc-dnsmasq.d
}
volume etc-pihole {
destination /etc/pihole
source /config/podman/pihole-volumes/etc-pihole
}
}
network pihole-net {
description "Pi-hole network"
prefix 172.16.0.0/24
}
}
firewall {
ipv4 {
name CONTAINER-LAN {
default-action accept
}
name CONTAINER-LOCAL {
default-action accept
}
name CONTAINER-WAN {
default-action accept
}
name LAN-CONTAINER {
default-action accept
}
name LAN-LOCAL {
default-action accept
}
name LAN-WAN {
default-action accept
}
name LOCAL-CONTAINER {
default-action accept
}
name LOCAL-LAN {
default-action accept
}
name LOCAL-WAN {
default-action accept
}
name WAN-CONTAINER {
default-action drop
rule 5 {
action accept
description "Allow Established/Related Traffic"
state established
state related
}
}
name WAN-LAN {
default-action drop
rule 5 {
action accept
description "Allow Established/Related Traffic"
state established
state related
}
rule 20 {
action accept
protocol icmp
state new
}
}
name WAN-LOCAL {
default-action drop
rule 5 {
action accept
description "Allow Established/Related Traffic"
state established
state related
}
rule 20 {
action accept
protocol icmp
state new
}
rule 25 {
action drop
description "Block SSH access from WAN"
destination {
port ssh
}
protocol tcp
}
}
}
zone LAN {
default-action drop
from LOCAL {
firewall {
name LOCAL-LAN
}
}
from PIHOLE {
firewall {
name CONTAINER-LAN
}
}
from WAN {
firewall {
name WAN-LAN
}
}
interface eth1
}
zone LOCAL {
default-action drop
from LAN {
firewall {
name LAN-LOCAL
}
}
from PIHOLE {
firewall {
name CONTAINER-LOCAL
}
}
from WAN {
firewall {
name WAN-LOCAL
}
}
local-zone
}
zone PIHOLE {
default-action drop
from LAN {
firewall {
name LAN-CONTAINER
}
}
from LOCAL {
firewall {
name LOCAL-CONTAINER
}
}
from WAN {
firewall {
name WAN-CONTAINER
}
}
interface pod-pihole-net
}
zone WAN {
default-action drop
from LAN {
firewall {
name LAN-WAN
}
}
from LOCAL {
firewall {
name LOCAL-WAN
}
}
from PIHOLE {
firewall {
name CONTAINER-WAN
}
}
interface pppoe0
}
}
interfaces {
ethernet eth0 {
hw-id xx:xx:xx:xx:xx:9e
}
ethernet eth1 {
address 10.21.37.1/24
description LAN
hw-id xx:xx:xx:xx:xx:e8
}
ethernet eth2 {
description WAN
hw-id xx:xx:xx:xx:xx:e9
}
loopback lo {
}
pppoe pppoe0 {
authentication {
password xxxxxx
username xxxxxx
}
mtu 1492
no-peer-dns
source-interface eth2
}
}
nat {
source {
rule 100 {
outbound-interface {
name pppoe0
}
source {
address 10.21.37.0/24
}
translation {
address masquerade
}
}
rule 101 {
outbound-interface {
name pppoe0
}
source {
address 172.16.0.0/24
}
translation {
address masquerade
}
}
}
}
service {
dhcp-server {
shared-network-name LAN {
subnet 10.21.37.0/24 {
default-router 10.21.37.1
name-server 10.21.37.1
range 0 {
start 10.21.37.150
stop 10.21.37.250
}
}
}
}
ntp {
allow-client {
address xxx.xxx.0.0/0
address ::/0
}
server xxxxx.tld {
}
server xxxxx.tld {
}
server xxxxx.tld {
}
}
ssh {
port 22
}
}
system {
config-management {
commit-revisions 100
}
conntrack {
modules {
ftp
h323
nfs
pptp
sip
sqlnet
tftp
}
}
console {
device ttyS0 {
speed 115200
}
}
host-name xxxxxx
login {
user xxxxxx {
authentication {
encrypted-password xxxxxx
plaintext-password xxxxxx
public-keys [email protected] {
key xxxxxx
type ssh-rsa
}
}
}
}
name-server xxx.xxx.37.1
syslog {
global {
facility all {
level info
}
facility local7 {
level debug
}
}
}
}
Need help with setting this up properly. Thanks!
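An added diagnostic helper, not part of the original post and not VyOS or podman code: it parses netstat -ntulp output and reports which existing socket would collide with a planned --publish binding. The rule it applies is the kernel's own: two sockets of the same protocol and port conflict when either side is bound to the wildcard address (0.0.0.0 or ::, which with the Linux default dual-stack setting also covers IPv4) or when both are bound to the same specific address. The embedded sample is a subset of the netstat lines above plus one constructed line for a hypothetical resolver bound only to the container bridge address 172.16.0.1; that line is an assumption used to show why a wildcard publish of 53/udp can fail while a publish on the LAN address 10.21.37.1 succeeds, exactly the pattern observed in the post.

```python
"""Report host sockets that would block a planned port publish.

Usage: python portcheck.py  (or import and call find_conflicts()).
The sample netstat text below is taken from the forum post, except the
last line, which is CONSTRUCTED for illustration and is not from the page.
"""
import re
from dataclasses import dataclass

# netstat -ntulp line: proto recv-q send-q local foreign [STATE] pid/prog
NETSTAT_LINE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+"
    r"(?:LISTEN\s+)?(?P<pid>\d+)/(?P<prog>.+)$"
)
WILDCARDS = {"0.0.0.0", "::"}


@dataclass(frozen=True)
class Listener:
    proto: str  # "tcp" or "udp"; the IPv6 variants are normalised
    addr: str
    port: int
    pid: int
    prog: str


def parse_netstat(text: str) -> list[Listener]:
    """Parse netstat -ntulp output; header and unknown lines are skipped."""
    listeners = []
    for raw in text.splitlines():
        m = NETSTAT_LINE.match(raw.strip())
        if not m:
            continue
        addr, port = m.group("local").rsplit(":", 1)  # ":::22" -> ("::", "22")
        listeners.append(Listener(
            proto=m.group("proto").rstrip("6"),
            addr=addr,
            port=int(port),
            pid=int(m.group("pid")),
            prog=m.group("prog").strip(),
        ))
    return listeners


def find_conflicts(listeners: list[Listener], proto: str, port: int,
                   addr: str = "0.0.0.0") -> list[Listener]:
    """Sockets that would make bind(addr:port/proto) fail with EADDRINUSE.

    A wildcard on either side collides with everything on that port;
    two specific addresses collide only when they are equal.
    """
    hits = []
    for lst in listeners:
        if lst.proto != proto or lst.port != port:
            continue
        if addr in WILDCARDS or lst.addr in WILDCARDS or lst.addr == addr:
            hits.append(lst)
    return hits


# Sample from the post (first eight lines) plus one CONSTRUCTED line:
# a hypothetical resolver bound only to the container bridge gateway.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2822/sshd: /usr/sbi
tcp 0 0 127.0.0.1:2616 0.0.0.0:* LISTEN 1427/staticd
tcp6 0 0 :::22 :::* LISTEN 2822/sshd: /usr/sbi
udp 0 0 0.0.0.0:67 0.0.0.0:* 2707/dhcpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 2551/chronyd
udp 0 0 127.0.0.1:323 0.0.0.0:* 2551/chronyd
udp6 0 0 :::123 :::* 2551/chronyd
udp 0 0 172.16.0.1:53 0.0.0.0:* 99999/example-resolver
"""

HOST = parse_netstat(SAMPLE_NETSTAT)


def describe(proto: str, port: int, addr: str = "0.0.0.0") -> str:
    hits = find_conflicts(HOST, proto, port, addr)
    if not hits:
        return f"{addr}:{port}/{proto}: free"
    who = ", ".join(f"{h.pid}/{h.prog} on {h.addr}:{h.port}" for h in hits)
    return f"{addr}:{port}/{proto}: BLOCKED by {who}"


if __name__ == "__main__":
    # Mirrors the two podman --publish forms tried in the post.
    for spec in (("udp", 53), ("udp", 53, "10.21.37.1"), ("tcp", 53),
                 ("tcp", 80), ("tcp", 22), ("udp", 123)):
        print(describe(*spec))
```

Run it before committing a container that publishes a privileged port; if the wildcard form is reported as blocked, the listed PID is what to inspect, and publishing on a specific interface address is the narrower, lower-exposure binding in any case.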