Container port mapping error

Hello there, I am new to the VyOS community and to networking in general. I'm running a Pi-hole container and the commit fails when I try to bind both 53/tcp and 53/udp as source ports. Binding tcp only works; udp only does not. I do not have DNS forwarding enabled. Here is the sudo netstat -ntulp output without the container running:

sudo netstat -ntulp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2822/sshd: /usr/sbi 
tcp        0      0 127.0.0.1:2616          0.0.0.0:*               LISTEN      1427/staticd        
tcp        0      0 127.0.0.1:2617          0.0.0.0:*               LISTEN      1431/bfdd           
tcp        0      0 127.0.0.1:2623          0.0.0.0:*               LISTEN      1386/mgmtd          
tcp        0      0 127.0.0.1:2608          0.0.0.0:*               LISTEN      1407/isisd          
tcp        0      0 127.0.0.1:2609          0.0.0.0:*               LISTEN      1410/babeld         
tcp        0      0 127.0.0.1:2612          0.0.0.0:*               LISTEN      1420/ldpd           
tcp        0      0 127.0.0.1:2601          0.0.0.0:*               LISTEN      1380/zebra          
tcp        0      0 127.0.0.1:2602          0.0.0.0:*               LISTEN      1395/ripd           
tcp        0      0 127.0.0.1:2604          0.0.0.0:*               LISTEN      1401/ospfd          
tcp        0      0 127.0.0.1:2605          0.0.0.0:*               LISTEN      1388/bgpd           
tcp6       0      0 :::22                   :::*                    LISTEN      2822/sshd: /usr/sbi 
tcp6       0      0 ::1:2622                :::*                    LISTEN      1413/pim6d          
tcp6       0      0 ::1:2603                :::*                    LISTEN      1398/ripngd         
tcp6       0      0 ::1:2606                :::*                    LISTEN      1404/ospf6d         
udp        0      0 0.0.0.0:3784            0.0.0.0:*                           1431/bfdd           
udp        0      0 0.0.0.0:67              0.0.0.0:*                           2707/dhcpd          
udp        0      0 0.0.0.0:123             0.0.0.0:*                           2551/chronyd        
udp        0      0 127.0.0.1:323           0.0.0.0:*                           2551/chronyd        
udp        0      0 0.0.0.0:4784            0.0.0.0:*                           1431/bfdd           
udp6       0      0 :::3784                 :::*                                1431/bfdd           
udp6       0      0 :::3785                 :::*                                1431/bfdd           
udp6       0      0 :::123                  :::*                                2551/chronyd        
udp6       0      0 ::1:323                 :::*                                2551/chronyd        
udp6       0      0 :::4784                 :::*                                1431/bfdd

I do have cap-add net-bind-service enabled. I've seen this post, but their commit does not fail, as they say, whereas mine does. Here is the commit error output:

commit error output
Report time:      2024-03-24 13:42:09
Image version:    VyOS 1.4-rolling-202403131944
Release train:    sagitta

Built by:         j.randomhacker@vyos.io
Built on:         Wed 13 Mar 2024 19:44 UTC
Build UUID:       6ea59ece-d77c-4f36-86a5-ba1c0d82b76f
Build commit ID:  213c9e34bff3ef

Architecture:     x86_64
Boot via:         installed image
System type:      bare metal

Hardware vendor:  FUJITSU
Hardware model:   ESPRIMO E910
Hardware S/N:     YLHN025967
Hardware UUID:    f6bd2270-dfe2-e211-9463-2dfa5a061e62

Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/container.py", line 486, in <module>
    apply(c)
  File "/usr/libexec/vyos/conf_mode/container.py", line 459, in apply
    cmd(f'systemctl restart vyos-container-{name}.service')
  File "/usr/lib/python3/dist-packages/vyos/utils/process.py", line 155, in cmd
    raise OSError(code, feedback)
PermissionError: [Errno 1] failed to run command: systemctl restart vyos-container-pihole.service
returned: 
exit code: 1

noteworthy:
cmd 'systemctl restart vyos-container-pihole.service'
returned (out):

returned (err):
Job for vyos-container-pihole.service failed because the control process exited with error code.
See "systemctl status vyos-container-pihole.service" and "journalctl -xeu vyos-container-pihole.service" for details.

[[container]] failed
Commit failed

Running systemctl status vyos-container-pihole.service yields:

systemctl status vyos-container-pihole.service
× vyos-container-pihole.service - VyOS Container pihole
     Loaded: loaded (/run/systemd/system/vyos-container-pihole.service; static)
     Active: failed (Result: exit-code) since Sun 2024-03-24 13:42:12 UTC; 2min 0s ago
   Duration: 1min 28.766s
    Process: 41294 ExecStartPre=/bin/rm -f /run/vyos-container-pihole.service.pid /run/vyos-container-pihole.service.cid (code=exited, status=0/SUCCESS)
    Process: 41295 ExecStart=/usr/bin/podman run --conmon-pidfile /run/vyos-container-pihole.service.pid --cidfile /run/vyos-container-pihole.service.cid --cgroups=no-conmon --detach --interactive --tty --replace --cap-add=NET_BIND_SERVICE --memory 512m --shm-size 64m --memory-swap 0 --restart always --name pihole --publish 53:53/tcp --publish 53:53/udp --publish 80:80/tcp --volume /config/podman/pihole-volumes/etc-dnsmasq.d:/etc/dnsmasq.d:rw,rprivate --volume /config/podman/pihole-volumes/etc-pihole:/etc/pihole:rw,rprivate --env TZ=Europe/Warsaw --env WEBPASSWORD=XXXXX --no-healthcheck --net pihole-net --ip 172.16.0.10 pihole/pihole:latest (code=exited, status=126)
    Process: 41421 ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile /run/vyos-container-pihole.service.cid (code=exited, status=0/SUCCESS)
    Process: 41430 ExecStopPost=/bin/rm -f /run/vyos-container-pihole.service.cid (code=exited, status=0/SUCCESS)
        CPU: 249ms

Mar 24 13:42:12 vyos systemd[1]: vyos-container-pihole.service: Scheduled restart job, restart counter is at 5.
Mar 24 13:42:12 vyos systemd[1]: Stopped vyos-container-pihole.service - VyOS Container pihole.
Mar 24 13:42:12 vyos systemd[1]: vyos-container-pihole.service: Start request repeated too quickly.
Mar 24 13:42:12 vyos systemd[1]: vyos-container-pihole.service: Failed with result 'exit-code'.
Mar 24 13:42:12 vyos systemd[1]: Failed to start vyos-container-pihole.service - VyOS Container pihole.

I have tried running:

sudo /usr/bin/podman run ... --publish 10.21.37.1:53:53/tcp --publish 10.21.37.1:53:53/udp --publish 80:80/tcp ... pihole/pihole:latest

instead of:

sudo /usr/bin/podman run ... --publish 53:53/tcp --publish 53:53/udp --publish 80:80/tcp ... pihole/pihole:latest

where 10.21.37.1 is my LAN interface address, and Pi-hole started working.

config
container {
    name pihole {
        cap-add net-bind-service
        description "Pi-hole DNS"
        environment TZ {
            value Europe/Warsaw
        }
        environment WEBPASSWORD {
            value XXXXXX
        }
        image pihole/pihole:latest
        network pihole-net {
            address 172.16.0.10
        }
        port dns-tcp {
            destination 53
            protocol tcp
            source 53
        }
        port dns-udp {
            destination 53
            protocol udp
            source 53
        }
        port http {
            destination 80
            protocol tcp
            source 80
        }
        restart always
        volume etc-dnsmasq.d {
            destination /etc/dnsmasq.d
            source /config/podman/pihole-volumes/etc-dnsmasq.d
        }
        volume etc-pihole {
            destination /etc/pihole
            source /config/podman/pihole-volumes/etc-pihole
        }
    }
    network pihole-net {
        description "Pi-hole network"
        prefix 172.16.0.0/24
    }
}
firewall {
    ipv4 {
        name CONTAINER-LAN {
            default-action accept
        }
        name CONTAINER-LOCAL {
            default-action accept
        }
        name CONTAINER-WAN {
            default-action accept
        }
        name LAN-CONTAINER {
            default-action accept
        }
        name LAN-LOCAL {
            default-action accept
        }
        name LAN-WAN {
            default-action accept
        }
        name LOCAL-CONTAINER {
            default-action accept
        }
        name LOCAL-LAN {
            default-action accept
        }
        name LOCAL-WAN {
            default-action accept
        }
        name WAN-CONTAINER {
            default-action drop
            rule 5 {
                action accept
                description "Allow Established/Related Traffic"
                state established
                state related
            }
        }
        name WAN-LAN {
            default-action drop
            rule 5 {
                action accept
                description "Allow Established/Related Traffic"
                state established
                state related
            }
            rule 20 {
                action accept
                protocol icmp
                state new
            }
        }
        name WAN-LOCAL {
            default-action drop
            rule 5 {
                action accept
                description "Allow Established/Related Traffic"
                state established
                state related
            }
            rule 20 {
                action accept
                protocol icmp
                state new
            }
            rule 25 {
                action drop
                description "Block SSH access from WAN"
                destination {
                    port ssh
                }
                protocol tcp
            }
        }
    }
    zone LAN {
        default-action drop
        from LOCAL {
            firewall {
                name LOCAL-LAN
            }
        }
        from PIHOLE {
            firewall {
                name CONTAINER-LAN
            }
        }
        from WAN {
            firewall {
                name WAN-LAN
            }
        }
        interface eth1
    }
    zone LOCAL {
        default-action drop
        from LAN {
            firewall {
                name LAN-LOCAL
            }
        }
        from PIHOLE {
            firewall {
                name CONTAINER-LOCAL
            }
        }
        from WAN {
            firewall {
                name WAN-LOCAL
            }
        }
        local-zone
    }
    zone PIHOLE {
        default-action drop
        from LAN {
            firewall {
                name LAN-CONTAINER
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-CONTAINER
            }
        }
        from WAN {
            firewall {
                name WAN-CONTAINER
            }
        }
        interface pod-pihole-net
    }
    zone WAN {
        default-action drop
        from LAN {
            firewall {
                name LAN-WAN
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-WAN
            }
        }
        from PIHOLE {
            firewall {
                name CONTAINER-WAN
            }
        }
        interface pppoe0
    }
}
interfaces {
    ethernet eth0 {
        hw-id xx:xx:xx:xx:xx:9e
    }
    ethernet eth1 {
        address 10.21.37.1/24
        description LAN
        hw-id xx:xx:xx:xx:xx:e8
    }
    ethernet eth2 {
        description WAN
        hw-id xx:xx:xx:xx:xx:e9
    }
    loopback lo {
    }
    pppoe pppoe0 {
        authentication {
            password xxxxxx
            username xxxxxx
        }
        mtu 1492
        no-peer-dns
        source-interface eth2
    }
}
nat {
    source {
        rule 100 {
            outbound-interface {
                name pppoe0
            }
            source {
                address 10.21.37.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 101 {
            outbound-interface {
                name pppoe0
            }
            source {
                address 172.16.0.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name LAN {
            subnet 10.21.37.0/24 {
                default-router 10.21.37.1
                name-server 10.21.37.1
                range 0 {
                    start 10.21.37.150
                    stop 10.21.37.250
                }
            }
        }
    }
    ntp {
        allow-client {
            address xxx.xxx.0.0/0
            address ::/0
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
    }
    ssh {
        port 22
    }
}
system {
    config-management {
        commit-revisions 100
    }
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name xxxxxx
    login {
        user xxxxxx {
            authentication {
                encrypted-password xxxxxx
                plaintext-password xxxxxx
                public-keys xxxx@xxx.xxx {
                    key xxxxxx
                    type ssh-rsa
                }
            }
        }
    }
    name-server xxx.xxx.37.1
    syslog {
        global {
            facility all {
                level info
            }
            facility local7 {
                level debug
            }
        }
    }
}

Need help with setting this up properly. Thanks!

Do you use DNS forwarding as a service?
You can bind the port only once.

One of them could help: link1 link2

Let us know if this didn't help you.

Hello,

DNS forwarding service is disabled. show service dns:

Configuration under specified path is empty

The first link is using set container name pihole allow-host-networks which I want to avoid.

set container name pihole cap-add 'net-admin'
set container name pihole cap-add 'net-raw'

The above also results in the same commit error.

The second link does it in an alternative way; the port that is bound is 5353 and the port that I want to bind is specifically 53, so the forwarding is not needed.

Thanks for the fast reply!

I found a solution to my problem based on the podman --publish modified earlier.

I found, through /usr/libexec/vyos/conf_mode/container.py, that it can be modified with set container name <name> port <portname> listen-address so that it matches the podman run.

The container looks now like this:

container configuration
name pihole {
    cap-add net-bind-service
    cap-add net-admin
    cap-add net-raw
    description "Pi-hole DNS"
    environment TZ {
        value Europe/Warsaw
    }
    environment WEBPASSWORD {
        value XXXXXX
    }
    image pihole/pihole:latest
    network pihole-net {
        address 172.16.0.10
    }
    port dns-tcp {
        destination 53
        listen-address 10.21.37.1
        protocol tcp
        source 53
    }
    port dns-udp {
        destination 53
        listen-address 10.21.37.1
        protocol udp
        source 53
    }
    port http {
        destination 80
        protocol tcp
        source 80
    }
    restart always
    volume etc-dnsmasq.d {
        destination /etc/dnsmasq.d
        source /config/podman/pihole-volumes/etc-dnsmasq.d
    }
    volume etc-pihole {
        destination /etc/pihole
        source /config/podman/pihole-volumes/etc-pihole
    }
}
network pihole-net {
    description "Pi-hole network"
    prefix 172.16.0.0/24
}

I assigned the 10.21.37.1 address to listen-address. This solves my problem, yet I do not know how I would set it up so that every interface could access it, i.e. so that podman showed 0.0.0.0:53->53/udp instead of 10.21.37.1:53->53/udp.

show container now outputs this:

show container
CONTAINER ID  IMAGE                           COMMAND     CREATED      STATUS      PORTS                                                             NAMES
413e6104b1d6  docker.io/pihole/pihole:latest              2 hours ago  Up 2 hours  10.21.37.1:53->53/tcp, 10.21.37.1:53->53/udp, 0.0.0.0:80->80/tcp  pihole

As you can see, http (port 80) can be on 0.0.0.0, but 53 cannot.
If anyone is willing to solve this issue, I would be very glad, but for now I mark this topic as solved because my initial problem is now answered.

Config
container {
    name pihole {
        cap-add net-bind-service
        cap-add net-admin
        cap-add net-raw
        description "Pi-hole DNS"
        environment TZ {
            value Europe/Warsaw
        }
        environment WEBPASSWORD {
            value XXXXXXXX
        }
        image pihole/pihole:latest
        network pihole-net {
            address xxx.xxx.0.10
        }
        port dns-tcp {
            destination 53
            listen-address xxx.xxx.37.1
            protocol tcp
            source 53
        }
        port dns-udp {
            destination 53
            listen-address xxx.xxx.37.1
            protocol udp
            source 53
        }
        port http {
            destination 80
            protocol tcp
            source 80
        }
        restart always
        volume etc-dnsmasq.d {
            destination /etc/dnsmasq.d
            source /config/podman/pihole-volumes/etc-dnsmasq.d
        }
        volume etc-pihole {
            destination /etc/pihole
            source /config/podman/pihole-volumes/etc-pihole
        }
    }
    network pihole-net {
        description "Pi-hole network"
        prefix xxx.xxx.0.0/24
    }
}
firewall {
    ipv4 {
        name CONTAINER-LAN {
            default-action accept
        }
        name CONTAINER-LOCAL {
            default-action accept
        }
        name CONTAINER-WAN {
            default-action accept
        }
        name LAN-CONTAINER {
            default-action accept
        }
        name LAN-LOCAL {
            default-action accept
        }
        name LAN-WAN {
            default-action accept
        }
        name LOCAL-CONTAINER {
            default-action accept
        }
        name LOCAL-LAN {
            default-action accept
        }
        name LOCAL-WAN {
            default-action accept
        }
        name WAN-CONTAINER {
            default-action drop
            rule 5 {
                action accept
                description "Allow Established/Related Traffic"
                state established
                state related
            }
        }
        name WAN-LAN {
            default-action drop
            rule 5 {
                action accept
                description "Allow Established/Related Traffic"
                state established
                state related
            }
            rule 20 {
                action accept
                protocol icmp
                state new
            }
        }
        name WAN-LOCAL {
            default-action drop
            rule 5 {
                action accept
                description "Allow Established/Related Traffic"
                state established
                state related
            }
            rule 20 {
                action accept
                protocol icmp
                state new
            }
            rule 25 {
                action drop
                description "Block SSH access from WAN"
                destination {
                    port ssh
                }
                protocol tcp
            }
        }
    }
    zone LAN {
        default-action drop
        from LOCAL {
            firewall {
                name LOCAL-LAN
            }
        }
        from PIHOLE {
            firewall {
                name CONTAINER-LAN
            }
        }
        from WAN {
            firewall {
                name WAN-LAN
            }
        }
        interface eth1
    }
    zone LOCAL {
        default-action drop
        from LAN {
            firewall {
                name LAN-LOCAL
            }
        }
        from PIHOLE {
            firewall {
                name CONTAINER-LOCAL
            }
        }
        from WAN {
            firewall {
                name WAN-LOCAL
            }
        }
        local-zone
    }
    zone PIHOLE {
        default-action drop
        from LAN {
            firewall {
                name LAN-CONTAINER
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-CONTAINER
            }
        }
        from WAN {
            firewall {
                name WAN-CONTAINER
            }
        }
        interface pod-pihole-net
    }
    zone WAN {
        default-action drop
        from LAN {
            firewall {
                name LAN-WAN
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-WAN
            }
        }
        from PIHOLE {
            firewall {
                name CONTAINER-WAN
            }
        }
        interface pppoe0
    }
}
interfaces {
    ethernet eth0 {
        hw-id xx:xx:xx:xx:xx:9e
    }
    ethernet eth1 {
        address xxx.xxx.37.1/24
        description LAN
        hw-id xx:xx:xx:xx:xx:e8
    }
    ethernet eth2 {
        description WAN
        hw-id xx:xx:xx:xx:xx:e9
    }
    loopback lo {
    }
    pppoe pppoe0 {
        authentication {
            password xxxxxx
            username xxxxxx
        }
        mtu 1492
        no-peer-dns
        source-interface eth2
    }
}
nat {
    source {
        rule 100 {
            outbound-interface {
                name pppoe0
            }
            source {
                address xxx.xxx.37.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 101 {
            outbound-interface {
                name pppoe0
            }
            source {
                address xxx.xxx.0.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name xxxxxx {
            subnet xxx.xxx.37.0/24 {
                default-router xxx.xxx.37.1
                name-server xxx.xxx.37.1
                range 0 {
                    start xxx.xxx.37.150
                    stop xxx.xxx.37.250
                }
            }
        }
    }
    ntp {
        allow-client {
            address xxx.xxx.0.0/0
            address ::/0
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
        server xxxxx.tld {
        }
    }
    ssh {
        port 22
    }
}
system {
    config-management {
        commit-revisions 100
    }
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name xxxxxx
    login {
        user xxxxxx {
            authentication {
                encrypted-password xxxxxx
                plaintext-password xxxxxx
                public-keys xxxx@xxx.xxx {
                    key xxxxxx
                    type ssh-rsa
                }
            }
        }
    }
    name-server xxx.xxx.37.1
    syslog {
        global {
            facility all {
                level info
            }
            facility local7 {
                level debug
            }
        }
    }
}
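As an added example (not from this thread or from VyOS), the bind-overlap rule behind the listen-address workaround, applied to constructed netstat rows: a wildcard 0.0.0.0 host bind collides with any existing listener on that port and protocol, while two different specific addresses can share the port. The 172.16.0.1 resolver row and the publish specs are assumptions for illustration, not the poster's real state.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Listener:
    proto: str   # "tcp" or "udp"; tcp6/udp6 rows are folded into the same name
    addr: str    # bound address; "0.0.0.0" or "::" means wildcard
    port: int
    owner: str   # PID/Program name column

# One data row of `netstat -ntulp`; the LISTEN column is absent on udp rows.
_ROW = re.compile(
    r'^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(?:LISTEN\s+)?(\S.*?)?\s*$')

def parse_netstat(text: str) -> list[Listener]:
    """Turn `netstat -ntulp` output into Listener records, skipping header lines."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            proto, addr, port, owner = m.groups()
            rows.append(Listener(proto.rstrip('6'), addr, int(port), owner or '-'))
    return rows

def is_wildcard(addr: str) -> bool:
    # "::" is treated as covering IPv4 too (conservative; dual-stack default).
    return addr in ('0.0.0.0', '::')

def parse_publish(spec: str) -> tuple[str, str, int]:
    """Split podman's [hostaddr:]hostport:containerport[/proto] (IPv4 only here)
    into (proto, hostaddr, hostport); no address means 0.0.0.0, no proto means tcp."""
    ports, _, proto = spec.partition('/')
    parts = ports.rsplit(':', 2)
    if len(parts) == 3:
        host_addr, host_port = parts[0], parts[1]
    else:
        host_addr, host_port = '0.0.0.0', parts[0]
    return (proto or 'tcp'), host_addr, int(host_port)

def conflicts(existing: list[Listener], spec: str) -> list[Listener]:
    """Existing listeners a `--publish spec` host bind would collide with: same
    protocol and port, and either side wildcard or both the same specific address."""
    proto, addr, port = parse_publish(spec)
    return [l for l in existing
            if l.proto == proto and l.port == port
            and (is_wildcard(l.addr) or is_wildcard(addr) or l.addr == addr)]

# Constructed sample in netstat format: rows shaped like the post's output plus a
# hypothetical resolver already bound on a single address on 53/udp.
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2822/sshd: /usr/sbi
tcp6       0      0 :::22                   :::*                    LISTEN      2822/sshd: /usr/sbi
udp        0      0 0.0.0.0:67              0.0.0.0:*                           2707/dhcpd
udp        0      0 172.16.0.1:53           0.0.0.0:*                           4242/hypothetical-dns
"""

def check(specs: list[str]) -> dict[str, list[str]]:
    """Map each publish spec to the owners it collides with (empty list = bindable)."""
    listeners = parse_netstat(SAMPLE)
    return {s: [l.owner for l in conflicts(listeners, s)] for s in specs}

if __name__ == '__main__':
    for spec, owners in check(['53:53/udp', '10.21.37.1:53:53/udp', '80:80', '22:22/tcp']).items():
        print(f'{spec:24} -> {"ok" if not owners else "conflicts with " + ", ".join(owners)}')
```

Run the same check against live `netstat -ntulp` output taken while the container is starting, not before, since listeners that appear only with the container network up are what the post's pre-start snapshot cannot show.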