VyOS Container Bind to Privileged Port Fails

Hello everyone,

I am currently facing an issue with running a container and binding to a privileged port. My specific use case is deploying Pihole as a container, and I would like to expose port 53/UDP. The commit fails when I try to specify port 53; however, it works fine when I add a port above 1024. I have added net-bind-service to the container.

Image Version: VyOS 1.4-rolling-202306130317

set container name pihole-tst cap-add 'net-bind-service'
set container name pihole-tst environment PIHOLE_DNS_ value '1.1.1.1;1.0.0.1'
set container name pihole-tst environment TZ value 'Europe/Stockholm'
set container name pihole-tst environment VIRTUAL_HOST value '<Hostname>'
set container name pihole-tst environment WEBPASSWORD value '<SuperSecret>'
set container name pihole-tst image 'azamserver/pihole-doh:latest'
set container name pihole-tst network con_net address '10.1.0.9'
set container name pihole-tst port dns_udp destination '53'
set container name pihole-tst port dns_udp protocol 'udp'
set container name pihole-tst port dns_udp source '53'
set container name pihole-tst port web_mgmt destination '80'
set container name pihole-tst port web_mgmt protocol 'tcp'
set container name pihole-tst port web_mgmt source '8080'
set container name pihole-tst volume pihole_config destination '/etc/pihole/'
set container name pihole-tst volume pihole_config source '/config/podman/pihole/config'
set container name pihole-tst volume pihole_dnsmasq destination '/etc/dnsmasq.d/'
set container name pihole-tst volume pihole_dnsmasq source '/config/podman/pihole/dnsmasq'
set container name pihole-tst volume pihole_log destination '/var/log/pihole/'
set container name pihole-tst volume pihole_log source '/config/podman/pihole/log'
set container network con_net prefix '10.1.0.0/24'

When I specify the port mapping with source 5353 the DNS resolution works, no problem.

The error message received when I commit:

Report time:      2023-06-30 21:34:09
Image version:    VyOS 1.4-rolling-202306130317
Release train:    current

Built by:         autobuild@vyos.net
Built on:         Tue 13 Jun 2023 03:17 UTC
Build UUID:       52285921-0a5b-4adf-bdd4-0b20e155a3eb
Build commit ID:  dd194c6e8024e1

Architecture:     x86_64
Boot via:         installed image
System type:      bare metal

Hardware vendor:  Supermicro
Hardware model:   Super Server
Hardware S/N:     0123456789
Hardware UUID:    00000000-0000-0000-0000-3cecef0306f4

Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/container.py", line 497, in <module>
    apply(c)
  File "/usr/libexec/vyos/conf_mode/container.py", line 471, in apply
    cmd(f'systemctl restart vyos-container-{name}.service')
  File "/usr/lib/python3/dist-packages/vyos/util.py", line 161, in cmd
    raise OSError(code, feedback)
PermissionError: [Errno 1] failed to run command: systemctl restart vyos-container-pihole-tst.service
returned: 
exit code: 1

noteworthy:
cmd 'systemctl restart vyos-container-pihole-tst.service'
returned (out):

returned (err):
Job for vyos-container-pihole-tst.service failed because the control process exited with error code.
See "systemctl status vyos-container-pihole-tst.service" and "journalctl -xeu vyos-container-pihole-tst.service" for details.

[[container]] failed
Commit failed
[edit]

And the status for the service:

× vyos-container-pihole-tst.service - VyOS Container pihole-tst
     Loaded: loaded (/run/systemd/system/vyos-container-pihole-tst.service; static)
     Active: failed (Result: exit-code) since Fri 2023-06-30 21:34:13 CEST; 1min 9s ago
   Duration: 11.925s
    Process: 464531 ExecStartPre=/bin/rm -f /run/vyos-container-pihole-tst.service.pid /run/vyos-container-pihole-tst.service.cid (code=exited, status=0/SUCCESS)
    Process: 464532 ExecStart=/usr/bin/podman run --conmon-pidfile /run/vyos-container-pihole-tst.service.pid --cidfile /run/vyos-container-pihole-tst.service.cid --cgroups=no-conmon --det>
    Process: 464681 ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile /run/vyos-container-pihole-tst.service.cid (code=exited, status=0/SUCCESS)
    Process: 464700 ExecStopPost=/bin/rm -f /run/vyos-container-pihole-tst.service.cid (code=exited, status=0/SUCCESS)
        CPU: 579ms

Jun 30 21:34:13 pifw01 systemd[1]: vyos-container-pihole-tst.service: Scheduled restart job, restart counter is at 5.
Jun 30 21:34:13 pifw01 systemd[1]: Stopped vyos-container-pihole-tst.service - VyOS Container pihole-tst.
Jun 30 21:34:13 pifw01 systemd[1]: vyos-container-pihole-tst.service: Start request repeated too quickly.
Jun 30 21:34:13 pifw01 systemd[1]: vyos-container-pihole-tst.service: Failed with result 'exit-code'.
Jun 30 21:34:13 pifw01 systemd[1]: Failed to start vyos-container-pihole-tst.service - VyOS Container pihole-tst.

Try one of these capabilities:

set container name pihole cap-add 'net-admin'
set container name pihole cap-add 'net-raw'

I get the same error message as above when I add both net-admin and net-raw.

Try DNAT to port 53, as the privileged option which allows ports < 1024 is not implemented.


Hey,

I used DNS forwarding instead.

I created a port map from source 5353 to destination 53 UDP and configured DNS forwarding as follows:

set service dns forwarding allow-from '10.0.0.0/8'
set service dns forwarding cache-size '0'
set service dns forwarding listen-address '10.1.10.1'
set service dns forwarding name-server 127.0.0.1 port '5353'

I am happy with this workaround until < 1024 binds are implemented.

Thank you for your help.
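As an added example (not code from the thread or from VyOS), a small Python check that parses the `set container ... port` lines above, flags mappings whose host-side `source` port is below 1024 (the case that fails at commit in this thread), and returns the `set` lines for the DNS-forwarding workaround. The listen address and allow-from prefix are taken from the reply above and are assumptions for the sample.

```python
import re
from collections import defaultdict

# Constructed sample: the relevant 'set container' lines from the thread.
SAMPLE_CONFIG = """
set container name pihole-tst cap-add 'net-bind-service'
set container name pihole-tst network con_net address '10.1.0.9'
set container name pihole-tst port dns_udp destination '53'
set container name pihole-tst port dns_udp protocol 'udp'
set container name pihole-tst port dns_udp source '53'
set container name pihole-tst port web_mgmt destination '80'
set container name pihole-tst port web_mgmt protocol 'tcp'
set container name pihole-tst port web_mgmt source '8080'
"""

# In VyOS, 'source' is the host-side port and 'destination' is the container port.
PORT_RE = re.compile(
    r"^set container name (?P<ctr>\S+) port (?P<map>\S+) "
    r"(?P<key>source|destination|protocol) '(?P<val>[^']+)'$"
)

def parse_port_maps(text):
    """Return {(container, mapping_name): {'source':..., 'destination':..., 'protocol':...}}."""
    maps = defaultdict(dict)
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            maps[(m['ctr'], m['map'])][m['key']] = m['val']
    return dict(maps)

def privileged_host_ports(maps, limit=1024):
    """Mappings whose host-side port is below 'limit': these fail at commit on this build."""
    return [(ctr, name, int(spec['source']))
            for (ctr, name), spec in maps.items()
            if 'source' in spec and int(spec['source']) < limit]

def suggest_workaround(maps, listen_address, allow_from, high_port=5353):
    """Build the 'set' lines for the thread's workaround: move the host port above
    1024 and let the VyOS DNS forwarder relay port 53 to it (UDP/53 mappings only)."""
    lines = []
    for (ctr, name), spec in maps.items():
        if (spec.get('protocol') == 'udp' and spec.get('destination') == '53'
                and int(spec.get('source', 0)) < 1024):
            lines += [
                f"set container name {ctr} port {name} source '{high_port}'",
                f"set service dns forwarding allow-from '{allow_from}'",
                f"set service dns forwarding listen-address '{listen_address}'",
                f"set service dns forwarding name-server 127.0.0.1 port '{high_port}'",
            ]
    return lines
```

Run `suggest_workaround(parse_port_maps(SAMPLE_CONFIG), '10.1.10.1', '10.0.0.0/8')` to get the four lines; the `web_mgmt` mapping is left alone because 8080 is already unprivileged.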
