DNS resolution within raspberymatic docker container fails #2739

Open
cubed-it opened this issue May 11, 2024 · 0 comments
Labels
🐛 bug-report Something isn't working

Comments


cubed-it commented May 11, 2024

Describe the issue you are experiencing

Hello everyone,

I have set up a Raspberry Pi with the latest distro, Docker, and RaspberryMatic, and have problems with DNS resolution within the container.

I have created the container exactly according to the following blueprint: https://github.com/jens-maus/RaspberryMatic/wiki/Installation-Docker-OCI#using-docker-compose

services:
  homematic:
    image: ghcr.io/jens-maus/raspberrymatic:latest
    container_name: homematic
    hostname: homematic
    read_only: true
    privileged: true
    restart: unless-stopped
    stop_grace_period: 30s
    volumes:
      - /home/<user>/docker/homematic:/usr/local:rw
      - /lib/modules:/lib/modules:ro
      - /run/udev/control:/run/udev/control
    networks:
      homematic:
        ipv4_address: 192.168.145.9

networks:
  homematic:
    name: homematic
    driver: macvlan
    driver_opts:
      parent: br0
    ipam:
      config:
        - subnet: 192.168.145.0/24
          gateway: 192.168.145.1

The issue is that no DNS resolution is possible from within the container. journalctl gives me the following message cyclically:

May 11 13:32:42 rpi-le dockerd[674]: time="2024-05-11T13:32:42.524563592+02:00" level=error msg="[resolver] failed to query external DNS server" client-addr="udp:192.168.145.9:37355" dns-server="udp:192.168.145.1:53" error="read udp 192.168.145.9:37355->192.168.145.1:53: i/o timeout" question=";google.com.fritz.box.\tIN\t A" spanID=5a987ed8189bc5af traceID=4df1d4d99890b675013fa3b27e2218d9

A CUxD script issuing a query fails, and I get an alert inside the RaspberryMatic web interface: WatchDog: no-internet | triggered | No internet connection detected

Running nslookup wdr.de from inside the container:

/ # nslookup wdr.de
Server:         127.0.0.11
Address:        127.0.0.11:53

;; connection timed out; no servers could be reached

and journalctl:

May 11 13:37:19 rpi-le dockerd[674]: time="2024-05-11T13:37:19.571985054+02:00" level=error msg="[resolver] failed to query external DNS server" client-addr="udp:192.168.145.9:43799" dns-server="udp:192.168.145.1:53" error="read udp 192.168.145.9:43799->192.168.145.1:53: i/o timeout" question=";wdr.de.\tIN\t A" spanID=9d703cbb25db02d6 traceID=653abed0a8d117b93f0e74009d1e4ea9

However, if I completely reset the iptables rules within the container:

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F
iptables -t raw -X
iptables -t security -F
iptables -t security -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

nslookup wdr.de now works from inside the container:

/ # nslookup wdr.de
Server:         127.0.0.11
Address:        127.0.0.11:53

Non-authoritative answer:

Non-authoritative answer:
Name:   wdr.de
Address: 149.219.209.51

Also my CUxD script is now working.

I have reached the end of my knowledge. What am I doing wrong, or how can I solve the iptables problem properly and persistently? Thanks!

PS: I have now also played around a bit with the firewall settings within the web interface. Adding port 53 does not help; only the option "ports open" has been successful so far. I would like to see a proper solution, but in principle that would be fine with me. Is "ports open" a security risk in a private LAN?

PPS: Resolution works after adding try_exec_cmd "/usr/sbin/iptables -A INPUT -p udp --source-port 53 -j ACCEPT" to libfirewall.tcl and mapping it into the container. That solution is, however, not very good, since I have to replace the complete file...
Adding the port via the web interface results in:

ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain state NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain

But what seems to be required is just this one rule:

ACCEPT     udp  --  anywhere             anywhere             udp spt:domain

Describe the behavior you expected

DNS requests should resolve

Steps to reproduce the issue

  1. Run RaspberryMatic as described at https://github.com/jens-maus/RaspberryMatic/wiki/Installation-Docker-OCI#using-docker-compose
  2. exec into the container
  3. nslookup anything

What is the version this bug report is based on?

3.75.7.20240420

Which base platform are you running?

rpi2 (RaspberryPi2, ARM/armhf)

Which HomeMatic/homematicIP radio module are you using?

n/a

Anything in the logs that might be useful for us?

May 11 13:32:07 homematic syslog.info syslogd started: BusyBox v1.36.1
May 11 13:32:10 homematic user.info firewall: configuration set
May 11 13:32:44 homematic daemon.err xinetd[1044]: Unable to read included directory: /etc/config/xinetd.d [file=/etc/xinetd.conf] [line=14]
May 11 13:32:44 homematic daemon.crit xinetd[1044]: 1044 {init_services} no services. Exiting...
May 11 13:32:45 homematic daemon.info cuxd[1091]: CUx-Daemon(2.11) on CCU(3.75.7.20240420) start PID:1091
May 11 13:32:45 homematic daemon.info cuxd[1091]: write_pid /var/run/cuxd.pid [1091]
May 11 13:32:45 homematic daemon.info cuxd[1091]: load paramsets(/usr/local/addons/cuxd/cuxd.ps) size:15 update(-62s):Sat May 11 13:31:43 2024
May 11 13:32:45 homematic daemon.info cuxd[1091]: 0 device-paramset(s) loaded ok!
May 11 13:32:45 homematic daemon.info cuxd[1091]: write_proxy /var/cache/cuxd_proxy.ini (1091 /usr/local/addons/cuxd/ 2.11 3.75.7.20240420 0)
May 11 13:32:45 homematic daemon.info cuxd[1091]: add interface 'CUxD'
May 11 13:32:45 homematic user.info cuxd: started cux-daemon
May 11 13:32:45 homematic daemon.info cuxd[1091]: write interface(1) 'VirtualDevices' to /usr/local/etc/config/InterfacesList.xml
May 11 13:32:45 homematic daemon.info cuxd[1091]: write interface(2) 'CUxD' to /usr/local/etc/config/InterfacesList.xml
May 11 13:33:01 homematic daemon.warn cuxd[1091]: process_rpc_request(127.0.0.1) - illegal XMLRPC(listDevices) request
May 11 13:33:08 homematic daemon.warn cuxd[1091]: process_rpc_request(127.0.0.1) - illegal XMLRPC(init) request
May 11 13:33:12 homematic daemon.info : starting pid 1277, tty '': '/bin/mv /tmp/boot.log /var/log/boot.log'
May 11 13:33:12 homematic daemon.info : starting pid 1278, tty '/dev/null': '/usr/bin/monit -Ic /etc/monitrc'
May 11 13:33:12 homematic user.info monit[1278]: Starting Monit 5.33.0 daemon with http interface at /var/run/monit.sock
May 11 13:33:12 homematic user.info monit[1278]: 'homematic' Monit 5.33.0 started
May 11 13:33:12 homematic local0.err ReGaHss: ERROR: SyntaxError: Error 1 at row 11 col 36 near ^(";", 1); } }  Write(upl);^M  [SyntaxError():iseESP.cpp:1149]
May 11 13:33:12 homematic local0.err ReGaHss: ERROR: SyntaxError: (";", 1); } }  Write(upl); [ParseProgram():iseESP.cpp:386]
May 11 13:33:12 homematic local0.err ReGaHss: ERROR: SyntaxError: Error 1 at row 11 col 36 near ^(";", 1); } }  Write(upl);^M  [SyntaxError():iseESP.cpp:1149]
May 11 13:33:12 homematic local0.err ReGaHss: ERROR: SyntaxError: (";", 1); } }  Write(upl); [ParseProgram():iseESP.cpp:386]
May 11 13:33:12 homematic local0.err ReGaHss: ERROR: SyntaxError: Error 1 at row 11 col 36 near ^(";", 1); } }  Write(upl);^M  [SyntaxError():iseESP.cpp:1149]
May 11 13:33:12 homematic local0.err ReGaHss: ERROR: SyntaxError: (";", 1); } }  Write(upl); [ParseProgram():iseESP.cpp:386]
May 11 13:33:27 homematic user.err monit[1278]: 'sshdEnabled' status failed (1) -- no output
May 11 13:33:27 homematic user.err monit[1278]: 'hs485dEnabled' status failed (2) -- grep: /var/etc/hs485d.conf: No such file or directory
May 11 13:33:27 homematic user.err monit[1278]: 'multimacdEnabled' status failed (1) -- no output
May 11 13:33:27 homematic user.err monit[1278]: 'hmlangwEnabled' status failed (1) -- no output
May 11 13:33:27 homematic user.err monit[1278]: 'rfdEnabled' status failed (1) -- no output
May 11 13:33:27 homematic user.warn monit[1278]: 'hasUSB' status failed (1) -- no output
May 11 13:33:27 homematic user.err monit[1278]: 'hb_rf_eth-CheckEnabled' status failed (1) -- no output
May 11 13:33:27 homematic user.err monit[1278]: 'coProcessorCheck' status failed (1) -- no output
May 11 13:33:27 homematic user.warn monit[1278]: 'rpi4usb3Check' status failed (1) -- no output
May 11 13:33:27 homematic user.err monit[1278]: 'tailscaleEnabled' status failed (1) -- no output
May 11 13:33:27 homematic user.err monit[1278]: Lookup for '/media/usb1' filesystem failed  -- not found in /proc/self/mounts
May 11 13:33:27 homematic user.err monit[1278]: Filesystem '/media/usb1' not mounted
May 11 13:33:27 homematic user.err monit[1278]: 'usb1' unable to read filesystem '/media/usb1' state
May 11 13:33:27 homematic user.info monit[1278]: 'usb1' trying to restart
May 11 13:33:28 homematic daemon.info cuxd[1091]: INIT 'xmlrpc_bin://127.0.0.1:31999' '1040'
May 11 13:33:28 homematic daemon.info cuxd[1091]: RPC-server from HM-CCU (1040) registered!
May 11 13:33:29 homematic daemon.info cuxd[1091]: connection to 127.0.0.1:8183 successfull!
May 11 13:33:43 homematic user.warn monit[1278]: 'hasUSB' status failed (1) -- no output
May 11 13:33:43 homematic user.warn monit[1278]: 'rpi4usb3Check' status failed (1) -- no output
May 11 13:33:43 homematic user.err monit[1278]: Filesystem '/media/usb1' not mounted
May 11 13:33:43 homematic user.err monit[1278]: 'usb1' unable to read filesystem '/media/usb1' state
May 11 13:33:43 homematic user.info monit[1278]: 'usb1' trying to restart
May 11 13:33:43 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:33:59 homematic user.warn monit[1278]: 'hasUSB' status failed (1) -- no output
May 11 13:33:59 homematic user.err monit[1278]: 'rpi4usb3Check' status failed (1) -- no output
May 11 13:33:59 homematic user.err monit[1278]: Filesystem '/media/usb1' not mounted
May 11 13:33:59 homematic user.err monit[1278]: 'usb1' unable to read filesystem '/media/usb1' state
May 11 13:33:59 homematic user.info monit[1278]: 'usb1' trying to restart
May 11 13:33:59 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:34:15 homematic user.warn monit[1278]: 'hasUSB' status failed (1) -- no output
May 11 13:34:15 homematic user.err monit[1278]: Filesystem '/media/usb1' not mounted
May 11 13:34:15 homematic user.err monit[1278]: 'usb1' unable to read filesystem '/media/usb1' state
May 11 13:34:15 homematic user.info monit[1278]: 'usb1' trying to restart
May 11 13:34:15 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:34:31 homematic user.err monit[1278]: 'hasUSB' status failed (1) -- no output
May 11 13:34:31 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:34:47 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:35:03 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:35:19 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:35:34 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:35:50 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:36:06 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:36:22 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:36:38 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:36:54 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:37:09 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:37:25 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:37:41 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:37:57 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:38:13 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:38:29 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:38:44 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:39:00 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:39:16 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:39:32 homematic user.warn monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:39:48 homematic user.err monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:39:48 homematic user.info monit[1278]: 'internetCheck' exec: '/bin/triggerAlarm.tcl No internet connection detected WatchDog: no-internet true'
May 11 13:40:04 homematic user.err monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:40:20 homematic user.err monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:40:35 homematic user.err monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:40:51 homematic user.err monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:41:07 homematic user.err monit[1278]: 'internetCheck' status failed (1) -- no output
May 11 13:41:23 homematic user.info monit[1278]: 'internetCheck' status succeeded (0) -- no output

Additional information

For completeness, here is my network configuration:

nmcli con mod 'Wired connection 1' con-name eth0
nmcli con add ifname br0 type bridge con-name br0
nmcli con add type bridge-slave ifname eth0 master br0
nmcli con mod br0 bridge.stp no

nmcli con mod br0 ipv4.addresses 192.168.145.5/24
nmcli con mod br0 ipv4.gateway 192.168.145.1
nmcli con mod br0 ipv4.dns '192.168.145.1'
nmcli con mod br0 ipv4.dns-search 'fritz.box'
nmcli con mod br0 ipv4.method manual

nmcli con down eth0 && nmcli con up br0
systemctl restart NetworkManager.service

nmcli device show

GENERAL.DEVICE:                         br0
GENERAL.TYPE:                           bridge
GENERAL.HWADDR:                         92:C9:C1:05:3E:F7
GENERAL.MTU:                            1400
GENERAL.STATE:                          100 (connected)
GENERAL.CONNECTION:                     br0
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveConnection/5
IP4.ADDRESS[1]:                         192.168.145.5/24
IP4.GATEWAY:                            192.168.145.1
IP4.ROUTE[1]:                           dst = 0.0.0.0/0, nh = 192.168.145.1, mt = 425
IP4.ROUTE[2]:                           dst = 192.168.145.0/24, nh = 0.0.0.0, mt = 425
IP4.DNS[1]:                             192.168.145.1
IP4.SEARCHES[1]:                        fritz.box
IP6.ADDRESS[1]:                         fe80::d186:af11:7f56:3c04/64
IP6.GATEWAY:                            --
IP6.ROUTE[1]:                           dst = fe80::/64, nh = ::, mt = 1024

GENERAL.DEVICE:                         br-5dc32aee5a36
GENERAL.TYPE:                           bridge
GENERAL.HWADDR:                         02:42:08:5C:1F:AD
GENERAL.MTU:                            1500
GENERAL.STATE:                          100 (connected (externally))
GENERAL.CONNECTION:                     br-5dc32aee5a36
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveConnection/2
IP4.ADDRESS[1]:                         172.18.0.1/16
IP4.GATEWAY:                            --
IP4.ROUTE[1]:                           dst = 172.18.0.0/16, nh = 0.0.0.0, mt = 0
IP6.ADDRESS[1]:                         fe80::42:8ff:fe5c:1fad/64
IP6.GATEWAY:                            --
IP6.ROUTE[1]:                           dst = fe80::/64, nh = ::, mt = 256

GENERAL.DEVICE:                         br-95ef8c538bf6
GENERAL.TYPE:                           bridge
GENERAL.HWADDR:                         02:42:3F:4C:40:6B
GENERAL.MTU:                            1500
GENERAL.STATE:                          100 (connected (externally))
GENERAL.CONNECTION:                     br-95ef8c538bf6
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveConnection/3
IP4.ADDRESS[1]:                         172.21.0.1/16
IP4.GATEWAY:                            --
IP4.ROUTE[1]:                           dst = 172.21.0.0/16, nh = 0.0.0.0, mt = 0
IP6.ADDRESS[1]:                         fe80::42:3fff:fe4c:406b/64
IP6.GATEWAY:                            --
IP6.ROUTE[1]:                           dst = fe80::/64, nh = ::, mt = 256

GENERAL.DEVICE:                         lo
GENERAL.TYPE:                           loopback
GENERAL.HWADDR:                         00:00:00:00:00:00
GENERAL.MTU:                            65536
GENERAL.STATE:                          100 (connected (externally))
GENERAL.CONNECTION:                     lo
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveConnection/1
IP4.ADDRESS[1]:                         127.0.0.1/8
IP4.GATEWAY:                            --
IP6.ADDRESS[1]:                         ::1/128
IP6.GATEWAY:                            --

GENERAL.DEVICE:                         br-d81aeccab029
GENERAL.TYPE:                           bridge
GENERAL.HWADDR:                         02:42:6F:BB:F1:9E
GENERAL.MTU:                            1500
GENERAL.STATE:                          100 (connected (externally))
GENERAL.CONNECTION:                     br-d81aeccab029
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveConnection/4
IP4.ADDRESS[1]:                         172.23.0.1/16
IP4.GATEWAY:                            --
IP4.ROUTE[1]:                           dst = 172.23.0.0/16, nh = 0.0.0.0, mt = 0
IP6.GATEWAY:                            --

GENERAL.DEVICE:                         docker0
GENERAL.TYPE:                           bridge
GENERAL.HWADDR:                         02:42:51:70:C1:12
GENERAL.MTU:                            1500
GENERAL.STATE:                          100 (connected (externally))
GENERAL.CONNECTION:                     docker0
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveConnection/6
IP4.ADDRESS[1]:                         172.17.0.1/16
IP4.GATEWAY:                            --
IP4.ROUTE[1]:                           dst = 172.17.0.0/16, nh = 0.0.0.0, mt = 0
IP6.GATEWAY:                            --

GENERAL.DEVICE:                         tap0
GENERAL.TYPE:                           tun
GENERAL.HWADDR:                         92:C9:C1:05:3E:F7
GENERAL.MTU:                            1400
GENERAL.STATE:                          100 (connected (externally))
GENERAL.CONNECTION:                     tap0
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveConnection/8
IP4.GATEWAY:                            --
IP6.ADDRESS[1]:                         fe80::90c9:c1ff:fe05:3ef7/64
IP6.GATEWAY:                            --
IP6.ROUTE[1]:                           dst = fe80::/64, nh = ::, mt = 256

GENERAL.DEVICE:                         eth0
GENERAL.TYPE:                           ethernet
GENERAL.HWADDR:                         B8:27:EB:7A:8F:E7
GENERAL.MTU:                            1500
GENERAL.STATE:                          100 (connected)
GENERAL.CONNECTION:                     bridge-slave-eth0
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveConnection/7
WIRED-PROPERTIES.CARRIER:               on
IP4.GATEWAY:                            --
IP6.GATEWAY:                            --

GENERAL.DEVICE:                         veth957ff27
GENERAL.TYPE:                           ethernet
GENERAL.HWADDR:                         52:2A:88:32:62:B8
GENERAL.MTU:                            1500
GENERAL.STATE:                          10 (unmanaged)
GENERAL.CONNECTION:                     --
GENERAL.CON-PATH:                       --
WIRED-PROPERTIES.CARRIER:               on
IP4.GATEWAY:                            --
IP6.ADDRESS[1]:                         fe80::502a:88ff:fe32:62b8/64
IP6.GATEWAY:                            --
IP6.ROUTE[1]:                           dst = fe80::/64, nh = ::, mt = 256

GENERAL.DEVICE:                         vethe607849
GENERAL.TYPE:                           ethernet
GENERAL.HWADDR:                         1A:6E:D0:2D:AC:8C
GENERAL.MTU:                            1500
GENERAL.STATE:                          10 (unmanaged)
GENERAL.CONNECTION:                     --
GENERAL.CON-PATH:                       --
WIRED-PROPERTIES.CARRIER:               on
IP4.GATEWAY:                            --
IP6.ADDRESS[1]:                         fe80::186e:d0ff:fe2d:ac8c/64
IP6.GATEWAY:                            --
IP6.ROUTE[1]:                           dst = fe80::/64, nh = ::, mt = 256
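Why the rule the web UI adds does not help, while the source-port rule does, can be checked without touching a live box. The following is an added example, not code from the issue or from the RaspberryMatic project: a small POSIX shell/awk evaluator for the subset of iptables -S INPUT syntax involved here, run against constructed rule sets (the -S form is assumed from the -L lines quoted above). The reply to the resolver's query comes back with source port 53 and the ephemeral destination port seen in the dockerd log, so a rule matching destination port 53 never sees it, whereas a rule matching source port 53 does. The third rule set shows the narrower alternative a firewall would normally use, a conntrack rule for ESTABLISHED,RELATED traffic (a suggestion of this note, not something the project ships): it admits the reply but, unlike the source-port rule, does not admit an unsolicited UDP packet that merely sets its source port to 53.

```sh
#!/bin/sh
# Added example, not code from the issue or from RaspberryMatic. It evaluates
# a UDP packet against the subset of `iptables -S INPUT` syntax used below, to
# show why a "--dport 53" rule does not admit the resolver's replies while
# "--sport 53" or a conntrack rule does.

# Constructed sample (assumed `iptables -S INPUT` shape, derived from the
# `iptables -L` lines quoted in the issue): default-DROP policy plus the two
# rules the web UI adds for port 53.
RULES_WEBUI='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT'

# The reporter's workaround: accept every UDP packet whose source port is 53.
RULES_SPT53="$RULES_WEBUI
-A INPUT -p udp -m udp --sport 53 -j ACCEPT"

# Narrower alternative (editor's suggestion, not a project rule): accept only
# packets that conntrack classifies as replies to traffic the container sent.
RULES_CONNTRACK="$RULES_WEBUI
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

# verdict PROTO SPORT DPORT CTSTATE   (rules on stdin)
# Walks the rules in order like the kernel does: the first match decides,
# otherwise the chain policy applies. The packet is taken to arrive on the
# LAN interface, so "-i lo" rules never match it. Prints ACCEPT or DROP.
verdict() {
  awk -v proto="$1" -v sport="$2" -v dport="$3" -v ctstate="$4" '
    /^-P INPUT / { policy = $3; next }
    /^-A INPUT / {
      r_proto = ""; r_iif = ""; r_sport = ""; r_dport = ""; r_state = ""; target = ""
      for (i = 3; i <= NF; i++) {
        if      ($i == "-p")                                    r_proto = $(i + 1)
        else if ($i == "-i")                                    r_iif   = $(i + 1)
        else if ($i == "--sport" || $i == "--source-port")      r_sport = $(i + 1)
        else if ($i == "--dport" || $i == "--destination-port") r_dport = $(i + 1)
        else if ($i == "--state" || $i == "--ctstate")          r_state = $(i + 1)
        else if ($i == "-j")                                    target  = $(i + 1)
      }
      if (r_iif   != "" && r_iif   == "lo")   next
      if (r_proto != "" && r_proto != proto)  next
      if (r_sport != "" && r_sport != sport)  next
      if (r_dport != "" && r_dport != dport)  next
      if (r_state != "" && index("," r_state ",", "," ctstate ",") == 0) next
      matched = 1; print target; exit
    }
    END { if (!matched) print policy }
  '
}

# The query in the issue left 192.168.145.9:37355 for 192.168.145.1:53, so the
# reply arrives as udp sport=53 dport=37355 and conntrack marks it ESTABLISHED.
dns_reply() { printf '%s\n' "$1" | verdict udp 53 37355 ESTABLISHED; }

# An unsolicited UDP packet from any host that simply sets source port 53,
# aimed at some other port of the container (8181 chosen arbitrarily here).
spoofed_sport53() { printf '%s\n' "$1" | verdict udp 53 8181 NEW; }

echo "web UI dport 53 rule,  DNS reply:    $(dns_reply "$RULES_WEBUI")"
echo "sport 53 workaround,   DNS reply:    $(dns_reply "$RULES_SPT53")"
echo "conntrack rule,        DNS reply:    $(dns_reply "$RULES_CONNTRACK")"
echo "sport 53 workaround,   unsolicited:  $(spoofed_sport53 "$RULES_SPT53")"
echo "conntrack rule,        unsolicited:  $(spoofed_sport53 "$RULES_CONNTRACK")"
```

Run it with sh. The last two lines are the difference between the workaround in the issue and the stateful rule. On a real system, iptables -S INPUT inside the container supplies the rule list in place of the constructed strings; the "iptables -P INPUT ACCEPT" reset quoted above corresponds to a policy of ACCEPT with no rules, which the evaluator also admits.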
cubed-it added the 🐛 bug-report Something isn't working label May 11, 2024