Issue with unbound container permissions

mcjeangab1

Hello there, thank you for maintaining this community forum.

I’m decent at managing Linux servers but I’m a total beginner when it comes to docker.

I’ve tried to install mailcow on my Debian 12 VPS following this tutorial. Everything worked fine up to the point of running docker-compose up -d

The healthcheck for the unbound container fails. When looking at the logs I see:

Setting console permissions... Receiving anchor key... [1714591927] libunbound[9:0] error: socketpair: Permission denied Receiving root hints... ######################################################################## 100.0% setup in directory /etc/unbound removing artifacts Setup success. Certificates created. Enable in unbound.conf file to use [1714591928] unbound[1:0] warning: unable to initgroups unbound: Permission denied [1714591928] unbound[1:0] error: Could not open logfile /dev/console: Permission denied [1714591928] unbound[1:0] notice: init module 0: validator [1714591928] unbound[1:0] notice: init module 1: iterator [1714591928] unbound[1:0] error: socketpair: Permission denied [1714591928] unbound[1:0] fatal error: could not create worker

I’ve tried to add the following caps to the unbound service in the docker-compose.yaml but without any success.
cap_add: - NET_ADMIN - NET_BIND_SERVICE - SYS_ADMIN

I think it’s related to some network or socket permissions. I know AppArmor is running but there doesn’t seem to be any restrictions applied to docker.

Like I said, being unfamiliar with both unbound and docker makes it hard for me to solve. Any help is appreciated. Thank you.

ETNyx

New to forum, but why people do not use official docs? Main problem is “Permission denied” by quick overlook to your tutorial it seems you are not installing as root,…

https://docs.mailcow.email/getstarted/install/#install-mailcow

$ su
# umask
0022 # <- Verify it is 0022
# cd /opt
# git clone https://github.com/mailcow/mailcow-dockerized
# cd mailcow-dockerized
# ./generate_config.sh
# docker compose pull
# docker compose up -d

Edit: I recommend to review the entire documentation from top to bottom, i did it several times always got something new.

DocFraggle

I agree, the tutorial you used is really outdated… the use of and old (v1) standalone docker-compose version will break things, too

mcjeangab1

Thank you for your help 🙂. Could you please recommend me another tutorial? Or maybe I should follow the official documentation, but I found it a bit hard to follow. Thanks a lot.

DocFraggle

The official installation instructions (see above) are pretty straight forward, where did you have problems with that?

mcjeangab1

My only remaining issue is that the documentation states that I cannot have it running with UFW. I always use Debian with UFW for firewall rules management, it seems insecure to not be able to have any sort of firewall.

DocFraggle

mcjeangab1 it seems insecure to not be able to have any sort of firewall.

Sorry, but then you didn’t read that part thoroughly…

I quote from https://docs.mailcow.email/getstarted/prerequisite-system/#firewall-ports

There are several problems with running mailcow on a firewalld/ufw enabled system.
You should disable it (if possible) and move your ruleset to the DOCKER-USER chain, which is not cleared by a Docker service restart, instead.
See this (blog.donnex.net) or this (unrouted.io) guide for information about how to use iptables-persistent with the DOCKER-USER chain.
As mailcow runs dockerized, INPUT rules have no effect on restricting access to mailcow.
Use the FORWARD chain instead.