mailcow 2024-07 is running on: Proxmox Virtual Environment 8.1.4 1 socket 4 cpu, 16 GB RAM, x86-64-v2-AES cat /etc/debian_version --> 12.6 cat /etc/apt/sources.list deb http://ftp-stud.hs-esslingen.de/debian/ bookworm main non-free-firmware deb-src http://ftp-stud.hs-esslingen.de/debian/ bookworm main non-free-firmware deb http://security.debian.org/debian-security bookworm-security main non-free-firmware deb-src http://security.debian.org/debian-security bookworm-security main non-free-firmware deb http://ftp-stud.hs-esslingen.de/debian/ bookworm-updates main non-free-firmware deb-src http://ftp-stud.hs-esslingen.de/debian/ bookworm-updates main non-free-firmware cat sources.list.d/docker.list deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian bookworm stable apt update OK:1 http://ftp-stud.hs-esslingen.de/debian bookworm InRelease Holen:2 https://download.docker.com/linux/debian bookworm InRelease [43,3 kB] Holen:3 http://ftp-stud.hs-esslingen.de/debian bookworm-updates InRelease [55,4 kB] Holen:4 http://security.debian.org/debian-security bookworm-security InRelease [48,0 kB] Es wurden 147 kB in 2 s geholt (95,8 kB/s). Paketlisten werden gelesen… Fertig Abhängigkeitsbaum wird aufgebaut… Fertig Statusinformationen werden eingelesen… Fertig Alle Pakete sind aktuell. docker version Client: Docker Engine - Community Version: 27.1.2 API version: 1.46 Go version: go1.21.13 Git commit: d01f264 Built: Mon Aug 12 11:50:58 2024 OS/Arch: linux/amd64 Context: default Server: Docker Engine - Community Engine: Version: 27.1.2 API version: 1.46 (minimum version 1.24) Go version: go1.21.13 Git commit: f9522e5 Built: Mon Aug 12 11:50:58 2024 OS/Arch: linux/amd64 Experimental: false containerd: Version: 1.7.20 GitCommit: 8fc6bcff51318944179630522a095cc9dbf9f353 runc: Version: 1.1.13 GitCommit: v1.1.13-0-g58aa920 docker-init: Version: 0.19.0 GitCommit: de40ad0 docker compose version Docker Compose version v2.29.1 docker compose exec unbound-mailcow /bin/bash ./healthcheck.sh 2024-08-17 16:16:47: Starting health check - logs can be found in /var/log/healthcheck.log PING 1.1.1.1 (1.1.1.1): 56 data bytes --- 1.1.1.1 ping statistics --- 3 packets transmitted, 3 packets received, 0% packet loss round-trip min/avg/max = 21.755/26.958/34.800 ms PING 8.8.8.8 (8.8.8.8): 56 data bytes --- 8.8.8.8 ping statistics --- 3 packets transmitted, 3 packets received, 0% packet loss round-trip min/avg/max = 21.730/25.025/31.548 ms PING 9.9.9.9 (9.9.9.9): 56 data bytes --- 9.9.9.9 ping statistics --- 3 packets transmitted, 3 packets received, 0% packet loss round-trip min/avg/max = 26.463/29.066/34.093 ms mailcow is working flawlessly. Performing the update 2024-08 leads to an unbound error while # docker compose up -d. Container is not starting. Attaching to the unbound container the healthcheck is giving only errors. *Nothing* has been changed in the environment. What's wrong? Any help is appreciated. I restored a backup, so no need to hurry... More info while beeing attached to the unbound container: ./healthcheck.sh 2024-08-17 16:37:58: Healthcheck: DNS Resolution Failed on attempt 1 for fuzzy.mailcow.email! Trying again... 2024-08-17 16:37:58: Healthcheck: DNS Resolution Failed on attempt 2 for fuzzy.mailcow.email! Trying again... 2024-08-17 16:37:58: Healthcheck: DNS Resolution Failed on attempt 3 for fuzzy.mailcow.email! Trying again... 2024-08-17 16:37:58: Healthcheck: DNS Resolution not possible after 3 attempts for fuzzy.mailcow.email... Gave up! 2024-08-17 16:37:58: Healthcheck: DNS Resolution Failed on attempt 1 for github.com! Trying again... 2024-08-17 16:37:58: Healthcheck: DNS Resolution Failed on attempt 2 for github.com! Trying again... 2024-08-17 16:37:58: Healthcheck: DNS Resolution Failed on attempt 3 for github.com! Trying again... 2024-08-17 16:37:58: Healthcheck: DNS Resolution not possible after 3 attempts for github.com... Gave up! 2024-08-17 16:37:58: Healthcheck: DNS Resolution Failed on attempt 1 for hub.docker.com! Trying again... 2024-08-17 16:37:58: Healthcheck: DNS Resolution Failed on attempt 2 for hub.docker.com! Trying again... 2024-08-17 16:37:58: Healthcheck: DNS Resolution Failed on attempt 3 for hub.docker.com! Trying again... 2024-08-17 16:37:58: Healthcheck: DNS Resolution not possible after 3 attempts for hub.docker.com... Gave up! 2024-08-17 16:37:58: Healthcheck: Too many DNS failures (1 failures allowed, you got 3 failures), marking Healthcheck as unhealthy... ping -c1 1.1.1.1 PING 1.1.1.1 (1.1.1.1): 56 data bytes 64 bytes from 1.1.1.1: seq=0 ttl=53 time=29.332 ms --- 1.1.1.1 ping statistics --- 1 packets transmitted, 1 packets received, 0% packet loss round-trip min/avg/max = 29.332/29.332/29.332 ms ping -c1 8.8.8.8 PING 8.8.8.8 (8.8.8.8): 56 data bytes 64 bytes from 8.8.8.8: seq=0 ttl=54 time=28.553 ms --- 8.8.8.8 ping statistics --- 1 packets transmitted, 1 packets received, 0% packet loss round-trip min/avg/max = 28.553/28.553/28.553 ms ping -c1 9.9.9.9 PING 9.9.9.9 (9.9.9.9): 56 data bytes 64 bytes from 9.9.9.9: seq=0 ttl=54 time=35.367 ms --- 9.9.9.9 ping statistics --- 1 packets transmitted, 1 packets received, 0% packet loss round-trip min/avg/max = 35.367/35.367/35.367 ms dig +short fuzzy.mailcow.email 95.217.129.125 dig +short github.com 140.82.121.4 dig +short hub.docker.com elb-default.us-east-1.aws.dckr.io. prodextdefgreen-k0uuibjyui-4ec6503f7037d339.elb.us-east-1.amazonaws.com. 44.219.3.189 3.224.227.198 44.193.181.103 More info while beeing attached to the unbound container: ./healthcheck.sh 2024-08-17 16:37:58: Healthcheck: DNS Resolution Failed on attempt 1 for fuzzy.mailcow.email! Trying again... 2024-08-17 16:37:58: Healthcheck: DNS Resolution Failed on attempt 2 for fuzzy.mailcow.email! Trying again... 2024-08-17 16:37:58: Healthcheck: DNS Resolution Failed on attempt 3 for fuzzy.mailcow.email! Trying again... 2024-08-17 16:37:58: Healthcheck: DNS Resolution not possible after 3 attempts for fuzzy.mailcow.email... Gave up! 2024-08-17 16:37:58: Healthcheck: DNS Resolution Failed on attempt 1 for github.com! Trying again... 2024-08-17 16:37:58: Healthcheck: DNS Resolution Failed on attempt 2 for github.com! Trying again... 2024-08-17 16:37:58: Healthcheck: DNS Resolution Failed on attempt 3 for github.com! Trying again... 2024-08-17 16:37:58: Healthcheck: DNS Resolution not possible after 3 attempts for github.com... Gave up! 2024-08-17 16:37:58: Healthcheck: DNS Resolution Failed on attempt 1 for hub.docker.com! Trying again... 2024-08-17 16:37:58: Healthcheck: DNS Resolution Failed on attempt 2 for hub.docker.com! Trying again... 2024-08-17 16:37:58: Healthcheck: DNS Resolution Failed on attempt 3 for hub.docker.com! Trying again... 2024-08-17 16:37:58: Healthcheck: DNS Resolution not possible after 3 attempts for hub.docker.com... Gave up! 2024-08-17 16:37:58: Healthcheck: Too many DNS failures (1 failures allowed, you got 3 failures), marking Healthcheck as unhealthy... ping -c1 1.1.1.1 PING 1.1.1.1 (1.1.1.1): 56 data bytes 64 bytes from 1.1.1.1: seq=0 ttl=53 time=29.332 ms --- 1.1.1.1 ping statistics --- 1 packets transmitted, 1 packets received, 0% packet loss round-trip min/avg/max = 29.332/29.332/29.332 ms ping -c1 8.8.8.8 PING 8.8.8.8 (8.8.8.8): 56 data bytes 64 bytes from 8.8.8.8: seq=0 ttl=54 time=28.553 ms --- 8.8.8.8 ping statistics --- 1 packets transmitted, 1 packets received, 0% packet loss round-trip min/avg/max = 28.553/28.553/28.553 ms ping -c1 9.9.9.9 PING 9.9.9.9 (9.9.9.9): 56 data bytes 64 bytes from 9.9.9.9: seq=0 ttl=54 time=35.367 ms --- 9.9.9.9 ping statistics --- 1 packets transmitted, 1 packets received, 0% packet loss round-trip min/avg/max = 35.367/35.367/35.367 ms dig +short fuzzy.mailcow.email 95.217.129.125 dig +short github.com 140.82.121.4 dig +short hub.docker.com elb-default.us-east-1.aws.dckr.io. prodextdefgreen-k0uuibjyui-4ec6503f7037d339.elb.us-east-1.amazonaws.com. 44.219.3.189 3.224.227.198 44.193.181.103 More info while beeing attached to the unbound container: healthcheck.sh 2024-08-17 16:37:58: Healthcheck: DNS Resolution Failed on attempt 1 for fuzzy.mailcow.email! Trying again... 2024-08-17 16:37:58: Healthcheck: DNS Resolution Failed on attempt 2 for fuzzy.mailcow.email! Trying again... 2024-08-17 16:37:58: Healthcheck: DNS Resolution Failed on attempt 3 for fuzzy.mailcow.email! Trying again... 2024-08-17 16:37:58: Healthcheck: DNS Resolution not possible after 3 attempts for fuzzy.mailcow.email... Gave up! 2024-08-17 16:37:58: Healthcheck: DNS Resolution Failed on attempt 1 for github.com! Trying again... 2024-08-17 16:37:58: Healthcheck: DNS Resolution Failed on attempt 2 for github.com! Trying again... 2024-08-17 16:37:58: Healthcheck: DNS Resolution Failed on attempt 3 for github.com! Trying again... 2024-08-17 16:37:58: Healthcheck: DNS Resolution not possible after 3 attempts for github.com... Gave up! 2024-08-17 16:37:58: Healthcheck: DNS Resolution Failed on attempt 1 for hub.docker.com! Trying again... 2024-08-17 16:37:58: Healthcheck: DNS Resolution Failed on attempt 2 for hub.docker.com! Trying again... 2024-08-17 16:37:58: Healthcheck: DNS Resolution Failed on attempt 3 for hub.docker.com! Trying again... 2024-08-17 16:37:58: Healthcheck: DNS Resolution not possible after 3 attempts for hub.docker.com... Gave up! 2024-08-17 16:37:58: Healthcheck: Too many DNS failures (1 failures allowed, you got 3 failures), marking Healthcheck as unhealthy... ping -c1 1.1.1.1 PING 1.1.1.1 (1.1.1.1): 56 data bytes 64 bytes from 1.1.1.1: seq=0 ttl=53 time=29.332 ms --- 1.1.1.1 ping statistics --- 1 packets transmitted, 1 packets received, 0% packet loss round-trip min/avg/max = 29.332/29.332/29.332 ms ping -c1 8.8.8.8 PING 8.8.8.8 (8.8.8.8): 56 data bytes 64 bytes from 8.8.8.8: seq=0 ttl=54 time=28.553 ms --- 8.8.8.8 ping statistics --- 1 packets transmitted, 1 packets received, 0% packet loss round-trip min/avg/max = 28.553/28.553/28.553 ms ping -c1 9.9.9.9 PING 9.9.9.9 (9.9.9.9): 56 data bytes 64 bytes from 9.9.9.9: seq=0 ttl=54 time=35.367 ms --- 9.9.9.9 ping statistics --- 1 packets transmitted, 1 packets received, 0% packet loss round-trip min/avg/max = 35.367/35.367/35.367 ms dig +short fuzzy.mailcow.email 95.217.129.125 dig +short github.com 140.82.121.4 dig +short hub.docker.com elb-default.us-east-1.aws.dckr.io. prodextdefgreen-k0uuibjyui-4ec6503f7037d339.elb.us-east-1.amazonaws.com. 44.219.3.189 3.224.227.198 44.193.181.103 More info while beeing attached to the unbound container: ./healthcheck.sh 2024-08-17 16:37:58: Healthcheck: DNS Resolution Failed on attempt 1 for fuzzy.mailcow.email! Trying again... 2024-08-17 16:37:58: Healthcheck: DNS Resolution Failed on attempt 2 for fuzzy.mailcow.email! Trying again... 2024-08-17 16:37:58: Healthcheck: DNS Resolution Failed on attempt 3 for fuzzy.mailcow.email! Trying again... 2024-08-17 16:37:58: Healthcheck: DNS Resolution not possible after 3 attempts for fuzzy.mailcow.email... Gave up! 2024-08-17 16:37:58: Healthcheck: DNS Resolution Failed on attempt 1 for github.com! Trying again... 2024-08-17 16:37:58: Healthcheck: DNS Resolution Failed on attempt 2 for github.com! Trying again... 2024-08-17 16:37:58: Healthcheck: DNS Resolution Failed on attempt 3 for github.com! Trying again... 2024-08-17 16:37:58: Healthcheck: DNS Resolution not possible after 3 attempts for github.com... Gave up! 2024-08-17 16:37:58: Healthcheck: DNS Resolution Failed on attempt 1 for hub.docker.com! Trying again... 2024-08-17 16:37:58: Healthcheck: DNS Resolution Failed on attempt 2 for hub.docker.com! Trying again... 2024-08-17 16:37:58: Healthcheck: DNS Resolution Failed on attempt 3 for hub.docker.com! Trying again... 2024-08-17 16:37:58: Healthcheck: DNS Resolution not possible after 3 attempts for hub.docker.com... Gave up! 2024-08-17 16:37:58: Healthcheck: Too many DNS failures (1 failures allowed, you got 3 failures), marking Healthcheck as unhealthy... ping -c1 1.1.1.1 PING 1.1.1.1 (1.1.1.1): 56 data bytes 64 bytes from 1.1.1.1: seq=0 ttl=53 time=29.332 ms --- 1.1.1.1 ping statistics --- 1 packets transmitted, 1 packets received, 0% packet loss round-trip min/avg/max = 29.332/29.332/29.332 ms ping -c1 8.8.8.8 PING 8.8.8.8 (8.8.8.8): 56 data bytes 64 bytes from 8.8.8.8: seq=0 ttl=54 time=28.553 ms --- 8.8.8.8 ping statistics --- 1 packets transmitted, 1 packets received, 0% packet loss round-trip min/avg/max = 28.553/28.553/28.553 ms ping -c1 9.9.9.9 PING 9.9.9.9 (9.9.9.9): 56 data bytes 64 bytes from 9.9.9.9: seq=0 ttl=54 time=35.367 ms --- 9.9.9.9 ping statistics --- 1 packets transmitted, 1 packets received, 0% packet loss round-trip min/avg/max = 35.367/35.367/35.367 ms dig +short fuzzy.mailcow.email 95.217.129.125 dig +short github.com 140.82.121.4 dig +short hub.docker.com elb-default.us-east-1.aws.dckr.io. prodextdefgreen-k0uuibjyui-4ec6503f7037d339.elb.us-east-1.amazonaws.com. 44.219.3.189 3.224.227.198 44.193.181.103

Workaround: Skip unbound health check in mailcow.conf followed by docker compose down and docker compose up -d Not really happy with this quick fix... Another workaround: Leave the healthcheck in mailcow.conf as it was (skip healthcheck no). Add in unbound.conf i.e. the IP of your router or an IP of a trusted DNS: forward-zone: name: "." forward-addr: 1.1.1.1 Also not happy with this...

I haven't heard any other complaints so far - you're the first one. Also my two mailcow installations are running fine, no watchdog issues being reported whatsoever. DNS resolution working fine. So it might be something isolated to your setup... A few questions: 1. How have you performed the update, running `./update.sh` I suppose? 2. Can you perform manual dig/nslookup/ping DNS resolutions inside the watchdog container, to see if it just affects the script? 3. What have you defined in setting `COMPOSE_PROJECT_NAME`? 4. Does DNS resolution of `nginx.${COMPOSE_PROJECT_NAME}_mailcow-docker` work inside the watchdog container? It might be potentially related to: https://github.com/mailcow/mailcow-dockerized/pull/5967. Just a guess.

> @"pkernstock"#p17799 How have you performed the update, running ./update.sh I suppose? yes. > @"pkernstock"#p17799 Can you perform manual dig/nslookup/ping DNS resolutions inside the watchdog container, to see if it just affects the script? No. Because ✘ Container mailcowdockerized-unbound-mailcow-1 Error dependency failed to start: container mailcowdockerized-unbound-mailcow-1 is unhealthy therefore: docker compose exec watchdog-mailcow /bin/bash service "watchdog-mailcow" is not running > @"pkernstock"#p17799 What have you defined in setting COMPOSE_PROJECT_NAME COMPOSE_PROJECT_NAME=mailcowdockerized > @"pkernstock"#p17799 Does DNS resolution of nginx.${COMPOSE_PROJECT_NAME}_mailcow-docker work inside the watchdog container? Can't check. Not able to attach to the conatiner. > @"pkernstock"#p17799 So it might be something isolated to your setup… Hmm, how could I check? Before this update all mailcow-updates before (including OS and docker) have been causing no issues. So no, I doubt that there is a problem with my setup. Anyway - give me a hint. I'll check. But it's quite a vanilla setup behind a opnsense and a haproxy handling the certs and restricting acces outside from the LAN or VPN. Again - until the last update no issues at all. > @"pkernstock"#p17799 Also my two mailcow installations are running fine May I ask on a VE? If so, what specific? Which OS in the VM? > @"pkernstock"#p17799 Does DNS resolution of nginx.${COMPOSE_PROJECT_NAME}_mailcow-docker work inside the watchdog container? With an ip forwarding to the opnsense, it looks like this: dig nginx.mailcowdockerized_mailcow-docker ; DiG 9.18.27 nginx.mailcowdockerized_mailcow-docker ;; global options: +cmd ;; Got answer: ;; ->>HEADER

https://mailcow.email/de/posts/2024/release-2024-08/ > Im Unbound-Container wurden die Healthchecks überarbeitet. Well. Someone might check the differences... Something's definitely different.

Does `docker logs --tail=150 mailcowdockerized-unbound-mailcow-1` output anything useful? Beside the failing healthchecks (which are obviously expected when unbound as the DNS server is not running) there must be something stated on why the unbound container crashes/stops. > @"stefan21"#p17797 forward-zone: > name: “.” > forward-addr: 1.1.1.1 > > Also not happy with this… Understandably, especially as external resolvers shouldn't be used. > @"stefan21"#p17800 May I ask on a VE? If so, what specific? Which OS in the VM? VMware ESXi, Ubuntu 22.04, Docker 27.1.2. > @"stefan21"#p17819 Well. Someone might check the differences… Something’s definitely different. It's those changes, as per release details: https://github.com/mailcow/mailcow-dockerized/pull/6004 Maybe something's blocking DNS queries on your firewall?

I just installed the update. My system is Debian12 on Arm. No problems, everything works as it should

> @"pkernstock"#p17820 Maybe something’s blocking DNS queries on your firewall? If so as you assume IMVHO logically the version 2024-07 must not work. Any query from LAN to port 53 is redirected to the opnsense. Opnsense is configured to use unbound. Forwarded ports from the opnsense to the mailcow are 25, 465 and 587. Again, this setup is working flawlessly to the monent. I restored to 2024-07. No problems at all. Alright, for a test I'll forward the port 53 to the mailcow. I let you know.

@"stefan21"#p17823 While the mailcow team shuffled things around a bit in the Unbound container's `healtcheck.sh`, the check itself remained the same. It tries to resolve three different domains using Unbound inside the container: `dig +short +timeout=2 +tries=1 "$domain" @127.0.0.1` According to your error messages, all three fail. Did you try entering the Unbound container to manually check if DNS resolution works?

> @"pkernstock"#p17820 docker logs --tail=150 mailcowdockerized-unbound-mailcow-1 Here the output: Setting console permissions... Receiving anchor key... Receiving root hints... ######################################################################## 100.0% setup in directory /etc/unbound Certificate request self-signature ok subject=CN=unbound-control removing artifacts Setup success. Certificates created. Enable in unbound.conf file to use 2024-08-19 19:39:05,215 INFO Set uid to user 0 succeeded 2024-08-19 19:39:05,219 INFO supervisord started with pid 1 2024-08-19 19:39:06,227 INFO spawned: 'processes' with pid 22 2024-08-19 19:39:06,236 INFO spawned: 'syslog-ng' with pid 23 2024-08-19 19:39:06,246 INFO spawned: 'unbound' with pid 24 2024-08-19 19:39:06,254 INFO spawned: 'unbound-healthcheck' with pid 25 [1724089146] unbound[24:0] notice: init module 0: validator [1724089146] unbound[24:0] notice: init module 1: iterator Aug 19 19:39:06 1b9362a6bf20 syslog-ng[23]: syslog-ng starting up; version='4.7.1' [1724089146] unbound[24:0] info: start of service (unbound 1.20.0). 2024-08-19 19:39:07,312 INFO success: processes entered RUNNING state, process has stayed up for > than 1 seconds (startsecs) 2024-08-19 19:39:07,312 INFO success: syslog-ng entered RUNNING state, process has stayed up for > than 1 seconds (startsecs) 2024-08-19 19:39:07,313 INFO success: unbound entered RUNNING state, process has stayed up for > than 1 seconds (startsecs) 2024-08-19 19:39:07,313 INFO success: unbound-healthcheck entered RUNNING state, process has stayed up for > than 1 seconds (startsecs) 2024-08-19 19:39:12: Healthcheck: DNS Resolution Failed on attempt 1 for fuzzy.mailcow.email! Trying again... 2024-08-19 19:39:12: Healthcheck: DNS Resolution Failed on attempt 2 for fuzzy.mailcow.email! Trying again... 2024-08-19 19:39:12: Healthcheck: DNS Resolution Failed on attempt 3 for fuzzy.mailcow.email! Trying again... 2024-08-19 19:39:12: Healthcheck: DNS Resolution not possible after 3 attempts for fuzzy.mailcow.email... Gave up! 2024-08-19 19:39:12: Healthcheck: DNS Resolution Failed on attempt 1 for github.com! Trying again... 2024-08-19 19:39:13: Healthcheck: DNS Resolution Failed on attempt 2 for github.com! Trying again... 2024-08-19 19:39:13: Healthcheck: DNS Resolution Failed on attempt 3 for github.com! Trying again... 2024-08-19 19:39:13: Healthcheck: DNS Resolution not possible after 3 attempts for github.com... Gave up! 2024-08-19 19:39:13: Healthcheck: DNS Resolution Failed on attempt 1 for hub.docker.com! Trying again... 2024-08-19 19:39:13: Healthcheck: DNS Resolution Failed on attempt 2 for hub.docker.com! Trying again... 2024-08-19 19:39:13: Healthcheck: DNS Resolution Failed on attempt 3 for hub.docker.com! Trying again... 2024-08-19 19:39:13: Healthcheck: DNS Resolution not possible after 3 attempts for hub.docker.com... Gave up! 2024-08-19 19:39:13: Healthcheck: Too many DNS failures (1 failures allowed, you got 3 failures), marking Healthcheck as unhealthy... 2024-08-19 19:39:49: Healthcheck: DNS Resolution Failed on attempt 1 for fuzzy.mailcow.email! Trying again... 2024-08-19 19:39:49: Healthcheck: DNS Resolution Failed on attempt 2 for fuzzy.mailcow.email! Trying again... 2024-08-19 19:39:49: Healthcheck: DNS Resolution Failed on attempt 3 for fuzzy.mailcow.email! Trying again... 2024-08-19 19:39:49: Healthcheck: DNS Resolution not possible after 3 attempts for fuzzy.mailcow.email... Gave up! 2024-08-19 19:39:49: Healthcheck: DNS Resolution Failed on attempt 1 for github.com! Trying again... 2024-08-19 19:39:49: Healthcheck: DNS Resolution Failed on attempt 2 for github.com! Trying again... 2024-08-19 19:39:49: Healthcheck: DNS Resolution Failed on attempt 3 for github.com! Trying again... 2024-08-19 19:39:49: Healthcheck: DNS Resolution not possible after 3 attempts for github.com... Gave up! 2024-08-19 19:39:50: Healthcheck: DNS Resolution Failed on attempt 1 for hub.docker.com! Trying again... 2024-08-19 19:39:50: Healthcheck: DNS Resolution Failed on attempt 2 for hub.docker.com! Trying again... 2024-08-19 19:39:50: Healthcheck: DNS Resolution Failed on attempt 3 for hub.docker.com! Trying again... 2024-08-19 19:39:50: Healthcheck: DNS Resolution not possible after 3 attempts for hub.docker.com... Gave up! 2024-08-19 19:39:50: Healthcheck: Too many DNS failures (1 failures allowed, you got 3 failures), marking Healthcheck as unhealthy... 2024-08-19 19:40:26: Healthcheck: DNS Resolution Failed on attempt 1 for fuzzy.mailcow.email! Trying again... 2024-08-19 19:40:26: Healthcheck: DNS Resolution Failed on attempt 2 for fuzzy.mailcow.email! Trying again... 2024-08-19 19:40:26: Healthcheck: DNS Resolution Failed on attempt 3 for fuzzy.mailcow.email! Trying again... 2024-08-19 19:40:26: Healthcheck: DNS Resolution not possible after 3 attempts for fuzzy.mailcow.email... Gave up! 2024-08-19 19:40:26: Healthcheck: DNS Resolution Failed on attempt 1 for github.com! Trying again... 2024-08-19 19:40:26: Healthcheck: DNS Resolution Failed on attempt 2 for github.com! Trying again... 2024-08-19 19:40:26: Healthcheck: DNS Resolution Failed on attempt 3 for github.com! Trying again... 2024-08-19 19:40:26: Healthcheck: DNS Resolution not possible after 3 attempts for github.com... Gave up! 2024-08-19 19:40:26: Healthcheck: DNS Resolution Failed on attempt 1 for hub.docker.com! Trying again... 2024-08-19 19:40:27: Healthcheck: DNS Resolution Failed on attempt 2 for hub.docker.com! Trying again... 2024-08-19 19:40:27: Healthcheck: DNS Resolution Failed on attempt 3 for hub.docker.com! Trying again... 2024-08-19 19:40:27: Healthcheck: DNS Resolution not possible after 3 attempts for hub.docker.com... Gave up! 2024-08-19 19:40:27: Healthcheck: Too many DNS failures (1 failures allowed, you got 3 failures), marking Healthcheck as unhealthy... > @"accolon"#p17824 Did you try entering the Unbound container to manually check if DNS resolution works? Here's the info: docker compose exec unbound-mailcow /bin/bash 1b9362a6bf20:/# ping -c2 1.1.1.1 PING 1.1.1.1 (1.1.1.1): 56 data bytes 64 bytes from 1.1.1.1: seq=0 ttl=53 time=30.357 ms 64 bytes from 1.1.1.1: seq=1 ttl=53 time=21.828 ms --- 1.1.1.1 ping statistics --- 2 packets transmitted, 2 packets received, 0% packet loss round-trip min/avg/max = 21.828/26.092/30.357 ms 1b9362a6bf20:/# ping -c2 9.9.9.9 PING 9.9.9.9 (9.9.9.9): 56 data bytes 64 bytes from 9.9.9.9: seq=0 ttl=54 time=37.348 ms 64 bytes from 9.9.9.9: seq=1 ttl=54 time=30.712 ms --- 9.9.9.9 ping statistics --- 2 packets transmitted, 2 packets received, 0% packet loss round-trip min/avg/max = 30.712/34.030/37.348 ms 1b9362a6bf20:/# ping -c2 8.8.8.8 PING 8.8.8.8 (8.8.8.8): 56 data bytes 64 bytes from 8.8.8.8: seq=0 ttl=113 time=31.186 ms 64 bytes from 8.8.8.8: seq=1 ttl=113 time=22.515 ms --- 8.8.8.8 ping statistics --- 2 packets transmitted, 2 packets received, 0% packet loss round-trip min/avg/max = 22.515/26.850/31.186 ms and: dig +short +timeout=2 +tries=1 fuzzy.mailcow.email 95.217.129.125 dig +short +timeout=2 +tries=1 github.com 140.82.121.4 dig +short +timeout=2 +tries=1 hub.docker.com elb-default.us-east-1.aws.dckr.io. prodextdefgreen-k0uuibjyui-4ec6503f7037d339.elb.us-east-1.amazonaws.com. 44.219.3.189 3.224.227.198 44.193.181.103 What exactly does ip-forwarding? forward-zone: name: "." forward-addr: ip-of-opnsense where unbound is running as DNS If in unbound.conf configured like this, the container starts "healthy". Mailcow is running flawlessly.

> @"stefan21"#p17823 Alright, for a test I’ll forward the port 53 to the mailcow. I let you know. Does not work.

Be careful with update from 2024-07 to 2024-08 leads to dns error in unbound

pkernstock

Maybe something related to this particular issue where dockerd misbehaved apparently? mailcow/mailcow-dockerized6042

What I’m confused about is: You said that unbound container isn’t starting properly. But you’re still running dig commands in the same container, right? Are you running them shortly before the container stops, or when you have your workaround in place?

stefan21

@pkernstock

To clarify:

Without a forward-zone:
docker compose up -d leads to

✘ Container mailcowdockerized-unbound-mailcow-1 Error
dependency failed to start: container mailcowdockerized-unbound-mailcow-1 is unhealthy

and:

docker compose exec unbound-mailcow /bin/bash enters the container. Inside the container ping, dig and nslookup are working. Therefore I assume DNS is working.

Defining a forward-zone to the opnsense leads to a healthy start of the unbound-container (all containers). No errors at all.

Inside the container:

nslookup fuzzy.mailcow.email
Server: 127.0.0.11
Address: 127.0.0.11#53

Non-authoritative answer:
Name: fuzzy.mailcow.email
Address: 95.217.129.125

less healthcheck.sh:

for domain in “${domains[@]}” ; do
success=false
for ((i=1; i<=3; i++)); do
dig_output=$(dig +short +timeout=2 +tries=1 “$domain” @127.0.0.1 2>/dev/null)
dig_rc=$?

    if [ $dig_rc -ne 0 ] || [ -z "$dig_output" ]; then
        log_to_stdout "Healthcheck: DNS Resolution Failed on attempt $i for $domain! Trying again..."
    else
        success=true
        break
    fi
done

Testing:

1.) dig +short +timeout=2 +tries=1 fuzzy.mailcow.email @127.0.0.1 is giving nothing back
2.) dig +short +timeout=2 +tries=1 fuzzy.mailcow.email @127.0.0.11
95.217.129.125

Altering healthcheck.sh inside the container will not persist a restart.

accolon

stefan21 altered the healthcheck.sh to 127.0.0.11

127.0.0.11 is Docker’s own internal DNS service. All containers use 127.0.0.11 to include internal names of Docker containers. Your change simply asks another DNS server instead of Unbound, which effectively makes the health check useless.

stefan21 1.) dig +short +timeout=2 +tries=1 fuzzy.mailcow.email @127.0.0.1 is giving nothing back

That’s why the health check fails, so it’s working correctly. In your tests above, I missed that you skipped the @127.0.0.1 part, i.e. you were not asking Unbound directly.

So the question now is why your Unbound is not resolving DNS requests.

stefan21

Must be the script.

Disabled the forward-zone. Did a docker compose down followed by a docker compose up -d. Entered the unbound container and altered the healthcheck.sh to 127.0.0.11. Did a docker compose restart unbound-mailcow.
[+] Restarting 1/1
✔ Container mailcowdockerized-unbound-mailcow-1 Started

docker compose ps
mailcowdockerized-unbound-mailcow-1 mailcow/unbound:1.23 “/docker-entrypoint.…” unbound-mailcow 24 minutes ago Up 11 minutes (healthy) 53/tcp, 53/udp

I’ll define a forward-zone as workaround until this is fixed.

DocFraggle

DocFraggle I suggest you edit your data/Dockerfiles/unbound/healthcheck.sh script and add some debug log output starting at line 53

mailcow/mailcow-dockerizedblob/master/data/Dockerfiles/unbound/healthcheck.sh#L53

For example, output the details of the dig command in $dig_output and maybe even the return code. The script just checks if rc=0, but maybe it’s not 0, dig can return multiple return codes apart from 1

The script may still run things differently from you running commands inside the container

Which brings me back to my suggestion from above… why don’t you have a deeper look and log the details from the healthcheck script?

stefan21

Found it.

I’m redirecting all DNS requests from LAN to the opnsense. As I already wrote, on the opnsense UNBOUND is running. I have to think about creating seperate rules for the mailcow, or leave the workaround with the forward-zone.

Question remains why did it work in version 2024-07 (obviously because of changing the healthcheck script), and what reason for is DNS working inside of the unbound-container working with ping, dig and nslookup. Why in general, changing the script? Running mailcow behind a proper configured firewall will cause hickups.

I’ll stop this now. Maybe someone can mark this thread as solved or tell me, how to do it.

BTW - did I overlook something in the doku? Can’t find anything about this special? issue. Is it special to redirect any DNS request from a LAN to a firewall and let the firewall do the job? AFAIK there are reasons to configure a FW in this way…

pkernstock

stefan21 BTW - did I overlook something in the doku?

Yes: https://docs.mailcow.email/manual-guides/u_e-why_unbound/. It is NOT recommended to use any other external resolver and have unbound resolve everything for you, by directly using the root nameservers.

stefan21

I read this. I do understand. My opnsense is using unbound as resolver. Because I do know about the problems with external resolvers. There are reasons why a sysadmin forces any device in the LAN to use only the resolver from a firewall.

What I don’t like is drilling holes in a firewall… of course a mail server needs ports (25, 465, 587) to communicate with other mail servers. Why icmp and DNS can’t be used from a firewall, IDK.

Anyway - as I know the pro’s and con’s of my setup, I’ll stay with a forward-zone in the mailcow pointing to the IP of my opnsense.

You didn’t answer to my question, why the healthscript worked before. I didn’t change anything in my firewall. Do you know the reason?

stefan21

This seems to be the same …

https://community.mailcow.email/d/2977-container-unbound-unhealthy/47

satorisage

I am having this issue with a fresh mailcow install.

After the heathcheck fails, I exec into the container and run the dig command from the healthcheck and get an error

Seems unbound isn’t actually running here? Thoughts/suggestions?

h2owasser

I have the same issue. Manually updating healtchec.sh to @127.0.0.11 solve this healtcheck issue, but unbound is still not workuing correctly for the other docker containers. As i use multiple docker networks i use a non standard IPV4_NETWORK=172.40.1 in mailcow.conf which might correlate with the problem.

h2owasser

Just want to mention that everything works without problems if you insert @127.0.0.11 in healtcheck: sed 's/127.0.0.1 /127.0.0.11 /' ./data/Dockerfiles/unbound/healthcheck.sh > ./data/Dockerfiles/unbound/healthcheck.sh
delete all dns: entries and its items in docker-compose.yml
exec docker build data/Dockerfiles/unbound -t mailcow/unbound:own
add in docker-compose.overwrite.yml:
services: unbound-mailcow: build: ./data/Dockerfiles/unbound image: mailcow/unbound:own
execute update.sh

Gebemsea

I just upgraded to the November release and had this exact problem. I did find a root cause IN MY SETUP. Sharing in case it helps.

Setup:

Mailcow DNS with forwarding domain to high-powered Pfsense box sitting next to mailcow (no need for two unbounds here).
PFSense configured with NAT to redirect all LAN DNS requests to itself
PFSense running PFBlocker to block outbound DNS-over-HTTP (DOH) and DNS-Over-TCP queries

Issue:

PFBlocker, by default, blocks trafic of ALL Protocols types to the addresses in it’s DOH block lists
Block lists include 1.1.1.1, 8.8.8.8, 9.9.9.9 which Mailcow uses to check the health of Unbound

Solution:

Edit the DOH rule to only block TCP & UDP protocols, thereby allowing ICMP to pass
I can imagin this can occur with other firewall softwares
In PFSense, to do this: PFBlocker -> IP -> IPv4 -> DoH_IP -> Advanced Outbound Firewall Rule Settings ->Custom Protocol -> TCP/UDP

« Previous Page