madnuttah / unbound-docker Goto Github PK


🛡️ This distroless Unbound Docker image is based on Alpine Linux with focus on security, privacy, performance and a small image size. And with Pi-hole in mind.

Home Page: https://hub.docker.com/r/madnuttah/unbound

License: MIT License

Dockerfile 91.62% Shell 8.38%
alpine-linux docker unbound dnssec dns dns-over-https dns-over-tls multiarch dns-privacy dnscrypt

unbound-docker's Introduction

Alpine Linux Based DNSSEC Validating Recursive Unbound DNS Resolver Docker Image

Build status

CI/CD workflows (badges): Check NLnet Labs Unbound release; Build Docker Image; Build Nightly Docker Image; Security Scan; Manual Build Unbound Docker Image.

Version badges: GitHub version; OpenSSL buildenv.

This is a lightweight Alpine Linux based Docker image that runs Unbound, the open source high-performance DNS resolver brought to you by the nice people at NLnet Labs, as your own recursive DNS server inside a secure single-layer distroless scratch image built according to best-practice principles.

While it leaves almost nothing to be desired, it is perfectly suited for professional and personal use alike.

Features

Feature | Supported
CD built single-layer distroless scratch image running Alpine Linux | yes
Unprivileged user | yes
Unprivileged port (privileged possible) | yes
Custom UID/GID environment variables | yes
Per hardware architecture optimized & CD built OpenSSL | yes
Libevent | yes
Recursive DNS as default | yes
DNSSEC | yes
DNSCrypt | yes
DNSTap | yes
DNS64 | yes
DNS over HTTPS | yes
DNS over TLS | yes
Redis via UNIX socket or network | yes
Optional privacy respecting & meaningful healthcheck | yes
Optional Unbound statistics for Grafana via Zabbix utilizing on-board means | yes
Python | no
EDNS Client Subnet | no
Image security scans with Trivy & Docker Scout | yes

Getting started

Docker containers are most easily used with docker compose.

Available Docker Tags

You can pull the most recent image from Docker Hub using its latest tag or by using the corresponding image version number:

docker pull madnuttah/unbound:latest or docker pull madnuttah/unbound:1.1.0-0

The image versioning scheme follows the Unbound version number, complemented by a dash and the image revision, for example 1.1.0-0.

There are canary builds of the image available. You can pull the image using its canary tag:

docker pull madnuttah/unbound:canary

Please note that canary builds may contain bugs and are not recommended for production environments. These builds are untested and also unsupported by me.

Changes

You can view the changes in the Releases section.

Feedback

I am here to help! Don't hesitate to contact me through a GitHub Issue if you have any questions, requests or problems with the image.

You can also reach me on Fosstodon:

Follow me on Mastodon

Acknowledgements

Licenses

License

Unless otherwise specified, all code is released under the MIT license. See the LICENSE for details.

Licenses for other components

Legal

Please note that this is a work of a private contributor and I'm neither affiliated with NLnet Labs or Pi-hole nor is NLnet Labs or Pi-hole involved in the development of the image. The marks and properties 'Unbound' and 'Pi-hole' are properties of NLnet Labs and Pi-hole respectively. All rights in the source codes, including logos relating to said marks and properties belong to their respective owners.

Supporting my work

In case you would like to donate money, please rather spend it on the upstream projects this image relies on.

If you like what I do and if you find this image protecting your privacy and giving back your DNS liberty useful - consider becoming a stargazer ⭐ on Docker Hub and GitHub. Thank you for your support!

Some things in life are free. ❤️

unbound-docker's People

Contributors

3deep5me, dependabot[bot], jschlyter, madmartin, madnuttah, madnuttah-bot, radiohofen, x-felix


unbound-docker's Issues

Help setting up parameters in docker-compose.env

First of all, thank you for providing this. I am currently using pi-hole + unbound + hyperlocal on my Raspberry Pi ZeroW. It works, but somehow struggles with the WLAN connection. Thus I have to migrate to my wired Raspberry Pi 4 and would like to use your docker setup.

My network:
192.168.178.1: router (uses domain fritz.box)
192.168.178.78: rp4 (here I would like to host your docker files --> new DNS)
192.168.178.200: rpzero (my current and soon old DNS)

I am struggling to understand the internal IP management in the docker file. I thought IPs in docker are internal (docker provides its own network configuration). Therefore I don't understand why I have to provide individual IP addresses for pihole and unbound. I have never used MACVLAN and I am not experienced with docker network configurations. Any help would be appreciated.

Furthermore, what do I need to specify for:

section pihole
  • domainname
  • VIRTUAL_HOST
  • CORS_HOST
  • REV_SERVER_DOMAIN

section unbound
  • domainname
  • volumes (can I just use everything after <>?)

section networks
  • how do these settings correlate to the settings above?

Help with redis configuration and a persistent cachedb.d volume

I have set up unbound on a macvlan and it starts fine and seems to be working. Today I have tried to add a redis database so that records are cached persistently.

Good news is that I have got the docker/compose to start, but I am not sure if it is all working correctly.

How can I tell if redis database is working? Should I be able to view/see the database somewhere? Can I tell when the response comes from the redis database?

If I restart the unbound container, a new volume is created so I think this could be an issue. I think the same volume should be used across restarts of the container. Correct?

Here is my compose file. Anything stupid I have done?

version: '3.3'

services:
  unbound:
    container_name: unbound
    image: madnuttah/unbound:latest
    ports:
      - 5335:5335/tcp
      - 5335:5335/udp
    networks:
      rpi5_macvlan:
        ipv4_address: "192.168.100.15"
    environment:
      ServerIP: 192.168.100.15
      TZ: ${TZ}
      UID: ${PUID}
      GID: ${PGID}
    volumes:
      - /symlinks/omv-system/appdata/unbound/unbound.conf:/usr/local/unbound/unbound.conf:rw #Your local path to Unbound
      - /symlinks/omv-system/appdata/unbound/conf.d/:/usr/local/unbound/conf.d/:rw
      - /symlinks/omv-system/appdata/unbound/iana.d/:/usr/local/unbound/iana.d/:rw
      - /symlinks/omv-system/appdata/unbound/log.d/unbound.log:/usr/local/unbound/log.d/unbound.log:rw
      - /symlinks/omv-system/appdata/unbound/zones.d/:/usr/local/unbound/zones.d/:rw
    volumes_from:
      - redis-socket:rw
    restart: unless-stopped
    healthcheck:
      test: /usr/local/unbound/sbin/healthcheck.sh
      interval: 60s
      retries: 5
      start_period: 15s
      timeout: 30s

  redis-socket:
    image: busybox
    container_name: redis-socket
    tty: true
    command:
      - /bin/sh
      - -c
      - |
        chown -R 999:100 /usr/local/unbound/cachedb.d/ # Change group (:1000) to your used GID
        /bin/sh
    volumes:
      - /symlinks/omv-system/appdata/unbound/cachedb.d:/usr/local/unbound/cachedb.d/

  redis:
    container_name: unbound-db
    image: redis:alpine
    command: redis-server /usr/local/etc/redis/redis.conf
    volumes:
      - /symlinks/omv-system/appdata/unbound/redis.conf:/usr/local/etc/redis/redis.conf
    volumes_from:
      - redis-socket:rw

volumes:
  cachedb.d:

networks:
  rpi5_macvlan:
    name: rpi5_macvlan
    external: true

Container doesn't start on Port 53 with any version newer than 1.19.1-0 using Synology Container Manager

When running the container with port 53, I'll get a port bind error:

unbound[1:0] fatal error: could not open ports
unbound[1:0] error: can't bind socket: Permission denied for 127.0.0.1 port 53 

I am running the container in a docker environment on my Synology NAS (DSM7.2) in a macvlan.

I am referring to this issue, where I already mentioned my problem:
#54

I have tried different configurations, all with the same error (also tried the minimal config version). Then I found out "by accident", that older versions of the container indeed do work without the above mentioned error. Every version until 1.19.1-0 is working. Everything newer doesn't work anymore.

My yaml file:

version: '2'

services:
  unbound:
    container_name: unbound_madnuttah
    image: madnuttah/unbound:latest
    hostname: unbound_madnuttah
    cap_add: 
      - NET_BIND_SERVICE
    ports:
      - 53:53/tcp
      - 53:53/udp
    networks:
      macvlan0:
        ipv4_address: 192.168.178.226
    environment:
      TZ: "Europe/Berlin"
      ServerIP: 192.168.178.226
    volumes:
      - ./unbound/unbound.conf:/usr/local/unbound/unbound.conf:rw
      - ./conf.d/:/usr/local/unbound/conf.d/:rw
    restart: always

networks:
  macvlan0:
    name: macvlan0
    external: true

If you need any more information, please let me know.

Regards,
JD

healthcheck no longer works

Hello,

I have just had your new image rolled out. In the new version, the healthcheck no longer works. Have any parameters changed?

This is what my docker-compose file looks like (see attachment)
[attachment: Unbenannt]

Kind regards
René

I need some help with ipv6 setup

I have followed your bridge example file and tailored it to my needs, but for some reason the DNS queries fail once it is up and running. Not sure where I am going wrong, but none of the adlists can be updated; basically DNS fails on the Pi itself.

A bit of background: the IPv4 setup runs all fine, but as my ISP has started handing out IPv6 addresses I thought I would set it all up. In my router, for IPv4 DNS, I have the local IP address of the Pi, and under IPv6 management I have given the link-local addresses of the Pi. On the pihole admin page, under settings, I can see fd11:aa:1234:1234::505#5335 as default and I can also add the IP 172.20.0.253#5335 manually, but it makes no difference. I am not sure where I am going wrong.

here is my compose file

version: '2'

services:
  pihole:
    container_name: pi-hole
    image: pihole/pihole:latest
    hostname: pi-hole

    networks:
      dns-network:
        ipv4_address: 172.20.0.254
        ipv6_address: fd11:aa:1234:1234::506
    dns:
      - 172.20.0.253
      - fd11:aa:1234:1234::505
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "67:67/udp"
      - "8000:80/tcp"
      - "4443:443/tcp"
    environment:
      ServerIP: 172.20.0.254
      ServeIP: fd11:aa:1234:1234::506
      WEBPASSWORD: XXXX
      TZ: Europe/London
      PIHOLE_DNS_: 172.20.0.253#5335
      PIHOLE_DNS_: fd11:aa:1234:1234::505#5335
      IPv6: "true"

    volumes:
      - '/home/pi/docker/test/etc-pihole/:/etc/pihole/'
      - '/home/pi/docker/test/etc-dnsmasq.d/:/etc/dnsmasq.d/'
    restart: unless-stopped

  unbound:
    container_name: unbound
    image: madnuttah/unbound:latest
    hostname: unbound

    ports:
      - 5335:5335/tcp
      - 5335:5335/udp
    networks:
      dns-network:
        ipv4_address: 172.20.0.253
        ipv6_address: fd11:aa:1234:1234::505
    environment:
      TZ: Europe/London
      ServerIP: 172.20.0.253
      ServerIP: fd11:aa:1234:1234::505

    volumes:
      - /home/pi/docker/test/unbound/unbound.conf:/home/pi/docker/test/unbound/unbound.conf:rw
      - /home/pi/docker/test/unbound/conf.d/:/home/pi/docker/test/unbound/conf.d/:rw
      - /home/pi/docker/test/unbound/log.d/unbound.log:/home/pi/docker/test/unbound/log.d/unbound.log:rw
      - /home/pi/docker/test/unbound/zones.d/:/home/pi/docker/test/unbound/zones.d/:rw
      - /home/pi/docker/test/unbound/iana.d/:/home/pi/docker/test/unbound/iana.d/:rw
      - /home/pi/docker/test/unbound/conf.d/root.hints/:/home/pi/docker/test/unbound/condf.d/root.hints/:rw
    restart: unless-stopped
    healthcheck:
      test: /usr/local/sbin/healthcheck.sh
      interval: 60s
      retries: 5
      start_period: 15s
      timeout: 30s

networks:
  dns-network:
    enable_ipv6: true #Enable if using IPv6
    driver: bridge

    ipam:
      config:
        - subnet: 172.20.0.0/24
          gateway: 172.20.0.1
        - subnet: fd11:aa:1234:1234::/64
          gateway: fd11:aa:1234:1234::11

SERVFAIL for some domains

Describe the bug
Getting some SERVFAILs from unbound; I tried to alter the config but didn't succeed, and I'm out of ideas.
The time is correct on host and container.
Please complete the following information:

  • Device: Raspberry Pi 4
  • OS: Raspbian
  • Architecture: arm64
  • Version:

Additional context
; <<>> DiG 9.16.48-Raspbian <<>> duckduckgo.com @172.20.0.7 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20927
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;duckduckgo.com. IN A

;; Query time: 4 msec
;; SERVER: 172.20.0.7#5335(172.20.0.7)
;; WHEN: Thu Apr 11 16:36:26 CEST 2024
;; MSG SIZE rcvd: 43

docker-compose.yml
networks:
  dns-bridge:
    driver: bridge
    enable_ipv6: true
    ipam:
      config:
        - subnet: 172.20.0.0/16
          gateway: 172.20.0.1
        - subnet: fdc4:056e:8a54::/48
          gateway: fdc4:056e:8a54::1

services:
  pihole:
    container_name: pi-hole
    hostname: pi-hole
    domainname: fritz.box
    image: pihole/pihole:latest
    networks:
      dns-bridge:
        ipv4_address: 172.20.0.6
        ipv6_address: fdc4:056e:8a54::6
    dns:
      - 172.20.0.7
      - fdc4:056e:8a54::7
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "80:80/tcp"
    cap_add:
      - NET_ADMIN
      - NET_BIND_SERVICE
    environment:
      - TZ=Europe/Berlin
      - WEBPASSWORD=*****************
      - PIHOLE_DNS_=172.20.0.7#5335;fdc4:056e:8a54::7#5335
      - CUSTOM_CACHE_SIZE=0
      - REV_SERVER=true
      - REV_SERVER_DOMAIN=fritz.box
      - REV_SERVER_TARGET=10.0.0.1
      - REV_SERVER_CIDR=10.0.0.0/24
      - FTLCONF_LOCAL_IPV4=127.20.0.6
      - FTLCONF_LOCAL_IPV6=fdc4:056e:8a54::6
      - WEBTHEME=default-dark
      - CORS_HOSTS=pihole.home.systemfehler.eu,pihole.tail.systemfehler.eu
      - DNS_BOGUS_PRIV=true
      - DNS_FQDN_REQUIRED=true
    volumes:
      - /etc/resolv.conf:/etc/resolv.conf:ro
      - /etc/localtime:/etc/localtime:ro
      - /home/moarsmokes/pihole/etc-pihole/:/etc/pihole/:rw
      - /home/moarsmokes/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/:rw
    depends_on:
      - unbound
    restart: unless-stopped

  unbound:
    container_name: unbound
    hostname: unbound
    domainname: fritz.box
    image: madnuttah/unbound:latest
    networks:
      dns-bridge:
        ipv4_address: 172.20.0.7
        ipv6_address: fdc4:056e:8a54::7
    environment:
      - TZ=Europe/Berlin
      - UNBOUND_UID=1000 #Example only, check your docker user info
      - UNBOUND_GID=1000
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /home/moarsmokes/unbound/unbound.conf:/usr/local/unbound/unbound.conf:rw
      - /home/moarsmokes/unbound/conf.d/:/usr/local/unbound/conf.d/:rw
      - /home/moarsmokes/unbound/log.d/unbound.log:/usr/local/unbound/log.d/unbound.log:rw
      - /home/moarsmokes/unbound/zones.d/:/usr/local/unbound/zones.d/:rw
      - /home/moarsmokes/unbound/iana.d/:/usr/local/unbound/iana.d/:rw
    ports:
      - "5335:5335/tcp"
      - "5335:5335/udp"
    healthcheck:
      disable: true
    restart: unless-stopped

unbound.confs
server:
    #interface: 127.0.0.1@5335
    #interface: ::1@5335
    interface: 0.0.0.0@5335
    interface: ::0@5335

    #outgoing-interface: 0.0.0.0

    so-reuseport: yes

    do-ip4: yes
    do-ip6: yes
    do-tcp: yes
    do-udp: yes
    udp-connect: yes

    prefer-ip4: yes
    prefer-ip6: no

server:
    do-not-query-localhost: no

    unblock-lan-zones: no
    insecure-lan-zones: yes

    private-domain: "fritz.box."
    private-domain: "0.0.10.in-addr.arpa."

    domain-insecure: "fritz.box."
    domain-insecure: "0.0.10.in-addr.arpa."
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
    private-address: ::ffff:0:0/96

    hide-identity: yes
    identity: "server"
    hide-version: yes
    version: ""
    aggressive-nsec: yes
    qname-minimisation: yes
    qname-minimisation-strict: no
    disable-dnssec-lame-check: no
    hide-trustanchor: yes
    harden-algo-downgrade: no
    harden-below-nxdomain: yes
    harden-dnssec-stripped: yes
    harden-glue: yes
    harden-large-queries: no
    harden-referral-path: no
    harden-short-bufsize: yes
    minimal-responses: yes
    deny-any: yes
    use-caps-for-id: no
    val-clean-additional: yes
    val-max-restart: 5
    root-key-sentinel: yes
    zonemd-permissive-mode: no
    target-fetch-policy: "0 0 0 0 0"

server:
    num-threads: 2
    num-queries-per-thread: 4096
    cache-max-ttl: 86400
    cache-min-ttl: 0
    edns-buffer-size: 1472
    rrset-roundrobin: yes
    neg-cache-size: 4M
    delay-close: 10000
    rrset-cache-size: 256m
    rrset-cache-slabs: 4
    ratelimit: 1000
    unwanted-reply-threshold: 10000
    infra-cache-slabs: 4
    infra-cache-numhosts: 100000
    msg-cache-size: 256m
    msg-cache-slabs: 4
    key-cache-size: 4m
    key-cache-slabs: 4
    prefetch: yes
    prefetch-key: yes
    serve-expired: yes
    max-udp-size: 4096
    msg-buffer-size: 65552
    stream-wait-size: 4m
    outgoing-range: 32768
    outgoing-port-permit: 32768
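The SERVFAIL report above is diagnosed by reading dig's header by eye. The following is an added example, not code from the issue or from the unbound-docker project: a POSIX sh function that turns dig output into a one-line, machine-checkable verdict (the rcode plus whether the AD flag is set), so the same check can run from a script or a container healthcheck. The two embedded samples are constructed; the first reproduces the header lines quoted in the issue, and the resolver address and port in the usage comment are placeholders.

```sh
#!/bin/sh
# Added example (not part of unbound-docker): turn the output of
# `dig <name> @<resolver> -p <port>` into a verdict a script can test.
# Prints "<STATUS> ad=<yes|no>": STATUS is the rcode from the HEADER line
# (NOERROR, SERVFAIL, NXDOMAIN, ...) or NORESPONSE if no header was seen;
# ad=yes means the resolver set the AD (authenticated data) flag, i.e. the
# answer passed DNSSEC validation. Only needs awk, so it runs in busybox.
dig_verdict() {
    awk '
        /->>HEADER<<-/ {
            # ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20927"
            for (i = 1; i <= NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {
            # ";; flags: qr rd ra; QUERY: 1, ..." -> flag list sits between "flags:" and ";"
            match($0, /flags:[^;]*/)
            flags = " " substr($0, RSTART + 6, RLENGTH - 6) " "
            ad = (flags ~ / ad /) ? "yes" : "no"
        }
        END {
            if (status == "") status = "NORESPONSE"
            if (ad == "") ad = "no"
            print status " ad=" ad
        }'
}

# Constructed samples. The first is the header of the dig output quoted in the
# issue above; the second is what a DNSSEC-validated answer looks like.
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20927
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Live use against your own resolver (address and port are placeholders):
#   dig duckduckgo.com @172.20.0.7 -p 5335 | dig_verdict
# A healthcheck can then fail the container unless the verdict starts with NOERROR.
```

Running the function over the two samples prints "SERVFAIL ad=no" and "NOERROR ad=yes"; a SERVFAIL with no answer section, as in the issue, is exactly the case this flags.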

[Bug] fatal error: unable to chroot to /usr/local/unbound: Operation not permitted

Describe the bug

Latest pushed image crashes with fatal error: unable to chroot to /usr/local/unbound: Operation not permitted
Whole mounted folder is chowned with 1000:1000; it used to work before, but the new image just fails to start.

To Reproduce
Steps to reproduce the behavior:

  1. Pull latest image
  2. See it crash

Expected behavior

Continuing to work

Please complete the following information:

  • Device: Lenovo ThinkCentre running Ubuntu Server
  • OS: Ubuntu Server with Portainer
  • Architecture: AMD64
  • Version:

"Could not open xxx: Permission denied" on Synology NAS

I'm trying to run this Unbound container on Synology NAS. Everything looks amazing (is the fastest and easiest one I've tried so far, I'm loving it).

But with this container I'm getting errors accessing the mapped files.

[1704707818] unbound[18:0] notice: Start of unbound 1.19.0.
Jan 08 22:56:58 unbound[18:0] error: Could not open logfile /log.d/unbound.log: Permission denied
Jan 08 22:56:58 unbound[18:0] notice: init module 0: validator
Jan 08 22:56:58 unbound[18:0] notice: init module 1: iterator
Jan 08 22:56:58 unbound[18:0] info: start of service (unbound 1.19.0).
Jan 08 22:57:01 unbound[18:0] info: resolving www.com. A IN
Jan 08 22:57:02 unbound[18:0] info: response for www.com. A IN
Jan 08 22:57:02 unbound[18:0] info: reply from (removed)
Jan 08 22:57:02 unbound[18:0] info: query response was ANSWER
Jan 08 22:57:02 unbound[18:0] info: prime trust anchor
Jan 08 22:57:02 unbound[18:0] info: generate keytag query _ta-4f66. NULL IN
Jan 08 22:57:02 unbound[18:0] info: resolving . DNSKEY IN
Jan 08 22:57:02 unbound[18:0] info: resolving _ta-4f66. NULL IN
Jan 08 22:57:02 unbound[18:0] info: response for . DNSKEY IN
Jan 08 22:57:02 unbound[18:0] info: reply from (removed)
Jan 08 22:57:02 unbound[18:0] info: query response was ANSWER
Jan 08 22:57:02 unbound[18:0] fatal error: could not open autotrust file for writing, /iana.d/root.key.18-0-7f1a1630e790: Permission denied

I reckon that relates to the user changed, and PUID/PGID are being lost when the user is changed. Only workaround I found was granting RW to Everyone over those files.

How can I map the right user and permissions?

[Bug] unbound is already running / unable to chroot

Been using madnuttah unbound docker on Synology NAS for more than a month behind Pi-hole. Everything works great, no issue at all.

Today I made the mistake of restarting it to update the image, and never got back online. I only get these errors:

unbound[1:0] error: can't bind socket: Permission denied for 127.0.0.1 port 53
unbound[1:0] fatal error: could not open ports
  • As far as I can remember, I haven't changed anything.
  • I even tried executing with high privileges with the same result.
  • Tried restarting Docker and also the whole NAS, no change.
  • Pi-hole still works fine, although I had to redirect to a different server. All other containers work fine.
  • Since it is running bridged in its own container and without exposing ports to the host, the error doesn't make sense unless it is clashing with another unbound instance.

Then I tried different IPs and playing with interfaces.conf using a different port, but things got weirder. It would seem somehow two instances of unbound are trying to run at the same time, or there are file permission issues?

unbound[1:0] warning: unbound is already running as pid 1.
unbound[1:0] fatal error: unable to chroot to /usr/local/unbound: Operation not permitted

compose.yaml

services:
  unbound:
    container_name: unbound
    depends_on:
        - redis-dns
    hostname: unbound
    image: madnuttah/unbound:latest
    environment:
      - TZ=Pacific/Auckland
      - UID=1031
      - GID=65537
      - ServerIP=172.21.0.102
    volumes:
      - ./unbound/conf.d:/usr/local/unbound/conf.d
      - ./unbound/iana.d:/usr/local/unbound/iana.d
      - ./unbound/log.d:/usr/local/unbound/log.d
      - ./unbound/zones.d:/usr/local/unbound/zones.d
      - ./unbound/unbound.conf:/usr/local/unbound/unbound.conf
    networks:
      bridge0:
        ipv4_address: 172.21.0.102
#    ports:
#      - 5335:53/tcp # Web UI port
#      - 5335:53/udp # Web UI port
    restart: unless-stopped

networks:
  bridge0:
    external: true
    name: bridge-custom

unbound.conf

include: "/usr/local/unbound/conf.d/*.conf"
include: "/usr/local/unbound/zones.d/*.conf"

server:
    module-config: "cachedb iterator" #validator
    username: "_unbound"
    directory: "/usr/local/unbound"
    chroot: "/usr/local/unbound"
    do-daemonize: no
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    auto-trust-anchor-file: "/usr/local/unbound/iana.d/root.key"
    trust-anchor-signaling: yes

interfaces.conf

server:
  interface: 127.0.0.1
  interface: 172.21.0.102

  do-ip4: yes
  do-ip6: no
  do-tcp: yes
  do-udp: yes
  udp-connect: yes

Any help will be greatly appreciated.

New commits but no new release?

Sorry for deleting the template, but I thought it was not needed for this as it's really simple - you make new commits but there hasn't been any new Docker hub image release?

Strange volume mapping

Hello,

First of all thanks for your nice release of Unbound for docker 👍
But why are the following volumes mapped?

[image: screenshot of the volume mapping]

my Config :

version: "3"

services:
  unbound:
    container_name: unbound
    image: madnuttah/unbound:latest
    hostname: unbound
    networks:
     - dns-network
    ports:
      - 5335:5335/tcp
      - 5335:5335/udp
    environment:
      TZ: "Europe/Amsterdam"
    volumes:
      - ./unbound/unbound.conf:/usr/local/unbound/unbound.conf:rw #Your local path to Unbound
      - ./unbound/conf.d/:/usr/local/unbound/conf.d/:rw
      - ./unbound/log.d/:/usr/local/unbound/log.d/:rw
      - ./unbound/zones.d/:/usr/local/unbound/zones.d/:rw
      - ./unbound/certs.d/:/usr/local/unbound/certs.d/:rw
      - ./unbound/iana.d/:/usr/local/unbound/iana.d/:rw
    restart: unless-stopped

networks:
  dns-network:
    driver: bridge

How do I get rid of that [ and ] mapping?

[Planned] Making DNS diagnostic tools available soon™

  • Currently there are no DNS related diagnostic tools included in the image starting with the distroless version 1.19.1-4. As @kernbug suggested in issue #57, it might be a good idea to make dig and drill available to diagnose DNS or DNSSEC related issues.

  • I'll check the benefits of building the tools by myself, otherwise they'll get installed in a coming version. Don't expect them in the upcoming version, though.

[Bug] unbound container terminates with "Illegal instruction (core dumped)"

Describe the bug
On a Raspberry Pi 1B+ (architecture armv6l) the container immediately dies after the start with the messages

$ docker-compose up
Starting unbound ... done
Attaching to unbound
unbound    | Illegal instruction (core dumped)
unbound exited with code 132

Please complete the following information:

  • Device: [Raspberry 1 B+]
  • OS: [Debian Bookworm]
  • Architecture: [armv6l]
  • Version [1.19.0-3]

Additional context

  • I tried the identical docker-compose directory content on an amd64 server - works fine.
  • I tried the identical docker-compose directory content on an Raspberry 4 (aarch64) - works fine.
  • I tried older image versions on Raspberry 1B (back to 1.14.0) - all show the same bad behaviour.
  • I inspected the image with the command docker run --rm -it madnuttah/unbound sh - all usual linux binaries I tried worked well, but all commands in the directory /usr/local/unbound/unbound.d/sbin show the same behaviour - terminating with "illegal instruction" message.

So my personal guess is that the unbound binaries are compiled for a different arm variant, not suitable for arm v6l.

[Bug] container unable to start without providing unbound.conf

Describe the bug
After the 1.19.1-0 update the container does not start anymore and gets into a crash loop. The following error appears in the logs:

[1707896685] unbound[1:0] error: can't bind socket: Address not available for ::1 port 53
[1707896685] unbound[1:0] fatal error: could not open ports

To Reproduce
Use latest version with following compose file

  unbound:
    container_name: unbound
    hostname: unbound
    image: madnuttah/unbound:latest
    restart: unless-stopped
    deploy:
      resources:
        limits:
          memory: 50m
    ports:
      - "127.0.0.1:5335:5335/tcp"
      - "127.0.0.1:5335:5335/udp"
    networks:
      - dns
    environment:
      TZ: Europe/Berlin

Expected behavior
container should start as it did before the update

Workaround
Download "default" unbound.conf from https://github.com/madnuttah/unbound-docker/blob/main/unbound/root/usr/local/unbound/unbound.conf and add it to the compose file:

  unbound:
    container_name: unbound
    hostname: unbound
    image: madnuttah/unbound:latest
    restart: unless-stopped
    deploy:
      resources:
        limits:
          memory: 50m
    ports:
      - "127.0.0.1:5335:5335/tcp"
      - "127.0.0.1:5335:5335/udp"
    networks:
      - dns
    environment:
      TZ: Europe/Berlin
    volumes:
      - ./unbound.conf:/usr/local/unbound/unbound.conf:rw

Please complete the following information:

  • Device: VM
  • OS: Debian Bookworm
  • Architecture: amd64
  • Version: latest

Help with healthcheck on redis container

I can't work out why the redis container (named unbound-db in my setup) is saying it is unhealthy but I think it is fine.

I added an additional check to debug in healthcheck.sh and when I run the script using docker exec - it seems to be ok.

here is my updated healthcheck.sh

#!/bin/sh
# Path of the redis UNIX socket shared with the unbound container
SOCKET=/usr/local/unbound/cachedb.d/redis.sock

# POSIX test: -S is true when the path exists and is a socket
# (single brackets so the check also works when /bin/sh is not bash)
if [ ! -S "$SOCKET" ]; then
    echo "$SOCKET is not a file/socket so exit 1"
    exit 1
else
    echo "$SOCKET is a file/socket so do nothing"
fi

Below is from the CLI, and it looks to be confirming the container is healthy. Or am I missing something (very likely)?

[image: CLI screenshot not included]

[Bug] Not enough permissions for /iana.d/ if default configuration is used

Describe the bug
Hello. Thank you for the image re-work :)

Permission issue with iana.d with default example here:
https://github.com/madnuttah/unbound-docker/blob/main/doc/DETAILS.md

Feb 19 14:07:57 unbound[1:0] notice: init module 0: validator
Feb 19 14:07:57 unbound[1:0] notice: init module 1: iterator
Feb 19 14:07:57 unbound[1:0] info: start of service (unbound 1.19.1).
Feb 19 14:07:59 unbound[1:0] error: could not open /iana.d/root.zone.tmp1: No such file or directory

To Reproduce

docker run --name madnuttah-unbound -d \
--user 1000 \
-e UID=1000 \
-e GID=1000 \
-p 5335:5335/udp \
-p 5335:5335/tcp \
--restart=unless-stopped \
madnuttah/unbound:latest

Expected behavior
No errors with rootless container having only user permissions inside container.
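Several of the reports above (the autotrust root.key write failure, the unreadable unbound.log, the chroot failure, and this iana.d issue) come down to the bind-mounted tree not being owned by the UID/GID the container runs as. The following is an added example, not part of unbound-docker: a POSIX sh pre-flight check to run on the host before starting the container, which lists every entry under the mount whose owner differs from the expected UID/GID. It assumes GNU or busybox `stat -c`; the directory tree built in the demo is constructed and stands in for your own mount path, and the UID/GID values in the usage comment are placeholders.

```sh
#!/bin/sh
# Added example (not part of unbound-docker): verify that everything under a
# bind-mounted Unbound directory is owned by the UID/GID the container will run
# as, so files Unbound must write (iana.d/root.key for autotrust, log.d/unbound.log)
# do not fail with "Permission denied". Assumes GNU or busybox `stat -c`.

# check_owner DIR UID GID
# Prints every entry whose owner differs; returns 0 if all match, 1 otherwise.
check_owner() {
    find "$1" -exec stat -c '%u %g %n' {} + |
        awk -v want_uid="$2" -v want_gid="$3" '
            {
                path = $0
                sub(/^[0-9]+ [0-9]+ /, "", path)   # keep paths containing spaces intact
                if ($1 != want_uid || $2 != want_gid) {
                    printf "owner %s:%s (want %s:%s): %s\n", $1, $2, want_uid, want_gid, path
                    bad = 1
                }
            }
            END { exit bad }'
}

# Demo on a constructed directory tree (stands in for your real mount path):
# the first check passes because the files belong to the current user, the
# second fails because UID/GID 65534 (nobody) owns nothing there.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/unbound/iana.d" "$tmp/unbound/log.d"
    : > "$tmp/unbound/iana.d/root.key"
    : > "$tmp/unbound/log.d/unbound.log"
    echo "check against current user:"
    check_owner "$tmp/unbound" "$(id -u)" "$(id -g)" && echo "ok"
    echo "check against 65534:65534:"
    check_owner "$tmp/unbound" 65534 65534 || echo "mismatch found (expected)"
    rm -rf "$tmp"
}

# Real use, with the same values you pass as the container's UID and GID
# environment variables (placeholders here):
#   check_owner /path/to/unbound 1000 1000 || echo "fix ownership before starting the container"
if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it with `sh check_owner.sh demo` to see both outcomes; in real use the exit status is what a deployment script should branch on, and the printed paths tell you exactly which files to chown.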

Container not starting, Docker Healthcheck failed

I am using the latest docker image, but it now has problems starting the container; it is running, as it accepts requests:

madnuttah/unbound:latest "/usr/local/sbin/unb…" 3 minutes ago Up 13 seconds (health: starting) 0.0.0.0:5335->5335/tcp, 0.0.0.0:5335->5335/udp, :::5335->5335/tcp, :::5335->5335/udp

my docker-compose.yml

  unbound:
    container_name: unbound
    image: madnuttah/unbound:latest
    hostname: unbound
    networks:
      dns-network:
        ipv4_address: 172.22.0.2
    ports:
      - 5335:5335/tcp
      - 5335:5335/udp
    environment:
      TZ: "Europe/Amsterdam"
    volumes:
      - ./unbound/unbound.conf:/usr/local/unbound/unbound.conf:rw #Your local path to Unbound
      - ./unbound/conf.d/:/usr/local/unbound/conf.d/:rw
      - ./unbound/log.d/:/usr/local/unbound/log.d/:rw
      - ./unbound/zones.d/:/usr/local/unbound/zones.d/:rw
      - ./unbound/certs.d/:/usr/local/unbound/certs.d/:rw
      - ./unbound/iana.d/:/usr/local/unbound/iana.d/:rw
    restart: unless-stopped

Unable to start unbound container

Similar to issue #24 I'm getting the following errors when attempting to start unbound:

/usr/local/sbin/unbound.sh: line 2: /usr/local/unbound/unbound.d/sbin/unbound-anchor: not found
/usr/local/sbin/unbound.sh: exec: line 3: /usr/local/unbound/unbound.d/sbin/unbound: not found

I'm attempting to configure a 2 container stack (pihole+unbound) following this blog: https://www.xfelix.com/2020/09/pihole-unbound-docker-setup-on-raspberry-pi/

I have not seen these 2 files mentioned before, but thinking they were required I tried creating them and got the following errors:

/usr/local/sbin/unbound.sh: line 2: /usr/local/unbound/unbound.d/sbin/unbound-anchor: Permission denied
/usr/local/sbin/unbound.sh: exec: line 3: /usr/local/unbound/unbound.d/sbin/unbound: Permission denied

Here is the volumes part of the unbound service in the compose file:

volumes:
  - /home/steve/docker/unbound/:/usr/local/unbound/:rw
  - /home/steve/docker/unbound/conf.d/:/usr/local/unbound/conf.d/:rw
  - /home/steve/docker/unbound/log.d/:/usr/local/unbound/log.d/:rw
  - /home/steve/docker/unbound/zones.d/:/usr/local/unbound/zones.d/:rw
  - /home/steve/docker/unbound/iana.d/:/usr/local/unbound/iana.d/:rw

Being new to this I'm unsure what to do and looking for some help.

Thanks

TZ env does not work

I followed the example in the docker-compose file to set TZ, but it does not take effect.
The Unbound docker container still uses UTC.

[Question]

Unbound is running fine, but I do notice the following errors in log.
Does this require attention, or should I ignore?

May 09 13:36:27 unbound[1:0] notice: init module 0: validator
May 09 13:36:27 unbound[1:0] notice: init module 1: iterator
May 09 13:36:27 unbound[1:0] info: start of service (unbound 1.17.1).
May 09 13:36:27 unbound[1:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 09 13:36:27 unbound[1:0] info: generate keytag query _ta-4f66. NULL IN
May 09 13:36:27 unbound[1:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 09 13:36:27 unbound[1:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 09 13:36:27 unbound[1:0] info: generate keytag query _ta-4f66. NULL IN
May 09 13:36:27 unbound[1:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 09 13:36:27 unbound[1:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 09 13:36:27 unbound[1:0] info: generate keytag query _ta-4f66. NULL IN
May 09 13:36:27 unbound[1:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 09 13:36:27 unbound[1:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 09 13:36:27 unbound[1:0] info: generate keytag query _ta-4f66. NULL IN
May 09 13:36:27 unbound[1:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 09 13:36:27 unbound[1:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 09 13:36:27 unbound[1:0] info: generate keytag query _ta-4f66. NULL IN
May 09 13:36:27 unbound[1:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 09 13:36:27 unbound[1:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 09 13:36:27 unbound[1:0] info: validation failure <. NS IN>: no signatures from 198.97.190.53 for trust anchor . while building chain of trust
May 09 13:36:27 unbound[1:0] info: validation failure <. DNSKEY IN>: key for validation . is marked as invalid because of a previous validation failure <. NS IN>: no signatures from 198.97.190.53 for trust anchor . while building chain of trust
May 09 13:36:27 unbound[1:0] info: validation failure <e.root-servers.net. A IN>: key for validation . is marked as invalid because of a previous validation failure <. NS IN>: no signatures from 198.97.190.53 for trust anchor . while building chain of trust
May 09 13:36:27 unbound[1:0] info: validation failure <l.root-servers.net. A IN>: key for validation . is marked as invalid because of a previous validation failure <. NS IN>: no signatures from 198.97.190.53 for trust anchor . while building chain of trust
May 09 13:36:27 unbound[1:0] info: validation failure <f.root-servers.net. A IN>: key for validation . is marked as invalid because of a previous validation failure <. NS IN>: no signatures from 198.97.190.53 for trust anchor . while building chain of trust
May 09 13:36:27 unbound[1:0] info: validation failure <b.root-servers.net. A IN>: key for validation . is marked as invalid because of a previous validation failure <. NS IN>: no signatures from 198.97.190.53 for trust anchor . while building chain of trust
May 09 13:36:27 unbound[1:0] info: validation failure <k.root-servers.net. A IN>: key for validation . is marked as invalid because of a previous validation failure <. NS IN>: no signatures from 198.97.190.53 for trust anchor . while building chain of trust
May 09 13:36:27 unbound[1:0] info: validation failure <m.root-servers.net. A IN>: key for validation . is marked as invalid because of a previous validation failure <. NS IN>: no signatures from 198.97.190.53 for trust anchor . while building chain of trust
May 09 13:36:27 unbound[1:0] info: validation failure <j.root-servers.net. A IN>: key for validation . is marked as invalid because of a previous validation failure <. NS IN>: no signatures from 198.97.190.53 for trust anchor . while building chain of trust
May 09 13:36:27 unbound[1:0] info: validation failure <i.root-servers.net. A IN>: key for validation . is marked as invalid because of a previous validation failure <. NS IN>: no signatures from 198.97.190.53 for trust anchor . while building chain of trust
May 09 13:36:27 unbound[1:0] info: validation failure <g.root-servers.net. A IN>: key for validation . is marked as invalid because of a previous validation failure <. NS IN>: no signatures from 198.97.190.53 for trust anchor . while building chain of trust
May 09 13:36:27 unbound[1:0] info: validation failure <c.root-servers.net. A IN>: key for validation . is marked as invalid because of a previous validation failure <. NS IN>: no signatures from 198.97.190.53 for trust anchor . while building chain of trust
May 09 13:36:27 unbound[1:0] info: validation failure <h.root-servers.net. A IN>: key for validation . is marked as invalid because of a previous validation failure <. NS IN>: no signatures from 198.97.190.53 for trust anchor . while building chain of trust
May 09 13:36:27 unbound[1:0] info: validation failure <d.root-servers.net. A IN>: key for validation . is marked as invalid because of a previous validation failure <. NS IN>: no signatures from 198.97.190.53 for trust anchor . while building chain of trust
May 09 13:36:27 unbound[1:0] info: validation failure <a.root-servers.net. A IN>: key for validation . is marked as invalid because of a previous validation failure <. NS IN>: no signatures from 198.97.190.53 for trust anchor . while building chain of trust
May 09 13:36:31 unbound[1:1] info: validation failure <unifi.Menhir. AAAA IN>: key for validation . is marked as invalid because of a previous validation failure <. NS IN>: no signatures from 198.97.190.53 for trust anchor . while building chain of trust
May 09 13:36:35 unbound[1:1] info: validation failure <unifi.Menhir. A IN>: key for validation . is marked as invalid because of a previous validation failure <. NS IN>: no signatures from 198.97.190.53 for trust anchor . while building chain of trust
May 09 13:36:37 unbound[1:0] info: validation failure <big.oisd.nl. A IN>: key for validation . is marked as invalid because of a previous validation failure <. NS IN>: no signatures from 198.97.190.53 for trust anchor . while building chain of trust
May 09 13:36:37 unbound[1:1] info: validation failure <big.oisd.nl. AAAA IN>: key for validation . is marked as invalid because of a previous validation failure <. NS IN>: no signatures from 198.97.190.53 for trust anchor . while building chain of trust
May 09 13:36:37 unbound[1:0] info: validation failure <malware-filter.gitlab.io. A IN>: key for validation . is marked as invalid because of a previous validation failure <. NS IN>: no signatures from 198.97.190.53 for trust anchor . while building chain of trust
May 09 13:36:37 unbound[1:1] info: validation failure <malware-filter.gitlab.io. AAAA IN>: key for validation . is marked as invalid because of a previous validation failure <. NS IN>: no signatures from 198.97.190.53 for trust anchor . while building chain of trust
May 09 13:36:51 unbound[1:0] info: validation failure <google.com. A IN>: key for validation . is marked as invalid because of a previous validation failure <. NS IN>: no signatures from 198.97.190.53 for trust anchor . while building chain of trust
May 09 13:37:04 unbound[1:0] info: validation failure <unifi.Menhir. AAAA IN>: key for validation . is marked as invalid because of a previous validation failure <. NS IN>: no signatures from 198.97.190.53 for trust anchor . while building chain of trust
May 09 13:37:37 unbound[1:1] info: generate keytag query _ta-4f66. NULL IN
May 09 13:37:37 unbound[1:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 09 13:37:37 unbound[1:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 09 13:37:37 unbound[1:1] info: generate keytag query _ta-4f66. NULL IN
May 09 13:37:37 unbound[1:0] info: generate keytag query _ta-4f66. NULL IN
May 09 13:37:37 unbound[1:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 09 13:37:37 unbound[1:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 09 13:37:37 unbound[1:0] info: generate keytag query _ta-4f66. NULL IN
May 09 13:37:37 unbound[1:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 09 13:37:37 unbound[1:1] info: generate keytag query _ta-4f66. NULL IN
May 09 13:37:37 unbound[1:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 09 13:37:37 unbound[1:0] info: generate keytag query _ta-4f66. NULL IN
May 09 13:37:37 unbound[1:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 09 13:37:37 unbound[1:1] info: generate keytag query _ta-4f66. NULL IN
May 09 13:37:37 unbound[1:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 09 13:37:37 unbound[1:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 09 13:37:37 unbound[1:0] info: generate keytag query _ta-4f66. NULL IN
May 09 13:37:37 unbound[1:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 09 13:37:37 unbound[1:1] info: generate keytag query _ta-4f66. NULL IN
May 09 13:37:37 unbound[1:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 09 13:37:37 unbound[1:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 09 13:37:37 unbound[1:0] info: generate keytag query _ta-4f66. NULL IN
May 09 13:37:37 unbound[1:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 09 13:37:37 unbound[1:1] info: validation failure <big.oisd.nl. A IN>: no signatures from 192.36.148.17 for trust anchor . while building chain of trust
May 09 13:37:37 unbound[1:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 09 13:37:37 unbound[1:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
May 09 13:37:37 unbound[1:0] info: validation failure <malware-filter.gitlab.io. A IN>: key for validation . is marked as invalid because of a previous validation failure <big.oisd.nl. AAAA IN>: no signatures from 193.0.14.129 for trust anchor .
May 09 13:37:37 unbound[1:0] info: validation failure <big.oisd.nl. AAAA IN>: no signatures from 193.0.14.129 for trust anchor . while building chain of trust
May 09 13:37:37 unbound[1:0] info: validation failure <malware-filter.gitlab.io. AAAA IN>: key for validation . is marked as invalid because of a previous validation failure <big.oisd.nl. AAAA IN>: no signatures from 193.0.14.129 for trust anchor . while building chain of trust

For example those last 2 I recognize, those are the ad filters enabled in my AdGuard Home (which uses Unbound as DNS upstream).

errors in docker-compose.yaml?

Hi, I am using portainer-ce 2.11.
In order to run the example you made (unbound and pi-hole), I needed to comment out all the statements in the "volumes" section. Otherwise I get several errors from portainer. With the two sections commented out (see below), it works properly.

# volumes:
# - ./pihole/etc/:/etc/:rw

# volumes:
# - ./unbound/:/usr/local/unbound/:rw
# - ./unbound/conf.d/:/usr/local/unbound/conf.d/:rw
# - ./unbound/log.d/:/usr/local/unbound/log.d/:rw
# - ./unbound/zones.d/:/usr/local/unbound/zones.d/:rw

ZONEMD verification failed: verify DNSKEY RRset with trust anchor failed

Not sure what really happened to my unbound instance after a recreation today.
It seems like the root.key disappeared and caused SERVFAIL. I downloaded the root.hint and made it work again, and noticed a warning message in the log.

warning: auth zone .: ZONEMD verification failed: verify DNSKEY RRset with trust anchor failed
info: start of service (unbound 1.17.0). 

The auth-zone.conf looks like this.
auth-zone:
  name: "."
  primary: 199.9.14.201 # b.root-servers.net
  primary: 192.33.4.12 # c.root-servers.net
  primary: 199.7.91.13 # d.root-servers.net
  primary: 192.5.5.241 # f.root-servers.net
  primary: 192.112.36.4 # g.root-servers.net
  primary: 193.0.14.129 # k.root-servers.net
  primary: 192.0.47.132 # iad.xfr.dns.icann.org
  primary: 192.0.32.132 # lax.xfr.dns.icann.org
  primary: 2001:500:200::b # b.root-servers.net
  primary: 2001:500:2::c # c.root-servers.net
  primary: 2001:500:2d::d # d.root-servers.net
  primary: 2001:500:2f::f # f.root-servers.net
  primary: 2001:500:12::d0d # g.root-servers.net
  primary: 2001:7fd::1 # k.root-servers.net
  primary: 2620:0:2830:202::132 # iad.xfr.dns.icann.org
  primary: 2620:0:2d0:202::132 # lax.xfr.dns.icann.org
  #url: "https://www.internic.net/domain/root.zone"
  fallback-enabled: yes
  for-downstream: no
  for-upstream: yes
  zonemd-check: yes
  zonemd-reject-absence: no
  zonefile: "/usr/local/unbound/iana.d/root.zone"

The security.conf is also exactly as the example.

I notice the root.zone file is also missing under iana.d. I downloaded it manually, but the warning is still there. Please help.

[Bug] healthcheck.sh will check container DNS, not unbound

Describe the bug
nslookup internic.net > /dev/null

Expected behavior
/bin/nslookup -port=5335 -timeout=1 -retry=2 internic.net 127.0.0.1 &> /dev/null

Additional context
Also DNSSEC is not checked with such health check. Maybe worth considering using dig or drill from ldns libs.
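
The point raised here (and illustrated by the "failed to prime trust anchor" log question above) is that a healthcheck which only resolves a name through the container's stub resolver says nothing about whether Unbound itself is answering, let alone validating. The script below is an added example written for this page; it is not the image's own healthcheck.sh. It queries the Unbound listener directly with the DO bit set and passes only when the reply is NOERROR and carries the AD flag, so a broken trust anchor (which yields SERVFAIL) or validation being silently off (no AD flag) both fail the check. Assumptions: dig or drill is available where the script runs (the issue proposes adding one of them to the image; until then run it from the host or a sidecar), Unbound listens on 127.0.0.1:5335 as in the image's compose examples, and the names UNBOUND_HOST, UNBOUND_PORT, CHECK_NAME, check_dnssec_output, run_live_check, grade and selftest are this example's own. The three sample outputs are constructed, not captured from a real resolver.

```shell
#!/bin/sh
# Added example: DNSSEC-aware healthcheck for an Unbound listener.
# Not the image's healthcheck.sh. Assumes dig or drill is installed where this
# runs and that Unbound listens on UNBOUND_HOST:UNBOUND_PORT (defaults below).

UNBOUND_HOST="${UNBOUND_HOST:-127.0.0.1}"   # assumed listener address
UNBOUND_PORT="${UNBOUND_PORT:-5335}"        # port used in the image's examples
CHECK_NAME="${CHECK_NAME:-internic.net}"    # signed zone, same name as the original check

# check_dnssec_output: read dig or drill output on stdin.
# Returns 0 only when the header reports NOERROR AND the flags line carries
# "ad" (authenticated data), i.e. Unbound validated the answer itself.
# Returns 1 for any other rcode (SERVFAIL is what a broken trust anchor
# produces) and 2 when the answer came back unvalidated (no AD flag).
check_dnssec_output() {
  out=$(cat)
  # dig prints "status: NOERROR", drill prints "rcode: NOERROR"
  printf '%s\n' "$out" | grep -Eq '^;; ->>HEADER<<-.*(status|rcode): NOERROR' || return 1
  # flags line: ";; flags: qr rd ra ad; ..." (dig) or ";; flags: qr rd ra ad ; ..." (drill);
  # match "ad" only as a whole token so "ra"/"rd" or other text cannot satisfy it
  printf '%s\n' "$out" | grep -E '^;; flags:' | grep -Eq '(^|[ :])ad([ ;]|$)' || return 2
  return 0
}

# run_live_check: send a DO-bit query to Unbound and grade the reply.
run_live_check() {
  if command -v dig >/dev/null 2>&1; then
    dig +dnssec +time=1 +tries=2 -p "$UNBOUND_PORT" "@$UNBOUND_HOST" "$CHECK_NAME" A \
      | check_dnssec_output
  elif command -v drill >/dev/null 2>&1; then
    drill -D -p "$UNBOUND_PORT" "$CHECK_NAME" "@$UNBOUND_HOST" A \
      | check_dnssec_output
  else
    echo "healthcheck: neither dig nor drill found" >&2
    return 3
  fi
}

# Constructed sample outputs (not real captures) covering the three outcomes.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 4243
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# grade TEXT: print the exit code check_dnssec_output assigns to TEXT.
grade() {
  if printf '%s\n' "$1" | check_dnssec_output; then echo 0; else echo $?; fi
}

# selftest: 0 when the parser grades all three samples as intended.
selftest() {
  [ "$(grade "$SAMPLE_VALIDATED")" = 0 ]   || return 1
  [ "$(grade "$SAMPLE_UNVALIDATED")" = 2 ] || return 1
  [ "$(grade "$SAMPLE_SERVFAIL")" = 1 ]    || return 1
}

case "${1:-}" in
  --live)     run_live_check; exit $? ;;
  --selftest) selftest && echo "parser ok" ;;
esac
```

`sh healthcheck-dnssec.sh --selftest` exercises the parser offline; `--live` performs the real query and exits non-zero on SERVFAIL or on an unvalidated answer, which is the exit status a Docker `healthcheck.test` entry needs. Because it distinguishes "resolver down" from "resolver up but not validating", the log flood of `failed to prime trust anchor` shown earlier would surface as a failing container instead of an apparently healthy one.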

"Are you trying to mount a directory onto a file (or vice-versa)?" error when creating container

I'm trying to use this container for the first time and I'm running into an error after running "docker-compose up -d":

Creating unbound ... error

ERROR: for unbound Cannot start service unbound: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "/home/pi/containers/pihole-new/unbound/unbound.conf" to rootfs at "/usr/local/unbound/unbound.conf": mount /home/pi/containers/pihole-new/unbound/unbound.conf:/usr/local/unbound/unbound.conf (via /proc/self/fd/6), flags: 0x5000: not a directory: unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type

ERROR: for unbound Cannot start service unbound: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "/home/pi/containers/pihole-new/unbound/unbound.conf" to rootfs at "/usr/local/unbound/unbound.conf": mount /home/pi/containers/pihole-new/unbound/unbound.conf:/usr/local/unbound/unbound.conf (via /proc/self/fd/6), flags: 0x5000: not a directory: unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type

It looks like unbound.conf is being created as a directory instead of a file (and note that everything is using root:root instead of pi:pi):

pi@pi-eloh:~/containers/pihole-new $ ls -la unbound
total 28
drwxr-xr-x 7 root root 4096 Apr 27 22:16 .
drwxr-xr-x 5 pi pi 4096 Apr 27 22:16 ..
drwxr-xr-x 2 root root 4096 Apr 27 22:16 conf.d
drwxr-xr-x 2 root root 4096 Apr 27 22:16 iana.d
drwxr-xr-x 3 root root 4096 Apr 27 22:16 log.d
drwxr-xr-x 2 root root 4096 Apr 27 22:16 unbound.conf
drwxr-xr-x 2 root root 4096 Apr 27 22:16 zones.d

If I manually remove unbound.conf, then touch it to create a file, I get an error for the log.d/unbound.log, which is also a directory and not a file:

Creating unbound ... error

ERROR: for unbound Cannot start service unbound: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "/home/pi/containers/pihole-new/unbound/log.d/unbound.log" to rootfs at "/usr/local/unbound/log.d/unbound.log": mount /home/pi/containers/pihole-new/unbound/log.d/unbound.log:/usr/local/unbound/log.d/unbound.log (via /proc/self/fd/6), flags: 0x5000: not a directory: unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type

ERROR: for unbound Cannot start service unbound: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "/home/pi/containers/pihole-new/unbound/log.d/unbound.log" to rootfs at "/usr/local/unbound/log.d/unbound.log": mount /home/pi/containers/pihole-new/unbound/log.d/unbound.log:/usr/local/unbound/log.d/unbound.log (via /proc/self/fd/6), flags: 0x5000: not a directory: unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type
ERROR: Encountered errors while bringing up the project.

Manually changing both of these directories to files allows the container to start. I checked the Dockerfile and it's not obvious to me why these are being created as directories and not files.
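
What the listing above shows is the standard Docker behaviour for the compose short `host:container` volume syntax: when the host path does not exist yet, Docker creates it as a root-owned directory, and the next start then tries to mount that directory over a file inside the container. The following preflight script is an added example for this page, not part of the image or of the issue. It creates the two file-type sources empty ahead of time, creates the directory sources, and refuses to continue (naming the offending path) when a directory already sits where a file must be, so the mistake is caught before `docker-compose up` and without root ownership. The layout it checks (`unbound.conf`, `log.d/unbound.log` and the `conf.d`, `iana.d`, `zones.d` directories) is taken from the compose file quoted in this issue; the names ensure_bind_file, ensure_bind_dir and preflight are this example's own.

```shell
#!/bin/sh
# Added example, not part of the image: pre-create bind-mount sources with the
# correct type before `docker compose up`. Docker creates a missing source path
# as a root-owned directory, which then cannot be mounted over a file in the
# container ("Are you trying to mount a directory onto a file ..."). Run it as
# the user who should own the files (e.g. pi), not as root.

# ensure_bind_file PATH: PATH must be a regular file; create it empty if absent.
# Returns 1 (with an explanation) when a directory already occupies the path.
ensure_bind_file() {
  p="$1"
  if [ -d "$p" ]; then
    echo "ERROR: $p is a directory but the container expects a file" >&2
    if [ -z "$(ls -A "$p")" ]; then
      echo "       it is empty (likely auto-created by Docker); remove it with: rmdir '$p'" >&2
    fi
    return 1
  fi
  if [ ! -e "$p" ]; then
    mkdir -p "$(dirname "$p")" || return 1
    : > "$p" || return 1
    echo "created empty file $p" >&2
  fi
  [ -f "$p" ]
}

# ensure_bind_dir PATH: PATH must be a directory; create it if absent.
ensure_bind_dir() {
  p="$1"
  if [ -e "$p" ] && [ ! -d "$p" ]; then
    echo "ERROR: $p exists but is not a directory" >&2
    return 1
  fi
  mkdir -p "$p"
}

# preflight BASE: check the layout from the quoted compose file under BASE.
# Returns 0 when every source has the right type, 1 otherwise. Every path is
# checked, so a single run reports all problems at once.
preflight() {
  base="$1"; problems=0
  ensure_bind_file "$base/unbound.conf"      || problems=$((problems + 1))
  ensure_bind_file "$base/log.d/unbound.log" || problems=$((problems + 1))
  for d in conf.d iana.d zones.d; do
    ensure_bind_dir "$base/$d" || problems=$((problems + 1))
  done
  [ "$problems" -eq 0 ]
}

# Usage: sh preflight.sh /home/pi/containers/pihole-new/unbound
if [ -n "${1:-}" ]; then
  preflight "$1" && echo "bind-mount sources look good"
fi
```

Run it before the first `docker-compose up -d` and again after any `docker-compose down -v` that may have recreated paths. The same type check explains the "not found" and "Permission denied" reports elsewhere in this issue list: mounting a host directory over the whole of `/usr/local/unbound` hides the image's own `unbound.d/sbin/` binaries, so mount only the individual sub-paths the compose example lists.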

Docker-compose not working

Hi,
When I run the command with

docker run --name madnuttah-unbound -d \
-p 5335:5335/udp \
-p 5335:5335/tcp \
--restart=unless-stopped \
madnuttah/unbound:latest

It works and I am able to look up addresses from another machine using the unbound machine's address and port 5335, however when I use my docker-compose file I am unable to. Pihole works fine, and I can browse to my pihole IP etc.

version: '2'

services:
  pihole:
    container_name: pi-hole
    image: pihole/pihole:latest
    hostname: pi-hole
    domainname: solingen.local
    depends_on:
      - unbound
    cap_add:
      - NET_ADMIN
      - NET_BIND_SERVICE
    networks:
      dns-network:
        ipv4_address: 172.20.0.2
    dns:
      - 172.20.0.3
    ports:
      - 53:53/tcp
      - 53:53/udp
      - 80:80/tcp
      - 443:443/tcp
    environment:
      ServerIP: 192.168.100.211
      VIRTUAL_HOST: pi-hole-vm.solingen.local
      WEBPASSWORD: 'P@ssw0rd_Pihole'
      TZ: Europe/London
      CORS_HOSTS: solingen.local
      PIHOLE_DNS_: 172.20.0.3#5335
      DNS_BOGUS_PRIV: "true"
      DNS_FQDN_REQUIRED: "true"
      REV_SERVER: "true"
      REV_SERVER_TARGET: 192.168.100.220
      REV_SERVER_DOMAIN: solingen.local
      REV_SERVER_CIDR: 192.168.100.0/24
    volumes:
      - /home/klittle/pihole/pihole:/etc/pihole:rw
      - /home/klittle/pihole/dnsmasq.d:/etc/dnsmasq.d:rw
    restart: unless-stopped

  unbound:
    container_name: unbound
    image: madnuttah/unbound:latest
    hostname: unbound
    domainname: solingen.local
    ports:
      - 192.168.100.211:5335:5335/tcp
      - 192.168.100.211:5335:5335/udp
    networks:
      dns-network:
        ipv4_address: 172.20.0.3
    environment:
      TZ: Europe/London
      ServerIP: 192.168.100.211
      VIRTUAL_HOST: unbound_vm.solingen.local
    volumes:
      - /home/klittle/unbound/unbound.conf:/usr/local/unbound/unbound.conf:rw
      - /home/klittle/unbound/conf.d/:/usr/local/unbound/conf.d/:rw
      - /home/klittle/unbound/iana.d/:/usr/local/unbound/iana.d/:rw
      - /home/klittle/unbound/log.d/unbound.log:/usr/local/unbound/log.d/unbound.log:rw
      - /home/klittle/unbound/zones.d/:/usr/local/unbound/zones.d/:rw
    restart: unless-stopped

networks:
  dns-network:
    driver: bridge
    driver_opts:
      parent: ent3
    ipam:
      config:
        - subnet: 172.20.0.0/24
          gateway: 172.20.0.1

I tried following this guide and my config files look the same but still nothing.
Anything else I can try? There aren't any logs from the container, so I'm assuming that means it's starting up fine.
Thanks

Container requires root under the rootless podman/docker container

Describe the bug
Container is not able to start with podman/docker --user option defined.

To Reproduce
Steps to reproduce the behaviour:

  1. Assume starting the simple example under a simple user (let's name it userx) using podman, on a freshly provisioned Rocky Linux (dnf install podman):
podman pod create --publish 59822:59822/udp --name wg-unbound-pod

podman run \
  --name madnuttah-unbound \
  --user $(id -u userx) \
  -d \
  --pod unbound-pod \
  --restart=unless-stopped \
  --volume /opt/userx/unbound/iana.d/:/usr/local/unbound/iana.d/:rw,Z \
  --volume /opt/userx/unbound/log.d/unbound.log:/usr/local/unbound/log.d/unbound.log:rw,Z \
  madnuttah/unbound:latest
  2. Container fails:

  • the chroot procedure doesn't have permissions (and this is logically correct) and tries to use some custom id 1000
  • port 5335 is defined by default, but internally it tries to listen on 127.0.0.1:53 and fails to bind something under the privileged port numbers
  • since user 1000 is hardcoded, podman mapping of the file permissions doesn't work and you need to give permissions for these files separately; this can intersect/cross with already existing users in the system allocated for other needs, and they will have permissions
  • you can install anything inside a container (good only for troubleshooting/testing)

Expected behavior

  1. Default configuration should not try to bind on :53 even for localhost; this will require an additional CAP flag and will not be used by default;
  2. Unbound should start with minimal permissions under the user defined during run, not some hardcoded one; chroot gives a tradeoff to have root inside the container;

Please complete the following information:

  • Device: VPS/1 core/2GB RAM
  • OS: Rocky Linux
  • Architecture: x86_64
  • Version 9.3

Additional context
Thank you for the images, but it would be much appreciated if you could make them secure without root inside the container to create a "secure chroot", since this kind of application doesn't require escalated privileges (like wireguard does for some scenarios) to handle its job.

[FR] can you make a new unbound + pihole based on Alpine?

Hi,
I like the fact that your unbound image is quite tiny (28,9MB), but, if I use your compose.yaml file to deploy also pi-hole, there are two issues:

  1. The two images are independent (so, two IP addresses)
  2. The pihole image is based on the latest pihole - while this is good, it means that this image is 301,3MB.

Would it be possible to create a new docker image that uses your unbound as a prerequisite, but deploys pihole inside that unbound?
There is something similar already done (cbcrowe/pihole-unbound:latest), but based on Debian, and not on Alpine (and its size is 342,6MB).

Thanks!

unbound with redis cache does not start successfully on host server reboot

Hello again. Thanks for helping me with my setup of unbound with redis. It all works fine when I start the containers/compose when my docker server/host is running.

If I restart the docker server I expect unbound to restart but it does not and I am not sure why.

Here is my full compose file. I added dependencies that I thought would help but I still have this issue.

version: '3.3'

services:
  unbound:
    container_name: unbound
    image: madnuttah/unbound:latest
    restart: unless-stopped
    depends_on:
      - unbound-db
    ports:
      - 5335:5335/tcp
      - 5335:5335/udp
    networks:
      rpi5_macvlan:
        ipv4_address: "192.168.100.15"
    environment:
      ServerIP: 192.168.100.15
      TZ: ${TZ}
      UID: ${PUID}
      GID: ${PGID}
    volumes:
      - /symlinks/omv-system/appdata/unbound/unbound.conf:/usr/local/unbound/unbound.conf:rw
      - /symlinks/omv-system/appdata/unbound/conf.d/:/usr/local/unbound/conf.d/:rw
      - /symlinks/omv-system/appdata/unbound/iana.d/:/usr/local/unbound/iana.d/:rw
      - /symlinks/omv-system/appdata/unbound/log.d/unbound.log:/usr/local/unbound/log.d/unbound.log:rw
      - /symlinks/omv-system/appdata/unbound/zones.d/:/usr/local/unbound/zones.d/:rw
    volumes_from:
      - unbound-socket:rw
    healthcheck:
      test: /usr/local/unbound/sbin/healthcheck.sh
      interval: 60s
      retries: 5
      start_period: 15s
      timeout: 30s

  unbound-socket:
    image: busybox
    container_name: unbound-socket
    restart: unless-stopped
    tty: true
    command:
      - /bin/sh
      - -c
      - |
        chown -R 999:100 /usr/local/unbound/cachedb.d/
        /bin/sh
    volumes:
      - cachedb.d:/usr/local/unbound/cachedb.d/
      
  unbound-db:
    container_name: unbound-db
    image: redis:alpine
    restart: unless-stopped
    depends_on:
      - unbound-socket
    command: redis-server /usr/local/etc/redis/redis.conf
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
      - /symlinks/omv-system/appdata/unbound/redis/redis.conf:/usr/local/etc/redis/redis.conf
      - /symlinks/omv-system/appdata/unbound/redis/data:/data
      - /symlinks/omv-system/appdata/unbound/redis/healthcheck.sh:/usr/local/sbin/healthcheck.sh:ro
    volumes_from:
      - unbound-socket:rw
    healthcheck:
      test: /usr/local/sbin/healthcheck.sh
      interval: 10s
      retries: 5
      start_period: 5s
      timeout: 30s

volumes:
  cachedb.d:

networks:
  rpi5_macvlan:
    name: rpi5_macvlan
    external: true

Container cannot start, missing elements

Describe the bug
The container cannot start:

/usr/local/sbin/unbound.sh: line 2: /usr/local/unbound/unbound.d/sbin/unbound-anchor: not found
/usr/local/sbin/unbound.sh: exec: line 3: /usr/local/unbound/unbound.d/sbin/unbound: not found

To Reproduce
docker compose:

  dns-unbound:
    container_name: dns-unbound
    image: madnuttah/unbound:latest
    hostname: dns-unbound
    restart: always
    network_mode: host
    volumes: 
      - $DOCKERDIR/unbound:/usr/local/unbound

Expected behavior
Container should start normally.

Screenshots
If applicable, add screenshots to help explain your problem.

Please complete the following information:

  • Device: homeserver situation, Manjaro Gnome (Arch based). x86-64.

Additional context
I would like to run it in network_mode:host for now, but that doesn't matter, it is missing key parts of unbound.
Unbound.conf: https://pastebin.com/GHpj1L8D but I don't think it has reached the point where the conf is being loaded.

ARM support

I would like to run on a Raspberry Pi, but that would require ARM support.
Add ARM builds for Docker image.
