Hanging or crashing under Docker within LXC (Linux containers) #707
@fendle Hi, may I have your confirmation on these?
@fendle Your configuration might help, although the phenomenon you described does not sound like a misconfiguration of the tool. (Please hide sensitive information such as your domain names and API tokens.)

Hi @favonia,
@fendle The default configuration will already show the maximum amount of information. Could you possibly also check the things I wish to confirm in the other comment? Thank you!

@fendle Hi, I wonder if you could help me understand your problem better?

Hi @favonia,
It would be helpful to have a hint as to why it can be executed.
@fendle Thank you. I feel I still need more information, and your testing without Docker (compose) will help a lot. I can think of the following possible causes, but all of them sound super weird to me:

Theoretically, "dropping privileges" should not involve any system calls that could ever be blocking (even if there's an error, the error should be returned immediately), so Cause 1 should be impossible. However, the other causes are equally strange, so I'm a bit lost. 🤔 Your experiment to run the tool without Docker compose---or even without Docker---can help check whether Causes 2 and/or 3 are the culprit. I see that you are suggesting more detailed logging. That's actually technically difficult. The dropping involves lots of ugly low-level Linux system calls and it is annoying (maybe impossible, actually) to print out each of them. Some of them are buried inside the Go standard library to maintain consistency between threads. A more reliable way is to use tools such

Another thing that could be incredibly helpful is to recall any change you might have made that caused the tool to stop working. Do you remember anything that might have affected your Docker?

Hello, compose.yml:
logs:
@este1561997 Could you try any of the following? (@fendle I apologize---I should have provided more detailed instructions for you to test things.)

```shell
CF_API_TOKEN=YOUR-CLOUDFLARE-API-TOKEN \
DOMAINS=xxxx.org,yyyy.xxxx.org \
TZ=Europe/Rome \
UPTIMEKUMA="https://zzzz.xxxx.org/api/push/LvzcnABuqW?status=up&msg=OK&ping=" \
go run github.com/favonia/cloudflare-ddns/cmd/ddns@latest
```

Change

```yaml
services:
  cloudflare-ddns:
    image: favonia/cloudflare-ddns:1.10.1
    container_name: cloudflare-ddns
    network_mode: host
    restart: always
    cap_add:
      - SETUID
      - SETGID
    cap_drop:
      - all
    read_only: true
    security_opt:
      - no-new-privileges:true
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Rome
      - CF_API_TOKEN=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      - DOMAINS=xxxx.org,yyyy.xxxx.org # Your domains (separated by commas)
      - PROXIED=false
      - UPTIMEKUMA="https://zzzz.xxxx.org/api/push/LvzcnABuqW?status=up&msg=OK&ping="
```

```shell
CF_API_TOKEN=YOUR-CLOUDFLARE-API-TOKEN \
DOMAINS=xxxx.org,yyyy.xxxx.org \
TZ=Europe/Rome \
go run github.com/favonia/cloudflare-ddns/cmd/ddns@v1.10.1
```

Testing any of these will help. Thank you!
Hi @favonia, I tried your suggestions and downgrading didn't fix the problem; however, if I try to run directly without Docker I get this error message

And after this, all the stack trace
@massijay Thank you for your testing!!! Now I have much better ideas about what might be going on. May I ask if the

Anyway, please try the latest development version, using "edge" instead of "latest":

```yaml
services:
  cloudflare-ddns:
    image: favonia/cloudflare-ddns:edge
    container_name: cloudflare-ddns
    network_mode: host
    restart: always
    cap_add:
      - SETUID
      - SETGID
    cap_drop:
      - all
    read_only: true
    security_opt:
      - no-new-privileges:true
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Rome
      - CF_API_TOKEN=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      - DOMAINS=xxxx.org,yyyy.xxxx.org # Your domains (separated by commas)
      - PROXIED=false
      - UPTIMEKUMA="https://zzzz.xxxx.org/api/push/LvzcnABuqW?status=up&msg=OK&ping="
```

I plan to release a version that removes all privilege dropping so that at least it would work (this is tracked by #728).

@favonia Unfortunately it's still not working with the edge version too

I tried running the fork without privilege dropping without Docker and it works
@massijay Thinking about it, I feel Docker has no role. It appears that some Linux system call that was valid became invalid. (And to be clear, none of these system calls are directly initiated by the DDNS updater.) Do you still have the backtrace? It will be helpful for me to see which call exactly is causing trouble. I would like to check whether there's any recent change or bugfix (in the Linux kernel, Go runtime, the cap library, etc.) related to it. What could also be helpful is your Linux distro and the exact Linux kernel version, but I understand those could be sensitive. :-)

I am running Ubuntu 23.10 (GNU/Linux 6.5.13-3-pve x86_64)
@fendle @massijay Could you confirm that the following 3-line program will crash (!) the Go runtime? If so, maybe the bug should be reported to either the Go team or the Linux team. (I'm not sure who's at fault yet.) Unfortunately, I could not reproduce the crash on my machines, so I might not be the best person to report it.

```go
package main

import "kernel.org/pub/linux/libs/security/libcap/cap"

func main() { cap.NewSet().SetProc() }
```

To use
and
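A pre-flight check an operator can run in the container before the updater attempts to drop privileges, added here as an example (not the updater's or libcap's own code): it parses the `Cap*` lines of `/proc/self/status` and reports whether the effective set actually holds CAP_SETUID and CAP_SETGID, the two capabilities the compose files above add back after `cap_drop: all`. The status text in `sampleStatus` is constructed; on a live Linux container feed it `os.ReadFile("/proc/self/status")` instead.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Capability bit numbers from <linux/capability.h>.
const capSetGID, capSetUID = 6, 7

// Constructed sample of /proc/self/status as a container started with
// cap_drop: all plus cap_add: SETUID, SETGID would show it (0xc0 = bits 6 and 7).
const sampleStatus = "Name:\tddns\nCapInh:\t0000000000000000\n" +
	"CapPrm:\t00000000000000c0\nCapEff:\t00000000000000c0\n" +
	"CapBnd:\t00000000000000c0\nNoNewPrivs:\t1\n"

// parseCapSets returns the capability bitmasks keyed by set name ("CapEff", ...).
func parseCapSets(status string) (map[string]uint64, error) {
	sets := map[string]uint64{}
	for _, line := range strings.Split(status, "\n") {
		key, val, ok := strings.Cut(line, ":")
		if !ok || !strings.HasPrefix(key, "Cap") {
			continue // Name:, Uid:, NoNewPrivs: and friends are not capability sets
		}
		mask, err := strconv.ParseUint(strings.TrimSpace(val), 16, 64)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", key, err)
		}
		sets[key] = mask
	}
	return sets, nil
}

// hasCap reports whether capability bit n is present in mask.
func hasCap(mask uint64, n uint) bool { return mask&(1<<n) != 0 }

// canDropPrivileges reports whether the effective set holds both CAP_SETUID
// and CAP_SETGID, which setuid/setgid-based privilege dropping requires.
func canDropPrivileges(status string) (bool, error) {
	sets, err := parseCapSets(status)
	if err != nil {
		return false, err
	}
	eff := sets["CapEff"]
	return hasCap(eff, capSetUID) && hasCap(eff, capSetGID), nil
}

func main() {
	ok, err := canDropPrivileges(sampleStatus) // constructed input; see lead-in
	fmt.Println("CAP_SETUID and CAP_SETGID effective:", ok, err)
}
```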
I can confirm it crashes in an unprivileged LXC container but it freezes (and keeps using 100% of the CPU) in a privileged container, which seems to be the same also for the Docker container.

@massijay Thank you. One more question: are you running Docker in an LXC when you said "Docker container"? To be honest, I find neither looping nor completely crashing acceptable for such a simple program no matter what the setup is, but such information might help other people if you (or I) report the bug. (And, I assume you are not reporting the bug.)
Yes
Unfortunately I cannot try outside an LXC container on the host; however, I think that the problem is occurring due to the LXC.

@massijay Thank you for the data point. I don't think it's possible to gracefully handle this kind of error inside the DDNS updater. It's a system-level bug that needs to be fixed in the combination (LXC + Docker + libcap + Go).

Thank you anyway for the timely support! I'm looking forward to trying the app without cap drop on Docker when it's available :)

@fendle @este1561997 I am changing the issue title, assuming that Linux containers are part of the combination to trigger the bug. If that's the cause, for the time being, please use this fork maintained by @suraw00t before I deliver a more permanent solution. Sorry about the trouble!

@massijay @este1561997 I could not trigger the bug with only LXC. It seems I can do capabilities just fine with only LXC. Can you confirm that you are using Docker inside LXC? In any case, could you possibly confirm that the experimental Docker tag

Solution after 1.13.0: the updater no longer uses the
Hi, sorry for the late response, we just tried the new version and it's now working flawlessly, thank you very much for your support!

@massijay @este1561997 To clarify, the solution (removing
PS: the new template works for older versions of the updater as well! PPS: @fendle I am not sure if you are still using this updater, but if you do, the new version should work out of the box, and it can benefit from a configuration update as described here. You were using the old template. |
Hi,
my IP is no longer updated in Cloudflare and in my Docker logs I see only this message.

```
cloudflareddns-cloudflare-ddns-1 | 🌟 Cloudflare DDNS (v1.11.0-0-g52d2019)
cloudflareddns-cloudflare-ddns-1 | 🥷 Dropping privileges . .
```

I used the standard docker compose configuration.
Thanks.