Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cannot bind dns interface to port 53 along with systemd-resolved #4578

Closed
gionn opened this issue Aug 24, 2018 · 4 comments · Fixed by #4598
Closed

Cannot bind dns interface to port 53 along with systemd-resolved #4578

gionn opened this issue Aug 24, 2018 · 4 comments · Fixed by #4598
Labels
type/docs Documentation needs to be created/updated/clarified

Comments

@gionn
Copy link

gionn commented Aug 24, 2018
edited
Loading

Hi, I was trying to setup consul 1.2.2 on docker (with network 'host') on an ubuntu 18.04 node.

I followed what is documented here, but I am stuck with:

==> Starting Consul agent...
==> Error starting agent: agent: timeout starting DNS servers

even if I am starting consul on a specific bind address (and port 53):

agent -server -ui -config-dir /etc/consul.d -bind 10.240.0.3 -client 10.240.0.3 -dns-port 53 -bootstrap -recursor 8.8.8.8

I think the reason is related to systemd-resolved that is binding on 127.0.0.53:53 but it should be definitively possible that consul can bind the same port on a different address.
@gionn
Copy link
Author

gionn commented Aug 27, 2018

After more investigation, I found that the problem was the same described in #3848 (comment), and a solution is described in https://hub.docker.com/_/consul/ (Exposing Consul's DNS Server on Port 53).

Maybe a notice on the documentation could save some time to many other people.

Cheers.

@mkeeler
Copy link
Member

mkeeler commented Aug 27, 2018

@gionn After your investigation would you say that the documentation is lacking a notice that using port 53 will require root privileges (or at least running with the CAP_NET_BIND_SERVICE capability). It wasn't an issue with systemd-resolved being bound to 127.0.0.53:53 correct?

@mkeeler mkeeler added the type/docs Documentation needs to be created/updated/clarified label Aug 27, 2018
@gionn
Copy link
Author

gionn commented Aug 28, 2018

There is the CONSUL_ALLOW_PRIVILEGED_PORTS= environment variable but is documented only on the docker image README and not referenced elsewhere. It could be great to have that somewhere on the official docs, I think that docker is one of the most common deployment scenario.

Systemd-resolved conflicts arises only when consul tried to bind client interfaces to 0.0.0.0 (the default?), with docker I usually configure the docker bridge ip of the VM.

The worst thing for me is that consul is not returning a specific error message for every bind error, that makes troubleshooting very hard.

Thanks.

@mkeeler
Copy link
Member

mkeeler commented Aug 28, 2018

@gionn Thanks for the feedback. Right now our documentation at consul.io doesn't contain information regarding the docker image nor many of our other tools like consul-template, consul-esm etc. We have been talking over strategies for how to improve this and it sounds like our users want a single place to go for consul's documentation including the other 1st party tools.

In your particular case there is a bug in Consul that is causing the error messages not to come out. You should see messages like:

listen tcp 127.0.0.1:6258: bind: address already in use

or

listen udp 127.0.0.1:53: bind: permission denied

But in these cases they are being suppressed.

@mkeeler mkeeler mentioned this issue Aug 28, 2018
Merged
mkeeler added a commit that referenced this issue Sep 7, 2018
@mkeeler
Ensure that errors setting up the DNS servers get propagated back to …
cc8327e 
…the shell (#4598)

Fixes: #4578 

Prior to this fix if there was an error binding to ports for the DNS servers the error would be swallowed by the gated log writer and never output. This fix propagates the DNS server errors back to the shell with a multierror.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type/docs Documentation needs to be created/updated/clarified
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Ensure that errors setting up the DNS servers get propagated back to the shell hashicorp/consul
2 participants
@gionn @mkeeler