stubby icon indicating copy to clipboard operation
stubby copied to clipboard
verified publisher icon getdnsapi

stubby inside LXC: Failed at step USER spawning /usr/bin/stubby: Permission denied

Open koshkamau opened this issue 3 years ago • 2 comments

I used stubby for a few years on real and virtual machines with different Ubuntu server OS. Beginning with Ubuntu 16.04, I think. Everything were fine. Now I am forced to use LXD/LXC containers so I picked up Debian Bookworm image and tried to install stubby there. Stubby does not start. This is what I see in syslog:

systemd[1]: Started DNS Privacy Stub Resolver.
systemd[257]: stubby.service: Failed at step USER spawning /usr/bin/stubby: Permission denied
systemd[1]: stubby.service: Main process exited, code=exited, status=217/USER
systemd[1]: stubby.service: Failed with result 'exit-code'.
systemd[1]: stubby.service: Scheduled restart job, restart counter is at 2.
systemd[1]: Stopped DNS Privacy Stub Resolver.

I googled this error message and couldn't find anything useful. It seems that stubby (which is installed from debian repos) is the only service with DynamicUser=true in this container.

I do not understand where the problem is. Maybe LXC debian image simply lacks some component for DynamicUser to work because this image has very small size. Maybe problem in container's settings or user mapping between host system and container. I do not have Apparmor in the container.

koshkamau avatar Oct 30 '22 20:10 koshkamau

Have a look at https://github.com/getdnsapi/stubby/pull/324 Does changing that user to false fix the problem?

saradickinson avatar Nov 02 '22 17:11 saradickinson

Just checked. No it doesn't. Stubby works if I set user and group to a particular user so I use daemon now.

/usr/lib/systemd/system/stubby.service:

[Unit]
Description=DNS Privacy Stub Resolver
Documentation=https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby
Wants=network-online.target
After=network-online.target

[Service]
WorkingDirectory=/run/stubby
ExecStart=/usr/bin/stubby -C /etc/stubby/stubby.yml
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
RuntimeDirectory=stubby
PrivateUsers=false
DynamicUser=true
#User=daemon
#Group=daemon
Restart=on-failure
RestartSec=1

[Install]
WantedBy=multi-user.targe

Nov  2 21:11:01 [localhost] systemd[1]: Started DNS Privacy Stub Resolver.
Nov  2 21:11:01 [localhost] systemd[3302]: stubby.service: Failed at step USER spawning /usr/bin/stubby: Permission denied
Nov  2 21:11:01 [localhost] systemd[1]: stubby.service: Main process exited, code=exited, status=217/USER
Nov  2 21:11:01 [localhost] systemd[1]: stubby.service: Failed with result 'exit-code'.
Nov  2 21:11:02 [localhost] systemd[1]: stubby.service: Scheduled restart job, restart counter is at 4.
Nov  2 21:11:02 [localhost] systemd[1]: Stopped DNS Privacy Stub Resolver.
Nov  2 21:11:02 [localhost] systemd[3305]: stubby.service: Failed to update dynamic user credentials: Permission denied
Nov  2 21:11:02 [localhost] systemd[3305]: stubby.service: Failed at step USER spawning /usr/bin/stubby: Permission denied

koshkamau avatar Nov 02 '22 18:11 koshkamau

Thanks for reporting this. I'm going to close it as a known issue as the 0.4.3 update to set PrivateUsers=false seems to work on all other platforms.

saradickinson avatar Jan 10 '23 13:01 saradickinson