diff --git a/baseimage/initializeBaseUbuntuImage.sh b/baseimage/initializeBaseUbuntuImage.sh index 7eeee1f70..39d469373 100755 --- a/baseimage/initializeBaseUbuntuImage.sh +++ b/baseimage/initializeBaseUbuntuImage.sh @@ -28,6 +28,8 @@ debconf-set-selections <<< 'mysql-server mysql-server/root_password password pas debconf-set-selections <<< 'mysql-server mysql-server/root_password_again password password' # this enables automatic security upgrades (https://help.ubuntu.com/community/AutomaticSecurityUpdates) +# resolvconf is needed for unbound to work property after disabling systemd-resolved in 18.04 + gpg_package=$([[ "${ubuntu_version}" == "16.04" ]] && echo "gnupg" || echo "gpg") mysql_package=$([[ "${ubuntu_version}" == "20.04" ]] && echo "mysql-server-8.0" || echo "mysql-server-5.7") apt-get -y install \ @@ -47,6 +49,7 @@ apt-get -y install \ $mysql_package \ openssh-server \ pwgen \ + resolvconf \ swaks \ tzdata \ unattended-upgrades \ @@ -143,7 +146,20 @@ fi systemctl stop bind9 || true systemctl disable bind9 || true +# on ovh images dnsmasq seems to run by default +systemctl stop dnsmasq || true +systemctl disable dnsmasq || true + # on ssdnodes postfix seems to run by default systemctl stop postfix || true systemctl disable postfix || true +# on ubuntu 18.04 and 20.04, this is the default. this requires resolvconf for DNS to work further after the disable +systemctl stop systemd-resolved || true +systemctl disable systemd-resolved || true + +# ubuntu's default config for unbound does not work if ipv6 is disabled. this config is overwritten in start.sh +# we need unbound to work as this is required for installer.sh to do any DNS requests +ip6=$([[ -s /proc/net/if_inet6 ]] && echo "yes" || echo "no") +echo -e "server:\n\tinterface: 127.0.0.1\n\tdo-ip6: ${ip6}" > /etc/unbound/unbound.conf.d/cloudron-network.conf +systemctl restart unbound diff --git a/setup/start.sh b/setup/start.sh index ac08631a8..8c83b2104 100755 --- a/setup/start.sh +++ b/setup/start.sh 
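Review bot: The comment added in the first hunk has a typo and sits away from the line it explains: `property` should be `properly`, and the comment justifies installing `resolvconf`, which happens in the apt-get list of the second hunk rather than above the `gpg_package` line. Suggest moving it next to the `resolvconf \` entry as `# resolvconf is needed for unbound to work properly after disabling systemd-resolved in 18.04`.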
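Review bot: After `systemctl disable systemd-resolved` in the third hunk nothing re-points /etc/resolv.conf, which on 18.04/20.04 is a symlink to resolved's stub file under /run that no longer exists after a reboot; the comment delegates this to the resolvconf package installed earlier, which presumably replaces the link, but that is worth asserting instead of assuming, e.g. a check that `readlink -f /etc/resolv.conf` is not under /run/systemd/resolve/ before `systemctl restart unbound`. The generated cloudron-network.conf sets no `access-control`, so unbound's default of answering only localhost applies, which matches the 127.0.0.1-only `interface` here and is the right default for the base image. Since the comment says installer.sh depends on this resolver, a resolution check against 127.0.0.1 right after the restart would make a failure here explicit rather than surfacing later as an opaque DNS error. The `property` typo in the first hunk's comment should be `properly`.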
@@ -108,6 +108,7 @@ rm -f /etc/systemd/system/cloudron.target [[ "${ubuntu_version}" == "16.04" ]] && sed -e 's/MemoryMax/MemoryLimit/g' -i /etc/systemd/system/box.service systemctl daemon-reload systemctl enable --now cloudron-syslog +systemctl enable unbound systemctl enable box systemctl enable cloudron-firewall @@ -117,18 +118,8 @@ systemctl restart cloudron-firewall # For logrotate systemctl enable --now cron -# DNS. resolvconf package will magically update resolv.conf depending on which DNS server gets activated. We have to trick resolvconf -# into putting the systemd-resolved file and then disable it. Ideally, we want to even uninstall the package but currently that will -# display a blocking message - "The removal of the resolvconf package may have resulted in some information about name servers becoming unavailable." -if [[ "${ubuntu_version}" == "16.04" ]]; then - systemctl restart unbound # systemd-resolved was only enabled in 16.10 and resolvconf is the default -else - systemctl stop unbound # this removes unbound's 127.0.0.1 resolv.conf entry. for update case, this also frees up loopback port 53 - systemctl enable --now systemd-resolved # resolved can now use loopback 53. resolv.conf is now updated by resolvconf - systemctl disable --now resolvconf || true # don't let resolvconf update resolv.conf again. on ubuntu 20, there is no resolvconf - systemctl restart unbound # start it back with latest configuration on port 533 - rm -f /etc/resolv.conf && ln -s /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf # this still points to resolvconf's resolv.conf and is required for reboots -fi +# ensure unbound runs +systemctl restart unbound # ensure cloudron-syslog runs systemctl restart cloudron-syslog diff --git a/setup/start/unbound.conf b/setup/start/unbound.conf index e0c5aa7e5..818399323 100644 --- a/setup/start/unbound.conf +++ b/setup/start/unbound.conf 
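Review bot: The update path for hosts provisioned with the previous flow is no longer handled in the second hunk: the removed branch stopped unbound to free port 53, enabled systemd-resolved and re-linked /etc/resolv.conf, and the replacement only does `systemctl restart unbound`. On an existing 18.04/20.04 host systemd-resolved therefore stays enabled and /etc/resolv.conf still points at its stub, so host-side resolution presumably keeps going through resolved rather than unbound; the box code itself now queries 127.0.0.1:53 directly, so it may still work, but that should be stated. If this is intended, a comment such as `# existing installs keep systemd-resolved; box talks to unbound on 127.0.0.1:53 directly` would document it; otherwise the stop/disable of systemd-resolved added to initializeBaseUbuntuImage.sh in this commit needs an equivalent here so that updates and fresh images converge.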
@@ -1,5 +1,5 @@
 server:
- port: 533
+ port: 53
 interface: 127.0.0.1
 interface: 172.18.0.1
 do-ip6: no
diff --git a/src/addons.js b/src/addons.js
index 69d65b427..5660cf1a9 100644
--- a/src/addons.js
+++ b/src/addons.js
@@ -1200,6 +1200,8 @@ function startMysql(existingInfra, callback) {
 --log-opt syslog-address=udp://127.0.0.1:2514 \
 --log-opt syslog-format=rfc5424 \
 --log-opt tag=mysql \
+ --dns 172.18.0.1 \
+ --dns-search=. \
 -e CLOUDRON_MYSQL_TOKEN=${cloudronToken} \
 -e CLOUDRON_MYSQL_ROOT_HOST=172.18.0.1 \
 -e CLOUDRON_MYSQL_ROOT_PASSWORD=${rootPassword} \
@@ -1417,6 +1419,8 @@ function startPostgresql(existingInfra, callback) {
 --log-opt syslog-address=udp://127.0.0.1:2514 \
 --log-opt syslog-format=rfc5424 \
 --log-opt tag=postgresql \
+ --dns 172.18.0.1 \
+ --dns-search=. \
 -e CLOUDRON_POSTGRESQL_ROOT_PASSWORD="${rootPassword}" \
 -e CLOUDRON_POSTGRESQL_TOKEN="${cloudronToken}" \
 -v "${dataDir}/postgresql:/var/lib/postgresql" \
@@ -1595,6 +1599,8 @@ function startTurn(existingInfra, callback) {
 --log-opt tag=turn \
 -m ${memoryLimit}m \
 --memory-swap ${memoryLimit * 2}m \
+ --dns 172.18.0.1 \
+ --dns-search=. \
 -e CLOUDRON_TURN_SECRET="${turnSecret}" \
 -e CLOUDRON_REALM="${realm}" \
 --label isCloudronManaged=true \
@@ -1633,6 +1639,8 @@ function startMongodb(existingInfra, callback) {
 --log-opt syslog-address=udp://127.0.0.1:2514 \
 --log-opt syslog-format=rfc5424 \
 --log-opt tag=mongodb \
+ --dns 172.18.0.1 \
+ --dns-search=. \
 -e CLOUDRON_MONGODB_ROOT_PASSWORD="${rootPassword}" \
 -e CLOUDRON_MONGODB_TOKEN="${cloudronToken}" \
 -v "${dataDir}/mongodb:/var/lib/mongodb" \
@@ -1859,6 +1867,8 @@ function setupRedis(app, options, callback) {
 --log-opt tag="${redisName}" \
 -m ${memoryLimit/2} \
 --memory-swap ${memoryLimit} \
+ --dns 172.18.0.1 \
+ --dns-search=. \
 -e CLOUDRON_REDIS_PASSWORD="${redisPassword}" \
 -e CLOUDRON_REDIS_TOKEN="${redisServiceToken}" \
 -v "${paths.PLATFORM_DATA_DIR}/redis/${app.id}:/var/lib/redis" \
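Review bot: With unbound now on the standard port and bound to `172.18.0.1`, every container on the bridge reaches it, but this hunk shows no `access-control` entry for the bridge subnet; unbound refuses anything but localhost by default, so unless such an entry exists further down the file the containers' new `--dns 172.18.0.1` setting would get REFUSED answers. Worth confirming that an `access-control` line for the bridge's actual subnet (and nothing wider) is present, since this resolver is now reachable from all app containers. The port change also means any other listener on 53 must be gone before the restart in start.sh; the base-image script stops dnsmasq and bind9, but start.sh's restart on already-provisioned hosts does not check.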
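Review bot: `--dns 172.18.0.1 \` and `--dns-search=. \` are pasted into five docker run commands in this file (startMysql, startPostgresql, startTurn, startMongodb, setupRedis) and again in graphs.js, mail.js and sftp.js, while the same address is already hard-coded two lines below as `CLOUDRON_MYSQL_ROOT_HOST=172.18.0.1`. A single shared constant for the bridge address, or one for the whole pair of flags, would keep the resolver address in one place and turn a future subnet or resolver change into a one-line edit. A short comment at the first use explaining why `--dns-search=.` is passed (presumably to suppress any inherited search domain so single-label names are not expanded) would also help a reader, since the flag value looks odd on its own.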
diff --git a/src/graphs.js b/src/graphs.js index 2c32e5737..b48eccee9 100644 --- a/src/graphs.js +++ b/src/graphs.js @@ -29,6 +29,8 @@ function startGraphite(existingInfra, callback) { --log-opt tag=graphite \ -m 150m \ --memory-swap 150m \ + --dns 172.18.0.1 \ + --dns-search=. \ -p 127.0.0.1:2003:2003 \ -p 127.0.0.1:2004:2004 \ -p 127.0.0.1:8417:8000 \ diff --git a/src/infra_version.js b/src/infra_version.js index 62f2a180f..c38e227f5 100644 --- a/src/infra_version.js +++ b/src/infra_version.js @@ -6,7 +6,7 @@ exports = module.exports = { // a version change recreates all containers with latest docker config - 'version': '48.19.0', + 'version': '48.17.1', 'baseImages': [ { repo: 'cloudron/base', tag: 'cloudron/base:2.0.0@sha256:f9fea80513aa7c92fe2e7bf3978b54c8ac5222f47a9a32a7f8833edf0eb5a4f4' } @@ -20,7 +20,7 @@ exports = module.exports = { 'postgresql': { repo: 'cloudron/postgresql', tag: 'cloudron/postgresql:3.3.0@sha256:0daf1be5320c095077392bf21d247b93ceaddca46c866c17259a335c80d2f357' }, 'mongodb': { repo: 'cloudron/mongodb', tag: 'cloudron/mongodb:3.0.0@sha256:59e50b1f55e433ffdf6d678f8c658812b4119f631db8325572a52ee40d3bc562' }, 'redis': { repo: 'cloudron/redis', tag: 'cloudron/redis:2.3.0@sha256:0e31ec817e235b1814c04af97b1e7cf0053384aca2569570ce92bef0d95e94d2' }, - 'mail': { repo: 'cloudron/mail', tag: 'cloudron/mail:3.0.0@sha256:b0cf59bcd17aef9523bb28b264e9f1534515813e9efa9e8cfd08731ecfa06f60' }, + 'mail': { repo: 'cloudron/mail', tag: 'cloudron/mail:3.0.0@sha256:655919522cbf6f98f5f21eb84f924119bd7ab7a4a21cbf45fc603afa11c4e382' }, 'graphite': { repo: 'cloudron/graphite', tag: 'cloudron/graphite:2.3.0@sha256:b7bc1ca4f4d0603a01369a689129aa273a938ce195fe43d00d42f4f2d5212f50' }, 'sftp': { repo: 'cloudron/sftp', tag: 'cloudron/sftp:3.0.0@sha256:5b249db20ee559de2e3b669526763538cf1ec554966b51accdb7056b9be8fc0f' } } diff --git a/src/mail.js b/src/mail.js index be9dba12d..095fadfe6 100644 --- a/src/mail.js +++ b/src/mail.js 
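Review bot: The infra version goes down, from `'48.19.0'` to `'48.17.1'`, while the comment above it says a version change recreates all containers. If the comparison that triggers recreation is ordered rather than a plain inequality check, hosts already on 48.19.0 would not recreate their containers and so would never pick up the `--dns` flags added in this commit, leaving them on whatever resolver they had before. If the number was carried over from another branch it should be bumped above the current value; if the ordering is irrelevant, a comment saying the check is inequality-based would stop the next reader from worrying about it.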
@@ -666,6 +666,8 @@ function configureMail(mailFqdn, mailDomain, callback) { --log-opt tag=mail \ -m ${memoryLimit}m \ --memory-swap ${memoryLimit * 2}m \ + --dns 172.18.0.1 \ + --dns-search=. \ -e CLOUDRON_MAIL_TOKEN="${cloudronToken}" \ -e CLOUDRON_RELAY_TOKEN="${relayToken}" \ -v "${paths.MAIL_DATA_DIR}:/app/data" \ diff --git a/src/native-dns.js b/src/native-dns.js index e09db367e..62ec8a5eb 100644 --- a/src/native-dns.js +++ b/src/native-dns.js @@ -9,7 +9,7 @@ var assert = require('assert'), dns = require('dns'), _ = require('underscore'); -const DEFAULT_OPTIONS = { server: `127.0.0.1:${constants.DNS_PORT}`, timeout: 5000 }; // unbound runs on 127.0.0.1 +const DEFAULT_OPTIONS = { server: '127.0.0.1', timeout: 5000 }; // unbound runs on 127.0.0.1 // a note on TXT records. It doesn't have quotes ("") at the DNS level. Those quotes // are added for DNS server software to enclose spaces. Such quotes may also be returned diff --git a/src/sftp.js b/src/sftp.js index 34d143749..eef7ec3f5 100644 --- a/src/sftp.js +++ b/src/sftp.js @@ -105,6 +105,8 @@ function rebuild(callback) { --log-opt tag=sftp \ -m ${memoryLimit}m \ --memory-swap ${memoryLimit * 2}m \ + --dns 172.18.0.1 \ + --dns-search=. \ -p 222:22 \ ${mounts} \ -e CLOUDRON_SFTP_TOKEN="${cloudronToken}" \
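Review bot: `constants.DNS_PORT` is no longer referenced in the native-dns.js hunk, but the commit does not touch constants.js; if the constant still carries the old port it is now stale, and any other reader of it (firewall rules, tests) would point at a port unbound no longer listens on. Suggest removing it or updating it together with this change, and confirming that the resolver library accepts `server: '127.0.0.1'` without a port (the previous value always carried one) — presumably it defaults to 53, but the comment `// unbound runs on 127.0.0.1` could say so explicitly, e.g. `// unbound runs on 127.0.0.1:53 (default port)`.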