Spamhaus rejects queries from IPv6.
unbound does not work on IPv6 only servers without do-ip6: true
prefer-ip4 only works on Ubuntu 24
this leads to a situation where we cannot support IPv6 only servers with
older Ubuntu
https://forum.cloudron.io/topic/13408/update-to-cloudron-8.3-error
We get a Task xx crashed with code null in the notification.
The crux of the issue is that we use KillMode=control-group. This ends
up sending SIGTERM signal to box code and all the sudo in parallel. The box
code then sees the sudo die and records the task as failed.
To fix, we switch to KillMode=mixed. This gives box code a chance to handle SIGTERM
first. It cleans out its task list and kills all the sudo.
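
The ordering problem described in the message above, replayed as a small model. This is an added example, not Cloudron's code: `TaskSupervisor`, `stopUnit`, the pids and the task ids are hypothetical, and the log wording is copied from the notification quoted above.

```javascript
// Added illustration: a model of the unit stop sequence, not the box code.
class TaskSupervisor {
  constructor() {
    this.tasks = new Map(); // pid -> task id, one entry per running sudo child
    this.log = [];          // messages that would end up as notifications
  }
  start(pid, taskId) { this.tasks.set(pid, taskId); }

  // Shaped like a Node.js child 'exit' handler: code is null when the
  // child was terminated by a signal rather than exiting on its own.
  onChildExit(pid, code, signal) {
    if (!this.tasks.has(pid)) return; // task was already cleaned up on purpose
    const id = this.tasks.get(pid);
    this.tasks.delete(pid);
    if (code !== 0) this.log.push(`Task ${id} crashed with code ${code}`);
  }

  // SIGTERM handler: forget the tasks first, then hand back the pids to kill.
  onSigterm() {
    const pids = [...this.tasks.keys()];
    this.tasks.clear();
    return pids;
  }
}

// Replays the signal delivery order for one KillMode and returns the log.
function stopUnit(killMode) {
  const sup = new TaskSupervisor();
  sup.start(101, 'a'); // constructed sample tasks
  sup.start(102, 'b');
  if (killMode === 'control-group') {
    // Every process in the cgroup gets SIGTERM in parallel, so the children
    // die while the supervisor's task list is still populated.
    for (const pid of [101, 102]) sup.onChildExit(pid, null, 'SIGTERM');
    sup.onSigterm();
  } else if (killMode === 'mixed') {
    // Only the main process gets SIGTERM; it clears its list and then
    // kills the children itself, so their exits match no task.
    for (const pid of sup.onSigterm()) sup.onChildExit(pid, null, 'SIGTERM');
  } else {
    throw new Error(`unsupported KillMode: ${killMode}`);
  }
  return sup.log;
}
```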
coturn will send 401 when receiving UDP packets with forged source IP.
this can cause a flood of 401s at the victim. the primary concern appears
to be that these packets are quite large compared to handshake packets
below.
TCP is also affected but effects are minimal because they will get
discarded at the connection handshake level.
UDP/TLS (DTLS) has a handshake mechanism similar to TCP and effects are
minimal.
https://forum.cloudron.io/topic/13855/reflection-attack-via-stun-turn
https://github.com/coturn/coturn/pull/1588
collectd (with the python plugin) seems semi-abandoned. replace
with our own. we have more control over how to collect things instead
of relying on random plugins.
Port 546 is reserved for the client-side of the Neighbor Discovery Protocol (NDP).
This is used for communication between IPv6 nodes (such as a device and its router)
to discover and configure network information (such as IP address).
Router Advertisement (RA) messages sent by routers use port 547 (router-side), and
devices use port 546 to receive these messages.
See https://forum.cloudron.io/topic/13566/infomaniak-ipv6-issues/61
it seems unbound-anchor is not a dep of unbound in Ubuntu 24. some
installations are thus missing this package.
in any case, ignore unbound-anchor exit status
this changes unbound to listen to 127.0.0.150 (150 is roman CL)
we cannot only bind on docker bridge because unbound is relied
upon for the initial domain setup. docker itself is only initialized
when the platform initializes
This reverts commit 829d53915d.
This breaks on Ubuntu 18
systemd[1]: /etc/systemd/system/unbound.service:12: Executable path is not absolute: kill -HUP $MAINPID